[protected health information] once you’re disconnected from the EHR,” he notes. That means healthcare providers still will need to be vigilant in ensuring that PHI is protected in all applications where it resides, he adds.
In another encryption provision for Stage 2, the meaningful use rule requires that participants conduct a risk assessment that specifically addresses “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.” But it does not explicitly mandate encryption.
Regulators included this requirement, which shines a spotlight on requirements that already exist within the HIPAA security rule, in hopes of improving the protection of stored information.
McMillan applauds the provision because it helps increase awareness that “you will be responsible for the decisions you make” on whether to encrypt stored PHI beyond the encryption that occurs by default through EHRs.
Similarly, Herold says calling attention to the need to consider encryption of stored data is a good idea.
“I know from seeing many inadequate risk assessment methodologies … that including an explicit requirement to check for encryption is good and will make covered entities and business associates think twice before simply deciding that they don’t want to invest in encryption.”
Bill Spooner, CIO at Sharp HealthCare in San Diego, says encrypting data at rest shouldn’t be too tricky for healthcare providers.
“The challenges will be around gaining support from those who view technologies like encrypted thumb drives as inconvenient, and ensuring that we have closed any potential detours around the requirement,” he says. “The focus on end-user device encryption is quite sensible, as loss of such devices has been the most common cause of breaches to date.”
Patient Data Access
Among the final provisions getting a mixed reaction are the meaningful use requirements that a threshold of patients securely access their information, such as through a portal with appropriate protections.
The rule requires that 5 percent of all patients who are discharged from the inpatient or emergency department of a hospital view, download or transmit to a third party their information during the EHR reporting period for Stage 2. For physicians, the requirement is that 5 percent of patients take the same action within four days of an office visit. The proposed version of the rule, issued earlier this year, had set a 10 percent threshold for hospitals and physicians.
In addition to the patient record access requirement, another of the original proposed rule’s “most ambitious and controversial measures” deals with referral transactions, says Adam Greene, a partner at the law firm Davis Wright Tremaine, who formerly worked at the Office for Civil Rights.
The proposed rule would have required that providers, for 10 percent of transfers and referrals, transmit a summary of care record to a recipient with no organizational affiliation and using a different EHR vendor than the sender, Greene says. The final rule, however, drops the specific percentage threshold and instead requires a provider to only send one referral to a recipient that uses different EHR technology than the sender or conduct a successful test, he notes.
The revised provisions on patients accessing their records and on transferring records for referrals “represent strong, continued commitment to the privacy and security issues of improved patient access and secure electronic health information exchange, but recognize that substantial challenges remain in these areas,” Greene says. “In the preamble, HHS makes clear that it will continue to focus on health information exchange and interoperability as it moves toward Stage 3.”
Meeting the Requirement
But Spooner of Sharp HealthCare says that even the reduced requirement for patient access to information could prove difficult to meet.
“I am not thrilled with the accountability for 5 percent of my patients accessing their data online,” Spooner says. “I wonder when the [regulators] last sat through a busy Saturday evening in an emergency room and thought ‘I can’t wait to get home and look up my information online’.”
Spooner calls including hospital emergency room patients in the data access requirement “worrisome,” adding: “These are occasional visits, many by patients without a regular doctor or insurance coverage. It will be a challenge to bring them back to our portals [to access information].”
McMillan, however, does not believe that healthcare providers will find it difficult to get 5 percent of patients to access their data online. “I don’t subscribe to the ‘patients don’t want access’ [argument],” he says. “When you look at what’s happening online in other industries, people shop, bank. My 82-year-old mother goes online for her and my father’s prescriptions.”
Dan Rode, vice president of advocacy and policy at the American Health Information Management Association, contends that some healthcare providers are concerned about the potential for being held responsible for breaches caused by patients once they download their information.
“Providers are concerned that individuals themselves might release their information by accident,” Rode says. “A patient might send their information to Facebook; providers don’t want to be responsible for something like that.”
Data Exchange Standards Lacking
The meaningful use rule includes a signal that more regulations related to health information exchange, which presumably would address privacy and security, could be on the way in Stage 3 if the industry fails to make adequate progress with standards-based information exchange, McMillan, the consultant, points out.
The rule states, “…As we look toward meaningful use Stage 3, we will monitor the ease with which EPs [eligible professionals], eligible hospitals, and CAHs [critical access hospitals] engage in electronic exchange, especially across different vendors’ EHRs.” The rule notes that if HHS does not see sufficient progress toward its standards-based exchange goals, “we will … consider other policies to strengthen the interoperability requirements included in meaningful use as well as consider other policies and regulations.”
To exchange data efficiently and securely, “the real issues are interoperability, compatibility, and standards,” McMillan says.
A Nationwide Health Information Governance Rule, now in the works, would set voluntary standards for data exchange.