From Meaningful Use Stage 2 to stronger HIPAA regs, HHS gets ready to juggle

We all know that 2012 will be a watershed year for electronic health records systems. The Department of Health and Human Services' fall 2011 agenda, which it presented to the Office of Management and Budget (OMB) this week, contains four rules directly impacting providers' use of EHRs. Everyone wants to know: What will the regulations require?

Good question.

It looks like the Stage 2 Meaningful Use regulations and its companion regulations (which establish the standards, implementation specifications and certification criteria to enhance EHR operability, functionality and utility under Stage 2) may receive OMB clearance first. While agencies are typically tight lipped about their rules before they're released for public view, we know from the agenda that the Stage 2 proposed rule will "expand upon the Stage 1 criteria to encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible, such as the electronic transmission of orders entered using computerized provider order entry (CPOE) and the electronic transmission of diagnostic test results."

And we know that Stage 2 will include, at a minimum, more security requirements, more clinical measurements, higher thresholds, longer measurement timelines and actual reporting rather than attestation.

But the two rules to progress to Stage 2 of Meaningful Use come with the promise of incentive payments if providers comply with the rules. Moreover, they are just proposed rules. That means providers, associations, and others can give HHS their two cents (or in some cases, a piece of their minds).

Providers also can't lose sight of two more rules that should be finalized in the first half of 2012 that will have a major impact on their use of EHRs. Both will strengthen the Health Insurance Portability and Accountability Act.

The first is the accounting for disclosure rule that outlines how to tell patients who accessed their records in the EHR. The second is a "mega rule" that implements more stringent privacy, security, enforcement and breach notifications.  

These rules impose burdens on providers with no corresponding promise of bonus payments for compliance. In proposed form, they're pretty tough.  

For instance, the accounting for disclosure proposed rule, which expands the accounting for disclosure of protected health information (PHI) contained an EHR, created a new right for patients to obtain an "access report." The rule expands reporting requirements not only for disclosures, including those for payment treatment and operations, but also for uses, including internal uses by employees who have legitimate reasons to access the records. 

One of the provisions of the proposed mega rule allows providers to avoid telling patients of an unsecured breach if the provider determined the breach didn't meet a "harm threshold." But HHS withdrew this provision amid speculation that HHS was considering removing this threshold. That means that a should your EHR suffer a security breach of unsecured PHI, you need to notify patients, HHS and possibly the media--even if no harm occurred at all.


HHS has a lot to juggle. It operates more than 300 programs and has an ambitious agenda for 2012, including coverage to the uninsured, implementation of the Accountable Care Act, public health programs and food safety. Can it accomplish what it has boldly set out to do?

I don't know. But hopefully HHS will realize what an awful lot it's asking of the provider community, many of whom are adopting EHRs with more than a little trepidation.  - Marla