HIPAA and Meaningful Use: Joined at the hip

There's been a lot of hoopla surrounding some of the more eye-catching provisions of the two final rules released last week defining and setting the standards for Stage 2 of Meaningful Use, such as the retention of patient engagement obligations.

But one of the most significant aspects of these rules is how intertwined they are with HIPAA's privacy and security requirements, despite the fact that many of the 6,100-odd commenters on the proposed rules asked the Centers for Medicare & Medicaid Services to remove the redundancies. It highlights that keeping electronic records secure--and allaying patient fears about that security--is a high priority for the government.

"We're reinforcing HIPAA," Elizabeth Holland, Director HIT Initiative Group of CMS' Office of e-Health Standards and Services, tells FierceEMR in an exclusive interview. "We're emphasizing the privacy and security of patient information. People are wary [about the confidentiality of their records] when the information goes electronic."

For instance, conducting an effective risk assessment of electronic protected health information and safeguarding the data from vulnerabilities now is officially part of both HIPAA's security rule and the Stage 2 rule, although the requirements aren't completely identical. Risk assessments conducted for Meaningful Use purposes must more specifically address encryption of data stored in the electronic health record than do risk assessments for HIPAA's security rule. Providers also have to conduct a risk assessment every year under the Meaningful Use program, since it's an annual program; HIPAA doesn't require an annual risk assessment, Holland says.

Yet while the final Stage 2 rules adopted most of the HIPAA-related provisions contained in the proposed rules, there are some notable differences, including:

Encryption as default setting: The proposed rule said that encryption should be enabled as the default setting on EHRs, and the ability to disable it be limited. This is not in the final rule.

Accounting for disclosures: The rule expanding the accounting for disclosure obligations for patient data in electronic form is not yet final, and the proposed Stage 2 certification rule recommended that this be an "optional" criterion to meet the Stage 2 certification obligations. However, the Office of the National Coordinator for Health IT had requested public comment on whether the 2014 edition of EHRs must have the capabilities to meet the upcoming accounting for disclosures requirement. ONC kept this "optional" in the final rule in response to the overwhelming number of comments on that point.  

Amendments: The proposed certification rule included particular technical requirements when dealing with patient requests to amend their electronic data. The final rule allows for more flexibility in this technical capability.

The bottom line: "If you're complying with HIPAA you should be able to meet Stage 2 of Meaningful Use," Holland says.

True. But this marriage of two sets of rules does raise the bar--and the stakes--even higher, since if you're not complying with one, you're in violation of both. - Marla

Suggested Articles

Roche, which already owned a 12.6% stake in Flatiron Health, has agreed to buy the health IT company for $1.9 billion.

Allscripts managed to acquire two EHR platforms for just $50 million by selling off a portion of McKesson's portfolio for as much as $235 million.

Artificial intelligence could help physicians predict a patient's risk of developing a deadly infection.