How does Stage 2 dovetail with HIPAA?

There's been a lot of hoopla surrounding the two proposed rules released last week defining and setting the standards for Stage 2 of meaningful use, and rightly so. This next stage of the Centers for Medicare & Medicaid Services incentive program takes the industry to ambitious, almost dizzying new heights, including cutting-edge technology, increased patient engagement, more stringent quality measures and demonstrated data sharing. The Health IT bar has been raised ever higher.

But how do the proposed rules dovetail with HIPAA? Do they even impact HIPAA?

In a word, yes. 

Sure, the proposed rules take great pains to reiterate that they do not "override" or "supersede" the HIPAA privacy rule. The rules even go so far as to say "we do not propose to change the HIPAA Security Rule requirements or require any more than would be required under HIPAA,"  and "we note that EHR technology certification is not a substitute for, or guarantee of, HIPAA Privacy Rule compliance."

But the Meaningful Use incentive program does not exist in a vacuum, and CMS is keenly aware of it. "This is a confirmation that Meaningful Use and HIPAA go together," Wendy Whittington, Chief Medical Officer of Dallas-based Anthelio Healthcare Solutions tells FierceEMR

Here are just some of the ways that Stage 2 will affect HIPAA:

Encryption: The proposed rules do not require providers to encrypt their data; encryption remains "addressable" under the security rule. However, CMS specifically expresses concern regarding the protection of unencrypted data at rest, saying it's an area of security that appears to need specific focus. CMS goes on to say that almost 40 percent of large breaches involved lost or stolen devices, which if they had been encrypted would have been secured. The Stage 2 rules propose that encryption should be enabled as the default setting on EHRs, and the ability to disable it be limited.

"Encryption is morphing into a quasi-requirement. It boggles the mind why folks would not at least seriously consider it," Casa Grande, Ariz.-based HIPAA consultant Frank Ruelas tells FierceEMR. "If you're accountable for a breach and your data is not encrypted it will be an uphill battle to explain why you didn't encrypt, especially when you know the emphasis and how easy it is to encrypt."

Risk analysis/management: Conducting an effective risk assessment of a provider's electronic systems--and managing discovered vulnerabilities--remains a requirement not only of HIPAA's security rule but also of meeting Meaningful Use. "You'd think stressing it in Stage 1 was enough. But evidently not," Ruelas says. Providers will also have to attest that they are protecting their patients' health information.

Accounting for disclosures: The expansion of the accounting for disclosure obligations for patient data in electronic form is not yet final, and the Stage 2 proposed rules recommend that this be an "optional" criterion to meet the Stage 2 certification obligations. However, CMS is requesting public comment on whether the agency should revise the rule so that this criterion is mandatory.

Enforcement: Providers should expect to see heightened enforcement of HIPAA, particularly in areas that have been highlighted as important in the Stage 2 Meaningful Use rules, such as conducting risk assessments and protecting data in devices. "We learned in Stage 1 that the government was serious about HIPAA. There's no change in Stage 2. So now you really need to comply," Whittington warns.

What's more, the transition to Stage 2 will make it easier to uncover HIPAA violations, according to Whittington. "The more patient data becomes granular and traceable, the easier it will be to do an audit trail," she says.

Although CMS doesn't say so, intertwining Meaningful Use with HIPAA itself may be its way of acknowledging the public's concern about providers' ability to protect their confidential health information while engaging in health information exchange, reporting to registries, offering electronic access to patients, and the other new requirements inherent in Stage 2.

Failing to protect patient data could not only land a provider in legal hot water for violating HIPAA. It could also mean that the provider did not successfully attest to Meaningful Use, jeopardizing the provider's ability to obtain--or keep--an incentive payment.

CMS will accept public comment on the proposed rules for 60 days after they are formally published in the Federal Register, which is slated to occur next week.  This is your opportunity to voice your opinion about any and all aspects of the proposed rules. Please consider doing so. - Marla