Meaningful Use rule corrections I'd like to see

Earlier this week, the Centers for Medicare & Medicaid Services released a 10-page document correcting omissions and errors to the final rule implementing Stage 2 of Meaningful Use.

Most of the corrections are minor in nature, such as renumbering tables and fixing grammatical and typographical errors. Some of them fix mistakes that could confuse readers or lead providers to questions in interpreting the rule. CMS routinely issues these types of corrections to replace, update and fix manuals, guidance, and other documents.

Of course, CMS can't revise laws; that's Congress' job. But sometimes Congress will do so,  enacting a law that amends a prior one that needs updating. The HITECH Act, which amended HIPAA (and created the Meaningful Use Incentive Program), is one such example.

CMS also can't actually change rules without undertaking a particular process, including providing notice, publishing the proposed rule and giving the public the opportunity to comment. CMS specifically stated in this week's "correction" that this process can be waived since the changes are minor in nature.

But wouldn't it be nice if we could make corrections affecting EHRs so easily? I'm sure we can pinpoint a number of changes that might better reflect the state of the industry, protect patient information, and otherwise improve things.

Here are just a few items that I would consider changing, if I had the authority:

For starters, I'd make EHR vendors accountable for their errors. Sure, if the provider-user makes an error and happens to be using an EHR, that is not the vendor's fault. But if a design snafu causes patient harm, or if the vendor's technician doesn't turn the firewall back on after an upgrade, enabling the system to be hacked, then the provider should be able to have recourse against the vendor. Those "no liability" provisions in vendor contracts are overbroad.

I'd also reassess the "payment adjustment" to be imposed on hospitals and physicians. Beginning in 2015, eligible professionals who don't successfully attest to Meaningful Use will be subject to a penalty, which will start at 1 percent, and eventually rise to 5 percent. But is that enough of a penalty to really move hospitals to buy EHRs? If a provider system receives $500,000 from Medicare each year, a 1 percent penalty is only $5,000; a 5 percent penalty would be $25,000. Perhaps for hospitals, the penalty should be increased.

Alternatively, maybe the penalty should be removed altogether for eligible professionals. Evidently only half of all eligible professionals have even registered for the program. If the true goal of the EHR incentive program is to improve patient care and lower costs, perhaps it would be better without a regulatory downside.    

Additionally, I would consider moving encryption under HIPAA's security rule from "addressable" to "required." It is my understanding that encryption no longer is as expensive as it was when HIPAA was first enacted in 1996. Some devices--even iPhones--have encryption features that can be activated at no further cost. If all patient data in EHRs and elsewhere were encrypted, the data would be much safer in the case of a breach. If encryption were required, providers might be more likely to encrypt.

These are just a few examples. I'm sure there are many more--as well as many differences of opinion about what should and should not be corrected.

I'd love to hear your thoughts. What do you think of my corrections? And what changes would you like to see? - Marla