Meaningful Use rules should focus more on how vendors protect patient data

As the Centers for Medicare & Medicaid Services begins to sort through the comments it's received on the proposed "flexibility" rule softening Stages 1 and 2 of Meaningful Use for 2015-2017 and the proposed rule implementing Stage 3, it's no surprise that certain organizations have homed in on some of their hot-button concerns.

For instance, provider representatives support the provisions that would lighten their burdens, such as reducing the reporting period in 2015 from 365 days to 90 days. Many entities have expressed concern that the flexibility rule would be finalized too late in 2015.

And many also have criticized CMS' vision for Stage 3, recommending that it be delayed. For instance, the Medical Group Management Association suggested that CMS hold off on Stage 3 until the Medicare Access and CHIP Reauthorization Act, which moves physicians out of the Meaningful Use program into the merit-based incentive payment system (MIPS), is implemented.

Not surprisingly, consumer groups lambasted the proposed watered-down patient engagement requirements.

Yes, these are all important issues.

But no one seems to be focusing on what may be the biggest problem we have: the security of the records themselves.

Just last week, EHR cloud vendor Medical Informatics Engineering (MIE) announced that it had suffered a cyberattack that compromised the patient data of several of its customers.

This is a bigger problem than percentages of patients that view their data or the number of days doctors have to report their EHR use.

MIE's breach points to how vulnerable EHRs are in the cloud and in the hands of vendors. But is anyone asking how cloud and other EHR vendors keep patient data secure? What are they doing to protect this data when it's out of the hands of the provider? All three stages of Meaningful Use (as well as HIPAA) require providers to protect patient information on EHRs, including conducting security risk analyses of vulnerabilities. But how many providers include their EHR vendor in that analysis?

And since many contracts between providers and their EHR vendors favor the vendor, the providers--and the patients--have very little control over how the vendor handles the records. For instance, does the vendor segregate each customer's data? What happens if the vendor commingles patient information from different customers? Then a single intrusion can affect all of its customers.

Surely MIE's mishap will not be the last breach involving cloud and other EHR vendors, which the Office of Inspector General (OIG) recognized when it announced in its 2015 work plan last October that it plans to review how well EHR users and cloud vendors protect electronic patient information.

Ironically, though, OIG just dropped from its work plan its intent to review the cloud vendors. Extraordinarily bad timing.

CMS, the Meaningful Use rules are an opportunity to beef up oversight of electronic patient data when in the hands of vendors. Please consider doing so.

And OIG, please add that review of cloud vendors back into the work plan. This problem is only going to grow. - Marla (@MarlaHirsch and @FierceHealthIT)