Health data security is a crucial topic for covered entities of all sizes, and as the push to meet meaningful use requirements continues, organizations must remain current on how the two are connected.
Earlier this week, the Centers for Medicare & Medicaid Services (CMS) finalized modifications to the meaningful use requirements for 2015 through 2017 and postponed mandatory Stage 3 Meaningful Use for eligible providers until 2018. But how exactly does health data security - specifically patient data security - tie into the meaningful use requirements?
HealthITSecurity.com will break down the finer points of data security within the meaningful use requirements, and what key things covered entities need to keep in mind as they work through the incentive program.
Basics of the finalized modifications
One of the key takeaways of the recently finalized modifications is that a 60-day comment period was included, which means that while the rule is “final,” it could still technically change once again. According to the Department of Health & Human Services (HHS), this will help CMS appropriately shape future meaningful use requirements.
“HHS is committed to working with physicians, clinicians, hospitals, consumers, and other stakeholders to make these programs as effective as possible,” an HHS statement explains. “We want to use this time to pause and reflect about how the safe, secure exchange of actionable electronic health information can best be used to deliver better patient care and how to create an infrastructure that supports that.”
The finalized modifications also state that all eligible providers have a 90-day reporting period in 2015 and that the number of objectives was reduced from 20 to fewer than 10. Moreover, all providers will report according to the calendar year.
Under the modifications, Stage 3 Meaningful Use is optional in 2017 and does not take effect for all providers until 2018.
Health information exchange is also a larger part of the finalized modifications, with CMS stating that the measures were modified “so that more than 60 percent of measures rely upon exchange of health information, compared to 33 percent previously.”
How does patient data security tie into MU?
One of the top objectives in Stage 3 meaningful use is to improve patient data security by better protecting patient health information. This will be done through “the implementation of appropriate technical, administrative, and physical safeguards,” according to the finalized rule. Technical safeguards on their own are not enough to ensure PHI security, CMS explains, which is why the additional inclusion of administrative and physical safeguards was so important.
A security risk analysis will also be required, according to the final rule, and “must be conducted or reviewed for each EHR reporting period, and any security updates and deficiencies identified should be included in the provider's risk management process and implemented or corrected as dictated by that process.” CMS noted the importance of a risk analysis being performed in the same calendar year as the EHR reporting period:
Again, we reiterate that the security risk analysis and review should not be an episodic "snap-shot" in time, but rather include an analysis and review of the protection of ePHI for the full year no matter at what point in time that analysis or review are conducted within the year. In short, the analysis should cover retrospectively from the beginning of the year to the point of the analysis and prospectively from the point of the analysis to the end of the year.
Another key takeaway is that encryption is to be included in the security risk analysis as a way of addressing ePHI security. However, CMS maintains that meaningful use is not the appropriate regulatory tool for ensuring compliance with HIPAA regulations. According to CMS, providers should not treat the incentive program as a way to satisfy the HIPAA Security Rule.
“Our discussion of this measure as it relates to 45 CFR 164.308(a)(1) is only relevant for purposes of the EHR Incentive Program requirements and is not intended to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking,” the rule states. “For information on identity proofing, authentication, authorization, and encryption, we refer readers to the OCR website.”
Data encryption is not mandated in the final rule, but it must be considered by the covered entity. As with HIPAA regulations, if data encryption is deemed unnecessary, the reasoning behind that conclusion must be properly documented.
Overall, the finalized modifications encourage CEs to work toward a more secure and seamless health information exchange process, while still focusing on better health outcomes for patients. Health data security must remain a priority, and the HIPAA Privacy and Security Rules should also be adhered to.