The Meaningful Use program is important for facilities when it comes to securing patient data.
- The Meaningful Use program is designed to help healthcare providers protect patients’ electronic health information that is created or maintained in certified EHR technology. Both Stage 1 and Stage 2 Meaningful Use require organizations to conduct a security risk analysis, along with other requirements.
However, the Meaningful Use program is not without its difficulties. There have been numerous delays in the implementation process. For example, last November the Centers for Medicare & Medicaid Service (CMS) extended the deadline for Meaningful Use attestation for the Medicare EHR Incentive Program. Moreover, several healthcare agencies have voiced concerns in the Meaningful Use process.
In Oct. 2014, the American Medical Association (AMA) wrote a letter to CMS Administrator Marilyn Tavenner and Karen DeSalvo, National Coordinator for Health Information Technology, saying that the “view-download-transmit,” transitions of care and secure messaging criteria in stage 2 Meaningful Use should be optional.
Even so, healthcare providers should keep themselves educated on the Meaningful Use timeline, and ensure that they understand what each stage entails. Moreover, a basic review of the Meaningful Use requirements can help organizations decide what approach to keeping patient data secure will be their best option.
Why are the deadlines important?
As previously mentioned, the deadline for Meaningful Use attestation for the Medicare EHR Incentive Program was pushed back last year from Nov. 30, 2014 to Dec. 31, 2014. The next important date for eligible professionals (EP) is Feb. 28, 2015, which is the attestation deadline for Medicare eligible professionals for the new year. This is the last day for Medicare EPs to register and attest to receive an incentive payment for calendar year 2014.
It is important to remember that meeting Meaningful Use requirements is not a one-time experience: it must be conducted every year. It is up to an organization whether or not it wants to continue to move forward, or repeatedly meet the same level.
“The Medicare and Medicaid EHR Incentive Programs provide financial incentives for the meaningful use of certified EHR technology to improve patient care,” according to the CMS website. “To receive an EHR incentive payment, providers have to show that they are meaningfully using their EHRs by meeting thresholds for a number of objectives.”
How crucial is a security risk analysis?
Regardless of an organization’s size, all HIPAA covered entities are required to perform a risk analysis. In order to receive EHR incentive payments, healthcare facilities must complete this aspect of the Meaningful Use process.
Additionally, a security risk analysis will help organizations address all electronic protected health information they maintain. These analyses need to also go beyond just the data stored in an EHR.
“Review all electronic devices that store, capture, or modify electronic protected health information,” states the Office of the National Coordinator for Health Information Technology website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”
While there is no is no single method or one “best practice” that guarantees compliance, providers should regular review their existing security infrastructure, identifying potential threats and then prioritize the risks.
“Your risk analysis may also reveal that you need to update your system software, change the workflow processes or storage methods, review and modify policies and procedures, schedule additional training for your staff, or take other necessary corrective action to eliminate identified security deficiency,” according to a CMS tipsheet.
Another important factor to keep in mind is that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This extra security aspect ensures that all ePHI maintained by an organization is reviewed, not just the information stored in an EHR. For example, any electronic device – tablets, laptops, mobile phones – that store, capture or modify ePHI need to be examined for security.
CMS also highlights the fact that the security risk analysis does not need to be completely redone every year. Healthcare facilities only need to conduct this process when they adopt an EHR. When an organization changes its setup or makes alterations to its electronic systems, then it is time to review and make updates for any subsequent changes in risk.
Avoiding future issues
The Meaningful Use program offers financial incentives to organizations, but even so, no facility wants to have a lackluster security system that leads to a healthcare data breach. Technology will continue to evolve over time, and healthcare providers are likely to continuously alter the ways that they keep ePHI protected. Being able to communicate with employees and patients quickly is an important aspect of healthcare, but the entire process must be done in a secure way.
Regardless of an organization’s stance on the various benefits and drawbacks of Meaningful Use itself, the security aspect cannot be overlooked. Patients’ ePHI has a much greater chance at remaining secure when EPs take the time to conduct thorough security risk analyses as they update or change electronic systems.