On March 7, 2012, the Centers for Medicare & Medicaid Services (CMS) published in the Federal Register its 132-page notice of proposed rule making (NPRM): Medicare and Medicaid Programs; Electronic Health Record Incentive Program–Stage 2. Comments to the Department of Health and Human Services (HHS) may be made until 5 PM on May 7, 2012.
The summary of the NPRM is included here:
“This proposed rule would specify the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid electronic health record (EHR) incentive payments. In addition, it would specify payment adjustments under Medicare for covered professional services and hospital services provided by EPs, eligible hospitals, and CAHs failing to demonstrate meaningful use of certified EHR technology and other program participation requirements. This proposed rule would also revise certain Stage 1 criteria, as well as criteria that apply regardless of Stage, as finalized in the final rule titled Medicare and Medicaid Programs; Electronic Health Record Incentive Program published on July 28, 2010 in the Federal Register. The provisions included in the Medicaid section of this proposed rule (which relate to calculations of patient volume and hospital eligibility) would take effect shortly after finalization of this rule, not subject to the proposed 1 year delay for Stage 2 of meaningful use of certified EHR technology. Changes to Stage 1 of meaningful use would take effect for 2013, but most would be optional until 2014.” [p.13698]
The NPRM also summarizes Stage 2 Meaningful Use Objectives and Measures:
“In the Stage 1 final rule we outlined Stage 1 criteria, we finalized a separate set of core objectives and menu objectives for both EPs and eligible hospitals and CAHs. EPs and hospitals must meet or qualify for an exclusion to all of the core objectives and 5 out of the 10 menu measures in order to qualify for an EHR incentive payment. In this proposed rule, we propose to maintain the same core-menu structure for the program for Stage 2. We propose that EPs must meet or qualify for an exclusion to 17 core objectives and 3 of 5 menu objectives. We propose that eligible hospitals and CAHs must meet or qualify for an exclusion to 16 core objectives and 2 of 4 menu objectives. Nearly all of the Stage 1 core and menu objectives would be retained for Stage 2. The ‘exchange of key clinical information’ core objective from Stage 1 would be re-evaluated in favor of a more robust ‘transitions of care’ core objective in Stage 2, and the ‘Provide patients with an electronic copy of their health information’ objective would be removed because it would be replaced by an ‘electronic/online access’ core objective. There are also multiple Stage 1 objectives that would be combined into more unified Stage 2 objectives, with a subsequent rise in the measure threshold that providers must achieve for each objective that has been retained from Stage 1.” [p. 13700]
HIPAA.com has focused especially on privacy and security issues related to safeguarding protected health information (PHI). Both Stage 1 and proposed Stage 2 retain as unchanged the 42 CFR 495.6 “protection” core objective: “Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.” [pp. 13819 for EPs and 13821 for eligible hospitals and CAHs] However, the corresponding measures for EPs and for eligible hospitals and CAHs have been amended under the Stage 2 proposal, with the proposed amendment underlined below and combined for EPs and hospitals:
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) [security management process standard], including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(as)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s or of the eligible hospital’s or CAH’s risk management process.”
The Stage 2 NPRM provides an explanation for the proposed amendment:
“This measure is the same as in Stage 1 except that we specifically address the encryption/security of data that is stored in Certified EHR Technology (data at rest). Dure to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure. We do not propose to change the HIPAA Security Rule requirements, or require any more than would be required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.
“We propose this measure because the implementation of Certified EHR Technology has privacy and security implications under 45 CFR 164.308(a)(1). A review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider’s risk management process and implemented or corrected as dictated by that process.” [pp. 13716-13717]
The importance of this focus on encryption if illustrated, as noted above, by the latest data on large breaches of 500 or more impacted individuals, as made publicly available on the HHS Office for Civil Rights (OCR) Web page as required by the HITECH Act:
As of March 8, 2012, 400 breaches have impacted 19,137,957 individuals since publication began on September 22, 2009, covering the period from that date through January 17, 2012. Approximately 3 out of 4 breaches involve electronic devices and of those, 60% are laptops or other portable electronic devices, of which 91% involve theft or loss. Clearly, the amended focus on encryption and securing PHI in this NPRM is warranted.
Also warranted to help stem the large number of privacy and security breaches is the release of the delayed Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement [Omnibus] Rule, which the January 20, 2012, White House release of the semi-annual regulatory agenda for HHS indicates is scheduled for this month. Hopefully, its release is imminent and not further delayed.