HIPAA and Meaningful Use Stage 2
Department of Health and Human Services (HHS) Releases Final Health Insurance Portability and Accountability Act (HIPAA) Rule
The Department of Health and Human Services has issued a final rule to modify the HIPAA privacy, security, breach notification and enforcement rules, as well as increasing privacy protections under the Genetic Information Nondiscrimination Act.
For the most part, the final rule is very similar to the proposed rules and interim final rules issued in 2009 and 2010. The major change is in the breach notification section. The interim rule's subjective "harm" standard, under which an incident was reportable only if it posed a significant risk of harm to one or more individuals, is replaced with a more objective risk assessment: an impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.
The final HIPAA rule becomes effective on March 26, 2013, with a compliance date for covered entities and business associates of September 23, 2013. Covered entities have up to one year beyond the compliance date to amend existing business associate agreements to match the new requirements.
The final rule includes provisions:
- Setting a four-tier financial penalty structure for violations deemed serious enough to warrant a federally imposed penalty. Based on the level of culpability, fines range from $100 to $50,000 per violation, with a cap of $1.5 million for violations of an identical provision within a calendar year.
- Requiring business associates (BAs) and their subcontractors to comply with the HIPAA rules in the same manner as covered entities, and making BAs and subcontractors directly liable for HIPAA violations, even where a BA failed to enter into a formal contract with a subcontractor. Covered entities and BAs are also legally liable for the acts of their business associates acting as their agents. A subcontractor that handles PHI on behalf of a BA is itself a business associate of that BA. The BA, not the covered entity, is responsible for ensuring its subcontractors appropriately safeguard the information, but the covered entity remains responsible for the BA's actions.
- Expanding the definition of business associate to include patient safety organizations, health information organizations, e-prescribing gateways, providers of data transmission services that carry PHI to a covered entity and require routine access to that PHI, and personal health record (PHR) vendors offering PHRs to individuals on behalf of a covered entity. PHRs offered directly to individuals, and not on behalf of a covered entity, are not covered.
- Clarifying that PHI retained in photocopiers, fax machines and other office equipment that store data, whether intentionally or not, is subject to the privacy and security rules, and that the PHI must be wiped before such a device is removed from the office.
- Applying to business associates the minimum necessary standard when using or disclosing PHI, or when requesting PHI from another covered entity or business associate.
- Enabling patients to request a copy of their electronic medical record in electronic form, with any fee limited to a reasonable, cost-based amount that covers labor and supplies.
- Enabling patients who pay for a service in full out of pocket to instruct providers not to disclose information about that treatment to their health plan. Separate or segregated records are not required, but some form of flag or other notation of the restriction in the record is necessary so that the information is not disclosed to the insurer.
- Enabling patients to easily opt out of receiving fundraising and marketing solicitations.
- Prohibiting the sale of an individual's health information without the individual's express authorization, with exceptions including uses for public health activities and research purposes.
The Medical Group Management Association (MGMA) has voiced its concern with the new final rule:
"We are strongly supportive of comprehensive privacy and security standards aimed at avoiding unauthorized use or disclosure of patient health information. However, it is critical that the safeguards mandated by the government be practical, flexible and affordable for the broad spectrum of medical practices."
"We are concerned about the ability of practices to implement the changes associated with this final rule, including the requirement to modify and reissue notices of privacy practices and modify business associate agreements, within the short time frames allotted. We will continue to monitor our member practices to ensure that administrative burdens imposed by the government do not hinder the necessary flow of health information for patient treatment, payment and healthcare operations purposes."
The final rule is available here for further review.
Meaningful Use Stage 2
The Centers for Medicare and Medicaid Services (CMS) recently published a final rule specifying the criteria for Stage 2 of Meaningful Use. The earliest year in which Stage 2 takes effect is 2014. CMS is permitting a one-time, three-month reporting period in 2014 to give providers time to upgrade to 2014 Edition Certified EHR Technology (CEHRT).
The new objectives and measures under Stage 2 require eligible professionals and hospitals to engage patients electronically with their own health information. Providers must give patients the ability to view their health information online, download it, and transmit it to a third party. A notable feature of Stage 2 is that several measures depend on patient behavior: a provider cannot meet them unless a minimum share of patients actually uses the technology, for example by viewing or downloading their records or by exchanging secure messages with the practice.
Core and Menu Objectives
To demonstrate meaningful use under the Stage 2 criteria, providers must satisfy a set of core objectives plus a subset of menu objectives, listed below. Eligible professionals must meet all 17 core objectives:
- Use computerized provider order entry (CPOE) for medication, laboratory and radiology orders
- Generate and transmit permissible prescriptions electronically (eRx)
- Record demographic information
- Record and chart changes in vital signs
- Record smoking status for patients 13 years of age or older
- Use clinical decision support to improve performance on high-priority health conditions
- Provide patients the ability to view online, download, and transmit their health information
- Provide clinical summaries for patients for each office visit
- Protect electronic health information created or maintained by the Certified EHR Technology, including conducting a security risk analysis that addresses encryption of data at rest
- Incorporate clinical lab-test results into Certified EHR Technology
- Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach
- Use clinically relevant information to identify patients who should receive reminders for preventive/follow-up care
- Use Certified EHR Technology to identify patient-specific education resources
- Perform medication reconciliation
- Provide summary of care record for each transition of care or referral
- Submit electronic data to immunization registries
- Use secure electronic messaging to communicate with patients on relevant health information
Eligible professionals must also meet 3 of the following 6 menu objectives:
- Submit electronic syndromic surveillance data to public health agencies
- Record electronic notes in patient records
- Make imaging results accessible through CEHRT
- Record patient family health history
- Identify and report cancer cases to a State cancer registry
- Identify and report specific cases to a specialized registry (other than a cancer registry)