"Meaningful Use" Requires Risk Analysis
Assessing requirements for incentive payments
As the year drew to a close, federal regulators issued a proposed rule to define how hospitals and physicians must demonstrate their "meaningful use" of EHRs so they can qualify for the Medicare and Medicaid incentive payments.
The lengthy proposed rule, which could be revised in the months ahead, only briefly addresses data security. It says the "meaningful use" requirements are designed to ensure that organizations implementing EHRs use the data protection functions within the software as well as "processes and possibly tools outside the scope of the certified EHR technology."
The proposed rule states that to qualify for Stage 1 of the incentive payments, healthcare providers must "conduct or review a security risk analysis of certified EHR technology and implement updates as necessary."
Several data security experts acknowledge that this requirement is far from crystal-clear. But they interpret it to mean that organizations that want to receive incentive payments should size up their use of the security functions within their EHR software as part of their broader risk assessments.
The rule implies that organizations implementing EHRs should "do a risk assessment of that technology against their broader privacy security risk assessments that they should have been doing under HIPAA," says Dan Rode, vice president for policy and government relations at the American Health Information Management Association, Chicago.
Rode notes that the security rule under the Health Insurance Portability and Accountability Act of 1996 requires healthcare organizations to conduct periodic risk assessments. "In bringing in new technology, an organization really has to look at how it fits into that broader risk assessment," he stresses. "Smaller organizations, like physician practices, may lack the expertise to do that."
Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society, Chicago, offers a similar assessment.
"For now, an organization should conduct a security risk analysis of their implemented EHR or procure a security risk analysis from a third party, such as a consultant," she says. "Then review those results and act on the recommendations to determine what changes or additions you might want to make to your security controls to address any risks that were uncovered during that analysis."
Gallagher notes, however, that because the security requirements in the proposed "meaningful use" rule are somewhat ambiguous, HIMSS intends to ask federal regulators to clarify the provision in the final rule.
But security consultant Kate Borten, president of the Marblehead (Mass.) Group, argues that the proposed rule is clearly stating a simple message: "Technology alone is not enough." "If you only focus on technical controls, you will not have a secure environment," the consultant stresses. Rather, organizations must roll out a comprehensive data security program that's built, in part, on a thorough risk assessment of their EHR software and all other applications, she says.
Healthcare provider organizations will also need to carefully review whether they are using all of an EHR's security capabilities, such as encryption, access control and frequent changing of passwords, says Rosemarie Nelson, principal at MGMA Consulting Group, an Englewood, Colo.-based consulting firm serving physician group practices.
In a separate interim final rule, federal regulators spell out standards for certified EHR software. To earn incentives, hospitals and physicians must implement certified software. The software certification standards require, among other criteria, that the software include encryption capability and offer unspecified access controls.