Meaningful Use Stage Two
As you might know, this week the Center for Medicare and Medicaid released its proposed rule for Meaningful Use Stage II.
You will note that the proposed rule emphasizes direct contact with patients, patient safety (especially in medication administration to those hospitalized) and a modicum of flexibility in order to reduce burdens upon providers and vendors. There didn’t appear to be much discussion of HIPAA/privacy.
I spend a great deal of time in my practice thinking about issues of privacy and security and HIPAA compliance and was therefore interested in seeing how the draft rules dealt with these.
Where is Privacy Considered Within Meaningful Use?
A rudimentary word search revealed that the first reference to privacy was found on page 77 of a 445 page document. That particular reference basically exorts eligible providerss”Oh, and hey, by the way, remember that thing called HIPAA!” Actually, the reference goes on to redeem itself a bit, because it then explicitly tells provider that HIPAA does not restrict a provider from giving the patient access to his/her clinical summaries. Indeed, the rule requires the patients be provided with their clinical summaries within 24 hours 50 percent of the time.
The next two references were music to this breach avoidance evangalist’s ears! The draft points out the vital nature of encryption and states that almost 40 percent of large breaches rep0orted to HHS involve lost or stolen devices. If these devices are properly encrypted, covered entities basically “get out of jail free.” Thorough risk analysis and security updates are also highlighted. http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf
The rule drafters take pains to highlight that discussion of certain HIPAA requirements within the context of defining Stage Two Meaningful Use does not in any way diminish the requirement that eligible providers adhere to all requirements of the HIPAA Privacy and Security Rules as well as state confidentiality rules. Additionally, those providing substance abuse and mental health services are reminded to review SAMHSA regulations. http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf
Stage Two also includes a requirement that Eligible Providers give patients the ability to access view, download and transmit their own health information within 4 business days of the information being available to the Eligible Provider. This is less a nod to HIPAA than it is to Fair Information Practice Principles, implemented in the 1970’s, which set forth minimum standards for allowing citizens access to information collected about them. http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf. These principles were instrumental in HIPAA’s development.
Meaningful Use Presupposes Some meaningful protection of PHI.
In sum, the Proposed Rule defining Stage Two of Meaningful Use highlight the need to ensure adequate protection for protected health information.
The #: meaningfuluseprivacy
The 140: Meaningful Use Stage 2 mentions HIPAA compliance & incorporates by reference more than emphasizing it.