There's been a lot of hoopla surrounding some of the more eye-catching provisions of the two final rules released last week defining and setting the standard for Stage 2 of Meaningful Use.
But one of the most significant aspects of these rules is how intertwined they are with HIPAA's privacy and security requirements, despite the fact that many of the 6,100-odd commenters on the proposed rules asked the Centers for Medicare & Medicaid Services to remove the redundancies. It highlights that keeping electronic records secure, and allaying patient fears about that security, is a high priority for the government.
For instance, conducting an effective risk assessment of electronically protected health information and safeguarding the data from vulnerabilities now is officially part of both HIPAA's security rule and the Stage 2 rule, although the requirements aren't completely identical. Risk assessments conducted for Meaningful Use purposes must more specifically address encryption of data stored in the electronic health record than do risk assessments for HIPAA's security rule. Providers also have to conduct a risk assessment every year under the Meaningful Use program, since it's an annual program; HIPAA doesn't require an annual risk assessment, Holland says.
Yet while the final Stage 2 rules adopted most of the HIPAA-related provisions contained in the proposed rule, there are some notable differences, including
1. Encryption as default setting: The proposed rule said that encryption should be enabled as the default setting on EHRs, and the ability to disable it should be limited. This is not in the final rule.
2. Accounting for disclosures: The rule expanding the accounting for disclosure obligations for patient data in electronic form is not yet final, and the proposed Stage 2 certification rule recommended that this be an "optional" criterion to meet the Stage 2 certification obligations. However, the Office of the National Coordinator for Health IT had requested public comment on whether the 2014 edition of EHRs must have the capabilities to meet the upcoming accounting for disclosures requirement. ONC kept this "optional" in the final rule in response to the overwhelming number of comments on that point.
1. Amendments: The proposed certification rule included particular technical requirements when dealing with patient requests to amend their electronic data. The final rule allows for more flexibility in this technical capability.
The bottom line: If you're complying with HIPAA you should be able to meet Stage 2 of Meaningful Use.
But this marriage of two sets of rules does raise the bar (and the stakes) even higher since if you're not complying with one, you're in violation of both.
Your risk assessment can be very time-consuming and complicated. You can rest assured that we at Healthcare Compliance Pros can give you all the help you need in completing it.