Meaningful Use Stage 2 Compliant EHR
Many practices have been busy attesting to Meaningful Use (MU) objectives, many of which pertain to HIPAA privacy and security. Privacy- and security-related MU measures include those that address the protection of electronic protected health information (ePHI) from unauthorized access. These measures also allow patients themselves to access their own ePHI. This article explores several MU measures that relate to keeping patients’ ePHI private and secure. Physicians must be aware of these measures and take steps to ensure compliance.
Privacy and security measures embedded in MU Stage 2
MU Stage 2 requires eligible professionals (EP) to report 17 core objectives and three out of six menu objectives. Several of the core objectives include privacy- and security-related measures, such as:
- Provide patients the ability to view online, download and transmit their health information
- Provide clinical summaries for patients for each office visit
- Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical, administrative, and physical safeguards
- Use secure electronic messaging to communicate with patients on relevant health information
The importance of using a certified EHR cannot be overstated. Certified EHR technology helps accomplish the following goals:
- Provides the technological capability, functionality, and security to help EPs meet MU criteria
- Gives providers and patients a basis for confidence that the systems they use implement the required security capabilities and can maintain data confidentiality (certification covers what the software is capable of; how the practice configures, operates, and monitors it still determines whether ePHI is actually protected, which is why the risk analysis objective exists)
What to expect in proposed MU Stage 3?
Protection of ePHI is also a strong theme in the proposed MU Stage 3. Following are several notable changes:
- EPs must provide patients with the ability to view online, download, and transmit their health information within 24 hours if generated during the course of a visit (labs or other types of information not generated within the course of a visit must be available to the patient within four business days)
- EPs must be able to receive patient-generated health data via secure messaging or structured/semi-structured questionnaires
- EPs must provide office visit summaries to patients or their representatives with relevant, actionable information and instructions pertaining to the visit (summaries should be shared in a format of the patient’s choosing)
- EPs must conduct or review a security risk analysis for each EHR reporting period (i.e., every calendar year)
The HIT Policy Committee Workgroup published a helpful side-by-side comparison of Stages 2 and 3 so physicians can better understand the implications of any proposed new or revised requirements.
How to ensure protection of ePHI under MU Stage 3?
Not surprisingly, 18% of respondents to a recent survey conducted by QuantiaMD said protecting ePHI would be the most difficult MU Stage 3 proposed measure for physicians to meet. In April, the Office of the National Coordinator for Health Information Technology published a Guide to Privacy and Security of Electronic Health Information that includes a 7-step approach to implementing a security management process:
- Step one: Lead your culture, select your team, and learn
- Step two: Document your process, findings, and actions
- Step three: Review existing security of ePHI
- Step four: Develop an action plan
- Step five: Manage and mitigate risks
- Step six: Attest for MU security-related objective
- Step seven: Monitor, audit, and update security on an ongoing basis
As providers continue to implement EHRs, they must keep the privacy and security of ePHI in mind. This is important not only in terms of protection of information but also in terms of meeting MU requirements. Work with your certified EHR vendor to ensure that all current requirements are met and that proposed requirements can be met in the future.