Guest post by James Hofert, Roy Bossen, Linnea Schramm and Michael Dowell of Hinshaw & Culbertson.
In 2013, healthcare industry stakeholders, including associations, EHR vendors, practitioners and providers, raised significant concerns relating to the implementation timing of meaningful use Stage 2 and 3 criteria, including problems with interoperability, usability and regulatory failure to assess “value added” by implementation of meaningful use criteria to date. On December 6, 2013, federal officials announced that Centers for Medicare and Medicaid Services (“CMS”) were proposing a new timeline for the implementation of meaningful use stage criteria for the Medicare and Medicaid Electronic Health Record (“EHR”) incentive programs. The Office of the National Coordinator for Health Information Technology (“ONC”) further proposed a more regular approach for the update of ONC’s certification regulations.
Under the revised timeline, Stage 2 will be extended through 2016 and Stage 3 will begin in 2017 for those providers had completed at least two years in Stage 2. The goal of the proposed changes is twofold; to allow CMS and ONC to focus efforts on the successful implementation of the enhanced patient engagement, interoperability and health information exchange requirements in Stage 2, as well as evaluate data from Stage 1 and Stage 2 compliance, to date, to create and form policy decisions for Stage 3.
Roy Bossen
CMS expects to release proposed rulemaking for Stage 3 in the fall of 2014, which may further define this proposed new timeline. Stage 3 final rules would follow in the first half of 2015.
Despite CMS’s positive response to stakeholders concerns relating to the timeline for implementation of Stage 2 and Stage 3 meaningful use criteria, significant reservations continue to be enunciated, on a monthly basis, by providers at both Health information technology (“HIT”) policy committee and work group meetings. Providers continue to urge rule makers to institute consensus standards that could be adopted broadly across the healthcare industry to ensure both usability and interoperability.
In early 2013, former national coordinate Farzad Mostashar chastised electronic health record vendors for improper behavior in the marketing and sales of systems that continued to frustrate interoperability goals. This frustration with EHR vendors continues to be enunciated in HIT policy committee and work group meetings as recently as January of 2014.
With the implementation of the Affordable Care Act pushing hospitals and health systems to provide services more efficiently, a significant number of hospitals, health systems and providers are sharing secure patient information through health information exchanges (“HIEs”), and accountable care organizations (“ACOs”). The advent of both the HIEs and the ACOs are additional opportunities for protected health information to be shared by hospitals, doctors and other providers.
HIEs allow for patient information, including lab tests, imaging tests, prescriptions and treatments, to be shared by the participants in the HIE. The development of these electronic HIEs allow for the secure exchange of health information among entities participating in the HIE. Generally, the rights and responsibilities of those entitled to share the information is governed by participation agreements. Many providers believe that sharing data will improve healthcare and promote not only quality of care, but efficient care, as well. Similarly, the development of ACOs by otherwise independent providers results in more patient information shared in electronic fashion. The advent of both HIEs and ACOs provide another medium for possible breaches of the privacy rule.
The privacy rule requires that covered entities verify the identity and authority of persons requesting Protected Health Information (“PHI”) if the individual requesting it is not known to the entity. The Rule, however, does not specify in great detail the verification that must be made and, thus, there is flexibility that can be applied with regard to HIEs and ACOs.
Generally, in a HIE, the participants agree, by contract or otherwise, to provide to the HIE a list of authorized persons so the HIE can appropriately authenticate users of the network. Documentation required for uses and disclosures may be provided in electronic form, and documentation requiring signatures may be provided as scanned images. It is important from an HIE perspective for the various participants to agree on a common set of privacy safeguards that are appropriate to the risk associated with exchanging PHI to and through the HIE. Similarly, with ACOs, the ACO should establish a common set of privacy safeguards that are appropriate to the privacy risks associated with multiple providers using PHI. These common standards would include a breach notification policy or procedure. To fully understand what must be done, one must have a basic understanding of what is considered a breach.