Risk Analysis Requirement Survives 'Meaningful Use' Revamp
CMS Proposes Major Overhaul of EHR Incentive Program, Emphasizing Interoperability
Federal regulators are proposing an overhaul to requirements for the "meaningful use" electronic health record incentive program - as well as a name change - to emphasize a focus on interoperability.
But despite the many changes, the current program requirement for participating healthcare providers to attest to having conducted a security risk assessment would remain.
To better reflect the new focus on interoperability, the Department of Health and Human Services' Centers for Medicare and Medicaid Services, which administers the EHR incentive programs, says it has re-named the "meaningful use" program - which was created under the HITECH Act of 2009 - the "Promoting Interoperability" program.
In a statement Tuesday, CMS said it was "overhauling and streamlining" its EHR incentive programs for hospitals, as well as for the Advancing Care Information performance category of the related Merit-based Incentive Payment System (MIPS), which is one track of the agency's Quality Payment Program for eligible clinicians.
The changes "will move the programs beyond the existing requirements of meaningful use to a new phase of EHR measurement with an increased focus on interoperability and improving patient access to health information," CMS said.
CMS said the proposed changes - which include a focus on application programming interfaces to help patients access health data and healthcare providers exchange it - are aimed at empowering patients and reducing administrative burdens on healthcare organizations.
"The proposed policies ... strengthen interoperability or the sharing of healthcare data between providers," CMS says.
CMS notes that the proposed rule reiterates the requirement for providers to use the 2015 Edition of certified EHR technology in 2019 as part of demonstrating meaningful use to qualify for incentive payments and avoid reductions to Medicare payments.
"This updated technology includes the use of application programming interfaces, which have the potential to improve the flow of information between providers and patients," CMS says.
Patients could collect their health information from multiple providers and potentially incorporate all of their health information into a single portal, application, program or other software, the agency says.
"This can support a patient's ability to share their information with another member of their care team or with a new doctor, which can reduce duplication and provide continuity of care," CMS says.
The overhaul would result in the elimination of 25 "meaningful measures" across the five related incentive programs, "with well over 2 million burden hours reduced for hospital providers impacted by the proposed rule, saving them $75 million," CMS says.
One such requirement slated for elimination is the "view, download or transmit" measurement for patient access to their health information.
CMS notes: "The VDT measure requires at least one unique patient (or their authorized representative) discharged from the eligible hospital ... to access their health information through the use of an API, view, download or transmit their health information to a third party or a combination of both. Hospitals and hospital associations have indicated that, although they can encourage their patients to access their data electronically and through this type of platform, it is beyond their control to require such action."
Instead, a proposed measurement includes having participating hospitals ensure that "the patient's health information is available for the patient - or patient-authorized representative - to access using any application of their choice that is configured to meet the technical specifications of the API in the eligible hospital."
In CMS' 1,883-page proposed rule published on Wednesday in the Federal Register, the agency notes that the Medicare and Medicaid EHR incentive programs have been broken into three stages primarily focused on data capture and sharing, advanced clinical processes, and improved outcomes.
"In this proposed rule, we are proposing scoring and measurement policies to move beyond the three stages of meaningful use to a new phase of EHR measurement, with an increased focus on interoperability and improving patient access to health information."
While some current MU requirements, such as the VDT measure, are slated for the waste bin under the proposals, an important security-related requirement - conducting a security risk analysis - will continue, more or less becoming a prerequisite for participating in the incentive programs.
The proposed rule notes that the current meaningful use Stage 3 objective, "protect patient health information," and its associated measure, security risk analysis, would remain part of the program but would no longer be scored as part of the objectives and measures.
"To earn any score in the Promoting Interoperability Program, we are proposing eligible hospitals and critical care hospitals would have to attest that they completed the actions included in the security risk analysis measure at some point during the calendar year in which the EHR reporting period occurs."
The proposed rule notes that the HIPAA Security Rule requires covered entities to conduct a risk assessment of their healthcare organization. "The risk assessment requirement [under the incentive program] will help eligible hospitals to comply with HIPAA's administrative, physical, and technical safeguard," CMS notes in the proposed rule.
"We believe that every eligible hospital ... should already be meeting the requirements for this objective and measure as they are required by HIPAA," the proposed rule notes.
"We still believe this objective and its associated measure is imperative in ensuring the safe delivery of patient health data. As a result, we would maintain the security risk analysis measure as part of the Promoting Interoperability Program, but we would not score the measure."
As part of CMS' request for public comment on the proposed rule, "we are seeking ... comment on whether the security risk analysis measure should remain part of the program as an attestation with no associated score, or whether there should be points associated with this measure."
HHS is accepting public comment on the proposed rule for 60 days.
Beef Up Requirements?
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says he would like to see the meaningful use revamp proposals include beefed-up security requirements.
"Conspicuously missing from this proposed rule making is discussion or recognition of the threat posed by poor cybersecurity practices that allow threats including malware and ransomware to spread," he says.
"The HIPAA Security Rule is an outdated approach to address or identify the attributes that would help organizations defend and respond to today's cybersecurity threats. CMS is missing an opportunity to advance healthcare's ability to defend and respond to cybersecurity threats by incentivizing healthcare organizations in fighting the greatest threat to security of EHRs."