CMS Releases New Meaningful Use FAQ for EPs using Hospital EHRs

CMS released a new FAQ on June 27 to help clarify to what extent an eligible professional (EP) can use a hospital EHR to meet Meaningful Use objectives and measures. The FAQ makes it clear that an EP can use both a certified ambulatory EHR and a certified inpatient EHR to demonstrate Meaningful Use. Therefore, provided that the ambulatory EHR is used to meet those measures for which the inpatient EHR is not designed (e.g., EP clinical quality measures, e-prescribing), a physician can use both to successfully attest.

ONC specifically lists the following measures as being flexible enough to use either inpatient or ambulatory EHRs:

  • 170.304(a) which is the same as 170.306(a); (CPOE)
  • 170.304(e) which is the same as 170.306(c); (clinical decision support rule)
  • 170.306(b) which is more comprehensive than 170.304(c); (demographics recorded as structured data)
  • 170.306(d) which is more comprehensive than 170.304(f); (electronic copy of health information) and
  • 170.306(f) which is more comprehensive than 170.304(i). (exchange key clinical information)

This and other CMS FAQs can be found on the CMS FAQ page, and the ONC FAQs are available on the ONC Regulations FAQ page. As a reminder, Tuesday, July 3, is the last day for hospitals and critical access hospitals to begin their 90-day reporting period for the fiscal year.

CMS FAQ 6421

Question: Can an EP use EHR technology certified for an inpatient setting to meet a meaningful use objective and measure?

Answer: Yes. For objectives and measures where the capabilities and standards of EHR technology designed and certified for an inpatient setting are equivalent to or require more information than EHR technology designed and certified for an ambulatory setting, an EP can use the EHR technology designed and certified for an inpatient setting to meet an objective and measure.  There are some EP objectives, however, that have no corollary on the inpatient side. As a result, an EP must possess Certified EHR Technology designed for an ambulatory setting for such objectives.  Please reference ONC FAQ 12-10-021-1 and 9-10-017-2 and CMS FAQ 10162 for discussions on what it means to possess Certified EHR Technology, ONC FAQ 6-12-025-1 for a list of affected capabilities and standards, and how that relates to the exclusion and deferral options of meaningful use.

OCR Releases HIPAA Audit Protocol as Audits Continue

Without pomp and circumstance, OCR made available its protocol for the HIPAA performance audits conducted pursuant to the HITECH audit requirement.  The Audit Protocol covers the Privacy, Security and Breach Notification Rules, delineating over 150 areas of performance evaluation.  OCR has completed the first set of 20 audits as of March 2012, with the next set of organizations being notified and audited on a rolling basis. 

With clear-cut references to each applicable standard and implementation specification, and the key performance criteria, activities and procedures for each, the Audit Protocol revolves largely around whether policies and procedures are in place to address each standard/implementation specification and the extent to which processes within the covered entity actually conform to these policies and procedures.  For example, one area of performance evaluation for assessing compliance with the Privacy Rule covers uses and disclosures for treatment, payment and health care operations, requiring the auditor to:

Inquire of management as to whether a process exists for the use or disclosure of PHI for treatment, payment or health care operations provided and whether such use or disclosure is consistent with other applicable requirements. Obtain and review the process and evaluate the content relative to the specified criteria used for use or disclosure of PHI for treatment, payment, or health care operations provided to determine whether such use or disclosure is consistent with other applicable requirements. Obtain and review a sample of training programs and evaluate the content relative to the specified criteria to determine the use or disclosure of PHI for treatment, payment, or health care operations provided is consistent with other applicable requirements.

Another critical set of audit procedures inquires about the policies and practices for accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, stating

Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.  Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.  Determine if the covered entity risk assessment has been conducted on a periodic basis.  Determine if the covered entity has identified all systems that contain, process or transmit ePHI. (emphasis added)

The Audit Protocol can easily be used by covered entities to self-assess their levels of compliance with all aspects of HIPAA and should be a light in the darkness for many organizations.  Although the Audit Protocol does NOT tell covered entities exactly how often they need to be conducting a risk assessment, conducting internal audits or reviewing their policies and procedures, how many patient records they should be self-auditing, and other "guarantees" for complying with HIPAA, it still provides a basic roadmap for covered entities to understand what they will be called upon to provide.  The Audit Protocol can and should be used to identify what policies, procedures and practices will be carefully scrutinized by OCR and whether the organization's existing policies and procedures would reasonably pass muster in the event of an audit.  It should also be used to assess the level of compliance by the organization's workforce with such policies and procedures, and the training materials used to educate new-hires and current employees. 

Some key areas that OCR has highlighted as problematic include HIPAA risk assessments and user activity monitoring (e.g., audit logs, access reports and security incident reports). OCR has previously provided guidance on conducting risk assessments (see HIPAA Security Standards: Guidance on Risk Analysis); however, as we continually see and as the audits have underscored, this remains a source of confusion and an area in which covered entities are frequently deficient. With Meaningful Use also requiring completion of a HIPAA risk assessment for each applicable reporting period, it is even more critical for providers and hospitals to ensure that they are periodically conducting comprehensive risk assessments. It remains to be seen whether CMS and State Medicaid EHR Incentive Program audits will result in recoupment of payments to eligible professionals and hospitals based on a failure to properly perform these risk assessments.

For more information on the OCR Audit Program, visit OCR's Audit page. HHS and OCR have also made available substantial resources for compliance with the Privacy Rule, as well as the Security Rule, including the Security Rule Educational Paper Series and links to various NIST Special Publications, all of which can be used to assess compliance with HIPAA. You can also check out live and video training workshops and other options on our Workshops page for workforce compliance, as well as our November "Health Law Diagnosis," which contains additional tips for preparing for an audit.

The $1.7 Million Flashdrive...Alaska Medicaid Settles HIPAA Violations

Even state agencies are not invisible to the all-seeing eye of OCR. The use, and subsequent theft, of an unencrypted flashdrive cost the Alaska Medicaid agency $1.7 million, according to the Office for Civil Rights (OCR) in a news release issued yesterday. According to OCR, an employee of the Alaska Department of Health and Human Services (ADHHS), the state's Medicaid agency, had an unencrypted flashdrive possibly containing PHI stolen from his car back in October 2009. ADHHS reported the breach promptly to OCR, which began an investigation in the beginning of 2010.

In the Resolution Agreement, OCR stated that ADHHS had failed to:

  • Complete a HIPAA risk analysis;
  • Implement sufficient risk management measures;
  • Complete security training for ADHHS workforce members;
  • Implement device and media controls; and
  • Address device and media encryption.

The Resolution Agreement requires ADHHS to revise and submit to OCR its policies and procedures relating to access to e-PHI, specifically with regard to tracking and safeguarding devices containing e-PHI, encryption, disposal and re-use of such devices, responding to security incidents, and appropriately applying sanctions for violations. In addition, ADHHS is required to conduct a risk assessment of the confidentiality, integrity and availability of e-PHI, and implement security measures sufficient to reduce the risks and vulnerabilities identified. The Resolution Agreement also requires ADHHS to provide specific training on the new policies.

We all know the considerable security risks that accompany the use of unencrypted flashdrives, laptops and other portable devices and media by employees, residents and other workforce members -- now with a hefty price tag of $1.7 million. Even for entities that have policies and procedures in place prohibiting use of such unencrypted devices, or that implement software that automatically encrypts any information saved to such devices, clearly communicating and enforcing these and the entity's other security policies and procedures is critical to avoiding security breaches and defending against potential OCR audits.

While encryption isn't per se required to be implemented by HIPAA, it is an "addressable" implementation specification of the Security Rule.  This means that you must assess whether encryption would be "reasonable and appropriate" for ePHI "at rest" and in transmission, and if not appropriate, clearly have in place alternative safeguards and mechanisms to secure electronic PHI.  It has become all too clear that not encrypting flashdrives, laptops, hard drives and other devices and media that can potentially leave the safety of your facility can not only result in a reportable security breach, but also some serious explaining to OCR when it comes knocking on your door. And remember, if a security incident occurs and the information that was stored or transmitted was encrypted, you are likely not required to notify patients that a security breach has occurred.  

To help assess whether your security management process will stand up to OCR review, keep an eye out for our next post reviewing the newly released OCR Audit Protocol for the HIPAA performance audits.

HITECH Omnibus Rule Out by End of Summer

HealthDataManagement reports that the HITECH "Omnibus Rule" is due to be released by the end of the summer, according to Farzad Mostashari, the National Coordinator for Health Information Technology within the Office of the National Coordinator for Health Information Technology (ONC). The announcement was made during his keynote at the 2nd International Summit on the Future of Health Privacy last week. The two-day Summit brought together leading experts in health privacy, focusing on the privacy implications of the digitization and electronic exchange of health information.

The long-awaited Omnibus Rule, which would implement HITECH modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as well as address the Genetic Information Non-Discrimination Act (GINA), was sent for review before publication to the Office of Management and Budget (OMB) at the end of March.  Ordinarily, the OMB has 90 days to review regulations, subject to certain extensions. 

Of particular interest are regulations expected to clarify business associate liability, new restrictions on marketing and fundraising, and data breach enforcement and penalties, among others.  A final regulation on the HITECH changes to the HIPAA Accounting of Disclosure requirements is also expected, although it is unclear whether it will be released part and parcel with the HITECH Omnibus Rule. The Proposed Accounting of Disclosures Rule was published for public comment in May of 2011. 

During the keynote, Mostashari emphasized the importance of technical and cultural considerations to keep privacy protections at the center of ONC's efforts and activities, expanding the adoption of EHRs, and increasing public trust in electronic exchange of health information, saying,

"You can't get information exchange unless there's trust. We can't get a learning health system unless there's trust."

Mostashari noted that ONC is currently working with vendors to develop information system privacy functionalities "by design", with the goal of having privacy protections built into each information system, for example, encrypting personal identifiers when exchanging data. Stating that patients should never hear,

"Sorry, I can't give you your health records because of HIPAA",

Mostashari also noted the need for patients to be better educated on their privacy rights, in particular, how their information is used and how to submit complaints about violations or concerns, as well as for providers themselves to have a better understanding of their obligations under HIPAA. 

Mass. AG Levies 750k Judgment on Hospital for Data Breach

Massachusetts Attorney General Martha Coakley announced on May 24, 2012 having reached a settlement agreement with South Shore Hospital for failure to protect personal and confidential health information of over 800,000 patients. 

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment requires South Shore Hospital to pay a total of $750,000, including $250,000 in civil penalties and $220,000 towards an education fund for protection of PHI and personal information.  However, South Shore Hospital did receive a "credit" for security measures it implemented after the breach occurred of $275,000, leaving only $475,000 payable. 

The consent judgment also requires South Shore Hospital to undergo audit and report results of certain security measures, as well as take steps to ensure compliance with HIPAA business associate provisions and other federal and state security requirements.  In addition to failure to comply with HIPAA business associate obligations, South Shore Hospital also failed to comply with HIPAA and state obligations to implement appropriate safeguards, policies, and procedures to protect patient information, and appropriately train its workforce in safeguarding the privacy of PHI. It also neglected to ensure that the contractor itself had procedures in place to protect such PHI, according to the AG. 

Three boxes full of unencrypted computer backup tapes had been sent to a subcontractor of Archive Data Solutions in 2010 to be erased and resold; however, the subcontractor only received one of the boxes and the remaining two were never recovered.  According to the AG's office, South Shore Hospital did not have a business associate agreement in place with the contractor nor had it informed Archive Data that the backup tapes contained PHI.

The backup tapes contained Social Security Numbers, names, financial account numbers, and medical diagnoses. As reported by HealthDataManagement, South Shore Hospital had determined in July 2010 that the loss of the backup tapes was not a breach requiring individual notice to affected and potentially affected individuals. Rather, it posted a prominent notice on its website, citing state law provisions permitting alternative notification where costs would exceed $250,000 or where over 500,000 residents are affected.

It is unclear whether this breach was reportable and therefore actually reported to the Department of Health and Human Services (HHS) under the HITECH Breach Notification Rule.  Although the PHI here was unencrypted and therefore "unsecured" within the meaning of the HITECH Breach Notification Rule, covered entities are also required to conduct an assessment to determine whether an incident poses a "significant risk of harm" to the individual(s) that would give rise to a reportable breach.  Most importantly, a breach in and of itself does not automatically mean a HIPAA violation has occurred.

If a covered entity determines that there was a breach, all affected individuals and individuals reasonably believed to be affected are required to receive written notice of the breach, as is HHS where over 500 individuals have been affected. HITECH also permits alternative notification, but only where the contact information of an individual is incomplete or where written notice has been returned undeliverable to the covered entity attempting to notify such individual of a reportable breach.

Aside from South Shore Hospital's obvious failure to obtain a business associate agreement and apparently even to inform Archive Data that it was a business associate subject to certain HIPAA provisions, it is unclear what else South Shore Hospital did or failed to do that contributed to the 750k settlement agreement and the other alleged HIPAA and state law violations. The AG's office noted that multiple shipping companies had handled the backup tapes, but did not otherwise indicate whether it was the lack of policies and procedures for safeguarding PHI and for training the workforce in such safeguards that resulted in the missing backup tapes (again, a breach itself does not automatically mean a HIPAA violation has occurred) or whether the focus was on the hospital's overall HIPAA and state law compliance program.

What is even more noteworthy is that the AG stated South Shore Hospital failed to determine whether Archive Data had sufficient safeguards in place to protect the PHI it would receive on the backup tapes prior to destruction.  This clearly places an obligation upon covered entities to go beyond ensuring that the business associate agreement itself is in compliance with HIPAA by requiring the business associate to implement reasonable safeguards to protect PHI.

While covered entities have always been, and should be, responsible for appropriate oversight and monitoring of their business associates, just how far is a covered entity responsible for going?  Does a hospital need to request that the business associate provide copies of its policies and procedures for safeguarding PHI? Policies and procedures for data destruction or erasing data?  Information on how its staff is trained on the business associate's obligations under HIPAA and the business associate agreement? 

And if a hospital is not satisfied with a business associate's policies and procedures, can it require additional safeguards and processes be implemented? Should a hospital also require notification by a business associate of potential breaches and security incidents to safeguard against bad calls? With business associates frequently resisting the inclusion of any provisions in a business associate agreement beyond the bare minimum required by HIPAA, covered entities may find it increasingly difficult to provide the required levels of oversight, safeguards and assigned responsibility.

With over 22% of reported breaches since 2009 involving business associates, as reported by HealthcareInfoSecurity, and with only one case (see the Minnesota AG case against Accretive Health) so far targeting business associates directly for HIPAA violations, covered entities remain liable for the actions of their business associates, even though business associates are now directly subject to certain HIPAA provisions. Covered entities also bear the brunt of a breach, as it is their patients who may be seriously harmed. As the allocation of liability for breaches and other security incidents between a covered entity and the business associate involved remains quite uncertain for now, the business associate regulations (expected "soon" ever since last year) will be a welcome ray of clarity for covered entities and business associates alike.