The HITECH Act established the regulations and guidelines for the adoption of EHRs, to be demonstrated through a variety of meaningful use objectives. HITECH Meaningful Use Stage 2, which started in 2014, establishes stricter regulations for the privacy and security rules of HIPAA and focuses on encryption of ePHI while using advanced clinical processes. The attention is now on the security of EHRs during the exchange of information between professionals and during online access of records by patients. Rather than demonstrating that in-house use of EHRs by internal staff is secure and protects patient privacy, Meaningful Use Stage 2 focuses on what happens during outside interactions, either with other professionals or with patients. This is referred to as direct exchange of information, and many practitioners will find that they need to upgrade existing IT systems in order to meet these up-to-date HIPAA standards.
Direct exchange of information requires practitioners to swap information securely even though they are using two different EHR systems. Many providers have jumped through hoops to ensure their EHR met the requirements for MU Stage 1 and know how to demonstrate this fact under a worst-case-scenario HIPAA audit. Given the attention that went into establishing an EHR, with all the accompanying documentation, attestation forms and often follow-up documents, providers may not recognize the limitations of their HIPAA compliance software now that MU Stage 2 has just begun. Many providers found that, even with incentive funds, the software systems they needed to adopt to become HIPAA compliant were over their budgets. Some decided to buy software that came in modules so that they could limit spending during years one and two, putting off purchasing the additional modules with the functions needed to meet the objectives of Stage 2 until necessary.
Unfortunately, it is now necessary, and some providers are no longer fully aware of what was purchased and what would need to be upgraded. Others are mistaking their system's capacity to automatically update existing functions for the ability to automatically add new functions to the program. Still others may simply not realize that the ability to pull up information from their own EHR system does not automatically mean that breaches will not occur when exchanging information with systems from other vendors. Regardless of whether or not you believe the software you originally purchased to establish your EHR had the functions to ensure you were compliant with the requirements after MU Stage 1, all providers need to check their HIPAA compliance software, at a minimum, to ensure the most current updates have been installed.
The clear place to start is conducting a thorough risk analysis with extended focus on the ability of your EHR software to encrypt data for the purposes of exchange. The analysis of encryption capabilities, while not officially mandated for MU Stage 1 compliance, is being strongly encouraged. All risks higher than what is deemed reasonable must be mitigated, and all anticipated threats should also be identified and included, along with the intended remediation plans, in the organization's policy and procedure manual. Those who choose to use a different method of securing and transmitting data must have a strong reason for doing so and be able to explain it for attestation purposes. Anyone choosing to use a data security strategy other than encryption should contact OCR to determine whether the method they intend to use will meet general and Meaningful Use requirements.
When considering new HIPAA compliance software, or determining whether the software you are using has all the functions needed to be compliant with MU Stage 2 (or MU Stage 1 if you have not yet achieved Stage 1 compliance), several areas should be examined:
- Conduct a self-audit of all systems and requirements. This function should be clear and easy to use by a range of staff within the organization, not just those in the IT department. The audit questions should be role-specific and simply phrased so that all appropriate personnel can quickly and accurately complete their section of the questionnaire.
- Set up notifications and alerts. Staff and business associates need to be notified so that they complete their section of the audit questionnaire.
- Remediation plan and recommendations. Your HIPAA compliance software should be able to use the findings from the audit questionnaire not only to identify areas where remediation is needed, but also to provide recommendations for potential remediation solutions.
“It is key to provide your organization with a system that helps it organize all documentation for the purposes of policy management, training and attestation. The proper software is also vital for capacity for any IT solutions you decide to use.” - Joe Bilello of Compliancy Group LLC
Innovation is the name of the game in information technology. Companies that do not continually improve the programs they offer and design new programs on a regular basis do not survive. This applies to HIPAA compliance software as well. The competition is so great that new systems, software programs and specific function updates are now available that are even more advanced and provide increased protection over systems available even six months ago. This means that even if you are convinced you purchased everything necessary to comply with MU Stage 2, you may find that your vendor has newer options available that will make HIPAA compliance for MU Stage 2 easier. I'm sure anyone required to put in place new HIPAA requirements after feeling like they have run an obstacle course to meet the requirements for Stage 1 would agree: the easier, the better.

Be aware that those entities who did not yet attest for Meaningful Use Stage 1 will be required to comply with altered requirements as set forth in the Omnibus Final Rule, starting with 2014 reporting periods. These new requirements include compliance with direct exchange and other transmission guidelines and the adoption of an EHR IT system that is HIPAA certified for 2014. Whether you are working towards attesting to compliance with Meaningful Use Stage 1 or Stage 2 requirements, it is crucial to make sure your software solutions successfully secure all transmission or exchange of ePHI, regardless of the specifications of the systems your software may be required to interact with.