Do the proposed changes to “meaningful use” mean the end of risk assessments?

by Yenny (SU)

Technology sometimes changes faster than regulations can keep up. Laws and incentives that are part of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) were designed to encourage the adoption of electronic health records to replace paper and streamline communications. The Centers for Medicare and Medicaid Services (CMS) now refers to a new level of information sharing, one that remains as secure as the laws require, as “interoperability.” This term replaces “meaningful use.” What does this mean for compliance?

These changes do not affect the requirement for security risk assessments. Providers will still be required to have a security risk assessment in order to qualify for incentives.

“Promoting Interoperability”

In 2009, HITECH introduced standards for the security of electronic health records (EHR) and promoted their adoption and “meaningful use.” In an attempt to optimize the use of secure technology and make healthcare records more accessible to patients, the CMS seeks to eliminate 225 criteria of “meaningful measures” from the program. Regulators expect that these changes will greatly reduce the administrative burden that compliance places on providers.

One former requirement that will not be in the new iteration is the VDT, or view, download and transfer measure. This rule made it mandatory for a patient to access his or her EHR after being discharged, and view the records, download them, and/or transfer them to another provider. While hospitals can and should make this feature available to their patients, and educate patients about and market their patient portal, it is unreasonable to require patients to take advantage of it. There is no way to force patient compliance through regulating the hospital.

The interoperability mentioned in the new proposal refers to giving patients greater control and responsibility for the management of their health records. One goal of the measures is to revamp the system in which a patient must take one or several steps to request his or her own medical records, wait for them to be provided by the healthcare facility, and sometimes even pay for them. Portals that include an interface that is compatible with other systems will allow patients to view, compare, and send records among their providers. This will also have the effect of reducing the time and effort of transmission and administration within the medical practice.

Risk Assessments

Conducting an annual security risk analysis was included among the objectives of stage 3 of the meaningful use clause in HITECH. Under the new measures, the hospital is required to perform a risk assessment to demonstrate security compliance in the year of EHR reporting for the purpose of attaining or maintaining incentives. The CMS sees an annual risk assessment as an integral part of data security: although it will no longer be scored as part of the program, it remains a vital procedure that the hospital will need to attest to.

HIPAA Resources

When navigating the new measures or maintaining your current compliance, the dedicated experts at Colington Consulting can professionally handle security, privacy and breach rule assessments, training, documentation, and recommendations for your practice. Our experienced HIPAA consultants will give you and your employees the help you need to maximize your benefits under the current and any new regulations and Promote an Interoperability Program. Call (800) 733-6379 today for your free quote.