Healthcare data and privacy have been a priority for lawmakers and IT professionals for decades. Maintaining privacy related to health information, and giving ownership and agency over disclosure to patients, drives current regulations around Personal Health Information (PHI). The most important of these regulations, HIPAA, has undergone various changes and revisions over time to meet modern security demands. One of these changes, the implementation of HITECH and digital record keeping, includes several additional rules on managing digital health records, including the concept of “meaningful use.”
Here, we will discuss what it means when HITECH legal language encourages the meaningful use of health records and how that can impact compliance and security.
What Are HITECH and Electronic Health Records (EHR)?
HIPAA was conceived and passed in the 1990s. While society was well on its way towards a digital-native culture, not all industries or organizations were keeping up at the same pace. In the healthcare industry especially, many compliance and security professionals saw offices still using paper records or insecure combinations of paper and digital documents.
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law refined and revised some language in the main body of HIPAA regulations while, at the same time, incentivizing healthcare institutions to adopt strictly digital record-keeping systems.
With that fact in mind, one of the central priorities of HITECH is the adoption of Electronic Health Records (EHR) by all healthcare organizations. It promoted EHR adoption through a dual approach of providing financial incentives around the adoption of EHR and more severe penalties for breaches and violations of HIPAA rules for organizations not implementing EHR.
Beyond these specific approaches, the HITECH Act commits the law to the idea that adopting modern EHR will provide greater security for PHI. Furthermore, these digital systems will increase the overall quality of healthcare, patient safety, and service efficiency.
The HITECH Act was wildly successful, with up to 86% of providers adopting complete EHR systems by 2018. However, this success story doesn’t mean that these providers could simply implement whatever digital systems they wanted. These EHR systems are required by law to follow regulations specifying the “meaningful use” of EHR.
What is Meaningful Use, and How Does it Relate to EHR?
The Meaningful Use Program, managed by the Centers for Medicare and Medicaid Services (CMS), was launched by the Department of Health and Human Services (HHS) to provide financial incentives for organizations to implement certified technology that improves the quality of care for patients.
This definition seems a bit vague on the surface, a fact that has vexed cybersecurity professionals for years. HHS, however, defined the “five pillars of health outcomes” to help vendors and security firms better gauge if technology fell under meaningful use.
These pillars require that certified technology accomplish the following:
- Improve the quality, safety and efficiency of healthcare overall and reduce health disparities.
- Engage patients and families about healthcare provision, patient concerns, etc.
- Improve coordination of care between organizations, departments and doctors.
- Improve public health through the improvement of general healthcare.
- Ensure the privacy and confidentiality of patient PHI as dictated by HIPAA.
The short answer for technology implementation falling under meaningful use is that it must improve care and provide real value to patients in terms of service or privacy. So, for example, an electronic prescription system would fall under meaningful use.
One of the major components of the Meaningful Use Program is that when organizations meet these criteria, they can receive financial compensation from the government as an incentive.
Recently, the CMS rebranded the Meaningful Use Program as the Promoting Interoperability Program. While the concept of meaningful use isn’t gone, it has been folded into a larger concern around how healthcare systems operate with one another.
The shift to the Promoting Interoperability Program maintains financial incentives for organizations and adds requirements for those incentives, including the following:
- Developing systems with straightforward interoperability in terms of infrastructure, file management and file types.
- Improving patients’ ability to access their own PHI.
To assess their preparedness for these requirements, organizations must attest to a subsection of 6 reporting measures:
- Immunization Registry Reporting
- Syndromic Surveillance Reporting
- Electronic Case Reporting
- Public Health Registries Reporting
- Clinical Data Registries Reporting
- Electronic Reportable Laboratory Test Reporting
Hospitals must attest to four of these six measures, while providers must attest to at least two.
What Is a Meaningful Use Audit?
While there are different incentives and criteria for determining meaningful use, the bottom line is that your organization will have to undergo a meaningful use audit as part of an overall HIPAA assessment.
As a baseline, if you’ve implemented certified technology and received EHR incentive payments, you are eligible for audits for six years. These audits will require that you prove meaningful use of your technology, not just currently but up to six years prior as well.
In terms of making it through an audit, however, there are some basic approaches:
- Keep Logs to Prove Attestation: You’ll need to demonstrate that your systems meet meaningful use criteria, and in many cases, this evidence isn’t cookie-cutter information. It’s logs or reports related to technology use in your infrastructure that directly show how that technology positively impacts patient care.
- Manage Upgrades and Reporting: Audits will look for proper attestation for six years prior, which means you must show that your systems met requirements for up to six years before the audit. You cannot upgrade to a compliant system mid-year and avoid providing reports from the first half of that year.
- Work with HIPAA Experts: You may not have a clue as to what information you’ll actually need to provide during an audit. A security firm with expertise in HIPAA, HITECH and meaningful use can help you understand where you should pull data to show compliance.
- Automate Reporting: Alongside consulting with experts, also make sure you’re automating reports and documents. This process will make it easier to obtain compliance information that can streamline audits.
Manage HIPAA, HITECH and Meaningful Use Audits with Lazarus Alliance
Lazarus Alliance is an established and experienced compliance firm supporting clients seeking certification in industries like healthcare. Our team can help you assess your IT infrastructure for HIPAA compliance and, as part of that, help you inventory your systems and determine whether you are meeting meaningful use standards.
Ready to Get Started with HIPAA and HITECH Compliance?
Call Lazarus Alliance at 1-888-896-7580 or fill out this form.