One area of emphasis in the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. No. 111-5) is expanding the use of health information technology, both in terms of storing and managing medical records in electronic form and in terms of facilitating the exchange of the information those records contain. The Recovery Act included significant funding for incentive payments to healthcare providers that adopt electronic health record (EHR) technology; these incentives require eligible providers not only to acquire and install systems, but also to demonstrate “meaningful use” of electronic health records (§4101). The criteria for showing meaningful use were defined in a Notice of Proposed Rulemaking released on December 30, 2009 and subsequently published in the Federal Register (Proposed Rule, 75 Fed. Reg. 1858 (Jan. 13, 2010)), along with an Interim Final Rule detailing standards, implementation specifications, and certification criteria for the EHR systems providers use (Interim Final Rule, 75 Fed. Reg. 2028 (Jan. 13, 2010)). Following a 60-day comment period (through March 15, 2010), the meaningful use criteria will be finalized as the mechanism for implementing the incentive payment provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the Recovery Act. (Comment period notwithstanding, the Interim Final Rule took effect on February 12, 2010.) The rules are organized around five policy priorities specified by the Health IT Policy Committee, one of two advisory bodies (the other is the Health IT Standards Committee) created under the Recovery Act. These priorities are:


1. Improve quality, safety, and efficiency, and reduce health disparities
2. Engage patients and families in their healthcare
3. Improve care coordination
4. Improve population and public health
5. Ensure adequate privacy and security protections for personal health information


This article focuses on the criteria associated with the fifth policy priority, privacy and security protections for personal health information, and in particular on the lack of privacy-specific requirements in the meaningful use rules. For 2011 there is a single meaningful use measure for privacy and security: “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.” The regulation cited is part of the rules implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA); more familiarly, the requirement for HIPAA-covered entities to conduct regular risk analyses is one of the administrative safeguards in the HIPAA Security Rule. The reference to HIPAA is intentional: by aligning the measure with an existing HIPAA requirement, the intent is to help the eligible professionals and eligible hospitals that are the subject of the meaningful use rules improve their privacy and security practices in general.


For HIPAA-covered entities seeking to qualify for health IT incentives, the fact that the privacy and security measure is already an obligation under HIPAA should in theory make it easy to satisfy: the HIPAA Security Rule took effect in April 2003, and the compliance deadline passed in April 2005 for most covered entities and in April 2006 for small health plans. Despite this requirement, not all healthcare organizations comply. A 2009 security survey of 196 senior-level healthcare professionals conducted by the Healthcare Information and Management Systems Society (HIMSS) found that only 74 percent of their organizations perform risk analyses at all, and that just over half of those (55 percent) do so at least annually. Taken together, those figures imply that only about 40 percent of healthcare organizations perform a risk analysis at least once a year, that roughly 60 percent do not, and that about a quarter perform none at all; similar proportions therefore appear unprepared to satisfy the privacy and security measure for meaningful use.

Privacy and meaningful use

Despite the word privacy in the fifth policy priority, as the meaningful use measures and certification criteria currently stand there are no specific privacy requirements that must be met to demonstrate meaningful use. However, the healthcare providers, professionals, and organizations eligible to seek incentive funding, and thus subject to the meaningful use determination, are without exception HIPAA-covered entities, so the assumption is that their obligations under the HIPAA Privacy Rule make a separate meaningful use privacy requirement redundant.


The Privacy and Security Policy Workgroup of the Health IT Policy Committee has proposed, in its comments and recommendations on the meaningful use rules, that an explicit requirement be added obligating eligible entities to demonstrate compliance with the HIPAA Security and Privacy Rules as a stage one objective for 2011. The rationale is less about strengthening the privacy provisions in the rules and more about ensuring that an entity cannot be considered to have met meaningful use requirements if it has been found liable or fined for a HIPAA violation. The Notice of Proposed Rulemaking (Proposed Rule, 75 Fed. Reg. 1858 (Jan. 13, 2010)) notes a somewhat broader recommendation to include language requiring compliance with both the HIPAA Privacy and Security Rules and the fair data sharing practices in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, released by the Office of the National Coordinator (ONC) in December 2008. HHS determined, however, that meaningful use is not the appropriate regulatory tool to ensure such compliance and declined the Health IT Policy Committee’s request to make compliance a formal requirement, while acknowledging that the use of certified EHR technology should support compliance. No specific meaningful use measures are tied to this compliance, in part because covered entities are already obligated to comply whether or not they seek EHR incentives, and also because demonstrating meaningful use or using certified EHR technology is not by itself indicative of compliance with HIPAA privacy or security requirements.


For 2011, at least, this means the meaningful use rules will impose no additional privacy requirements on HIPAA-covered entities or business associates beyond what HIPAA, as strengthened by the HITECH Act, already requires. However, organizations that are not fully compliant with those requirements may put themselves at risk of being found ineligible for EHR incentives, particularly if they have been the subject of complaints or claims of violations.


Notably absent from the meaningful use rules, as privacy advocates such as the Coalition for Patient Privacy have stressed, are criteria ensuring that individuals (patients) can control the use or disclosure of the information in their electronic health records. Closely related is the ability of EHR systems, and of the providers that use them, to capture, manage, and honor consumer preferences about information disclosure, but that functionality is also not among the criteria published in the Interim Final Rule. Regulatory language already exists (42 CFR Part 2, Subpart C) specifying practices for disclosing health record information with consent and prohibiting re-disclosure absent such consent, but those rules apply only to records of federally assisted alcohol and drug abuse treatment programs, not to health records in general. ONC has been working on consumer preferences since at least 2008 and has produced a Consumer Preferences Draft Requirements Document that is likely to serve as a key input should ONC add consumer preferences criteria to any of the meaningful use stages.

Impacts and implications

For healthcare providers or organizations interested in qualifying for EHR incentives in order to acquire, implement, and adopt EHR systems and related health information technologies, the meaningful use criteria will likely have both external and internal impacts.


The externally facing implications are the constraints that the EHR certification criteria and technical standards will place on the selection and acquisition of health IT solutions, and on environment configuration, technical architecture, and systems integration. From an internal organizational perspective, it is imperative for healthcare providers to ensure that their information security and privacy practices include regular risk analyses.


Although the meaningful use standards do not come into effect until 2011, healthcare providers and other HIPAA-covered entities and business associates that expect to participate in the move to electronic health records have several reasons to act now so that they can demonstrate compliance with meaningful use requirements. First are the financial incentives tied to meaningful use, the qualifying criteria for which will be expanded and strengthened in two further stages in 2013 and 2015. The later criteria are intended to be additive, so organizations that fall behind or cannot demonstrate meaningful use against the 2011 stage one criteria may find themselves in an ongoing struggle to catch up as more demanding requirements take effect. Second, many of the requirements and obligations in the HIPAA Privacy and Security Rules were tightened by the HITECH Act, and those provisions generally apply directly to business associates just as they do to covered entities. The stricter rules are already in effect, but the HHS Office for Civil Rights (OCR) has indicated that it will not yet enforce them, as much or more because OCR is not ready to begin enforcement and its audit standards are still pending as because covered entities and business associates are not ready to comply. This gives organizations a temporary window to close gaps in their conformance before they are formally held accountable. Third, many of the privacy and security practices healthcare organizations should already be following under HIPAA and HITECH, and will need in order to demonstrate meaningful use of EHR technology, are the same as those required by non-health-specific laws such as Massachusetts’ new Standards for the Protection of Personal Information (201 CMR 17.00), which took effect on March 1, 2010. Even for organizations with no Massachusetts residents among their patients or customers, the requirements in the Massachusetts regulation are likely to be replicated in other state laws, raising the probability that a given organization will find itself subject to one or more of them even if no federal legislation is enacted.


For organizations that do not already routinely conduct risk analyses, or that do but are concerned their processes may not be robust enough to pass muster under meaningful use, the Health IT Policy Committee is considering recommendations from its own Privacy and Security Policy Workgroup and multiple outside commenters that healthcare professionals and hospitals be given explicit guidance on performing risk analyses. The most likely source of such guidance is existing documentation from the National Institute of Standards and Technology (NIST) and the Centers for Medicare & Medicaid Services (CMS) on complying with the HIPAA Security Rule, where the required risk analysis is codified. Both NIST Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” and CMS’ Security Rule education paper “Basics of Risk Analysis and Risk Management” direct organizations to a standard security risk assessment process, documented in detail in NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”


For those preferring guidance outside the U.S. federal standards, the ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 (Information security risk management) and the risk assessment section of ISO/IEC 27002 (Code of practice for information security management). Those following any of this guidance should be aware that much of it, NIST SP 800-30 in particular, is written around risk assessments of individual information systems rather than the organization as a whole. This limitation matters because the risk analysis requirement under the HIPAA Security Rule is not limited to particular systems used by covered entities, so despite the emphasis of the meaningful use rules on EHR systems, a risk analysis conducted to satisfy the meaningful use measure should reasonably address all potential risks to the protected health information the organization holds, not just the data in an EHR system. Organizations looking for an enterprise-level perspective on assessing and managing risk can find relevant guidance in ISO 31000 (Risk management—Principles and guidelines), in IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT®, and in the risk management guidance associated with the Information Technology Infrastructure Library (ITIL®).


Looking at risk analysis from a privacy perspective, organizations have few options for official guidance on privacy risk assessments, or even on auditing compliance with the HIPAA Privacy Rule. While not health-specific, the American Institute of Certified Public Accountants (AICPA) developed and maintains a set of “generally accepted privacy principles” (GAPP), most recently updated in April 2009, which addresses risk assessment among many other criteria. AICPA also produced a spreadsheet-based Privacy Risk Assessment Tool covering 66 criteria across the 10 GAPP principles.


While some healthcare organizations may feel relief that the meaningful use rules contain no more specific privacy requirements, it seems highly unlikely that this will remain the case for the 2013 and 2015 stages. These organizations should instead treat the absence of new requirements as an opportunity either to validate existing privacy protections and practices, or to augment or establish appropriate security controls and privacy practices, before they become subject to audit or are otherwise held accountable.