INTRODUCTION
As the new year begins, the health care industry is preparing to become compliant with yet another regulation, one that requires all health care organizations to implement the use of electronic health records ("EHR") by 2015. The American Recovery and Reinvestment Act ("ARRA") authorized the Centers for Medicare and Medicaid Services ("CMS") to provide funding as an incentive to physicians and hospitals that are successful in becoming "meaningful users" of electronic health records. Eligibility for funding began in 2011 and will be phased out, as providers are expected to have implemented EHR by 2015 or face financial penalties under Medicare.
INCENTIVE PROGRAMS
There are two EHR incentive programs available.
Although the two programs are similar, there are some differences between them.
MEANINGFUL USE DEFINED
Meaningful use is the process of using EHR technology to:
- Improve quality, safety, efficiency and reduce health disparities
- Engage patients and family
- Improve care coordination, and population and public health
- Maintain privacy and security of patient health information
The main focus of the EHR program was to increase transparency of health care data, increase efficiency of health care practices and improve health care services and quality overall.
The following chart outlines the three stages of the meaningful use criteria, which are used to track the provider's progress in converting to electronic health records.

BENEFITS OF ELECTRONIC HEALTH RECORDS
Most people who have visited their doctor or hospital over the last few years have noticed that the medical staff is utilizing a variety of portable electronic devices (laptops, tablets, etc.) to document and update conversations and testing being performed. The accessibility of medical tests and records provides a wealth of information at the doctor's fingertips. The quality of the visit and service is much better as the treatment is now almost on a real-time basis. You no longer have to wait for a phone call or mail to receive your test results or diagnosis. More efficient communication was one of the key features of the new requirements.
Patients can now access a limited amount of their medical records online, view test results, future appointments, etc. and can actually create a health plan for themselves. Personal health and fitness devices can be integrated into these plans by using activity trackers like Fitbit. This increase in data availability to the patient and doctor will change the medical profession in providing future services, as this data will now become available to the doctor without having to rely on conversations with the patient.
CONCERNS OF ELECTRONIC HEALTH RECORDS
As with all new modes of technology, with the availability of data and communications come concerns about access to that data. Security is one issue that always seems to pop up. Who will be able to access your health care data? Will it be secure? What are the requirements of the health care provider to make sure it is secure?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules (Privacy & Security) and CMS' Meaningful Use requirements provide for the security of your health care data, including EHR. Under HIPAA, covered entities must have:
- Safeguards in place to protect patients' health information
- Minimum and limited usage and sharing to accomplish its intended purpose
- Privacy agreements with their service providers who perform functions or activities on their behalf
- Procedures to limit access to patients' health information as well as the implementation of training programs for employees about how to protect patients' health information
These security requirements will help to prevent identity theft and will reduce reputation and financial losses of all parties involved.
MINIMIZE RISKS OF ELECTRONIC HEALTH RECORDS
There are many ways to minimize the risks associated with EHR. Compliance with various regulations is certainly a good starting point. As with most security standards, these regulations set only a minimum level of control that helps to reduce the risk of unauthorized access. They do not guarantee that a breach will not occur. Going above and beyond the minimum requirements is therefore a good policy to have, as are good monitoring practices.
Keeping your security policies up to date with any changes in the information technology environment is critical. These can be changes in hardware, software or even processes and procedures. Make sure to map out where the data resides and how it travels so that it is protected at all times.
Physical and logical controls are very important to prevent unauthorized access. Data in hard copy form should be just as secure as if it resided on a server or mobile device. Password configurations have to be complex and enforced to be effective. File cabinets and file rooms should also be secured, with a need-to-know policy enforced.
Data should be encrypted whenever possible to reduce the risk posed by accidental loss of mobile devices. Data stored through a third party should also be encrypted to reduce loss of reputation and financial loss should a breach occur. If cloud service providers are utilized, make sure that they are compliant with any relevant regulations if they fall under the new expanded definition of business associate. Obtain proof of this compliance and a statement of compliance report (either SSAE 16 or SOC 2) to provide proof of adequate controls.
CONCLUSION
The benefits of electronic health records far outweigh the concerns, but the data needs to remain secure to keep public opinion positive. This will lead to necessary but additional costs to the providers. The benefits need to be marketed to consumers to help recoup the costs.