HIPAA Regulatory Alert

Survey: Hospitals not up to speed on 'meaningful use'

Only about 52% of surveyed hospitals use encryption technologies

According to a survey released in January by Falls Church, VA-based CSC, only two-thirds of hospitals have identified gaps in their current systems to meet the requirements for meaningful use, as set forth by the Office of the National Coordinator for Health Information Technology, Department of Health and Human Services (HHS). While it is true that the "interim final rule" was not published until Jan. 13, 2010, in the Federal Register1, experts have had a good idea of what "meaningful use" would consist of, at least as early as last spring as HHS issued guidance on the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Additional findings include the following:

• Most hospitals (98%) have a policy in place to limit the disclosure of protected health information, but only 52% employ encryption technologies to render data unreadable or unusable in the case of unauthorized access.

• Smaller hospitals have lower readiness scores, especially for use of required applications and quality reporting.

• 54% are using the latest software version of their electronic health record (EHR) product, which indicates upgrading might be required to meet the criteria for meaningful use.

• Although 89% report on core quality measures, only half capture the majority of the required data from their EHR system.

• Only 40% report that there is clear and broad awareness of the new civil and criminal penalties under the ARRA.

The HITECH standards revealed last spring on privacy and security (especially breach notification) and the attendant penalties for violators garnered the greatest attention among compliance officers and risk managers, and according to CSC, hospitals have the highest readiness scores for privacy and security protection. But this is not a time to relax; with the publication of the meaningful use standards required for EHRs, "the other shoe" has now dropped.

Although the privacy and meaningful use standards were not formalized at the same time, they are inextricably linked. Consider this language in the Federal Register:

"The health outcome policy priorities identified in the Medicare and Medicaid EHR Incentive Programs proposed rule are: improving quality, safety, efficiency, and reducing health disparities; engage patients and families in their health care; improve care coordination; improve population and public health; and ensure adequate privacy and security protections for personal health information."1

Or these comments in the "Privacy and Security Standards" section concerning "certified" EHR technology ("certified" technology is technology that meets the meaningful use standards):

"We believe it is necessary for Certified EHR Technology to provide certain privacy and security capabilities. In that regard, we have aligned adopted certification criteria to applicable HIPAA Security Rule requirements and believe that in doing so, such capabilities may assist eligible professionals and eligible hospitals to improve their overall approach to privacy and security. In addition, some may find that the capabilities provided by Certified EHR Technology may facilitate and streamline compliance with federal and state privacy and security laws. We believe that the HIPAA Security Rule serves as an appropriate starting point for establishing the capabilities for Certified EHR Technology."1

In fact, the document goes on to say that the adopted certification criteria "assure that Certified EHR Technology is capable of supporting eligible professionals and eligible hospitals comply with HIPAA requirements to protect electronic health information residing within Certified EHR Technology and, where appropriate, when such information is exchanged."1

What's more, this linkage is a two-way street: The HIT Policy Committee has recommended that CMS and Medicaid withhold meaningful-use payment (the HITECH Act offers incentives for compliance) until any confirmed HIPAA privacy or security violation has been resolved.

In other words, if your facility's EHR is not certified, it may not adequately address the privacy and security aspects of HITECH; on the other hand, if there are HIPAA violations in your facility, you could not only face HIPAA-related penalties, but you also could prevent your hospital from reaping the benefits of meeting meaningful use standards.

Know where you stand

Perhaps the first step towards meaningful use compliance, says Carlos Nunez, MD, chief physician executive at Picis, is to develop a realistic approach. This is already happening, he blogged after attending the HIMSS conference. "This year's sessions have revealed that a lot of attendees are more comfortable admitting the reality of the situation; that they are just now . . . understanding the challenges that this will bring," he wrote. "I overheard an IT executive from one of the most prestigious and well-regarded health centers in the world claim, 'If we're not sure that we are going to be ready by 2011 (the Phase I date), I can only imagine what others are facing.'"

Vendors such as Picis "need to approach each hospital partner with an understanding that each one will be in a different state of readiness," Nunez continues. "There will never be a one-size-fits-all solution for each step along the way to 2015 (the Phase III date)."

"I'm not at all surprised by the fact that many hospitals find themselves at least partially unprepared," Nunez tells HRA. "Up until the latter part of last year, nobody knew what [the government] would do. In December, many of the things they had been expecting had changed, and underneath this, most CIOs were starting to realize there's a lot here, and they're just not sure they can get all the pieces in place."

Allison Viola, MBA, RHIA, director, federal relations for the American Health Information Management Association (AHIMA), agrees that the challenge is significant. "We at AHIMA will be submitting our comments officially, but basically we feel the criteria to achieve full use is extremely aggressive given the nature of what's being required," she says. "There's a lot of manual data collection to report — particularly HIT functionality measures, and we envision that a lot of that work will fall on HIM professionals." AHIMA, she says, "will try to get [the government] to look at alternative options or consider ways to ratchet this down a little bit."

"There is definitely time to identify gaps and become compliant so you can receive the incentives," counters Erica Drazen, managing partner, emerging practices healthcare group, for CSC in Waltham, MA. "The question is, how quickly can they get there? One of the things that are going to happen for sure is there will be a shortage of people to do this — vendor employees, consultants, as well as people in the hospital; that will be a major challenge."

In addition, "They've upped the ante on privacy and security, with requirements like audit trails of all disclosures," says Drazen. "To share information with patients and other providers will be challenging for most organizations, as these reports have not been designed to be read by patients."

How to move forward

Viola says facilities that are not yet in compliance need to get going. "We would encourage hospitals to start getting teams in place, pay attention to what is going on with the whole certification process, and start the dialogue with their vendors — reviewing their contracts and potentially looking at new vendors if the current vendor is not certified," she says. "If you have a hybrid environment and are predominantly paper-based, you probably want to get moving on this, because by 2015 you will start to see a reduction in payments if you do not meet the requirements." As a first step, she recommends "getting a task force or committee together of multi-stakeholders within the hospital or provider organization, and start nailing down what each of these measures mean."

Drazen recommends you review the list of standards and pick out those that have the highest priority. "Also, start negotiating with your vendor; if they are not going to be certified on the same time frame, you're out of luck. You and they have to be certified on a schedule as aggressive as meaningful use. So, for example, you have to be certified for stage II requirements for 2013, so look at your vendor and see if they meet all the requirements for stage I, which would mean they're on course for stage II."

Nunez, on the other hand, questions whether it's better to do the wrong things quickly or the right things slowly. "A CIO told me that one of the big consulting firms said to him they advised some of their clients not to rush into this, but to do it slowly and deliberately so that you're ready by the time the penalties kick in; you might not get incentives, but at least no penalties," he shares. "I read a study recently that said the average hospital would get between $6 million and $8 million if they met all the requirements — but you could be spending tens or even hundreds of millions in IT projects to get to meaningful use."

A lot depends on the progress you have made to date, he continues. "If as a hospital or a health care system you've been part of a process to implement meaningful use and you've been thoughtful and taken a long-term look at things, then you're probably really close to getting toward meaningful use," says Nunez. "If you're a Mayo Clinic, or a Mass General, if you have integrated systems and an efficient automated work flow, you'll probably get there soon. However, if for whatever reason you've not undertaken it, or have not been successful, or have chosen the wrong vendors, and you're just now really looking at a ramp-up effort, you may not be ready by 2011 or 2013. If that's the case, you may need to take a step back and say, 'Are we rushing for a couple of million dollars, or should we take time and start on a path that makes sense for us and our patients, so at the very least we do not get penalized?'"

If you decide to take what Nunez calls the "baby steps" approach, "at the very least you should look at the roadmap of the Office of the National Coordinator," he recommends. "We know what the requirements are for 2011; and we have some idea of what will be required for 2013 and 2015, although right now the descriptions are at a very high level. To the credit of the Office of the National Coordinator, what they've done really well is spelled out a vision; they say they want to get there in three phases, and they initially set the bar low with incentives to move up to better performance."

In other words, he continues, if you are not in good shape at present, "that first baby step to take is an honest assessment of where you are and where you can be in five years." He recognizes that it is a difficult process. "I've seen so many different hospitals and health systems that have tried to implement systems — some of which were the biggest companies — and they failed miserably, while the very same EHR systems have done very well in other hospitals and health systems. If your hospital is ready, the HITECH provisions of ARRA are laid out, as well as what the measures will be. If not, be honest with yourself about where you are and where you want to be in five years."


1. Department of Health and Human Services. Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Interim Final Rule. Federal Register: January 13, 2010 (Volume 75, Number 8) [Rules and Regulations] [Page 2013-2047].