The Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program (Meaningful Use) provides for eligible physicians who demonstrate “meaningful use” of certified EHR technology to be eligible to receive up to $44,000 in Medicare incentive payments over five years or up to $63,750 in Medicaid incentive payments over six years. But what does it really mean to achieve “meaningful use” for the EHR Incentive Program, and what will your practice need to do to meet the required objectives?
Privacy and Security of Electronic Health Information
One Meaningful Use objective that generates quite a bit of interest and even more questions is the aim to ensure appropriate protection of electronic health information. To meet this objective, you need to ensure that your EHR system is equipped to support basic security functionalities and that your practice is doing everything it can to identify potential threats and implement policy to keep information protected from nontechnical threats.
The Meaningful Use certification program addresses the more technical aspects of privacy and security, making sure that your system functionally protects electronic health information by implementing controls and encryption, such as:
- Assigning a unique user name for each user;
- Encrypting and decrypting health information for backups and removable media;
- Providing for event recording such as deletion of records;
- Creating an audit review log;
- Using systems to ensure health information has not been altered using a hash algorithm;
- Recording disclosures made for treatment; and
- Ensuring identity management is in place.
However, technology is just one piece of the security puzzle. Using certified EHR technology alone will not guarantee compliance with the Health Insurance Portability and Accountability Act (HIPAA) and supporting security rules. Your practice will also need to actively conduct a security risk assessment, documenting the findings and any plans to mitigate risk and improve practice workflow and policy that supports the security of patient data.
HIT Resources
The ACR website offers information and resources for Health Information Technology, including:
- HIT Webinar Library: View recordings and slides on all aspects of the CMS EHR Incentive Program
- Frequently Asked Questions about the EHR Incentive program
- CMS 2011 e-Prescribing Program: What you need to know about the program and its financial impact on your practice
- EHR selection and implementation
- HITECH programs supporting HIT and your practice
- Rheumatology Clinical Registry
- HIT education opportunities and events
To access these resources, visit www.rheumatology.org/HIT.
The Risk Assessment
During a recent ACR Meaningful Use webinar, Nicholas Harned, JD, a health law attorney from Vedder Price, P.C., focused on the privacy and security requirements. Harned said that the Meaningful Use Privacy and Security objective is framed to ensure certified EHR technology supports the protection of electronic data but “does not impede [a provider’s] ability to comply with HIPAA.”1
Harned laid out the following program to help your practice engage in a comprehensive risk assessment to ensure appropriate protections of electronic health information—a good practice whether or not you are participating in the CMS EHR Incentive Program.
To meet the privacy and security objective for Meaningful Use, your practice should conduct a security audit or risk analysis at least once prior to the end of the each reporting period. Your risk assessment should include these basic steps:
- Identify the scope of the analysis.
- Identify the location of all electronic health information including where it is stored, how it is retrieved and by whom, and the workflow for maintenance and transmission of this information.
- Identify and document potential technical and nontechnical threats and vulnerabilities to the protection of the electronic health information, including natural threats, human threats, and environmental threats.
- Assess your current implemented security measures to minimize or eliminate risks to electronic health information.
- Ascertain and document the probability that an identified risk will materialize.
- Determine and document the potential impacts of each identified risk.
- Determine the overall level of risk to the electronic health information and develop a “risk matrix,” categorizing all of the risks based upon the likelihood of occurrence and potential impact.
- Identify and document the required security measures and upgrades and the actions that must be taken to mitigate identified risks.
Simply implementing a certified EHR system will not satisfy your responsibilities for protecting your patients’ health information. As you are conducting your risk analysis, you must consider the security of each system that stores or processes electronic health information (e.g., backup systems, hard drives, and removable media). In conducting the risk analysis, your practice should look at the whole system—the people and the electronic systems responsible for collecting, storing, analyzing, and transferring healthcare information.
For more information on performing a privacy and security analysis in your practice and achieving meaningful use of your EHR system, visit www.rheumatology.org/HIT or contact ACR Registries and Health Informatics staff at [email protected].
Reference
- Department of Health and Human Services, Basics of Security Risk Analysis and Risk Management. HIPAA Security Series. 2005;2(6):1-20.
2011 Annual Meeting
Basic Science at ACR 2011: An Offer You Can’t Refuse
By Anne-Marie Malfait, MD, PhD
Whether you are a clinician-rheumatologist with a busy practice, a basic scientist, or a clinical researcher in academia or the private sector, you can’t afford to miss the basic science sessions at this year’s ACR/ARHP Annual Scientific Meeting in Chicago this November 4–9.
An excellent overview of novel concepts and recent advances in all things rheumatology will be offered because the planning committee focused on topics that are likely to affect patient care in the years ahead. A sampling of this year’s offerings is highlighted below.
Pain
Treating chronic painful conditions is a central responsibility of the rheumatologist, but the science of pain in arthritis still holds many secrets. Origins and pathways of joint pain are poorly understood, but recent research has uncovered many novel determinants of arthritis pain. If you want to learn about new imaging techniques of the “arthritic brain,” genetic variation in pain perception, or new inflammatory mediators of chronic pain, be sure not to miss the following sessions:
- State-of-the-Art Lecture: Pain, the Brain, and Osteoarthritis
Sunday, November 6; 9:00 am–10:00 am - State-of-the-Art Lecture: Cytokine and Chemokine Regulation of Chronic Pain
Tuesday, November 8; 9:00 am–10:00 am - Basic Science Symposium: Pain Pathways in Rheumatic Diseases
Wednesday, November 9; 11:00 am–12:30 pm
Osteoarthritis
Osteoarthritis remains a difficult problem for clinicians and basic researchers alike. Whereas cartilage was the center of attention for many years, it is becoming increasingly clear that osteoarthritis involves the entire joint. Understanding how different joint tissues contribute to the pathogenesis and progression of osteoarthritis will open new avenues for intervention and for early detection of osteoarthritis. Therefore, do not miss the opportunity to discuss the state-of-the-art science on joint imaging, biomarkers, synovial inflammation, and more, in these translational sessions:
- Basic Science Symposium: Tools for Studying Joint Tissue Changes in Osteoarthritis
Sunday, November 6; 2:30 pm–4:00 pm - ACR REF Paul Klemperer, MD Memorial Lectureship: Osteoarthritis, Quo Vadis—Where Are We Now, Where Are We Going?
Tuesday, November 8; 9:00 am–10:00 am - Basic Science Symposium: Osteoarthritis: A Disease of the Joint as an Organ
Tuesday, November 8; 4:30 pm–6:00 pm
The Genetic Basis of Rheumatic Disease
In the last five years, genome-wide association studies have helped identify genetic risk factors for systemic autoimmune and rheumatic diseases. However, the underlying causal variants have been identified for only a small number of genetic loci. Further, currently identified genetic loci only explain a small proportion of the overall genetic contribution to these diseases. Advances in genomic technology, such as next generation DNA sequencing, make it possible to sequence the entire human genome at an affordable cost. The whole genome can be sequenced to search for rare variants that contribute to risk of rheumatic diseases. Make sure you understand these new approaches to identify causal genetic variants by attending these sessions:
- State-of-the-Art Lecture: Moving Forward in the Genome Wide Association Studies Era
Monday, November 7; 7:30 am–8:30 am - Basic Science Symposium: Next-Generation Sequencing Applied to Rheumatic Diseases
Tuesday, November 8; 2:30 pm–4:00 pm
The 2011 ACR/ARHP Annual Scientific Meeting is the place to be to keep up with recent developments in the field of rheumatology. We hope to see you in Chicago this November!
Dr. Malfait is an ACR Annual Meeting Planning Committee member.