Search the KHIT Blog

Saturday, June 4, 2011

Meaningful Use ePHI Privacy and Security compliance criteria

CORE MEASURE OBJECTIVE: Protect electronic health information (ePHI) created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

ASSOCIATED MEASURE: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.

METHOD OF MEASURE CALCULATION: Measure requires only a Yes/No attestation.

THRESHOLD: Conduct one security risk assessment.

: None.

I recently accompanied on of my REC colleagues on a "Meaningful Use training session" at one of our outpatient solo doc client sites. The vendor support rep (I won't name the product) blithely made a couple of serious misstatements of fact as he walked the physician through the core and menu set criteria. First, he stated in error that the doctor could simply export a patient CCD/CCR document (basically an XML dump of a patient record) to a PDF file and send it on to another provider as an email attachment in order to satisfy the "perform at least one test of certified EHR technology's capacity to electronically exchange key clinical information" criterion.

I had to point out that any live patient data would have to first be appropriately encrypted prior to any transmission. Failure to do so would constitute a HIPAA violation, the sanctions for which are now quite severe.

His second errant assertion was equally misinformed. He stated that the doctor was automatically in compliance with the "
Protect electronic health information" criterion cited at the outset of this post -- simply by virtue of using the vendor's ONC CHPL certified release of this particular EHR platform.

Nothing could be further from the truth. He was irrelevantly referring to the NIST EHR certification standards comprising 45 CFR §170.302(o) through §170.302(w):
  • Access control;
  • Emergency access;
  • Automatic log-off;
  • Audit log;
  • Integrity;
  • Authentication;
  • General encryption;
  • Encryption when exchanging electronic health information;
  • Accounting of disclosures (optional),
all of which simply address the functional capability of an EHR platform to comply with the foregoing.

And, none which has anything to do with the Meaningful Use core requirement to "
conduct or review a security risk analysis" during the Attestation period.


To be useful for significant and sustained improvements in individual and population health, health care data must be available in timely fashion to those with the requisite authority (hence the security requirement) and need to access and act upon them. Moreover, in that regard we must also be assured of the integrity of the data – i.e., we must have ongoing confidence that the data transmitted electronically (especially those with direct bearing on clinical decision-making) are exactly** those acquired and stored at the source.
** It is tangentially noteworthy that the Meaningful Use ePHI standard does not address source data “accuracy” per se (i.e., the GIGO risk – “Garbage In, Garbage Out”), regarding which the venue for patient redress (there being no affirmative, proactive provider onus) is accorded at 45 CFR 164.526: Amendment of protected health information. (a) Standard: Right to amend. (1) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set. This is essentially akin to consumers’ remedies for inaccuracies that come to light in credit reporting agencies’ data.

This Meaningful Use (MU) criterion explicitly focuses on three ePHI areas:
  1. Access;
  2. Storage, and;
  3. Transmission.
And, with respect to the foregoing, the Stage 1 MU compliance standard requires attestation of documentable demonstration of implementation of reasonable and sufficient
  1. administrative safeguards;
  2. technical safeguards, and;
  3. physical safeguards
of ePHI in order to ensure that the potentially conflicting ends of patient data availability, security, and integrity are consistently resolved in documentable fashion.

Returning to the language of this Meaningful Use ePHI compliance specification:
ASSOCIATED MEASURE: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.
And then from the cited “per 45 CFR” itself,
§ 164.308 Administrative safeguards.

(a) A covered entity must, in accordance with §164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
We ought make note that “accordance with §164.306” obligates the attestee to having adequately addressed all of the subsectional provisions of 45 CFR 164.3 (the breadth of “Subpart C,”):
§164.306(c) Standards. A covered entity must comply with the standards as provided in this section and in §164.308, §164.310, §164.312, §164.314, and §164.316 with respect to all electronic protected health information.
These mandate, in the aggregate, effective [1] administrative safeguards, [2] technical safeguards, and [3] physical safeguards – the gamut. Moreover, activities undertaken pursuant to compliance with this criterion must be sufficiently documented:
§ 164.316 Policies and procedures and documentation requirements.

A covered entity must, in accordance with §164.306:

(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
There is a six-year records retention requirement associated with the measure [§164.316(2)(i)]. Also noteworthy is that, while the various compliance specifications are denoted as either “required” or “addressable” (highlighted in the Subpart C appendix below), the latter are not to be construed as “optional.” While the measure speaks to “flexibility” and “reasonableness” with regard to implementation latitude, such are not to be construed as license for a la carte non-documentation.

See, e.g., §164.306(d)(1) through (B)(2)(e).

In light of recent national media attention regarding ePHI concerns, it is not advisable to take the foregoing lightly. For example:
HHS Inspector General reports highlight IT security gaps in health care

May 26, 2011,
Baker & Hostetler LLP

On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI). Of particular interest to health care providers and health plans, these reports signal that heightened enforcement efforts appear likely in the future, making information security a top priority when developing and operating interoperable health care information technology (HIT).

The first OIG report, which assessed the Centers for Medicare and Medicaid Services’ (CMS’) and Office of Civil Rights’ (OCR’s) oversight of the Security Standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), found shortcomings in hospital information security implementation, and criticized a perceived lack of effective of oversight of such Security Standards by CMS and OCR.

The OIG audit examined information security systems at seven large hospitals located in several states. The report found 151 security vulnerabilities, ranging from insufficient password strength and unencrypted laptops containing ePHI, to lack of physical protections (e.g., locks) for computer storage rooms, inadequate encryption methods, and incomplete policies and procedures to address audit controls, backup plans and disaster contingencies. The majority of findings were rated as “high impact”, which means posing a significant risk of harm to the individuals whose ePHI was transmitted or stored in such facilities. The report concluded that the OCR needs to significantly improve oversight and enforcement of data security under HIPAA, including continuation of the compliance oversight reviews of covered entities begun in 2009 at the direction of CMS. The OIG report also referred to exercise of the specific HIPAA enforcement measures and larger penalties enacted under the 2009 American Recovery and Reinvestment Act’s Health Information Technology for Economic and Clinical Health Act (HITECH) provisions.

The second OIG report criticized the Office of the National Coordinator for Health Information Technology (ONC), the agency created under ARRA/HITECH to administer and oversee federal incentives for the adoption and meaningful use of interoperable electronic health records (EHRs), and other related national HIT initiatives. That report found that the ONC failed to incorporate general information security requirements in the measures required for certified EHRs under HITECH. While certain application security controls were included in the HIT standards, the OIG found that general security requirements for the overall security structure, policies and procedures to be specifically applied to EHR systems were lacking.

In light of these OIG reports, and of ongoing news of misappropriation of patients’ health information and wide-scale security breaches, health care providers and health plans should consider reassessing their security risk exposure and preparedness to address information security lapses and HIPAA enforcement likely to be at the forefront of the national HIT trend.

More recent news:

[, May 26th] Despite spending a lot of time making sure they are compliant with federal and state regulations, health care organizations claim they are still seeing a lot of data breaches.

Being regulatory-compliant does not necessarily reduce the chances of a data breach, at least for the health care industry, according to a new study. Even more worrisome, organizations appear to be focusing more on compliance and less on security.

About 56 percent of IT security professionals in the health care industry said they spend the majority of their time addressing compliance requirements, according to the results of a GlobalSign survey released May 26. Even so, 34 percent of the health care industry IT security professionals polled said their organizations experienced a patient-records data breach within the past two years.

The survey “validates” the fact that health care organizations are putting in the effort to comply with HIPAA (the Health Insurance Portability and Accountability Act), the HITECH (Health Information Technology for Economic and Clinical Health) Act, and other state and federal regulations, according to Lila Kee, chief product officer at GlobalSign. However, it also demonstrated that “checking the boxes on compliance audits” will not ensure security or privacy when it comes to sensitive data, Kee said...

I visited with another solo practice physician recently for an initial REC assessment. When I asked about written HIPAA-compliant policies and procedures, I got that too-familiar deer-in-the-headlights look. With all the recent contentious ePHI news, I don't think this is a particularly good time for providers to be ignoring or paying lip service to the breadth of HIT privacy and security concerns reflected in the foregoing Meaningful Use criterion.


We at the REC have come to simply reiterate the phrase "privacy and security."

But, "privacy" per se is addressed specifically at 45 CFR 164.5nn --
Subpart E—Privacy of Individually Identifiable Health Information, which is about things such as
  • patient data access;
  • consents;
  • disclosure;
  • right of correction of erroneous PHI;
  • records retention requirements.
The Meaningful Use measure recounted at the top of this post is really about ePHI "security" -- the "privacy" part appears to exceed our portfolio.

But, without PHI security there can be no patient "privacy."


Mucking around in SmartDraw one recent afternoon. Click to enlarge.

1 comment:

  1. Nice blog ! Thanks for visiting HEALTH TRAIN EXPRESS Follow me twitter @glevin1