How the shift to Promoting Interoperability impacts security and privacy efforts
ComplyAssistant and Oscislawski LLC recently contributed an article on meaningful use in the March 2019 edition of Compliance Today. The following blog post covers some of the key points.
Originally designed as part of HITECH to encourage providers to adopt electronic health records (EHRs), meaningful use was a means to an end – towards improved population health and better patient care among fragmented providers. The program prioritized five pillars of health outcomes:
- Improve quality, safety, efficiency, and reduce health disparities.
- Engage patients and families in their health.
- Improve care coordination.
- Improve population and public health.
- Ensure adequate privacy and security protection for personal health information.
But, with nearly 90 percent of providers using EHRs today, is meaningful use still relevant?
While the “meaningful use” moniker has been retired, the program has evolved and continues to be essential for secure sharing of information.
The evolution of meaningful use
CMS recognized that significant advances in technology warranted an overhaul of meaningful use. Thus, in April 2018, CMS renamed the program to Promoting Interoperability, and outlined three new objectives:
- Make [the program] more flexible and less burdensome,
- Emphasize interoperability through measures that require the exchange of health information between providers and patients, and
- Incentivize providers to make it easier for patients to obtain their medical records electronically.
In August 2018, Promoting Interoperability was adopted. Hospitals can demonstrate compliance through a flexible points-based system, rather than the old pass/fail model. And, the incentive for participation is now based on penalty avoidance instead of incentive payments.
HIPAA + meaningful use = protected PHI
The fifth pillar of meaningful use prioritized adequate privacy and security protection for PHI, and HIPAA was already in place by the time meaningful use was adopted. While the introduction of meaningful use did not impact the requirements under HIPAA, the combination of the two programs further emphasized the need for providers to start paying more attention to HIPAA and how to protect patient data.
Providers must ensure privacy and security controls are in place to protect patient data. They also must perform security risk assessments to demonstrate Promoting Interoperability. Because of this, Promoting Interoperability, like its meaningful use predecessor, is a powerful partner to HIPAA, aiding compliance with the Security Rule and helping providers view protection of electronic PHI as a long-term strategy.
The role of security and compliance officers
Under Promoting Interoperability, security and compliance officers should focus on the idea of secure connectivity and accessibility. Security is the foundation for connected data across care disciplines, protecting connectivity of medical devices and easy access to patient information.
Security and compliance teams – led by a Chief Information Security Officer (CISO) – adopt cybersecurity frameworks (such as NIST) and implement policies and controls that support Promoting Interoperability, including:
- A comprehensive and robust cybersecurity infrastructure;
- Alignment of organizational practices with security frameworks;
- Technical controls around access to information; and
- Appropriate security controls for the sharing of data.
How to demonstrate Promoting Interoperability
Though meaningful use has shifted, the focus on data security and patient access remains. Promoting Interoperability better reflects the industry’s use of EHRs, and considers the need for providers to share information when they provide care for the same patient.
In order to demonstrate compliance with Promoting Interoperability, providers and healthcare organizations need to:
- Assess previous performance under meaningful use to understand any improvements that need to be made.
- Prioritize the provider-to-patient exchange, which will have the highest performance impact for providers.
- Remember that the program is not static, and that CMS will continue to evolve it over time.
- Shift their mindset to treat privacy and security as a primary, foundational element of meaningful use and Promoting Interoperability.
- Allocate the appropriate resources to support privacy and security efforts.
Read the full article in Compliance Today.
© 2019 Compliance Today, a publication of the Health Care Compliance Association (HCCA).