Meaningful Use Stage 3 Proposed Rule: Security Risk Analysis and Patient Access

Where HIPAA and Meaningful Use intersect, does the newly released Meaningful Use Stage 3 proposed rule provide greater clarity or create more confusion?

As discussed in our earlier advisory, the Meaningful Use Stage 3 proposed rule was released on March 30, offering a glimpse of the current thinking towards ensuring patient information is safeguarded as we move towards increased electronic health record (EHR) use and interoperability.

Security risk analysis
The proposed rule seeks to clarify the Meaningful Use requirement regarding its risk analysis "to alleviate provider confusion and simplify the EHR Incentive Program." Ironically, the proposal may do just the opposite by creating a “HIPAA” risk analysis under Meaningful Use with a different scope than the risk analysis under the HIPAA regulations.

Under HIPAA, covered entities and business associates are required to conduct a risk analysis for all electronic protected health information. This includes evaluating risks to an EHR as well as other information systems, media, and devices that contain or are used to access electronic protected health information. By contrast, the Meaningful Use proposed measure requires a risk analysis, in accordance with 45 C.F.R. 164.308(a)(1), for data stored in the certified EHR. Of course, a risk analysis done in accordance with 45 C.F.R. 164.308(a)(1) (the HIPAA implementation specification for risk analysis) would require an evaluation of the potential risks to all electronic protected health information that the covered entity or business associate creates, receives, maintains, or transmits. In fact, HHS’ Office for Civil Rights (OCR) expressly clarifies this in its Security Rule guidance.

While CMS can be commended for acknowledging confusion in this area, the proposed solution may cause greater uncertainty, leading health care providers to incorrectly believe that they have satisfied HIPAA by completing a risk analysis that is limited to their certified EHR in accordance with Meaningful Use.

Patient electronic access to health information
The proposed rule introduces application program interfaces (APIs) as a method for providers to allow patients access to their information. CMS touts third party applications that interface with the provider’s EHR as an alternative to patient portals. This complements the Office of the National Coordinator for Health Information Technology’s 2015 Edition proposed certification criteria. As of September 2013, when the patient has the right to access their protected health information, the provider (or other covered entity) must provide the information electronically if the patient requests an electronic copy and the provider maintains the protected health information electronically. The provider also must provide the patient with the electronic protected health information in the form or format requested, if it is readily producible in such form and format.

As health care providers across the country look to implement or upgrade to 2015 Edition certified EHRs, assuming the rules are finalized as proposed, a big question will be whether protected health information is readily producible via an API where the technology has the capability to permit access through an API.

Public comments must be submitted by May 29, 2015, and can be submitted anonymously through counsel. DWT has extensive experience helping health care providers navigate the Meaningful Use and HIPAA requirements. For more information please contact Anna Watterson or the attorney with whom you regularly work.