Meaningful Use Stage 3 Proposed Rule: Security Risk Analysis and Patient Access

By Anna C. Watterson
05.01.15

Where HIPAA and Meaningful Use intersect, does the newly released Meaningful Use Stage 3 proposed rule provide greater clarity or create more confusion?

As discussed in our earlier advisory, the Meaningful Use Stage 3 proposed rule was released on March 30, offering a glimpse of the current thinking towards ensuring patient information is safeguarded as we move towards increased electronic health record (EHR) use and interoperability.

Security risk analysis
The proposed rule seeks to clarify the Meaningful Use requirement regarding its risk analysis "to alleviate provider confusion and simplify the EHR Incentive Program." Ironically, the proposal may do just the opposite by creating a “HIPAA” risk analysis under Meaningful Use with a different scope than the risk analysis under the HIPAA regulations.

Under HIPAA, covered entities and business associates are required to conduct a risk analysis for all electronic protected health information. This includes evaluating risks to an EHR as well as other information systems, media, and devices that contain or are used to access electronic protected health information. By contrast, the Meaningful Use proposed measure requires a risk analysis, in accordance with 45 C.F.R. 164.308(a)(1), for data stored in the certified EHR. Of course, a risk analysis done in accordance with 45 C.F.R. 164.308(a)(1) (the HIPAA implementation specification for risk analysis) would require an evaluation of the potential risks to all electronic protected health information that the covered entity or business associate creates, receives, maintains, or transmits. In fact, HHS’ Office for Civil Rights (OCR) expressly clarifies this in its Security Rule guidance.

While CMS can be commended for acknowledging confusion in this area, the proposed solution may cause greater uncertainty, leading health care providers to incorrectly believe that they have satisfied HIPAA by completing a risk analysis that is limited to their certified EHR in accordance with Meaningful Use.

Patient electronic access to health information
The proposed rule introduces application program interfaces (APIs) as a method for providers to allow patients access to their information. CMS touts third-party applications that interface with the provider’s EHR as an alternative to patient portals. This complements the Office of the National Coordinator for Health Information Technology’s 2015 Edition proposed certification criteria. As of September 2013, when the patient has the right to access their protected health information, the provider (or other covered entity) must provide the information electronically if the patient requests an electronic copy and the provider maintains the protected health information electronically. The provider also must provide the patient with the electronic protected health information in the form or format requested, if it is readily producible in such form and format.

As health care providers across the country look to implement or upgrade to 2015 Edition certified EHRs, assuming the rules are finalized as proposed, a big question will be whether protected health information is readily producible via an API where the technology has the capability to permit access through an API.

Public comments must be submitted by May 29, 2015, and can be submitted anonymously through counsel. DWT has extensive experience helping health care providers navigate the Meaningful Use and HIPAA requirements. For more information please contact Anna Watterson or the attorney with whom you regularly work.

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.