If EHR Incentive Program Ending, What's Next?

Sizing Up Impact a New Regulatory Approach Will Have on Privacy, Security

A federal official's comments this week that the government is "ending" the HITECH Act's "meaningful use" incentive program for electronic health records are raising numerous questions.

For example, how soon might the program, which has provided nearly $32 billion in incentive payments, be phased out? And will its privacy and security provisions, including an emphasis on risk assessments, as well as related standards for EHR software functionality be replaced by new regulations?

Some security experts are already calling on the federal government to use the transition to impose tough new requirements to protect patient records.

In a Jan. 11 speech, Andy Slavitt, acting administrator for the Centers for Medicare & Medicaid Services, noted: "Now that we effectively have technology into virtually every place care is provided, we are now in the process of ending meaningful use and moving to a new regime culminating with the MACRA implementation," referring to the Medicare Access and CHIP Reauthorization Act of 2015.

MACRA is designed to change how Medicare pays providers through steps such as creating a new framework that rewards healthcare providers for giving better care, not just more care.

What's Next?

"We will be putting out the details on this next stage over the next few months," Slavitt said. "The focus will move away from rewarding providers for the use of technology and toward the outcome they achieve with their patients."

In his speech, he also noted, "Technology must be user-centered and support physicians, not distract them. ... One way to aid this is by leveling the technology playing field for start-ups and new entrants. We are requiring open APIs in order [that] the physician desktop can be opened up and move away from the lock that early EHR decisions placed on physician organizations [to] allow apps, analytic tools, and connected technologies to get data in and out of an EHR securely."

Slavitt also stressed the importance of ensuring the interoperability of EHR systems to ease the sharing of data. "We will begin initiatives in collaboration with physicians and consumers toward pointing technology to fill critical use cases like closing referral loops and engaging a patient in their care. And technology companies that look for ways to practice 'data blocking' in opposition to new regulations will find that it won't be tolerated."

Trial Balloon?

Some security and privacy experts say Slavitt's comments create a great deal of uncertainty.

"CMS is hoisting trial balloons on fundamental changes to meaningful use that will create anxiety and uncertainty throughout the healthcare industry," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. Pressure on the Department of Health and Human Services from Congress, which has been scrutinizing whether the massive investment in the HITECH incentive program has been worth it, could be a factor in CMS's apparent re-evaluation of the program's future, he adds.

"Reading the tea leaves, there seems to be consensus developing in the Congress to take action to repeal Stage 3 [of meaningful use]," he notes. "My view is that HHS is taking a pragmatic approach to managing what comes next by moving forward in the transition to MACRA sooner rather than later."

The development of the MACRA standards provides an opportunity to incentivize adoption of stronger patient data safeguards, Holtzman says. That includes "requiring encryption on all end-user devices and workstations on which e-PHI is stored, adopting two-factor authentication to ensure that only authorized users have access to patient data and requiring assessing cybersecurity threats through use of National Institute of Standards and Technology's CyberSecurity Risk Assessment Framework."

Jay Trinckes, senior practice lead at security consulting firm Coalfire, says he'd like to see the meaningful use program replaced with "a mandatory, comprehensive" validation/certification process for all systems that create, receive, maintain or transmit electronic protected health information. "If a system touches ePHI, it needs to be assessed and come with a 'validated-secure label' before a healthcare organization is permitted to utilize the software/solution to manage ePHI," he suggests.

Wake-Up Call

The biggest impact of the meaningful use program so far has been to wake up some healthcare providers about the importance of security and privacy, says Dan Berger of the security consulting firm Redspin. "Although the HIPAA Security Rule had been in effect since 2005, the MU program was a key driver in refocusing the attention of providers on security requirements, particularly the necessity of conducting a HIPAA risk analysis," he says.

Unfortunately, some smaller provider organizations' interest in conducting a risk assessment has been fueled only by qualifying for meaningful use incentive dollars, says Tom Walsh, founder of consulting firm tw-Security. "We see smaller providers that struggle every day just to keep their doors open for business. Once meaningful use ends, so will their efforts to maintain risk analysis at least on an annual basis. It is not as if they don't care or don't understand the value in doing a risk analysis; they just don't have the resources to get it done."

The meaningful use program provided both "the carrot and the stick" to encourage good security practices, Walsh says. "Many organizations used their MU incentive money to enhance their privacy and security posture by purchasing new products, tools and services. With operating budgets getting tighter, smaller healthcare organizations will still need help in securing their environments. Security isn't cheap. Without the MU program, now all the government has is 'the stick,' - fines, penalties for [HIPAA] noncompliance or breaches," he says.

Details Scarce

CMS officials declined to offer Information Security Media Group specific details about its plans for phasing out the meaningful use program beyond the public comments Slavitt made.

CMS last October published rules for Stage 3 of the meaningful use program and modifications for 2015 through 2017.

A CMS spokesman said the Stage 3 rule "moves us beyond the staged approach of 'meaningful use' by 2018 and helps us collectively move forward to a system based on the quality of care delivered, as opposed to quantity. We will use feedback [from the healthcare sector] to inform future policy developments for the EHR incentive program, as well as consider it during rulemaking to implement MACRA, which we expect to release in the spring of 2016, and other rulemaking as appropriate."

The Office of the National Coordinator for Health IT also declined to comment on the future of the Health IT certification program - which certifies whether software used by healthcare providers to qualify for meaningful use incentives meets certain technology requirements, including those pertaining to security and privacy.

Editor's Note: On Jan. 19, CMS and ONC officials posted a blog clarifying that proposed regulations to replace the meaningful use rules won't be released until the spring. So for now, "existing regulations - including meaningful use Stage 3 - are still in effect."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.