On October 16, 2015, CMS published Modifications to Meaningful Use in 2015 through 2017, and the Electronic Health Record Incentive Program Stage 3 rules. The rules retain the Privacy and Security Objective, as Objective #1, in both Stage 2 and Stage 3. The objective requires that the HIPAA Security Risk Analysis be completed on an annual basis, and that updates be implemented to correct deficiencies identified.
To take a trip down memory lane, the original Meaningful Use rule for Stage 1 included Core Measure #15 as the Privacy and Security Objective. A subsequent update of the rules eliminated a measure, and in the following year it became Stage 1 Core Measure #14.
The initial Stage 2 Rule (published September 4, 2015) had a different numbering scheme for hospitals and eligible providers. The first Stage 2 rule included the Privacy and Security Objective as Core Measure #7 for Hospitals and Core Measure #9 for Physicians. The language of the requirement was adjusted to emphasize that encryption was an area that needed to be covered in the risk analysis.
Which brings us to the present rule change. It seems as if the last has become first, as this objective has moved from last, Core Measure 15 of 15, to first, Measure 1 of 10. The language has evolved again, and this time the scope of the risk analysis is clarified to require security of the ePHI “created or maintained by CEHRT”, in other words, the data in the electronic record software. This clarifies that the Security Risk Analysis required by Meaningful Use is narrower than that required by the HIPAA Security Rule, which requires the security of all PHI.
Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.