HealthData Management - February 2013

WASHINGTON report

The Office of the National Coordinator for Health Information Technology has released the final Test Method for the 2014 Edition of the electronic health records meaningful use certification program. These are the test procedures and applicable test data files that EHR certification testing laboratories and certification bodies will use to evaluate conformance and functionality of EHRs and EHR Modules against adopted standards, implementation specifications and certification criteria. The Test Method includes a list of all meaningful use criteria that an EHR must support with links to each test procedure. Final Test Methods for EHR Certification in 2014 Now Available

An industry survey has revealed significant ambivalence among hospital leaders about their ability to meet newly issued requirements for Stage 2 of meaningful use.

The poll, conducted by I. T. consulting firm KPMG, shows that nearly half ( 47 percent) of hospital and health system business leaders are only “ somewhat confident” in their level of readiness to meet the requirements, which became final in July. Thirty-six percent said they were confident and just 4 percent said they were not confident at all. Eleven percent said they didn’t know what their level of readiness was.

Asked to identify the biggest challenge in complying with the standard,

29 percent cited training and change management. This was followed by lack of monitoring processes to help ensure sustained demonstration of meaningful use, and capturing the relevant data electronically as part of clinical workflow ( 19 percent each); lack of a dedicated meaningful use team ( 12 percent); and vendor availability that has appropriate certified technology ( 6 percent).

“Attesting to meaningful use standards is an evolving
process,” said Mike Beaty, principal and KPMG Health-
care IT enablement leader. “It’s key for organizations to
have the right clinical workflows, care delivery processes
and the right support structures in place not just to meet
the standards but also to ensure a sustainable transfor-
mation of these critical systems.”
Leaders also said their organiza-
tions are being challenged to meet
standards on privacy and security
of patient information as prescribed
by both meaningful use Stage 2 and
HIPAA. Close to half ( 47 percent)
of respondents said they were only
somewhat comfortable with their or-
ganization’s ability to comply with all
parts of HIPAA, including new annual
risk assessments and protecting data
such as patient identifiable informa-
tion. An additional 8 percent said they
were not comfortable at all and 13 percent said they were
not sure. Thirty one percent said they were comfortable.
“Stage 2 specifically requires that the transmission
and exchange of patient data or information across the
enterprise be very solid and secure,” said Jerry Howell,
principal with KPMG Healthcare. “Stage 2 meaningful
use compliance will require an expanded focus on secure
transmission of data within, and outside the enterprise.”

The survey responses come from more than 140 hospital and health system administrators.

INDUSTRY PREPARATIONS

Health Execs Wobbly on Stage 2 MU
Readiness, HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights for the first time is financially punishing an organization for a breach of protected health information that affected less than 500 individuals.

This is a new policy; OCR has previously limited issuance of hefty fines—and publicity of the fines—against several organizations following a “major” breach that affected 500 or more individuals.

The Hospice of North Idaho in Hayden will pay a $50,000 fine and has entered into a resolution agreement and corrective action plan with OCR.

The hospice in February 2011 reported to OCR the theft of a laptop computer in June 2010 containing PHI on 441 individuals.

To uphold federal law, organizations must annually notify OCR of breaches affecting less than 500 individuals, and must give notification of larger breaches within 60 days of discovery.

OCR notified the hospice in June 2011 that it was investigating the breach, and contends in the resolution agreement that the hospice did not adequately implement sufficient protections to ensure security of electronic protected health information from the April 21, 2005, HIPAA security rule compliance date until Jan. 17, 2012.

The Hospice of North Idaho in the agreement does not admit liability, but does not contest the validity of obligations agreed to under the settlement and agrees to comply with a corrective action plan.