EHR / EMR regulations detail the manner in which health care providers qualify for Medicare and Medicaid EMR “meaningful use” payments under The Health Information Technology for Economic and Clinical Health (HITECH) Act, which in turn is part of the American Recovery and Reinvestment Act of 2009 (ARRA).
These EHR and EMR regulations make direct and indirect reference to the latest regulations issued by The U.S. Department of Health and Human Services (HHS) regarding providers’ security and privacy obligations under the Health Insurance Portability and Accountability Act (HIPAA). EMR requirements fall under both HITECH / ARRA definitions for meaningful use requirements and for HIPAA security rules.
ARRA / HITECH
Federal payments are available for qualifying health care providers (referred to as Eligible Professionals (EPs) in the federal regulations).
While a maximum of $21,250 of Medicaid EHR / EMR payments is independent of EMR use, the bulk of payments under Medicaid and all payments under Medicare require “meaningful use” by an EP of an EMR system accredited by a proper certification authority. These EMR regulations are designed to encourage widespread adoption of EMR technology and integration of these capabilities into the health care system. Meaningful Use criteria and rules under these two programs are the same.
It’s critical to note that there are three stages to meaningful use. The deadline for complying with Meaningful Use Stage 1 has passed (October 2012) and deadlines for meeting standards for Meaningful Use Stage 2 have recently been postponed until calendar year 2014. Meaningful use payments will require compliance with these as-yet unissued regulations.
HIPAA, among other things, offers protection for personal health information, including medical records. The HIPAA law gave patients more control over their health information, set limits on the use and release of their medical records, and established a series of privacy standards for health care providers, with penalties for those who do not follow these standards.
HIPAA grants patients several key privacy rights over their medical records, as outlined in this PDF, which impose obligations on health care providers. There is widespread industry expectation that HHS intends to intensify oversight of HIPAA compliance as part of the rollout of EMR systems.
Patients have the right to ask for a written notice about how their health information is used and shared, and to view their medical records. They can request a copy of their file, and also request that any mistakes be corrected. In most cases, health care providers must produce these documents within 30 days of receiving the request, but may charge reasonable fees to cover any expenses associated with making copies, if these are requested by the patient.
Certain parties are exempted from HIPAA requirements, which means some medical information may be shared without a patient’s knowledge in limited circumstances. Information shared with other providers in order to treat any patient is always exempted. Full HIPAA regulations are quite complex and are detailed here.
With respect to HIPAA and EHR / EMR requirements, these systems typically use data encryption to protect patient medical records stored on an EMR system. Data encryption protects electronic records both while they are stored and while they are being transferred, so that only holders of the decryption keys (the intended recipients) are able to read them.
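To make the "encryption at rest" point above concrete, here is an added example (not code from the page or from any EMR vendor) of how a record can be sealed before it is written to an EMR datastore and checked on the way back out. It uses AES-256-GCM from the Go standard library, so a stored record cannot be read without the key and any modification of the stored bytes is detected rather than silently accepted. The record layout, the helper names (SealRecord, OpenRecord, NewDataKey) and the idea of binding the record ID as associated data are assumptions of this example; where the key comes from (a KMS or HSM rather than a file next to the data) is a deployment decision outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PatientRecord is a constructed sample of the kind of data an EMR stores.
type PatientRecord struct {
	PatientID string `json:"patient_id"`
	Diagnosis string `json:"diagnosis"`
	Notes     string `json:"notes"`
}

// SealedRecord is the form written to the datastore: ciphertext plus nonce.
// RecordID stays in the clear as the lookup key and is authenticated as
// associated data, so a ciphertext cannot be quietly re-filed under another ID.
type SealedRecord struct {
	RecordID   string
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a fresh 32-byte AES-256 key. In a real deployment this
// key would be generated and held by a KMS/HSM, not by application code.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord serializes rec and encrypts it under key with a random nonce.
func SealRecord(key []byte, recordID string, rec PatientRecord) (SealedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SealedRecord{}, err
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plain, []byte(recordID))
	return SealedRecord{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord decrypts and verifies a stored record. A wrong key, a modified
// ciphertext, or a changed RecordID all fail the GCM tag check and return an
// error instead of corrupted plaintext.
func OpenRecord(key []byte, sealed SealedRecord) (PatientRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return PatientRecord{}, err
	}
	plain, err := aead.Open(nil, sealed.Nonce, sealed.Ciphertext, []byte(sealed.RecordID))
	if err != nil {
		return PatientRecord{}, fmt.Errorf("record %s: integrity check failed or wrong key", sealed.RecordID)
	}
	var rec PatientRecord
	if err := json.Unmarshal(plain, &rec); err != nil {
		return PatientRecord{}, err
	}
	return rec, nil
}

func main() {
	key, _ := NewDataKey()
	rec := PatientRecord{PatientID: "P-0001", Diagnosis: "constructed sample", Notes: "demo only"}
	sealed, _ := SealRecord(key, "rec-0001", rec)
	fmt.Printf("stored ciphertext is %d bytes, plaintext not visible\n", len(sealed.Ciphertext))
	back, err := OpenRecord(key, sealed)
	fmt.Println("decrypted with correct key:", back, err)
	sealed.Ciphertext[0] ^= 0x01 // simulate a single flipped bit in storage
	_, err = OpenRecord(key, sealed)
	fmt.Println("tampered copy rejected:", err)
}
```

The design point worth noting is that GCM gives integrity as well as confidentiality: a database operator who can read the ciphertext learns nothing about the diagnosis, and one who edits it gets a rejected record rather than a plausible but altered one. Protection in transit is a separate control (TLS between client, application and datastore) and is not shown here.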
In addition, while the HIPAA deadline of October 1, 2013 for the transition from ICD-9 to ICD-10 encoding is for hospital treatment inpatient procedures only, integrated treatment plans will increasingly require ICD-10 use by most health care providers. Since Stage 3 meaningful use standards have not even been issued in preliminary rulings as of October 2012, it is unclear whether ICD-10 compliance will be required by all providers, but it remains a possibility.