General Overview of EMR Regulations For Health Care Providers | medicalrecords.com
EMR regulations detail the manner in which health care providers qualify for Medicare and Medicaid EMR “meaningful use” payments under The Health Information Technology for Economic and Clinical Health (HITECH) Act, which in turn is part of the American Recovery and Reinvestment Act of 2009 (ARRA).
These rules make direct and indirect reference to the latest regulations issued by The U.S. Department of Health and Human Services (HHS) regarding providers’ security and privacy obligations under the Health Insurance Portability and Accountability Act (HIPAA). EMR regulations fall under both HITECH / ARRA definitions for meaningful use requirements and for HIPAA security rules.
ARRA / HITECH
Federal payments are available for qualifying health care providers (referred to as Eligible Professionals (EPs) in the federal regulations).
While a maximum of $21,250 of Medicaid EMR payments are independent of EMR use, the bulk of payments under Medicaid and all payments under Medicare require “meaningful use” by an EP of an EMR system accredited by a proper certification authority. These regulations are designed to encourage widespread adoption of EMR technology and integration of these capabilities into the health care system. Meaningful Use rules under these two programs are the same.
It’s critical to note that there are three stages to meaningful use, only one of which has been formalized as of January, 2012. Deadlines for meeting standards for Meaningful Use Stage 2 have recently been postponed until calendar year 2014, for instance. Meaningful use payments will require compliance with these as-yet unissued regulations.
HIPAA
HIPAA, among other things, offers protection for personal health information, including medical records. This law gave patients more control over their health information, set limits on the use and release of their medical records, and established a series of privacy standards for health care providers which provides penalties for those who do not follow these standards.
HIPAA grants patients several key privacy rights over their medical records, as outlined in this PDF, which impose obligations on health care providers. There is widespread industry expectation that HHS intends to intensify oversight of HIPAA compliance as part of the rollout of EMR systems.
Patients have the right to ask for a written notice about how their health information is used and shared, and to view their medical records. They can request a copy of their file, and also request that any mistakes be corrected. In most cases, health care providers must produce these documents within 30 days of receiving the request, but may charge reasonable fees to cover any expenses associated with making copies, if these are requested by the patient.
Certain parties are exempted from HIPAA requirements, which means some medical information may be shared without a patient’s knowledge in limited circumstances. Information shared with other providers in order to treat any patient is always exempted. Full HIPAA regulations are quite complex and are detailed here.
With respect to HIPAA and EMR requirements, these systems typically use data encryption to protect patient medical records stored on an EMR system. Data encryption technology protects electronic records while they are stored and while they are being transferred, ensuring that only the intended recipients are able to view them.
In addition, while the HIPAA deadline of October 1, 2013 for the transition from ICD-9 to ICD-10 encoding is for hospital treatment inpatient procedures only, integrated treatment plans will increasingly require ICD-10 use by most health care providers. Since Phase 3 meaningful use standards have not even been issued in preliminary rulings as of January, 2012, it is unclear whether ICD-10 compliance will be required by all providers, but it remains a possibility.
TAKEAWAYS
EMR Regulations can broadly be broken into parts: meaningful use qualification, and HIPAA. The nature of these regulations is that they often overlap and interlock with respect to provider requirements.
Providers need to make sure they their EMR systems will not only meet issued Phase 1 meaningful use but un-finalized Phase 2 and Phase 3 requirements. It is imperative that you understand your vendor’s roadmap to ensuring compliance with ongoing meaningful use requirements.
HIPAA compliance is also important, as violations can result in costly fines, and there is widespread expectation HHS will be increasing enforcement actions.
Related articles include