Stage 2 Implications on HIPAA Hosting
Initially I had some difficulty pinning down the exact objectives and implications Stage 2 would have on health IT for healthcare organizations that deal with electronic protected health information (ePHI). I combed through the entire document for any implications the proposed revisions might have on the HIPAA hosting aspect of health IT, as that can affect the decisions our clients make and our ability to fulfill those needs to help meet compliance and meaningful use.
Here’s a rundown of what I could pinpoint through a review of the official federal register document, 42 CFR Parts 412, 413 and 495, Medicare and Medicaid Programs; Electronic Health Record Incentive Program – Stage 2.
In Stage 2, the proposed rule highlights the importance of encryption when conducting a security risk analysis. While the proposal does not seek to make encryption a requirement under the HIPAA Security Rule, awareness of encryption and the security of data at rest will be emphasized as a key measure in the review of a security risk analysis/assessment.
The federal register acknowledges that a recent HHS analysis of reported breaches shows nearly 40 percent of large breaches were due to lost or stolen devices – encryption could secure data on any device and prevent data leaks.
Data Accessibility by Patients
In Stage 1, a core objective requires eligible hospitals to provide patients with an electronic copy of their health information upon request. Stage 2 ups the ante by requiring hospitals to provide patients with timely electronic access to their health information within 4 business days of information being made available to the hospital.
Stage 2 proposes an online patient portal or personal health record (PHR) be available to allow patient access to lab results, problem list, medication lists and allergies. This provision would call for the integration of a patient portal system into the IT infrastructure of any eligible hospital, increasing the need to streamline and support an always-available system.
But what if there was a hardware failure, or a natural disaster that affected your data and application availability? In the event of a disaster, a formal disaster recovery plan can ensure your data will be readily available to meet future meaningful use requirements. Cloud-based disaster recovery can provide recovery time objectives of four hours, meaning patient data can be recovered and available on a timely basis.
Medical Imaging Accessibility
A new core objective for Stage 2 proposes that imaging results and information are accessible through Certified EHR Technology. By making medical imaging results (CAT Scans, CT Scans, X-Rays, etc.) available through an EHR system, the provision intends to reduce unnecessary costs and radiation exposure from tests repeated only because a prior test is not available to the provider.
Making medical images accessible through these systems means the need to invest in high-capacity data storage. A high-capacity HIPAA cloud hosting solution can provide massive storage or synchronization with scalability to grow as your storage needs require.
The Stage 2 meaningful use proposed changes may affect the certification process for EHR systems. As Kyle Murphy writes in "What Does ONC Mean by a Certified EHR?": to demonstrate meaningful use, you need a certified EHR system; to create a certifiable EHR system, you need to know how to meet the different stages of meaningful use.