Bye, Bye Privacy and Security, Hello HIPAA, Hello!

Some vendors think there may be a hidden ‘gold nugget’ buried in the proposed Meaningful
Use Stage 2 regulations. ONC is proposing to eliminate the Privacy and Security (P&S) test
criteria for EHR Module certification in Stage 2. On the surface it looks like they want to give
niche players and Best of Breed (BoB) vendors a nice break. If you are not familiar with the
P&S criteria the Accredited Testing and Certification Bodies (ATCB) require, here they are
along with a short description:

    1. Access Controls - can your system prevent unauthorized access?
    2. Authentication – does your system authenticate each user?
    3. Emergency Access – can your system allow limited access in emergency situations?
    4. Automatic Log off – after no user activity for a specified period of time, does your
       system clear all PHI and log off all users?
    5. System Access Logs – do you maintain system logs for all inquiries, adds, modifications
       and deletions of PHI? Do you generate mandatory reports?
    6. General Encryption – does your system encrypt PHI at rest using a FIPS 140 compliant
       algorithm?
    7. Integrity – do you use SHA1 compliant tools to maintain file and data integrity?
    8. HIE Encryption - how does your system ensure integrity and encryption when data is
       communicated/received to/from outside entities?
    9. Account for Disclosures – do you track requests for PHI from outside entities?

Most EHR Module vendors that have gone through ONC Certification get certified on 1
through 8. Number 9 is deemed ‘optional’. In my many certification experiences, numbers 6
through 8 can be a hurdle, particularly if you are a SaaS or ‘Cloud’ deployed system.

Meanwhile on page 125 of the Proposed Stage 2 Rules for Vendor Certification, ONC states:

We propose not to apply the privacy and security certification requirements at §170.550
(e) for the certification of EHR Modules to the 2014 Edition EHR certification criteria.
Stakeholder feedback, particularly from EHR technology developers, has identified that this
regulatory requirement is causing unnecessary burden (both in effort and cost). EHR Module
developers have expressed that they have had to redesign their EHR technology in atypical
ways to accommodate this regulatory requirement, which sometimes leads to the inclusion of
a privacy or security feature that would not normally be found in a certain type of EHR
Module. In turn, this has led to EPs, EHs, and CAHs purchasing EHR Modules that have
redundant or sometimes conflicting privacy and security capabilities.

And then ONC goes on to state…

In addition, EPs, EHs, and CAHs remain responsible for implementing their EHR
technology in ways that meet applicable privacy and security requirements under Federal
and applicable State law (e.g., the HIPAA Privacy Rule and Security Rule and 42
CFR Part 2).

But as might be expected in this regulatory maze, when you look at the ONC Stage 2 Draft
“Medicare and Medicaid Programs; Electronic Health Record Incentive Program”, which is the
basis for provider MU attestation for Stage 2, you will see repeatedly that to meet the Privacy
and Security MU requirements the provider (not the vendor) must:

Conduct or review a security risk analysis in accordance with the requirements under 45
CFR 164.308(a)(1), including addressing the encryption/security of data at rest in
accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3),
and implement security updates as necessary and correct identified security deficiencies as
part of the provider's risk management process.

45 CFR 164 is the HIPAA Security Rule, and just last month HHS' Office for Civil Rights
published the protocol that it will use to conduct audits of the HIPAA Privacy and Security
rules. In that document they outline the audit procedures the OCR will follow. For example:

164.308 (a) Audit Procedure
Inquire of management as to whether formal or informal policy and procedures exist to review
information system activities; such as audit logs, access reports, and security incident
tracking reports. Obtain and review formal or informal policy and procedures and evaluate
the content in relation to specified performance criteria to determine if an appropriate review
process is in place of information system activities. Obtain evidence for a sample of instances
showing implementation of covered entity review practices. Determine if the covered entity
policy and procedures have been approved and updated on a periodic basis.

This audit procedure is repeated frequently throughout 164.308 and applies to all PHI
regardless of whether it is in the primary EHR or resides in a Module(s). In regard to
Business Associate agreements under 164.308 (b)(1) OCR further states:

Inquire of management as to whether a process exists to ensure contracts or agreements
include security requirements to address confidentiality, integrity, and availability of ePHI.
Obtain and review the documentation of the process used to ensure contracts or
arrangements include security requirements to address confidentiality, integrity, and
availability of ePHI and evaluate the content in relation to the specified criteria. Determine if
the contracts or arrangements are reviewed to ensure applicable requirements are

As you can see, the HIPAA audit does not differentiate between a full EHR and EHR Module.
Any and all systems or service contracts that deal with PHI of any type must comply, and the
provider must prove it under audit. The audit review above requires the provider to include
these requirements as part of the vendor contract, then prove same during the OCR audit.

Under Stage 1 the ongoing debate was whether a Best of Breed system supplier needed to
get ONC certified. The fact is there was never an ONC mandated requirement that any vendor
get certified. But many BoBs underwent certification for competitive reasons, and some
addressed most P&S criteria because they did not want to allow the big EHR vendors a
‘certification edge’.

Now, ONC is trying to push the P&S criteria of MU back on the provider and thereby reduce
the time and effort for the testing bodies. Their strategy, as they often state in the proposed
Stage 2 regulations (see page 119), is to let the market require (demand) it, not mandate it
via ONC regulation. Simply put, since the health provider needs to be legally responsible for
P&S under HIPAA and MU attestation, ONC expects that providers will demand from their
vendors that they meet the HIPAA P&S requirements. HIPAA audits by OCR have started this
year, so expect your clients to contact you for help and assistance as OCR asks to see the
P&S documentation for all systems that touch PHI. And the best documentation you can show
that confirms that you, the vendor, comply with HIPAA P&S will be …ONC certification!

As Stage 2 unfolds I would expect one of these two scenarios:

    1) Things stay as they are – EHR Modules must meet the eight P&S criteria, or,

    2) If the Draft regulations stand, module vendors can request to be tested by the
       ATCBs for P&S so as to satisfy HIPAA Business Associate requirements and
       address market/competitive issues.

In summary: in the past, BoB and niche vendors could casually sign Business Associate
agreements; under proposed Stage 2 and HIPAA, you’ll have to prove you’ve got real P&S. On
closer inspection that nugget is beginning to look more like fool’s gold!

Frank Poggio
Previously published on HISTalk 7/22/2012
All Rights Reserved
ONC via HIPAA will require vendors to be HIPAA Privacy and Security compliant. Just signing a
business agreement will not be enough; contracts will be looking for proof that your system
meets HIPAA P&S criteria. Will you be ready to prove it does?