Meaningful Use: Compliance and Privacy Implications

Your health care organization has established an electronic health record (EHR) program and has begun implementing the criteria necessary for “Meaningful Use,” but has your organization considered the compliance component of Meaningful Use? In a Webinar entitled “Meaningful Use and Your Compliance Program,” sponsored by Mediregs, a Wolters Kluwer company, Phyllis A. Patrick, MBA, GACHE, CHC, discussed the compliance, privacy, and security implications, noting that there is a logical flow between Meaningful Use and compliance processes.

 Federal Laws Impacting Meaningful Use Processes

 Patrick identified a number of federal laws that might impact EHR and the Meaningful Use processes. Among the laws Patrick identified were the Patient Protection and Affordable Care Act (PPACA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the False Claims Act (FCA), the Stark law, and the Health Insurance Portability and Accountability Act (HIPAA). For example, the attestation process can have implications for the FCA if the attestation has false statements.

 Federal privacy and security requirements affect the move toward EHR integration, Meaningful Use, and Health Information Exchanges (HIEs), and all of these processes have a compliance component, Patrick said. In addition, enforcement of HIPAA compliance has been enhanced by the addition of the right of private action in HIPAA privacy cases, the right of state attorneys general to bring actions for HIPAA violations, and increased oversight by the Office of Civil Rights (OCR) and the Federal Trade Commission. The OCR Audit Program mandated by HIPAA and the HITECH Act permits audits not only of hospitals and doctors but also of vendors, e-prescribing gateways, and HIEs.

 The Meaningful Use Task Force

 According to Patrick, Meaningful Use affects privacy, security, internal audit, legal, and compliance. The Meaningful Use Task Force should partner with internal audit, risk management, legal, information technology (IT), and others to integrate enterprise-wide risk management, she said. Its policies should include compliance, privacy, security, notice of privacy practices, and business associate agreements. Patrick recommended that all relevant groups participate in governance to achieve attestation readiness.  

 Addressing the role of the board of directors, Patrick noted that as part of its fiduciary responsibilities the board should have, in addition to an audit and compliance committee, a committee to oversee privacy and security, adding that the board should also be required to have an IT person as a member. Patrick advised that the board of directors and senior leaders should track and manage money for the use and criteria for identifying and mitigating risk, and should oversee attestation readiness. She also recommended that the legal department be included in the selection of an EHR.

 Patrick explained that the roles of compliance officers and privacy and security officers must involve more strategic thinking and must have an external as well as an internal focus. Privacy and security officers should communicate with senior leaders as well as regional agencies. They should be involved in EHR selection and implementation and in Meaningful Use strategy and processes, and they must audit and monitor compliance and privacy issues, particularly the attestation. They must document evidence that risk analysis is done. Internal auditors also must be involved. In addition, compliance and privacy officers should participate in HIE developments.

 Project Management

 To be in compliance, Meaningful Use processes should be documented, tracked, and managed. The processes for Meaningful Use are not a one-time thing; they are ongoing. Internal coordination and designation of responsibility are needed.

 According to Casey O’Brien, of MediRegs, thoughtful project management is essential for Meaningful Use. Fulfilling Meaningful Use objectives requires time, planning, and careful documentation and may take varied lengths of time to complete. The process will take years and the objectives have various levels of difficulty. Progress, auditing, and monitoring must be kept up to date. The Meaningful Use team should have tools to identify, prioritize, and document.

 More specifically, attestation must be done in a timely manner and it must be accurate. Ensuring this compliance requires the proper tools and the proper parties. Some of the tools recommended include: auditable communication trails, documentation storage, record metrics testing and achievement, information security risk assessment to prove data protection, and independent third-party validation. In addition, auditing and monitoring should include the attestation process for MU evidence of risk analysis, mitigation, and documentation of the MU process.

Has your organization considered the compliance aspects? Has it involved the organization’s compliance, privacy, and security officers? Does the board have oversight responsibility for the EHR program and Meaningful Use?