Will MU Objectives Advance Privacy, Security?

At the first meeting of the Health IT Policy Committee following the July 13 publication of the meaningful use Stage 1 final rule, most of the members praised the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services (CMS) for their flexibility. But a few members at the July 21 meeting expressed disappointment with the privacy and security aspect, stating that CMS may be missing an opportunity to drive improvements.

The final rule from CMS states “we do not see meaningful use as an appropriate regulatory tool to impose different, additional, and/or inconsistent privacy and security policy requirements from those policies already required by HIPAA.”

Gayle Harrell, a former Florida state legislator on the committee, said that comment might send a signal that CMS is not serious about privacy, and that it needs to assert that it will use every policy lever possible to promote privacy and security.

Deven McGraw of the Center for Democracy & Technology (CDT) raised the concern that CMS may be taking off the table an important tool to push for improvements. McGraw elaborated on some of her comments in a blog posting on the CDT website. There she agreed that meaningful use should not contradict or conflict with HIPAA requirements, and shouldn’t be the primary mechanism for implementing a comprehensive privacy and security framework. “But to foreclose the use of meaningful use criteria to make any advances in health privacy and security is to surrender a significant policy lever for encouraging industry adoption of privacy and security best practices for using EHR technology,” she added.

She also expressed disappointment that CMS rejected recommendations to make compliance with state and federal privacy and security laws a meaningful use requirement and to disqualify providers fined for willful neglect of the HIPAA privacy and security regulations from eligibility for the federal health IT subsidies.

Both Tony Trenkle, director of the CMS Office of e-Health Standards and Services, and National Coordinator for Health IT David Blumenthal, M.D., responded by saying there was no intention to preclude privacy and security criteria in future stages of meaningful use. “When we can define criteria that are consistent with the privacy rule and find other ways to measure, audit, and report on them, we will support that,” Trenkle said.

Blumenthal said he would support “ambitious and achievable” goals and doesn’t see privacy and security as off the table at all.

On another topic, Trenkle mentioned that CMS would be monitoring which of the meaningful use optional objectives are being deferred most often by hospitals and eligible providers to study patterns that will impact outreach programs and future rule-making.