Newly finalized rules for Stage 2 of the "meaningful use" electronic health records (EHR) incentive program take into consideration some of the ways mobile technology has changed how healthcare professionals and patients access health information.
Notably, the 672-page rule, which the Centers for Medicare and Medicaid Services (CMS) released Thursday, requires providers to conduct a risk assessment on whether they need to encrypt all personally identifiable health data while "at rest." The standard for protecting data is the same as in the current Stage 1, but this time, CMS specifically mentions data at rest because of mobile devices, based on comments from the Health IT Policy Committee, a federal advisory board.
"Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity's reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured," the lengthy CMS explanation says.
CMS also talks about mobile devices in the context of computerized physician order entry (CPOE). The new rule calls for providers to enter medication orders electronically for 60 percent of patients—double the Stage 1 standard—and also adds a 30 percent requirement for laboratory and radiology orders. CMS defines CPOE as "the provider's use of computer assistance to directly enter medical orders … from a computer or mobile device. The order is then documented or captured in a digital, structured, and computable format for use in improving safety and efficiency of the ordering process."
The final rule does dial back some thresholds from a proposal released in February, at least one of which seems relevant to mobile technology developers. Providers now only have to offer online access to health information and secure messaging for a minuscule 5% of patients, not 10%, as had been proposed.
The companion rule from the Office of the National Coordinator for Health Information Technology (ONC) regarding certification of EHR systems has quite a bit to say about mobile technology, however.
While providers don't have to spend a whole lot of time on portals, vendors have the OK to develop mobile apps for patient engagement, as long as the technology meets basic certification requirements. "[S]ecure email, a secure portal, even some type of mobile application could all be examples for secure messaging methods that could potentially meet this certification criterion. Along those lines, we decline to specify or restrict certification in this case to a particular transport standard because, again, we intend to permit a wide range of different secure messaging solutions, that will likely use different approaches and transport standards," ONC states.
Significantly, ONC will not require separate certification for "adaptation" of certified EHR technology into a new format such as a smartphone or tablet app as long as the spinoff contains the "full and exact same capabilities" for each criterion as the original version.
"[W]e acknowledge that adaptations will naturally require the certified complete EHR or certified EHR module’s user interface and other design features to be changed in order to perform efficiently on mobile platforms," ONC explains. Mobile adaptations may contain less functionality than desktop versions without requiring separate certification as long as any included capabilities exactly match those previously certified.
All EHR products, mobile or otherwise, do have to meet HIPAA requirements to earn certification for meaningful use. "For example, we would expect that an adaptation designed to run on a mobile device would employ authentication, access control, and authorization capabilities," ONC says.
The ONC certification rule also addresses encryption of mobile devices. "The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops," the rule says. ONC clarifies a point from the proposal that this applies to "storage actions that EHR technology is programmed to take (i.e., creation of temp files, cookies, or other types of cache approaches)," not how individuals save files.
However, an EHR must be able to create an audit log actions related to encryption of "end-user devices" if the system allows local storage on such devices. "EHR technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of EHR technology on those devices stops," the certification rule says.
As expected, Stage 2 has officially been delayed until 2014, a year later than the American Recovery and Reinvestment Act legislation originally called for, or two years after a provider first achieves Stage 1 requirements.
In a conference call with reporters Thursday, national health IT coordinator Dr. Farzad Mostashari said Stage 1 was about "beginning the journey" to a nationwide network of interoperable EHRs that promote safety, quality, efficiency and care coordination by asking providers to collect data electronically. Stage 2 builds on the current phase and starts to emphasize data sharing.
"The big message here is the push on standards-based interoperability of information," Mostashari said. "We are staying on course with the roadmap that we set in Stage 1."
