
IT Everything

A witness to history in healthcare information technology.
By Joseph Conn

Blog: In flurry of rules, feds got a few things right

HHS certainly backed up the old regulatory dump truck and pulled the lever, spilling out 1,354 pages of legalese in three separate health information technology-related rules.

One was the CMS' long-awaited Stage 2 meaningful-use final rule affecting providers, running a sumo-sized 672 pages.

Another was a companion rule from the Office of the National Coordinator for Health Information Technology, coming in at a hefty 474 pages and targeting IT developers on certification criteria for electronic health-record systems.

Finally, the third rule, also from the CMS and weighing in at a comparatively svelte heavyweight 208 pages, does three things. It pushes back to 2014 the compliance deadline for ICD-10, tweaks an earlier rule on the national provider identifiers, and—after 16 years—establishes a set of health plan identification numbers first called for in the Health Insurance Portability and Accountability Act of 1996.

Like many of you, I'll be spending the weekend poring over the new rules, and I'll be giving you my take on them in the coming weeks.

A few things come to mind right now, one being that perhaps the feds got a few things right, based on the mixed criticism that quickly emanated from healthcare industry leaders tracking—and lobbying—the federal rulemakers.

For example, the American Hospital Association quickly fired off a summary, praising the feds and the CMS in particular for "a shorter meaningful-use reporting period for 2014," but quickly adding an expression of disappointment "that this rule sets an unrealistic date by which hospitals must achieve the initial meaningful-use requirements to avoid penalties." The AHA also said that CMS "complicated the reporting of clinical quality measures and added to the meaningful use objectives, creating significant new burdens."

Meanwhile, the Medical Group Management Association and the American College of Medical Practice Executives weighed in and were pleased that the CMS extended the Stage 2 start date until 2014 and is allowing physicians in a medical group to report their qualifying information as a group instead of as individuals.

The MGMA also noted that "lowering the thresholds for achieving certain measures such as mandatory online access and electronic exchange of summary of care documents" will reduce the administrative burden on group practices.

One thing that jumped out at me in the CMS' meaningful-use rule is the increased emphasis on encryption as a data security measure for so-called data at rest—that is, patient-identifiable records on servers, hard drives and portable devices.

Under Stage 1 rules, providers are required to perform a risk assessment, as they are required to do under the security provisions of the Health Insurance Portability and Accountability Act.

Now, under Stage 2, they must give serious consideration to encrypting that data.

Why the change in emphasis?

We know from the number of breach incidents reported to the Office for Civil Rights at HHS that—how can I put this delicately—what the industry has done so far is leak patient data like a sieve.

At last report, the OCR claimed more than 50,000 breaches have been reported to it since late 2009, as mandated by the American Recovery and Reinvestment Act of that year. Of those breaches, 489 involved 500 or more individuals and have exposed the medical records of more than 21 million patients.

The new CMS rule calls out this abominable record.

"Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices," the rule writers said. "Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element" of the HIPAA security rule as a meaningful-use measure.

Rulemakers were careful to point out they're not members of Congress: "We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA. We only emphasize the importance of an EP (eligible professional) or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure."

This could force a big change on the industry, and one for the better.

Follow Joseph Conn on Twitter: @MHJConn.
