Also disclosed Tuesday at the Health Information Technology Policy Committee's meeting—the EHR incentive payment program has paid out slightly more than $24 billion through May with just under $15.9 billion paid out by the Medicare portions of the programs and slightly more than $8.1 billion paid under Medicaid programs, CMS official Elisabeth Meyers said in a presentation.
The committee approved several recommendations by its privacy and security tiger team pertaining to a proposed “voluntary” testing and certification program for developers of electronic health-record systems used for behavioral healthcare providers.
Behavioral health providers that receive federal funds are bound by a privacy rule that is far more stringent than the chief federal patient data privacy rule for most healthcare providers, the Health Insurance Portability and Accountability Act. The more stringent rule requires patient consent before a patient's healthcare information about drug or alcohol abuse treatment can be shared with another provider or health information exchange, even for treatment. The consent requirement attaches to the data itself, a “tag you're it” principle, so that, when a record changes hands, the consent requirement flows with it.
Thus far, the federal EHR incentive payment program has ignored this requirement when it has set technical standards for EHR vendors to meet in the first two editions of software that must be tested and certified for use by healthcare providers in Stage 1 and Stage 2 of the program.
The tiger team recommendations approved by the full committee would apply to Stage 3 meaningful use criteria, slated to go into effect in 2017 for general providers and their EHRs, and, presumably for behavioral health providers and any vendors who agree to develop systems to meet the proposed voluntary standards applicable to them.
The recommendation would have EHRs used by behavioral health providers be capable of “tagging” documents containing sensitive behavioral health information. The protected information would be sent in documents using the Consolidated Continuity of Care Document format developed by the standards development organization Health Level Seven, and also using its “data segmentation for privacy” tagging format.
For general healthcare providers, there would be no mandatory Stage 3 meaningful-use requirement that they be capable of receiving C-CDA/DS4P documents. Only general providers who are likely to be recipients of sensitive behavioral health records under 42 CFR restrictions could use EHRs tested and certified as capable of meeting those standards.
Vendors marketing systems to general healthcare providers would not be required to test and certify to those standards, either, but could if they thought there was a sufficient market for them. Only recipient general providers would request this capability from vendors, the tiger team recommendation said.
Deven McGraw, a privacy lawyer with the firm Manatt, Phelps & Phillips and chairwoman of the tiger team, conceded that the recommendations were “baby steps,” but better than the status quo, where many healthcare organizations are either exchanging sensitive patient records on paper, or not exchanging at all.
Follow Joseph Conn on Twitter: @MHJConn