ABA Health eSource
February 2010 Volume 6 Number 6

More Incentive To Comply with HIPAA and HITECH:
The New “Meaningful Use of Electronic Health Record” Rules

by Barbara J. Zabawa, Whyte Hirschboeck Dudek S.C., Madison, WI

As if the holidays and the looming February 17, 2010 deadline for HITECH were not enough, the federal Department of Health and Human Services (DHHS) issued two inter-related rules regarding the adoption of electronic health records (EHRs) on December 30, 2009 to further encourage health care entities to comply with the HIPAA privacy and security rules. 1 Both rules stem from requirements imposed upon DHHS in the American Recovery and Reinvestment Act (ARRA), signed into law on February 17, 2009.

“Meaningful Use” Rules

The first set of rules begins to define what qualifies as “meaningful use” of EHRs. 2 Meaningful use of EHRs is important for eligible health care providers (such as non-hospital based physicians and hospitals) who wish to receive financial incentives from the Medicare or Medicaid programs for adopting EHRs. Specifically, eligible providers must be a meaningful EHR user for the relevant EHR reporting period in order to qualify for the incentive payment for a payment year. Starting in 2011, these incentive payments can amount up to $44,000 for physicians and possibly millions of dollars for hospitals over the course of a four-year period. 3

Under the proposed rule, DHHS has adopted a “phased approach” for establishing reasonable criteria for meaningful use. This phased approach encompasses three stages. The proposed rule issued on December 30, 2009 addresses criteria for Stage 1. DHHS will propose criteria for Stage 2 by the end of 2011 and Stage 3 criteria by the end of 2013. This final stage will occur a year before ARRA’s goal of having an EHR in use for each person by the year 2014.

In order to receive the financial incentive payments in 2011, eligible providers will need to satisfy the requirements of Stage 1 criteria of meaningful use. DHHS listed the criteria in a newly created regulatory section, 42 CFR § 495.6. These criteria encompass five health outcomes policy priorities, which are:

  • Improving quality, safety and efficiency, and reducing health disparities;
  • Engaging patients and families in their health care;
  • Improving care coordination;
  • Improving population and public health; and
  • Ensuring adequate privacy and security protections for personal health information.

Within each of these health outcomes policy priorities are objectives and ways to measure those objectives. For example, one objective under criterion number 5 listed above is to “protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities.” 4 The measure for that objective is to have the eligible provider “conduct or review a security risk analysis in accordance with the requirements under 45 CFR § 164.308(a)(1) and implement security updates as necessary.” 5

Thus, the proposed rule requires eligible healthcare providers to once again review their HIPAA security measures to ensure that any information transmitted on the certified EHR system is protected against security breaches. However, unlike in the past, when compliance was driven by the desire to avoid scrutiny or the imposition of penalties, the proposed rule provides a financial incentive to comply with the HIPAA security rules.

Certified EHR Technology Rules

This second rule establishes the capabilities and related standards that certified EHR technology will need to include in order to, at a minimum, support the achievement of the proposed Stage 1 meaningful use criteria by eligible providers. 6 It is an “interim final rule” and adds a new part, Part 170, to the HIPAA regulations.

One of the standard types implemented by the interim final rule relates to health information technology that protects electronic health information as it is created, maintained and exchanged. 7 These standards for certified EHR technology include:

  • Encryption and decryption standards;
  • Requiring that the date, time, patient identification and user identification be recorded when electronic health information is created, modified, deleted or printed;
  • Verification that the electronic health information has not been altered in transit;
  • Requiring a cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails;
  • Requiring that the date, time, patient identification, user identification, and a description of the disclosure be recorded for disclosures for treatment, payment, and health care operations, as those terms are defined in 45 CFR § 164.501.
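The audit-trail, disclosure-accounting and in-transit integrity standards in the list above, shown as an added example that is not part of this article or of any certified EHR product. It uses only Python’s standard library: an audit entry carries the date, time, patient identification and user identification the rule names for create, modify, delete and print events; a disclosure entry adds the purpose (using the 45 CFR § 164.501 terms) and a description; and an HMAC-SHA256 tag over the canonical JSON lets the receiving system detect that a record was altered in transit. The field names, the shared key and the sample identifiers are constructed for illustration, and a keyed hash is one way to implement an integrity check, not the mechanism the rule itself prescribes.

```python
"""Illustrative ePHI audit trail with in-transit integrity verification.

Added example; not the article's text and not any certified EHR product.
Assumptions (all constructed for illustration): records are JSON objects,
sender and receiver share a secret key, and the field names are our own.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Actions the standard requires to be recorded when ePHI is touched.
AUDITED_ACTIONS = {"created", "modified", "deleted", "printed"}
# Disclosure purposes for which an accounting entry must be kept.
DISCLOSURE_PURPOSES = {"treatment", "payment", "health care operations"}


def _base_entry(user_id, patient_id, when=None):
    """Common fields: UTC date/time, the user acting and the patient affected."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(timespec="seconds"),
        "user_id": user_id,
        "patient_id": patient_id,
    }


def audit_event(user_id, patient_id, action, when=None):
    """Audit-trail entry for a create/modify/delete/print of ePHI."""
    if action not in AUDITED_ACTIONS:
        raise ValueError(f"action must be one of {sorted(AUDITED_ACTIONS)}")
    entry = _base_entry(user_id, patient_id, when)
    entry["action"] = action
    return entry


def disclosure_event(user_id, patient_id, purpose, description, when=None):
    """Disclosure-accounting entry: who disclosed whose ePHI, why, and what."""
    if purpose not in DISCLOSURE_PURPOSES:
        raise ValueError(f"purpose must be one of {sorted(DISCLOSURE_PURPOSES)}")
    entry = _base_entry(user_id, patient_id, when)
    entry.update({"event": "disclosure", "purpose": purpose,
                  "description": description})
    return entry


def canonical(record):
    """Serialize deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope, key):
    """True only if the record still matches its tag (constant-time compare)."""
    expected = hmac.new(key, canonical(envelope["record"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo(key=b"constructed-shared-key"):
    """Seal a sample event, then show that an altered copy fails verification."""
    when = datetime(2010, 2, 1, 9, 30, tzinfo=timezone.utc)  # constructed
    event = audit_event("clinician-0042", "MRN-000123", "modified", when)
    envelope = seal(event, key)
    intact_ok = verify(envelope, key)
    # Simulate alteration in transit: a different patient identifier.
    altered = json.loads(json.dumps(envelope))
    altered["record"]["patient_id"] = "MRN-999999"
    altered_ok = verify(altered, key)
    return intact_ok, altered_ok


if __name__ == "__main__":
    print(demo())
```

The receiving system calls `verify` before trusting or storing an incoming record; a `False` result is itself an event worth logging, since it means the audit trail or disclosure record changed between systems.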

Each of these standards reflects the HIPAA security provisions and those of ARRA’s Health Information Technology for Economic and Clinical Health Act (“HITECH”), and facilitates the implementation of those provisions. For example, the encryption and decryption standards are now required for EHR technology to be certified, even though under the original HIPAA security rule, encryption and decryption capabilities were an “addressable” item. 8 This change is important in light of the new Notice of Breach rules created by ARRA and HITECH. The Notice of Breach rule, which requires security breaches to be reported to individuals, DHHS and sometimes the media, relieves health care providers from reporting obligations when the electronic PHI is encrypted. 9

The standard that requires identification related to treatment, payment and healthcare operations disclosures will facilitate a new HITECH requirement. Specifically, the certified EHR technology that records identifying information will help healthcare providers meet the HITECH requirement that mandates provision of an accounting of electronic health record disclosures relating to treatment, payment or health care operations. 10


Despite the enormity of the new rules published on December 30, 2009, it appears that DHHS is trying to integrate past health information security and privacy requirements with the new ones. For many healthcare providers, this evidence of a plan and goal may be enough good news to make the many months of implementation a little less painful.

1 Dept. of Health and Human Services, Centers for Medicare & Medicaid Services, Proposed Rule for 42 CFR Parts 412, 413, 422 and 495, CMS-0033-P, RIN 0938-AP78 (Dec. 30, 2009) (“Proposed Rule”). Published in 75 Fed. Reg. 1844 (Jan. 13, 2010).
2 75 Fed. Reg. at 1851.
3 American Recovery and Reinvestment Act, P.L. 111-005, §§ 4101 and 4102.
4 Proposed Rule 42 CFR § 495.6(c)(17)(i).
5 Proposed Rule 42 CFR § 495.6(c)(17)(ii).
6 Dept. of Health and Human Services, Office of the Secretary, Interim final rule 45 CFR Part 170, RIN 0991-AB58 (Dec. 30, 2009) (“Interim Final Rule”). Published in 75 Fed. Reg. 2014 (Jan. 13, 2010).
7 Interim Final Rule 45 CFR § 170.210. With regard to all the standards for certified EHR technology, DHHS reminds eligible providers that it is not their responsibility to adopt the standards, but the responsibility of the EHR developers from whom the providers purchase the EHR system. See 75 Fed. Reg. at 2028.
8 See 45 CFR § 164.312(a)(2)(iv).
9 See 74 Fed. Reg. 42740, 42742 (Aug. 24, 2009).
10 P.L. 111-005, HITECH § 13405(c).

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section. Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.