Latest Meaningful Use Matrix Reinforces HIPAA Compliance, CPOE
Is the third time a charm? That's the burning question on everyone's minds as the Office of the National Coordinator (ONC) begins to review the third set of recommendations set forth by the HIT Policy Committee's meaningful use work group.
Although the newest matrix closely follows the July version, the work group did add the following new footnotes:
- While all process measures (e.g., computerized physician order entry [CPOE] adoption) apply to all eligible providers, applicability of quality or outcome measures to specialists will be defined in the rule-making process. In 2013, disease- and/or specialty-specific registries are included as objectives. Specific measures will be included in refinements to the 2013 recommendations.
- Additional efficiency measures to consider for 2013 recommendations include: generic therapeutic substitutions for medications.
- National Quality Forum is working with measure developers to refine existing administratively defined quality measures referenced in the matrix to be redefined using clinical and administrative data from EHRs.
Of note is that both the July and current versions of the matrix recommend that in 2011, hospitals must be able to prove they are using CPOE for at least 10% of orders (any type). According to the matrix, orders must be entered directly by the authorizing provider, such as an MD, DO, RN, PA, or NP. By 2013, that percentage would jump to 100%. By 2015, hospitals must be able to achieve certain levels of performance as dictated by yet-to-be-determined clinical outcomes standards.
On the physician practice side, providers must use CPOE for 100% of all order types beginning in 2011.
The CPOE requirement shouldn't be too burdensome for hospitals, says Kelly McLendon, RHIA, president of Health Information Xperts, LLC, in Titusville, FL, who adds that "the 10% is low" as compared to requirements for providers in the practice setting.
Another notable recommendation is that CMS withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved. In 2011, hospitals and providers must satisfy the following measures:
- Full compliance with HIPAA privacy and security rules
- Conduct or update a security risk assessment and implement security updates as necessary
In 2013, hospitals and providers must be able to provide summarized or de-identified data when reporting information for health purposes (e.g., public health, quality reporting, and research), where appropriate, so that important information is available with minimal privacy risk.