2011 is here, and the first meaningful use reporting period is under way. Does your practice plan to take advantage of the stimulus money? Just to remind you, the HITECH Act will reimburse eligible professionals (EPs) up to $44,000 under Medicare or $64,000 under Medicaid for implementing a certified electronic health record (EHR) and utilizing it according to the meaningful use guidelines. EPs wishing to participate should be aware of the following developments.

Meaningful Use registration is now open. EPs can register their practice on the web. You will need to register as soon as possible if you plan to participate. You can register even if you do not yet have an EHR or if your EHR is not yet certified. Also, please be sure to register as an eligible professional, unless you are a hospital administrator. Medicaid registration is now open in select states; however, everyone can register for the Medicare program at this time.

EPs must purchase all meaningful use software up front. HHS recently clarified that EPs or eligible hospitals must purchase all of the functionality required by meaningful use in order to qualify for stage one. There are 25 components required for stage one: 15 of them are “core” requirements. Ten of them are “menu” requirements; EPs are allowed to pick five of the ten to implement over stage one. However, EPs must purchase all of the menu requirements for stage one, regardless of whether they choose to implement them or not.

There are currently five approved testing and certification bodies. HHS has approved five bodies to certify EHR systems for meaningful use compliance. They are ICSA Labs, SLI Global Solutions, InfoGard Laboratories, CCHIT, and the Drummond Group. To date, 200 complete EHRs and EHR modules have been certified. Multiple certification bodies will ensure EHRs are certified quickly and keep costs down so they are not passed on to consumers.

HIPAA Security Risk Analysis is still required for stage one. The HIPAA security rule, 45 CFR 164.308(a)(1), requires covered entities to conduct and review a security risk assessment at least annually. Core requirement 14 states that EPs must “implement systems to protect privacy and security of patient data in the EHR,” and the measurement further clarifies that EPs must “conduct or review a security risk analysis, implement security updates as necessary, and correct identified security deficiencies.” Risk analyses are typically not part of EHR systems, so EPs will need to contract with a third party to ensure they meet this requirement.

Please let us know if you have any questions about meaningful use or risk analyses. Conducting a risk analysis can take time, so you should begin immediately if you want to qualify for meaningful use during the first reporting period. We offer a simple, easy risk analysis solution. Please let us know if we can help.

Ryan Ricks
Security Officer