Consumer Groups Want Tougher EHR Regs

In a letter to regulators, the Consumer Partnership for eHealth says the proposed rule "does not go far enough to ensure that providers are using appropriate safeguards."

The proposed rule states that to qualify for Stage 1 of the incentives under the HITECH Act, healthcare providers must "conduct or review a security risk analysis of certified EHR technology and implement updates as necessary."

Call for clarity

The coalition says regulators should make it clear that organizations that have never conducted a HIPAA security risk analysis must complete one to qualify for the incentives.

The group also asks regulators to clarify the meaning of "implement updates as necessary." The letter states that physicians and hospitals "should be required to have a written policy regarding how they will handle security updates, and they should also address any deficiencies identified in the security assessment. Attestation on the risk assessment should indicate that a risk analysis was conducted and that the entity has mitigated any risks that were identified."

In its letter, the group also says physicians and hospitals who are fined for significant HIPAA violations should not be eligible for EHR incentive payments.

Stand firm

Unlike many healthcare associations, the consumer coalition largely endorses the meaningful use rule as written and warns against weakening its criteria. "We strongly urge you to maintain this robust direction for meaningful use and address concerns that it is too challenging by offering ample support in the form of technical and other assistance," it states.

Comments on the "meaningful use" rule were due March 15. David Blumenthal M.D., national coordinator for health information technology, recently said the final versions of the three core rules for the EHR incentive program will be completed by the end of spring. (To read story, click here).