Just because your EHR was CERTIFIED to do it doesn’t mean you HAVE to do it for Meaningful Use.
CMS and ONC (the Office of the National Coordinator for Health IT) were the authors of the Meaningful Use rule and the EHR Certification Rule, respectively. The clearly stated intention of the certification rule is to give providers and facilities a way to know that basic capabilities exist in their EHR system. Those capabilities must then be used and tracked to prove Meaningful Use, but CMS explicitly described some differences in the MU rule, usually in the name of “flexibility.”
For instance, Certified EHR systems must provide a way for users to encrypt files containing PHI. On the other hand, however, the Meaningful Use rule clearly states that it will not mandate when or how the facility should use this encryption capability, if at all. The rule does note that HIPAA and HITECH already provide guidance on privacy and security. The long and short of this is that as facilities create electronic copies of medical records for patients, they are at liberty to decide when and how to encrypt, or even to decide not to encrypt at all. This means they can use the encryption tools within the Certified EHR, or other tools. At HealthPort, we feel strongly that electronic copies should all be encrypted, as the hard-drives of all HealthPort PCs are encrypted, so that maximum protection can be ensured no matter where that electronic copy may travel. And we work with our partners to create an encryption password process that works for the facility and for the patients.
In another example, Certified EHR systems must be able to produce a CCD or CCR (“Continuity of Care Document” or “Continuity of Care Record”) - two national standards for electronic layouts of medical data – in xml format and a human readable version. However, to meet Meaningful Use for patient electronic copies of medical records, only the human readable version must be provided to the patient. CMS understands that the most common use of the patient copy will be for humans to view and read it, not machines, and so at this point, CCD or CCR is not required for patient copies.
Nearly every facility HealthPort has spoken to about this is planning to deliver just the human readable version. Many have said they would not pass CCD or CCR versions to patients because they believe it will only lead to questions and it may also lead to debates about payment for the CCD/CCR portion of the copy. CCD and CCR were designed for system-to-system exchange of medical record data, and the patient copy is not seen, yet, as part of that type of transfer.
As your facility is working through the other MU requirements, it’s important to know the difference between what was certified and what is required for MU. Many MU requirements do mandate that the exact certified process or format be used in order to qualify, but some do not. Wherever possible, the rule makers wanted to allow room for facilities and vendors to innovate, and many of those breathing spaces show up as differences between the certification and the MU requirements.
A terrific resource for learning about these breathing spaces, and CMS interpretation of the rule, is the CMS EHR Incentive Programs website – particularly the FAQ page. Click here and look for the Frequently Asked Questions link on the lower left side of the EHR Incentive Programs site.