Key Compliance Considerations When Implementing EMRs

Electronic medical records will soon replace paper files of patients' information, which will allow for easier access for providers, reduced errors and less redundancy. In addition to the benefits inherent in a digitized system of patient records, the Centers for Medicare and Medicaid Services is offering financial incentives for providers who establish meaningful use of EMRs. Despite these rewards, healthcare organizations should remain aware of legal and regulatory issues surrounding EMRs so they remain compliant and do not jeopardize savings or patient care. "While many want to see more sharing of information, the right thing to do from a patient care perspective is often challenged relative to the legal and privacy issues involved," says Sue Schade, CIO at Boston's Brigham and Women's Hospital. By being aware of the regulations, however, healthcare leaders can successfully use EMRs to improve patient care without violating laws.

Privacy and security
Since the advent of the Health Insurance Portability and Accountability Act of 1996, healthcare organizations have been familiar with rules regarding patients' privacy and security of their information. Although most health systems have HIPAA training and education programs, EMRs may necessitate a heightened awareness and recognition of the specific challenges that an electronic database presents.

Holly Carnell, an attorney at the law firm McGuireWoods, says, "Hospitals are very aware of the need for compliance with HIPAA, but are not necessarily aware of all the potential vulnerabilities to protected health information." As an example, she cites the increase in the usage of mobile technology such as iPads that may be used to access EMRs. "EMRs create a lot more potential for unauthorized use and disclosures because the information is much more available," she says. The increased availability of private information may require increased vigilance by hospital leaders and employees to protect patients' rights and ensure the organization remains compliant. "Because of the potentially ubiquitous access, there needs to be similarly ubiquitous training," Ms. Schade says. At BWH, for example, employees sign a form to acknowledge their understanding of and compliance with privacy and confidentiality regulations at every annual performance review.

Complying with HIPAA does not automatically guarantee the security of data, however, according to Joe Granneman, CIO at Hinsdale, Ill.-based Adventist Midwest Health. He suggests using other security frameworks such as ISO 27000, an international standard for IT risk management, to identify where critical data are located and implement security measures. While HIPAA is broad and does not make specific recommendations, ISO 27000 provides a detailed framework to secure data, according to Mr. Granneman. He also says hiring someone knowledgeable in IT security is helpful in ensuring compliance and patients' privacy.

Functionality and integration
A challenge of establishing the security of EMRs is making the system usable, Mr. Granneman says. Integrating EMR programs across the health organization is one way leaders can help physicians easily access and use the patients' secured information. Having one integrated system can allow providers to access data with only one authentication or login, instead of several logins that may be required for separate systems within an organization.

Mr. Granneman says that in the past many providers bought best-of-breed systems for ancillary departments, which included features tailored to a particular healthcare service but forced physicians to log in several times to access information from different departments. While leaders may have to sacrifice some features to build an integrated solution, the latter will be more efficient over time, Mr. Granneman says. Instead of solving problems in the short term by implementing separate ancillary systems, an integrated EMR system will benefit the organization's long-term goals.

Daniel J. Marino, CEO of the healthcare consulting firm Health Directions, says a hospital's strategy should be taken into consideration when choosing an EMR. While meaningful-use requirements currently drive EMR implementation plans, thinking about how EMRs can help achieve the hospital's goals can produce significant long-term benefits to the organization, according to Mr. Marino. "Regulation and incentives are good, but make sure the solution you choose supports the strategy of the hospital, certainly as it relates to accountable care or clinical integration," he says. Just as separate EMRs for different departments may solve short-term problems but hinder physicians' access, EMRs chosen solely with regard to meaningful-use requirements may not be best suited to a hospital's strategic plan.

Meaningful-use
Hospital leaders must comply with meaningful-use requirements to receive financial incentives for using EMRs. CMS has provided lists of criteria eligible providers must meet to qualify as a meaningful user, including generating and transmitting permissible prescriptions electronically, reporting ambulatory clinical quality measures and providing patients with an electronic copy of their health information upon request.

Stark Act
The Stark Act may also affect hospitals' use of EMRs. There has been a recent relaxation in Stark regulations, so that hospitals can provide vendors up to 85 percent of the cost of EMRs for physicians. Mr. Marino says his company has worked with organizations that created a tiered subsidy model in which the hospital subsidizes a larger portion of the physician's EMR-related costs if the physician implements the hospital's preferred EMR solution than if the physician implements a different EMR system.

Despite the relaxation of Stark, Mr. Granneman, Ms. Carnell, Ms. Schade and Mr. Marino caution that leaders must follow the Stark Act regulations very carefully to remain compliant.

To achieve the potential financial, operational and clinical benefits from EMRs, healthcare leaders will need to secure data by complying with HIPAA and other risk assessments; meet meaningful use criteria; and follow Stark Act regulations.


© Copyright ASC COMMUNICATIONS 2021.