HIPAA Versus EHR Certification, HIMSS13 Session Review

After enjoying HIMSS13 last week, I am writing one blog per day this week to review the educational sessions I thought were most insightful.

The education session that piqued my interest the most was Session 118, which compared the criteria of HIPAA to those of EHR Certification. The presenters were Rich Cohan from Providence Health and Adam H. Greene from Davis Wright Tremaine, and the title was “Privacy and Security Challenges of Meaningful Use.”

Based on the title, I went into the session looking to gain insight on privacy and security from a major health system. What immediately caught my attention were the comparisons drawn between the HIPAA rules and the EHR Certification criteria. As a vendor, I have been intimately involved in meeting the privacy and security requirements for EHR Certification. However, it has been very difficult to figure out how the EHR Certification criteria relate (or don’t relate) to the HIPAA requirements that providers must follow. This presentation summed it up beautifully.

Mr. Greene presented a table which included the following data in each row:

  • Privacy and security criteria for 2011 EHR Certification
  • The equivalent privacy and security criteria for 2014 EHR Certification
  • The HIPAA document number that corresponds to the EHR Certification criteria
  • Whether the criterion was a requirement under HIPAA rules or not

This is a great takeaway from the presentation. I can now utilize this table anytime I need to investigate how a specific EHR Certification criterion applies to a specific HIPAA rule.

The presentation also compared Meaningful Use objectives for patient access to data. This included the timeframes for making the data available per Meaningful Use and also the amount of data that must be made available. In general, the timeframes are much shorter for the Meaningful Use criteria, but the amount of data that must be presented to the patient is much more comprehensive under the HIPAA rules. In addition, HIPAA requires that all patient requests be fulfilled, while Meaningful Use only requires a percentage.

Many other facets of HIPAA and Meaningful Use were explored as well, including transport of summary of care documents, public health reporting, and patient reminders. The slides from this presentation are a resource that I will utilize when privacy and security questions arise.

For complete information on all the concepts that were covered, you can download the slides here.