The Centers for Medicare & Medicaid Services (CMS) recently published proposed rules setting forth the “Stage 2” criteria that eligible providers (EPs), eligible hospitals (EHs), and critical access hospitals (CAHs) (referred to herein collectively as “providers”) would be required to meet in order to qualify for Medicare and/or Medicaid incentive payments for the use of electronic health records (EHRs) (“Stage 2 Proposal”).  The Stage 2 Proposal is a small-font, acronym-laden, tediously-detailed 131-page document that modifies and expands upon the criteria included in the “Stage 1” final rule published on July 28, 2010 and is likely to be of interest primarily to providers concerned with  receiving or continuing to receive added payments from CMS for adopting and “meaningfully using” EHR. 

The Stage 2 Proposal is not, at first glance, particularly relevant reading for those of us generally interested in issues involving the privacy and security of personal information — or even for those of us more specifically interested in the privacy and security of protected health information (PHI).  Still, two new provisions caught my attention because they measure the meaningful use required for provider incentive payments based not simply on the providers’ use of EHR, but on their patients’ use of it.  

One provision of the Stage 2 Proposal would require a provider to give at least 50% of its patients the ability to timely "view online, download, and transmit" their health information ("timely" meaning within 4 business days after the provider receives it) (and subject to the provider’s discretion to withhold certain information).   Moreover, it would require that more than 10% of those patients (or their authorized representatives) actually view, download or transmit the information to a third party.  There’s an exception for providers that conduct a majority (more than 50%) of their patient encounters in a county that doesn’t have 50% or more of "its housing units with 4Mbps broadband availability as per the most recent information available from the FCC” (whew!) as of the first day of the applicable EHR reporting period.

For a continuation of this post, please refer to our sister blog at http://hipaahealthlaw.foxrothschild.com/