Final MU Objectives: Submit Immunization Data, Submit Reportable Lab Results, Submit Syndromic Surveillance Data, Protect Health Information

Final MU Objectives: Submit Immunization Data, Submit Reportable Lab Results, Submit Syndromic Surveillance Data, Protect Health Information

This is the seventh (and last) in a series of hospital-focused summaries of the final Stage 1 meaningful use objectives and measures. The goal of these entries is to support rural community hospital personnel in their efforts to meet specific meaningful use objectives. Notations marked “implications…” are my interpretations, which may or may not be correct.

Objectives # 1-24 were covered in previous blogs.

Objective #25: Submit Electronic Data to Immunization Registries (Menu Set)

The proposed “submission to immunization registries” objective for EPs and hospitals was: “Capability to submit electronic data to immunization registries and actual submission where required and accepted.”

The final “submission to immunization registries” objective is: “Capability to submit electronic data to immunization registries or Immunization Information Systems and actual submission in accordance with applicable law and practice.”

The objective must be achieved using certified EHR technology as defined in the final certification rule. The definition of “submission to immunization registries” in the final certification rule is: “Submission to immunization registries: Electronically record, modify, retrieve, and submit immunization information in accordance with: (1) The standard (and applicable implementation specifications) specified in §170.205(e)(1) or §170.205(e)(2); and (2) At a minimum, the version of the standard specified in §170.207(e).

ONC supporting language: “We appreciate that commenters support our adoption of both HL7 2.3.1 and HL7 2.5.1. We understand that both standards are currently in use and for that reason we have permitted either to be used for purposes of certification. We also understand that eligible professionals and eligible hospitals will have to use the standard that the immunization registry or Immunization Information System in their jurisdiction can receive and, as a result, we have adopted the two most common standards utilized for the transmission of immunization information.” Additionally, “we believe that CVX codes are more appropriate than CPT codes because as the commenter referenced, CPT codes are used for billing purposes. In that regard, we believe that because there is a publicly available mapping between CVX and CPT, it would not be difficult or burdensome to map CPT codes to CVX codes.”

Implications of the above: Providers should verify that existing vendors can (or at least are working to) meet the certification and standards requirements as defined. Providers should also verify that immunization registries to which the provider submits information have the capacity to receive this information electronically. If they do not, providers are not required to meet this objective.

The proposed “submission to immunizations registries” measure for EPs and hospitals was: “Performed at least one test of certified EHR technology’s capacity to submit electronic data to immunization registries (unless none of the immunization registries to which the EP, eligible hospital, or CAH submits such information have the capacity to receive the information electronically).”

The final “submission to immunizations registries” measure for EPs and hospitals is: “Performed at least one test of certified EHR technology’s capacity to submit electronic data to immunization registries and follow up submission if the test is successful (unless none of the immunization registries to which the EP, eligible hospital, or CAH submits such information have the capacity to receive the information electronically)”.

CMS supporting language: “We agree that many areas of the country currently lack the infrastructure to support the electronic exchange of information. As meaningful use seeks to ensure certified EHR technology has the capability to submit electronic data to registries, we only require a single test if a receiving entity is available and follow up submission only if that test is successful. If none of the immunization registries to which the EP, eligible hospital or CAH submits information has the capacity to receive the information electronically, then this objective would not apply.”

The ability to calculate the measure will be included in the certified EHR technology as a certification requirement.

Exclusion: “Those that have not given any immunizations during the recording period are excluded from this measure.”

CMS will accept a yes/no attestation to verify providers are in compliance with this objective.

Objective #26: Submit Reportable Lab Results to Public Health (Menu Set: hospitals only)

The proposed “submit lab results to public health” objective for hospitals was: “Capability to provide electronic submission of reportable (as required by state or local law) lab results to public health agencies and actual submission where it can be received.”

The final “submit lab results to public health” objective is: “Capability to submit electronic data on reportable (as required by state or local law) lab results to public health agencies and actual submission in accordance with applicable law and practice.”

The objective must be achieved using certified EHR technology as defined in the final certification rule. The definition of “reportable lab results” in the final certification rule is: “Reportable lab results: Electronically record, modify, retrieve, and submit reportable clinical lab results in accordance with the standard (and applicable implementation specifications) specified in §170.205(c) and, at a minimum, the version of the standard specified in §170.207(c).”

ONC supporting language: “we have decided to adopt the HL7 Version 2.5.1 Implementation Guide: Electronic Laboratory Reporting to Public Health, Release 1 (US Realm) to further constrain how HL7 2.5.1 is formatted for the purposes of submitting laboratory test results to public health. With respect to the comment regarding HL7 V3, we do not believe that the industry and public health departments are currently able to support the HL7 V3 constructs on a widespread basis and are therefore not adopting them.”

Implications of the above: Hospitals should verify that existing vendors can (or at least are working to) meet the certification and standards requirements as defined. Hospitals should also verify that the public health agencies to which they submit reportable lab results have the capacity to receive the information electronically. If they do not, providers are not required to meet this objective.

The proposed “submit lab results to public health” measure for hospitals was: “Performed at least one test of certified EHR technology capacity to provide electronic submission of reportable lab results to public health agencies (unless none of the public health agencies to which eligible hospital submits such information have the capacity to receive the information electronically).”

The final “submit lab results to public health” measure is: “Performed at least one test of certified EHR technology’s capacity to provide electronic submission of reportable lab results to public health agencies and follow-up submission if the test is successful (unless none of the public health agencies to which eligible hospital or CAH submits such information have the capacity to receive the information electronically).”

CMS supporting language: “We agree that many areas of the country currently lack the infrastructure to support the electronic exchange of information. As meaningful use seeks to ensure certified EHR technology has the capability to submit electronic data to public health agencies, we only require a single test if a receiving entity is available and follow up submission only if that test is successful.”

The ability to calculate the measure will be included in the certified EHR technology as a certification requirement.

CMS will accept a yes/no attestation to verify providers are in compliance with this objective.

Objective #27: Submit Electronic Surveillance Data to Public Health (Menu Set)

The proposed “submit surveillance data to public health” objective for hospitals was: “Capability to provide electronic syndromic surveillance data to public health agencies and actual submission according to law and practice.”

The final “submit surveillance results to public health” objective is: “Capability to submit electronic syndromic surveillance data to public health agencies and actual submission in accordance with applicable law and practice.”

The objective must be achieved using certified EHR technology as defined in the final certification rule. The definition of “public health surveillance” in the final certification rule is: “Public health surveillance: Electronically record, modify, retrieve, and submit syndrome-based public health surveillance information in accordance with the standard (and applicable implementation specifications) specified in, §170.205(d)(1) or §170.205(d)(2).”

ONC supporting language: “… we have adopted the following implementation specifications for HL7 2.5.1: Public Health Information Network HL7 Version 2.5 Message Structure Specification for National Condition Reporting Final Version 1.0 and the Errata and Clarifications National Notification Message Structural Specification. We believe that these implementation specifications provide the additional clarity commenters were seeking and will enable Complete EHR and EHR Module developers to focus their efforts on a more specific implementation of the HL7 2.5.1 standard. We do not believe that a suitable implementation specification for HL7 2.3.1 exists for the purpose of public health surveillance and reporting.” Additionally, “We permit a Complete EHR or EHR Module to be tested and certified to either HL7 2.3.1 or HL7 2.5.1. No other versions will be considered compliant with the adopted standards or certification criterion.”

Implications of the above: Hospitals should verify that existing vendors can (or at least are working to) meet the certification and standards requirements as defined. Hospitals should also verify that the public health agencies to which they would submit syndromic surveillance data have the capacity to receive the information electronically. If they do not, providers are not required to meet this objective.

The proposed “submit surveillance data to public health” measure for EPs and hospitals was: “Performed at least one test of certified EHR technology’s capacity to provide electronic syndromic surveillance data to public health agencies (unless none of the public health agencies to which an EP, eligible hospital, or CAH submits such information have the capacity to receive the information electronically).”

The final “submit surveillance data to public health” measure is: “Performed at least one test of certified EHR technology’s capacity to provide electronic syndromic surveillance data to public health agencies and follow-up submission if the test is successful (unless none of the public health agencies to which an EP, eligible hospital, or CAH submits such information have the capacity to receive the information electronically).”

CMS supporting language: “We agree that many areas of the country currently lack the infrastructure to support the electronic exchange of information. As meaningful use seeks to ensure certified EHR technology has the capability to submit electronic data to public entities, we only require a single test if a receiving entity is available and follow up submission only if that test is successful. We note that this measure only applies to a public health agency with the capacity to receive this information.”

The ability to calculate the measure will be included in the certified EHR technology as a certification requirement.

Exclusion: “If an EP does not collect any reportable syndromic information on their patients during the EHR reporting period, then they are excluded.”

CMS will accept a yes/no attestation to verify providers are in compliance with this objective.

Objective #28: Protect Electronic Health Information (Core Set)

The proposed “protect electronic health information” objective for EPs and hospitals was: “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”

The final “protect electronic health information” objective is: No change: finalized as proposed.

The final certification rule requires that certified EHR technology meet a variety of security capabilities, including:

• “Access control: Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.
• “Emergency access: Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.
• “Automatic log-off: Terminate an electronic session after a predetermined time of inactivity.
• Auditing: “(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in §170.210(b). (2) Generate audit log. Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in the standard at 170.210(b)
• Integrity: “(1) Create a message digest in accordance with the standard specified in 170.210(c). (2) Verify in accordance with the standard specified in 170.210(c) upon receipt of electronically exchanged health information that such information has not been altered. (3) Detection. Detect the alteration of audit logs.
• “Authentication: Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.
• “General encryption: Encrypt and decrypt electronic health information in accordance with the standard specified in §170.210(a)(1), unless the Secretary determines that the use of such algorithm would pose a significant security risk for Certified EHR Technology.
• “Encryption when exchanging electronic health information: Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in §170.210(a)(2).
• “Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in §170.210(e)” (This certification criteria has been made optional)

Implications of the above: Community hospital information systems (HIS) generally utilize some level of the security capabilities listed above. Providers should verify that existing vendors can (or at least are working to) meet the certification and standards requirements as defined. Providers should also be planning to perform a security risk analysis to identify and correct security deficiencies and thereby attain compliance with this objective.

The proposed “protect electronic health information” measure for EPs and hospitals was: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary.”

The final “protect electronic health information” measure is: ““Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process.”

CMS supporting language: “…for the Stage 1 criteria of meaningful use we propose that EPs and eligible hospitals conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the EHR reporting period … A security update would be required if any security deficiencies were identified during the risk analysis. A security update could be updated software for certified EHR technology to be implemented as soon as available, to changes in workflow processes, or storage methods or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis.”

CMS will accept a yes/no attestation to verify providers are in compliance with this objective.