State surveyors not to determine whether EHR meets HIPAA Privacy and Security Rules; Providers and Suppliers must provide access to EHR to Surveyors

In a letter to State Survey Agency Directors dated August 14, 2009, the Centers for Medicare and Medicaid Services (CMS) gave state surveyors guidance regarding surveys of facilities that use electronic health records (EHRs).  CMS first stated its support and commitment to the goal that, by 2014, most Americans “will have access to health care providers who use EHRs.”  CMS notes that the expanded use of EHRs will cause surveyors to encounter more and more situations where there is no paper-based record immediately available for review.  In addition, there may be concerns about the scope of responsibility of State Survey Agencies in enforcing the Conditions of Participation (CoPs), Conditions for Coverage or Conditions for Certification (CfCs) applicable to the surveyed provider or supplier.  The CoPs and CfCs include requirements respecting confidentiality of clinical information stored in an EHR. 

CMS noted that currently there is no requirement that a Medicare provider use an EHR or any designated type of EHR. Providers can continue to use the paper or electronic records system that best meets their needs.  However, CMS noted that providers must grant access to any medical record, including access to the EHR, when the surveyor requests it.  In doing so, providers are expected to give the surveyor a tutorial on how to use the facility's particular electronic system and to designate an individual who will respond to the surveyor’s questions or assist the surveyor in accessing electronic information in a timely manner. 

During the entrance conference, survey teams should establish the process they will use to have “unrestricted access” to medical records and, at that time, request the facility to provide a terminal for this purpose. If there is more than one care location, surveyors must be provided access to a terminal at each care location.  Upon request by the surveyor, providers are to provide printouts in a timeframe that does not impede the survey process.  The surveyor, however, should only request a paper printout of those parts of the record needed to support findings of noncompliance, unless the survey protocol requires a complete copy of the record (e.g., during an EMTALA physician review).

CMS pointed out that surveyors are not responsible for assessing compliance with the HIPAA Privacy and Security Rules. The U.S. Department of Health and Human Services Office of Civil Rights is responsible for assessing compliance with the Privacy Rule. The CMS Office of eHealth Standards and Services is responsible for enforcing the Security Rule.

How far can surveyors go in assessing compliance with specific CoP or CfC requirements that the provider or supplier maintain the confidentiality of the medical record?  Here, CMS said that surveyors should not cite providers or suppliers for violation of confidentiality requirements simply due to participation in an EHR system that shares clinical information across multiple providers and suppliers.  Further, CMS noted that “surveyors are not trained nor are they expected to review” the features of an EHR system in order to determine whether the EHR provides a sufficient level of confidentiality. 

Surveyors also are “not trained nor expected to review” whether a provider or supplier has: a) made all required disclosures to all patients or residents; b) entered into all required Business Associate agreements; c) provided all required staff training; or d) fulfilled any other of the obligations specified in the HIPAA Privacy Rule.  Instead, surveyors are to focus on how the facility is using the EHR and whether that use is consistent with applicable CoPs or CfCs.   For example, are computer screens left unattended and visible to other patients/residents/visitors?  Are passwords publicly posted?  Is there evidence that facility staff shared information from an EHR with unauthorized individuals?  Survey Agencies should report practices that may be significant violations of the HIPAA Privacy Rule to the Office of Civil Rights or of the Security Rule to the CMS Office of eHealth Standards and Services.  Surveyors, however, should not routinely file such complaints whenever citing for noncompliance with a CoP or CfC requirement concerning confidentiality or security of medical records.

The guidance is effective immediately. To read the Letter, go here.

2 thoughts on “State surveyors not to determine whether EHR meets HIPAA Privacy and Security Rules; Providers and Suppliers must provide access to EHR to Surveyors”

  1. Based on the Security Rule, can surveyors be allowed to have a staff member log in and review a medical record under the staff member's log-in, or do they need their own log-in credentials?

    • You ask a very good question. The CMS Letter to State Survey Directors published August 14, 2009, states that “each surveyor will determine the EHR access method that best meets the need for that survey.” (See Page 2.) This is a fairly broad statement. However, in the very next paragraph, CMS reminds State Survey Directors that providers are “covered entities” and must comply with the HIPAA Privacy Rule and the HIPAA Security Rule. Covered entity security policies typically prohibit employees from sharing their log-in ID or password with anyone.

      The State Survey Director’s office may have specific guidance and should be consulted before a facility has to confront the EHR access issue on the day of a survey. In addition, the organization’s HIPAA Security Officer with assistance from an IT professional may be able to help establish a secure log-in method for a “guest” surveyor that would expire when the surveyor is done and would avoid having a surveyor logged in under an employee’s ID and password.

      Additional guidance on assisting surveyors with EHR access is provided in the August 14, 2009 letter, including but not limited to the following statement: “However, a provider must grant access to any medical record, including access to EHRs, when requested by the surveyor. If access to an EHR is requested by the surveyor, the facility will (a) provide the surveyor with a tutorial on how to use its particular electronic system and (b) designate an individual who will, when requested by the surveyor, access the system, respond to any questions or assist the surveyor as needed in accessing electronic information in a timely fashion. Each surveyor will determine the EHR access method that best meets the need for that survey. During the entrance conference in a facility using EHRs the survey team must request that the facility, provide a terminal(s) where the surveyors may access records. In the case of a hospital or other provider or supplier with terminals at multiple care locations, surveyors must be provided access to a terminal at each care location.”

      THIS IS NOT LEGAL ADVICE. CONSULT DIRECTLY WITH A LICENSED ATTORNEY IN YOUR STATE FOR FURTHER ADVICE AND GUIDANCE ON STATE SURVEY REQUIREMENTS THAT MAY BE APPLICABLE TO YOUR ORGANIZATION.
