In a letter to State Survey Agency Directors dated August 14, 2009, the Centers for Medicare and Medicaid Services (CMS) gave state surveyors guidance regarding surveys of facilities that use electronic health records (EHRs). CMS first stated its support and commitment to the goal that, by 2014, most Americans “will have access to health care providers who use EHRs.” CMS notes that the expanded use of EHRs will cause surveyors to encounter more and more situations where there is no paper-based record immediately available for review. In addition, there may be concerns about the scope of responsibility of State Survey Agencies in enforcing the Conditions of Participation (CoPs), Conditions for Coverage or Conditions for Certification (CfCs) applicable to the surveyed provider or supplier. The CoPs and CfCs include requirements respecting confidentiality of clinical information stored in an EHR.
CMS noted that currently there is no requirement that a Medicare provider use an EHR or any designated type of EHR. Providers can continue to use the paper or electronic records system that best meets their needs. However, CMS noted that providers must grant access to any medical record, including access to the EHR, when the surveyor requests it. In doing so, providers are expected to give the surveyor a tutorial on how to use it and to designate an individual who will respond to the surveyor’s questions or assist the surveyor in accessing electronic information in a timely manner.
During the entrance conference, survey teams should establish the process they will use to have “unrestricted access” to medical records and, at that time, request the facility to provide a terminal for this purpose. If there is more than one care locations, surveyors must be provided access to a terminal at each care location. Upon request by the surveyor, providers are to provide printouts in a timeframe that does not impede the survey process. The surveyor, however, should only request a paper printout of those parts of the record needed to support findings of noncompliance, unless the survey protocol requires a complete copy of the record (e.g., during an EMTALA physician review).
CMS pointed out that surveyors are not responsible for assessing compliance with the HIPAA Privacy and Security Rules. The U.S. Department of Health and Human Services Office of Civil Rights is responsible for assessing compliance with the Privacy Rule. The CMS Office of eHealth Standards and Services is responsible for enforcing the Security Rule.
How far can surveyors go in assessing compliance with specific CoP or CfC requirements that the provider or supplier maintain the confidentiality of the medical record? Here, CMS said that surveyors should not cite providers or suppliers for violation of confidentiality requirements simply due to participation in an EHR system that shares clinical information across multiple providers and suppliers. Further, CMS noted that “surveyors are not trained nor are they expected to review” the features of an EHR system in order to determine whether the EHR provides a sufficient level of confidentiality.
Surveyors also are “not trained nor expected to review” whether a provider or supplier has: a) made all required disclosures to all patients or residents; b) entered into all required Business Associate agreements; c) provided all required staff training; or d) fulfilled any other of the obligations specified in the HIPAA Privacy Rule. Instead, surveyors are to focus on how the facility is using the EHR and whether that use is consistent with applicable CoPs or CfCs. For example, are computer screens left unattended and visible to other patients/residents/visitors? Are passwords publicly posted? Is there evidence that facility staff shared information from an EHR with unauthorized individuals? Survey Agencies should report practices that may be significant violations of the HIPAA Privacy Rule to the Office of Civil Rights or of the Security Rule to the CMS Office of eHealth Standards and Services. Surveyors, however, should not routinely file such complaints whenever citing for noncompliance with a CoP or CfC requirement concerning confidentiality or security of medical records.
The guidance is effective immediately. To read the Letter, go here.