CMS Issues Final Rules for EHR Incentive Programs, Stage Two0


In 1996 the Federal government took on increased regulatory responsibility with the passage of the Health Insurance Portability and Accountability Act (HIPAA).

This multifaceted bill was broad in its jurisdiction over  both Medicare and American health care in general, as it sought to provide new Federal rules improving continuity  or “portability” of coverage in the large group, small group, and individual health insurance markets, while reinforcing the need to protect the privacy of patient health records.

Combining a group of disparate issues, Title I of HIPAA amended the Public Health Service Act, the Employee Retirement Income Security Act of 1974 (ERISA), and the Internal Revenue Code of 1986. In doing so, HIPAA strove to regulate the availability and scope of group health plans and many individual health insurance policies, including the protection of health coverage for workers and their families who have lost or changed jobs. Further provisions also limited a group health plan’s ability to restrict coverage for preexisting conditions.

Title II, also known as the Administrative Simplification Provisions, focused on creating a set of national standards for electronic health care transactions and national identifiers for health insurance plans, providers, and  employees alike. Recognizing the value of well-utilized electronic health records in increasing efficiency throughout the health care system, Title II tasked the Department of Health and Human Services (DHHS) with implementing national standards for the use and dissemination of electronic medical data.

Once accomplished, health providers were instructed to comply with HIPAA’s Privacy and Security Acts by 2003 or risk severe financial penalties. As a result, many health care facilities sought help from a variety of forprofit HIPAA consultants who were familiar with the complexities of this far-reaching bill and capable of guaranteeing compliance for a price. This in turn added to the already extensive costs forced onto hospitals and  medical practices as a result of HIPAA’s passage, including the need to reorganize systems and infrastructure to comply with electronic health data privacy standards and an increase in staffing to address the myriad requirements of its legislation.


With the passage of the American Recovery and Reinvestment Act of 2009 (ARRA) certain standards governing electronic health care transactions under HIPAA were strengthened and fine-tuned under the Health  Information Technology for Economic and Clinical Health Act (HITECH). Seeking to protect patient privacy and tighten the rules of accountability for the sharing of a patient’s medical information, HITECH will undoubtedly have a dramatic effect on the ways in which medical files are shared in the years to come.

Under HIPAA, a covered entity was able to disclose protected health information (PHI) to a business associate without a patient’s authorization if the business associate provided the covered entity with satisfactory assurance that it would appropriately safeguard the information. These assurances were to be documented in a written contract often referred to as a business associate agreement (BAA) that met certain regulatory requirements. Prior to HITECH, although a covered entity was required to impose certain requirements on its business associates via contract, business associates were not regulated directly by the DHHS or its Office of Civil Rights (OCR).

But HITECH changed these rules. With an eye toward expanding liability, HITECH makes most of the HIPAA Security Rule requirements directly applicable to business associates as well, including direct regulation by the OCR and enhanced penalties for HIPAA violations. Among other things, after February 17, 2010, HITECH required a business associate to:

  • Implement reasonable and appropriate written policies and procedures
  • Develop a system for identifying breaches and notify covered entities following discovery of a breach of unsecured PHI
  • Mitigate any harms from the inappropriate use or disclosure of PHI
  • Train its workforce
  • Develop a sanctions policy
  • Establish safeguards
  • Develop and implement a complaint system

On January 13, 2010, CMS proposed the adoption of a more specific definition of what was to constitute “meaningful use” of electronic health records (EHRs), while also implementing financial incentive programs through Medicare and Medicaid that would reward or penalize hospitals and physicians for their ability to institute certified EHRs within an established time frame. Such a proposal drew on the strength of the newly passed HITECH Act, which required the Secretary of DHHS to establish such a definition.

CMS proposed that hospitals adopt this new ruling on “meaningful use” in three stages of increasingly technological sophistication. Although most hospitals will only need to meet Stage One requirements for a 90 day  contiguous period during the first year to receive incentive payments, they will in future need to continue to enhance their EHR capability in order to continue to receive incentive payments and avoid penalties beginning in 2015.


Stage One “meaningful use” criteria focused on electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating such information to coordinate care; implementing clinical  tools to facilitate disease and medication management (consistent with other Medicare and Medicaid regulations); and reporting clinical quality measures and public health information.

According to federal government estimates, more than 120,000 eligible health care professionals and more than 3,300 hospitals have qualified to participate in the program and receive an incentive payment since it began.  This includes more than half of all eligible hospitals and critical access hospitals, as well as 1 out of every 5 eligible health care professionals.

In order to qualify for incentives under this second part of HITECH, hospitals and health care providers must satisfy the Stage Two criteria.  The Final Rule includes, in part:

  • Clarification that Stage Two will begin as early as 2014, although providers will not be required to comply before 2014.
  • The requirements for the certification of EHR technology, thereby enabling all eligible professionals and hospitals to: (1) confirm their systems will work; (2) help them make “meaningfully use” of health information technology; and (3) qualify for incentive payments.
  • Modification of the certification program to eliminate “red tape” and improve efficiencies in the certification process.
  • Confirmation that current “2011 Edition Certified EHR Technology” can be used until 2014.

The Final Rule also provides for a flexible reporting period for 2014, allowing providers sufficient time to transition into the latest EHR technology certified for 2014. In Stage Two, CMS seeks to expand the meaningful use of certified EHR technology.  CMS explains:  “Certified EHR technology used in a meaningful way is one piece of a broader health information technology infrastructure needed to reform the health care system and improve health care quality, efficiency, and patient safety.” While the original CMS timeline required providers who demonstrated meaningful use in Stage One by 2011 to meet Stage Two criteria in 2013, the Final Rule gives providers an extension until 2014.


As CMS explains:

Nearly all of the Stage 1 core and menu objectives that were proposed are being finalized for Stage 2. The test of “exchange of key clinical information” core objective from Stage 1 is eliminated in favor of a more robust “transitions of care” core objective in Stage 2; and the “Provide patients with an electronic copy of their health information” objective  is also eliminated because it was replaced by the “electronic/online access” core objective. [¶] The final rule adds “outpatient lab reporting” to the menu for hospitals and “recording clinical notes” as a menu objective for both EPs and hospitals. There will be 20 measures for EPs (17 core and 3 of 6 menu) and 19 measures for eligible hospitals and CAHs (16 core and 3 of 6 menu).

Some of the additional components in Stage Two include:

  • New Core Objectives. (1)  Use of secure electronic messaging to communicate with patients on relevant health information; and (2) Automatically track medications from order to administration using assistive technologies in conjunction with an electronic medication administration record (eMAR).
  • Group Reporting. CMS finalized the ability to use a batch reporting process for meaningful use, which will allow groups to submit attestation information for all of their individual EPs in one file.
  • Patient Engagement. CMS proposed two new core objectives with measures that require patients to take specific actions in order for a provider to achieve meaningful use and receive an EHR incentive payment (setting a threshold at 10% of the patients).  Due to provider concerns, CMS lowered the threshold to 5%, and introduced  exclusions based on availability of broadband in a provider’s practice area.


Medicare payment adjustments begin in 2015. The Final Rule provides that any Medicare Eligible Professional (EP) or hospital that demonstrates meaningful use in 2013 will avoid payment adjustment in 2015. Moreover, a Medicare provider that first demonstrates meaningful use in 2014 will avoid the penalty if they successfully register and attest to meaningful use by July 1, 2014 (eligible hospitals) or October 1, 2014 (EPs).

CMS also finalized four categories of exceptions for EPs (concentrating among anesthesiology, radiology, and pathology):

  1. Infrastructure
  2. New EPs
  3. Unforeseen Circumstances
  4. Scope of Practice.

While the Final Rule’s 672 pages contain an abundance of information, there is no misunderstanding the Federal Government’s commitment to eventual implementation of electronic health records.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.