The Centers for Medicare & Medicaid Services (CMS) recently published proposed rules setting forth the “Stage 2” criteria that eligible providers (EPs), eligible hospitals (EHs), and critical access hospitals (CAHs) (referred to herein collectively as “providers”) would be required to meet in order to qualify for Medicare and/or Medicaid incentive payments for the use of electronic health records (EHRs) (“Stage 2 Proposal”). The Stage 2 Proposal is a small-font, acronym-laden, tediously-detailed 131-page document that modifies and expands upon the criteria included in the “Stage 1” final rule published on July 28, 2010 and is likely to be of interest primarily to providers concerned with receiving or continuing to receive added payments from CMS for adopting and “meaningfully using” EHR. 

The Stage 2 Proposal is not, at first glance, particularly relevant reading for those of us generally interested in issues involving the privacy and security of personal information — or even those of us more specifically interested in the privacy and security of protected health information (PHI). Still, two new provisions caught my attention because they measure the meaningful use required for provider incentive payments based not simply on the providers’ use of EHR, but on their patients’ use of it. 


One provision of the Stage 2 Proposal would require a provider to give at least 50% of its patients the ability to timely "view online, download, and transmit" their health information ("timely" meaning within 4 business days after the provider receives it) (and subject to the provider’s discretion to withhold certain information).  Moreover, it would require that more than 10% of those patients (or their authorized representatives) actually view, download or transmit the information to a third party.  There’s an exception for providers that conduct a majority (more than 50%) of their patient encounters in a county that doesn’t have 50% or more of "its housing units with 4Mbps broadband availability as per the most recent information available from the FCC” (whew!) for the applicable EHR reporting period. 


Another provision would require a provider to use "secure electronic messaging to communicate with patients on relevant health information" and would require the provider to show that more than 10% of the provider’s patients seen during the reporting period actually sent secure messages (presumably, to the provider, though the language is not precise) using the "electronic messaging function of Certified EHR Technology."  According to CMS:


[O]ver 43,000 providers have received $3.1 billion to help make the transition to electronic health records; the number of hospitals using EHRs has more than doubled in the last two years from 16 to 35 percent between 2009 and 2011; and 85 percent of hospitals now report that by 2015 they intend to take advantage of the incentive payments.


The Stage 2 Proposal will incentivize providers to continue this trend toward meaningful use of EHRs, but is also likely to result in providers’ efforts to induce to their patients to become EHR users.


Perhaps patients are ready, willing and able to communicate with providers via email and to download and forward their PHI. According to AARP, the aging baby boomer generation appears to be embracing electronic media and social networking at an unprecedented rate, and it is this segment of the population that is most likely to require health care services.