HITECH Stage 2 Rules Unveiled

EHR Incentive Program Regulations Address Encryption

The two final rules for Stage 2 of the HITECH Act's electronic health record incentive program, which address encryption and other privacy and security issues, were released on the Federal Register Electronic Public Inspection Desk Aug. 23. Both rules from the Department of Health and Human Services are slated to be officially published in the Federal Register on Sept. 4.

The meaningful use rule spells out the requirements for how hospitals and physicians must use EHRs to qualify for a second round of incentives, beginning in 2014. The software certification rule spells out the requirements for EHR applications that qualify for Stage 2.

The HITECH Act incentive program, part of the economic stimulus package, is providing billions of dollars in incentives to hospitals and physician groups that meet the requirements for meaningfully using EHRs. The incentives are slated to be paid out in several stages.

Meaningful Use

The Stage 2 meaningful use rule, developed by HHS' Centers for Medicare and Medicaid Services, requires that participants conduct a risk assessment, as was required in Stage 1. However, the Stage 2 rule specifically requires that the analysis address "the encryption/security of data stored in CEHRT [certified electronic health records technology]." The rule also requires providers to "implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process."

"We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA," an explanation within the rule states. "We only emphasize the importance of a [physician/other professional] or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure."

The Privacy and Security Tiger Team, an advisory group that recommended the provision, said it was necessary to help call attention to the importance of protecting "data at rest" because so many major health information breaches have involved the loss or theft of unencrypted devices that stored patient information.

The meaningful use rule "continues to reaffirm the importance of doing security assessments and mitigation," says Farzad Mostashari, M.D., who heads the HHS Office of the National Coordinator for Health IT. "People really rely legally, and in terms of the professional ethos, on an expectation that their providers will keep their information confidential and secure. And as they're transitioning to electronic health records, they have to make sure they're following all the administrative and physical safeguards, as well as technical safeguards."

Software Certification

The Stage 2 software certification rule, developed by Mostashari's office, requires that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

"The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops," the rule states. The rule also states that locally stored "is intended to mean the storage actions that EHR technology is programmed to take (i.e., creation of temp files, cookies, or other types of cache approaches) and not an individual or isolated user action to save or export a file to their personal electronic storage media. ... We have clarified that in this scenario, the EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users."

The rule points out that an EHR technology developer would not have to demonstrate that its EHR technology can encrypt electronic health information locally stored on end-user devices "if the EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops."
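As an added illustration, not code from the article or from any EHR product, the following Python models the certification criterion described above: local encryption enabled by default, the ability to change it restricted to a limited set of identified users, and the exemption for software that leaves nothing stored locally after use stops. The role and user names are constructed for the example.

```python
# Added illustration of the Stage 2 local-encryption certification criterion.
# Not from the article or any vendor; user and role names are constructed.
from dataclasses import dataclass, field


@dataclass
class LocalStoragePolicy:
    """Encryption settings for EHR data the software itself caches on an
    end-user device (temp files, cookies, other cache approaches)."""
    stores_locally_after_session: bool = True   # False: the exemption applies
    encrypt_local_data: bool = True             # criterion: on by default
    locked_on: bool = False                     # True: no user can disable it
    config_admins: frozenset = frozenset({"security-officer"})  # identified users
    audit_log: list = field(default_factory=list)

    def set_encryption(self, actor: str, enabled: bool) -> bool:
        """Attempt a configuration change; returns True only if it was applied."""
        if self.locked_on and not enabled:
            self.audit_log.append(f"DENIED {actor}: encryption is locked on")
            return False
        if actor not in self.config_admins:
            self.audit_log.append(f"DENIED {actor}: not an identified config user")
            return False
        self.encrypt_local_data = enabled
        self.audit_log.append(f"CHANGED by {actor}: encrypt_local_data={enabled}")
        return True


def certification_findings(policy: LocalStoragePolicy) -> list:
    """List gaps against the criterion; an empty list means it is satisfied."""
    if not policy.stores_locally_after_session:
        # Nothing persists locally once use stops, so the criterion does not apply.
        return []
    findings = []
    if not policy.encrypt_local_data:
        findings.append("local encryption is not enabled by default")
    if not policy.locked_on and not policy.config_admins:
        findings.append("setting can be disabled but no limited set of users is defined")
    return findings


if __name__ == "__main__":
    policy = LocalStoragePolicy()
    policy.set_encryption("front-desk-clerk", False)   # denied: not an identified user
    print(certification_findings(policy), policy.audit_log)
```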

(Marianne Kolbasuk McGee contributed to this story).

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.