EHR Incentives: Encouraging SignsStage 2 Criteria Likely to Include More Privacy, Security Requirements
But the meaningful use criteria that must be met to qualify for stage one of the incentive program, which kicked off in January, contain few privacy and security details. The only spelled-out requirement is to conduct a risk analysis and take appropriate steps to mitigate risks identified. And that's already required under the HIPAA security rule.
The criteria for certifying EHR software as qualifying for the program, however, require the applications to include numerous security functions, including encryption. But the stage one meaningful use rules don't explicitly require the use of any of those functions.
EHRs will never win the support of physicians and their patients unless they trust that the information will remain private.
Now, federal authorities are contemplating what privacy and security requirements to include in stage two of the program. Under the current proposed timeline, incentive program participants would have to meet the stage two meaningful use requirements in 2012 to earn the next round of payments in 2013.
It's far too soon to tell what specific requirements will be included in the rule spelling out stage two criteria, due from the Department of Health and Human Services at year's end. But there are encouraging signs that stage two criteria will include far more privacy and security requirements than stage one.
This week, the Privacy and Security Tiger Team, one of several federal advisory groups working on EHR incentive program criteria, continued to discuss a long list of potential requirements (See Tiger Team Tackles EHR Requirements). Since its formation last year, the team has made a number of proposals that could wind up in the incentive program criteria or other federal rules. Those range from guidelines for obtaining patient consent to exchange their records to ways to match patients to the right records.
Take a look at the slides from this week's Privacy and Security Tiger Team meeting, and you'll get an idea of the many protections they're considering for stage two criteria, including potentially requiring the use of encryption in certain circumstances.
In addition to the tiger team, several committees and workgroups are working on the various stage two criteria. They all serve as advisers to the Office of the National Coordinator for Health IT, which ultimately will make recommendations to HHS. So there are still a lot of hoops to jump through before tougher privacy and security standards for the incentive program become a reality.
But for now, there are some encouraging signs that stage two criteria will include some "meaningful" privacy and security protections. And that's good news, given that EHRs will never win the support of physicians and their patients unless they trust that the information will remain private.