HITECH Rules: Make Your Views KnownComments on Proposed Stage 2 Rules Due May 7
Rules for Stage 2 of the HITECH Act electronic health record incentive program are a work in progress. Remember that you've got until May 7 to submit comments on the rules, which include new privacy and security requirements.
Among those preparing to comment is the Health IT Policy Committee, which offered recommendations to the Department of Health and Human Services about what privacy and security provisions should be in the rules. Those recommendations were devised by the Privacy and Security Tiger Team, which advises the committee.
So what do you think of the rules' privacy and security provisions? It's time to let regulators know.
Tiger team members now are tackling the difficult task of wading through the two rules to figure out what provisions should be added (see: Stage 2 HITECH Rules Under the Microscope ). One rule spells out requirements for demonstrating the meaningful use of EHRs to qualify for additional incentive payments. The other rule spells out standards for EHR software certification for the incentive program.
If you'd like to see a detailed rundown of all the provisions the team is reviewing, be sure to check out the presentation that team co-chair Deven McGraw shared with the HIT Committee April 4. The HIT Committee will vote on the tiger team's recommendations for rule revisions at its May 2 meeting.
McGraw also reviewed the two rules' privacy and security provisions in a recent interview (See: Sizing Up the HITECH Stage 2 Rules).
The encryption provisions of the two rules have attracted attention. They stop just short of an outright mandate.
The proposed meaningful use rule for Stage 2, for example, retains the Stage 1 requirement to conduct a risk assessment and take appropriate action to mitigate risks. But the Stage 2 rule adds that the assessment must include "addressing the encryption/security of data at rest." The proposal states hospitals and physician practices must include in their risk analysis "an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure."
I'm glad to see that provision, recommended by the tiger team, made it into the rule.
The proposed Stage 2 software certification rule requires that when EHR software manages information on a mobile device that stores patient information, that data must be encrypted by default. And that's pretty close to a mandate to encrypt data on mobile devices.
Given all the major breaches that have involved the loss or theft of unencrypted mobile devices, encryption should be a no-brainer. But another key step is to minimize the data that gets stored on these devices in the first place.
So what do you think of the rules' privacy and security provisions? It's time to let regulators know. Instructions on how to comment are included within the proposed meaningful use and EHR software certification rules.
Meanwhile, if you're looking for tips on how to begin preparing for Stage 2, check out my interview with attorney Adam Greene. He recommends, for example, that hospitals and physician practices begin posing tough questions to their EHR vendors, including how they'll address hardware and software encryption issues (see: Stage 2 EHR Incentive Rules: Get Ready).