Final HITECH EHR Rules Now AvailableRegulations Define Meaningful Use, Create Software Standards
The so-called "meaningful use" rule, officially titled "Medicare and Medicaid Programs; Electronic Health Record Incentive Program," goes into effect Sept. 27. It spells out how hospitals and physicians must use electronic health records to earn federal incentive payments and requires the providers to conduct a security risk analysis.
The EHR software certification criteria rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology," is effective Aug. 27. It creates standards for EHR software certified for the incentive program and lists required security capabilities, including encryption and authentication.
The software certification program is slated to begin this fall.
The EHR incentive program was created by the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH was part of the American Recovery and Reinvestment Act, also known as the economic stimulus bill.
Core ObjectivesThe risk analysis requirement in the meaningful use rule is one of the "core objectives" that physicians and hospitals alike must achieve to qualify for Stage 1 of the Medicare and Medicaid incentive program. The program will provide as much as $27 billion in payments to EHR users starting in 2011.
The meaningful use rule requires those receiving incentive payments to "conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
Under the rule, both hospitals and physicians must "protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities." But those capabilities are not spelled out.
Software RequirementsWhile the meaningful use rule lacks security specifics, the rule creating standards for EHR software offers many security details.
For example, to be certified as qualifying for the federal incentive program, the software must be able to accommodate encryption and authentication. It also must be able to verify that information that has been exchanged has not been altered.
The software standards, as well as requirements for meaningful use of EHRs, will evolve in future phases of the incentive program.