Final HITECH EHR Rules Now Available

Regulations Define Meaningful Use, Create Software Standards
Final HITECH EHR Rules Now Available
Two final rules for the Medicare and Medicaid electronic health record incentive program, both of which have security components, have been posted on the Federal Register.

The so-called "meaningful use" rule, officially titled "Medicare and Medicaid Programs; Electronic Health Record Incentive Program," goes into effect Sept. 27. It spells out how hospitals and physicians must use electronic health records to earn federal incentive payments and requires the providers to conduct a security risk analysis.

The EHR software certification criteria rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology," is effective Aug. 27. It creates standards for EHR software certified for the incentive program and lists required security capabilities, including encryption and authentication.

The software certification program is slated to begin this fall.

The EHR incentive program was created by the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH was part of the American Recovery and Reinvestment Act, also known as the economic stimulus bill.

Core Objectives

The risk analysis requirement in the meaningful use rule is one of the "core objectives" that physicians and hospitals alike must achieve to qualify for Stage 1 of the Medicare and Medicaid incentive program. The program will provide as much as $27 billion in payments to EHR users starting in 2011.

The meaningful use rule requires those receiving incentive payments to "conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."

Under the rule, both hospitals and physicians must "protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities." But those capabilities are not spelled out.

Software Requirements

While the meaningful use rule lacks security specifics, the rule creating standards for EHR software offers many security details.

For example, to be certified as qualifying for the federal incentive program, the software must be able to accommodate encryption and authentication. It also must be able to verify that information that has been exchanged has not been altered.

The software standards, as well as requirements for meaningful use of EHRs, will evolve in future phases of the incentive program.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.