Final HITECH Rules: The Security Details
Risk Assessments Required; EHR Functions Spelled Out
In addition, a 228-page companion rule creating standards for EHR software certified for the incentive program requires that the applications include encryption, authentication and other security functions.
Both rules, released July 13, will be officially posted on the Federal Register July 28. For now, they're available in near-final form at the Federal Register public inspection desk.
Also, the Department of Health and Human Services has a new web site devoted to the Medicare and Medicaid EHR incentive program.
Risk Analysis
The risk analysis requirement, which reinforces a longstanding provision of the HIPAA security rule, is one of the "core objectives" for meaningful use that physicians and hospitals alike must achieve to qualify for Stage 1 of the Medicare and Medicaid incentive program. The program will provide billions of dollars in payments to EHR users starting in 2011.
The meaningful use rule requires those receiving incentive payments to "conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
Under the rule, hospitals and physicians must "protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities." But those capabilities are not spelled out.
The rule notes that regulators "could not develop an exhaustive list" of technical capabilities. It goes on to note: "Compliance with the HIPAA privacy and security rules is required for all covered entities, regardless of whether or not they participate in the EHR incentive program."
Software Standards
While the meaningful use rule lacks security specifics, the rule creating standards for EHR software offers many security details. For example, to be certified as qualifying for the federal incentive program, the software must be able to:
- Encrypt and decrypt electronic health information within an organization and also when it is exchanged with others. The encryption capability of the EHR must use "any encryption algorithm identified by the National Institute of Standards and Technology as an approved security function in Annex A of the Federal Information Processing Standards Publication 140-2."
- Verify that a person or entity seeking access to electronic health information "is the one claimed and is authorized to access such information." The rule states, however, that regulators "do not believe that it is appropriate to specify, as a condition of certification, the types of factors that users could utilize to authenticate themselves."
- Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information;
- Terminate an electronic session after a predetermined time of inactivity;
- Enable a user to generate an audit log; and
- For records that are exchanged, verify that the information has not been altered in transit.
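The last criterion, verifying that an exchanged record has not been altered in transit, is the one most often implemented incorrectly. The following is an added example, not code from the rule or from any certified EHR product, showing one way to meet it with a FIPS 140-2 Annex A approved function: HMAC with SHA-256 over a canonical encoding of the record, checked on the receiving side with a constant-time comparison. The shared key, the JSON record layout, and the sample record are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical shared key for this example only. In a real deployment the key
# comes from a key-management system agreed between the exchanging parties.
SHARED_KEY = secrets.token_bytes(32)


def canonicalize(record: dict) -> bytes:
    """Encode the record so sender and receiver hash byte-identical input.

    Sorted keys and fixed separators remove whitespace and ordering
    differences that would otherwise make a legitimate record fail the check.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA-256 tag (FIPS 198-1 / FIPS 180) to the record."""
    tag = hmac.new(key, canonicalize(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    hmac.compare_digest avoids the early-exit timing leak of a plain ==
    comparison; any change to the record or the tag yields False.
    """
    expected = hmac.new(key, canonicalize(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}


def demo() -> tuple:
    """Return (untouched_ok, tampered_ok, wrong_key_ok) for the sample record."""
    envelope = seal(SAMPLE_RECORD)
    untouched_ok = verify(envelope)

    # Simulate alteration in transit: a single field changed after sealing.
    tampered = json.loads(json.dumps(envelope))
    tampered["record"]["dose_mg"] = 2500
    tampered_ok = verify(tampered)

    # A receiver holding a different key must also reject the record.
    wrong_key_ok = verify(envelope, key=secrets.token_bytes(32))
    return untouched_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```

A shared-secret MAC proves integrity and origin only between parties that hold the same key; for exchange across organizations a digital signature with an Annex A approved algorithm (RSA or ECDSA with SHA-2) gives the same integrity guarantee without distributing a secret to the receiver.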
The rule lists as "optional" the ability to provide a complete accounting of who has accessed a patient's electronic records. "We recognize that significant technical and policy challenges remain unresolved," the rule states. The HHS Office for Civil Rights eventually will develop a regulatory policy on this issue, as mandated in the HITECH Act.
The Unveiling
David Blumenthal, M.D., the HHS' national coordinator for health information technology, joined other federal officials July 13 in unveiling the "meaningful use" rule, officially known as: "Medicare and Medicaid Programs: Electronic Health Record Incentive Program."
The companion software standards rule is called: "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology."
The EHR incentive program, which will provide as much as $27 billion in Medicare and Medicaid incentives over the next 10 years, was created by the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH was part of the American Recovery and Reinvestment Act, also known as the economic stimulus bill.
Requirements for meaningful use of EHRs, as well as the software standards, will evolve in future phases of the incentive program.
Other Rules
On July 8, HHS unveiled a proposal to update the HIPAA privacy, security and enforcement rules, which was required under the HITECH Act. Among other things, the proposal clarifies that business associates and their subcontractors must comply with the HIPAA rules.
And on June 24, HHS introduced a final rule for a temporary program for selecting certifiers for EHRs under the incentive program. These certifiers will determine whether the software meets the new certification standards.