HITECH Stage 3 Rules in the Works

Officials Seeking Comment on Privacy, Security Provisions
Federal officials are seeking feedback on privacy, security and other requirements that should be included in the meaningful use rule for Stage 3 of the HITECH Act electronic health record incentive program.

A request for comments is expected to be released in the Federal Register the week of Nov. 19, according to a spokeswoman for the Office of the National Coordinator for Health IT. Rules for Stage 2 of the incentive program, which begins in 2014, were released in September (see: HITECH Stage 2 Rules Unveiled). Stage 3 is slated to begin in 2016.

As of September, $7.7 billion in meaningful use incentive payments had been paid to 82,535 eligible providers (physicians and other professionals) and 1,474 hospitals for Stage 1 compliance, according to the Centers for Medicare and Medicaid Services. CMS, like ONC, is a unit of the Department of Health and Human Services.

A draft of the request for comments, prepared by the HIT Policy Committee, which advises ONC, calls for the use of two-factor or higher authentication for healthcare providers remotely accessing patients' protected health information (see: Multi-Factor Authentication Gets a Boost).

The proposal also recommends that for Stage 3, healthcare entities, as part of their HIPAA security risk analysis "should identify any other access environments that may require multiple factors to authenticate an asserted identity, and that organizations should continue to identity-proof provider users in compliance with HIPAA."

The draft indicates ONC will seek comment on three questions related to multi-factor provider authentication:

  • How can the committee's recommendation be reconciled with the National Strategy for Trusted Identities in Cyberspace approach to identification, which strongly encourages the re-use of third party credentials?
  • How would ONC test the recommended certification criteria?
  • Should ONC permit certification of an EHR as a stand-alone application and/or an EHR along with a third-party authentication service provider?

HIPAA Training

ONC also will seek public feedback on whether to require in Stage 3 that hospitals and physicians attest to providing staff with HIPAA Security Rule training and outreach. The draft document notes that failure to provide workforce HIPAA security rule training is one of the top five areas of non-compliance identified by the HHS Office for Civil Rights.

In addition, ONC will seek comment on EHR software certification criteria related to secure information exchange. The preliminary proposal states that an EHR "must be able to query another entity for outside records and respond to such queries." The outside entity may be another EHR system, a health information exchange or an entity on the Nationwide Health Information Network Exchange (see: HIE Collaborative Effort Restructured).

Some details still being worked out include the model for how patient permission will be handled in EHR queries, says Dixie Baker, a member of several federal advisory panels, including the Health IT Standards Committee. "Consent is location-centric now. We need to start thinking about how to manage patients' permission and preferences across different organizations," says Baker, who is senior partner at the consulting firm Martin, Blanck and Associates.

For instance, if a patient's primary care doctor exchanges the patient's data via EHR query with a cancer specialist, "how does that cancer doctor know whether the patient also permits their data to be used for research?" she asks.

Patient Data Matching

ONC also will seek comment on patient ID matching to ensure records from multiple sources are linked to the right patient. Discussions about patient data matching are heating up as concerns grow that more widespread use of EHRs and data exchange among providers from different organizations will lead to privacy, security and safety issues if health data is matched to the wrong patient.

During a Nov. 14 House subcommittee hearing about HITECH Act progress, Willa Fields, chair of the Healthcare Information Management and Systems Society, called on Congress to conduct a study of patient data matching (see: Congress Gets HITECH Progress Report).

In her testimony, Fields said, "One of the largest unresolved issues in the safe and secure electronic exchange of health information is the need for a nationwide patient data matching strategy to ensure the accurate, timely, and efficient matching of patients with their healthcare data across different systems and settings of care."

In addition to the meaningful use rule, the HIT Standards Committee is still working on details for the Stage 3 EHR software certification rule, Baker says. One important area being hammered out is privacy and security requirements for EHR modules, she says, because those were left out of the Stage 2 final rule. Software modules offer EHR components, such as e-prescribing or lab management, rather than a comprehensive package.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.