New EHR Incentive Rule Inches Forward

Would Set Stage 2 Software Security Requirements for HITECH
New EHR Incentive Rule Inches Forward

Federal regulators are offering a hint about which of the pending rules affecting healthcare information privacy and security will be among the first to be issued this year.

See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive

On Jan. 19, the Department of Health and Human Services submitted to the White House Office of Management and Budget a proposed rule setting software certification standards for Stage 2 of the HITECH Act electronic health record incentive program. Submitting a rule to OMB usually is a final step before it's published in the Federal Register and public comments are solicited.

The EHR software certification rule for Stage 1 of the HITECH Act incentive program required that the software include several security functions, including encryption. The stage 2 rule is expected to contain additional security functionality requirements.

Not yet submitted to OMB is a Stage 2 rule spelling out criteria for qualifying as a "meaningful user" of EHRs to earn additional incentive payments. In the Stage 1 version of the meaningful use rule, the only security requirement was to conduct a risk assessment and take action to mitigate risks identified. The stage 2 rule is expected to include many more security requirements.

Other Pending Regulations

Another rule pending as a result of the HITECH Act is the Nationwide Health Information Network governance rule, providing guidelines for health information exchange, including privacy provisions.

Also long overdue is an omnibus package of regulations slated to include a final version of modifications to HIPAA privacy and security rules as well as a final version of the HIPAA breach notification rule. An interim final version of the breach rule has been in effect since September 2009.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.