New EHR Incentive Rule Inches ForwardWould Set Stage 2 Software Security Requirements for HITECH
Federal regulators are offering a hint about which of the pending rules affecting healthcare information privacy and security will be among the first to be issued this year.
See Also: HIPAA Audits: A Revised Game Plan
On Jan. 19, the Department of Health and Human Services submitted to the White House Office of Management and Budget a proposed rule setting software certification standards for Stage 2 of the HITECH Act electronic health record incentive program. Submitting a rule to OMB usually is a final step before it's published in the Federal Register and public comments are solicited.
The EHR software certification rule for Stage 1 of the HITECH Act incentive program required that the software include several security functions, including encryption. The stage 2 rule is expected to contain additional security functionality requirements.
Not yet submitted to OMB is a Stage 2 rule spelling out criteria for qualifying as a "meaningful user" of EHRs to earn additional incentive payments. In the Stage 1 version of the meaningful use rule, the only security requirement was to conduct a risk assessment and take action to mitigate risks identified. The stage 2 rule is expected to include many more security requirements.
Other Pending Regulations
Another rule pending as a result of the HITECH Act is the Nationwide Health Information Network governance rule, providing guidelines for health information exchange, including privacy provisions.
Also long overdue is an omnibus package of regulations slated to include a final version of modifications to HIPAA privacy and security rules as well as a final version of the HIPAA breach notification rule. An interim final version of the breach rule has been in effect since September 2009.