Second EHR Incentive Rule Progresses

Would Set HITECH Stage 2 'Meaningful Use' Requirements
Second EHR Incentive Rule Progresses

Federal regulators are a step closer to releasing a second proposed rule for Stage 2 of the HITECH Act electronic health record incentive program.

See Also: The Application Security Team's Framework For Upgrading Legacy Applications

On Jan. 24, the Department of Health and Human Services submitted to the White House Office of Management and Budget a proposed rule outlining how hospitals and physicians must meaningfully use EHRs to achieve a second round of incentive payments from Medicare and Medicaid. On Jan. 19, HHS submitted to OMB a related rule setting software certification standards for Stage 2 of the incentive program (see: New EHR Incentive Rule Inches Forward).

Submitting a rule to OMB is a final step before it's published in the Federal Register and public comments are solicited.

The meaningful use rule for Stage 1 of the incentive program contains only limited security requirements. It requires that hospitals and physician groups conduct a risk assessment and take action to mitigate any risks identified. The Stage 2 rule is expected to spell out more requirements. For example, the Privacy and Security Tiger Team recommended providers be required to verify how they're protecting stored data, such as with encryption (see: The Regulation Waiting Game).

The EHR software certification rule for Stage 1 of the HITECH Act incentive program required that the software include several security functions, including encryption. The stage 2 rule is expected to contain additional security functionality requirements.

HHS also is expected to soon submit to OMB the Nationwide Health Information Network governance rule, providing guidelines for health information exchange, including privacy provisions. Tiger Team Co-Chair Deven McGraw expects that rule, along with the incentive program rules, will be released in the first quarter.

Also pending - and long overdue - is an omnibus package of regulations slated to include a final version of modifications to HIPAA privacy and security rules as well as a final version of the HIPAA breach notification rule. An interim final version of the breach rule has been in effect since September 2009.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.