Second EHR Incentive Rule ProgressesWould Set HITECH Stage 2 'Meaningful Use' Requirements
Federal regulators are a step closer to releasing a second proposed rule for Stage 2 of the HITECH Act electronic health record incentive program.
On Jan. 24, the Department of Health and Human Services submitted to the White House Office of Management and Budget a proposed rule outlining how hospitals and physicians must meaningfully use EHRs to achieve a second round of incentive payments from Medicare and Medicaid. On Jan. 19, HHS submitted to OMB a related rule setting software certification standards for Stage 2 of the incentive program (see: New EHR Incentive Rule Inches Forward).
Submitting a rule to OMB is a final step before it's published in the Federal Register and public comments are solicited.
The meaningful use rule for Stage 1 of the incentive program contains only limited security requirements. It requires that hospitals and physician groups conduct a risk assessment and take action to mitigate any risks identified. The Stage 2 rule is expected to spell out more requirements. For example, the Privacy and Security Tiger Team recommended providers be required to verify how they're protecting stored data, such as with encryption (see: The Regulation Waiting Game).
The EHR software certification rule for Stage 1 of the HITECH Act incentive program required that the software include several security functions, including encryption. The stage 2 rule is expected to contain additional security functionality requirements.
HHS also is expected to soon submit to OMB the Nationwide Health Information Network governance rule, providing guidelines for health information exchange, including privacy provisions. Tiger Team Co-Chair Deven McGraw expects that rule, along with the incentive program rules, will be released in the first quarter.
Also pending - and long overdue - is an omnibus package of regulations slated to include a final version of modifications to HIPAA privacy and security rules as well as a final version of the HIPAA breach notification rule. An interim final version of the breach rule has been in effect since September 2009.