Second Stage 2 HITECH Rule Advances

OMB Reviewing EHR Software Certification Provisions

A second rule for Stage 2 of the HITECH Act electronic health record incentive program has moved closer to publication. The Department of Health and Human Services on July 31 sent the final version of the EHR software certification rule to the Office of Management and Budget for review, the last step before a regulation is published in the Federal Register.

The certification rule sets standards for EHR software eligible for the incentive program. A proposed version of the rule included a provision that EHRs must be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where electronic health record technology manages the data flow on the device.

On July 16, HHS submitted to OMB the final version of the Stage 2 "meaningful use" rule, which sets detailed requirements for hospitals and physician groups to prove they are meaningfully using EHRs and, thus, qualify for additional incentive payments. A proposed version of the rule called for requiring hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."

Earlier, federal officials had indicated the final versions of both of the Stage 2 rules would be published in the Federal Register by the end of summer (see: HIPAA, HITECH Updates Inch Closer). But in the past, OMB has taken from several weeks to many months to complete its reviews.

Comments on Rule

Earlier, in commenting on the encryption provision for mobile devices included in the proposed Stage 2 software certification rule, the HIMSS Electronic Health Record Association, which represents EHR vendors, supported the provision.

"Lost end-user devices represent a significant data breach risk to covered entities. We applaud the decision to allow the option to either encrypt end-user devices or make sure no data remains on end-user devices (managed by the technology)," the association wrote (see: Industry Debates Stage 2 EHR Rules).

But the records vendor association sought "clarity on when electronic health information is 'managed' by the EHR."


About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



