Second Stage 2 HITECH Rule AdvancesOMB Reviewing EHR Software Certification Provisions
A second rule for Stage 2 of the HITECH Act electronic health record incentive program has moved closer to publication. The Department of Health and Human Services on July 31 sent the final version of the EHR software certification rule to the Office of Management and Budget for review, the last step before a regulation is published in the Federal Register.
The certification rule sets standards for EHR software eligible for the incentive program. A proposed version of the rule included a provision that EHRs must be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where electronic health record technology manages the data flow on the device.
On July 16, HHS submitted to OMB the final version of the Stage 2 "meaningful use" rule, which sets detailed requirements for hospitals and physician groups to prove they are meaningfully using EHRs and, thus, qualify for additional incentive payments. A proposed version of the rule called for requiring hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."
Earlier, federal officials had indicated the final versions of both of the Stage 2 rules would be published in the Federal Register by the end of summer (see: HIPAA, HITECH Updates Inch Closer). But in the past, OMB has taken from several weeks to many months to complete its reviews.
Comments on Rule
Earlier, in commenting on the encryption provision for mobile devices included in the proposed Stage 2 software certification rule, the HIMSS Electronic Health Record Association, which represents EHR vendors, supported the provision.
"Lost end-user devices represent a significant data breach risk to covered entities. We applaud the decision to allow the option to either encrypt end-user devices or make sure no data remains on end-user devices (managed by the technology)," the association wrote (see: Industry Debates Stage 2 EHR Rules).
But the records vendor association sought "clarity on when electronic health information is 'managed' by the EHR."