Stage 2 HITECH EHR Rule Unveiled

'Meaningful Use' Rule Contains Few Security Details
Stage 2 HITECH EHR Rule Unveiled

A proposed rule defining how to achieve "meaningful use" of electronic health records to qualify for Stage 2 of the HITECH Act electronic health record incentive program contains few new requirements on privacy and security.

See Also: Take Inventory of Your Medical Device Security Risks

The proposed rule was posted on the Federal Register Public Inspection Site Feb. 23. Another Stage 2 rule setting standards for certifying EHR software as qualifying for the incentive program was released Feb. 24.

Both rules will be officially published in the Federal Register March 7. The Department of Health and Human Services will accept comments on the rules for 60 days. Final versions of both Stage 2 rules will be completed by late summer, a Department of Health and Human Services official said at the Healthcare Information and Management Systems Society Conference in Las Vegas.

Privacy, Security Details

The meaningful use rule for Stage 1 of the program contained only one privacy and security requirement, and the proposed Stage 2 rule narrowly expands that one requirement.

To qualify for Stage 1, hospitals and eligible professionals (physicians) must conduct or review a risk analysis and implement security updates as necessary to correct identified security deficiencies. The proposed Stage 2 rule includes the identical requirement. But it adds that the assessment must include "addressing the encryption/security of data at rest."

The proposed rule would not alter the HIPAA Security Rule's requirements on encryption. Under that rule, encryption is "addressable," which means it must be implemented if doing so is reasonable and appropriate - which stops short of an outright mandate.

The proposed rule specifically states: "We do not propose to change the HIPAA Security Rule requirements or require any more than would be required under HIPAA. We only emphasize the importance of an EP [eligible professional] or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure."

The proposed EHR software certification rule for Stage 2 also includes new details on encryption, says Farzad Mostashari, who heads the Office of the National Coordinator for Health IT. "We have proposed that [EHR] vendors ... by default enable encryption of data on end-user devices if any data is kept on user devices after the session ends," he said at a Feb. 23 press briefing at the HIMSS Conference.

Other Security Provisions

At least two other provisions in the proposed Stage 2 meaningful use rule touch on the security issue.

One would require hospitals and physician practices to provide secure online access to health information for more than 50 percent of patients. They would also have to verify that 10 percent of their patients actually have "viewed, downloaded or transmitted to a third party their health information."

The other provision would require that physician practices "use secure electronic messaging to communicate with patients on relevant health information. Practices would have to verify that, for more than 10 percent of patients seen during a defined period, "a secure message was sent using the electronic messaging function of certified EHR technology."

Financial Incentives

The HITECH incentive program, funded by the economic stimulus package, is providing billions of dollars in payments from Medicare and Medicaid to hospitals and physician practices that demonstrate they're meaningfully using certified EHRs.

Participants in the EHR incentive program can gain additional payments in the next two stages if they meet the tougher requirements for each phase of the program. Stage 2 begins Oct. 1, 2013, for hospitals and Jan. 1, 2014, for physicians.

In a Feb. 17 speech, Kathleen Sebelius, secretary of the Department of Health and Human Services, said a total of $3.1 billion in incentives have been paid so far to nearly 2,000 hospitals and more than 41,000 physicians under Stage 1 of the incentive program. She cited a new study by the American Hospital Association that found 34 percent of hospitals had adopted EHRs by 2011, up from 16 percent in 2009. And about 85 percent of hospitals plan to take part in the incentive program by 2015, the survey showed.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.