Stage 2 HITECH EHR Rules PreviewGuidelines for Next Phase of Incentive Program Coming Today
In a presentation at the Healthcare Information and Management Systems Society Conference Feb. 22, Mostashari offered some insights about the content of the two rules. One rule sets requirements for how to demonstrate "meaningful use" of EHRs in Stage 2; the other sets standards for EHR software to be certified for the second stage of the program.
Mostashari and other federal officials point out:
- The meaningful use rule will require that hospitals and physician groups demonstrate that more than 10 percent of all patients have securely viewed or downloaded their records or transmitted them to a third party. t
- The software certification rule will require that EHRs used in ambulatory care settings must accommodate secure messaging.
- The rules will have an "increased emphasis on encryption of data at rest," Mostashari says. The proposed EHR software certification rule, for example, says that if the software "has patient data stored on end-user devices they [the EHR vendor] should account for default encryption," he adds.
Billions in Incentives
The incentive program, funded by the economic stimulus package, is providing billions of dollars in payments to hospitals and physician groups that demonstrate they're meaningfully using certified EHRs. The Department of Health and Human Services' Office of the National Coordinator for Health IT developed the guidelines.
In a Feb. 17 speech, HHS Secretary Kathleen Sebelius said a total of $3.1 billion in incentives have been paid so far to nearly 2,000 hospitals and more than 41,000 physicians under Stage 1 of the incentive program. She cited a new study by the American Hospital Association that found 34 percent of hospitals had adopted EHRs by 2011, up from 16 percent in 2009. And about 85 percent of hospitals plan to take part in the incentive program by 2015, the survey showed.
Participants in the EHR incentive program can gain additional payments in the next two stages if they meet the tougher requirements - including those for privacy and security - for each phase of the program. Hospitals and physicians that qualify for Stage 1 have until 2014 to begin complying with Stage 2 requirements to qualify for additional payments.
For Stage 1, the only security requirement for demonstrating meaningful use was to conduct a risk assessment and take action to mitigate risks identified; that's also a requirement of the HIPAA security rule. The Stage 1 EHR software certification standards included a long list of required security functions, including encryption.
HHS will accept comments on the two proposed Stage 2 rules for 60 days after the rules are officially published in the Federal Register, which is likely within a few days of the Feb. 23 announcement on the public inspection site.
On Feb. 17, HHS announced plans for a survey of consumers about their attitudes toward the privacy and security aspects of EHRs and electronic health information exchange. HHS plans to conduct telephone interviews with 2,000 Americans each year for five years to track trends and support decisions on policy objectives.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.