Stage 2 HITECH Rules Under Microscope
EHR Incentive Rules' Privacy Provisions Under Review
The Health IT Policy Committee plans to make recommendations for privacy and security changes in the proposed Stage 2 rules for the HITECH Act electronic health record incentive program. Panel members expect to vote on recommendations May 2.
The Privacy and Security Tiger Team, which advises the committee, is continuing its in-depth review of the Stage 2 rules. The rules incorporate some, but not all, of the team's earlier recommendations, which the HIT Policy Committee endorsed. One rule spells out requirements for demonstrating the meaningful use of EHRs to qualify for additional incentive payments. The other rule spells out standards for EHR software certification for the incentive program. Public comments on both rules are due May 7.
The tiger team will meet again April 9 and April 23 to discuss refinements and additions to the rules and will present a final set of recommendations to the HIT Policy Committee at its May 2 meeting. The committee advises the Department of Health and Human Services, which issued the rules.
Reviewing the Provisions
At the April 4 meeting of the committee, tiger team co-chair Deven McGraw stressed that many of the team's recommendations made their way into the rules, including, in particular, a requirement that risk assessments verify how data at rest is protected, such as through encryption. She offered a presentation on the team's recommendations that were included in the rules as well as those that are not in the pending regulations.
The team plans to recommend that the Stage 2 EHR software certification rule require that EHR systems accommodate patient amendments to their records in free text as well as by scanning documents. The team also plans to recommend that the Stage 2 certification rule make it clear that EHR vendors should be working toward a Stage 3 requirement that EHRs demonstrate the capability to transmit amendments to other providers.
The team is weighing many other potential recommendations, including requiring the testing of certified EHRs for authentication of patients and for secure download capability via patient portals. It's also considering whether the rules contain enough direction on how EHRs should accommodate digital certificates as well as how to ensure EHRs can help with matching patient records from various sources to the right patient.
At the April 4 committee meeting, McGraw noted that recent privacy and security guidance the HHS Office of the National Coordinator for Health IT provided to federally funded health information exchanges incorporates many tiger team recommendations (see: HIEs Get Privacy, Security Guidance). The program information notice containing the guidance points out that HIEs that are not taking the recommended privacy and security steps must develop a "strategy, timeline and action plan for addressing these gaps."