Tiger Team Tackles EHR RequirementsMulling Stage 2 EHR Incentive Program Criteria
The team continued discussions of its potential proposals Wednesday with a goal of presenting them at the April 13 meeting of the Health IT Policy Committee. It will continue is deliberations April 6.
Once the HIT Policy Committee approves the privacy and security recommendations, they must go through several more stages of approval before the Department of Health and Human Services ultimately issues a proposed rule for stage two EHR incentive requirements by year's end.
HITECH Incentive CriteriaA preliminary draft of stage two "meaningful use" criteria that hospitals and physician practices would have to meet did not include any privacy or security requirements because the tiger team was continuing its work (See: Waiting for More EHR Privacy Standards).
The only security requirement in stage one of the meaningful use criteria calls for conducting a risk analysis and taking unspecified steps to mitigate any risks identified. The tiger team is considering whether to go beyond that requirement to specify the use of a long list of security functions, as outlined by another panel, the HIT Standards Privacy and Security Working Group. For example, that list includes requirements for encryption of protected health information transmissions that leave the facility and travel in part over shared networks as well as encryption of PHI stored on portable devices and removable media. It also calls for encryption of all internal and external PHI transmissions "where the possibility of their going over unsecured wireless or cellular networks cannot be ruled out."
EHR Meaningful Use Criteria
At the Wednesday meeting, Deven McGraw, co-chair of the tiger team, offered a rundown of other key issues the tiger team hopes to address for stage two:
- A pending stage two EHR meaningful use requirement is for 20 percent of an organization's patients to use a web portal to access their information. At its meeting Wednesday, tiger team members appeared close to a consensus that single-factor authentication (user name and password) should be required for patients to access a portal after they complete an initial identity verification process.
- Another proposed stage 2 requirement calls for expanded use of health information exchange. The tiger team has already recommended the use of digital certificates to authenticate organizations exchanging data.
- The tiger team also is completing other proposals for user authentication. For example, it's considering recommending that at least two-factor authentication be required for those exchanging information by using the Nationwide Health Information Network standards. Such a requirement could potentially be included in the upcoming NHIN governance rule as well as the criteria for the federal EHR incentive program, McGraw pointed out.
- Also, the tiger team is considering expanding EHR software certification requirements for recording patient demographic data. It recently approved recommendations on matching patients to the right records.