Federal officials recently released the final rules for Stage 2 of the HITECH Act electronic health record incentive program, which is providing billions of dollars' worth of payments to hospitals and physicians. What privacy and security requirements are contained in the new rules? And what's the best way to prepare to comply?
Register for this session to gain insights from Deven McGraw, chair of the Privacy and Security Tiger Team, who helped craft recommendations for the rules. She'll discuss:
What the rules have to say about encryption;
The rules' requirements for patient downloads of records, secure messaging and more;
Steps to take now to prepare to comply with the privacy and security provisions.
Under the HITECH Act electronic health record incentive program, launched as part of the economic stimulus package, hospitals and physicians are earning billions of dollars' worth of incentives from Medicare and Medicaid for meaningfully using EHRs.
The Centers for Medicare & Medicaid Services and the Office of the National Coordinator for Health IT have released the final regulations for Stage 2 of the program. For providers who attested to meeting Stage 1 meaningful use requirements in 2011 or 2012, Stage 2 requirements begin in 2014. All participants in the incentive program must be using EHR technology certified to the updated certification criteria by 2014.
The two lengthy rules contain numerous provisions that touch on the issues of privacy and security. Sorting through the dense rules is challenging, as is preparing a compliance strategy.
In this session, attorney Deven McGraw, who helped draft some of the recommendations that ultimately became provisions in the rules, will offer a detailed guide to the privacy and security requirements. She'll also provide timely insights on the most important steps your organization can take now to begin compliance preparation. She'll review:
The scope of the Stage 2 meaningful use and software certification rules;
The requirement on meaningful users to perform a security risk assessment and address encryption of health information at rest;
The software certification requirement that EHRs must, by default, encrypt patient data stored on end-users' devices;
The privacy and security capabilities required to be included in the "Base EHR," and the elimination of the original certification requirement for all EHR modules to include these capabilities;
Requirements for professionals and institutional providers to give patients access to their health information through secure "view, download, and transmit" capabilities;
Requirements for professionals to use secure e-mail to communicate with patients;
EHR software requirements to support secure transport of patient data, compliance with the HIPAA Privacy Rule's provisions on patient-requested amendments to health data, matching of data to the right patient record and data portability;
The persistence of "optional" status for EHR capabilities to implement the Access Report requirements proposed by the HHS Office for Civil Rights; and
Understanding the intersection between the meaningful use and certification requirements and HIPAA regulations.
Former Deputy Director of Health Information Privacy, Department of Health and Human Services' Office for Civil Rights
McGraw was the acting chief privacy officer and deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA. Previously, she was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw served as an adviser to HHS on health data privacy and security issues. She served on the Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT, and co-led the committee's Privacy and Security Workgroup as well as its Information Exchange Workgroup.