The IT Security Requirements of Stage 2 Meaningful Use for Hospitals

The IT Security Requirements of Stage 2 Meaningful Use for Hospitals

Stage 2 of the EHR Meaningful Use Incentive Program opened for registration in early October. It was a busy month for healthcare headlines (the HIPAA Omninbus Rule, the federal government shutdown, and the launch of So much so, it may have been easy to overlook the increased IT security risk analysis requirements in Stage 2. In fact the word "security" is mentioned 61 times in the 676-page Stage 2 rule. While the core requirement to conduct a security risk analysis contained in Stage 1 is repeated almost verbatim in Stage 2, there are more nuances, additional requirements, and as usual, plenty of room for interpretation. In this webinar, attendees will learn:

See Also: HIPAA Risk Assessment: Assessing Your Security Gaps Before You Get Audited or Hacked

  • Exactly what is required of a eligible hospital to meet the security risk analysis requirement of Stage 2 Meaningful Use
  • What is meant by "addressing the encryption/security of data stored in Certified EHR Technology (CEHRT)?"
  • What is the formal definition of CEHRT?
  • What is the best way to document remediation as part of a hospital's risk management process?
  • Are there other security requirements (beyond a risk analysis) stated or implied in the Stage 2 Meaningful Use Rule?


Hospital EHR adoption rates are dramatically increasing, fueled in large part by the CMS Meaningful Use EHR Incentive Program. To attest to "meaningful use," hospitals must be using a certified EHR system. Then they must meet a number of "core requirements" to show that they have implemented and are actively using the EHR system. From 2011-to-present over two-thirds of hospitals have achieved Stage 1 Meaningful Use. It is safe to assume that the earliest Stage 1 adopters will be working to attest to Stage 2 in 2014.

Both Stage 1 and Stage 2 require hospitals to "conduct or review a security risk analysis" and "implement security updates as necessary and correct identified security deficiencies as part of its risk management process." Although the core measure is very similar in Stage 1 and Stage 2, there are persistent concerns about a broader Stage 2 scope. For example, Stage 2 raises the bar for health information exchange between providers and giving patients secure online access to their health information. It specifically calls out and addressable requirement from the HIPAA Security Rule regarding the encryption of "data at rest." This webinar will bring clarity and help answer the most commonly asked questions, such as:

  • Does ouR security risk analysis only need to look at the EHR application?
  • What is the difference between the security risk analysis in Stage 1 and the requirements in Stage 2?
  • We did a security risk analysis for Stage 1. Do we have to do another one for Stage 2?
  • How do I prove that our organization has addressed the issue of the encryption/security of data stored in CEHRT?

Webinar Registration

Premium Members Only

OnDemand access to this webinar is restricted to Premium Members.

Join Now to Access
Have an account? Sign in.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.