What's New in EHR Certification Rule?

Proposed Stage 2 HITECH EHR Incentive Rule Released
Federal authorities on Feb. 24 released a proposed rule setting certification standards for electronic health record software for Stage 2 of the HITECH Act EHR incentive program. The proposal from the Department of Health and Human Services includes new details about encryption that go beyond Stage 1 requirements.

The proposed rule spells out all the functions, including privacy protections and security, that must be included in EHR software in order for it to qualify for the next phase of the incentive program.


The Stage 1 rule required EHR software to include a list of security functions, including encryption and automatic log-off, and that continues in Stage 2.

But regarding encryption, the proposed Stage 2 rule is more specific: "If EHR technology manages electronic health information on an end-user device and the electronic health information remains stored on the device after use of the EHR technology on that device has stopped, the electronic health information must be encrypted .... This capability must be enabled by default (i.e., turned on) and must only be permitted to be disabled (and re-enabled) by a limited set of identified users."

In explaining which security functions were considered for, but not added to, the proposed Stage 2 rule, the writers note that they rejected a recommendation from the Health IT Standards Committee. "The HITSC recommended that we require as a condition of certification other privacy and security oriented capabilities, such as single factor authentication and secure download. We did not include these additional capabilities in our proposals because we believe their technical implementations are commonplace and ubiquitous. Thus, there would seem to be little value added by requiring that these capabilities be demonstrated as a condition of certification."

Also not included in the rule are proposed requirements for metadata tagging to indicate patient privacy preferences for who can access certain portions of the record. The metadata tagging issue was raised in a report from the President's Council of Advisors on Science and Technology. "We are not proposing metadata standards for privacy and intend to continue to work with the industry to further flesh out what such metadata standards could be."

Meaningful Use

On Feb. 23, federal authorities issued another proposed rule outlining how hospitals and physician practices would have to "meaningfully use" EHR software to earn Stage 2 incentives (see: Stage 2 HITECH EHR Rule Unveiled). That proposal contains relatively few new requirements on privacy and security.

Both rules will be officially published in the Federal Register March 7. The Department of Health and Human Services will accept comments on the rules for 60 days. Final versions of both rules will be completed by late summer, a Department of Health and Human Services official said at the Healthcare Information and Management Systems Society Conference.

A proposed Nationwide Health Information Network Governance Rule, not yet released, could also include new requirements for privacy and security tied to electronic health information exchange.

Incentive Payments

The HITECH incentive program, funded by the economic stimulus package, is providing billions of dollars in payments from Medicare and Medicaid to hospitals and physician practices that demonstrate they're meaningfully using certified EHRs.

Participants in the EHR incentive program can gain additional payments in the next two stages if they meet the tougher requirements for each phase of the program. Stage 2 begins Oct. 1, 2013, for hospitals and Jan. 1, 2014, for physicians.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
