What's New in EHR Certification Rule?
Proposed Stage 2 HITECH EHR Incentive Rule Released
Federal authorities on Feb. 24 released a proposed rule setting certification standards for electronic health record software for Stage 2 of the HITECH Act EHR incentive program. The proposal from the Department of Health and Human Services includes new details about encryption that go beyond Stage 1 requirements.
The proposed rule spells out all the functions, including privacy protections and security, that must be included in EHR software in order for it to qualify for the next phase of the incentive program.
The Stage 1 rule required EHR software to include a list of security functions, including encryption and automatic log-off, and that continues in Stage 2.
But regarding encryption, the proposed Stage 2 rule is more specific: "If EHR technology manages electronic health information on an end-user device and the electronic health information remains stored on the device after use of the EHR technology on that device has stopped, the electronic health information must be encrypted .... This capability must be enabled by default (i.e., turned on) and must only be permitted to be disabled (and re-enabled) by a limited set of identified users."
In explaining which security functions were considered for the proposed Stage 2 rule but left out, the rule's writers note that they declined to adopt a recommendation from the Health IT Standards Committee. "The HITSC recommended that we require as a condition of certification other privacy and security oriented capabilities, such as single factor authentication and secure download. We did not include these additional capabilities in our proposals because we believe their technical implementations are commonplace and ubiquitous. Thus, there would seem to be little value added by requiring that these capabilities be demonstrated as a condition of certification."
Also not included in the rule are proposed requirements for metadata tagging to indicate patient privacy preferences for who can access certain portions of the record. The metadata tagging issue was raised in a report from the President's Council of Advisors on Science and Technology. "We are not proposing metadata standards for privacy and intend to continue to work with the industry to further flesh out what such metadata standards could be."
On Feb. 23, federal authorities issued another proposed rule outlining how hospitals and physician practices would have to "meaningfully use" EHR software to earn Stage 2 incentives (see: Stage 2 HITECH EHR Rule Unveiled). That proposal contains relatively few new requirements on privacy and security.
Both rules will be officially published in the Federal Register March 7. The Department of Health and Human Services will accept comments on the rules for 60 days. Final versions of both rules will be completed by late summer, a Department of Health and Human Services official said at the Healthcare Information and Management Systems Society Conference.
A proposed Nationwide Health Information Network Governance Rule, not yet released, could also include new requirements for privacy and security tied to electronic health information exchange.
The HITECH incentive program, funded by the economic stimulus package, is providing billions of dollars in payments from Medicare and Medicaid to hospitals and physician practices that demonstrate they're meaningfully using certified EHRs.
Participants in the EHR incentive program can gain additional payments in the next two stages if they meet the tougher requirements for each phase of the program. Stage 2 begins Oct. 1, 2013, for hospitals and Jan. 1, 2014, for physicians.