While you may be striving to achieve 'meaningful use' status to qualify for electronic health record incentives, some new requirements on privacy and security have surfaced as part of the proposed rule that defines how to achieve 'meaningful use' for Stage 2 of the HITECH Act EHR incentive program.
The proposed rule was posted on the Federal Register Public Inspection Site on Feb. 23, with the official announcement of the meaningful use rule published the Federal Register on March 7. Yet another rule setting the standards for certifying EHR software for the incentive program has also been proposed. The ONC Proposed Rule seeks feedback through the Stage 2 rule on how to increase patient safety through updated certification criteria, how to improve data portability and how to increase price transparency with regard to certified Complete EHRs or EHR Modules. Comments on these rules will be accepted by HHS for 60 days after the official announcement, following which the final version of the rules will be published by late summer.
What this means to you
Stage 1 of the meaningful use rule incorporated just one privacy and security requirement: Healthcare entities must conduct or review risk analysis and implement necessary security updates to fill gaps and fix deficiencies identified in the process. The proposed Stage 2 rule however expands this requirement with more specific additions. It requires that risk assessment also include "addressing encryption/security of data at rest."
This would mean that while there will be no major change in the requirements of the HIPAA security rule, there will be added emphasis on the inclusion of encryption of protected health information where reasonable and appropriate, and where it is not, it necessitates the adoption of an equivalent alternative measure to secure electronic health records.
Similarly, the proposed EHR software certification rule also contains new additions on encryption, such as enabling encryption of data on end-user devices by default, in cases where data is stored on user devices.
There are at least two provisions in the proposed Stage 2 rule concerning security of health information:
Under the HITECH incentive program, which is funded by the economic stimulus package, providers may be eligible for millions of dollars in payments from Medicare and Medicaid if they can demonstrate the use of certified EHR technology in a meaningful manner. If you participate in the EHR incentive program, once you qualify in the first phase, you can gain additional incentives in the following two stages if you meet the tougher requirements at each stage.
A total of $3.1 billion has been paid in incentives to nearly 2,000 hospitals and more than 41,000 physicians so far under Stage 1 of the program. And you could soon be one of them if you can effectively adopt and demonstrate 'meaningful use' of EHR.
What should you do?
Cloud computing based software-as-a service options exist today that can show proof that you are compliant with the requirements in safeguarding electronically stored data and ensuring that your patients' health information is protected at all times. Demonstrate 'meaningful use', and you will qualify to receive these handsome EHR incentives.
Anupam Sahai is president of eGestalt Technologies, a provider of IT security, governance, risk management and compliance solutions based in Santa Clara, Calif. With more than 21 years of IT experience and three worldwide patents, Sahai has held positions with Silicon Graphics, Hewlett Packard and Microsoft. He holds a Bachelors in Engineering from IIT Kharagpur, India, a Masters in Computer Science from IIT Kanpur, India, a Masters in engineering and an MBA degree from The Sloan School of Management at MIT. You can reach him at anupam.sahai@egestalt.com
39 Things to Know About CMS' Stage 2 Requirements for Meaningful
The proposed rule was posted on the Federal Register Public Inspection Site on Feb. 23, with the official announcement of the meaningful use rule published the Federal Register on March 7. Yet another rule setting the standards for certifying EHR software for the incentive program has also been proposed. The ONC Proposed Rule seeks feedback through the Stage 2 rule on how to increase patient safety through updated certification criteria, how to improve data portability and how to increase price transparency with regard to certified Complete EHRs or EHR Modules. Comments on these rules will be accepted by HHS for 60 days after the official announcement, following which the final version of the rules will be published by late summer.
What this means to you
Stage 1 of the meaningful use rule incorporated just one privacy and security requirement: Healthcare entities must conduct or review risk analysis and implement necessary security updates to fill gaps and fix deficiencies identified in the process. The proposed Stage 2 rule however expands this requirement with more specific additions. It requires that risk assessment also include "addressing encryption/security of data at rest."
This would mean that while there will be no major change in the requirements of the HIPAA security rule, there will be added emphasis on the inclusion of encryption of protected health information where reasonable and appropriate, and where it is not, it necessitates the adoption of an equivalent alternative measure to secure electronic health records.
Similarly, the proposed EHR software certification rule also contains new additions on encryption, such as enabling encryption of data on end-user devices by default, in cases where data is stored on user devices.
There are at least two provisions in the proposed Stage 2 rule concerning security of health information:
- Hospitals have to provide secure online access to health information to more than 50 percent of their patients, and should be able to verify that at least 10 percent of their patients have actually viewed, downloaded or transmitted health information with such access.
- Physicians should use 'secure electronic messaging' to communicate relevant health information to patients, and should be able to verify that more than 10 percent of the patients in a defined time period have received a secure message through the electronic messaging service which uses certified EHR technology.
Under the HITECH incentive program, which is funded by the economic stimulus package, providers may be eligible for millions of dollars in payments from Medicare and Medicaid if they can demonstrate the use of certified EHR technology in a meaningful manner. If you participate in the EHR incentive program, once you qualify in the first phase, you can gain additional incentives in the following two stages if you meet the tougher requirements at each stage.
A total of $3.1 billion has been paid in incentives to nearly 2,000 hospitals and more than 41,000 physicians so far under Stage 1 of the program. And you could soon be one of them if you can effectively adopt and demonstrate 'meaningful use' of EHR.
What should you do?
Cloud computing based software-as-a service options exist today that can show proof that you are compliant with the requirements in safeguarding electronically stored data and ensuring that your patients' health information is protected at all times. Demonstrate 'meaningful use', and you will qualify to receive these handsome EHR incentives.
Anupam Sahai is president of eGestalt Technologies, a provider of IT security, governance, risk management and compliance solutions based in Santa Clara, Calif. With more than 21 years of IT experience and three worldwide patents, Sahai has held positions with Silicon Graphics, Hewlett Packard and Microsoft. He holds a Bachelors in Engineering from IIT Kharagpur, India, a Masters in Computer Science from IIT Kanpur, India, a Masters in engineering and an MBA degree from The Sloan School of Management at MIT. You can reach him at anupam.sahai@egestalt.com
More Articles on Stage 2 of Meaningful Use:
6 Benefits & Challenges in CMS' Meaningful Use Stage 2 Proposed Rule39 Things to Know About CMS' Stage 2 Requirements for Meaningful