While you may be striving to achieve ‘meaningful use’ status to qualify for the EHR incentives, new privacy and security requirements have surfaced in the proposed rule that defines how to achieve ‘meaningful use’ of electronic health records (EHR) to qualify for Stage 2 of the HITECH Act EHR incentive program.
The proposed rule was posted on the Federal Register Public Inspection Site on February 23rd, and the official announcement of the meaningful use rule will be published in the Federal Register on March 7th. Another rule, setting the standards for certifying EHR software for the incentive program, has also been proposed but not yet posted. The Department of Health and Human Services will accept comments on these rules for 60 days after the official announcement, after which the final versions of both rules will be published by late summer.
What this means to you
Stage 1 of the meaningful use rule incorporated just one privacy and security requirement: healthcare entities must conduct or review a risk analysis and implement the necessary security updates to fill gaps and fix deficiencies identified in the process. The proposed Stage 2 rule, however, expands this requirement with more specific additions. It requires that the risk assessment also include “addressing encryption/security of data at rest.”
This would mean that the requirements of the HIPAA security rule will not change in any major way, but there will be added emphasis on encrypting protected health information where reasonable and appropriate. Where encryption is not reasonable and appropriate, an equivalent alternative measure must be adopted to secure electronic health records.
Similarly, the proposed EHR software certification rule, which is yet to be released, also contains new additions on encryption, such as enabling encryption of data on end-user devices by default, in cases where data is stored on user devices.
There are at least two provisions in the proposed Stage 2 rule concerning security of health information:
- Hospitals have to provide secure online access to health information to more than 50% of their patients, and should be able to verify that at least 10% of their patients have actually viewed, downloaded, or transmitted health information with such access.
- Physicians should use ‘secure electronic messaging’ to communicate relevant health information to patients, and should be able to verify that more than 10% of the patients in a defined time period have received a secure message through an electronic messaging service that uses certified EHR technology.
What do you get?
Under the HITECH incentive program, which is funded by the economic stimulus package, you may be eligible for millions of dollars in payments from Medicare and Medicaid if you can demonstrate that you are using certified EHR technology in a meaningful manner. If you participate in the EHR incentive program, once you qualify in the first phase, you can gain additional incentives in the following two stages if you meet the tougher requirements at each stage.
A total of $3.1 billion has been paid in incentives to nearly 2,000 hospitals and more than 41,000 physicians so far under Stage 1 of the program. And you could soon be one of them if you can effectively adopt and demonstrate ‘meaningful use’ of EHR.
What should you do?
All you need to do is adopt a comprehensive information security and compliance solution that enables you to ensure that you are indeed compliant with the requirements for safeguarding electronically stored data, and that your patients’ health information is protected at all times. eGestalt’s SecureGRC offers this capability. It is an automated and completely integrated solution, which is ideal for all your risk assessment and security management needs. It helps you safeguard electronic data, thus enabling you to demonstrate ‘meaningful use’ and qualify to receive EHR incentives.