The Security Scrutinizer with Howard Anderson

EHR Incentives: Encouraging Signs

Stage 2 Criteria Likely to Include More Privacy, Security Requirements

The HITECH Act's electronic health record incentive program, which could provide as much as $27 billion in payments to hospitals and clinics that "meaningfully use" EHRs, could go a long way toward making EHRs ubiquitous. And the rules for earning the Medicare and Medicaid incentives also could go a long way toward ensuring the privacy and security of digitized patient information.

But the meaningful use criteria that must be met to qualify for stage one of the incentive program, which kicked off in January, contain few privacy and security details. The only spelled-out requirement is to conduct a risk analysis and take appropriate steps to mitigate risks identified. And that's already required under the HIPAA security rule.

The criteria for certifying EHR software as qualifying for the program, however, require the applications to include numerous security functions, including encryption. But the stage one meaningful use rules don't explicitly require the use of any of those functions.

Now, federal authorities are contemplating what privacy and security requirements to include in stage two of the program. Under the current proposed timeline, incentive program participants would have to meet the stage two meaningful use requirements in 2012 to earn the next round of payments in 2013.

It's far too soon to tell what specific requirements will be included in the rule spelling out stage two criteria, due from the Department of Health and Human Services at year's end. But there are encouraging signs that stage two criteria will include far more privacy and security requirements than stage one.

This week, the Privacy and Security Tiger Team, one of several federal advisory groups working on EHR incentive program criteria, continued to discuss a long list of potential requirements (see "Tiger Team Tackles EHR Requirements"). Since its formation last year, the team has made a number of proposals that could wind up in the incentive program criteria or other federal rules. Those range from guidelines for obtaining patients' consent to exchange their records to ways to match patients to the right records.

Take a look at the slides from this week's Privacy and Security Tiger Team meeting, and you'll get an idea of the many protections they're considering for stage two criteria, including potentially requiring the use of encryption in certain circumstances.

In addition to the tiger team, several committees and workgroups are working on the various stage two criteria. They all serve as advisers to the Office of the National Coordinator for Health IT, which ultimately will make recommendations to HHS. So there are still a lot of hoops to jump through before tougher privacy and security standards for the incentive program become a reality.

But for now, there are some encouraging signs that stage two criteria will include some "meaningful" privacy and security protections. And that's good news, given that EHRs will never win the support of physicians and their patients unless they trust that the information will remain private.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
