Tiger Team Tackles EHR Requirements

Mulling Stage 2 EHR Incentive Program Criteria
Tiger Team Tackles EHR Requirements
The Privacy and Security Tiger Team is scrambling to finish its recommendations for stage two requirements for the HITECH Act's electronic health record incentive program. It's considering issues ranging from authenticating the identity of patients using portals to requiring incentive program participants to use certain security functions, such as encryption.

The team continued discussions of its potential proposals Wednesday with a goal of presenting them at the April 13 meeting of the Health IT Policy Committee. It will continue is deliberations April 6.

Once the HIT Policy Committee approves the privacy and security recommendations, they must go through several more stages of approval before the Department of Health and Human Services ultimately issues a proposed rule for stage two EHR incentive requirements by year's end.

HITECH Incentive Criteria

A preliminary draft of stage two "meaningful use" criteria that hospitals and physician practices would have to meet did not include any privacy or security requirements because the tiger team was continuing its work (See: Waiting for More EHR Privacy Standards).

The only security requirement in stage one of the meaningful use criteria calls for conducting a risk analysis and taking unspecified steps to mitigate any risks identified. The tiger team is considering whether to go beyond that requirement to specify the use of a long list of security functions, as outlined by another panel, the HIT Standards Privacy and Security Working Group. For example, that list includes requirements for encryption of protected health information transmissions that leave the facility and travel in part over shared networks as well as encryption of PHI stored on portable devices and removable media. It also calls for encryption of all internal and external PHI transmissions "where the possibility of their going over unsecured wireless or cellular networks cannot be ruled out."

EHR Meaningful Use Criteria

At the Wednesday meeting, Deven McGraw, co-chair of the tiger team, offered a rundown of other key issues the tiger team hopes to address for stage two:

  • A pending stage two EHR meaningful use requirement is for 20 percent of an organization's patients to use a web portal to access their information. At its meeting Wednesday, tiger team members appeared close to a consensus that single-factor authentication (user name and password) should be required for patients to access a portal after they complete an initial identity verification process.
  • Another proposed stage 2 requirement calls for expanded use of health information exchange. The tiger team has already recommended the use of digital certificates to authenticate organizations exchanging data.
  • The tiger team also is completing other proposals for user authentication. For example, it's considering recommending that at least two-factor authentication be required for those exchanging information by using the Nationwide Health Information Network standards. Such a requirement could potentially be included in the upcoming NHIN governance rule as well as the criteria for the federal EHR incentive program, McGraw pointed out.
  • Also, the tiger team is considering expanding EHR software certification requirements for recording patient demographic data. It recently approved recommendations on matching patients to the right records.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.