Comments are being accepted through Jan. 14, 2013, on potential privacy and security requirements to be included in the meaningful use rule for Stage 3 of the HITECH Act's electronic health record incentive program.
Stage 3 of the HITECH incentive program begins in 2016. Rules for Stage 2, which starts in 2014, were published in September.
The request for comment, published in the Federal Register Nov. 26, comes from the Healthcare IT Policy Committee, which advises the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services (see: HITECH Stage 3 Rules in the Works).
Details about the draft Stage 3 requirements were provided in an earlier blog posting by Jodi Daniel, director of ONC's office of policy and planning.
In addition to seeking comments on privacy and security issues, the HIT Policy Committee is also seeking feedback on proposals and questions related to a variety of other Stage 3 meaningful use objectives and measurements as well as quality measures.
Daniel's blog notes that the request for comment represents the HIT Policy Committee's "preliminary thinking [for Stage 3 proposals] and not necessarily HHS or its various agencies." The committee is recommending that the focus for meaningful use Stage 3 be the beginning of "transition from a setting-specific focus to a collaborative, patient and family-centric approach."
Among the key issues for which the committee is seeking comment is patient consent for the disclosure of sensitive health information.
"Some federal and state health information privacy and confidentiality laws, including but not limited to 42 CFR Part 2 [for substance abuse], establish detailed requirements for obtaining patient consent for sharing certain sensitive health information, including restricting the recipient's further disclosure of such information," states the request for comment, which then asks:
- How can EHRs and health information exchanges manage data that requires patient consent for disclosure so that populations receiving care covered by these laws are not excluded from health information exchange?
- How can meaningful use help improve the capacity of EHR infrastructure to record consent, limit the disclosure of this information to those providers and organizations specified on a consent form, manage consent expiration and consent revocation, and communicate the limitations on use and restrictions on re-disclosure to receiving providers?
- Are there existing standards, such as those identified by the Data Segmentation for Privacy Initiative Implementation Guide, that are mature enough to facilitate the exchange of this type of consent information in today's EHRs and HIEs?
Other privacy and security issues for which the committee is seeking feedback include Stage 3 proposals for multi-factor provider authentication; HIPAA Security Rule training for staff at physicians' offices and hospitals; and secure EHR information queries.