HHS Releases HITECH Act Final Rules
Regulations for Stage 3 of EHR Incentive Program, 2015 Software Certification
The Department of Health and Human Services has released final rules for the HITECH Act electronic health record incentive program. Those rules, which address privacy and security, among other issues, include a rule spelling out how providers can demonstrate meaningful use of EHRs to earn additional incentive payments in Stage 3 and a rule setting 2015 health IT software certification criteria. Providers participating in the incentive program must use certified software.
The two final rules simplify requirements and add new flexibilities for providers to make electronic health information available when and where it matters most, HHS said in a statement.
Karen DeSalvo, M.D., who heads HHS' Office of the National Coordinator for Health IT, said during a media briefing Oct. 6 that the final rule for the 2015 software certification, among other things, "strengthens cybersecurity, making sure systems are more secure."
The software rule focuses on increasing interoperability - "a secure but seamless flow of electronic health information" - and improving transparency and competition in the health IT marketplace, DeSalvo said.
"This rule is a key step forward in our work with the private sector to realize the shared goal of making actionable electronic health information available when and where it matters most to transform care and improve health for the individual, community and larger population. It will bring us closer to a world in which healthcare providers and consumers can readily, safely and securely exchange electronic health information," she said.
In a statement provided to Information Security Media Group, ONC further explains: "The 2015 Edition Final Rule includes a new privacy and security framework that ensures each 2015 edition certification capability is paired with the appropriate privacy and security 'safeguards.' This is a key update to our program. For example, when health IT is being certified for exchange capabilities, it is also being tested to ensure it has capabilities for authentication and access, auditing and encryption/hashing.
"We note that for hashing, we now require health IT to be capable of creating a hashing algorithm with security strength equal to or greater than SHA-2, which increases security of the message sent."
Patrick Conway, M.D., acting principal deputy administrator and chief medical officer at the Centers for Medicare & Medicaid Services, said at the briefing that CMS decided to issue the meaningful use rule for Stage 3 - despite calls by some industry groups and some members of Congress to delay the rule-making - because the rules for meaningful use requirements and the 2015 software certification could not be separated.
So instead of delaying the release of the meaningful use rule for Stage 3, CMS is continuing to seek public comment on the rule for 60 days. This input could be considered by CMS for future policy developments for the EHR incentive program, as well as other government programs, he says.
In addition to the two final rules, ONC also on Oct. 6 released the final version of its 10-year interoperability roadmap.
Among other objectives, the roadmap seeks to help "clarify and align federal and state privacy and security requirements that enable interoperability" of EHRs and ease health information exchange, says the document. ONC released a draft roadmap earlier this year (see Roadmap for National Health Data Exchange).
Watch for more information on this developing story.