Industry Debates Stage 2 EHR Rules

Comments on HITECH Proposals Address Privacy, Security
Federal regulators have received hundreds of comments about proposed rules for Stage 2 of the HITECH Act electronic health record incentive program, sparking debate on many issues, including how to provide patients with prompt, secure access to their records.

The Department of Health and Human Services will issue final versions of the rules in the coming weeks once it reviews comments received.

While some consumer groups want patients to have even more rapid access to their records than proposed, the American Hospital Association says it is too aggressive to require electronic information about a hospital admission to be available within 36 hours of discharge for at least 50 percent of patients by the Stage 2 deadline.

The AHA also notes: "Our members are particularly concerned with the proposed objective to provide patients with the ability to view, download and transmit large volumes of protected health information via the Internet (a 'patient portal'). The AHA believes that this objective is not feasible as proposed, raises significant security issues, and goes well beyond current technical capacity. ..."

The proposed meaningful use rule for Stage 2 would require that at least 10 percent of patients have actually viewed, downloaded or transmitted records via a secure portal.

But a coalition of 21 consumer organizations says patients should be able to view, download or transmit their information within 24 hours, not 36 hours, of an office visit or hospital discharge. "We take issue with the proposed timeframes for when the patient's information must become available to the patient, because the proposed approach is not consistent with the patient's workflow during transitions of care, and does not ensure information availability to patients and their caregivers when they need it most and are most motivated to follow through with self-care instructions - immediately following an encounter or admission."

Encryption of Data at Rest

Several healthcare associations are questioning another provision that would require hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."

The Privacy and Security Tiger Team, which advises regulators, made the recommendation that the risk assessment requirement for Stage 1 of the EHR incentive program be expanded for Stage 2 to include attesting to how data at rest is protected.

The tiger team wanted to use the meaningful use rule to "shine a spotlight" on the existing requirement in the HIPAA security rule, which states that data at rest should be encrypted unless doing so is not "reasonable and appropriate," says Deven McGraw, team co-chair. Under HIPAA, if encryption is not applied, providers must document that other safeguards, such as physical security, are in place. Encryption, especially of data on mobile devices, is a vital safeguard, McGraw contends, pointing to the many major health information breaches that have involved the loss or theft of unencrypted devices.

In commenting on the provision, the Healthcare Information and Management Systems Society calls on regulators to provide "additional education and clarification on what it means to 'address encryption'."

The College of Healthcare Information Management Executives goes further, saying this provision should be simplified "to refer only to compliance with applicable HIPAA privacy and security rules. We believe that it would be a mistake for each EHR incentive program regulation to emphasize different aspects of the HIPAA privacy and security rules. ..."

And the Medical Group Management Association takes a similar position. "Requiring an eligible professional to conduct a security risk analysis that is already required under HIPAA is duplicative and adds an unnecessary reporting burden," MGMA argues. The association, which represents physician practice administrators, calls on regulators to offer "guidance and educational materials to assist physician practices to understand and implement encryption should it be determined by the organization to be an appropriate solution."

MGMA also calls for a more precise definition of a "risk analysis" if conducting such an analysis continues to be a requirement under the meaningful use rule.

Software Certification Rule

A second Stage 2 proposed rule sets standards for certifying EHR software as qualifying for the program. It includes a provision that the software must be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where the EHR technology manages the data flow on the mobile device.

In its comments, the HIMSS Electronic Health Record Association, which represents EHR vendors, supports this provision. "Lost end-user devices represent a significant data breach risk to covered entities. We applaud the decision to allow the option to either encrypt end-user devices or make sure no data remains on end-user devices (managed by the technology)," the association wrote.

But the records vendor association seeks "clarity on when electronic health information is 'managed' by the EHR."

About the Author

Howard Anderson
News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.