One of the final rules for Stage 2 of the HITECH Act electronic health record incentive program has moved a step closer to publication. The Centers for Medicare and Medicaid Services on July 16 sent the rule to the Office of Management and Budget for review, the final step before a regulation is published in the Federal Register.
Earlier, federal officials had indicated the final version of both of the Stage 2 rules would be released by the end of summer (see: HIPAA, HITECH Updates Inch Closer). But in the past, OMB has taken from several weeks to many months to complete its reviews.
The proposed Stage 2 meaningful use rule sets detailed requirements for hospitals and physician groups to prove they are meaningfully using EHRs and, thus, qualify for additional incentive payments. For example, it would require hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."
In commenting on the proposed provision, the Healthcare Information and Management Systems Society called on regulators to provide "additional education and clarification on what it means to 'address encryption'." (See: Industry Debates Stage 2 EHR Rules).
The College of Healthcare Information Management Executives went further, saying this provision should be simplified "to refer only to compliance with applicable HIPAA privacy and security rules. We believe that it would be a mistake for each EHR incentive program regulation to emphasize different aspects of the HIPAA privacy and security rules. ..."
A second proposed Stage 2 rule on software certification is not yet on the list of regulations OMB is reviewing. That rule, which sets standards for software eligible for the incentive program, includes a provision that EHRs must be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where electronic health record technology manages the data flow on the device.