Stage 2 Meaningful Use Rule Progresses

OMB Review is Final Step Before Publication
Stage 2 Meaningful Use Rule Progresses

One of the final rules for Stage 2 of the HITECH Act electronic health record incentive program has moved a step closer to publication. The Centers for Medicare and Medicaid Services on July 16 sent the rule to the Office of Management and Budget for review, the final step before a regulation is published in the Federal Register.

See Also: Defense Strategies for Advanced Threats: Breaking the Cyber Kill Chain with SANS 20 Critical Security Controls

Earlier, federal officials had indicated the final version of both of the Stage 2 rules would be released by the end of summer (see: HIPAA, HITECH Updates Inch Closer). But in the past, OMB has taken from several weeks to many months to complete its reviews.

The proposed Stage 2 meaningful use rule sets detailed requirements for hospitals and physician groups to prove they are meaningfully using EHRs and, thus, qualify for additional incentive payments. For example, it would require hospitals and physician groups to conduct a security risk analysis that includes "addressing the encryption/security of data at rest."

In commenting on the proposed provision, the Healthcare Information and Management Systems Society called on regulators to provide "additional education and clarification on what it means to 'address encryption'." (See: Industry Debates Stage 2 EHR Rules).

The College of Healthcare Information Management Executives went further, saying this provision should be simplified "to refer only to compliance with applicable HIPAA privacy and security rules. We believe that it would be a mistake for each EHR incentive program regulation to emphasize different aspects of the HIPAA privacy and security rules. ..."

A second proposed Stage 2 rule on software certification is not yet on the list of regulations OMB is reviewing. That rule, which sets standards for software eligible for the incentive program, includes a provision that EHRs must be able to demonstrate the capacity to encrypt data on mobile devices in circumstances where electronic health record technology manages the data flow on the device.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network