HITECH Stage 2 Extension Planned

More Time for Compliance With Privacy, Other Requirements
HITECH Stage 2 Extension Planned

Federal regulators plan to extend Stage 2 of the HITECH Act electronic health record incentive program one year, giving healthcare providers and EHR software vendors more time to comply with requirements that include a variety of privacy and security provisions.

See Also: OnDemand | Driving Security, Privacy, & Compliance Goals by Accelerating HITRUST Certification

The Centers for Medicare and Medicaid Services, which administers payment of financial incentives to healthcare providers who participate in the HITECH EHR incentive program, says that under the proposed revised timeline, Stage 2 would be extended through 2016 and Stage 3 would begin in 2017 for those providers that have completed at least two years in Stage 2.

Participants can earn additional financial incentives from Medicare or Medicaid for achieving the requirements of each stage of the program. Stage 2 started for hospitals on Oct. 1; it will start for physicians and other clinicians on Jan. 1, 2014.

Two Goals

"The goal of this change is two-fold: first, to allow CMS and the Office of the National Coordinator for Health IT to focus efforts on the successful implementation of the enhanced patient engagement, interoperability and health information exchange requirements in Stage 2; and second, to utilize data from Stage 2 participation to inform policy decisions for Stage 3," says a blog posted late Dec. 6 on the website of the ONC. The office oversees standards and policy-setting for HITECH Act programs and administers the EHR software certification program.

"The phased approach to program participation helps providers move from creating information in Stage 1, to exchanging health information in Stage 2 to focusing on improved outcomes in Stage 3. This approach has allowed us to support an aggressive yet smart transition for providers."

Additionally, regulators say the proposed revised timeline would have a number of benefits, such as:

  • More analysis of feedback from stakeholders on Stage 2 progress and outcomes;
  • More available data on Stage 2 adoption and measure calculations - especially on new patient engagement measures and secure health information exchange objectives;
  • More consideration of potential Stage 3 requirements;
  • Additional time for preparation for enhanced Stage 3 requirements;
  • Ample time for developers to create and distribute certified EHR technology before Stage 3 begins and incorporate lessons learned about usability and customization.

Notices of proposed rulemaking to formalize the revised timeline and Stage 3 requirements will likely be issued in the fall of 2014, according to the blog, with a final rule to be issued in the first half of 2015 after comments are reviewed.

Privacy and Security

The Stage 2 security and privacy requirements include:

  • Under an EHR software certification requirement, software must automatically encrypt data if it's stored on end-user devices, including mobile gear such as laptop computers and smart phones.
  • Hospitals and physicians must attest to conducting a risk assessment that specifically describes protection of data at rest either through encryption or another reasonable and appropriate method, which they must document.
  • Physicians and hospitals must demonstrate that 5 percent of their patients are taking advantage of the opportunity to securely view, download or transmit to third parties their electronic health information. To meet the requirement, organizations can, for example, provide patients with access to their health information through a secure portal.
  • Clinicians must demonstrate that 5 percent of their patients are using secure messaging to communicate with them about relevant health information.
  • Participants must electronically exchange summary of care documents for more than half of transitions of care and referrals.

The Healthcare Information and Management Systems Society said it is "gratified" that the timeline has been extended for the HITECH Act program.

"This additional time to attest offers an opportunity for increased feedback and analysis on technology implementation, e-clinical quality measure reporting, and progress toward interoperability that will enhance the ability of eligible hospitals and eligible professionals to meaningfully use health IT, and thus improve the quality and cost-effectiveness of patient care."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.