The recently released proposed rule for Stage 2 of the meaningful use program emphasizes the importance of encrypting health information, InformationWeek reports.
Under the 2009 federal economic stimulus package, health care providers who demonstrate meaningful use of certified electronic health records can qualify for Medicaid and Medicare incentive payments (Lewis, InformationWeek, 2/24).
The proposed rule released last week outlines the requirements for health care providers attesting to Stage 2 of the meaningful use program.
National Coordinator for Health IT Farzad Mostashari said the proposed Stage 2 requirements offer new flexibility and emphasize the importance of interoperability.
Officials hope to release the final Stage 2 rules this summer (iHealthBeat, 2/24).
Greater Emphasis on Data Encryption
The Stage 2 proposed rule does not require the encryption of health data but calls for greater consideration of data encryption for ambulatory and inpatient EHRs (Goedert, Health Data Management, 2/23). It also calls for health care providers to consider encrypting data on mobile devices such as laptops, tablet computers and smartphones.
Federal officials noted that a significant percentage of health data breaches involve the loss or theft of mobile devices. The proposed rule states, "Had these devices been encrypted, their data would have been secured" (InformationWeek, 2/24).
Officials wrote that the proposed rule does not seek to change any HIPAA security requirements but strives to "emphasize the importance of an [eligible provider] or hospital including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure"(Health Data Management, 2/23).
Joy Pritts -- chief privacy offer at the Office of the National Coordinator for Health IT -- said the proposed rule's emphasis on data encryption aligns with the Health IT Policy Committee's effort to focus on areas where "a minimum amount of effort would produce a huge amount of impact" (InformationWeek, 2/24).