One area of interest will be the wording around the use of encryption to protect patient information. Currently, the HIPAA and HITECH regulations do not make the use of encryption mandatory. Will the MU Stage 2 requirements require encryption? Although it should require encryption to protect patient information, I believe it will not go that far. From what I have read, it looks like there will be an emphasis on using encryption for “data at rest”. Data at rest includes data stored in an EMR, on file servers, and on portable devices (smartphones, tablets, etc.).
One thing to point out is that, although the use of encryption is “addressable” in the HIPAA Security Rule, that does not mean it is optional. Covered entities have to document why they have chosen not to implement encryption. With the greater emphasis on encryption in MU Stage 2, it will be harder for covered entities to justify not using encryption.