The proposed meaningful use stage 2 requirements were posted yesterday. The requirements run to over 450 pages, so we are still going through them and trying to digest them. As of now, two major IT-related items jump out at us.
The first IT-related objective is focused on protecting and securing patient information. In stage 1, one of the objectives was to perform a HIPAA risk assessment on how patient information is being protected. This requirement is still in place, but additional emphasis has been placed on the use of encryption.
Proposed Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.
The insight into why the use of encryption is being emphasized is very interesting:
This measure is the same as in Stage 1 except that we specifically address the encryption/security of data that is stored in Certified EHR Technology (data at rest). Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element of the requirements under 45 CFR 164.308(a)(1) for the meaningful use measure.
Although the use of encryption is not required, it is clear that emphasis has been placed on its use. An organization that has not implemented encryption will find itself in the awkward position of trying to explain why it has not been implemented.
The second IT-related item is a change to the stage 1 requirements. In stage 1, the requirement was to provide patients with an electronic copy of their health information and discharge instructions. This requirement has been removed. The new requirement, in stage 2, would allow patients to view online, download and transmit their health information.
Proposed EP Objective: Provide patients the ability to view online, download, and transmit their health information within 4 business days of the information being available to the EP.
The goal of this objective is to allow patients easy access to their health information as soon as possible so that they can make informed decisions regarding their care or share their most recent clinical information with other health care providers and personal caregivers as they see fit.
This requirement signals the use of secure patient portals that will allow patients to log in and access their records.