5/23/2018 Editor’s Note: In April 2018, the Meaningful Use program was renamed “Promoting Interoperability”. Nonetheless, the language of this requirement is unchanged and this post remains relevant in 2018.
The Meaningful Use rules, part of the HITECH Act, specify the requirements for physicians and hospitals to receive their portion of $32 billion in federal health information technology incentives. Those rules include many legal citations that are unfamiliar to most readers. Those citations are explained in this post.
The Stage 2 Meaningful Use Proposed Rules, released yesterday, include strengthened protections for privacy and security. The Stage 2 Objective for both Eligible Providers (EPs) and Eligible Hospitals (EHs) is identical:
“Protect electronic health information created or maintained by the Certified EHR Technology through implementation of appropriate technical capabilities.”
The Stage 2 Measure is also identical for EPs and EHs:
“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”
First of all, 45 CFR 164.3xx is the HIPAA Security Rule. Now for the details you are looking for:
- 45 CFR 164.308(a)(1) is the requirement to conduct a risk assessment. See my previous post for details, which include a graphic with the exact language of this citation. Everything in this earlier post is applicable to Stage 2 as well as Stage 1.
- 45 CFR 164.306(d)(3) details part of the framework of the HIPAA Security Rule, which specifies 42 security controls: 20 that are “required” and 22 that are “addressable”. The 22 “addressable” controls are termed that way to give flexibility to different organizations based on their size, the technologies they use, and the risks involved. For each “addressable” control, a provider must evaluate whether it is “reasonable and appropriate” and would likely contribute to protecting its health information. If the control is “reasonable and appropriate”, the provider must implement it. If it is not reasonable and appropriate, the provider must 1) document why it is not reasonable and appropriate, and 2) implement an equivalent alternative measure if reasonable and appropriate. See here for the exact language.
- 45 CFR 164.312(a)(2)(iv) is one of the 22 “addressable” controls. It states simply “Implement a mechanism to encrypt and decrypt electronic protected health information.”
So, Stage 2 is a continuation of the requirements of Stage 1, with encryption specifically called out. The feds are highlighting encryption because hundreds of breaches are occurring due to lost or stolen laptops, flash drives, smartphones and other mobile devices – devices whose data would remain protected if encryption were used. The Stage 2 rule also states that the risk assessment should be reviewed at least annually, once during each reporting period for meaningful use.