If nothing else, the Department of Health and Human Services (HHS) was very clear in the Stage 2 Meaningful Use final rule on security expectations for 2014. Much of what HHS outlines goes along with the Health Insurance Portability and Accountability Act (HIPAA), but security and privacy is still a portion of the rule that healthcare providers will need to stay on top of as they prepare for Stage 2.
Get to know 45 CFR 164.308(a)(1)
HHS wants providers to “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”
While HHS also maintains that this isn’t much different than Stage 1 security measures, it pointed out recent data breaches and how they could’ve been prevented had there been encryption. This part of the rule specifically calls for data that is stored in Certified EHR Technology (CEHRT) (data at rest) to be encrypted. It said that it proposed this measure because the implementation of CEHRT has privacy and security implications under 45 CFR 164.308(a)(1).
Hospitals won’t need to report on data encryption methods
Eligible hospitals and CAHs will not be required to report to the Centers for Medicare and Medicaid Services (CMS) or the states on specific data encryption methods used. But they will have to follow the 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3) requirements and encrypt and secure data at rest.
HHS does not believe Stage 2 security is overlapping HIPAA
We do not agree that this objective should not be included in meaningful use. Although we recognize that many issues concerning the privacy and security of electronic health information are subject to HIPAA requirements, we believe that establishing an objective to provide online access to health information is within the regulatory purview of the EHR Incentive Programs and consistent with the statutory requirements of meaningful use.
Some commenters thought 45 CFR 164.308(a)(1) was overkill because of similarities to the HIPAA rules. But HHS thinks that that security, by nature, is a huge part of meaningful use. And with the recent breaches in mind, there can never be too many encryption reminders given to healthcare providers.
Don’t fear secure messaging
We do not believe that secure electronic messaging poses greater risks to exposure of protected health information than other mediums such as telephone messaging, paper records, etc. In some cases secure electronic messaging can provide even greater protection of health information. We note that many patients grant access to health information to family members and caregivers to facilitate care, and we expect the same access to continue with secure electronic messaging. Nor do we believe that secure electronic messaging exposes providers to greater liability (for example, in areas of privacy protection or malpractice) than other mediums such as telephone, mail, paper records, etc. Previous research has demonstrated that better patient-provider communication reduces the likelihood of malpractice claims being filed.
Secure electronic messaging is reasonably priced, but requires security beyond that of common email services while maintaining ease of use. HHS refers to patient portals, PHRs, or other stand-alone secure messaging applications as the type of data providers need to encrypt for secure messaging.
Browse all our white papers by topic: