CMS Stage 2 Rule: No Provider Mandate, But Higher Emphasis on Encryption

The Centers for Medicare and Medicaid Services’ proposed rule for Stage 2 of the electronic health records meaningful use program does not mandate use of encryption, but it does emphasize increased consideration of encryption of data at rest in ambulatory and inpatient EHR systems.


Stage 1 meaningful use security requirements rely on HIPAA security rule provisions under federal code 45 CFR. Under HIPAA, encryption is an “addressable” specification, meaning a covered entity decides if it is a “reasonable and appropriate” technical security step to implement. The security rule enables an entity to adopt an alternative protective measure that achieves the same purpose if the alternative is reasonable and appropriate.

In the Stage 2 proposed rule, CMS specifically calls out the issue of encryption at rest and heightens the importance of analyzing the pros and cons of using the technology. A core objective for both hospitals and eligible providers requires that they “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

Federal officials in the proposed rule make clear that the huge volume of breaches reported under the breach notification rule demonstrates that consideration of encryption has not been taken seriously:

“Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element of the requirement under 45 CFR 164.308(a)(1) for the meaningful use measure.

“We do not propose to change the HIPAA security requirements, or require any more than what would be required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

The CMS Stage 2 rule is available now at the Federal Register Public Inspection Desk with publication scheduled for March 7. The Stage 2 rule from the Office of the National Coordinator for HIT, which would adopt standards, implementation specifications and certification criteria to ensure EHRs support Stage 2 objectives, is not yet available.
