Encryption Remains Afterthought for Meaningful Use

The nation’s healthcare industry may be in the crosshairs of cybercrime, but provisions in the Stage 3 electronic health records Meaningful Use final rule to secure electronic protected health information remain virtually unchanged from Stage 2.


There is one notable exception. In Stage 2, providers must conduct or review a security risk analysis of electronic protected health information created or maintained in certified EHRs in accordance with HIPAA (including addressing use of encryption), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.

In Stage 3, not only are appropriate technical safeguards required, but so are administrative and physical safeguards, which already are required under HIPAA. “Technical safeguards alone are not enough to ensure the confidentiality, integrity and availability of ePHI,” CMS says in the rule. “Administrative safeguards (for example: risk analysis, risk management, training and contingency plans) and physical safeguards (for example: facility access controls and workstation security) are also required to protect against threats and impermissible uses or disclosures of ePHI created or maintained by CEHRT (certified EHR).”

It is in the area of encryption that, as in HIPAA and previous meaningful use rules, a laissez-faire policy remains in Stage 3. The rule mentions encryption at least 20 times but only in passing. There is no mandate for encryption. As always, the use of encryption must be considered and, if it is not adopted, the justification must be documented.

The time for considering encryption comes in three ways. Providers participating in meaningful use must conduct a risk analysis of ePHI at least annually. They also must conduct a risk analysis any time a new certified EHR is implemented or an existing certified EHR is upgraded. And a risk analysis must be conducted or reviewed for each EHR reporting period. In all cases, the analysis would include consideration of encryption.

In comments following release of the proposed Stage 3 rules, stakeholders generally appreciated the addition of administrative and physical safeguards to better align with their HIPAA efforts, and also appreciated that while similar, the requirements are narrower than those in HIPAA.

Some commenters on the proposed Stage 3 rule said the security objective was redundant; others said it was confusing because the HHS Office for Civil Rights also has authority over protecting patient information, and one commenter suggested acceptance of compliance with the HIPAA Security Rule should fulfill the objective.

CMS’s response was pointed: “We disagree. In fact, in our audits of providers who attested to the requirements of the EHR Incentive Program, this objective and measure are failed more frequently than any other requirement. We have included this objective in all Stages because of the importance of protecting patients’ ePHI.”
