Stage 2 Meaningful Use - Addressing Encryption and Security

As we predicted, the government stopped short of a mandate. There is no movement afoot to change or add to the HIPAA security rule requirements. But in Stage 2 they emphasized that an EP or hospital should consider encrypting electronic protected health information as part of their security risk analysis, and where it is not “reasonable and appropriate,” adopt an equivalent alternative measure of securing data.

Published in: Technology

Transcript of "Stage 2 Meaningful Use - Addressing Encryption and Security"

  1. Stage 2 Meaningful Use - Addressing Encryption/Security

     Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of hospitals using electronic health records (EHR) has more than doubled in the last two years, from 16 to 35 percent. She also said that 85 percent of all hospitals now report that by 2015 they intend to participate in the Centers for Medicare and Medicaid Services’ (CMS) EHR incentive program.

     Also last week, CMS released the proposed Stage 2 Meaningful Use requirements for public comment. The draft rule gives eligible hospitals and providers a good indication of where to focus their efforts as they continue their implementation and adoption of electronic health records throughout their organizations. Stage 1 was mostly about transferring data to EHRs and being able to share information, including electronic copies and visit summaries for patients. Stage 2 moves the goalposts further down the field, requiring that patients have online access to their health information and that providers facilitate electronic health information exchange among themselves.

     The Stage 2 core requirement for IT security uses nearly identical language to Stage 1 regarding updating or conducting a HIPAA security risk analysis. Both Stage 1 and Stage 2 rely on the HIPAA security rule provisions under federal code 45 CFR. HIPAA deems encryption an “addressable” specification, meaning a covered entity decides whether it is a “reasonable and appropriate” technical security step to implement. The security rule allows an entity to adopt an alternative protective measure that achieves the same purpose.

     The difference between Stage 1 and Stage 2 on this issue, though, is subtle but significant. Stage 1 only mentioned the security risk analysis provision. By specifically calling out the issue of encryption at rest in Stage 2, CMS has heightened the importance of analyzing the pros and cons of using the technology.

     The complete language of the core objective for both hospitals and eligible providers requires that they:

     “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

     WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM

  2. As Redspin reported in our February 1st Breach Report 2011 - Protected Health Information:

     "Of the 385 incidents affecting 500 or more individuals, 55% involved unencrypted devices or media. The Federal government is unlikely to mandate that all portable devices that store ePHI be encrypted, but it’s an obvious and sensible policy for a healthcare organization to adopt. Taking it further, why not require that all mobile devices in the healthcare workplace be encrypted, even if ePHI is not allowed on them."

     As we predicted, the government stopped short of a mandate. There is no movement afoot to change or add to the HIPAA security rule requirements. But in Stage 2 they emphasized that an EP or hospital should consider encrypting electronic protected health information as part of their security risk analysis, and where it is not "reasonable and appropriate," adopt an equivalent alternative measure of securing data.

     Sometimes you have to read between the lines... or in this case, read between the forward slash. We'll be talking about the phrase "addressing the encryption/security of data at rest" for the next few years.