September 4, 2012. The Department of Health and Human Services (HHS) entities: Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today’s Federal Register. This posting focuses on the preamble relating to the following Stage 2 security objective in the CMS Final Rule entitled Medicare and Medicaid Programs; Electronic Health Record Incentive Program: “Protect electronic health information created or maintained by the Certified EHR Technology [CEHRT] through the implementation of appropriate technical capabilities.” Reference numbers in brackets refer to the page number(s) in the September 4, 2012, Federal Register.
Associated with this objective is a Measure that is the same for Eligible Professionals [45 CFR 495.6(j)(16)(i) at p. 54154], and for Eligible Hospitals or Critical Access Hospitals (CAHs) [45 CFR 495.6(l)(15)(i) at p. 54156]: “Conduct or review a security risk analysis in accordance with the requirements [of the HIPAA Security Rule] under 45 CFR 164.308(a)(1) [Security Management Process Administrative Safeguard Standard], including addressing the encryption/security of data stored in Certified EHR Technology [CEHRT] in accordance with [HIPAA Security Rule] requirements under 45 CFR 164.312(a)(2)(iv) [Encryption and decryption addressable implementation specification of the Technical Safeguard Access Control Standard] and 45 CFR 164.306(d)(3) [Addressable requirements for Security Standard Implementation Specifications], and implement security updates as necessary and correct identified security deficiencies as part of the [EP’s, Eligible Hospitals, CAH’s] risk management process.”
Preamble comments include the following excerpts related to this measure:
“As noted in the proposed rule, this measure is the same as in Stage 1 except that we specifically highlight the encryption/security of data that is stored in CEHRT (data at rest). Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches (breaches affecting 500 or more individuals) involve lost or stolen devices. Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this requirement under 45 CFR 308(a)(1). We did not propose to change the HIPAA Security Rule requirements, or require any more under this measure than is required under HIPAA. We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure. [pp. 54002-54003] …
“We do not proposes to change the HIPAA Security Rule requirements or impose additional requirements under this measure than those required under HIPAA. A [risk analysis] review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider’s risk management process and implemented or corrected as dictated by that process. [emphasis added] We refer providers to the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with the requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), of the HIPAA Security Rule. The scope of the security risk analysis for purposes of this meaningful use measure applies only to data created or maintained by CEHRT. This measure does not apply to data centers that are not part of CEHRT. However, we note that such data centers may be subject to the security requirements under 45 CFR 164.308(a)(1) and refer providers to the HIPAA Security Rules for compliance information. [p. 54003] …
“We are making a change in this final rule to the language of ‘data at rest’ to specify our intention of data that is stored in CEHRT…. We further specify that in order to meet this objective and measure, an EP, eligible hospital, or CAH must use the capabilities and standards of CEHRT at 45 CFR 170.314(d)(1) through 170.314(d)(8).”
These “capabilities and standards of CEHRT,” as referenced are published in the September 4, 2012, Federal Register in the ONC Final Rule entitled: Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology. They are:
45 CFR 170.314: 2014 Edition electronic health record certification criteria
(d): Privacy and security [pp. 54289-54290]
(1) Authentication, access control, and authorization
(2) Auditable events and tamper-resistance
(3) Audit report(s)
(4) Amendments
(5) Automatic log-off
(6) Emergency access
(7) End-user device encryption
(8) Integrity