HIPAA Compliance
CMS and ONC Publish Final Rules for Meaningful Use Stage 2 Security in Federal Register

September 3, 2012 · American Recovery and Reinvestment Act, Health IT and HITECH, Privacy, Security

September 4, 2012.  Two Department of Health and Human Services (HHS) entities, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today's Federal Register.  This posting focuses on the preamble relating to the following Stage 2 security objective in the CMS Final Rule entitled Medicare and Medicaid Programs; Electronic Health Record Incentive Program:  "Protect electronic health information created or maintained by the Certified EHR Technology [CEHRT] through the implementation of appropriate technical capabilities."  Reference numbers in brackets refer to the page number(s) in the September 4, 2012, Federal Register.

Associated with this objective is a Measure that is the same for Eligible Professionals (EPs) [45 CFR 495.6(j)(16)(i) at p. 54154] and for Eligible Hospitals or Critical Access Hospitals (CAHs) [45 CFR 495.6(l)(15)(i) at p. 54156]: "Conduct or review a security risk analysis in accordance with the requirements [of the HIPAA Security Rule] under 45 CFR 164.308(a)(1) [Security Management Process Administrative Safeguard Standard], including addressing the encryption/security of data stored in Certified EHR Technology [CEHRT] in accordance with [HIPAA Security Rule] requirements under 45 CFR 164.312(a)(2)(iv) [Encryption and decryption addressable implementation specification of the Technical Safeguard Access Control Standard] and 45 CFR 164.306(d)(3) [Addressable requirements for Security Standard Implementation Specifications], and implement security updates as necessary and correct identified security deficiencies as part of the [EP's, eligible hospital's, or CAH's] risk management process."

Preamble comments include the following excerpts related to this measure:

"As noted in the proposed rule, this measure is the same as in Stage 1 except that we specifically highlight the encryption/security of data that is stored in CEHRT (data at rest).  Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches (breaches affecting 500 or more individuals) involve lost or stolen devices.  Had these devices been encrypted, their data would have been secured.  It is for these reasons that we specifically call out this requirement under 45 CFR [164.]308(a)(1).  We did not propose to change the HIPAA Security Rule requirements, or require any more under this measure than is required under HIPAA.  We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure. [pp. 54002-54003] …

"We do not propose to change the HIPAA Security Rule requirements or impose additional requirements under this measure than those required under HIPAA.  A [risk analysis] review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider's risk management process and implemented or corrected as dictated by that process. [emphasis added]  We refer providers to the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with the requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), of the HIPAA Security Rule.  The scope of the security risk analysis for purposes of this meaningful use measure applies only to data created or maintained by CEHRT.  This measure does not apply to data centers that are not part of CEHRT.  However, we note that such data centers may be subject to the security requirements under 45 CFR 164.308(a)(1) and refer providers to the HIPAA Security Rule for compliance information. [p. 54003] …

"We are making a change in this final rule to the language of 'data at rest' to specify our intention of data that is stored in CEHRT…. We further specify that in order to meet this objective and measure, an EP, eligible hospital, or CAH must use the capabilities and standards of CEHRT at 45 CFR 170.314(d)(1) through 170.314(d)(8)."

These "capabilities and standards of CEHRT," as referenced above, are published in the September 4, 2012, Federal Register in the ONC Final Rule entitled Health Information Technology:  Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology.  They are:

45 CFR 170.314:  2014 Edition electronic health record certification criteria

(d):  Privacy and security [pp. 54289-54290]

(1)  Authentication, access control, and authorization

(2)  Auditable events and tamper-resistance

(3)  Audit report(s)

(4)  Amendments

(5)  Automatic log-off

(6)  Emergency access

(7)  End-user device encryption

(8)  Integrity

© 2023 · hipaa.com