Proposed Stage 2 Privacy, Security Criteria Successfully Raise Bar, ONC Group Says

By Genevieve Douglas  

Proposed Stage 2 “meaningful use” criteria successfully address needed electronic health record capabilities for assessing security risks, amending patient information within an EHR, and ensuring patient access to data via a patient portal, members of the HIT Policy Committee privacy and security tiger team said March 19.

The objectives included in the proposed rule from the Centers for Medicare & Medicaid Services align with recommendations the tiger team submitted to the HIT Policy Committee, a federal advisory committee to the Office of the National Coordinator for Health IT.

“We made some victories here,” Paul Egerman, co-chair of the tiger team and health IT consultant, said in regard to raising the bar for privacy and security safeguards in the Medicare and Medicaid EHR incentive programs.

CMS released the proposed rule for Stage 2 Feb. 23, and it was published in the March 7 Federal Register (76 Fed. Reg. 13698) (see previous article).

ONC released a companion proposed rule Feb. 24, also published in the March 7 Federal Register (76 Fed. Reg. 13832), on EHR standards, implementation specifications, and certification criteria for 2014 (see previous article). Comments for both rules are due May 7.

CMS did not, however, address other tiger team recommendations on digital certificates or extra authentication safeguards for patient portals, Deven McGraw, co-chair of the tiger team and director of the health privacy project at the Center for Democracy and Technology in Washington, said.

Furthermore, criteria for 2014 certified EHR systems only require that a base EHR system ensure privacy and security, not that every EHR module be secure, McGraw said.

The privacy and security tiger team plans to submit comments to both CMS and ONC on the proposed rules for the EHR incentive programs.

Stage 2 Privacy, Security Objectives.

Stage 2 of the EHR incentive programs would require eligible providers and hospitals to conduct security risk assessments, including requiring providers to address encryption of data at rest as part of that assessment, mirroring recommendations from the tiger team, McGraw said.

Additionally, ONC proposed that by 2014 EHR systems have the capability to perform data transmissions that provide for encryption and integrity protection.

Proposed Stage 2 criteria from CMS and certification criteria from ONC also include the tiger team's recommendations for greater patient access to their health data via a patient portal.

Specifically, more than 10 percent of all unique patients seen by eligible professionals or hospitals must be able to view, download, or transmit to a third party their health information in order for doctors and hospitals to receive meaningful use program incentive payments.

Health Data Amendments.

New privacy and security criteria for Stage 2 of the EHR incentive programs also address providers' ability to amend health data stored in an EHR.

Proposed ONC certification criteria for 2014 would enable users to electronically amend patients' health records to:

  • replace existing information while still preserving the original data;
  • append patient supplied information, in free text or by scanning, directly to patients' health records; and
  • enable users to electronically append responses to patient supplied information.

ONC specifically requested comment on whether EHR technology should be required to be capable of appending patient supplied information in both free text and scanned format, or only one of these methods, to be certified in the proposed certification criteria, McGraw said.

Materials from the tiger team meeting are available by clicking on the March 19 meeting entry on the ONC federal advisory committee calendar and clicking on the meetings link.

The CMS proposed rule is available at

The ONC proposed rule is available at
