Newly finalized rules for Stage 2 of the “meaningful use” electronic health records (EHR) incentive program take into consideration some of the ways mobile technology has changed how healthcare professionals and patients access health information.
Notably, the 672-page rule, which the Centers for Medicare and Medicaid Services (CMS) released Thursday, requires providers to conduct a risk assessment on whether they need to encrypt all personally identifiable health data while “at rest.” The standard for protecting data is the same as in the current Stage 1, but this time, CMS specifically mentions data at rest because of mobile devices, based on comments from the Health IT Policy Committee, a federal advisory board.
“Due to the number of breaches reported to HHS involving lost or stolen devices, the HIT Policy Committee recommended specifically highlighting the importance of an entity’s reviewing its encryption practices as part of its risk analysis. We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured,” the lengthy CMS explanation says.
CMS also talks about mobile devices in the context of computerized physician order entry (CPOE). The new rule calls for providers to enter medication orders electronically for 60 percent of patients—double the Stage 1 standard—and also adds a 30 percent requirement for laboratory and radiology orders. CMS defines CPOE as “the provider’s use of computer assistance to directly enter medical orders … from a computer or mobile device. The order is then documented or captured in a digital, structured, and computable format for use in improving safety and efficiency of the ordering process.”
The final rule does dial back some thresholds from a proposal released in February, at least one of which seems relevant to mobile technology developers. Providers now only have to offer online access to health information and secure messaging for a minuscule 5% of patients, not 10%, as had been proposed.
The companion rule from the Office of the National Coordinator for Health Information Technology (ONC) regarding certification of EHR systems has quite a bit to say about mobile technology, however.