The final rule for Stage 2 Meaningful Use is a whopping 672 pages. The biggest surprise was the lowering of thresholds for achieving certain measures like mandatory online access and electronic exchange of summary of care documents. They also served up an increased emphasis on encryption as a data security measure for what they call “data at rest.” This evidently means patient-identifiable records on servers, hard drives and portable devices.
Stage 1 had providers performing a “risk assessment” just as HIPAA had previously stated in its provisions. But the Office of the National Coordinator for Health Information Technology is getting serious about data breaches and they want to address the issue with an exclamation point!
Breach incidents have been highly publicized recently. One agency has claimed that more than 50,000 breaches have happened and that’s just since 2009. They are trying to put the kibosh on exposed medical records and the point is well taken.
The truth is that many of the breaches involved lost or stolen devices or disks. The new rules state, “Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element.” They go on to say, “We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA. We only emphasize the importance of an eligible provider including in its security risk analysis an assessment of the reasonable and appropriateness of encrypting electronic protected health information as a means of securing it.”