CMS Proposed Meaningful Use Stage 2 Regs: Increased Security

Hi All,

First of all, for all the expected dates for final regulations I gave you in my last missive, add 90-120 days.  The HHS calendar is already out of date, as items expected for release shortly have not even made it to OMB for final review, which can take a few months.  So, breathe deeply, and relax -- stay the course and keep moving toward what will likely be required in the regulations.  Eventually they'll see the light of day.

Well, even if we don't have finalized HIPAA changes from HHS, we do have new proposed Stage 2 Meaningful Use regulations, and those beef up the security requirements by specifically calling attention to the encryption of data at rest and to the use of secure messaging with patients by eligible professionals (EPs) but, curiously, not by hospitals and Critical Access Hospitals (CAHs).

In 42 CFR §495.6(j)(16) (for EPs) and (l)(15) (for hospitals and CAHs), the existing Stage 1 measures calling for a HIPAA Security Rule risk analysis would gain a new phrase, "including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3)," which means you really have to seriously look at encrypting portable devices holding data at rest.  The preamble specifically calls out breaches of data held on portable devices as the reason for the change.  It doesn't really change what you should be doing anyway, but it does put some teeth into the notion that it's really time to lock down portable data.

In 42 CFR §495.6(j)(17), a new objective for eligible professionals is to use secure electronic messaging with at least 10% of patients.  Again, the preamble points out the necessity of security, here to earn the trust of patients and get them involved in better communication with their providers.  But I'm a little puzzled as to why a requirement like this wasn't also put in for hospitals and CAHs, because they communicate with patients too, you know.  The mysteries of the regulatory process...

So what does all this mean?  Nothing much has changed, except that the emphasis on securing data at rest and in transit is growing, which shouldn't be a surprise to anyone -- they're only proposing regulations to deal with the clear problems revealed by breach notification.

The proposed regulation is at for now, and will be published in the Federal Register shortly.  The CMS fact sheet page is at: (or ).  I have extracted the relevant language from the NPRM and posted it here:



              Copyright © 2002-2019 Lewis Creek Systems, LLC  Charlotte, Vermont, USA