Federal regulators plan to extend Stage 2 of theHITECH Act electronic health record incentive program one year, giving healthcare providers and EHR software vendors more time to comply with requirements that include a variety of privacy and security provisions.
The Centers for Medicare and Medicaid Services, which administers payment of financial incentives to healthcare providers who participate in the HITECHEHRincentive program, says that under the proposed revised timeline, Stage 2 would be extended through 2016 and Stage 3 would begin in 2017 for those providers that have completed at least two years in Stage 2.
Participants can earn additional financial incentives from Medicare or Medicaid for achieving the requirements of each stage of the program. Stage 2 started for hospitals on Oct. 1; it will start for physicians and other clinicians on Jan. 1, 2014.
"The goal of this change is two-fold: first, to allow CMS and the Office of the National Coordinator for Health IT to focus efforts on the successful implementation of the enhanced patient engagement, interoperability and health information exchange requirements in Stage 2; and second, to utilize data from Stage 2 participation to inform policy decisions for Stage 3," says a blog posted late Dec. 6 on the website of the ONC. The office oversees standards and policy-setting for HITECH Act programs and administers the EHR software certification program. "The phased approach to program participation helps providers move from creating information in Stage 1, to exchanging health information in Stage 2 to focusing on improved outcomes in Stage 3. This approach has allowed us to support an aggressive yet smart transition for providers."
Additionally, regulators say the proposed revised timeline would have a number of benefits, such as:
- More analysis of feedback from stakeholders on Stage 2 progress and outcomes;
- More available data on Stage 2 adoption and measure calculations especially on new patient engagement measures and secure health information exchange objectives;
- More consideration of potential Stage 3 requirements;
- Additional time for preparation for enhanced Stage 3 requirements;
- Ample time for developers to create and distribute certified EHR technology before Stage 3 begins and incorporate lessons learned about usability and customization.
Notices of proposed rulemaking to formalize the revised timeline and Stage 3 requirements will likely be issued in the fall of 2014, according to the blog, with a final rule to be issued in the first half of 2015 after comments are reviewed.
Privacy and Security
The Stage 2 security andprivacyrequirements include:
- Under an EHRsoftware certificationrequirement, software must automaticallyencryptdata if it's stored on end-user devices, including mobile gear such as laptop computers and smart phones.
- Hospitals and physicians must attest to conducting arisk assessmentthat specifically describes protection of data at rest either through encryption or another reasonable and appropriate method, which they must document.
- Physicians and hospitals must demonstrate that 5 percent of their patients are taking advantage of the opportunity to securely view, download or transmit to third parties their electronic health information. To meet the requirement, organizations can, for example, provide patients with access to their health information through a secure portal.
- Clinicians must demonstrate that 5 percent of their patients are using secure messaging to communicate with them about relevant health information.
- Participants must electronically exchange summary of care documents for more than half of transitions of care and referrals.
The Healthcare Information and Management Systems Society (HIMSS) said it is "gratified" that the timeline has been extended for the HITECH Act program.