HIPAA Regulatory Alert: Development underway for Stage 3 rules

Almost $8 billion in meaningful incentives has been paid to 82,535 eligible providers and 1,474 hospitals for Stage 1 compliance, according to the Centers for Medicare and Medicaid Services.

As providers prepare for implementation of Stage 2 of the incentive program, which begins in 2014, the Healthcare IT (HIT) Policy Committee, which advises the Office of the National Coordinator for Health IT (ONC), a unit of the Department of Health and Human Services (HHS), began drafting proposals for Stage 3, which is scheduled to begin in 2016.

The HIT Policy Committee’s proposal draft addresses:

• requirement for the use of two-factor or higher authentication for providers remotely accessing protected health information;

• identification of other access environments that might require multiple factors to authenticate identity;

• permission of certification of electronic health record as a stand-alone application and/or electronic health record (HEr) along with third-party authentication service provider;

• provision of software certification criteria as it relates to secure information exchange with outside entities;

• issues related to patient identity matching to ensure records shared among entities are linked to the correct patient.

ONC is also evaluating a Stage 3 requirement for hospitals and physicians to provide documentation that staff has received training related to the Health Information Technology for Economic and Clinical Health Act (HITECH) security rule. Failure to provide security rule training for employees is one of the top five areas of non-compliance identified by the HHS Office for Civil rights.