New Meaningful Use Interim Standards Require Encryption Capabilities

HIPAA privacy and security officers need not revamp their entire policy and training program because of the "meaningful use" of electronic health records (EHR) guidelines published this month in the Federal Register.

If you're on the right track toward complying with HIPAA privacy and security requirements and protecting your patient's information, stay right there.

The EHR standards simply enable you to carry out certain aspects of HIPAA and HITECH better, such as encryption, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC.

CMS and the Office of the National Coordinator for Health Improvement Technology (ONC) released the two regulations regarding the definition of "meaningful use" of EHRs and the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians last month.

EHR compliance does not guarantee HIPAA compliance.

ONC writes in its interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology":

"While the capabilities provided by Certified EHR Technology may assist … in improving … technical safeguards in order to meet some or all of the HIPAA security rule's requirements or influence … the use of Certified EHR Technology alone does not equate to compliance with the HIPAA privacy or security rules."

One security standard ONC does require already in its meaningful use interim final rule is that EHR systems be capable of encryption.