New Meaningful Use Interim Standards Require Encryption Capabilities

For instance, if you take your laptop out of your facility with personal health information on it, you must have the capability to encrypt it. Or if you are going to send data to a Health Information Exchange (HIE), you can encrypt the transmission. It does not mean you have to encrypt the entire EHR, Amatayakul says.

"We believe a logical and practical next step … is to require Certified EHR Technology to be capable of encryption," ONC writes. "We hope that by requiring Certified EHR Technology to include this capability, that the use of encryption will become more prevalent."

Keep in mind the ONC interim final rule and CMS proposed rules are in a public comment stage now, with final rules expected in the spring. However, the interim final rule is in effect today.

Further, ONC says it may add layers of security standards to what's already established in HIPAA and HITECH.

"We believe that the HIPAA Security Rule serves as an appropriate starting point for establishing the capabilities for Certified EHR Technology," the ONC writes in the interim final rule. "That being said … we intend to … explore these areas and where possible to adopt new certification criteria and standards in the future to improve the capabilities Certified EHR Technology can provide to protect health information."