    A Division of MetaStar  
Wisconsin Health Information Technology Extension Center

 Meaningful Use Corner: ePHI

This column addresses a specific meaningful use requirement each month, looking at how it connects to health care quality priorities and previewing possible updates to the measure in future stages of meaningful use.

 Protect Electronic Health Information

Health Outcomes Policy Priority:  Ensure adequate privacy and security protections for personal health information.
Objective:  Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion:  No exclusion.

Background:
With the proliferation of HIT, and especially EHRs in an interoperable national network, the criticality of safeguarding electronic protected health information (ePHI) was thrust once again into the limelight. That HIT's capability to protect sensitive information remained a concern for health care providers and organizations is evident in the words of the meaningful use final rule's own authors, who state that "hundreds" of comments were received during the public comment period requesting outright cancellation of the EHR incentive payment programs. The purpose of this objective, recommended by the HIT Policy Committee for inclusion in the core set, however, is to ensure that the implementation of certified EHR technology does not impede a provider's or organization's ability to comply with HIPAA. Given the importance of HIPAA, the authors of the final rule felt it was crucial that eligible providers and hospitals evaluate the impact that daily use of EHRs might have on compliance with HIPAA and on the protection of ePHI in general.

Stage 2 Proposals:
Changes proposed include a modification of the wording of the current objective: Perform, or update, security risk assessment and address deficiencies. The revised objective also states: Attest to addressing encryption of data at rest. The Privacy and Security "Tiger Team" has also posed additional specific recommendations for consideration by the HIT Standards Committee. These include authentication of individual users of provider EHRs, including at least two factors for remote access and e-prescribing of controlled substances; authentication of provider entities using digital certificates; and authentication of patients viewing and downloading information from a provider's EHR (user name and password at minimum) with the aim of using audit trails and data provenance confirmation. In short, expect a continuation of the risk mitigation work begun in stage 1, with a number of specific recommendations making EHR access more secure.


 Meaningful Use Tools