Compliance scorecard

Sept. 29, 2010
Meaningful use brings more attention to health info security

In July, the U.S. Department of Health and Human Services, along with the Centers for Medicare and Medicaid Services (CMS), issued a final regulation setting forth the criteria that hospitals and individual healthcare practices must meet in order to qualify for certain Medicare and Medicaid incentives under the HITECH Act of 2009.

The Health Information Technology for Economic and Clinical Health (HITECH) Act - part of last year's American Recovery and Reinvestment Act (popularly known as the stimulus bill) - called for a program by which eligible hospitals and clinicians could receive thousands of dollars in incentives for making "meaningful use" of electronic health records (EHR). The final rule released in July defines "meaningful use" and lays out its core elements.

This rule is certainly front-of-mind for many hospitals and healthcare practices, because the incentives directly impact the bottom line. It should also be in the minds of professionals in charge of information security at these organizations, because one of the core elements of meaningful use it defines is the implementation of systems to protect the privacy and security of patient data in the EHRs.

The adequacy of these protection systems is sure to be measured against other requirements, including HIPAA, which is in flux as of this writing. The HITECH Act also called for amendments to HIPAA, and those are currently being made through proposed rules that were published on the Federal Register in July. The proposed rules will remain open for public comment until Sept. 13 and should be finalized later this fall.

The HIPAA changes will broaden responsibility for violations and breach notification. They also mandate regular audits of compliance and define penalties, giving teeth to a previously toothless regulation. That alone should have caught the attention of healthcare management and security leaders by now. Add to that stick the carrot of incentives if security for EHR is achieved, among other core elements, and chances are this issue will continue to garner increased attention in the months to come.

To download the full final rule on meaningful use and incentives, visit To access or comment on the proposed rules for modifications to the HIPAA Privacy, Security and Enforcement rules, visit
Marleah Blades is senior editor for the Security Executive Council ( The Council maintains a large and growing list of laws, regulations, standards and guidelines ( Help the Council fill out the list and receive a complimentary metric presentation slide from its store.