Safe & Sound with Marianne Kolbasuk McGee

EHRs: Keeping Privacy, Security a Focus

Regulators Hammering Out HITECH Program Guidelines

As the HITECH Act electronic health record incentive program enters its final phases, federal regulators are weighing changes to the EHR software certification requirements as well as the "meaningful use" requirements for hospitals and physicians. Regulators must make it a priority to ensure that, as they make changes, privacy and security issues are adequately addressed.

See Also: Webinar | Mythbusting MDR

The EHR software certification criteria create "a minimum floor of function" for the applications that hospitals and doctors can use to achieve the meaningful use criteria for receiving HITECH Act financial incentives, Paul Tang, chairman of the HIT Policy Committee, explained at its May 7 meeting. The committee discussed ways of "optimizing" the EHR software certification program of the Office of the National Coordinator for Health IT, which oversees standards and policy for HITECH Act activities.

Sometimes, when vendors attempt to meet various technical requirements to have their EHR software successfully tested and certified, that translates into workflow challenges for the clinicians who end up buying and using the certified software. "This has caused angst" for many clinicians, Tang said.

Federal advisers have been holding hearings to address that issue, and numerous other concerns about EHR software certification, seeking comment from industry stakeholders.

They're also seeking feedback on a proposal that ONC adopt voluntary certification criteria, focused on interoperability, privacy and security, for EHR software used by healthcare providers who aren't eligible to participate in the HITECH incentive program. Those include professionals who provide care in behavioral health, post-acute and long-term care settings.

Secure Exchange

Among the reasons why ONC is considering voluntary certification criteria for EHRs used in these settings is because these providers often need to exchange patient information with hospitals and physicians that are eligible to participate in the HITECH incentive program.

It makes sense to me to offer this voluntary certification for EHR products that aren't part of the official program. Among voluntary certification criteria being considered are requirements for data segmentation and electronic consent management to help ensure the privacy of highly sensitive patient information, such as mental health or substance abuse treatment data, as it's exchanged between different types of healthcare providers (see What's the Role of Data Segmentation?).

Another proposal being weighed is that all EHR software that's considered for HITECH certification be evaluated as "modules," rather than "complete EHR technology." However, as consultant Dixie Baker, chair of the HIT Standards Committee's privacy and security workgroup, recently pointed out to me, certifying only EHR modules creates a major potential loophole when it comes to privacy and security. That's because "as of the 2014 Edition [Stage 2 of the meaningful use program], modules are no longer required to address any of the privacy and security certification criteria," she says.

Baker's workgroup has been trying to close that loophole with recommendations that were recently presented and approved by the HIT Standards Committee, which has passed on the suggestions to ONC. Those recommendations include ONC revising "each privacy and security criterion to specify the conditions under which it is applicable" for the software modules. For instance, privacy and security requirements for a particular module might be based on what function the software provides.

Baker points out that ONC took that approach with the end-user device encryption requirement for data at rest in Stage 2 - the 2014 Edition of EHR software certification criteria.

That requirement states that "EHR technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of EHR technology on those devices stops," she points out.

The bottom line: As federal regulators debate the next round of HITECH requirements, as well as voluntary standards for certain EHR software, it's critical that protecting the privacy and security of patient data is treated as a top priority and not downplayed in favor of appeasing certain vendors and healthcare providers.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.