EHR Certification Program Outlined
Will test for security functionality
Healthcare organizations must use certified software to qualify for the Medicare and Medicaid EHR incentive payment program under the HITECH Act. The proposed rule spells out how an organization can become a certifier and how it must conduct testing.
Two programs
The rule calls for two certification programs, one temporary and one permanent, as the EHR incentive program is phased in.
The new rule for certification programs, called for under the HITECH Act, follows an earlier rule, unveiled Dec. 30, setting standards for the certified software itself.
That earlier rule states that to be certified, EHR software must use a generic form of encryption described as "a symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192 or 256 bit encryption key (e.g. FIPS 197 Advanced Encryption Standard)." The goal, according to the rule, is to ensure EHR software "is capable of using encryption according to user-defined preferences."
The certified software standards rule also says EHR software should offer an access control mechanism, but it stops short of setting a standard.
Yet another HITECH rule, which requires organizations to notify those affected by a breach, includes a "safe harbor" exemption for those that use a precisely defined, standard form of encryption. That rule specifies use of encryption that meets the NIST Federal Information Processing Standard (FIPS) 140-2. Organizations that use this specific form of encryption do not have to report breaches.
Explaining the approach
In an interview at the HIMSS Conference in Atlanta, a member of the team that drafted the latest certification rules explained the thinking behind the security provisions tied to certification.
"We wanted to make sure that the certified technology had the capabilities built in for security to support the requirements that providers have under the HIPAA security rule," says Jodi Daniel, a director in the HHS Office of the National Coordinator for Health Information Technology.
"Instead of picking a particular encryption standard or a particular audit standard, we defined it functionally," she explained, referring to the encryption and access control descriptions unveiled in the earlier software standards rule. "We didn't want to lock people into a particular technology or a standard" because security technology is evolving so rapidly, she added.
Picking certifiers
The certification program rule sets detailed requirements for organizations that seek to become EHR certifiers. These certifiers will test complete EHRs as well as "modules" that address certain clinical functions. Most modules would face the same security requirements as complete EHRs.
The industry's one existing records software certifier, the Certification Commission for Health Information Technology, will have to apply to become a federally sanctioned certifier under the new program. And it could now face competing certification programs.