EHR Certification Program Outlined

Will test for security functionality
EHR Certification Program Outlined
Under a proposed federal rule unveiled March 2, organizations designated to certify electronic health records software will assess the applications' security functionality but not require the use of specific security standards.

Healthcare organizations must use certified software to qualify for the Medicare and Medicaid EHR incentive payment program under the HITECH Act. The proposed rule spells out how an organization can become a certifier and how it must conduct testing.

Two programs

The rule calls for two certification programs, one temporary and one permanent, as the EHR incentive program is phased in.

The new rule for certification programs, called for under the HITECH Act, follows an earlier rule, unveiled Dec. 30, setting standards for the certified software itself.

That earlier rule states that to be certified, EHR software must use a generic form of encryption described as "a symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192 or 256 bit encryption key (e.g. FIPS 197 Advanced Encryption Standard.) The goal, according to the rule, is to ensure EHR software "is capable of using encryption according to user-defined preferences."

The certified software standards rule also says EHR software should offer an access control mechanism, but it stops short of setting a standard.

To read a story on the software certification rule, click here.

Yet another HITECH rule requiring organizations to notify those affected by a breach includes a "safe harbor" exemption for those that use a precisely-defined, standard form of encryption. That rule specifies use of encryption that meets the NIST Federal Information Processing 140-2 Standard. Organizations that use this specific form of encryption do not have to report breaches.

To read a story on the breach notification rule, click here.

Explaining the approach

In an interview at the HIMSS Conference in Atlanta, a member of the team that drafted the latest certification rules explained the thinking behind the security provisions tied to certification.

"We wanted to make sure that the certified technology had the capabilities built in for security to support the requirements that providers have under the HIPAA security rule," says Jodi Daniel, a director in the HHS Office of the National Coordinator for Health Information Technology.

"Instead of picking a particular encryption standard or a particular audit standard, we defined it functionally," she explained, referring to the encryption and access control descriptions unveiled in the earlier software standards rule. "We didn't want to lock people into a particular technology or a standard" because security technology is evolving so rapidly, she added.

Picking certifiers

The certification program rule sets detailed requirements for organizations that seek to become EHR certifiers. These certifiers will test complete EHRs as well as "modules" that address certain clinical functions. Most modules would face the same security requirements as complete EHRs.

The industry's one existing records software certifier, the Certification Commission for Health Information Technology, will have to apply to become a federally sanctioned certifier under the new program. And it could now face competing certification programs.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.