EHRs and Security: Beyond HITECH
Guidance for Software Used by Those Ineligible for Incentives
Aiming to promote secure health data exchange and interoperability across electronic health records systems, federal regulators have issued guidance for EHR vendors that serve healthcare providers who are ineligible to participate in the HITECH Act EHR incentive program.
The voluntary guidance from the Office of the National Coordinator for Health IT, which includes insights on privacy and security measures, is directed at vendors who sell EHR systems used by certain mental and behavioral health professionals and those who practice in long-term care and post-acute care settings. The HITECH incentive program applies primarily to acute care and critical access hospitals and a variety of clinicians, including physicians, nurses, midwives and dentists, who serve Medicare and Medicaid patients.
The guidance notes that providers ineligible for HITECH incentives "routinely interact with healthcare providers who are eligible for EHR incentive payments and face policy and technology challenges unique to their settings."
The document spotlights a number of key requirements related to privacy and security in the HITECH Act 2014 edition EHR certification criteria for Stage 2 of the HITECH Act "meaningful use" program. The highlighted capabilities specifically focus on interoperability "to enable electronic health information to be both exchanged and subsequently used by recipients," the guide states.
Having healthcare providers use an EHR system that has specific privacy and security features is helpful in terms of compliance with HIPAA, regardless of whether the healthcare provider is eligible for the HITECH Act incentive program, notes independent security consultant Tom Walsh.
"HIPAA Security Rule compliance is still required whether or not healthcare providers participate in [HITECH's] meaningful use [program]," he says. "The beauty of meaningful use is it finally forced vendors to build the technical security features required in the HIPAA Security Rule into their product. Prior to that, some healthcare providers could not meet the HIPAA Security Rule because their EHR or other clinical information system lacked these features."
While the guidance notes that the HITECH Act incentive program has driven significant adoption of EHRs among eligible providers, it acknowledges that many other healthcare providers not eligible for HITECH financial rewards who use EHR systems play important roles in the coordination of patient care.
David Hoffman, Ph.D., a clinical child and adolescent psychologist based in Connecticut, says the EHR package that he uses already includes many of the capabilities outlined in the guidance, even though he's not eligible to participate in the EHR incentive program. Nonetheless, the idea of promoting privacy and security standards in the EHR software used across care settings is a good one, he says.
"I need to interface with education, government, pediatricians, and physiatrists. Knowing that the tools we're all using have the same standards for protecting patient data would relieve some of the headache," he says.
Stage 2 of the HITECH meaningful use incentive program begins on Oct. 1 for eligible hospitals and on Jan. 1, 2014, for eligible professionals.
Among key requirements for software certified for participants in Stage 2 that the new guidance urges software vendors to include in the EHR products sold to non-eligible healthcare providers are:
- End user device encryption for data at rest, based on standards of the National Institute of Standards and Technology;
- Data integrity protection, using secure hashing standards, to verify that electronic health information has not been altered;
- User authentication, authorization and access control capabilities;
- Secure electronic viewing and download of data for patients and authorized representatives in accordance with the Consolidated Clinical Document Architecture standard, and the ability to transmit such data in accordance with the Direct Project transport specification;
- Tamper-resistance and capabilities to track in an audit log user actions related to electronic health information;
- Optional accounting of disclosure technology that is able to record in the EHR disclosures of patient information for treatment, payment and healthcare operations.
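Two of the capabilities above, integrity protection with a secure hash and a tamper-resistant audit log, are concrete enough to illustrate. The following is an added example written for this article; it is not code from the ONC guidance or from any EHR vendor. It assumes SHA-256 (a NIST FIPS 180-4 hash) as the "secure hashing standard", a canonical JSON encoding of each record, and a hash-chained log in which every entry commits to the previous entry's hash, so that altering or deleting an earlier entry breaks every hash after it. The patient record, user names and actions are constructed sample data.

```python
import hashlib
import hmac
import json


def canonical_bytes(record: dict) -> bytes:
    """Deterministic encoding: same record content always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_digest(record: dict) -> str:
    """SHA-256 digest stored alongside the record when it is written or exchanged."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_integrity(record: dict, expected_digest: str) -> bool:
    """Recompute the digest on receipt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(integrity_digest(record), expected_digest)


class AuditLog:
    """Append-only log of user actions on health information, hash-chained for tamper evidence.

    The latest entry_hash should be copied somewhere the EHR cannot rewrite
    (a separate log server, write-once storage) so that a rewrite of the whole
    chain is also detectable. That anchoring step is outside this example.
    """

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, user: str, action: str, record_id: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "user": user,
            "action": action,
            "record_id": record_id,
            "prev_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(canonical_bytes(entry)).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return i  # entry removed, reordered, or its link rewritten
            if hashlib.sha256(canonical_bytes(body)).hexdigest() != entry["entry_hash"]:
                return i  # entry content edited after it was written
            prev = entry["entry_hash"]
        return None


def demo() -> dict:
    """Walk through both checks on constructed sample data and report the outcomes."""
    # Constructed sample record; not real patient data.
    record = {"patient_id": "P-0001", "dx": "F41.1", "note": "Follow-up in 4 weeks"}
    digest = integrity_digest(record)

    tampered = dict(record, note="Follow-up in 4 months")  # one word changed

    log = AuditLog()
    log.append("dr.smith", "view", "P-0001")
    log.append("dr.smith", "update", "P-0001")
    log.append("billing.ops", "export", "P-0001")
    intact = log.verify()

    # Someone edits the second entry in place to hide the update.
    log.entries[1]["action"] = "view"
    first_bad = log.verify()

    return {
        "original_ok": verify_integrity(record, digest),
        "tampered_ok": verify_integrity(tampered, digest),
        "log_intact": intact,
        "first_bad_entry": first_bad,
    }


if __name__ == "__main__":
    print(demo())
```

The integrity digest answers "is this the record that was sent?"; the audit log answers "has the history of who touched it been altered?". Both rely on the same primitive, so a vendor meeting the second criterion has most of what it needs for the fifth.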
"This guidance is meant to serve as a building block for federal agencies and stakeholders to use as they work with different communities to achieve interoperable electronic health information exchange," the guidance states.
"The capabilities expressed by some of these certification criteria could, if implemented by both eligible and ineligible types of providers, open critical communication lines between eligible and ineligible healthcare providers in order to support broad healthcare goals, such as care coordination and reduced hospital readmissions."