HITECH EHR Certification Program Nears
Committee Tweaks Security Details
The HIT Policy Committee, an advisory body to the Office of the National Coordinator for Health Information Technology, has approved recommendations from workgroups for tweaks in security provisions and other components of the proposed rule.
David Blumenthal, M.D., who heads ONC, will consider the recommendations, which must ultimately be approved by the Department of Health and Human Services.
The privacy/security workgroup noted that the proposed rule does not "appropriately recognize that the security functionality that any specific EHR module needs to provide will vary depending upon the environment in which it is intended to be used."
It recommended that EHR modules be tested and certified for privacy and security functions unless "it would be technically infeasible for the module to be tested" or the module itself "is designed to perform a specific privacy and security capability." The workgroup asks HHS to provide specific examples of instances of technical infeasibility to clarify the circumstances that would justify granting a privacy/security testing exemption.
The certification/adoption workgroup also made numerous recommendations approved by the full committee, including giving ONC authority to decertify EHRs if patient safety concerns emerge.
Under the proposed rule unveiled March 2, organizations designated to certify electronic health records software will assess the applications' security functionality but not require the use of specific security standards.
Healthcare organizations must use certified software to qualify for the Medicare and Medicaid EHR incentive payment program under the HITECH Act. The proposed rule spells out how an organization can become a certifier and how it must conduct testing. The new rule for certification programs, called for under the HITECH Act, follows an earlier proposed rule setting standards for the certified software itself.