Interim HITECH Act EHR Rule ProposedSoftware Certification Update Would be Voluntary
The Office of the National Coordinator for Health Information Technology on Feb. 21 issued a proposal for an interim, updated edition of HITECH Act electronic health record software certification criteria, including privacy and security components.
Compliance with the proposed 2015 Edition criteria would be voluntary, ONC explains. EHR developers that have already certified their software meets the 2014 Edition criteria would not need to re-certify for 2015 Edition compliance in order for their customers to earn payments from Medicare and Medicaid under the ongoing HITECH "meaningful use" incentive program. As a result, healthcare providers would not be required to "upgrade" to EHR technology certified as meeting the 2015 Edition criteria.
"This provides the opportunity for developers and health care providers to move to the 2015 Edition on their own terms and at their own pace," says Karen DeSalvo, M.D., who heads ONC.
Under the HITECH Act's EHR incentive program, participating hospitals and physicians must attest that they are making "meaningful use" of software that meets current certification criteria. The program is now in what is commonly called Stage 2, and Stage 3 criteria are still on the horizon.
The new EHR software certification proposal "represents ONC's new regulatory approach that includes more incremental and frequent rulemaking," ONC says. "This approach allows ONC to update certification criteria more often to reference improved standards, continually improve regulatory clarity and solicit comments on potential proposals as a way to signal ONC's interest in a particular topic area. "
Security ProposalsThe 242-page ONC document includes a proposal for secure data transmission based on SOAP Transport and Security Specification and XDR/XDM for Direct Messaging.
The document also seeks comment on whether ONC should consider two-factor authentication requirements for its 2017 Edition rulemaking. "This requirement could ... more definitively support security requirements for remote access to EHR technology as well as any other EHR technology uses that may require two-factor authentication," the proposal says.
The proposed rule will be published in the Federal Register on Feb. 26, 2014. ONC will accept comments on the proposal through April 28, 2014. The final rule is expected to be issued this summer.
An ONC spokesman tells Information Security Media Group: "The new regulatory approach is one that is more incremental and frequent and allows us to publish proposed and final rules, say about every 12 to 18 months." This will enable ONC "to respond to stakeholder feedback, make 'bug' fixes and enhance interoperability," he says.