Analyzing Changes to EHR Certification Practices
Attorney Raises Concerns About Potential Impact on Ensuring Security of Records Systems
Recent changes by the Department of Health and Human Services to the certification program for electronic health record software could potentially weaken efforts to ensure EHRs meet federal requirements, including those that impact security, says healthcare attorney Maya Uppaluru, a former staff member at HHS' Office of the National Coordinator for Health IT.
To qualify for higher Medicare reimbursement, doctors and hospitals must use EHRs and other healthcare IT that are certified as meeting dozens of technology requirements.
On Thursday, ONC officials in a blog posting announced two major changes they said are designed to improve the certification program's efficiency and to "reduce the burden industrywide."
One change allows testing procedures for 30 of 55 certification criteria for health IT products to be "self-declarations" by developers, instead of requiring those developers to have the features scrutinized by ONC-authorized testing labs.
Among the 30 certification criteria that can now be "self-declared" by developers of EHRs and other healthcare IT are several security-related features. Those include end-user device encryption, automatic access time-out, emergency access, secure messaging, trusted connection, accounting of disclosures and auditing actions on health information.
The other significant change ONC is making involves "exercising discretion for randomized surveillance of certified health IT products." So, rather than having ONC-authorized certification bodies conduct random surveillance on health IT products to help ensure compliance with certification requirements, the scrutiny will be "complaint-driven," ONC says.
"There's an increased [ONC] focus on self-declaration [by developers] and a greater priority on complaint-driven surveillance, rather than random surveillance," Uppaluru notes.
Concerns About Changes
In an interview with Information Security Media Group, the attorney expresses concerns about the effectiveness of the new approach to certifying EHRs.
"Personally, I think randomized surveillance has a really big role to play, given that by the time [an issue] gets to complaint-driven surveillance, it's already a problem" in terms of software potentially missing the mark in encompassing all the features and functionality expected under the certification program, she says.
"Randomized surveillance can do a lot to detect issues and help consumers before you get to that point," she says.
For instance, in June, the Department of Justice announced that EHR vendor eClinicalWorks agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement with HHS' Office of Inspector General, as a result of allegations that the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements.
The eClinicalWorks case, which was complaint-driven, "took years of work to remedy ... So, I would like to see more emphasis on randomized surveillance," Uppaluru says.
When it comes to the ONC change that allows software developers to "self-declare" that their health IT products meet certain certification requirements, Uppaluru says: "I realize there is a desire to reduce the regulatory burden and that ONC's [software certification] rule is long, as are a lot of federal regulations. But I personally feel the testing aspect is so important.
"There are other ways to reduce regulatory burden, such as reducing the number of things we're asking EHR technologies to certify to. But keeping testing strong is really important. So, I guess we'll see how this plays out."
In the interview, Uppaluru also discusses:
- Lessons the healthcare sector can learn from the recent massive data breach at Equifax;
- Security issues related to health IT application programming interfaces, wearable health devices and remote health monitoring technologies;
- Predictions about the regulatory and enforcement direction of HIPAA.
Before recently joining law firm Crowell & Moring's digital health practice and healthcare group, Uppaluru was a digital service expert on the healthcare team at the U.S. Digital Service and policy adviser to the U.S. Chief Technology Officer at the White House during the Obama administration. She also formerly was a member of ONC's innovation team and an attorney adviser at the Federal Communications Commission.