Standards for Certified EHRs Proposed
Encryption, access control required
Federal regulators unveiled an interim final rule for EHR certification standards as last year drew to a close.
In the rule, federal regulators call the HIPAA Security Rule "an appropriate starting point for establishing the capabilities for certified EHR technology." But the interim final rule goes beyond HIPAA, specifying security components records software must include.
The Medicare and Medicaid EHR incentives were included in the economic stimulus bill, known as the American Recovery and Reinvestment Act. The Office of the National Coordinator for Health Information Technology (ONC), a unit of the U.S. Department of Health and Human Services (HHS), is developing the rules for the program.
One rule that's still pending will specify the organizations that will certify EHRs as well as their processes.
Under the certification standards interim final rule, to be certified, EHR software must use "a symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192 or 256 bit encryption key (e.g. FIPS 197 Advanced Encryption Standard.)" The goal, according to the rule, is to ensure EHR software "is capable of using encryption according to user-defined preferences."
When healthcare organizations transmit records via Health Information Exchanges, that data must be encrypted, the rule further states. "A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit," it specifies.
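The two requirements just quoted, as an added example that is not part of the article or of any EHR product: a check of a user-defined encryption profile against the rule's cipher and key-size terms, and the in-transit integrity check on the receiving side. The profile format, the SHA-2-only notion of "secure hash", the key and the patient record are all constructed for illustration.

```python
"""Added example (not from the article): checks a transmission profile against the
certification-rule requirements quoted above (a 128-bit-block symmetric cipher with a
128/192/256-bit key chosen by the user, plus a secure hash that lets the receiving
Health Information Exchange detect alteration in transit). Profile format, key,
hash list and the record are constructed for illustration."""
import hashlib
import hmac
import secrets

ALLOWED_KEY_BITS = {128, 192, 256}               # key sizes the rule names
SECURE_HASHES = {"sha256", "sha384", "sha512"}    # assumption: SHA-2 only; MD5/SHA-1 rejected


def profile_meets_rule(profile: dict) -> list:
    """Return findings; an empty list means the user-defined profile is acceptable."""
    findings = []
    if profile.get("cipher") != "AES":           # FIPS 197 AES is the rule's example
        findings.append("cipher is not the FIPS 197 AES block cipher")
    if profile.get("block_bits") != 128:
        findings.append("block size must be 128 bits")
    if profile.get("key_bits") not in ALLOWED_KEY_BITS:
        findings.append("key size must be 128, 192 or 256 bits")
    if str(profile.get("hash", "")).lower() not in SECURE_HASHES:
        findings.append("integrity hash is not a secure hashing algorithm")
    return findings


def bare_digest(record: bytes, hash_name: str = "sha256") -> bytes:
    """A plain digest of the record. On its own it proves nothing to the receiver:
    whoever can alter the record in transit can recompute this value too."""
    return hashlib.new(hash_name, record).digest()


def seal(record: bytes, key: bytes, hash_name: str = "sha256") -> bytes:
    """Keyed tag (HMAC) sent with the separately encrypted record; it can only be
    recomputed by a holder of the shared key."""
    return hmac.new(key, record, hash_name).digest()


def verify(record: bytes, tag: bytes, key: bytes, hash_name: str = "sha256") -> bool:
    """Receiver-side integrity check; constant-time comparison avoids timing leaks."""
    return hmac.compare_digest(seal(record, key, hash_name), tag)


if __name__ == "__main__":
    profile = {"cipher": "AES", "block_bits": 128, "key_bits": 256, "hash": "sha256"}
    print("profile findings:", profile_meets_rule(profile))          # []
    key = secrets.token_bytes(32)                                     # constructed shared key
    record = b'{"patient_id": "demo-0001", "allergy": "penicillin"}'  # constructed record
    tag = seal(record, key)
    print("intact:", verify(record, tag, key))                                       # True
    print("altered:", verify(record.replace(b"penicillin", b"none"), tag, key))      # False
```

The bare_digest function is kept only to make the caveat concrete: a digest that travels with the record must itself be protected (by a key, as in seal, or by the encrypted channel), or alteration in transit goes undetected.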
HITECH and encryption
In addition, the HITECH Act, which applies to all healthcare organizations and their business associates, regardless of whether they're receiving federal EHR incentives, strongly encourages encryption.
HITECH mandates that healthcare organizations report data breaches to the individuals affected. But breaches do not have to be reported if the data involved is rendered unreadable via encryption. The encryption, however, must be validated under NIST Federal Information Processing Standard (FIPS) 140-2, according to the Interim Final Rule that further spelled out the breach notification requirements.
Major healthcare associations, including the Healthcare Information and Management Systems Society, the Medical Group Management Association and the American Health Information Management Association, are urging their members to adopt encryption of records as a best practice.
Companies selling EHR software need to do a better job of offering implementation assistance so that users take full advantage of all capabilities, including security features, says Dan Rode, vice president for policy and government relations at AHIMA. "We have to make sure that folks aren't just buying the technology and taking it out of the box but not actually using it correctly," he says.
Rode also is hopeful that hospitals and physician practices that are using somewhat older records software that lacks encryption capability will upgrade to newer versions that include more robust security functions, including encryption.
While most EHR vendors already offer encryption, some physician group practices and others choose not to turn on that function, says Rosemarie Nelson, principal with MGMA Health Care Consulting Group, Englewood, Colo.
A recent HIMSS survey found that only 44 percent of hospitals encrypt data "at rest" or stored in internal databases, notes Lisa Gallagher, senior director of privacy and security at HIMSS. So clearly, many organizations have a long way to go when it comes to encrypting.
Security consultant Kate Borten, president of the Marblehead (Mass.) Group, says many healthcare organizations follow the best practice of encrypting all confidential information transmitted over the Internet or wireless networks, as well as encrypting data at rest on portable devices.
But encrypting internal databases, while desirable, remains relatively rare, she says, because of the cost involved as well as perceptions that it can affect the performance of the applications involved.
One ambiguous clause in the interim final rule appears to give smaller organizations with limited budgets a way to circumvent the requirement to use certified software with encryption.
The rule states that an organization "must assess whether encryption as a method for safeguarding electronic protected health information is a reasonable and appropriate safeguard in its environment. Consequently, an (organization) could be in compliance with the HIPAA security rule if it determines that encryption is not reasonable and appropriate in its environment and if it documents its rationale and implements an equivalent alternative measure if reasonable and appropriate."
But what's a "reasonable and appropriate" alternative to encryption? Gallagher of HIMSS says her "best guess" is that an organization could implement some policy and procedural controls as well as physical controls, such as locks on doors. But she stresses that organizations participating in the EHR incentive program would have to defend the approach they're taking as an alternative to encryption if they were audited by regulators.
The interim final rule says EHR software should offer an access control mechanism, but it stops short of setting a standard. "We have not adopted a specific standard for access control because we believe that the industry will continue to innovate at a rapid pace in this area and better methods to implement this capability will be available faster than we would be able to adopt them via regulation."
Many EHR applications already offer some sort of role-based access control, says Nelson, the consultant. This enables, for example, a physician practice to give a nurse broader access to patient data than a receptionist. "But a lot of practices just give everyone the same role level," defeating the purpose of access control, she laments.
The interim final rule says users of certified EHRs must, at a minimum, use unique user names or numbers to track their identity and make sure access to records is limited to authorized users, notes Gallagher of HIMSS. "That's a generic description of access control."
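The access-control points raised above, as an added example that is not code from the article or from any EHR vendor: a small role-based policy in which a nurse is granted more than a receptionist, and an audit that flags the two weaknesses the consultants describe, every account holding the same role and accounts that do not carry a unique user identifier. Roles, permissions and the account list are constructed for illustration.

```python
"""Added example (not from the article): a minimal role-based access policy plus an
audit for the weaknesses described above (one role for everyone, and user identifiers
that are not unique). Roles, permissions and account data are constructed."""
from collections import Counter

# Constructed role-to-permission map: a nurse sees clinical data, a receptionist
# only what scheduling needs. Unknown roles receive no permissions at all.
ROLE_PERMISSIONS = {
    "physician":    {"read_demographics", "read_clinical", "write_orders", "write_notes"},
    "nurse":        {"read_demographics", "read_clinical", "write_notes"},
    "receptionist": {"read_demographics", "schedule"},
}


def is_allowed(role: str, action: str) -> bool:
    """Access decision for one action; default deny."""
    return action in ROLE_PERMISSIONS.get(role, set())


def audit_accounts(accounts: list) -> list:
    """Return findings for a list of (user_id, role) tuples; empty means no issue found."""
    findings = []
    ids = [uid for uid, _ in accounts]
    dupes = sorted(uid for uid, n in Counter(ids).items() if n > 1)
    if dupes:
        # Shared logins make it impossible to attribute a record access to one person.
        findings.append(f"shared user identifiers, access cannot be attributed: {dupes}")
    roles = {role for _, role in accounts}
    if len(accounts) > 1 and len(roles) == 1:
        # The case Nelson describes: role-based control exists but is not in effect.
        findings.append(f"every account has the role {next(iter(roles))!r}; role separation is not in effect")
    unknown = sorted({role for _, role in accounts if role not in ROLE_PERMISSIONS})
    if unknown:
        findings.append(f"roles with no defined permissions: {unknown}")
    return findings


if __name__ == "__main__":
    staff = [("drsmith", "physician"), ("nurse1", "nurse"), ("frontdesk", "receptionist")]
    print("nurse reads chart:", is_allowed("nurse", "read_clinical"))              # True
    print("receptionist reads chart:", is_allowed("receptionist", "read_clinical"))  # False
    print("well-separated practice:", audit_accounts(staff))                        # []
    flat = [("drsmith", "physician"), ("nurse1", "physician"), ("frontdesk", "physician")]
    print("everyone-is-a-physician practice:", audit_accounts(flat))
```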
In another proposed rule, federal regulators spelled out requirements for demonstrating "meaningful use" of EHRs to qualify for incentives. Those requirements include conducting a risk assessment of the software.