The Human Health Services (HHS) released two lengthy documents outlining the final rules for applicability to security and privacy. The two documents reviewed are:
- Medicare and Medicaid Programs: Electronic Health Record Incentive Program
- Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology
The length is deceiving (1,000+ pages) – the final rules themselves are comparatively short, but these documents contain the comment response sections. These are massively important for understanding the intent and thinking behind each requirement. This process of public feedback and public response is a welcome one – especially within the complex world of information technology.
While reading through these documents, I found several sections helpful and insightful. I have included those below for reference and comment:
“This means that to qualify for incentives, an eligible professional or eligible hospital must both adopt Certified EHR Technology and demonstrate meaningful use of this technology.”
Interesting clarification on the scope of this publication:
“The purpose of this final rule, therefore, is to adopt standards, implementation specifications, and certification criteria to test and certify that a Complete EHR or EHR Module provides certain capabilities, and where applicable, to require that those capabilities be implemented in accordance with adopted standards and implementation specifications. The adopted standards, implementation specifications, and certification criteria were not intended to impose independent requirements on the entities using Certified EHR Technology.”
A request was made for clarity on forthcoming guidance and mandates. This was a timely question given how often the final rule and responses reference future publications and related legislation. The question submitted to HHS, followed by the response:
“…timelines for making changes to HIT, that it would benefit the HIT industry if we could provide a roadmap, framework, or more descriptive “glide path” for future standards adoption activities…”
“We plan to work closely with the HIT Standards Committee to develop a forward looking agenda and to make known in advance the types of standards, implementation specifications, and certification criteria on which we will seek recommendations from the HIT Standards Committee.”
The concept of a Complete EHR was clarified, and the response provides useful guidance on what is included in, and what is excluded from, the completeness implied by the term:
“…however, does not in any way preclude any additional capabilities from being included in a Complete EHR or implemented in a complementary fashion. The definition sets forth a floor, not a ceiling, and serves to signify that once tested and certified to all applicable certification criteria, a Complete EHR meets the definition of Certified EHR Technology.”
A comment was submitted to HHS regarding the scope and legality of these new standards, as they promote stronger security and more detailed requirements than are mandated within HIPAA.
“What a HIPAA covered entity must do to remain in compliance with the HIPAA Security Rule is separate and distinct from the capabilities that a Complete EHR or EHR Module must include in order to be certified. We do not believe that we are precluded by the HITECH Act from adopting certification criteria that go beyond the requirements specified by the HIPAA Security Rule. We believe that the HITECH Act, while directing that standards, implementation specifications, and certification criteria be consistent with the HIPAA standards, authorizes the Secretary to adopt certification criteria more broadly for the electronic use and exchange of health information. Section 3004(b)(1) of the PHSA, as added by the HITECH Act, requires the Secretary, for instance, to adopt an initial set of standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology.”
A distinction was made regarding encryption that provides insight into the broader intent of these certification criteria, and it is a key point for practitioners to understand. The question is one of capability versus necessity: certification requires that the capability exist, not that it be used in every circumstance. This highlights the importance of a thorough and accurate risk management process applied holistically across the enterprise. The referenced quote is below:
“Certified EHR Technology must include the capability to encrypt and decrypt information regardless of the transmission method used. This certification criterion and related standard do not specify the circumstances under which encryption and decryption must be performed; they simply require the capability.”
As further documents of interest surface during my research into these mandates and technology controls, I will post them.