On March 7, 2012, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published in the Federal Register its notice of proposed rule making (NPRM) entitled Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record [EHR] Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology [pp. 13832-13885]. Comments to HHS may be made until 5 PM on May 7, 2012.
The summary of the NPRM is included here:
“Under section 3004 of the Public Health Service Act, the Secretary of Health and Human Services is proposing to revise the initial set of standards, implementation specifications, and certification criteria adopted in an interim final rule published on January 13, 2010, and a subsequent final rule that was published on July 28, 2010, as well as to adopt new standards, implementation specifications, and certification criteria. The proposed new and revised certification criteria would establish the technical capabilities and specify the related standards and implementation specifications that Certified Electronic Health Record (EHR) Technology would need to include to, at a minimum, support the achievement of meaningful use by eligible professionals [EPs], eligible hospitals, and critical access hospitals [CAHs] under the Medicare and Medicaid EHR Incentive Programs beginning with the EHR reporting periods in fiscal year and calendar year 2014. This notice of proposed rule making also proposes revisions to the permanent certification program for health information technology, which includes changing the program’s name.” [p. 13832]
The NPRM also provides an Overview of the 2014 Edition EHR Certification Criteria, an excerpt of which is provided here:
“We propose to adopt certification criteria that will support the proposed changes to the EHR Incentive Programs, including the new and revised objectives and measures for Stages 1 and 2 of MU [meaningful use] proposed by CMS [see preceding HIPAA.com posting]. The certification criteria we propose for adoption would also enhance care coordination, patient engagement, and the security, safety, and efficacy of EHR technology. For clarity, we refer to the certification criteria proposed for adoption as the 2014 Edition EHR certification criteria and the currently adopted certification criteria as the 2011 Edition EHR certification criteria….” [p.13833]
HIPAA.com has focused especially on privacy and security issues related to safeguarding protected health information (PHI). We commend the reader’s attention to the content in two sections of the NPRM:
45 CFR 170.210(e): Standards for health information technology to protect electronic health information created, maintained, and exchanged–(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices. [p. 13880]
45 CFR 170.314(d): 2014 Edition electronic health record certification criteria–(d) Privacy and security:
(1) Authentication, access control, and authorization.
(2) Auditable events and tamper-resistance.
(3) Audit report(s).
(4) Amendments.
(5) Automatic log-off.
(6) Emergency access.
(7) Encryption of data at rest.
(8) Integrity.
(9) Optional–accounting of disclosures.
[p. 13883]