Comments Sought on Privacy/Security of Stage 3-Certified EHRs
The HIT Standards Committee is seeking public comment on Stage 3 privacy and security criteria that should be required of certified electronic health records in 2016.
The standards committee and its partner HIT Policy Committee advise federal officials on health information technology initiatives. The stakeholder-populated committees have substantial influence over development of meaningful use criteria.
Providers can use a certified Complete EHR or a set of EHR modules that collective meet the definition of a certified EHR, says Dixie Baker, a consultant with Martin, Blanck and Associates, and chair of the standards committee’s privacy and security workgroup.
But combining EHR modules can introduce several risks, Baker notes in a posting on the Office of the National Coordinator for HIT blog page:
“1. A single EHR Module may not provide the security functionality an enterprise needs to comply with HIPAA;
“2. The combination of certified EHR Modules may provide redundant security functionality that cannot be integrated with, and may even conflict with, enterprise security solutions within which all of the certified EHR Modules would operate; and
“3. The collective, system-wide behavior of separately developed certified EHR Modules operating together may result in system behaviors that put enterprise security at risk,” Baker writes.
Consequently, the workgroup in November issued preliminary recommendations for EHR Module certification in 2016 through three different approaches and now seeks comment. More information and a box to comment is available here.