HIT Standards Committee
Privacy and Security Workgroup
Standards and Certification Requirements for Certified EHR Modules
Dixie Baker, Chair
Walter Suarez, Co-Chair
November 2, 2012
Assigned Task Overview
• The 2014 Edition final rule modifies the certification processes that ONC-Authorized Certification Bodies (ONC-ACBs) will need to follow for certifying EHR Modules in a manner that … reduces regulatory burden by eliminating the certification requirement that every EHR Module be certified to the “privacy and security” certification criteria.
• Instead, the privacy and security capabilities are included in the Base EHR definition that every EP, EH, and CAH must meet as part of meeting the CEHRT definition.
2014 Edition: Complete EHRs and CEHRT
• Complete EHR – EHR technology that meets the Base EHR definition and has been developed to meet, at a minimum, all mandatory 2014 Edition EHR certification criteria for either an ambulatory setting or an inpatient setting
• Certified EHR Technology (CEHRT) – EHR technology certified under the ONC HIT Certification Program to the 2014 Edition EHR certification criteria that has: (i) the capabilities required to meet the Base EHR definition; and (ii) all other capabilities that are necessary to meet the objectives and associated measures under 42 CFR 495.6 and successfully report the clinical quality measures selected by CMS in the form and manner specified by CMS (or the States, as applicable) for the stage of meaningful use that an eligible professional, eligible hospital, or critical access hospital seeks to achieve.
2014 Edition: Two Approaches for Meeting CEHRT Requirement
EPs, EHs, and CAHs are required to meet the CEHRT definition using a certified Complete EHR or a combination of certified EHR Modules.
[Diagram: ONC HIT Certification Program. Path 1: a Certified Complete EHR that meets the Base EHR definition satisfies CEHRT. Path 2: a combination of Certified EHR Modules that together meet the Base EHR definition satisfies CEHRT.]
2014 Edition: Posnack Slide from Sept 2012 HITSC Presentation (showing Stage 2 examples only)
[Diagram: 2014 Edition EHR Module Approaches. Columns labeled Stage 2 EP/EH, Stage 2 EP/EH, and Stage 2 EP/EH w/exclusions, each built on a Base EHR; blocks labeled 2014 Edition Complete EHR, MU1 Core, MU2 Menu, and MU1/MU2 are supplied by Vendor A, Vendor B, Vendor C, and Vendor X in various combinations.]
Privacy and Security Workgroup Task
• Provide recommendations, targeted for the 2016 Edition of EHR certification. Specifically, ONC has asked us to identify the minimal set of privacy and security standards and certification criteria for certifying EHR Modules.
• Recommendations should anticipate future broad adoption of NSTIC-based authentication, and therefore should be compatible with the NSTIC* approach.
*National Strategy for Trusted Identities in Cyberspace
Questions to be Addressed (1 of 2)
• What is the minimal set of privacy and security properties (i.e., the left-hand column in the table above) that every certified EHR Module should exhibit (either natively or by using external services)? What standards can support these properties?
• What privacy and security properties might a certified EHR Module need to exhibit conditionally? For example, an e-prescribing Module may need to support two-factor authentication; an integration Module may need to be able to encrypt data for transmission. What standards can support these properties?
• What certification criteria can be used to certify the privacy and security properties of EHR Modules? If the Module depends upon an external service to meet these criteria, does the external service need to be certified? If not, how can the Module be tested for conformance with these criteria?
Questions to be Addressed (2 of 2)
• Should the privacy and security services implemented in one EHR technology be accessible to, and interoperable with, other EHR Modules that are separately certified?
• If not, is the minimal property set defined in question 1 still valid?
• If so, what functional interactions between EHR technology #1 and EHR technology #2 can and should be addressed by interoperability standards and certification criteria?
• Given that the 2014 Edition EHR standards and certification criteria have been released, with no prerequisite privacy and security certification requirements for EHR Modules in order to be certified, should ONC offer guidance regarding appropriate or suggested EHR Module use of the privacy and security properties and services of other EHR technology?
ONC Background
Steve Posnack, Will Phelps, Debbie Bucci
• Factors Motivating Change in EHR Module Certification
• NSTIC Compatibility Constraint