Federal panel okays EHR security, privacy standards

By Mary Mosquera
Tuesday, September 15, 2009

The Health IT Standards Committee today endorsed a set of security and privacy standards for electronic health record systems that it said would get progressively tougher without holding back wider health information sharing.

The committee’s security and privacy workgroup clarified requirements that electronic health record systems must meet so both vendors and healthcare providers could use a number of access controls in their electronic health record systems and practices by 2011.

The presentation to the Committee was made by workgroup member David McCallie, vice president for medical informatics at Cerner Corp.

McCallie said the standards were designed to ensure that the security of health IT systems is powerful enough to protect health information in a variety of private and public sector settings while at the same time promoting the sharing of records.

For instance, organizations that want to swap information may have differing security and privacy requirements, making it a challenge to exchange data. “If they want to communicate with each other, do we rise to the most stringent system or lower ourselves to the most common denominator?” he said.

The standards under discussion cover access control, authentication, authorization and transmission of health data. The group tried to make the guidance clear enough to make interoperability between organizations a reality, McCallie said.

“Security is a balance between ease-of-use, cost and bullet-proof protection,” added Dr. John Halamka, vice chairman of the Committee. The workgroup has tried to provide “a rational glide path to increasingly constrained security,” he added.

Under the standards approved today, by 2011 EHR systems would have to meet several standards for access control, including the technical requirements of the Health Insurance Portability and Accountability Act’s (HIPAA) security and privacy rules and the Advanced Encryption Standard.

The HITECH provisions of the economic stimulus legislation toughened HIPAA’s security and privacy rules. The standards endorsed today cover the terms of those rules.

Under these standards, EHRs should be able to permit access only to those persons or applications that have been granted access rights. The standards also cover the ability to encrypt and decrypt electronic personal health information.

In 2013, EHRs would have to meet additional standards to further tighten security, including Health Level 7 Role-based Access Control (RBAC), Security Assertion Markup Language (SAML) and WS-Trust, an OASIS standard for constructing secure messages.

The work group also offered documentation to help vendors and providers implement the standards. For example, the National Institute of Standards and Technology has a guide to storage encryption technologies for end-user devices, such as thumb drives.

Looking ahead, the Health IT Standards Committee has already started its work on 2013 meaningful use criteria, a process that started by naming Aneesh Chopra, the administration’s chief technology officer, to be chairman of a new work group on adoption and implementation.

Chopra said time is of the essence in getting the workgroup’s agenda underway. “Going forward, we have this map showing the way, but that doesn’t mean we don’t want folks to start sharing now – DOD and VA want this data now,” Chopra said.

About 70 percent of patients covered by the Defense and Veterans Affairs departments receive care in the private sector. Chopra said he wants to get feedback from those, such as DOD and VA, who want to share data now.

Chopra said that he would like to find a way to measure the current state of standards adoption as a baseline; identify the barriers that private sector health care executives face in reporting a variety of quality measures; and share best practices and lessons from organizations using standards.
