Interim HITECH Act EHR Rule Proposed

Software Certification Update Would be Voluntary

The Office of the National Coordinator for Health Information Technology on Feb. 21 issued a proposal for an interim, updated edition of HITECH Act electronic health record software certification criteria, including privacy and security components.


Compliance with the proposed 2015 Edition criteria would be voluntary, ONC explains. EHR developers that have already certified that their software meets the 2014 Edition criteria would not need to re-certify for 2015 Edition compliance in order for their customers to earn payments from Medicare and Medicaid under the ongoing HITECH "meaningful use" incentive program. As a result, healthcare providers would not be required to "upgrade" to EHR technology certified as meeting the 2015 Edition criteria.

"This provides the opportunity for developers and health care providers to move to the 2015 Edition on their own terms and at their own pace," says Karen DeSalvo, M.D., who heads ONC.

Under the HITECH Act's EHR incentive program, participating hospitals and physicians must attest that they are making "meaningful use" of software that meets current certification criteria. The program is now in what is commonly called Stage 2, and Stage 3 criteria are still on the horizon.

The new EHR software certification proposal "represents ONC's new regulatory approach that includes more incremental and frequent rulemaking," ONC says. "This approach allows ONC to update certification criteria more often to reference improved standards, continually improve regulatory clarity and solicit comments on potential proposals as a way to signal ONC's interest in a particular topic area."

Security Proposals

The 242-page ONC document includes a proposal for secure data transmission based on SOAP Transport and Security Specification and XDR/XDM for Direct Messaging.

The document also seeks comment on whether ONC should consider two-factor authentication requirements for its 2017 Edition rulemaking. "This requirement could ... more definitively support security requirements for remote access to EHR technology as well as any other EHR technology uses that may require two-factor authentication," the proposal says.

The proposed rule will be published in the Federal Register on Feb. 26, 2014. ONC will accept comments on the proposal through April 28, 2014. The final rule is expected to be issued this summer.

An ONC spokesman tells Information Security Media Group: "The new regulatory approach is one that is more incremental and frequent and allows us to publish proposed and final rules, say about every 12 to 18 months." This will enable ONC "to respond to stakeholder feedback, make 'bug' fixes and enhance interoperability," he says.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



