Privacy Protection Steps Advance

Policy Committee Acts on Authentication, Protecting Stored Data
Privacy Protection Steps Advance
The Health IT Policy Committee on June 8 accepted a recommendation that all organizations participating in the Nationwide Health Information Network initiative should use digital certificates that meet authentication standards already required for federal agencies.

The committee also recommended some preliminary "meaningful use" criteria for stage two of the HITECH Act electronic health records incentive program, including a requirement that participants verify how they're protecting stored information. Plus, it recommended giving certain participants an extra year to meet stage two requirements.

The Department of Health and Human Services ultimately must approve all HIT Policy Committee recommendations and determine whether to include them in various rules and regulations.

Digital Certificates Requirement

One of the main motivations for the digital certificate requirement is that most healthcare organizations, at some point, will have to exchange information with a federal agency, and that requires use of Federal Bridge standards.

The authentication recommendation, which came from the Privacy and Security Tiger Team, states, "all certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a certificate authority (or one of its authorized resellers) that is a member of the Federal PKI [Public Key Infrastructure] Framework."

Paul Egerman, tiger-team co-chair, told the committee that an electronic health records vendor, for example, could serve as a certificate reseller. Plus, about six certificate authorities now offer the Federal Bridge certificates at prices of $100 or less per organization, he added.

The Health IT Policy Committee advises HHS' Office of the National Coordinator for Health IT. ONC is working on a governance rule spelling out guidelines for participants in the NwHIN (see: Revised NHIN Governance Plan Advances). The certificate guidelines would be included in that rule.

NwHIN is not an actual network, but what amounts to a "brand" that signifies participants "comply with a set of policies, standards and services that enable the Internet to be used for secure and meaningful exchange of health information," according to the official government definition. The idea behind NwHIN is to pave the way for the exchange of electronic health records and other information coast-to-coast by linking various health information exchanges and other networks that all adhere to the same standards.

Certificate Interoperability

In making its authentication recommendation, the tiger team acknowledged that volunteers working on developing a Standards & Interoperability Framework to support health information exchange and electronic health records are studying certificate interoperability issues (see Digital Certificate Initiatives Launched). They're assessing the "cost, complexity and feasibility of providers acquiring, managing and using digital certificates that are cross-certified with the Federal Bridge," according to an earlier ONC announcement.

As a result, the HIT Policy Committee, in its recommendation, noted it will revisit the issue of digital certificates, or ask the HIT Standards Committee to revisit it, if the framework study "reveals new facts that call into question the conclusion that it is financially and operationally feasible for small or less-resourced provider entities" to obtain certificates that meet Federal Bridge standards.

The tiger team suggested this addition after two participants in The Direct Project pilot program questioned whether use of certificates that meet Federal Bridge standards would be practical for smaller organizations involved in simpler, direct exchanges, Egerman explained. Eventually, direct exchanges, as well as more complex exchanges, would be accomplished under the umbrella of NwHIN, said Joy Pritts, chief privacy officer at ONC.

EHR Incentive Criteria

Also on June 8, the HIT Policy Committee recommended preliminary criteria for stage two of the HITECH Act electronic health record incentive program. Among those are a tiger team recommendation, approved by the committee earlier, that participants should verify how they're keeping stored data secure, such as through encryption (see: Privacy, Security Proposals Advance).

This "meaningful use" requirement would reinforce the HIPAA Security Rule, but it would not require the use of encryption in all cases, Deven McGraw, tiger team co-chair, said at an earlier committee meeting. The team hopes that by calling attention to the issue of protecting stored data in the incentive program's stage two meaningful use requirements, it can "make a dent in the number of organizations that have to report breaches of data," McGraw said.

A stage one requirement to conduct or update a security risk analysis and implement security updates as necessary to mitigate identified risks would continue in stage two.

McGraw noted at the June 8 meeting that the tiger team would like the HIT Policy Committee to consider a stage three EHR incentive program requirement mandating compliance with the NwHIN governance policies that have yet to be developed. Many of the tiger team's recommendations ultimately could wind up in the NwHIN governance rule.

Meanwhile, the HIT Standards Committee will review a number of other tiger team recommendations for the EHR incentive program criteria, including authentication and audit trail standards for patient portals.

HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year's end, with a final rule due by mid-2012.

In light of that timeline, the HIT Policy Committee on June 8 recommended that HHS fine-tune the deadline for certain participants in the program to achieve stage two benchmarks. Under the revised plan, those that attest to qualifying for stage one in 2011 would have until 2014, instead of 2013, to demonstrate compliance with stage two requirements and earn additional incentive payments.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.