Health IT Policy Committee Recommends Two-Factor Authentication for EHRs

The Health IT Policy Committee on June 8 accepted a recommendation that all organizations participating in the Nationwide Health Information Network initiative (NwHIN) should use digital certificates that meet the same authentication standards already required for federal agencies. Final approval of the recommendation rests with the Department of Health and Human Services (HHS).

One of the main motivations for the digital certificate requirement is that most healthcare organizations, at some point, will have to exchange information with a federal agency, and that requires use of Federal Bridge standards.

The authentication recommendation, which came from the Privacy and Security Tiger Team, states, “all certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a certificate authority (or one of its authorized resellers) that is a member of the Federal Public Key Infrastructure Framework.”

Paul Egerman, tiger-team co-chair, told the committee that an electronic health records (EHR) vendor, for example, could serve as a certificate reseller. Plus, about six certificate authorities now offer the Federal Bridge certificates at prices of $100 or less per organization.
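The recommendation above amounts to a two-part check that a NwHIN participant's gateway has to make on every peer certificate: it must chain to a CA the participant accepts as a Federal PKI member, and it must assert the expected certificate policy. The Go program below is an added example written for this page, not code from the committee, ONC or any NwHIN participant. It builds its own throwaway CA and leaf certificates with the standard library so it runs offline; the accepted-CA pool, the hospital names and the policy OID 1.3.6.1.4.1.99999.1 are placeholders, not real Federal Bridge identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder for the Federal Bridge policy OID a NwHIN participant would
// actually require (an assumption for this example, not a real FPKI OID).
var requiredPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// id-ce-certificatePolicies (RFC 5280, section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation mirrors RFC 5280 PolicyInformation; qualifiers stay raw.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// newCert signs tmpl under parent/signer with a 24h validity and parses it back.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeCA builds a self-signed CA standing in for an accepted Federal PKI member CA.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueLeaf issues an organization certificate from ca. Policies are written as a
// hand-encoded certificatePolicies extension so the example does not depend on
// which of Go's policy template fields a given toolchain honours when marshaling.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if len(policies) > 0 {
		infos := make([]policyInformation, len(policies))
		for i, oid := range policies {
			infos[i].Policy = oid
		}
		der, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	return newCert(tmpl, ca, &key.PublicKey, caKey)
}

// checkPeer applies the two-part rule: chain to an accepted CA, and assert the required policy.
func checkPeer(leaf *x509.Certificate, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, ext := range leaf.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &infos); err != nil || len(rest) != 0 {
			return fmt.Errorf("malformed certificatePolicies extension (err=%v, %d trailing bytes)", err, len(rest))
		}
		for _, pi := range infos {
			if pi.Policy.Equal(requiredPolicy) {
				return nil
			}
		}
	}
	return fmt.Errorf("certificate does not assert required policy %v", requiredPolicy)
}

func main() {
	ca, caKey, _ := makeCA("Accepted Bridge CA (demo)")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	good, _ := issueLeaf(ca, caKey, "Hospital A", requiredPolicy)
	bare, _ := issueLeaf(ca, caKey, "Hospital B")
	fmt.Println("with policy:", checkPeer(good, trusted), "| without:", checkPeer(bare, trusted))
}
```

Two caveats for anyone adapting this: Go's `Verify` performs no revocation checking, so a production gateway would still need CRL or OCSP processing, and a real path to the Federal Bridge runs through cross-certificates and is longer than the one-hop chain built here, so the intermediates would have to be supplied in `VerifyOptions.Intermediates`.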

In addition to the authentication recommendations, the committee recommended that, for stage two of the HITECH Act electronic health record incentive program, participants should verify how they keep stored data secure, for example through encryption.

HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year’s end, with a final rule due by mid-2012.

In light of that timeline, the HIT Policy Committee on June 8 recommended that HHS fine-tune the deadline for certain participants in the program to achieve stage two benchmarks. Under the revised plan, those that attest to qualifying for stage one in 2011 would have until 2014, instead of 2013, […]

Electronic Health Records Help Bring Hospital Back On Line After Disaster

Just weeks before the powerful F5 tornado ripped through Joplin, Missouri, severely damaging St. John’s Regional Medical Center, St. John’s had converted to a new electronic health records system. Having all its records online and backed up in another city allowed the hospital to be up and running in a 60-bed mobile hospital in less than a week.

“If the tornado had hit a month earlier, before installing the electronic health record system in Joplin, St. John’s would not have been able to bring up our mobile hospital within a week’s time. We still would not be operational at this point,” said Mike McCreary of Mercy Technology Services.

“Today, patients have continuity of care across all of our physician locations and the new St. John’s Mercy Hospital, and connection to the entire Mercy health system, because of our EHR and our ability to quickly re-establish communication services.” McCreary noted that St. John’s patients also have access to historical medical records. More current health information was stored within the new EHR, and older paper records had been scanned prior to the tornado and are securely stored on servers located in other communities.

Read the complete story at

Maine reverses decision on HIE Consent

After hearing objections from hospitals and physicians about a proposed “opt-in” approach to obtaining patient consent for health information exchange (HIE), the Maine legislature has dropped a proposal to switch away from the current “opt-out” approach.

The original proposal would have required providers to give patients an opt-in form that they would need to sign to authorize having their electronic health records shared over HealthInfoNet, the statewide HIE.

The state hospital and medical associations and HealthInfoNet expressed concern that the “opt-in” approach would result in few people taking advantage of the benefits of the HIE. Other HIEs using the opt-in approach have found that a relatively small percentage of patients take the initiative to sign the form. Amy Landry, HealthInfoNet’s communications director, stated that, “Unless a majority of state residents’ records are accessible via the HIE, physicians and hospitals are unlikely to use it because of its limited value”.

HealthInfoNet has always instructed participating providers to give patients a Notice of Privacy Practices, as required under HIPAA, that also describes that their data may be shared via the HIE and offers the opportunity to opt out.

Last year, the Health and Human Services Privacy and Security Tiger Team, which advises federal regulators, endorsed a “meaningful consent” approach that HIEs should take. It accommodates either the opt-in or opt-out approach, emphasizing educating patients about their privacy rights as well as HIE procedures.

The revised proposal, which awaits the governor’s signature, requires informing patients about the benefits and risks of the HIE and giving them the opportunity to “opt out.” Unless they take action to opt out, their information will automatically be accessible via the HIE, which stores certain records in a central data repository.

To view the revised Maine legislation, visit […]

HHS OIG finds Security Lacking in Health Information Technology Infrastructure

The Department’s Office of the National Coordinator (ONC) provides leadership for the development and nationwide implementation of an interoperable health information technology (HIT) infrastructure. ONC is charged with guiding the nationwide implementation of interoperable HIT to reduce medical errors, improve quality, produce greater value for health care expenditures, ensure that patients’ individually identifiable health information is secure and protected, and facilitate the widespread adoption of electronic health records (EHR).

On May 16, 2011, the Health and Human Services Office of the Inspector General (OIG) released the Audit of Information Technology Security Included in Health Information Technology Standards.

The Executive Summary states: “ONC had application information technology (IT) security controls in the interoperability specifications, but there were no HIT standards that included general information IT security controls. General IT security controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls.”

At the time of the initial audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.

The OIG recommendations are as follows:

The ONC should broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures.
The ONC should use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices.
The ONC should emphasize to the medical community the importance of general IT security.
The ONC should coordinate its work with the Centers for Medicare […]

HHS Privacy and Security Tiger Team Findings Part 2

Last week, I summarized the findings of the Health and Human Services Health Information Technology Policy Committee Privacy and Security Tiger Team (Tiger Team).

As a reminder, their charge was to “make short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act (ARRA) of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Their findings were put out for public comment from April 11 to May 11, 2011. Below is a series of excerpts from the comments which represent the major points of discussion. The full set of comments can be viewed on the HHS Federal Advisory Committee Blog.

There should be a health industry discussion on general tracking and accounting of disclosures.  ARRA-HITECH proposed rules have not been released and there has been little industry discussion regarding how disclosures can be tracked especially in larger organizations where disclosure may occur. This is both a policy and a technology issue.
Methods for tracking exchange partners need to be developed.  Web site info with the ability for the patient to print should cover it, and maybe an annual signoff indicating they know where to find it if they want it. A NwHIN participant will have difficulty keeping track of all the potential indirect participants. If the level of HIEs gets to 225-250-plus keeping a list of the possible exchange partners becomes overwhelming and probably complicated for the individual to understand.
Confidentiality is crucial to reducing barriers to care for adolescents. It has long been recognized that if adolescents do not believe […]