HIT Standards Committee Privacy and Security Workgroup: Standards and Certification Requirements for Certified EHR Modules

Dixie Baker, Chair
Walter Suarez, Co-Chair

November 2, 2012


Agenda

10:00 am Call to Order/Roll Call - MacKenzie Robertson, Office of the National Coordinator

10:05 am Welcome & Assigned Task Overview - Dixie Baker, Chair; Walter Suarez, Co-Chair

10:15 am ONC Background: 1) Factors Motivating Change in EHR Module Certification; 2) NSTIC Compatibility Constraint - Steve Posnack, Will Phelps and Debbie Bucci, Office of the National Coordinator

10:45 am Discussion of Minimal Requirements for EHR Module Certification - Workgroup

11:20 am Next Steps

11:25 am Public Comment

11:30 am Adjourn


Assigned Task Overview

• 2014 Edition final rule modifies the certification processes ONC-Authorized Certification Bodies (ONC-ACBs) will need to follow for certifying EHR Modules in a manner that … reduces regulatory burden by eliminating the certification requirement that every EHR Module be certified to the “privacy and security” certification criteria.

• Instead, the privacy and security capabilities are included in the Base EHR definition that every EP, EH, and CAH must meet as part of meeting the CEHRT definition.


2014 Edition: Base EHR Definition


2014 Edition: Complete EHRs and CEHRT

• Complete EHR – EHR technology that meets the Base EHR definition and has been developed to meet, at a minimum, all mandatory 2014 Edition EHR certification criteria for either an ambulatory setting or inpatient setting

• Certified EHR Technology (CEHRT) – EHR technology certified under the ONC HIT Certification Program to the 2014 Edition EHR certification criteria that has:

(i) The capabilities required to meet the Base EHR definition; and

(ii) All other capabilities that are necessary to meet the objectives and associated measures under 42 CFR 495.6 and successfully report the clinical quality measures selected by CMS in the form and manner specified by CMS (or the States, as applicable) for the stage of meaningful use that an eligible professional, eligible hospital, or critical access hospital seeks to achieve.


2014 Edition: Two Approaches for Meeting CEHRT Requirement

[Figure: diagram with boxes labeled ONC HIT Certification Program, Certified Complete EHR, Base EHR Def, CEHRT, and Certified EHR Module.]

EPs, EHs, and CAHs are required to meet CEHRT definition using certified Complete EHR or combination of certified EHR Modules


2014 Edition: Posnack Slide from Sept 2012 HITSC Presentation (showing Stage 2 examples only)

[Figure: two panels, "2014 Edition Complete EHR" and "2014 Edition EHR Module Approaches". Labels in the figure: Base EHR, MU Core, MU Menu, Vendor A, Vendor B, Vendor C, Vendor X, Stage 2 EP/EH, Stage 2 EP/EH w/exclusions.]


Privacy and Security Workgroup Task

• Provide recommendations, targeted for the 2016 Edition of EHR certification. Specifically, they have asked us to identify the minimal set of privacy and security standards and certification criteria for certifying EHR Modules

• Recommendations should anticipate future broad adoption of NSTIC-based authentication, and therefore should be compatible with the NSTIC* approach

*National Strategy for Trusted Identities in Cyberspace


Questions to be Addressed (1 of 2)

1. What is the minimal set of privacy and security properties (i.e., left-hand column in the table above) that every certified EHR Module should exhibit (either natively or by using external services)? What standards can support these properties?

2. What privacy and security properties might a certified EHR Module need to exhibit conditionally? For example, an e-prescribing Module may need to support two-factor authentication; an integration Module may need to be able to encrypt data for transmission. What standards can support these properties?

3. What certification criteria can be used to certify the privacy and security properties of EHR Modules? If the Module depends upon an external service to meet these criteria, does the external service need to be certified? If not, how can the Module be tested for conformance with these criteria?


Questions to be Addressed (2 of 2)

4. Should the privacy and security services implemented in one EHR technology be accessible to, and interoperable with, other EHR Modules that are separately certified?

– If not, is the minimal property set defined in 1 still valid?

– If so, what functional interactions between EHR technology #1 and EHR technology #2 can and should be addressed by interoperability standards and certification criteria?

5. Given that the 2014 Edition EHR standards and certification criteria have been released, with no prerequisite privacy and security certification requirements for EHR Modules in order to be certified, should ONC offer guidance regarding appropriate or suggested EHR Module use of the privacy and security properties and services of other EHR technology?


ONC Background

Steve Posnack, Will Phelps, Debbie Bucci

• Factors Motivating Change in EHR Module Certification

• NSTIC Compatibility Constraint