Standards panel: check security on EHR modules

Buyers and sellers of electronic health record modules, which offer optional features such as clinical decision support or e-prescribing, should check the impact of those components on the overall security and privacy of patient information across the EHR.

Some modules require information exchange and thus should be capable of separately locking down patient data through encryption or other means.

That was among a number of recommendations made by the Health IT Standards Committee on the Interim Final Rule (IF), which will set new (IFR) on standards and certification criteria.

The committee’s vice chairman, Dr. John Halamka, summarized the committee’s comments on the IFR in a March 9 blog post. The comments will soon be posted at www.regulations.gov.

Halamka noted that security standards – particularly those strengthening encryption –  evolve quickly. As a result, “we recommended that a list of acceptable technology standards be included in the certification process.”

Halamka is the CIO of Harvard Medical School and Beth Israel Deaconess Medical Center.

The IFR lays out requirements for certified electronic health records that physicians and hospitals must use to qualify for health IT incentives. ONC is accepting comments to polish the rule until March 15, although it took effect Feb. 12.

Among clinical operations, the committee’s letter urged that the IFR “specify broad families of standards,” such as the major version of each standard but accompanied by a “detailed implementation guide that serves as a floor,” Halamka said.

For instance, Health Level 7 Version 2 should be used for reporting lab results, and the descriptive guide to establish HL7 v.2.5.1 would be the recommended minimum. Doing so will accommodate advances in the standard version without having to change the regulation.

Another example of a standard family the committee recommended is extensible mark-up language (XML) for quality reporting, with the implementation guide for the Physician Quality Reporting Initiative (PQRI) XML 2008 Registry as the floor to transmit quality data to the Centers for Medicare and Medicaid Services.

The committee also recommended a controlled vocabulary for vital signs, such as Systematized Nomenclature of Medicine-Clinical Terms (SNOMED-CT) and Logical Observation Identifiers Names and Codes (LOINC), with LOINC the preference. “Vital signs are needed in 2011 for hypertension control and body mass index reporting,” Halamka said.

The IFR should provide either no guidance or very specific guidance on standards, but “vague guidance is not helpful,” Halamka said.

The committee recommended that the provision listing Representational State Transfer (REST) and Service Oriented Architecture Protocol (SOAP) for data transmission be removed because of the lack of detail, he said.