Federal panel approves EHR security, privacy standards

Aneesh Chopra, the administration's chief technology officer

The Health IT Standards Committee Tuesday endorsed a set of security and privacy standards for electronic health record systems that it said would get progressively tougher without holding back wider health information sharing.

The committee's security and privacy workgroup clarified requirements that electronic health record systems must meet so both vendors and healthcare providers could use a number of access controls in their electronic health record systems and practices by 2011.

Workgroup member David McCallie, vice president for medical informatics at Cerner Corp., made the presentation to the Committee.

McCallie said the standards were designed to ensure that the security of health IT systems is powerful enough to protect health information in a variety of private and public sector settings while at the same time promoting the sharing of records.

For instance, organizations that want to swap information may have differing security and privacy requirements, making it a challenge to exchange data. "If they want to communicate with each other, do we rise to the most stringent system or lower ourselves to the most common denominator?" he said.

The standards under discussion cover access control, authentication, authorization and transmission of health data. The group tried to make the guidance clear enough to make interoperability between organizations a reality, McCallie said.

"Security is a balance between ease-of-use, cost and bullet-proof protection," added John Halamka, MD, vice chairman of the Committee. The workgroup has tried to provide "a rational glide path to increasingly constrained security," he added.

Under the standards approved Tuesday, by 2011 EHR systems would have to meet several standards for access control, including the technical requirements of the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Advanced Encryption Standard.

The HITECH provisions of the economic stimulus legislation toughened HIPAA's security and privacy rules. The standards endorsed today cover the terms of those rules.

Showing 2 Comments

say: security approval from HIT

May I ask a question??? What does the title say HIT Approves Security... well, on the two pages that were full of double and triple talk I did not see one bit of information as to what security measures will be in place. I did see a mention of encryption once in the two pages. Guys, Ladies & Gentlemen, People, if you have something to say, SAY IT...

My program has the following security measures:
1- Password protection
2- 256 AES Encryption (expandable to 512 AES Encryption)
3- Separate encrypted folder for more personalized storage.
4- Guest portal is read only
5- Any particular file can be excluded from printing out or transferring to another chip or computer...

So these 5 steps, I guarantee you, will be above those that HIT will establish, if we ever find out what they are... I am waiting to hear something or see something in writing, especially when you put in teaser headlines...

Brian Ahier say: HIT Standards Meeting

I am very glad to see the leadership of Aneesh Chopra in this process. Dr. Blumenthal and the ONC staff are also doing a fine job, and the real unsung heroes in moving the puck forward for health IT are the many volunteers serving on committees, workgroups and HITSP Tiger Teams.

I have posted the rough draft transcript and meeting materials from the 9/15/09 HIT Standards Committee meeting here:

http://ahier.blogspot.com/2009/09/health-it-standards-committee-915.html