WASHINGTON – When the public gets its chance to comment on upcoming meaningful use rules, the government's advisory health IT panel will know if they got the standards piece of the entitlement package right.

The Health IT Standards Committee will weigh those comments before producing final recommendations for 2011 meaningful use requirements to the Office for the National Coordinator for Health IT (ONC), said John Halamka, MD, vice chairman of the committee, at its final meeting for the year.

"The comments that follow release of the meaningful use rule will guide the committee if they need to revise them," he said. "We won't know what is simple and good enough until the regulation comes out." Halamka is also chief information officer of Beth Israel Deaconess Medical Center and Harvard Medical School.

ONC is expected to publish an interim final rule on certification standards for meaningful use by the end of the month. In the meantime, the Centers for Medicare and Medicaid Services will separately propose rules defining meaningful use and provider eligibility for incentives under the HITECH Act.

In a wrap-up of its standards work Dec. 18, Halamka said the committee tried to walk a middle course by recommending standards that were general enough that small and large organizations could incorporate them but that still meet health IT requirements under the health IT stimulus law.

The committee will continue its standards work in 2010 in line with a set of principles "to simplify engineering for the little guy, reduce barriers and make sure we provide all the tools and education necessary to accelerate the work ahead," Halamka said.

Tough to grasp
However, some standards for 2011 - particularly those governing security and privacy - have been difficult to grasp, even for committee members. "They don't understand what we're recommending and how the pieces fit together," said Dixie Baker, chairman of the committee's privacy and security workgroup.

The security standards the committee has recommended are based on the HIPAA security and privacy rule, she said. Those include requirements to authenticate identity, control access to health information by authorized users, encrypt and decrypt information, and create an audit trail to track who has accessed data. 

In explaining the security standards for 2011, Baker said they "are used on a daily basis when we use the Web even if you don't realize it." For instance, the standard that the committee used for identity authentication is the same standard used to conduct commercial transactions securely over shopping Web sites, such as Amazon.

"When you're about to present a credit card (online) a picture of a lock appears in the lower corner (of the Website)," said Baker. "What locks that is an approach that's called the Transport Layer Security," which authenticates one or both ends of the exchange, she said.

The encryption standard is based on the widely used Advanced Encryption Standard algorithm, which the National Institute of Standards and Technology endorses.

Moving forward, the committee will have to do more to inspire trust in health IT, said Baker, who is also senior vice president and chief technology officer for health solutions at SAIC.

"We have to start figuring out how to secure the network itself and build layers of security," she said. "We need to minimize the complexity and remove the decision-making from the individual as much as possible," she said