Workgroup wants more flexibility for protection of patient info in MU Stage 2

There should be more integration of electronic health record infrastructures and specialized security products and services to protect electronic patient information in the next stage of the Meaningful Use incentive program, according to the Office of the National Coordinator for Health IT's Standards Committee Privacy and Security Workgroup. The group reported its recommendations at a meeting last week. 

The report, created by workgroup chair Dixie Baker from SAIC, and co-chair Walter Suarez, from Kaiser Permanente, recommended that to achieve that integration in Stage 2 of Meaningful Use, the ONC and the National Institutes of Standards and Technology should consider making the certification process more flexible. In doing so, each privacy and security certification criterion would be "addressable" and would either be a functionality within an EHR or integrated with a third party component or device. Currently, the functionality must be within an EHR, which discourages the use of stronger security mechanisms.

The workgroup also recommended other changes affecting privacy and security in EHR systems, such as:

  • Encryption of data at rest on end user devices controlled by the EHR;
  • A broader scope of audit logs, which should be called "activity auditing";
  • Clarification of what "automatic log off" means.

In addition, the workgroup made several new recommendations pertaining to privacy and security and consumer communications, including use of at least one factor authentication, such as a password, and using a warning before protected health information is downloaded as a guidance or best practice. 

To learn more:
- listen to the meeting or review the written materials