Washington Debrief: OIG Report Says Certified EHRs Lack Necessary Security

Sept. 10, 2014
A report from the Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) found that ONC’s authorized testing and certification bodies (ATCBs) neglected to comprehensively ensure that test procedures and standards adequately protect patient information contained in certified electronic health records (EHRs).

Top News

ONC Provides New Details on 10-year Interoperability Roadmap

Key Takeaway: At Tuesday’s health IT policy committee meeting and in an accompanying blog post, the Office of the National Coordinator for Health IT (ONC) shared additional details about its 10-year vision for interoperability and announced the interactive Nationwide Interoperability Roadmap Community to capture stakeholder feedback.

Why it Matters: In June, ONC released their interoperability vision paper entitled, “Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure.” At the health IT policy committee meeting on Aug. 6, 2014, additional details were shared concerning the development and goals of a nationwide interoperability roadmap to accompany ONC’s vision paper.

ONC launched the interactive Nationwide Interoperability Roadmap Community to allow stakeholders the opportunity offer input, raise questions and provide use cases during the formation of roadmap. Stakeholder comments are due September 12, 2014.

ONC describes the roadmap as a detailed plan for improving the exchange of health data between health IT systems. This roadmap will supplement the interoperability vision paper and detail how the nation can collectively achieve the 3, 6, and 10 year interoperability milestones.

ONC will present the draft roadmap at the joint Federal Advisory Committee meeting in October. The draft roadmap will be posted for public comment in early 2015. ONC expects to have the roadmap completed in March 2015.

OIG Report Finds Certified EHRs Lack Necessary Security

Key Takeaway: A report from the Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) found that ONC’s authorized testing and certification bodies (ATCBs) neglected to comprehensively ensure that test procedures and standards adequately protect patient information contained in certified electronic health records (EHRs).

Why it Matters: According to the OIG report released this week, ONC’s certification standards for electronic health records may not properly protect patients’ health information, citing password complexity and user privilege changes as specific areas of weakness.

The report also questioned the NIST (National Institute of Standards and Technology) testing requirements, saying testing was not sufficient to guarantee EHRs would adequately secure and protect patient health information.

OIG recommend that ONC strengthen EHR test procedure requirements to address such issues and to ensure providers have EHR systems that have adequate security and privacy features.

ONC officials responded to OIG, stating that the ATCBs in question are no longer involved in the ONC Certification Program, adding, that with the new 2014 Edition EHR Certification Criteria, strengthened test procedures for common security and privacy features of EHRs were instituted.

OIG disagreed with ONC’s response to the report, saying the 2014 criteria failed to require multifactor authentication. OIG argued that ONC needs the ability to decertify products if there are data breaches.


Final IPPS Rule has HIT Implications

Key Takeaway :The final Hospital Inpatient Prospective Payment Systems (IPPS) rule includes provisions to further align quality measure reporting across the Hospital Inpatient Quality Reporting (IQR) and Medicare EHR Incentive programs, and updates inpatient Medicare payment rates for general acute care and long-term care hospitals with the goal of reducing Medicare spending and improving care quality.

Why It Matters: The rule aligns IQR and MU submission deadlines and measures for FY 2015. EHs and CAHs are expected to be able to use reporting methods similar to the electronic reporting pilot used for Meaningful Use in 2012 and 2013 to make it easier for hospitals to report measures.

Aside from Meaningful Use and IQR, the following programs are also affected by quality measure changes: LTCH Quality Reporting and PPS-Exempt Cancer Hospital Quality Reporting Programs. Further, the Value Based Modifier program – a quality-based program established under the Affordable Care Act (ACA) – is scheduled to disburse incentive payments of about $1.4 billion in FY 2015 under the final rule. At the same time, the Hospital Readmissions Reduction Program continues its payment reduction schedule mandated by ACA by increasing the maximum payment reduction from 2 to 3 percent. Since its inception, the program has shown some success – in 2012 and 2013, the US reduced Medicare readmissions by 150,000.

Participating general acute care hospitals will have a payment increase of 1.4 percent and term care hospitals will be 0.9 percent in FY 2015. Medicare inpatient payments will be reduced by one percent for hospitals that score in the top 25 percent for hospital acquired conditions. Overall, the rule will reduce inpatient Medicare spending by $756 million for FY 2015.

CMS has provided the following fact sheets to help understand the final rule: Fact Sheet: FY 2015 Policy and Payment Changes for Inpatient Stays in Acute-Care Hospitals and Long-Term Care Hospitals and Fact Sheet: CMS to Improve Quality of Care during Hospital Inpatient Stays.  The provisions will take effect on Oct. 1, 2014.

2015-Edition Certification in Last Stage of Approval Process

Key Takeaway: ONC sent the much-criticized voluntary 2015-edition certification criteria to the Office of Management and Budget (OMB) for its final approval on Aug. 1, 2014. This effort was the first by ONC to release EHR certification criteria independent of rulemaking alongside CMS for the Meaningful Use Program.

Why It Matters: While the proposed rule focused on fixing a number of issues with the 2014-edition certification criteria, the rule also added many new focuses for EHR Certification. Many stakeholders were frustrated with the release of the 2015-edition certification as many hospitals and providers have yet to fully implement 2014-edition software and developers don’t necessarily have the resources to focus on these new functionalities.

Although CHIME agreed that incremental certification updates need to occur between Meaningful Use stages, the breadth of this rule and its voluntary nature were of concern. There’s much speculation around what will be included in the final rule, but we won’t know until the final rule is released – our wish list includes the patient matching criteria that resulted from the ONC patient matching study last year. The final rule can be expected by the end of the year.

Edited for style by Gabriel Perna

Sponsored Recommendations

Care Access Made Easy: A Guide to Digital Self-Service for MEDITECH Hospitals

Today’s consumers expect access to digital self-service capabilities at multiple points during their journey to accessing care. While oftentimes organizations view digital transformatio...

Going Beyond the Smart Room: Empowering Nursing & Clinical Staff with Ambient Technology, Observation, and Documentation

Discover how ambient AI technology is revolutionizing nursing workflows and empowering clinical staff at scale. Learn about how Orlando Health implemented innovative strategies...

Enabling efficiencies in patient care and healthcare operations

Labor shortages. Burnout. Gaps in access to care. The healthcare industry has rising patient, caregiver and stakeholder expectations around customer experiences, increasing the...

Findings on the Healthcare Industry’s Lag to Adopt Technologies to Improve Data Management and Patient Care

Join us for this April 30th webinar to learn about 2024's State of the Market Report: New Challenges in Health Data Management.