CHIME, AHA, Others Contend Privacy, Security Burden Would Shift to Providers

Healthcare lobbyists are telling the U.S. federal government that proposals to eliminate longstanding health IT certification criteria – especially requirements related to privacy and security controls – will shift regulatory burden from health IT developers to healthcare providers.
The Office of the National Coordinator for Health IT in December proposed slimming down 60 current health IT certification criteria to 34 and modifying seven others. The department said it intended to reduce redundant regulatory burdens for the makers of health IT and enable them to become more innovative.
Certified health IT encompasses software such as electronic health record modules, patient engagement tools, clinical decision support systems and other related products.
“We have observed over time that certification is likely no longer a primary factor driving improvements or compliance in particular areas, such as with respect to privacy and security,” the office, a component of the Department of Health and Human Services, said in the proposed rulemaking.
HHS health IT certification requirements – initially focusing on EHRs – first began in 2010, following the enactment of the HITECH Act of 2009. They have evolved, expanded and been modified.
The office also contends that certain current criteria – including health data privacy, security and trust expectations – are already set in other HHS regulatory provisions, such as those relating to its Trusted Exchange Framework and Common Agreement.
But some healthcare industry groups, including the College of Healthcare Information Management Executives – a professional association of health CIOs and CISOs – are pushing back on some of the various health IT certification criteria HHS is looking to drop, especially around privacy and security requirements.
“The proposed changes shift the ability for providers utilizing certified health IT to maintain the highest cybersecurity posture available to them,” CHIME said in its comments and in a letter co-signed by several other industry groups, including the American Academy of Pediatrics, American College of Physicians and the American Health Information Management Association.
“Removing authentication, access control and authorization from the Certification Program leaves providers who rely on these criteria vulnerable as it shifts responsibility for maintaining HIPAA compliance and safeguarding patient data on to them,” the letter said.
The groups said they recommend that HHS preserve these criteria and search for ways to strengthen privacy and security requirements within the certification program.
“In a sector that remains the most targeted for ransomware, deregulation in the privacy and security context must be carefully calibrated to avoid unintended patient safety and cybersecurity risks,” Chelsea Arnone, senior director of federal affairs at CHIME, told Information Security Media Group.
“Baseline privacy and security certification criteria are not peripheral features; they are foundational safeguards and core technical safeguards that hospitals operationalize within their enterprise security architecture,” Arnone said.
“Capabilities such as access controls, audit logging, and encryption form the backbone of how hospitals operationalize HIPAA compliance and incident response. If those baseline requirements are removed, the risk is not hypothetical,” she said.
In CHIME’s public comments, the group also told HHS that certain other proposed criteria changes, including a requirement HHS is considering dropping from its “transitions of care” certification criteria, could also negatively affect the privacy, security and safety of patients.
That transitions of care provision change proposes to remove the “create” requirements for patient matching – such as name, date of birth, current address, phone number and sex – within continuity of care documents.
“Currently that provision is the only criterion that references patient matching within the Certification Program,” CHIME said. “The inclusion of patient matching criteria within the continuity of care document improves patient safety and security by reducing instances of patient misidentification.”
The American Hospital Association, which represents 5,000 hospitals and health systems, expressed similar concerns in its comments about the proposed changes to the privacy and security certification criteria, as well as to the transitions of care criteria.
“AHA recognizes the important role of developers in fostering innovative health IT applications and agrees that the proposed changes could reduce barriers for them,” AHA said.
At the same time, innovation should be balanced with reasonable policies that protect sensitive patient data and ensure security and privacy, AHA wrote. “The proposed removal of all privacy and security certification criteria has risks that outweigh potential benefits.”
The AHA said it is concerned that removing the privacy and security criteria would inappropriately shift risk and cost to providers. “Developers may impose additional fees for these features since they would be considered ‘add-on’ services. Instead of saving costs and reducing burden, the costs and burden would shift to end users,” the AHA wrote.
“The agency also asserts that privacy and security criteria have been widely adopted. This may be true for existing certified health IT products, but it may not be true for new entrants and future certified technologies,” the AHA said.
