We began with a discussion of the challenge of writing certification criteria for privacy and security, since the security of EHRs should depend primarily upon infrastructure assurances (networks, servers, storage, client devices, operating systems) and specialized security services. The EHR itself should provide only those security services which are specific to protecting the confidentiality, integrity, and availability of the electronic health information it manages.
The certification criteria that the Privacy and Security Workgroup developed are all “addressable”. To meet the criteria, each Complete EHR or EHR Module submitted for certification needs to either:
– Implement the required security functionality within the Complete EHR or EHR Module(s) submitted for certification or
– Assign the function to a third-party security component or service, and demonstrate how the certified EHR product, integrated with its third-party components and services, meets the criterion
We discussed the important topic of securing data at rest and recommended encryption for data stored on end-user devices that the EHR controls. However, we recognized that encryption of data at rest in data centers is a risk management decision and out of scope for certification criteria.
We discussed audit trails and recognized that applications collect audit data in different formats using different architectures. The real value of an audit trail is the events it captures, not the format it stores them in. We selected the ASTM E2147-01 standard which specifies auditable events, leaving implementation details to each vendor. At some future time, it may be useful to standardize audit trail formats, but for now, there is limited value in imposing a standard audit trail format and architecture on existing products.
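To make the "events, not format" decision concrete, here is an added example (not code from the HITSC discussion or from any EHR vendor) of a format-agnostic audit trail check. It assumes a simplified event record (who, when, what action, which patient, outcome) that only loosely mirrors the kind of elements an audit standard such as ASTM E2147 asks for; the field names, the list of expected action types, and the two vendor log formats are all constructed for the example, not taken from the standard.

```python
"""Format-agnostic audit trail check (added example, not a vendor's code).

Two constructed vendor formats carry the same auditable events: vendor A
writes one JSON object per line, vendor B writes a pipe-delimited table.
The check normalizes both into the same AuditEvent record and then asks the
questions a certification tester cares about: are the required elements
present on every event, and were all expected action types observed?
The field set and action list are assumptions for this example, not the
ASTM E2147 schema.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime

# Elements every usable audit event must carry (assumed minimal set).
REQUIRED = ("timestamp", "user_id", "action", "patient_id", "outcome")


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # ISO 8601, e.g. "2011-10-20T14:03:11Z"
    user_id: str     # authenticated user who performed the action
    action: str      # e.g. "view", "update", "print", "export"
    patient_id: str  # record the action touched
    outcome: str     # "success" or "failure"

    def validate(self) -> list[str]:
        """Return a list of problems; an empty list means the event is usable."""
        problems = [f"missing {f}" for f in REQUIRED if not getattr(self, f)]
        try:
            datetime.fromisoformat(self.timestamp.replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp not ISO 8601")
        return problems


# Vendor A: one JSON object per line (constructed sample log).
VENDOR_A_LOG = """\
{"ts": "2011-10-20T14:03:11Z", "user": "dr.smith", "event": "view", "mrn": "MRN-1001", "result": "success"}
{"ts": "2011-10-20T14:05:42Z", "user": "dr.smith", "event": "print", "mrn": "MRN-1001", "result": "success"}
{"ts": "2011-10-20T14:07:09Z", "user": "jdoe", "event": "view", "mrn": "MRN-2002", "result": "failure"}
"""


def parse_vendor_a(text: str):
    """Yield AuditEvents from vendor A's JSON-lines format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        yield AuditEvent(rec["ts"], rec["user"], rec["event"], rec["mrn"], rec["result"])


# Vendor B: pipe-delimited with a header row (constructed sample log).
VENDOR_B_LOG = """\
WHEN|WHO|WHAT|PATIENT|OK
2011-10-20T14:03:11Z|dr.smith|view|MRN-1001|Y
2011-10-20T14:05:42Z|dr.smith|print|MRN-1001|Y
2011-10-20T14:07:09Z|jdoe|view|MRN-2002|N
"""


def parse_vendor_b(text: str):
    """Yield AuditEvents from vendor B's pipe-delimited format."""
    reader = csv.DictReader(io.StringIO(text), delimiter="|")
    for rec in reader:
        outcome = "success" if rec["OK"] == "Y" else "failure"
        yield AuditEvent(rec["WHEN"], rec["WHO"], rec["WHAT"], rec["PATIENT"], outcome)


def conformance_report(events, expected_actions=("view", "update", "print", "export")):
    """Summarize a normalized event stream regardless of its source format.

    expected_actions is an assumed list of auditable action types the tester
    expects to see exercised; anything absent is reported as missing.
    """
    events = list(events)
    invalid = []
    for i, e in enumerate(events):
        problems = e.validate()
        if problems:
            invalid.append((i, problems))
    seen = {e.action for e in events}
    return {
        "count": len(events),
        "invalid": invalid,
        "missing_actions": [a for a in expected_actions if a not in seen],
        "failed_access_attempts": sum(1 for e in events if e.outcome == "failure"),
    }


if __name__ == "__main__":
    a = list(parse_vendor_a(VENDOR_A_LOG))
    b = list(parse_vendor_b(VENDOR_B_LOG))
    print("same events despite different formats:", a == b)
    print(conformance_report(a))
```

The conformance logic never touches a vendor's on-disk layout; each vendor contributes only a small parser, which is the division of labor the criterion implies. Failed access attempts are counted separately because a log that records only successes misses the events an incident responder most needs.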
The HITSC approved the privacy and security certification criteria recommendations by consensus, with one small clarification of the SHA-1/SHA-2 hashing requirements (SHA-1 and SHA-2 are hash functions used for integrity verification, not encryption algorithms).
Next, we discussed the Standards and Interoperability Framework efforts on the NwHIN Exchange transport standards and transitions of care as well as a brief discussion of future work on radiology image exchange standards.
We agreed that additional testimony is needed from implementers of NwHIN Exchange to understand their experiences with each component of the Exchange specification:
NHIN Messaging Platform Specification
NHIN Web Services Registry Specification
NHIN Authorization Framework Specification
NHIN Patient Discovery Specification
NHIN Query for Documents Specification
NHIN Retrieve Documents Specification
NHIN Access Consent Policies Specification
NHIN Health Information Event Messaging (HIEM) Specification
NHIN Document Submission Specification
NHIN Administrative Distribution Specification
We're developing a set of questions for implementers and will seek broad input from those in the trenches who have coded or operated NwHIN Exchange environments.
We had a rich discussion about the consolidated CDA project. Consolidated CDA enhances and further constrains CCD/C32. Wes Rishel made the following comments:
Many standards experts who have been actively working on the Consolidated CDA project feel that it is a major accomplishment by HL7 to consolidate the specifications into a single document, organize them so that consistent XML structures are used for common data items in multiple document types, and to include well-specified data element names.
Many feel that the consolidated CDA alone will prevent as much as 50% of the programming errors found in C32 testing and that disagreements on the interpretations of the specifications will be far more easily resolved.
Programming, testing and resolution will all be enhanced again when the data element names are used in less highly nested XML and when Green CDA becomes accepted as the "over the wire" format.
HITSC will continue work on Consolidated CDA as it represents an important step forward for Transition of Care summaries.
Finally, we discussed the comments received about the Advance Notice of Proposed Rulemaking (ANPRM). This input will be incorporated into the Notice of Proposed Rulemaking.
September and October were landmark meetings for the HITSC, with completion of the standards and certification criteria needed for Meaningful Use Stage 2. What's next? Based on my discussion with HITSC experts, I believe our work ahead includes:
*Continued refinement of the Consolidated CDA implementation guides and tools to enhance semantic interoperability including consistent use of business names in "Green" over-the-wire standards.
*Standardizing DICOM image objects for image sharing and investigating other possible approaches. We'll review image transfer standards, image viewing standards, and image reporting standards.
*Simplifying the specification for quality measures to enhance consistency of implementation.
*Query Health - distributed queries that send questions to data instead of requiring consolidation of the data
*Extending the quality measurement vocabularies to clinical summaries
*Finalizing a standardized lab ordering compendium
*Specifying how the metadata described in the ANPRM should be integrated into health exchange architectures
*Supporting additional NwHIN standards development (hearings about Exchange specification complexity, review/oversight of the S&I Framework projects on simplification of Exchange specifications). Further defining secure RESTful transport standards.
*Accelerating provider directory pilots (Microdata, RESTful query/response that separates the transaction layer from the schema) and rapidly disseminating lessons learned.
I look forward to our November meeting.