"It's good to finally see an explicit requirement for auditing even read-only access to patient records and another explicit requirement for encryption of health information," said Kate Borten, CISSP, CISM, president of The Marblehead Group, which provides privacy and security assessments, regulatory compliance audits, and program development guidance. "Both points were a bit fuzzy under the security rule, and some organizations skirted those requirements. So requiring these features in the EHR systems makes it much more likely they'll be used."
Those requirements—encryption and audits on access to patient records—apply to the technology itself, Borten notes. "It will still be up to the eligible provider to implement the security technologies in a reasonable manner," she says.
In all, Borten calls the security standards in the EHR certification program "all good security controls."
"Most are basic and have been required by the security rule since 2005 (like unique user IDs)," she adds. "Some that are 'addressable' in the security rule are required to be built into the EHR technology such as automatic logoff."
Georgina Verdugo, director of the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, said her organization is viewing the new EHR program as an opportunity to strengthen privacy and security.
"The EHR certification rules are an outstanding opportunity for providers to revisit their privacy and security programs and improve the safeguards of health information," Verdugo said in an e-mail to HealthLeaders Media when asked about providers' concerns with privacy and security. "While adoption of EHRs poses new privacy and security challenges, we view this as an opportunity for improvement in these areas."