A year ago, we posed the question as to whether “cloud computing” was right for health IT. The central concern was more around privacy and security than it was around whether web-based Electronic Health Record (EHR) systems could offer the suite of features that the healthcare system needs in order to move away from paper and onto a digital platform.
When presenting the case for a web-based EHR, security and safety of data and of data exchange are among the foremost, consistent questions we get – “yes, it’s on the Internet, but is it safe? Is it HIPAA compliant?”
Since we posed the question over a year ago, much has evolved in the healthcare ecosystem. The most significant change has been the emergence of a new set of Certification standards for EHRs (both for inpatient systems and for ambulatory systems). The new standards, referred to as HHS Certification and also as ONC-ATCB Certification standards, are the required elements that clinicians and hospitals must meet in order to access Meaningful Use incentive money beginning next year.
A central piece of contemporary Certification is rigorous demonstration of 8 core privacy and security modules – access control, emergency access, automatic log-off, audit log, data integrity, authentication, general encryption, and encryption when exchanging electronic health information. The criteria must be met by all certified EHRs, regardless of whether they are locally housed or are based on the web.
Last week, Practice Fusion announced it received ONC-ATCB Certification as an EHR Module, which includes Certification on all the privacy and security elements. Given that Practice Fusion is a completely web-based system (it was developed from scratch on an Internet platform, not “migrated onto” the Internet from a locally-installed legacy product), this is significant. It answers the question about privacy and security for health IT on the web: yes (resoundingly), we can build a platform that is every bit as secure and safe as anything deployed locally, and that can stand up to the same criteria used to evaluate any EHR anywhere. It’s not easy to do, but it can be done.
What about CCHIT certification? We still get that question a lot, and note that many organizations (such as many of the Regional Extension Centers that are trying to help physicians choose and implement an EHR) still use CCHIT certification as a criterion. Prior to this year, CCHIT was the sole legacy certifying body; it created the certification rules internally and also “administered the test.” The ONC made a major change to this process under ARRA: the certification criteria are now created by one process, and the testing is carried out by a separate process. CCHIT remains one of three ONC-ATCBs and is certifying according to the new set of rules. Its “certification” according to its legacy criteria-set no longer carries much value, and it is certainly not something that will grant access to Meaningful Use bonus money.
One of the criticisms we have had about the legacy CCHIT criteria is that the entire certification domain around privacy and security was based on locally-installed systems. They focused on the security of the local network (isolating it from the outside world) and on assuring that client workstations within that network could communicate with the internal server. This is a “walled garden” approach that is characteristic of a legacy client/server environment. A web-based EHR is fundamentally different: the network (the Internet) is assumed to be intrinsically insecure (it is the public Internet, after all), so the key is the rigorous build-out of a secure channel between any Internet-connected computer anywhere and our hosted web servers. A secure local network is not a concept that a web-based system invokes. The new ONC-ATCB criteria recognize this; the legacy CCHIT criteria (of diminishing relevance) come from a different perspective.
As pioneers of a purely web-based EHR solution, we can now state with confidence that health IT does belong on the Internet. Safety and security of data and of data exchange can be achieved at the same high levels as anything deployed locally (perhaps even better). It’s not easy, but many of the tools and technologies are already in place (thank you, Internet banking). And thank you to the insight of the ONC policy-makers, who recognize the potential of the web for healthcare, and who have created rules that hold everyone, locally-deployed efforts and web-based efforts alike, to the same high standards.
Chief Medical Officer
Practice Fusion EMR