The Office of the National Coordinator for Health Information Technology is not doing enough to ensure data security in electronic health records, argues a new report from HHS' Office of Inspector General.
Currently, the ONC deputizes private bodies under its EHR incentive program to certify records as meeting certain minimum technology standards. Providers can't use noncertified EHR software to attest to meaningful use.
The trouble, the report said, is that while providers may presume that their EHR systems will protect patient data, the procedures used by the certification bodies may not ensure that protection. The report specifically scrutinizes five certification bodies deputized under the ONC's now-defunct temporary program.
Under the temporary program requirements, the certifying bodies were supposed to conduct periodic re-evaluations of certified EHRs to ensure they remained compliant. But of the five certification bodies the report audited, three didn’t have procedures in place to re-evaluate certified EHRs. As a consequence, an EHR that was modified after certification might not comply with federal standards. The report noted this lack of oversight might have far-reaching consequences. For example, an EHR could be modified to encourage upcoding.
The Inspector General’s report also expressed concern that the certification bodies did not have enough training, and that testing procedures approved by the ONC were insufficient. As one serious example, current procedures allow certification bodies to approve EHRs that have a single-character password. User privilege standards were another area of concern.
The ONC said it believes the concerns raised by the Inspector General aren’t relevant because they focus on a system created under a temporary program. Since then, the agency has approved a permanent program. That program, the ONC said, has more stringent requirements for EHR evaluation.
But the Inspector General’s office also sees flaws in ONC’s permanent program. Some of its concerns, such as password length or user privileges, still apply for ONC’s 2014 certification criteria, the Inspector General’s office said. The ONC has not “directly address[ed]” its authority to remove an EHR from the certified product list, “absent improper conduct” from a certification body, the OIG report noted. “Therefore, if an EHR is exploited and used to conduct malicious activities, ONC is not able to remove the EHR, even temporarily, from the Product List to prevent further purchases,” the report stated.

Follow Darius Tahir on Twitter: @dariustahir