My overall conclusion is that CMS and ONC have done a fantastic job of addressing Security, Privacy, and HIE transport. Yes, I did say ‘fantastic’. There are some issues, but they can be fixed. There is room for improvement, but in many cases the stepping stones we need to take today are already on the trajectory toward the future. There are clear things that can and will happen in the future.
Security: They have made mostly minor changes to the security criteria. They leverage well-known best practices and apply them to healthcare only where there is something healthcare-specific. They leverage the existing HIPAA Security Rule and HITECH. The main changes this time around are added detail for audit logging, references to the cryptography experts at NIST (FIPS), synchronization of clocks, and recommendations around encryption on end-user devices.
Privacy: They have included Privacy! They should be given kudos for this. Nothing earth-shattering for any well-done EHR or operational environment, but welcome guidance and encouragement for those that had not yet addressed Privacy. Their changes directly support HIPAA Privacy and HITECH. They have identified that security audit logging is an input to an Accounting of Disclosures and an Access Log, and they have defined what these reports would include. They have given stronger guidance on Amendments.
HIE Transport: They have given us one or two Push-style transports, and recognized that these interoperate by way of a proxy service that can convert in both directions. There are no real surprises here, as ONC has spent much time developing the Direct Project. Healthcare providers and EHR developers should really be focusing beyond Direct, but supporting minimal Direct is a good thing to do. It allows us as an industry to move away from the fax and start universally communicating and manipulating documents. I will note that the more Exchange-like HIE models would still be considered compliant under the optional third transport.
Conclusion: I will have more detailed blogs on all of these topics. I will also explain why some want an Exchange-style HIE rather than a Push-style HIE. I will discuss what should be done regarding Consent for nationwide exchanges. And I will discuss other suggestions for Stage 3, with an explanation of why I think it is OK for CMS/HHS/ONC to wait. I do still encourage vendors and providers to go above and beyond the minimum required by Meaningful Use.
Updated with links to further discussion: