The Health IT Standards Committee today endorsed a set of security and privacy standards for electronic health record systems that it said would get progressively tougher without holding back wider health information sharing. The committee’s security and privacy workgroup clarified requirements that electronic health record systems must meet so both vendors and healthcare providers could use a number of access controls in their electronic health record systems and practices by 2011...
Under the standards approved today, by 2011 EHR systems would have to meet several standards for access control, including the technical requirements of the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Advanced Encryption Standard (AES).
The HITECH provisions of the economic stimulus legislation toughened HIPAA’s security and privacy rules. The standards endorsed today cover the terms of those rules.
Under these standards, EHRs should be able to permit access only to those persons or applications that have been granted access rights. The standards also cover the ability to encrypt and decrypt electronic personal health information.
In 2013, EHRs would have to meet additional standards to further tighten security, including Health Level 7 Role-based Access Control (RBAC), Security Assertion Markup Language (SAML) and WS-Trust, the name of an OASIS standard to construct secure messages...
Read the complete article by Mary Mosquera in Government Health IT.