We have written quite a bit about the convergence between law, policy & technology that the HITECH Act embodies. Nowhere is this more evident than in HHS' recently released interim final rule ("IFR") regarding HIT Standards. This rule represents the codification of technology standards into law under the authority of the HITECH Act. This post provides a short introduction to the adopted standards.
45 CFR Section 170 Subpart B – Standards and Implementation Specifications for Health Information Technology
Both the primary standard and the alternative standard for each "topic" are listed where applicable. This Rule encompasses an entire alphabet soup of standards (and their corresponding acronyms) that healthcare stakeholders involved in EHR implementations will have to become accustomed to.
§170.202 Transport standards for exchanging electronic health information.
Standard: Simple Object Access Protocol (SOAP): The SOAP standard is a way for a program running in one kind of operating system (such as Windows) to communicate with a program in the same or another kind of operating system (such as Linux) by using the World Wide Web's Hypertext Transfer Protocol (HTTP) and Extensible Markup Language (XML) as the mechanisms for information exchange.
Alternative: A stateless, client-server, cacheable communications protocol that adheres to the principles of Representational State Transfer (REST) must be used. REST is not a standard but rather an "architectural style." It stands for "Representational State Transfer." Roy Fielding coined the term and explains it as follows:
REST is intended to evoke an image of how a well-designed Web application behaves: a network of web pages (a virtual state-machine), where the user progresses through an application by selecting links (state transitions), resulting in the next page (representing the next state of the application) being transferred to the user and rendered for their use.
§170.205 Content exchange and vocabulary standards for exchanging electronic health information.
(a) Patient summary record.
(1) Content Exchange Standards
Standard: Health Level Seven ("HL7") Clinical Document Architecture (CDA) Release 2, Level 2 Continuity of Care Document (CCD). HL7 is an organization involved in the development of international healthcare standards. HL7 is also used to refer to some of the specific standards created by the organization (e.g., HL7 CCD).
Alternative: ASTM E2369 Standard Specification for Continuity of Care Record ("CCR") and Adjunct to ASTM E2369. ASTM describes its CCR as follows:
The Continuity of Care Record (CCR) is a core data set of the most relevant administrative, demographic, and clinical information facts about a patient's healthcare, covering one or more healthcare encounters. It provides a means for one healthcare practitioner, system, or setting to aggregate all of the pertinent data about a patient and forward it to another practitioner, system, or setting to support the continuity of care.
(2) Nomenclature Standards
(i) Problem list.
Standard: The code set specified for the conditions specified at 45 CFR 162.1002(a)(1).
Alternative: International Health Terminology Standards Development Organization (IHTSDO) Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT®) July 2009 version
(ii) Procedures.
Standard: The code set specified at 45 CFR 162.1002(a)(2).
Alternative: The code set specified at 45 CFR 162.1002(a)(5).
(iii) Laboratory orders and results.
Standard: Logical Observation Identifiers Names and Codes (LOINC®) version 2.27, when such codes were received within an electronic transaction from a laboratory.
(iv) Medication list.
Standard: Any code set by an RxNorm drug data source provider that is identified by the United States National Library of Medicine as being a complete data set integrated within RxNorm.
(b) Drug formulary check.
Standard: Drug formulary and benefits information must be transmitted in accordance with 42 CFR 423.160(b)(5).
(c) Electronically transmitting prescription information.
(1) Content Exchange Standards
Standard: An electronic prescription for a Medicare Part D covered drug that is prescribed for a Medicare Part D eligible individual must be transmitted in accordance with 42 CFR 423.160(b)(2)(ii). In all other circumstances, if consistent with applicable state and other Federal law, electronic prescriptions may be transmitted in accordance with 42 CFR 423.160(b)(2)(ii) or using the NCPDP SCRIPT Standard, Implementation Guide, Version 10.6.
(2) Vocabulary Standards
Standard: Any code set by an RxNorm drug data source provider that is identified by the United States National Library of Medicine as being a complete data set integrated within RxNorm.
(d) Electronically exchange administrative transactions.
Content Exchange Standards and Implementation Specifications
(1) Standard and Implementation Specification: An eligibility for a health plan transaction as defined at 45 CFR 162.1201 must be conducted in accordance with:
(i) 45 CFR 162.1202(b) or for the period on and after January 1, 2012, in accordance with 45 CFR 162.1202(c); and
(ii) the operating rules specified in Phase 1 of the Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE)
(2) Standard and Implementation Specifications: Eligibility inquiry and response transactions between dispensers and Part D sponsors for Part D prescription drugs must be conducted in accordance with 42 CFR 423.160(b)(3)(ii).
(3) Standard and Implementation Specifications: A health care claims or equivalent encounter information transaction as defined at 45 CFR 162.1101 must be conducted in accordance with 45 CFR 162.1102(b) or for the period on and after January 1, 2012, in accordance with 45 CFR 162.1102(c).
(e) Electronically exchange quality reporting information.
(1) Standard: The CMS Physician Quality Reporting Initiative (PQRI) 2008 Registry XML Specification
(2) Implementation specification: Physician Quality Reporting Initiative Measure Specifications Manual for Claims and Registry
(f) Electronic submission of lab results to public health agencies.
Content Exchange Standard
Standard: HL7 2.5.1.
Vocabulary Standard
Standard: Logical Observation Identifiers Names and Codes (LOINC®), version 2.27, when such codes were received within an electronic transaction from a laboratory.
(g) Electronic submission to public health agencies for surveillance or reporting.
Standard: HL7 2.3.1
Alternative: HL7 2.5.1
(h) Electronic submission to immunization registries.
Content Exchange Standards
Standard: HL7 2.3.1
Alternative: HL7 2.5.1
Vocabulary Standard
Standard: HL7 Standard Code Set CVX - Vaccines Administered, July 30, 2009 version
Standards for Protection of Electronic Information
(a) Encryption and decryption of electronic health information.
(1) General. A symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used.
(2) Exchange. An encrypted and integrity protected link must be implemented.
(b) Record actions related to electronic health information.
The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, deleted, or printed; and an indication of which action(s) occurred must also be recorded.
(c) Verification that electronic health information has not been altered in transit.
Standard: A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit. The secure hash algorithm (SHA) used must be SHA-1 or higher.
(d) Cross-enterprise authentication.
A cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails must be used.
(e) Record treatment, payment, and health care operations disclosures.
The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
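An added example (not from the rule or the original post) of the record described in paragraph (b) and the in-transit check in paragraph (c). It uses SHA-256, which meets "SHA-1 or higher," and also attaches an HMAC, which the rule does not require, to show that an unkeyed digest alone does not detect an alteration by someone who recomputes it. Field names, identifiers, and the key are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

ACTIONS = {"created", "modified", "deleted", "printed"}  # actions named in (b)

def audit_record(patient_id, user_id, actions, when=None):
    """Build a record holding the fields paragraph (b) requires."""
    unknown = set(actions) - ACTIONS
    if not actions or unknown:
        raise ValueError(f"invalid actions: {sorted(unknown) or 'none given'}")
    if not patient_id or not user_id:
        raise ValueError("patient and user identification are required")
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {"date": when.strftime("%Y-%m-%d"), "time": when.strftime("%H:%M:%SZ"),
            "patient_id": patient_id, "user_id": user_id,
            "actions": sorted(set(actions))}

def canonical(record):
    """Stable byte encoding so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record, key):
    """Return (SHA-256 digest, HMAC-SHA-256 tag) to send with the record."""
    data = canonical(record)
    return (hashlib.sha256(data).hexdigest(),
            hmac.new(key, data, hashlib.sha256).hexdigest())

def verify(record, digest, tag, key):
    """Return (digest_ok, tag_ok) for a record as received."""
    want_digest, want_tag = seal(record, key)
    return hmac.compare_digest(want_digest, digest), hmac.compare_digest(want_tag, tag)

def demo():
    key = b"constructed-demo-key"  # constructed; real keys come from a key store
    sent = audit_record("PT-0001", "dr.lee", ["modified", "printed"],
                        datetime(2010, 1, 15, 9, 30, tzinfo=timezone.utc))
    digest, tag = seal(sent, key)
    # Constructed alteration: one field changed while the message is in transit.
    altered = dict(sent, user_id="someone.else")
    # An unkeyed digest can be recomputed by whoever altered the record.
    recomputed = hashlib.sha256(canonical(altered)).hexdigest()
    return {"intact": verify(sent, digest, tag, key),
            "altered": verify(altered, digest, tag, key),
            "altered_recomputed": verify(altered, recomputed, tag, key)}

if __name__ == "__main__":
    print(demo())
```

The last case is why the digest needs to travel over the encrypted and integrity-protected link of paragraph (a)(2), or be keyed or signed: on its own it only shows that the record and the digest agree with each other.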