Healthcare Groups Warn of Risks from HHS’ Proposed IT Certification Changes

Healthcare lobbyists are raising alarms about recent proposals from the U.S. government aimed at dismantling long-standing health IT certification criteria, particularly those related to privacy and security controls. They argue that such changes would shift the regulatory burden from health IT developers to healthcare providers, inadvertently increasing risks to patient data security.
The Office of the National Coordinator for Health IT released a proposal in December to reduce the existing health IT certification criteria from 60 to 34, while also modifying seven additional criteria. The intent articulated by officials was to lessen redundancies in regulation, thereby promoting innovation among health IT creators.
Current certified health IT includes various software applications such as electronic health record (EHR) modules and clinical decision support systems. However, according to officials, the relevance of certification to driving compliance in areas such as privacy and security has diminished over time. This assertion has sparked backlash from key industry stakeholders.
Organizations like the College of Healthcare Information Management Executives (CHIME), representing health CIOs and CISOs, have expressed strong opposition to the proposed reductions, particularly those concerning privacy and security measures. CHIME warns that these changes may compromise providers’ ability to uphold high cybersecurity standards.
In a letter co-signed by several health organizations, including the American Academy of Pediatrics and the American College of Physicians, CHIME stated, “Eliminating key criteria such as authentication and access control leaves healthcare providers vulnerable,” effectively transferring the responsibility of HIPAA compliance and data protection to the providers themselves.
This concern is set against a backdrop of heightened cybersecurity risk in healthcare, an industry known as a prime target for cyberattacks. Removing critical security requirements may not only exacerbate vulnerabilities but also impose additional costs on healthcare providers, since developers may come to treat privacy and security features as ancillary, separately priced services.
The American Hospital Association (AHA), representing thousands of healthcare facilities, has echoed similar concerns regarding the proposed changes. Although the AHA acknowledges the necessity for innovation in health IT, it emphasizes that any transformation should not compromise data protection and patient safety. They argue that removing such foundational security protocols may increase the risk to patient data integrity, potentially resulting in greater exposure to cyber threats.
As these discussions unfold, the implications for the healthcare sector are significant. With the pervasive threat of ransomware and other cyberattacks, the balance between deregulation to foster innovation and regulation to protect patient safety is under scrutiny. Stakeholders are calling on the Department of Health and Human Services to reconsider its approach, advocating for strengthened privacy and security requirements rather than their removal.