NIST standards to be incorporated into health IT certification process

NIST standards, already used by many federal agencies, will soon be worked into health IT certification programs being developed by the Office of the National Coordinator.

National Institute of Standards and Technology (NIST) standards, already incorporated into information systems

used by many federal agencies, are coming to health care.

NIST is reviewing feedback on health IT standards, and moving forward with plans to help the Office of the National Coordinator for Health Information Technology (ONC) develop a certification process for electronic health records (EHR).

NIST will consider the comments received through a “sources sought notice” on health IT usability, as well as input on certification models that ensure EHR systems conform to federal standards. The work complies with the American Recovery and Reinvestment Act of 2009 (ARRA), which mandated NIST standards-related research that supports the security and interoperability of EHR systems.

The work being conducted in health IT is an extension of the role NIST plays in guiding standards development for the government and the private industry, said Bettijoyce Lide, senior adviser and program coordinator for health IT at NIST. The institute was allocated $20 million in stimulus funding for its health IT work.

Toward that end, the institute recently awarded a $400,000 contract to Booz Allen Hamilton Inc. in McLean, Va., to provide program support as NIST advises the ONC about health IT certification models. The contract, known as a limited source justification, does not dictate that Booz Allen develop a certification program; rather, it is an extension of a previous contract NIST had with the consulting firm, Lide said. Because the ARRA work ramped up so quickly, “we needed the continuity of that administrative contract,” she said.

The Certification Commission for Health Information Technology (CCHIT) has been certifying vendor systems for several years, and at one time was the only officially recognized program for EHR systems. Last year, ONC said it wanted to make the certification process more competitive, and asked other organizations to submit plans to create testing programs.

NIST is getting into the vendor-certification business, officials said. At this point NIST is researching certification and studying best practices from the field, and will make recommendations to the ONC. The ONC then will determine what it wants in the certification process, which CCHIT or other certifying bodies, such as Austin, Texas-based Drummond Group Inc., will have to apply.

NIST is studying several of those testing programs and asking the industry to submit its best practices, Lide said. The institute’s contract with Booz Allen asks that the consultancy help NIST develop testing documents and frameworks, but it does not give NIST a final say in what the testing criteria will look like. The final decision belongs to the ONC, Lide said.

There are all sorts of subtleties in the process, and we’re walking ONC through that.

Bettijoyce Lide, senior adviser and program coordinator for health IT, National Institute of Standards and Technology

In addition, NIST might still conduct a competitive bid process regarding certification programs after it has reviewed comments and feedback from the industry. The Booz Allen contract does not take the place of that competitive process, Lide added.

What NIST is looking for in submissions from stakeholders includes a testing structure -- a laboratory setting for electronic systems, and a certification process that scores systems based on the results of lab tests. That information will be provided to ONC, Lide said. “There are all sorts of subtleties in the process, and we’re walking ONC through that,” she said.

For the usability component, NIST wants to develop a test process to determine whether health IT standards have been implemented properly in electronic systems. The goal of all the federal health IT work is to help the health care industry use technology easily and efficiently for care delivery. “If [the system] is not usable by the provider, it’s not going to provide its function,” Lide said.

NIST is working with standards development organizations to determine the most robust testing standards, and with standards harmonization panels to ensure that criteria are fair for various forms of EHR, Lide said.

NIST standards were discussed recently in a conference that addressed changes to the privacy and security provisions of the Health Insurance Portability and Accountability Act that affect providers and health IT vendors. Presenters during the Eighteenth National HIPAA Summit suggested following information security technical documents developed by the institute.

“In the world of security, the government does tend to defer to and rely on NIST” standards, said James Wieland, principal and chair of the health IT practice at Ober, Kaler, Grimes & Shriver, in Baltimore, during his presentation.

Let us know what you think about the story; email Jean DerGurahian, News Writer.

Dig deeper on Electronic health record system (EHR) certification

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.