Health Information Technology

Chairman Quayle, Ranking Member Edwards, and Members of the Subcommittee, I am Chuck Romine, Director of the Information Technology Laboratory at the Department of Commerce’s (DOC) National Institute of Standards and Technology (NIST). Thank you for the opportunity to appear before you today to discuss our roles in advancing the Administration’s commitment to enabling Electronic Health Records (EHRs) and to developing a Nationwide Health Information Network (NwHIN) that is reliable, usable, interoperable, and secure. I am pleased to testify today on NIST’s role in this endeavor, our collaboration with the Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health and Human Services (HHS), the lessons we have learned to date, how we engage other stakeholders, such as standards development organizations (SDOs), and how our efforts to advance meaningful use requirements are moving us closer to the goal of an interoperable electronic health records system.

NIST Role and Collaboration with ONC

NIST has been hard at work toward fulfilling the mandate of making our Nation’s healthcare system safer, more accessible, and more affordable through the use of information technology. This objective remains a priority for the Department of Commerce, and the Acting Secretary.

NIST continues to collaborate with the public and private sectors to enhance the adoption of interoperable EHRs. Reaching our common goal of interoperable EHRs will improve care for all Americans through:

  • clinical decision support and improved performance by healthcare practitioners;
  • empowered patients who are involved in their own care and wellness regimen and who have access to electronically enabled communications with providers;
  • monitoring of, and research for, public health;
  • availability of care anytime, anywhere via telemedicine and mobile health applications; and
  • emerging technologies such as personalized medicine and body area networks.

NIST’s laboratory activities in measurements and standards for health Information Technology (IT) are at the core of our mission to promote U.S. innovation and industrial competitiveness to enhance economic security and improve quality of life. In fact, NIST has a long and effective history of working with public and private partners to improve our Nation’s healthcare infrastructure. Building on these interactions, shortly after the creation of ONC in 2004, NIST and HHS signed an interagency agreement to collaborate on the development, implementation, and maintenance of the HHS/ONC health IT strategic plan. NIST’s roles have been articulated in both Federal Health IT strategic plans (2008 – 2012 and 2011 – 2015) and in the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009.

The creation of an integrated healthcare information infrastructure depends on all parties involved in the healthcare enterprise—consumers, healthcare professionals, researchers, and insurers—and on having systems, tools, and information that are complete, correct, secure and interoperable. The basis for achieving this rests upon the availability of healthcare information standards that are complete, implementable, testable, and that contribute to interoperability.

Through direction in HITECH, ONC has responsibility for adopting standards and certification criteria, and for establishing certification programs to test and certify EHR technology that can be used to support providers’ attempts to achieve meaningful use. Some of their activities in this area are oversight of the HIT Standards Committee, engaging the public in providing feedback, and the Standards and Interoperability (S&I) Framework.

NIST’s Information Technology Laboratory (ITL) and ONC are collaborating with industry, healthcare informatics-related standards organizations, consortia, and government agencies to develop consensus-based complete and unambiguous standards and to build tools and prototypes to advance the adoption of IT within healthcare systems. NIST focuses its efforts on developing the key standards that ONC needs for current and future meaningful use criteria.

For the 2014 Edition Final Rule, “Standards, Implementation Specifications, and Certification Criteria for Electronic Health Records Technology; Revisions to the Permanent Certification Program for Health Information Technology,” recently published in the Federal Register by ONC [1], NIST has been providing technical leadership on critical standards for areas such as secure messaging and document sharing. To support the ONC testing program, NIST is working with SDOs and others in areas such as electronic prescribing and public health. Each standard, test and test tool developed by NIST strengthens the infrastructure needed by ONC to certify systems to the Meaningful Use Stage 2 criteria and drives the healthcare enterprise towards interoperability.

For electronic prescribing, we are working with the National Council for Prescription Drug Programs (NCPDP), the American National Standards Institute (ANSI)-accredited standards organization responsible for the SCRIPT [2] standard to be used to send new prescription requests to a pharmacy. NIST staff are working with NCPDP to ensure the NIST-developed conformance test tool and test procedures cover the required elements necessary for compliance to the implementation guide (standard) NCPDP developed.

NIST is collaborating with the Centers for Disease Control and Prevention (CDC) on the testing program for reporting for Public Health (specifically, Immunizations, Syndromic Surveillance, Electronic Laboratory Reporting, and Cancer Registry), for which NIST staff are working with the Health Level 7 (HL7) implementation guide authors for those criteria specified in the final rule. The CDC is responsible for receiving the reports identified in the public health criteria. NIST has actively engaged subject matter experts in the development of the test tooling and test procedures, so that any interpretation and intent of meaning issues in the standards are addressed and tested correctly in the certification process.

NIST technical leadership and collaboration with industry and relevant SDOs was the basis for providing standards that were complete and unambiguous in time for ONC to rely upon those standards for the ONC rulemaking. For future ONC requirements, including future stages of Meaningful Use, NIST is also providing technical leadership in evolving standards for interoperable EHRs as well as medical devices, genomics, imaging, text retrieval and analysis, and semantics.

Meaningful Use Stage 1

In August, 2010, NIST published an ONC-approved test method (test procedures, test data, test tools) for testing EHR technology to meet the 2011 Edition EHR certification criteria, including standards and implementation specifications. During the development of the test method, NIST and ONC collaborated to ensure that the relevant standards and certification criteria were consistent and effectively represented within the test procedures. The approved NIST-developed test method evaluates EHR technology for functionality related to electronic prescribing, submission of laboratory results, plotting and display of growth charts, and control of access so that only authorized users can retrieve information.

According to ONC, more than 2500 EHR products developed by more than 800 vendors are currently certified to the 2011 Edition EHR certification criteria. All these products were tested using NIST-developed and ONC-approved test procedures.

Engagement Efforts with Stakeholders in the Accreditation Process

The HITECH Act calls for ONC, in consultation with NIST, to recognize a program for the voluntary certification of health information technology as being in compliance with applicable certification criteria for EHR technology that can support meaningful use requirements.

Meaningful use is being implemented in three stages. Financial incentives to physicians are tied to how well they conform to criteria described in rules associated with each stage.

Under the temporary health IT certification program, testing organizations authorized by ONC use the NIST test method and conformance tools to evaluate EHR software and systems so doctors’ offices, hospitals and other healthcare providers have confidence in the systems they purchase. For the ONC HIT Certification Program, NIST’s National Voluntary Laboratory Accreditation Program (NVLAP) has been acknowledged by ONC, in regulation, as the Accreditation Body for Test Labs, i.e., NVLAP accredits the private sector labs that perform the testing.

As set forth in Part 285 of Title 15 of the U.S. Code of Federal Regulations, NVLAP accredits testing and calibration laboratories that are found competent to perform specific tests or calibrations. Technical requirements for accreditation are specific for each Laboratory Accreditation Program (LAP), and are developed based on relevant and impartial expert advice, ensuring that all interested parties have the opportunity for effective involvement. NVLAP’s regulations specify that advice may be obtained directly through public workshops or other suitable means.

For the healthcare IT program, NVLAP organized a public workshop on April 26, 2011. Attendees represented a range of federal and private sector stakeholders. Establishment of the program was also announced in the Federal Register. In the time since the health IT program was launched, NVLAP has successfully accredited five laboratories. NIST intends to host additional workshops as new tools are developed and released.

Lessons Learned

The Medicare and Medicaid EHR Incentive Programs, a financial incentive for achieving meaningful use of certified EHR technology, are successfully increasing the rate of adoption of health IT. This, in turn, is enabling the achievement of health and efficiency goals. The program is designed in a staged approach, with each stage “raising the bar,” that is, providing more rigor in what is expected in a certified product and in meaningful use.

Stage 1 standards and criteria, for example, set a baseline for electronic data capture and information sharing and were specifically selected to be achievable by the Nation’s providers. Stage 2 takes the next step by reducing the optionality found in Stage 1 and includes new standards, including those for online access for patients to their health information and electronic health information exchange between providers. To support these changes, the 2014 Edition EHR certification criteria also include new or updated requirements for security, usability (safety-enhanced design) and interoperability.

Some lessons learned about why these programs are succeeding and have received positive feedback from all sectors of the healthcare enterprise, including clinicians, consumers, developers, SDOs, and others include:

  • The programs’ staged approach, allowing vendors and providers adequate time for transitioning to more advanced health IT;
  • The programs’ commitment to engage the community in all parts of the process;
  • The programs’ reliance on a consensus-based standards development process that actively and successfully engages industry;
  • The programs’ commitment to solicit broad public comment and incorporate that as appropriate;
  • The programs’ engagement with the Federal Advisory Committees as established under the ARRA, as well as with working groups set up by those committees for advice and counsel; and
  • The programs’ commitment to transparency in their process, with outreach in multiple modalities.

NIST embraces all these principles and applies them to its health IT activities. We will continue to be guided by these lessons learned and are prepared to meet the challenges as each stage becomes more rigorous in its requirements for meaningful use and certification. At the same time, through these processes and stages, we will succeed in the ultimate goal of truly interoperable health records.

It is clear that the competencies of individual agencies alone cannot get this job done, and that the complementary expertise, experience, and subject matter experts of ONC and NIST are required to collaborate from the beginning and closely for alignment and success.


Central to reaching the goals of health IT is ensuring secure use and sharing of health information, with the assurance of the confidentiality, integrity, and availability of that information. NIST works actively with government, industry, academia, and others to provide security tools, technologies, and methodologies that provide for the security and privacy of health information.

In 2011, NIST developed and issued a Health Insurance Portability and Accountability Act (HIPAA) Security Toolkit Application to help organizations better understand and implement the requirements of the HIPAA Security Rule, which establishes national standards to protect individuals’ electronic health information and provides the foundation for meaningful use security and privacy. With nearly ten thousand downloads to date, this toolkit is helping healthcare organizations of all sizes identify areas where security safeguards to protect electronic health information may need to be implemented or where existing implementations may need to be improved.

To assist organizations in addressing security and privacy concerns in the growing use of information technology in healthcare, NIST recently hosted its fifth annual HIPAA Security Rule conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” in June 2012. Co-sponsored with HHS’ Office for Civil Rights (OCR), the organization with delegated authority for the administration and enforcement of the HIPAA Security Rule, this event successfully highlighted the present state of health information security, as well as practical strategies, tips and techniques for implementing the HIPAA Security Rule. The prominent role of the ONC in this event further reinforced the importance of security and privacy to the adoption and use of electronic health records and health information technology.

The adoption and use of mobile technologies by both physicians and patients may lead to increased access to electronic health information as well as to improvements in the cost and quality of healthcare. Mobile device features are constantly evolving, as are the threats and the security safeguards necessary to combat those threats. Development and implementation of mobile computing solutions that provide trusted ways for physicians and patients to communicate with one another while ensuring protection of electronic health information are critical. As NIST moves forward collaboratively with industry to bridge the security gaps presented by today’s smart phones, tablets, and other mobile devices, it welcomes the opportunity to work closely with ONC and other interested healthcare stakeholders to assist in this work. Such efforts are already under way; for example, NIST is collaborating with ONC on mobile device security practices and participated in the roundtable co-sponsored by ONC and OCR on this topic.

Small Business Outreach

Providing for the security and privacy of electronic health information is often particularly challenging for small healthcare providers, who may lack the security infrastructure or expertise of larger healthcare providers. The security challenge for small healthcare providers, as for small businesses everywhere, is to identify security safeguards that are practical and can be implemented cost-effectively. Such organizations also need greater security awareness and education so that limited resources are well applied to meet the most relevant and serious threats to the information entrusted to them. To address this need, NIST, the Small Business Administration (SBA), and the Federal Bureau of Investigation (FBI) co-sponsor a series of training workshops on computer security for small businesses that provide an overview of information security threats, vulnerabilities, and corresponding protective tools and techniques, with a special emphasis on providing useful information that small business personnel can apply directly. NIST looks forward to working with ONC to tailor this workshop series to the security needs of the healthcare community.

National Cybersecurity Center of Excellence

NIST recently announced a partnership with the State of Maryland and Montgomery County, Maryland, to establish the National Cybersecurity Center of Excellence (NCCoE), a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE will bring together experts from industry, government, and academia to design, implement, test, and demonstrate solutions and promote the widespread adoption of practical, interoperable cybersecurity solutions that address the real-world needs of complex IT systems across a variety of industry use cases including the secure use and exchange of health information.

NIST established its first NCCoE project around health IT by leveraging the experiences of the HHS Office for Civil Rights and the Office of the National Coordinator. Healthcare providers increasingly need to securely exchange electronic health information with each other. The confidentiality, integrity and availability of this information must be protected. The secure exchange of electronic health information is often particularly challenging for small healthcare providers, who, as noted above, may lack security infrastructure or expertise. The goal of this NCCoE project is to build and demonstrate a security platform that will enable small healthcare providers to securely and cost-effectively exchange electronic health information. The security platform will be based on commercial off-the-shelf components that meet cybersecurity standards and best practices. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy solutions that meet the security objectives of the Nation’s small healthcare providers.


Improving the usability of EHR systems represents a key way to support healthcare organizations in improving the efficiency, effectiveness, user satisfaction and safety of these systems. In the 2014 Edition Standards and Certification Criteria Final Rule, ONC has included a certification criterion around safety-enhanced design that references NIST technical guidance in this area.

NIST research and development on usability is focused on assessing and validating that doctors, nurses, other clinicians and all other end users of EHR systems can use them effectively, efficiently and without use errors.

Over the past two years, NIST has developed and published technical guidance to aid the EHR community in measuring and improving the usability and safety of EHR systems, including a three-step protocol to validate usability. NIST has reached out extensively to industry, academia, other government agencies, healthcare organizations, and other stakeholders to gain feedback and inform the development of this guidance.

NIST technical guidance on usability of EHR systems is incorporated in the 2014 Edition Standards and Certification Criteria, which includes a certification criterion for Safety-Enhanced Design. NIST is authoring the test procedure for this criterion. NIST’s work on EHR usability is also referenced in the Institute of Medicine’s landmark report on health IT and safety. This report applauds the rapid progress in health IT and makes recommendations on this path forward to continue optimizing Federal efforts for this national priority. In addition, NIST guidance is being incorporated into system acquisition requirements by the Veterans Administration and other public and private healthcare organizations.

Recently, NIST worked with leading healthcare organizations, human factors experts and patient safety experts, to publish a technical report, titled “A Human Factors Guide to Enhance EHR Usability of Critical User Interactions when Supporting Pediatric Patient Care,” (NIST IR 7865) which addresses how to improve the design, usability and safety of EHR systems used in the care of children, an example of a vulnerable population in need of special consideration.

Some important areas for future usability research include the usability of mobile health IT applications (The Healthcare Information and Management Systems Society, HIMSS, recently called on NIST to develop a validation protocol for mobile devices), consumer health IT systems (The National Academies of Sciences, NAS, recommended ONC and the Agency for Healthcare Research and Quality, AHRQ, partner with NIST to develop technical guidance in this area) and health IT workflow, especially as it relates to accountable care and other coordinated care models.


The HITECH Act directs NIST to “test… standards and implementation specifications, as appropriate, in order to assure the efficient implementation and use of such standards and implementation specifications.” This primarily refers to implementation and use—i.e., conformance testing. There is an important distinction between conformance testing and interoperability testing. In conformance testing, a single implementation is compared to the standard to be sure that the implementation does what the standard specifies. Conformance testing is seen as a means to increase the probability that systems will operate as intended.

Interoperability testing requires that several implementations be tested against each other, with the standard used as a reference to judge problems and incompatibilities, and as a guide to the functions that should be tested and the general behavior to be expected. Conformance testing, therefore, is used to verify that an implementation conforms to the established specifications of the standard. Interoperability testing may be viewed as a supplement to conformance testing, to verify that diverse implementations do indeed work together effectively to deliver the expected results. With NIST’s unique expertise in conformity assessment, and its mandate under the National Technology Transfer and Advancement Act (NTTAA - Public Law 104-113), NIST coordinates Federal, State, and local standards and conformity assessment activities with the private sector, with the goal of eliminating unnecessary duplication and complexity.

Each stage of meaningful use requirements and supporting standards is designed to advance interoperability. NIST has developed a conformance test tool that will be used for the certification testing program for the 2014 Standards and Certification Criteria that will also be an initial tool in a “test bed” that simulates exchange between a test EHR technology and a standards-compliant EHR technology. This will eventually allow for all levels of interoperability to be assessed in the electronic exchange of transition of care and referral summaries. This capability will also provide a platform for testing more comprehensive forms of interoperability between EHR technologies.


In addition to its collaborations on standards, testing, security, usability, interoperability and certification for meaningful use, NIST’s cutting-edge research, advanced measurement science, and participation in standards development are building the infrastructure for a future that offers even more promise for emerging healthcare breakthroughs in the United States. NIST initiatives are examining the best ways for humans to interact with next-generation health IT. They are significantly improving medical device interoperability and making healthcare safer in the process. NIST researchers are exploring innovative techniques by which critical patient diagnostic and treatment information can be collected and transmitted continuously in a safe and secure manner that addresses patient privacy concerns. NIST is enabling the integration of the results of its research into interoperable EHRs and a nationwide health information network. NIST is pleased to contribute to making our exciting vision of health IT a reality.

1 Link is no longer active

2 SCRIPT is a standard created to facilitate the transfer of prescription data between pharmacies, prescribers, intermediaries, and payers. The current standard supports messages regarding new prescriptions, prescription changes, refill requests.

Created December 6, 2016, Updated July 18, 2019