Finally, A Reasonable Plan for Certification of EHR Technologies

A caution to readers: This post is about methods for certifying Electronic Health Record (EHR) technologies used by physicians, medical practices, and hospitals who hope to qualify for federal incentive payments under the so-called HITECH portion of the American Recovery and Reinvestment Act (ARRA). It may not be as critical as the larger health care reform effort or as entertaining as Sarah Palin, but it WILL matter to hundreds of thousands of physicians, influencing how difficult or easily those in small and medium size practices acquire health IT. And indirectly for the foreseeable future, it could affect millions of American patients, their ability to securely access their medical records, and the safety, quality, and the cost of  medical care.

Three weeks ago, on July 14-15, 2009, the ONC’s Health IT Policy Committee held hearings in DC to review and consider changes to CCHIT’s current certification process. The Policy Committee is one of two panels formed to advise the new National Coordinator for Health IT, David Blumenthal. In a session that was a model of open-mindedness and balance, the Committee heard from all perspectives: vendors, standards organizations, physician groups, and many others.

And then, on July 16, they released their final recommendations on what is now referred to as “HHS Certification.” The effects of their recommendations – these are available online and should be read in their entirety to grasp their extent – are potentially monumental, and could very positively change health IT for the foreseeable future.

At the heart of these hearings was the issue of who will define the certification criteria and who will evaluate vendors’ products. Among many others, we have voiced concerns that the Certification Commission for Health Information Technology (CCHIT), the body currently contracted by HHS to perform EHR certification, has been partial to traditional health IT vendors in defining the certification criteria, and in the ways certification is carried out, and thereby able to inhibit innovation in this industry sector. Despite its leaders’ claims that the certification process has been developed using an open framework, CCHT’s obvious ties to the old guard IT vendors have created an overwhelming appearance of conflict of interest. That appearance has not been refuted by CCHIT’s resistance to and delays in implementing interoperability standards, or by its focus on features and functions over safety, security, and standards compliance.

In the hearings that led to the recommendations, longtime IT watchers were treated to some extraordinary commentary, much of which dramatically undermined CCHIT’s position.

“HHS Certification means that a system is able to achieve government requirements for security, privacy, and interoperability, and that the system would enable the Meaningful Use results that the government expects…HHS Certification is not intended to be viewed as a ‘seal of approval’ or an indication of the benefits of one system over another.”

In other words, as the definition of Meaningful Use is now tied to specific quality and safety improvements and cost savings that result from health IT — among them e-Prescribing, quality and cost reporting, data exchange for care coordination, and patient access to summary health data — HHS Certification will closely follow. Rather than pertain to an EHR’s long list of features and functions, some of which have nothing to do with Meaningful Use, certification will be focused on each IT system’s ability to enable practices and hospitals to collect, store, and exchange health data securely.

Who Determines the Certification Criteria

The Office of the National Coordinator – not CCHIT – would determine certification criteria, which “should be limited to the minimum set of criteria that are necessary to: (a) meet the functional requirements of the statute, and (b) achieve the Meaningful Use Objectives.” As regulator, funder for this project, and a major purchaser of health services, the government, not users or vendors, will now determine HHS’ Certification criteria.

A New Emphasis on Interoperability

“Criteria on functions/features should be high level; however, criteria on interoperability should be more explicit.” That is, functions/features criteria will be broadly defined, but there will be a greater focus in the future on the specifics associated with bringing about straightforward data exchange.

Multiple Certifying Organizations

ONC would develop an accreditation process and select an organization to accredit certifying organizations, then allow multiple organizations to perform certification testing. In other words, the Committee recommended that CCHIT’s monopoly end.

Third Party Validation

The “Validation” process would be redefined to prove that an EHR technology properly implemented and used by physician or hospital can perform the requirements of Meaningful Use. Self-attestation, along with reporting and audits performed by a Third Party, could be used to monitor the validation program.

Broader Interpretation of HHS Certification

HHS Certification would be broadly interpreted to include open source, modular, and non-vendor EHR and PHR technologies and their components.

These bold, forward-thinking proposals from the HIT Policy Committee have not been accepted yet. But in our opinion they should be. These measures would encourage new technologies to enter the market for physician medical practices seeking EHR technology, and wrest control away from the legacy health IT vendors that have maintained barriers and delayed adoption, so you can be sure that the old guard players are doing everything possible to have them rejected.

But these are hugely progressive steps in the right direction, toward allowing HIT to enable improvements in care and cost efficiencies that would be in the best interests of users and the public at large. If implemented, the changes recommended by the HIT Policy Committee would create greater choice, more standardization, lower price, less interruption of the practices — as well as a check from CMS or Medicaid each year to help smooth the implementation, starting in 2011.

David C. Kibbe MD MBA is a Family Physician and Senior Advisor to the American Academy of Family Physicians who consults on health care professional and consumer technologies. Brian Klepper PhD is a health care market analyst. Their collected collaborative columns may be found here.

28 replies »

  1. MD as HELL,
    Nationwide EHR? You’re being facetious, right?
    We won’t be able to tap into 20% of the over 80% of hospitals currently without an EHR so I wouldn’t worry about a universal EHR until way after 2050. And I guess that won’t be our problem, will it? Unless you believe in reincarnation, of course.
    The first step is getting EMRs into hospitals and physician practices. This task alone is daunting. Many will be tossed out the door before completing implementation and hospitals will prefer the penalties than lose millions in futile efforts.
    The next task is giving EHR capabilities to these EMRs. An EHR is an EMR with the capability of being fully interoperable.
    The current politics going on are disempowering. Setting up the certification bodies will be a burdensome task.
    There is a late start into action. Hospitals have been halting implementations that are more than 2 years on the run. What the heck?!!! Physician practices are waiting to see what direction the market is taking.
    In reality there is all talk – no walk. I would be one of the first to know things are rolling but they are not. Healthcare IT Software companies have halted hiring. Hospitals are laying IT people off.
    There are no endowments so hospitals with all the losses they accumulate can NOT invest in technology.
    All these signs say that we will not achieve the goals set forth by the ARRA HITECH Act unless a miracle occurs.
    Anyways, I have to get back to working on a project for a hospital network in China. Sorry, but I had no choice other than to look for a “real” healthcare IT market. China is investing $120 billion and it has taken off so fast that many companies in the US are focuesed in that direction. I can’t wait until the cozy CIOs of our hospital system “react” instead of “proact”.
    So don’t worry about the security of your data since it will never be placed anywhere anytime soon. Forget about the virus your hospital system is infected with. And the hackers are probably flirting around with China firewalls and such.
    You see, healthcare modernization has become a big joke, once again.
    Have you read Gregg Braden’s book titled: “Fractal Time”? If you do you will come to realize that healthcare is going through it’s fractal pattern of failure. It can be mathematically proven too.
    Oh! Wait! Mayo Clinic just got some grants from the stimulus package. Let’s see what happens.
    The EHR Guy

  2. Should we abandon electric power because of the risk of being electrocuted? I have already responded to justine’s comment about technology being sometimes blamed for the failure to establish proper protocols or to follow them. I am sorry about your hospital’s network having been compomised. Actually, it makes me even more convinced that a nationwide system can provide better protection to patient information than a bunch of sloppily managed IT shops. I haven’t seen any reports about hackers breaking in to the Google or Microsoft PHR systems.

  3. Ever hear of Carnivore?
    Ever hear of J. Edgar Hoover?
    Ever hear of a hospital system being really secure? At this time my hospital system is infected with a virus.
    Do you think a nationwide EHR will not be a target of hackers smarter than usual IT people?

  4. MD as HELL, it’s up to the patient to decide who he/she wants to share their medical records with. Privacy, security and consent management considerations are at the heart of any EHR and HIE project. Why do you think that patient information is going to be published on the Internet for everybody to see? Are you familiar with the Google Health and Microsoft HealthVault systems?

  5. Medical records are part of the doctor -patient relationship and are PRIVATE.
    If you think anyone in their right mind is going to allow their private medical info out on a nationwide database for all to see you are CRAZY!! They will not tell anyone what a doctor needs to know about their problem!!
    Here ends the lesson.

  6. First, I’d have to agree with Alex’s comment about when something goes wrong. If everything is set up correctly, it is more common that a human will make the error (such as a security breach or improper use of information) than the technology.
    Second, the focus interoperability is a must. With so many EHR technologies out there, there needs to be a consistency and greater interoperability between them.

  7. Both optimists and pessimists contribute to our society. The optimist invents the airplane and the pessimist the parachute. ~Gil Stern
    On the serious note, I share justine’s patient safety concerns due to possible errors in important pieces of demographic or clinical information. Yes, EMR systems must (1) have data validation capabilities, where it makes sense, and (2) provide data correction tools. But, as with any other software application that requires user input, much more depends on business processes, which deal with patient information. In most cases, technology, if properly implemented and tested, is the last factor to blame if something goes wrong.

  8. hionit,
    I have asked through several FDA channels how can I obtain information of the EHR working group to no avail. If you search the internet you can’t find anything besides the fact that the working group was created.
    Many claim that the HIT vendors “force” them to sign a contract. This is what is not true. If the healthcare organization signs a contract it’s because they agree with the terms, period.
    Over 80% of healthcare facilities do not sign these contracts and hence they do not implement an EHR.
    And I believe that with this healthcare IT revolution many vendors will have to rewrite their contracts if they plan to reach the untapped market.
    It’s the combined responsibility of the healthcare organization and the HIT vendor to determine whether the use of the software is in accordance with patient safety.
    If you have ever tried implementing software in a hospital you are well aware of the difficulties implementation teams have getting everyone on board. It can be quite a frustrating experience for many.
    The EHR Guy

  9. Dear EHR Guy,
    Who is on the recently formed FDA working group?
    Didn’t Koppel and Kreda, referenced earlier, offer a commentary in JAMA on the topic brought to the fore by hosp exec?

  10. hosp exec,
    The FDA only recently formed a working group to determine whether or not they should regulate EHRs. It’s hard to know where this group stands due to the secrecy in FDA processes. Ironically they created a transperancy blog so that people could provide feedback. It’s also ludicrous that they only post comments of the sort: “the FDA is wonderful ….”. So it is for their transperancy.
    I don’t buy the “we are pressured by HIT vendors” argument. Who’s putting the money has the power to pressure.
    When a hospital executive pushes to make a purchase of several million dollars for obsolete legacy software something “fishy” is going on.
    Some hospital executives make it sound like the HIT vendors force them using mafia techniques to sign contracts where they can’t denounce the software flaws that lead to patient harm. This is hogwash at its maximum.
    The EHR Guy

  11. As hospital executives,we are pressured by HIT vendors to sign contracts that interfere with appropriate patient safety maintnenance.
    The companies know that their equipment has not been validated as safe and they do not want the public to know.
    If the deployments of these systems were carefully scrutinized for adverse events and the truth be known, there would be a ban on such patient care systems.
    The FDA has not done its job.

  12. Dear justine: I certainly agree with you that the safety of EHR technology and its usage has not received nearly enough attention over the years. It is receiving that attention now, though. Papers are being written/published, and there are conferences and meetings being held, on the unintended consequences of EHR technology implementation. Problems with the integrity of data and its accuracy is one of these, and can lead to safety problems for patients/consumers. Do a Google search on Ross Koppel, and you’ll find a number of journal articles regarding EMRs and safety.
    Potential safety problems associated with EHRs was not only ignored during the previous administration, it was taboo to mention it. I don’t think that is the case any longer.
    However, it should be emphasized and more clearly linked to Meaningful Use and HHS Certification. I agree with you, and will keep this in mind.
    Regards, dCK

  13. propensity,
    Certification can only guarantee that the functionality exists. Certification does not guarantee user-friendliness.
    In addition, technology as has developed (e.g. moused based input) is difficult to introduce into the clinicians workflow. This paradigm is for people who have the comfort to sit in front of a computer dedicated to inputting/extracting information from it.
    Unless technology is leveraged in an efficient way by exploiting other input technologies (e.g. voice recognition, hand writing, etc.) we will make little progress. Of course this era is an opportunity for these technologies to undergoe a huge revolution.
    Another body, such as the FDA, should govern the safety criteria of the applications used for patient care. These applications should be treated somewhat similar to medical devices. This is already being done with PACS viewing workstations which require a 510(k) before they are introduced in the market.
    The EHR Guy

  14. Have those commenting here ever evaluated and managed a patient with complex multi-organ disease using the user unfriendly and defective equipment being considered for certification?
    It is shocking that there is not one mention of safety in the deliberations.
    As UK leadership opined of its own, the same can be stated here, that the leadership of the US and this committee has been seduced by dreams of HIT.

  15. Carlos,
    I totally agree with you.
    The momentum that CCHIT currently has is difficult to catch up with but not impossible.
    But of course, CCHIT has to break out of the comfort zone and inertia they have put themselves into. They’ve also been in total silence since July 16th, 2009. On their website they have published next to nothing from that date and they went totally silent on social media (e.g. Twitter). What is going on? What’s their strategy?
    CCHIT has also lacked a strategy to break away from the big vendor marriage it is notoriously and publicly related to. Big vendors also know that their current EHR solutions are basically technologically obsolete necessary evils.
    Let’s see what happens. Small players will spawn and become big vendors in the future. Remember that Microsoft and Google started as small endeavors.
    The EHR Guy

  16. While having additional certification organizations is a goal that should be aggressively pursued, for the sake of transparency and because competition drives innovation, the reality is that other certifying organizations will need significant “ramp up” time, even if the best available talent participates.
    Gravity cannot be defied, CCHIT will remain a strong player in this space for quite some time. I use a “ton” of Google technology BUT I like the fact that MS is moving full steam ahead to the cloud. That said, they got some catching up to do. Certification, in whatever form it eventually takes, will encompass a non-trivial amount of complexity.

  17. I am incredulous that there is pie in the sky discussion about certification and meaningful use and which kool aid sellers will do it, when the basic safety of these instruments is being ignored.
    Why is it just assumed that these machines are safe?
    What validation is there that the electronic functions are accurate and that the digital data that is siloed is always retrieved without truncation or other defects?
    My position is that until this equipment is vaidated as safe, efficacious, and accurate, all of the certification headlines will not change the fact that the data being stored or manipulated on these machines is anything but HEARSAY.

  18. Exciting news. Progress should smoke along with full standards and process in place for certification right about the spring of 2012 I figure.
    Great seeing DC bureaucracy in action. So to speak.
    Good thing as the author says that EHR isn’t as important as other aspects of reform.
    PS… not sure why the misplaced reference to Governor Palin. Keep your brain engaged on that which you are charged to work on. Clearly that is a tough enough challenge for you.

  19. This is exciting news! Thanks David for reporting on this. This kind of progress is what the HIT industry needs to level the playing field and bring in new and exciting technologies. I think we could all agree that the iPhone is a great example to follow in some respects, but with the issues that have been brought to light in recent days (Google Voice Banning), we should be wary of one single certification body.
    Openness and transparency are going to be the best ways to induce and nurture innovation.

  20. MG: Yes, a considerable amount of work.
    We can only speculate, but it seems likely that ONC/NIST will look to the HIT Standards Committee for advice regarding an XML schema standard, either the CCR standard, or the CDA CCD, or perhaps both (they are easily convertible one into the other) for the designated data set which would become the baseline interoperability standard. So much of this work is already done that it might happen fairly quickly. The HIT Standards Committee has a hearing on August 20th, although the agenda has not yet been made public to my knowledge.
    The security aspect of HHS Certification is pretty straight forward to imagine, too. HIPAA privacy and security rule provisions will be determinative here, I would suppose.
    Finally, the HHS Certification process would likely contain a grid or list of Meaningful Use criteria that EHR technologies would need to meet or exceed. A component or modular approach would allow users to assemble the entire MU package from separate pieces, or from a single vendor. In either case, the MU objectives list is for 2011 primarily about data collection, storage, and transfer electronically.
    As Alexander says in his comment, the process will become much clearer when HHS releases accreditation requirements. But, all in all, I don’t think it is necessarily all that complicated a process.
    Regards, dCK

  21. I believe the picture of the EHR certification process will become clearer when we see HHS accreditation requirements for certifying organizations.

  22. DCK – Thanks for clarifying. It would a “thinner certification” process but still one that would require a substantial amount of work yet. I am interested though in your idea of IT testing laboratories being certified by HHS and added to the mix.
    The validation part is going to be an issue especially in the ambulatory segment due to the sheer size/number of practices. Only way it won’t be is if the 1-5 doc practices just decide the ARRA money isn’t worth the time & headache and take the Medicare penalty hit.

  23. It is clear that competing certification testing organizations would bring transparency and hopefully lower the costs of certification. $30k+ was always considered outrageous.
    The challenge is setting up these testing certification labs considering the deadlines we are dealing with. General testing labs out there have no idea of the intricacies of healthcare interoperability. I foresee a lot of pain and hassles for many, both labs and software developers, during the next couple of years.
    As an interoperability professional myself I am well aware of the challenge it is to “educate” non-healthcare IT people that eventually get involved in healthcare related contracts. They usually spend months in denial with respect to HL7 and DICOM. Eventually they surrender but only after placing the projects at an almost imminent risk of total failure.
    CCHIT still doesn’t have a mature system in place but at least it has something that has evolved a little but still it has more than others since they have created the necessary infrastructure and have acquired the “lessons learned” accumulated over the past 4-5 years.
    I have never said that CCHIT is the gold standard of certification as some have publihed in the blogsphere but I do believe that it is the only one we have to get started with.
    Also, CCHIT by introducing the EHR-M and EHR-S certification models they opened the doors to open source, small software developing companies, and even in-house development.
    I don’t want to make my comment longer than the post so I look forward to soon-to-appear contenders.
    The EHR Guy

  24. Dear MG: The changes being recommended here take a while to digest. Thanks for your comment, and here are some additional thoughts about how we heard this would work on a practical basis.
    The details of HHS Certificaiton will be worked out by NIST/ONC/HHS. Think about HHS Certification as being done by testing laboratories, and relevant only to a narrow definition of certification — security, interoperability, and Meaningful Use. This would be a much thinner certification process, and could be accomplished by any number of IT testing laboratories that do certification of a similar nature in other industries.
    CCHIT could continue to do its 450+ features and functions, thick certification, for the market and add value to users and vendors. I presume that will be the case. CCHIT will in effect be a “seal of approval” for certain products, which the HHS Certification will explicitly not try to be. Understanding this distinction is a very key part of understanding the changes being recommended.
    There is plenty of time to put this into effect, and a number of IT testing labs have already indicated their willingness to become accredited and do the work.
    Validation, on the other hand, applies to the physicians and hospitals, and is the process which they must go through to receive the incentive payments from CMS.
    Hope this helps. DCK

  25. Kibbe and Klepper are spot-on in their analysis and we applaud ONC’s bold steps that would effectively replace the oligopolistic EHR market with one that is truly free and fosters innovation.
    Technology has progressed quite rapidly in the decade or more since many of the legacy EHR systems were created. A market that promotes continued use of older technology serves no one well, as Paul Anthony’s tale (above) expresses clearly.
    Web based EHRs offer many advantages over their older client-server based breatheren. They’re cheaper and easier to update, for example. Virtually all other industry sectors have leveraged Web-based applications to create more customer-friendly applications…now, with ONC leading us forward, it’s likely that health care can finally catch up.
    Glenn Laffel MD, PhD
    Sr. VP Clinical Affairs
    Practice Fusion
    Free Web-based EHR

  26. Most of this is a step in the right direction except the ‘Multiple Certifying Organizations’ and ‘Third Party Validation.’ Maybe CCHIT is to beholden to the large HIT vendors and groups like EHVRA but the solution to this problem is to have multiple agencies with potentially overlapping & conflicting roles? Additionally it would add just even more confusion to a market place that needs more clarity regarding ARRA especially for ambulatory docs.
    Having multiple agencies in this type of role NEVER works well. It would be better to either reform CCHIT (which CCHIT has been pressured to do already to some degree) or designate another body/organization with the certification authority. The problem is that it is already kind of late in the game to do that and it would likely require a huge revision of timelines if this did occur.
    I don’t have an issue with the ‘Third Party Validation’ per-se but it is just generally pretty vague on several details. Who? How? I don’t think fraud is going to be a huge problem with the stimulus money but if you follow the rule of thumb in HC that there is generally 5-10% fraud you are still talking about a ton of money here.