HIT Policy Committee requests more transparency for certification oversight

In a letter to the Office of the National Coordinator for Health IT (ONC), a workgroup for the HIT Policy Committee recommended the creation of a web site that names EHR vendors and vendor product versions that have received certification, and shows which meaningful use stage has been tested and certified.

The Adoption-Certification Workgroup and the Privacy & Security Policy Workgroup for the HIT Policy Committee sent letters of recommendations to the National Coordinator, David Blumenthal, MD, concerning the Department of Health and Human Services' (HHS) proposed rulemaking regarding the establishment of two certification programs for purposes of testing and certifying health IT products.

“The workgroup strongly endorses a default rule that all EHR modules must meet all privacy and security certification criteria,” wrote Deven McGraw, director of the health privacy at CDT, and Rachel Block, deputy commissioner for health IT for N.Y. State, who are co-chairs for the Privacy and Security Workgroup.

The temporary certification program requires that EHR modules be tested and certified to all privacy and security certification criteria adopted by the HHS Secretary unless one of the following three exceptions applies.

The first exception is when modules are presented as an integrated bundle, in which case they are certified similarly to a complete EHR.

“[T]he Workgroup recommends that HHS provide further clarification on the circumstances under which [the first exception] would apply,” wrote McGraw and Block. “If a group of modules are tested for privacy and security as a bundle, as if the bundle were a complete EHR, we recommend that certification should only apply to the entire bundle and not to any of the individual module components. A label should be required which indicates that certification only applies to the bundle, and the label should list the component parts.”

In addition to recommending a web site, Paul Egerman, CEO of eScription, and Mark Probst, CIO of Intermountain Healthcare, who are co-chairs for the Adoption-Certification Workgroup, recommended that certified EHR modules be required to be sold with a label indicating that HHS has not tested the module for interoperability with other modules.

The Adoption-Certification Workgroup also made the following recommendations:
  • Applicants should be allowed to seek more limited authorization to test and certify complete EHRs for an ambulatory setting. Also, applicants should be allowed to seek authorization to test and certify complete EHRs for hospital settings.
  • In the event that self-developed or open source software is tested at the site of a healthcare organization (including remote testing), it's recommended that any resulting certification should apply to that hospital or eligible provider only, and should not be transferable to other organizations. “These on-site certifications should not be permitted to have a label that allows marketing of those systems as being certified,” Egerman and Probst wrote.

For certification revocations, the workgroup recommended that the National Coordinator have the flexibility to revoke an ONC-Authorized Testing and Certification Body’s status based on his/her determination of the severity of the violation. As a result, the workgroup did not recommend establishing a specific number of Type-2 violations that cause automatic revocation.

Copies of the letters can be found here.