Monday, April 5, 2010

HIT Certification from a Vendor Standpoint

On March 10th, 2010, the HHS released a proposed rule on establishing certification programs for health information technology with a request for comments. The document covers a lot of ground with respect to what will be certified, how the certification process will be organized, who will be certifying HIT, etc. Below, are the main points of specific interest to HIT vendors (though you are encouraged to read the entire document at your leisure.)

1. Definitions

a. Certification criteria means criteria: (1) To establish that health information technology meets applicable standards and implementation specifications adopted by the Secretary; or (2) that are used to test and certify that health information technology includes required capabilities.
b. Certified EHR Technology means a Complete EHR or a combination of EHR Modules, each of which: (1) meets the requirements included in the definition of a Qualified EHR; and (2) has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary.
c. Complete EHR means EHR technology that has been developed to meet all applicable certification criteria adopted by the Secretary.
d. EHR Module means any service, component, or combination thereof that can meet the requirements of at least one certification criterion adopted by the Secretary.
e. Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

f. Qualified EHR means an electronic record of health-related information on an individual that: (1) Includes patient demographic and clinical health information, such as medical history and problem lists; and (2) has the capacity: (i) To provide clinical decision support; (ii) to support physician order entry; (iii) to capture and query information relevant to health care quality; and (iv) to exchange electronic health information with, and integrate such information from other sources.

2. Start of the Medicare EHR Incentive Program

The first payment year for eligible professionals was defined as calendar year 2011 (i.e., the year beginning January 1, 2011) and the first payment year for eligible hospitals was defined as fiscal year 2011 (i.e., the year beginning October 1, 2010). Since the Meaningful Use requirements explicitly state that incentive payments are contingent on the use of certified HIT, the HHS decided on establishing both temporary and permanent certification programs. The fundamental difference between two programs in application and accreditation requirements for Certification Bodies, and it does not significantly affect the actual HIT certification process.

Under the temporary certification program, ONC-Authorized Testing and Certification Bodies will be created, whose responsibilities will comprise performing "the testing and certification of Complete EHRs and/or EHR Modules". The certification will focus on Stage 1 objectives, which include "electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating that information for care coordination purposes (whether that information is structured or unstructured), but in structured format whenever feasible; consistent with other provisions of Medicare and Medicaid law, implementing clinical decision support tools to facilitate disease and medication management; and reporting clinical quality measures and public health information."

Currently, there are two versions of the temporary program sunset process. According to the first one, “the temporary program would sunset once the permanent certification program is established and at least one certification body has been authorized by the National Coordinator.” The other version sets the program sunset date on December 31, 2011.

3. Testing and Certification

The document states, that “The test tools and functional testing techniques for the certification criteria adopted by the Secretary have been or will be developed by NIST.”

Both programs require EHR modules, regardless of their function, to be certified on Privacy and Security criteria. Exceptions are made in the following cases:

• the module is an integral part of a Complete EHR being certified in its entirety, unless the module resides outside of the provider network
• when it is infeasible to apply the criteria, for instance, if the module does not stores, maintains, or transfers PHI
• the module performs a specific privacy and security capability
Testing can be done:
• at the authorized testing facility
• at the site where a Complete EHR or EHR Module is developed
• at the site where the Complete EHR or EHR Module is installed and used
• remotely using secure electronic transmissions

As far as the validity of certification is concerned, the document offers the following clarification:

“Certification represents a snapshot, a fixed point in time, where it has been confirmed that a Complete EHR or EHR Module has met all applicable certification criteria adopted by the Secretary. From that point forward, a specific Complete EHR or EHR Module version which has been certified would be forever labeled "certified." However, as the Department adopts new or modified certification criteria, previously adopted certification criteria would no longer constitute all of the applicable certification criteria to which a Complete EHR or EHR Module would need to be tested and certified. As a result, Complete EHRs and EHR Modules that had been certified to a previously adopted set of certification criteria would no longer be considered "Certified EHR Technology" for purposes of enabling an eligible professional or eligible hospital to attempt to achieve a future stage of meaningful use.”

"The planned two-year schedule for updates to meaningful use objectives and measures and correlated certification criteria creates a natural expiration for the "certified status" of Complete EHRs and EHR Modules. Accordingly, after the Secretary has adopted new or modified certification criteria, the validity of the certification associated with previously certified Complete EHRs and EHR Modules will expire and those Complete EHRs and EHR Modules would need to be re-certified in order for eligible professionals and eligible hospitals to continue to possess HIT that meets "all applicable certification criteria adopted by the Secretary" and consequently also meets the definition of Certified EHR Technology.

Stated another way, regardless of the year and meaningful use stage at which an eligible professional or eligible hospital enters the Medicare or Medicaid EHR Incentive Program, the Certified EHR Technology that would be used would have to include the capabilities necessary to meet the most current certification criteria adopted by the Secretary... in order to meet the definition of Certified EHR Technology."

The rule makes clear distinction between Meaningful Use requirements for the users of HIT and HIT certification. For example, eligible providers and hospitals, whose first payment year is 2013, will have to meet Stage 1 requirements. At the same time, the HIT they use must be certified on Stage 2 criteria.

The document introduces the notion of differential certification, when a previously certified Complete EHR or EHR Module will have only to be certified on a set of new or substantially amended criteria.

The cost of certification is estimated to be in the range of $30,000-50,000 for a Complete EHR, and $5,000-35,000 for a Module.

No comments:

Post a Comment