Advisors Comment on Certification Rule

The HIT Policy Committee has sent two letters with a series of recommendations on the proposed rule to establish temporary and permanent programs to test and certify electronic health records systems.


The HIT Policy Committee has sent two letters with a series of recommendations on the proposed rule to establish temporary and permanent programs to test and certify electronic health records systems.

Recommendations from the committee's Adoption-Certification Workgroup cover the temporary certification program and include, among others:

* Certified EHRs being sold should have a label that indicates which specific meaningful use stage the product is certified as supporting. An EHR certified during 2010, for instance, should have a label indicating it has been certified for Stage 1 criteria only. Certified EHR modules, which are separate from certified complete EHRs, should have a label indicating the module has not been tested for interoperability with other modules.

* Certification of self-developed or open source EHRs tested at a provider organization's site should apply only to that hospital or eligible provider site and not be transferable to other organizations.

* The Office of the National Coordinator should have the flexibility to revoke the status of a testing and certification entity based on the coordinator's determination of the severity of violations, rather than establishing a specific number of violations that would cause automatic revocation.

* ONC and each testing and certification entity should maintain Web sites that identify the vendors and vendor version numbers of EHRs that have received certification, and which meaningful use stage has been tested.

The committee's Privacy and Security Workgroup made one recommendation, which the committee endorsed.

The proposed rule requires EHR modules to be tested and certified to all privacy and security certification criteria unless one of three exceptions applies. "The workgroup strongly endorses a default rule that all EHR modules must meet all privacy and security certification criteria," according to the recommendation, which the full committee adopted.

The letter to ONC then makes recommendations in case federal officials decide to retain the exceptions. For instance, the workgroup agreed that two of the three exceptions--when testing for some or all criteria would be technically infeasible or where the module is designed to perform a specific privacy or security capability--could reasonably exempt a module from having to meet certain criteria. Consequently, the workgroup recommends that such products have a label that indicates the scope of the certification.

The letter to ONC also asks for clarification on the circumstances under which another exemption would apply. Under this exemption, EHR modules presented as an "integrated bundle" could be certified similar to a complete EHR. "If a group of modules are tested for privacy and security as a bundle as if the bundle were a Complete EHR, we recommend that certification should only apply to the entire bundle and not to any of the individual components," according to the letter. "A label should be required which indicates that certification only applies to the bundle, and the label should list the component parts."

Further, the proposed rule says the "integrated bundle" exception does not apply to modules that are integrated but out of the end user's direct control. This, according to the privacy and security workgroup, is an "exception to the exception" that needs clarification.

For copies of both letters of recommendation, click here.

--Joseph Goedert