posted by Kevin Heubusch
Feb 03, 2010 03:35 pm
AHIMA Meaningful Use White Paper Series
Paper no. 4
Preceding papers in this series have reviewed requirements within the notice of proposed rulemaking on meaningful use, published by the Centers for Medicare and Medicaid Services on January 13, 2010. This fourth paper takes a look at a companion rule on EHR certification.
Providers and hospitals that wish to participate in the meaningful use incentive program must use EHR technology that meets federal requirements. Commonly referred to as certification criteria or certification standards, these requirements were officially published January 13, 2010, and become effective February 12. With the publication of the criteria, healthcare providers and vendors can begin to assess and align their systems accordingly.
The Office of the National Coordinator for Health Information Technology, or ONC, released the criteria in an interim final rule titled "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology.” Given how closely the criteria are tied to the meaningful use program, the IFR’s publication was concurrent with the notice of proposed rulemaking on meaningful use that came from the Centers for Medicare and Medicaid Services.
Although the IFR is effective February 12, ONC will accept comments on it until March 13. There is potential for the rule to be changed before a final rule is published.
The IFR describes the certification criteria only. ONC will release a separate rule establishing the process by which products are certified against these criteria, including the requirements for organizations wishing to become certifying bodies. The federal government will set the certification criteria, but it will not certify products directly.
The meaningful use program recognizes that organizations are at widely varying levels of IT sophistication and that today’s health IT products offering varying levels of functionality. For this reason, the requirements of meaningful use will progress over time in three stages. The EHR criteria will increase according to the requirements in meaningful use stages. It is expected that future certification criteria will be expanded through health IT committees and regulatory activity.
Background and Overview
The IFR begins with a preamble describing the past and present role of ONC and the health IT policy and standard advisory committees formed under the 2009 HITECH legislation (p. 2015). A background section also discusses how the implementation specifications and certification criteria relate to the meaningful use requirements, HIPAA, and other HHS regulatory actions, including the HIPAA Transactions and Code Set Standards and Electronic Prescribing Standards (p. 2016).
Also briefly discussed is the relationship of certification to the Office of Inspector General’s safe harbor rules as published in 2006 and other work ONC has accomplished.
The next section describes the specifications and certification criteria processes before and after HITECH (p. 2018). This includes the work conducted by the American Health Information Community, the Healthcare Information Technology Standards Panel, and the Certification Commission for Healthcare Information Technology (CCHIT).
ONC specifies that the standard presented in the IFR will stand on its own for meaningful use consideration. In other words, previous certification criteria developed by CCHIT are not part of meaningful use certification.
The remainder of the section covers the HITECH legislative language and highlights the role of the health IT committees. ONC ends by covering the future updates it anticipates for the standards, implementation specifications, and certification criteria. It notes that updates will be an iterative approach to “enhancing the interoperability, functionality, utility, and security of HIT.”
Additionally, ONC specifies, “A number of factors including maturity, prevalence in the market, and implementation complexity informed our adoption of the standards, implementation specification, and certification criteria included in this IFR.”
Description of the Standards, Specifications, and Criteria
ONC undertakes a section-by-section review of the applicable standards, implementation specifications, and certification criteria that must be used to test and certify under the IFR. It begins by providing several definitions and how the interpretation was derived (p. 2021–22):
Standard: “A technical, functional, or performance-based rule, condition, requirement, or specification that stipulates instructions, fields, codes, data, materials, characteristics, or actions.”
Implementation Specification: “specific requirements or instructions for implementing a standard.” [same as HIPAA]
Certification Criteria: “criteria: (1) To establish that health information technology meets applicable standards and implementation specifications adopted by the Secretary; or (2) that are used to test and certify that health information technology includes required capabilities.”
Qualified Electronic Health Record: “an electronic record of health-related information on an individual that: (A) Includes patient demographic and clinical health information, such as medical history and problem lists; and (B) has the capacity: (i) To provide clinical decision support; (ii) to support physician order entry; (iii) to capture and query information relevant to health care quality; and (iv) to exchange electronic health information with, and integrate such information from other sources.” [same as HITECH statutory definition]
Complete EHR: “EHR technology that has been developed to meet all applicable certification criteria adopted by the Secretary.”
ONC intends that this definition will create a clear distinction between a “Complete EHR,” an “EHR Module,” and “Certified EHR Technology.” The definition not only provides such distinction within the IFR, but it could be used in future rules by CMS, ONC, and the Office for Civil Rights to define when an organization has a complete EHR that then causes it to be subject to other rules.
Certified EHR Technology: “A Complete EHR or a combination of EHR Modules, each of which: (1) Meets the requirements included in the definition of a Qualified EHR; and (2) has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary.”
Within the definition ONC describes how different types of health IT might apply to different settings. It addresses the changes that will be forthcoming in alternative EHR products and the flexibility it hopes to permit under these definitions. Further, ONC acknowledges that some providers will seek products that provide capabilities beyond those necessary for the meaningful use program.
ONC also describes the potential for a system of modules to qualify as certified EHR technology (as opposed to one complete system). It concludes the definition with examples of complete EHRs that are tested and certified to meet all applicable certification criteria (p. 2023).
Disclosure: “the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.” This definition, taken from HIPAA, was needed so that the IFR’s criteria could also be adopted by the HHS secretary to facilitate a rule on accounting of disclosures.
Initial Set of Standards, Implementation Specifications, and Certification Criteria
The standards, implementation specifications, and certification criteria represent the initial set adopted by the HHS secretary to support stage 1 of meaningful use (pp. 2023–29). They serve as the basis for EHR testing and certification. ONC emphasizes that the criteria do not establish requirements for healthcare providers, such as eligible professionals or eligible hospitals; that is, these are technical specifications, not user specifications. Presumably the meaningful use criteria serve as the latter.
ONC describes the process through which the certification criteria were selected, including the relationship to the meaningful use matrix recommended by the Health IT Policy Committee, which serves as the underpinning of the meaningful use requirements for stage 1(p. 2024).
Within this discussion, ONC observes that certain types of standards, and specifically code sets, “must be maintained and frequently updated to serve their intended purpose effectively.” It states: “to address this need and accommodate industry practice, we have in this IFR indicated that certain types of standards will be considered a floor for certification. We have implemented this approach by preceding references to specific adopted standards with the phrase ‘at a minimum.’” ONC continues to explain how this “minimum” will be used in the future.
The certification criteria appear in table 1, mapped against the meaningful use stage 1 objectives.
The standards are organized into four categories: vocabulary, content exchange, transport, and privacy and security. ONC indicates that alternative standards have been chosen for certain purposes with regard to interoperability, and vocabulary standards have been limited in this initial proposal.
For the most part, ONC reviews the standards in a narrative description (pp. 2029–35). The section on transport standards addresses protocols and architectures that will be important to system designers. The content exchange and vocabulary section is outlined by the follow areas:
- Patient summary record
- Drug formulary check
- Electronic prescribing
- Administrative transactions
- Quality reporting
- Submission of lab results to public health agencies
- Submission to public health agencies for surveillance or reporting
- Submission to immunization registries
Table 2A lists the adopted content exchange and vocabulary standards for each exchange purpose specified.
Six privacy and security standards cover encryption and decryption (general and specific to HIE), authentication, and verification as well as “record actions related to electronic health information (i.e., audit log)” and “record treatment, payment, and health care operations disclosures.” The latter two categories are directly related to the upcoming requirement for accounting of disclosures.
Table 2B lists the adopted privacy and security standards for these requirements.
Source: U.S. Dept. of Health & Human Services. Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Interim Final Rule. (Federal Register, January 13, 2010)
ONC notes that there are very few implementation specifications for the proposed standards for stage 1 (p. 2035). ONC cites mature specifications for electronic prescribing and laboratory test results, but seeks public comment on whether other specifications exists to support meaningful use in stage 1.
Beyond e-prescribing and labs, ONC identifies the CMS Physician Quality Reporting Initiative (PQRI) 2008 Registry XML Specification as a specification for quality reporting, as well as the PQRI specifications Manual for Claims and Registry. ONC further notes that there are already some adopted standards and specifications for using applicable HIPAA transactions standards and specifically cites the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (which AHIMA has endorsed). Again, ONC seeks feedback on these specifications and future needs for specifications as well.
In the section “Additional Considerations, Clarifications, and Requests for Public Comments” (p. 2036), ONC reviews its belief that the proposed IFR complies with and does not interfere with other federal regulations. It also discusses the need for coded information to be converted to “machine readable format” and how such a requirement plays out now and in the future. ONC seeks comment and suggestions in this regard.
Accounting of Disclosures
Finally, the IFR proposes the standards and criteria to support modifications to the HIPAA accounting of disclosure regulation (p. 2036). HITECH requires covered entities that use EHRs to begin accounting for disclosures made for purposes of treatment, payment, and operations. The statute requires HHS to adopt a standard and certification criteria that enable that accounting and then within six months issue regulations that specify the information that must be included in the accounting.
The IFR describes a “basic” set of criteria to cover date, time, patient identification (name or number), user identification (name or number), and a description of the disclosure. It believes this set will meet the HHS secretary’s needs and should be available in an electronic system.
ONC expresses a number of concerns on how the standard will relate to the regulation and the regulatory burden; previous regulations under HIPAA for disclosures beyond treatment, payment, and operations; and technical issues, including storage of the associated disclosure information. ONC asks for public comment on all of these issues.
Regulatory Impact Analysis
The IFR includes a regulatory impact analysis (pp. 2037–42), which includes the estimated cost for previously certified EHRs and then attempts to apply this estimate to potential costs and benefits. ONC recognizes a number of necessarily loose estimates in this analysis and asks for public input.
The regulation itself begins on page 2042.
Paper 5 in this series will cover functionality measure for eligible providers and eligible hospitals.
AHIMA. "Meaningful Use and EHR Certification." (AHIMA report, February 03, 2010).