The ACR supports CCHIT certification as an indication that the EHR system meets minimum functional, interoperable and security criteria. Potential buyers of EHR systems should recognize that they need to do additional work beyond relying on the CCHIT criteria to ensure that the system will be a good fit for their practice.
What is CCHIT?
CCHIT is a private, non-profit organization formed to certify EHRs against a minimum set of requirements for functionality, interoperability and security. CCHIT serves as the recognized US certification authority for EHR systems and their networks, and was officially designated as a recognized certification body in October of 2006. Despite the HHS contract, CCHIT is not an extension of the federal government.
The open, transparent process of determining requirements for certification is driven by balanced, multi-stakeholder participation in criteria and inspection process development, and decision-making. The 21-member board of commissioners includes at least two representatives each from the provider, payer and vendor stakeholder groups, as well as representatives from such other areas as quality improvement, medical informatics, health information exchanges and public health agencies. Work groups for ambulatory functionality, interoperability, security and privacy are similarly balanced. All development work is subject to several periods of public comment, response and refinement. The result is an authoritative and consensus-based approach to moving health IT forward with a common EHR denominator. CCHIT revises and updates its test criteria annually.
Certified products must demonstrate to trained, objective jurors all of the capabilities called for by the criteria. The criteria development and testing process builds in a number of checks and balances to position certification requirements so they advance the progress of EHR capabilities while being careful not to require IT vendors to do the impossible.
Besides specifying the criteria required in each certification year, the criteria documents include a “Roadmap” forecasting additional criteria to be required in the next two years. The “Roadmap” provides guidance to providers and the industry by offering a realistic timetable for incremental improvements in EHR systems. The roadmap takes into consideration the advance of software innovations and nationally recognized standards for healthcare data creation, storage and exchange, the capacity of EHR vendors to incorporate innovations and standards into their development cycles and adequately test the resulting products before release to new or currently supported customers, and timing, so as not to limit the innovation in system development.
Certification is voluntary, but in the first year after the commission began offering certification, nearly half of the EHR companies in the marketplace brought their products to the Commission for testing. Both large and small companies, serving practices of all sizes, now offer certified products.
It’s not necessary for vendors to recertify annually; they can use the certification seal for up to three years. A product that was tested against the 2006 criteria could be marketed up through 2009, but it has to carry that seal – indicating that it was only the 2006 criteria it was tested against. If a vendor comes back in 2007 and tests against the enhanced criteria, then they will receive a new seal and they will be able to advertise their products as tested against the newer, tougher 2007 criteria.
Beyond the criteria, buyers really need to make their own individualized checklists. In a broad sense, I think it’s very important that buyers look at the company, the support that company offers and what kind of training the company provides. These are areas that we are not able to test and inspect.
Click here for more information on the CCHIT evaluation process and criteria.
What CCHIT does not evaluate
CCHIT certifies EHRs based on criteria for functionality, interoperability and security. CCHIT does not evaluate factors such, and makes this point very clear in their educational materials.
Certification is not the final stop in selecting an EHR that may be right for your practice. Potential buyers of EHRs should recognize that they need to do additional work beyond relying on the CCHIT criteria. The CCHIT criteria list provides a preliminary checklist that helps buyers identify the core requirements for products regarding security, functionality, and interoperability. If an EHR system is certified, the potential buyer can avoid evaluation of these often very technical criteria, and can focus on the specific needs of their office (e.g., ease-of-use of EHR software products; financially viability of the company offering the EHR software; or, the quality of customer support offered by the software vendor).
EHR systems are developed to target various practice styles and settings. For example, some products may be best suited to a small office while others may be best suited to a very large practice. Other products may have special features for their specialty, style of practice, or style of documenting their work and creating notes. Buyers should also be looking at the companies they are buying from: Is the size of the company one that they’re comfortable working with? Do they feel confident in being able to get the support they need after they purchase the product?
Suggested additional evaluation steps are:
Work with the application to determine ease of use - get “hands-on” with the EHR
Talk with existing users to determine experiences - good and not so good - with the product and customer support
Create healthcare integration scenarios to ensure that the EHR can easily interface with other healthcare vendor or provider applications
Benefits of Certified EHR systems
Recently, as the importance of health IT is more widely recognized many new initiatives have emerged to stimulate the uptake of this technology. The majority have relied on Commission certification to qualify eligible health IT. These range from Federal Programs, such as the Medicare EHR Demonstration, to more than 20 State programs and another 25 private initiatives. In addition, nearly 60 medical centers have announced projects to supply EHRs to doctors under the exception and safe harbor of the Stark and Medicare anti-kickback laws, keyed to certification. Even several physician liability insurers are offering premium discounts for successful implementation of certified electronic records.
For more information, visit CCHIT on the web at www.cchit.org, or click here to access their document An Introduction to Healthcare Certification.
What do they evaluate?
Companies wishing to certify their product must submit for evaluation against comprehensive criteria assessing:
Functionality criteria can be summarized into:
Organizing patient data – demographics, clinical documentation and notes, medical history
Compiling lists – problems, medication, allergies, adverse reactions
Receiving information – test results, consents, authorizations, clinical documents from outside the practice
Creating orders – ordering medication or diagnostic tests; managing order sets, orders, referrals; generating and recording patient-specific instructions
Supporting decisions – presenting alerts and reminders for disease management, preventive services, wellness; checking for drug interactions and guiding appropriate responses; supporting standard care plans, guidelines and protocols; updating decision support guidelines
Authorized sharing – managing practitioner/patient relations, enforcing confidentiality, enabling concurrent use among multiple practitioners and healthcare personnel
Managing workflow – assigning and routing clinical tasks, managing the taking of medication and immunizations, communicating with a pharmacy
Administrative and billing support – using rules to assist with financial and administrative coding; verifying eligibility and determining insurance coverage 1
All electronically represented information enables improved access by clinicians. But the value multiplies as data becomes more structured, standardized and readily exchangeable among different information systems, bringing a new level of integration to our currently fragmented healthcare process. These are the building blocks of interoperability, and the Commission is methodically building interoperability into certified EHRs.
Before any data element can be shared between EHRs, for example, there has to be a technical standard for creating it, a common way of saying it, and a uniform and secure method of transporting it from one place to another. The Commission and its work group on interoperability have planned out a logical sequence of requirements, recognizing that construction of standard data elements comes first and that requiring interoperability makes sense only after EHRs can generate standard elements to share and process. For various technical reasons, it’s easier to develop a capability to send information out than to take information in. The next degree of difficulty is to enable an EHR to do something with the information it receives. Plans for the 10 cycle are to further require EHRs to use the XDS transactions to receive discrete elements of coded data. This is the point at which information from other points of origin can be used as needed in the receiving EHR—for example, selectively importing medications and adding them to the patient’s list of medications, or updating demographic information. 1
To be trusted by physicians and patients alike, EHRs must incorporate state-of-the-art technical standards and techniques for assuring that the personal health information created and shared by healthcare professionals is securely maintained and kept confidential. The provision of such security is a core aspect of certification dating to the first certified EHRs in the 06 cycle, and currently there are more than 40 security criteria related to:
Access controls based on user role or the context of a care situation.
Authenticating users before allowing access to protected health information.
Auditing the access and use of records according to certain rules or events.
Supporting protection of confidentiality.
Access control is important to regulate the balance between using patient information for its intended purpose—enabling clinicians to make fully-informed decisions about diagnosis and treatment—and restricting people without a specific need to know from seeing information. Audit trails allow monitoring for instances of unauthorized viewing, copying or diverting as a backup to access controls. 1
The Commission tests EHRs on hundreds of criteria within these areas. To be certified, a product must meet every criterion. The usefulness of some criteria—such as maintaining a comprehensive patient record, managing orders and results, gaining access to clinical decision support, and enabling quality reporting— is self-evident. Other requirements—such as exchanging data with laboratory and pharmacy systems, protecting the privacy of patient information, and ensuring that back-up copies of your data are created—may not be as obvious, but are critically important to your practice.
Criteria Development
These criteria and inspection processes are developed by CCHIT volunteer Work Groups for each domain. The development process includes assessing the market environment and available standards, drafting and finalizing certification requirements, publishing a future roadmap of certification requirements, and developing test scripts and a recommended certification process.
The Ambulatory Work Group keeps running minutes of each Work Group meeting, and are available for review. Review the Ambulatory Work Group meeting minutes.
The Ambulatory Work Group is composed of a diverse group of healthcare stakeholders and led by two co-chairs. All Certification Commission Work Group members are volunteers. Access the Ambulatory Work Group member list.
Certification Process
After the vendor submits application and has been accepted for testing, the vendor must prepare and submit self-attestation materials for a desktop review as required in Scenario #5, #6 and #7 of the Security Test Scripts. Testing is scheduled only after that review establishes that the product is eligible and ready for inspection.
Once the vendor’s EHR system has been deemed eligible and ready for inspection, he will be invited to schedule an available inspection date.
During the inspection, a jury of three EHR experts—including at least one practicing physician—observes a carefully scripted product demonstration. This inspection takes a full day and covers four distinct clinical scenarios. One script, for example, simulates a visit by a well child to a primary care physician and checks an EHR’s ability to:
Correctly identify the patient and his parent
Document and track immunization history, prescriptions, and lab reports
Provide guidelines for prevention and wellness care.
In another scenario, an elderly man with poorly controlled diabetes, hypertension, and other chronic conditions visits his doctor. In this case, the EHR under inspection must demonstrate that it can:
Monitor potential adverse drug reactions
Help with disease management
Provide treatment plans
Generate quality improvement reports.
Additional clinical scenarios are being developed as the Certification Commission expands its work into other areas 2. All criteria must be met in order for the product to be certified.
For more information, visit CCHIT on the web at www.cchit.org, or click here to access their document An Introduction to Healthcare Certification.
1 An Introduction to Health IT Certification
http://ehrdecisions.com/wp-content/files/CCHITIntroToHealthIT20090113.pdf
2 Physician's Guide to Certification for ’08 EHRs
http://cchit.org/files/CCHITPhysiciansGuide08.pdf
