The newly proposed rules for EHR certification, referred to by ONC as Certification Criteria for Electronic Health Record Technology, 2014 Edition, contain a few pleasant surprises that bode well for EHR users. There are provider-friendly changes in how CEHRT is defined; a new security requirement that may help with data breaches; and comments on data portability and mobile systems that indicate the ONC is mindful of the consequences of its actions on both providers and the EHR marketplace.
A New Approach to CEHRT
The proposed rule introduces the concept of a Base EHR defined as follows:
We propose to define a Base EHR as an electronic record of health-related information on an individual that: 1. Includes patient demographic and clinical health information, such as medical history and problem lists; 2. Has the capacity: i. To provide clinical decision support; ii. To support physician order entry; iii. To capture and query information relevant to health care quality; iv. To exchange electronic health information with, and integrate such information from other sources; v. To protect the confidentiality, integrity, and availability of health information stored and exchanged; and 3. Meets the certification criteria adopted by the Secretary at: § 170.314(a)(1) through (8); (b)(1) and (2); (c)(1) and (2); (d)(1) through (8); and (e)(1).
A Complete EHR is defined as:
EHR technology that has been developed to meet, at a minimum, all applicable certification criteria adopted by the Secretary.
Base EHRs must have the features/functions required to meet the fundamental requirements of MU. Base EHRs may then be adapted for specialists by adding support only for measures germane to a given specialty. On the other hand, Complete EHRs have features that support all MU criteria. Taken together, these changes seem to indicate that the ONC is allowing for needed flexibility in how providers acquire an EHR that meets MU criteria. If so, this move has the following implications:
- It may encourage more specialists to join the incentive programs because they may buy Base EHRs aimed at their specialty. In other words, no one would have to pay for unneeded EHR features simply to have CEHRT.
- It potentially encourages a new model for EHR products that consist of a core product with additional features provided by “modules.” This conforms, in principle, to the minimal EHR alluded to in “Software Architecture and Design, First Steps.” Maybe the days of platform EHRs, where new functionality is added easily via app-like modules, are on the horizon.
Privacy and Security
The proposed rules also make a few changes in privacy and security requirements. The most notable is the requirement that CEHRT provide functionality that encrypts data at rest on end-user devices such as tablets and laptops if PHI remains on the device after a session terminates. Alternatively, vendors may pass this certification requirement by proving that no data are ever stored on end-user devices. This is a good move, and may save EHR users HIPAA penalties and lawsuits by preventing questionable behaviors from occurring (i.e., no more fines for lost laptops with patient records). Audit trail requirements are more explicit and, if adopted, will allow for better tracking of EHR activity.
The ONC again shows support for end-users and vendors by the approach suggested for approving EHR software for mobile platforms, referred to as adaptations. Adaptations are defined as:
…an “adaptation” of a certified Complete EHR or certified EHR Module to be a software application designed to run on a different medium, which includes the exact same capability or capabilities included in the certified Complete EHR or certified EHR Module. For example, an adaptation of a certified Complete EHR that is capable of running on a tablet device or smart phone….
The great thing about EHR adaptations is that they would be covered by the main EHR product’s certification, removing the need to certify multiple instances of the same product version. Vendors should like this.
One of the ONC’s requests for comments, buried deep in the document, is worth noting. The ONC asks for feedback on whether data portability (i.e., having features that permit practices to easily move all of their data from one system to another) should be a requirement for certification. One reason given for asking the question is concern about preventing EHR buyers from being yoked to a product. How could this be a bad idea from an EHR buyer’s perspective? However, I doubt vendors will get any warm-fuzzies from this.
Overall, these are forward-looking rules. The Base EHR concept allows for less-complex systems that are faster to build and bring to market—possibly encouraging new companies to enter the market. In addition, this concept encourages modular EHR designs/architectures that promote easy extensibility via apps/modules. This could lead to less-expensive products that are easier to select and implement.
The proposed changes to EHR certification requirements and the comments requested indicate that the ONC is mindful of the influence it wields and the effects of its policies on end-users and vendors. The proposed rules demonstrate a thoughtful and reasonable approach to furthering EHR adoption. I, for one, am pleasantly surprised.