Healthcare Alert

ONC Establishes Temporary Certification Program for EHR Technology

June 22, 2010

ONC Establishes Temporary Certification Program for EHR Technology

On June 18, 2010, the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule establishing a temporary certification program to test and certify health information technology (HIT), including electronic health records (EHRs).1 This temporary certification program will be used to ensure that “Certified EHR Technology” is available for adoption by eligible professionals, eligible hospitals and critical access hospitals (CAHs) for purposes of qualifying for incentives under the Health Information Technology for Economic and Clinical Health (HITECH) Medicare and Medicaid EHR Incentive Programs, 2 as established under the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5).

The final rule describes the process for selecting organizations to test and certify Complete EHRs and EHR Modules as Certified EHR Technology. ONC will address the specific standards, implementation specifications, and certification criteria required of Certified EHR Technology in a separate final rule to be released in the near future.

ONC has stated that it expects authorized organizations will be testing and certifying EHRs by the end of this summer, which will allow for certified EHR products to be on the market this fall. As more EHR technology products and systems become widely available, adoption of HIT will ideally accelerate as providers and hospitals are able to qualify for federal incentives. Below is a brief summary of highlights from ONC’s recently issued final rule.

Overview of Final Rule

In the final rule, ONC describes how an organization can become an ONC-Authorized Testing and Certification Body (ONC-ATCB), providing details of the application process, application review, testing and certification of Complete EHRs and EHR Modules, testing and certification of “minimum standards,” and authorized testing and certification methods. ONC-ATCBs that are authorized by the National Coordinator will test and certify that certain types of EHR technology (Complete EHRs and EHR Modules) meet the definition of Certified EHR Technology and are compliant with the standards, implementation specifications, and certification criteria adopted by HHS. ONC will consult with the National Institutes of Standards and Technology (NIST), and NIST will develop a test tool and test procedure for each certification criterion.

Notably, the final rule does not designate the Certification Commission for Health IT (CCHIT) as a temporary certification entity, despite CCHIT’s role in certifying EHR technology since 2006. Instead, CCHIT will need to apply to become an ONC-ATCB along with other interested organizations. In addition, the final rule does not provide automatic ONC certification (or "grandfathered" status) to existing EHRs, even if the systems had previously received certification from CCHIT.

Certification Criteria

In the final rule, ONC discusses the certification criteria that ONC-ATCBs will be required to use for testing and certification of Complete EHRs and EHR Modules. ONC’s discussion of privacy and security testing requirements for EHR Modules is of particular note. ONC received comments on its proposal that EHR Modules be tested and certified to all privacy and security certification criteria adopted by HHS unless the EHR Module falls into a specific exception, including—(1) that it is part of an integrated bundle of EHR modules such that it would otherwise constitute a Complete EHR (in which case it will be tested and certified in the same manner as a Complete EHR); (2) it is “technically infeasible” for the EHR Module to be tested and certified in accordance with some or all of the privacy and security certification criteria; or (3) it is designed to perform a specific privacy and security capability only. 3

In response to public comments, ONC revised the proposed exceptions, adding “inapplicable” to the “technically infeasible” exception to clarify that certain privacy and security capabilities may be inapplicable given a particular EHR Module’s anticipated function or point of integration. ONC also eliminated the third exception so that the rule will now require all modules so that only the first and second exceptions apply.4

“Self-Developed” EHRs

ONC responded to concerns and requests for clarification regarding its statements on “self-developed” EHRs, which include brand new Complete EHRs, EHR Modules developed by a provider or contractor, or previously purchased Complete EHR or EHR Modules subsequently modified to capabilities addressed by certification criteria adopted by HHS, and for which the testing and certification costs have been paid by the health care provider.5 Many of these comments came from hospitals and hospital associations. In response to the concerns about whether a modification to “an already certified Complete EHR or EHR Module would invalidate a certification and consequently require the eligible professional or eligible hospital to seek a new certification because it would be considered self-developed,” ONC elaborated on what it would consider an appropriate or inappropriate modification for purposes of invalidating certification status: ONC stated that it is possible that a modification would not have to affect an EHR’s certification status if “due diligence is taken to prevent such a modification from adversely affecting the certified capability or precluding its proper operation.”6

In determining whether a modification would invalidate an EHR’s certification, ONC suggested that providers take three general concepts into consideration: (1) that certification is meant to “provide assurance” that the technology will perform according to the criteria to which they were tested and certified; (2) any subsequent modification after the technology has been certified “has the potential to jeopardize [its] proper operation . . . and thus the eligible professional or eligible hospital’s ability to achieve meaningful use;” and (3) that to receive “absolute assurance” that a modification has not impacted “the proper operation of certified capabilities,” the eligible provider or eligible hospital “may find it prudent to seek to have the Complete EHR or EHR Module(s) retested and recertified.”7

Sunset Date and Permanent Certification Program

The temporary certification program was originally scheduled to sunset when ONC had authorized at least one ONC-Authorized Certification Body (ACB) under the permanent certification program, which is expected to be in place by 2012. The sunset date is now December 31, 2011, unless the permanent certification program is not fully constituted by then, in which case the National Coordinator will establish a later date.

ONC expects to issue regulations regarding establishment of the permanent certification program in the fall of 2010.

1 Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, “Final Rule: Establishment of the Temporary Certification Program for Health Information” (June 18, 2010) [hereinafter “ONC Final Rule”]; display copy available here. ONC Final Rule to be published in the Federal Register June 24, 2010.

2 Department of Health and Human Services, “Fact Sheet: HITECH Temporary Certification Program for EHR Technology.” 

3 ONC Final Rule, at 80.

4 Id. at 83.

5 Id. at 123-24.

6 Id. at 125.

7 Id.