Toward Achieving Meaningful Use: HHS Establishes Certification Criteria for Electronic Health Record Technology

April 9, 2010, 10:01 PM UTC

I. Introduction

On January 13, 2010, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), both part of the Department of Health and Human Services (HHS), issued two much-anticipated and coordinated sets of regulations establishing the requirements for eligible providers to earn Medicare and Medicaid electronic health record (EHR) incentives. The incentives, established by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), are part of the federal government’s decision to make a significant investment to facilitate the adoption of a nationwide health information network. On March 10, 2010, ONC published a proposed rule regarding temporary and permanent programs for testing and certifying that EHR technology meets the ONC’s certification requirements for supporting the achievement of meaningful use by eligible hospitals and professionals under the Medicare and Medicaid EHR incentive programs.

Under the three sets of regulations, qualified hospitals and professionals earn the incentives, in the form of enhanced Medicare and Medicaid reimbursement, by demonstrating that they are “meaningful users” of “Certified EHR Technology.” The ONC establishes by an interim final rule (the Interim Final Rule) [Footnote 1: Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Interim Final Rule, 75 Fed. Reg. 2013 (Jan. 13, 2010) (to be codified at 45 C.F.R. pt. 170), available at http://frwebgate6.access.gpo.gov/cgi-bin/PDFgate.cgi?WAISdocID=79648995247+3+2+0&WAISaction=retrieve] one set of regulations containing the standards, implementation specifications and certification criteria that EHR technology must meet to be Certified EHR Technology. CMS proposes a second set of regulations [Footnote 2: Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Proposed Rule, 75 Fed. Reg. 1843 (proposed January 13, 2010) (to be codified at 42 C.F.R. pts. 412, et al.), available at http://frwebgate1.access.gpo.gov/cgi-bin/PDFgate.cgi?WAISdocID=796654179042+0+2+0&WAISaction=retrieve] (Proposed Rule) containing criteria for demonstrating meaningful use of the certified EHR technology, which also includes proposed Medicare and Medicaid regulations for the calculation and payment of the HITECH Act’s incentives to qualified providers under Medicare Parts A and B, Medicare Advantage organizations under Medicare Part C and state Medicaid programs. The third set of regulations [Footnote 3: Proposed Establishment of Certification Programs for Health Information Technology; Proposed rule, 75 Fed. Reg. 11328 (proposed March 10, 2010) (to be codified at 42 C.F.R. pts. 170), available at http://www.gpo.gov/fdsys/pkg/FR-2010-03-10/pdf/FR-2010-03-10.pdf] addresses the temporary and permanent programs for testing and certifying that EHR technology meets the ONC’s certification requirements for supporting the achievement of meaningful use.

This article focuses on the initial set of standards, implementation specifications and certification criteria for EHR technology to become Certified EHR Technology, as described in the Interim Final Rule.

II. Overview of the Interim Final Rule

The HITECH Act set a December 31, 2009, deadline for the Secretary of HHS (Secretary) to adopt an initial set of standards, implementation specifications and certification criteria to enhance the interoperability, functionality, utility and security of health information technology and to support its meaningful use. To meet this deadline, ONC issued the Interim Final Rule on Certified EHR Technology. ONC explains that “this initial set of standards begins to define a common language to ensure accurate and secure health information exchange across different EHR systems.” The standards, implementation specifications and certification criteria in the Interim Final Rule are intended, in part, to assure that Certified EHR Technology supports the achievement of meaningful use by eligible professionals and eligible hospitals under the EHR incentive programs.

In particular, the standards, implementation specifications and criteria adopted by the Interim Final Rule establish the capabilities a Certified EHR Technology must have to support the achievement of the proposed Stage 1 “meaningful use” criteria established under the Proposed Rule on meaningful use.

III. Key Definitions Contained in the Interim Final Rule

The Interim Final Rule uses the following defined terms in the standards, implementation specifications and certification criteria that establish the required capabilities for Certified EHR Technology:

“Qualified EHR” means an electronic record of health-related information on an individual that: (1) includes patient demographic and clinical health information, such as medical history and problem lists; and (2) has the capacity: (a) to provide clinical decision support; (b) to support physician order entry; (c) to capture and query information relevant to health care quality; and (d) to exchange electronic health information with, and integrate such information from other sources. [Footnote 4: Id. at 2043 (to be codified at 45 C.F.R. 170.102).] ONC adopts the statutory definition of Qualified EHR without modification and notes that the capabilities included in the definition of Qualified EHR set the floor, or minimum standard, for the capabilities of Certified EHR Technology. [Footnote 5: Id. at 2023.]

“EHR Module” means any service, component or combination thereof that can meet the requirements of at least one certification criterion adopted by the Secretary. [Footnote 6: Id.] The ONC provides the following examples of EHR Modules: (1) an interface or other software program that provides the capability to exchange electronic health information; (2) an open source software program that enables individuals online access to certain health information maintained by EHR technology; (3) a clinical decision support rules engine; (4) a software program used to submit public health information to public health authorities; and (5) a quality measure reporting service or software program. ONC notes that the use of EHR Modules may enable an eligible professional or eligible hospital to create a combination of products and services that meets the definition of Certified EHR Technology. However, the eligible professional or eligible hospital bears the responsibility of ensuring that the certified EHR Modules selected are capable of working together to support the achievement of meaningful use and are interoperable.

“Complete EHR” means EHR technology that has been developed to meet all applicable certification criteria adopted by the Secretary. [Footnote 7: Id.] ONC clarifies that the term Complete EHR is meant to encompass EHR technology that can perform all of the applicable capabilities required by certification criteria and distinguish it from EHR technology that cannot perform those capabilities. [Footnote 8: Id. at 2043 (to be codified at 45 C.F.R. 170.102).] The use of the word applicable is intended to reflect the fact that some criteria apply to EHR technology used in the ambulatory setting by eligible physicians and others apply to EHR technology used by eligible hospitals in the inpatient setting.

“Certified EHR Technology” means a Complete EHR or a combination of EHR Modules, each of which: (1) meets the requirements included in the definition of a Qualified EHR; and (2) has been tested and certified in accordance with the certification program established by the ONC as having met all applicable certification criteria. [Footnote 9: Id.] This definition differs slightly from the definition in the HITECH Act. [Footnote 10: HITECH Act §3000 (to be codified at 42 U.S.C. §300jj).] The revised definition is intended to ensure consistency with the initial standards, implementation specifications and certification criteria set forth in the Interim Final Rule, and to allow eligible providers both the flexibility to adapt to innovations in a rapidly evolving industry and the ability to choose from a variety of product and service offerings ranging from subscription services, to vendor-based products, to open source products. ONC expects that it will be common in the near future for Certified EHR Technology to be assembled from several interchangeable EHR Modules.

Examples of Certified EHR Technology include: (1) a complete EHR that is tested and certified to all applicable certification criteria and (2) the combination of two or more certified EHR modules that include all of the capabilities required by all certification criteria applicable to those modules. [Footnote 11: 75 Fed. Reg. at 2043 (to be codified at 45 C.F.R. 170.102).] ONC notes that in the circumstance of combined modules it is the user’s responsibility to determine whether the combination of the certified EHR Modules would meet all of the applicable certification criteria necessary to meet the definition of Certified EHR Technology. [Footnote 12: Id. at 2022.]

In contrast, ONC offers the following examples of what would not meet the definition of Certified EHR Technology: (1) Complete EHRs that have not been tested and certified in accordance with the certification program established by the ONC, even though it may be claimed that such technology provides the capabilities required by adopted certification criteria, and (2) the combination of three certified EHR modules that do not include all of the capabilities required by all applicable certification criteria. For example, if three certified EHR modules were purchased by an eligible professional and none of them included the capability to electronically prescribe, the combination of the three modules would not meet the definition of Certified EHR Technology.

IV. EHR Certification Criteria

The certification criteria adopted by ONC are set forth in Table 1 of the IFR (Table 1 is available on pages 2025-2028 of the IFR, available at: http://edocket.access.gpo.gov/2010/pdf/E9-31216.pdf). The criteria focus on and describe the required capabilities that EHR technology must include to qualify as Certified EHR Technology. Certain certification criteria apply in either the ambulatory setting or inpatient setting. Others apply in only one or the other setting. Examples of certification criteria include enabling: computerized provider order entry for medications, laboratory tests, imaging and provider referrals; maintenance of a patient’s problem list; and maintenance of a patient’s medication allergy list.

To the extent Stage 1 meaningful use objectives under the Proposed Rule are identical for eligible professionals and hospitals, the Interim Final Rule adopts identical, corresponding certification criteria for Complete EHRs or EHR Modules. [Footnote 13: Id.] For meaningful use Stage 1 objectives that differ for eligible professionals and hospitals or apply to only one or the other, the Interim Final Rule adopts specific certification criteria to assure that Certified EHR Technology includes the capabilities necessary to meet that objective.

V. Initial Standards and Implementation Specifications

The initial set of standards focuses on increased interoperability and privacy and security. Not every certification criterion adopted by this Interim Final Rule includes an applicable standard.

Implementation specifications provide specific configuration instructions and constraints for implementing a particular standard or set of standards. ONC states that because some standards can be implemented in many different ways, these specifications are critical in some cases to successfully achieve interoperability. [Footnote 14: 75 Fed. Reg. at 2035.] However, ONC recognizes that very few implementation specifications are widely used and most are immature or too architecturally specific for adoption by large segments of the HIT industry before meaningful use Stage 2. Therefore, with a few exceptions, [Footnote 15: For example, ONC has adopted the Physician Quality Reporting Initiative Measure Specifications Manual for Claims and Registry as the implementation specification for the CMS PQRI 2008 Registry XML Specification standard for quality reporting.] ONC does not believe that there are mature implementation specifications ready to adopt to support meaningful use Stage 1. ONC will consider adopting implementation specifications for any adopted standard provided that there is convincing evidence submitted in public comment of the specifications’ maturity and widespread usage.

ONC recognizes that certain types of standards, specifically those relating to code sets, must be maintained and frequently updated to serve their intended purpose effectively. For example, CPT codes will need to be updated to reflect the most recent changes in medical practice. Under some circumstances, the new codes must be disseminated and implemented quickly for patient safety and other public health purposes. To address this need, ONC will establish certain types of standards as a floor for certification. References to specific adopted standards that are preceded with the phrase “at a minimum” will require a Complete EHR or EHR Module to comply with the version of the code set that has been adopted through incorporation by reference or any subsequently released version of the code set.

ONC also assures eligible physicians and eligible hospitals that if a code set is modified significantly (e.g., if a code set that uses 7-digit numeric codes is modified to require 9-digit alphanumeric codes), ONC will update the incorporation by reference to reflect the more recent version of the code set prior to requiring or permitting certification according to the newer version.

A. Content Exchange and Vocabulary Standards and Implementation Specifications

Table 2A of the IFR lists the adopted content exchange and vocabulary standards to support Stage 1 meaningful use under the Proposed Rule (Table 2A is available on pages 2033-2034 of the IFR, available at: http://edocket.access.gpo.gov/2010/pdf/E9-31216.pdf). Only a limited number of Stage 1-related certification criteria require Certified EHR Technology to be capable of using a specific vocabulary or code set and, in certain instances, these vocabularies and code sets are already required by other HHS regulations such as the HIPAA Transactions and Code Set Rule. Table 2A also lists candidate exchange and vocabulary standards that ONC believes should be adopted and required in certification criteria to support meaningful use Stage 2. The lack of vocabulary standards indicates that true interoperability among a patient’s providers in separate organizations is likely years away.

B. Transport Standards

Transport standards are distinguishable from content exchange standards in that transport standards are not domain specific. For transport standards, the Interim Final Rule adopts Simple Object Access Protocol (SOAP) version 1.2 and Representational State Transfer (REST) to establish standard ways for systems to interact with each other. [Footnote 16: 75 Fed. Reg. at 2044 (to be codified at 45 C.F.R. 170.210).] SOAP is a protocol specification for exchanging structured information in the implementation of web services in computer networks. ONC adopted SOAP because it is widely used, versatile enough to allow for the use of different transport protocols, and both platform and language independent. REST is a style of software architecture for distributed hypermedia systems (such as the internet). [Footnote 17: Id. at 2031.]

C. Privacy and Security Standards

ONC has aligned the certification criteria to applicable HIPAA security rule requirements so that the capabilities provided by Certified EHR Technology may facilitate and streamline compliance with federal and state privacy and security laws. The purposes of the privacy and security standards include: (1) general encryption and decryption of electronic health information; (2) encryption and decryption of electronic health information for exchange; (3) record actions related to electronic health information (i.e., audit log); (4) verification that electronic health information has not been altered in transit; (5) cross-enterprise authentication; and (6) record treatment, payment and health care operations disclosures.

The adopted certification criteria are intended to ensure that Certified EHR Technology is capable of supporting a Covered Entity’s efforts to comply with HIPAA privacy and security of protected health information when residing within, and exchanged by, Certified EHR Technology. As noted above, ONC has not adopted standards for all criteria in part because ONC did not want to preclude innovative approaches to addressing the required capabilities. For example, ONC did not establish a specific standard for access control because ONC believes that “the industry will continue to innovate at a rapid pace in this area and better methods to implement this capability will be available faster than we would be able to adopt them via regulation.” [Footnote 18: Id. at 2034.] In contrast, ONC has adopted certification criteria and standards for encryption because specific industry best practices and requirements exist with respect to encryption and the strength of encryption algorithms, [Footnote 19: Id.] and encryption is one method to “render protected health information unusable, unreadable or indecipherable to unauthorized individuals” and one that can exempt a Covered Entity from having to report a breach. [Footnote 20: Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for information, 74 Fed. Reg. 19006, 19006 (April 27, 2009).]

VI. Interaction with HIPAA Administrative Simplification Regulations

ONC cautions that the Interim Final Rule focuses on the capabilities of Certified EHR Technology and does not change HIPAA requirements, guarantee compliance with those requirements or absolve a Covered Entity that adopts Certified EHR Technology from having to comply with HIPAA standards. [Footnote 21: 75 Fed. Reg. at 2035.]

A. HIPAA Security Standards

ONC plans to look beyond the HIPAA security rule requirements when adopting new certification criteria and standards in the future to improve the capabilities that Certified EHR Technology can provide to protect health information.

B. HIPAA Electronic Transactions and Code Set Standards

HHS previously adopted and modified transactions and code sets standards for HIPAA Covered Entities (Covered Entities), including eligible professionals and eligible hospitals. Certified EHR Technology will enable eligible professionals and eligible hospitals to qualify for incentive payments and comply with these transactions and code set standards as well as any timeframes for compliance. [Footnote 22: For example, all Covered Entities are required to comply with ICD-10-CM and ICD-10-PCS on and after October 1, 2013. See Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA); Final Rules, 74 Fed. Reg. 3295 (January 16, 2009) (to be codified at 45 CFR part 162).] ONC’s adoption of future standards and implementation specifications for meaningful use Stage 2 and Stage 3 will continue to be consistent with the adoption and modification of HIPAA transactions and code sets standards and their respective timeframes for compliance.

C. Certification Criterion and Standards Regarding Accounting of Disclosures

The HITECH Act requires Covered Entities with EHRs to produce, upon an individual’s request, an accounting of all disclosures of the individual’s protected health information over a three-year period, including disclosures made for treatment, payment and health care operations. This expands current law, which limits accounting of disclosures requests to certain non-routine disclosures such as those for research. Covered Entities with EHRs as of January 1, 2009, must have the capacity to comply with this new requirement for disclosures made on and after January 1, 2014. The Secretary has the authority to set a later effective date for such Covered Entities, but the later date may not be after 2016. For Covered Entities that adopt EHRs after January 1, 2009, the Covered Entity must be able to provide for an accounting of disclosures made on or after the later of January 1, 2011, or the date that the Covered Entity acquires an electronic record. The Secretary has the authority to set a later date for Covered Entities acquiring EHRs after January 1, 2009, but the later date may not be later than 2013.

The HITECH Act requires HHS to adopt a certification criterion and standard in this Interim Final Rule regarding technologies that allow for an accounting of these disclosures through an EHR and to promulgate regulations to identify the information that must be collected about each of the disclosures. The Interim Final Rule adopts a basic certification criterion and standard to account for disclosures to provide a technical foundation for the information that HHS will later determine should be collected for treatment, payment and health care operations disclosures. This basic certification criterion requires the capability to record disclosures made for treatment, payment, and health care operations in accordance with the adopted standard. The adopted privacy and security standards set forth in Table 2B of the IFR require a recorded disclosure for treatment, payment or health care operations to include: the date, time, patient identification (name or number), user identification (name or number) and a description of the disclosure (Table 2B is available on page 2035 of the IFR, available at: http://edocket.access.gpo.gov/2010/pdf/E9-31216.pdf). This first certification criterion and standard for accounting of disclosures is intended as an incremental step that will be refined as the technology develops and regulatory requirements are issued. [Footnote 23: 75 Fed. Reg. at 2037.] ONC did not go further at this time because it believes several significant technical challenges need to be addressed before it will be possible to record additional information about disclosures in an efficient manner. For example, it notes the lack of any particular technology solution that is capable of automatically recognizing the difference between a “use” and a “disclosure,” as defined by HIPAA, as well as a concern over the amount of electronic storage that will be necessary to record three years of information related to treatment, payment and health care operations disclosures. [Footnote 24: Id.]

Notably, the HITECH Act grants HHS discretion to modify the compliance date for the revised accounting for disclosure regulations, and ONC noted that HHS will address the compliance date for accounting for treatment, payment and health care operations disclosures in a later rulemaking. [Footnote 25: Id.]

VII. Conclusion

The certification criteria recently published by HHS for determining whether EHR Technology is Certified EHR Technology provide the first step towards enabling eligible hospitals and professionals to demonstrate “meaningful use” in order to qualify for Medicare and Medicaid incentives. Eligible hospitals and professionals will need to ensure that the EHR Technology they propose to implement or are in the midst of implementing either currently satisfies or will be modified or configured by their vendor to satisfy the certification criteria. Clear and specific contractual commitments from their vendor to address any functionality gaps will be essential. Vendors of EHR systems or EHR modules will need to ensure their products possess the requisite features and functionality to be certified and to enable eligible hospitals and professionals to demonstrate “meaningful use” in order to be competitive in this market.
