CCHIT EHR Certification Criteria Problem

I’ve discussed a lot of problems (there are many) with the CCHIT EHR Certification in the past. However, one problem I’d never heard of was something that Lourdes from WebDMEMR said in a comment on my post about EHR certification recommendations:

WebDMEMR’s development schedule has been on par with the Meaningful Use Matrix Tagged for CCHIT Reference. This document lays out a generalized view of the functionality necessary to conform with meaningful use, not CCHIT. I actually took a look at the Preliminary ARRA criteria, can believe that there are some criteria that only apply to client-server EMRs? With no option for web based applications? These test scripts are geared towards client – server based technologies, I found that many of the criterion did not make sense for a web based EMR. For example, I noticed one requirement states that the technology must use Kerberos. This is technology is only primarily available and necessary for client – server based EMRs. Representing a web based company, how are we supposed test ourselves if the test scripts are based on the wrong technology? CCHIT’s answer was: the federal governement imposed that criteria.. we have no say in that.. I highly doubt the federal government would restrict all other emr technologies.. CCHIT is incompenent, and are playing on the EMR communities fears. I definitely will not buy into it.

The problem of having a criteria that only applies to a client server based EMR is a pretty serious problem since so many EMR these days are web based and wouldn’t need or want to use Kerberos. CCHIT should really find a way to deal with this problem. Issues like this could also be a problem for the HHS criteria, so it will be interesting to see if HHS can do a better job than CCHIT has done.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • John,

    If an EMR wanted to go the CCHIT route, CCHIT would likely evaluate the product with an asterisk for any outlier or “contradiction by definition” sort of issues.

    I doubt that CCHIT is intentionally trying to sandbag ASP/cloud systems.

    For many providers, CCHIT is the good housekeeping stamp of approval.

    Regarding certification bodies, platforms, etc., I remain as neutral and agnostic as possible.

    I have an ASP/cloud service on the runway AND a PC/LAN system. Providers though may decide that the cloud model hype is in part just a stab at Microsoft dominance (now almost a natural monopoly) because platform vendors are unwilling or unable to make a dent at the desktop level. In other words, there are not many places left to make a buck.

    Remember, the distributed computing model already
    leap-frogged the centralized, mainframe/timeshare model many years ago. The PC (I call mine a personal server) keeps getting more powerful, less expensive with more features and software.

  • Actually one of the biggest complaints of CCHIT certification is that it’s an all or nothing type of certification. Obviously not all certified EHR vendors are equal.

    I agree that CCHIT probably wasn’t intentionally trying to discriminate against ASP/hosted EMR systems. However, this is I believe the fourth iteration of CCHIT criteria. You’d think they’d have taken stuff like this into account in 4 major iterations.

  • I saw the same document this week – yes much of the language seems to assume that the Internet and SSL don’t exist. It makes one think that they just keep recycling specs from a few decades back.

    Griping about cchit has helped so far – at least the HIT committee heard it and they didn’t go for the recommendation from himms to just use the existing cchit cert as “thee” cert and they publicly invited competition. But all the griping is not going to change anything unless the competition actually materializes.

    On this page – – the first PDF file there outlines the requirements and process for becoming a “certifying body”. Section “X” says that the ONC currently only knows of one taker (that would be cchit) but they are prepared to evaluate as many as nine applicants. Does anyone know of any serious contenders that are planning to apply?

  • Russ,
    This is a very good point. I’ve heard rumors of groups talking with ONC about creating another certification, but that is all. I tried the link, but it’s not working. Can you point me to how you got to that link. I’d love to read the requirements.

    I agree with you that someone needs to put something together. The question is who is the right person/group to do it?

  • There are also other concerns for medical domains such as the Chiropractic world. There are many requirements even for the ARRA Preliminary Certification that do not apply to the Chiropractic community. Electronic prescribing being one of them, Chiropractors do not have the means to write prescriptions. If a vendor wants to be a one stop shop as a certified EHR technology, they must pass all 26 meaningful objectives (28 but 2 are GAP major) and the security and privacy criteria. How will a provider ever show meaningful use if they cannot write prescriptions (eRx)?

  • Craig,
    I heard a similar issue to this with a specialist that only wrote a couple prescriptions a week. Didn’t seem reasonable for them to have to learn the intricacies of ePrescribing for only a couple prescriptions.

    There is hope that ONC will make some exceptions to the criteria based on specialty.

  • CCHIT would like to clarify the Security standards issue in the first posting of this discussion :

    On September 15th, ONC’s Health IT Standards Committee released its recommended privacy and security standards, which included the criterion requiring Kerberos under row 16 of its spreadsheet under “H-1 Prod Cert Stds” tab. Please see the HHS URL below:

    On October 14th (after the date of our October 1 response quoted in the first post), ONC’s Health IT Standards Committee dropped its proposed requirement for Kerberos from its updated privacy and security standards. Please see the HHS URL below:

    Kerberos has always been an optional standard for CCHIT since we believed it to be problematic. It does not integrate well with other technologies, and the federal government has barred the use of Kerberos beyond 2011. As described above, the Health IT Standards Committee, itself, withdrew it on October 14, but has allowed its use by vendors during the 2011-2012 certification period.

    Just as importantly, CCHIT has always welcomed Web based applications and continues to welcome them as participants in both its Comprehensive and Preliminary ARRA programs. The continuing line of FUD that suggests we will only certify proprietary, client server products is just worn out now.

    Happy to chat with anyone who has questions about our programs.

    Sue Reber, outreach director, CCHIT

  • Sue,

    Did I say something like that above on Oct 16th? 🙂
    FUD doesn’t apply in traditional sense since you are not a direct competitor to EMR vendors, but I get your drift.

    — Jack

  • Sue,
    Thanks for the clarifications. As I said in my above comment, I don’t think CCHIT is trying to certify only proprietary, client server products. In fact, in the times I’ve heard Mark Leavitt I’ve always found him quite sincere in his efforts. It’s just that I find much of what’s being done not in the best interest of the doctors.

    I’d also be interested to hear more about CCHIT’s take on the above discussion about specialty areas where the meaningful use criteria doesn’t apply. I’m sure you’re still waiting to some extent on HHS/ONC/CMS direction on what is HHS EHR criteria, but it seems like CCHIT could provide some direction to HHS/ONC/CMS in this area. With all of your committees and representation from so many areas it seems like you could make a proposal for how MU (and therefore the certification criteria) should be modified to apply to the various specialties.

  • Nice way to admint a slip up CCHIT…
    I still find it hard to believe that with all of the competent people at the ONC and CCHIT that are well versed in technology, an error like this was possible. I am not a tech a person, my knowledge is basic, but EVEN I was able to catch that one. Other than blatent errors on CCHIT test scripts and criteria, I wonder what other missteps could have been “looked over”…?

  • In response to a couple of comments:

    Jack – In Health IT, FUD transcends.

    John – Yes, the conflict with specialty practice and and the meaningful use objectives is a sticky one. While CCHIT is trying to accelerate the addition of specialty options in its Comprehensive program, that won’t solve this problem. See our June 26 comments to ONC , including this topic, at In addition, our work groups are readying themselves to prepare public comment as HHS publishes its expected rules in December. Our work groups now include more specialty providers than ever. I would expect this topic would be included in those comments.

    Craig – great idea; we changed the home page message to reflect the availability of updates – some of which were just published today.

  • In a newsletter few months ago (, I briefly did my own assessment of the “certification” world according to HITECH. Personally, I think the temporary certification program will basically end up with a single vendor (CCHIT). I am hopeful (nothing against CCHIT) that when the Permanent Certification Program is official (where certification and testing are separated), more vendors are able to break into the current certification monopoly.
    Craig, regarding Chiro and others who are listed as “Eligible Professionals” but no way in hell they can qualify under the current 25 MU requirements, clarification should be coming. My source at ONC has told me that this was not a mistake. Due to time contstraints, ONC focused on Primary Care Providers initially with the intent to clarify for other provider types at a later time. I am hoping this clarification will come very soon.

  • David,
    “Personally, I think the temporary certification program will basically end up with a single vendor (CCHIT). ” I’ll take a wager on this one. I predict that there will be more than one EHR vendor. If CCHIT is the only one, then I take you to dinner. If there’s more, then you take me. I’m sure we’ll be at a conference or something at some point where we can collect.

  • please, can someone tell me, If a chiropractor does not write perscriptions, does he still have the same e-prescribing requirements for “meaningful use” ……?
    How does that work, does anyone know?

  • No, the chiropractor would not have the same e-prescribing requirements for MU. Page 61 of MU discusses the “inapplicability” of measures to various provider types.

    Basically, your chiropractor will have a denominator of “zero” for that measure. Also, on page 99 of MU, you find (talking about e-prescribing) “this objective and associated measure do not apply to any EP who writes fewer than one hundred prescriptions during the EHR reporting period.”

Click here to post a comment