ONC’s Guidance for EHR Certification Bodies

I’ve long been a proponent of having multiple EHR certification bodies. Competition does amazing things for a system and having one certification body would be a horrible thing for the EMR world. Certainly we all know that CCHIT is going to be there as an EHR certification body. The question is whether anyone is going to step forward and provide CCHIT some competition. Does anyone know of any groups that are applying to be a certification body? I’d love to know about them.

Russ Reese from MXSecure linked me to a PDF file that describes the features that an ONC approved EHR certification body (PDF) should have. There’s some HUGE problems with this criteria.

First and most important is that it basically requires the EHR certifying organization (they call it a Recognized Certification Body or RCB) be able to create certification criteria. If HHS is going to provide the criteria, then why should a new EHR certification body need the infrastructure and feedback loop to be able to create the criteria? The answer is that they don’t. Seriously, why should a new EHR certification body have to be able to “provide a publicly available roadmap for the development of future certification activities” to be a certifying body?

That’s just part of the problem. The requirements also state that you must have “a demonstrated process for, and experience in, certifying EHR software to criteria recognized by the Secretary.” That basically excludes EVERY organization except for CCHIT. Why should anyone apply?

Add in the requirements of the governing bodies, steering committees, board of directors from every group and you have a recipe for no competition with CCHIT. Certainly I can understand that diversity is important when creating a criteria. However, diversity on those groups, which will cost a lot of money to have in the first place, won’t be important if you’re just ensuring that HHS criteria is met.

At the bottom of the PDF file that talks about these criteria, there’s a place for public comment. Although, I haven’t been able to tell when this document was published to know if we’re within the 60 day window. If someone knows better than I, please let me know in the comments. I’ll be sending off a note myself to try and help change this document. The document is entitled “Interim Guidance Regarding the Recognition of Certification Bodies.” Hopefully the “Interim” means that we can still provide comment on the document.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Jason,
    I figured so as well. However, the document is linked from the main site talking about EHR certifying bodies. So I’m wondering if they’ll reopen the discussion or if there’s another way to get David Blumenthal and company to take a look at this again.

  • I think that it is an older document because there are press releases on the web that state that CCHIT became an RCB in 2006.

    It was however, the only information that I could find on the HHS site regarding becoming an RCB.

    I don’t think it is impossible. A group could start right now by gathering together a few vendors, doctors, consultants and creating a certification process based on the first bits of meaningful use.

    They are saying that you have to already be in the business of certification for them to consider you, but that is not that difficult. For example, most of the meaningful use details for 2011 are known – so it wouldn’t be hard to create a company that offers “HHSMU Certification” for 2010 – which would be a subset of what we know is needed for 2011. Then that company would quickly certifiy a few vendors and the requirement is met.

    Mainly, I am curious to find out if anyone is already doing this.

  • The more I think about this the more amazed I become. Does it make sense to use a 3+ year old document to define an organization for certifying against a criteria that’s just being defined? I really hope they consider looking at this again.

    Sure someone could plausibly do it, but ONC would basically be having them waste money doing useless processes and building in governance that won’t be used. Sounds like government to me.

  • I propose a name for a new RCB. DCHIT (Doctor Certified Health Information Technology).

    The CGD (that pdf file) says that an RCB should have the following on it’s board:
    a. Health care providers;
    b. Employers, unions or other health care payors;
    c. Health care product vendors;
    d. Safety net providers;
    e. Health care consumers;
    f. Public health agencies;
    g. Quality improvement organizations;
    h. Clinical Researchers;
    i. Standards development and informatics experts

    It doesn’t say what the ratios should be. I suggest that there are ought to be hundreds of health care providers on that board and thousands of health care consumers. Then just one or two reps from every other group. Thus the name – emphasizing that this RCB has strong physician support.

    If a call was put out to start such a group, I think that many doctors would be interested and that the start up costs could possibly even be funded by collecting nominal “dues” from those who wish to participate.

    One criticism of CCHIT is that it was/is vendor funded and thus too heavily influenced by vendors. I think that a doctor funded and thus doctor driven RCB would be a great alternative to CCHIT. And I think that it could provide certification at a fraction of the cost that CCHIT is asking.

  • Russ,
    You have an interesting idea. The problem I have with the idea is that if you just decide to certify the HHS criteria, I don’t think you’re providing value to doctors outside of possibly helping them to get access to the EMR stimulus money. This is certainly a reasonable goal that will benefit doctors, but would have little need for doctor’s input to make happen.

    I think what you describe above would be interesting to put together and see if you could put together a better set of criteria that would actually provide value to doctors who are selecting an EMR. If we could create an EMR certification that actually was shown to improve successful adoption of EMR, then I’d be all for it. My problem is that I haven’t put together a nice way to be able to do that yet.

    The closest I’ve come is taking a small chunk and creating a “Provider Bill of Rights” which will outline things that EMR vendors should do to ensure that the provider owns and has access to the data in their EMR. Basically, EMR vendors could choose to be part of this and show that they have done things as listed.

    I’ll be blogging more about this soon. I think this type of movement will actually provide value to doctors.

  • One of the “interesting” things about the stimulus bill is that States can decide to give “Safety Net” providers incentive money even if they don’t adopt a certified EMR. The problem is that I have yet to find an objective definition of what a Safety Net provider is.

    Another question that I have is “how will the qualified physician PROVE meaningful use?” The answer must be some sort of reporting or an audit of their activity. So if an independent audit or report proves meaningful use (of data), then what does it matter what software was used to achieve that?

  • John:

    The above comments notwithstanding, I’d like to correct one thing from your post, above. CCHIT does not have a process for, nor does it have experience in certifying EHR software to criteria recognized by the Secretary of HHS. How could it, since these (meaningful use) criteria have yet to be released?

    What is more, CCHIT tends to focus on “structural” and “process” -oriented criteria, as opposed to results-oriented criteria of the sort that are being proposed (in draft) by ONC.

    This difference is hugely for the innovators in the EHR space like Saas-based Practice Fusion. Basically, we can show results, but we can’t show that we have servers configured in a certain way because, frankly, we don’t use servers!

    That said, there are plenty of certification agencies out there, that have experience working with the Feds (including agencies like NIST and CDC), and that have certification processes that are “results-oriented” and therefore more consistent with what ONC has in mind. One such outfit is Drummond Group (www.drummondgroup.com).

    Such organizations would seem to be highly qualified to serve in the role of a certifying body. I have no way to know whether such organizations are interested in this opportunity, but I hope they do!

    Thank you,
    Glenn Laffel, MD, PhD
    Sr. VP Clinical Affairs
    Practice Fusion
    Free, Web-based EHR

  • Glenn,
    You’re actually right that CCHIT doesn’t have that experience either. Yet, they are an approved RCB. Get that one.

    I think your concept of results oriented certification is interesting. However, it goes back to the overlapping of meaningful use and certification. If indeed certification is about results (and likely will be), then we’re all going to sit here wondering why it needs to be certified and we have to show meaningful use. Meaningful use would have just been enough.

    I’m excited to hear that there are groups like the Drummond Group. I might have to drop them a note and see if they’re going to consider taking part in the EHR certification process since I hope organizations like this join the process as well.

  • I have difficulty getting my arms around the “so what” factor regarding certification. The failure rate for implementing certified systems is not better than for non-certified and it does not address usability.

    To compound the issue, certifying a system and then modifying the system during implementation would apparently make the modified system differ from what was certified. That being the case, what value did certification bring about?

  • Russ,
    I got that press release and was just about to post it. I have some questions into the company and was hoping they’d respond.

    I agree. It’s great news.

Click here to post a comment