If you’ve been following this blog for a while, then you probably remember my many rants about the lack of value in EHR certification. In fact, Jim Tate asked me at HIMSS where my dislike of CCHIT came from. I think I told him that I probably got it from EMRUpdate. Certainly that’s where I learned a lot about EMR and EHR and certification in general. However, as I consider his question, my real distaste with CCHIT and quite frankly EHR certification is that it provides little to no value to doctors.
Looking back at all the discussions I had last week with those attending HIMSS, I’m really happy to say that EHR certification was almost never a discussion. Pretty much everyone either was a certified EHR or was almost done with the EHR certification process (which is in line with ONC’s desire that all EHR software be certified).
I still feel that certification provides little value, but I’m really happy to see that EHR certification has basically left the discussion. If everyone has it, then doctors don’t and won’t look to it as a way to select an EHR. I think that’s a very good thing.
As I’ve thought more about EHR certification, it’s funny that someone hasn’t come out with some healthcare IT certifications that would actually provide value to doctors and healthcare. Here’s just a few ideas off the top of my head of items that could be meaningfully certified:
- Data portability
- Freedom of data
- SaaS hosting services
The interesting thing is that many of these certifications could be provided well beyond EMR software and into other healthcare IT products (and even beyond if someone so desired). Certainly the existing EHR certifications try and provides some of these items, but they’re so general and non specific that they aren’t very useful.
For example, the privacy certification could include not only that the data is encrypted but could specify which type and level of encryption is used. Plus, the certification could actually test the encryption to make sure it was implemented properly. I know some eFax vendors that would love this type of certification.
A certification that provides value wouldn’t likely be a simple pass fail certification. Maybe you do set a bar for each requirement that allows you to place a certification badge on that product. However, users should be able to dig into the details of the certification and see what was found during the process. For example, if you make sure they handle passwords correctly, a certification should provide a list of protections that are built into the software that’s being certified (ie. minimum characters, required characters, 2 factor authentication, number of failed passwords before lockout, etc).
If I weren’t so busy with my healthcare IT blog network, I’d consider doing some of this myself. Not only is it a great business, but could really provide value to healthcare. If you start it, just save me a spot as an advisor.