Healthcare IT Certifications that Matter

If you’ve been following this blog for a while, then you probably remember my many rants about the lack of value in EHR certification. In fact, Jim Tate asked me at HIMSS where my dislike of CCHIT came from. I think I told him that I probably got it from EMRUpdate. Certainly that’s where I learned a lot about EMR and EHR and certification in general. However, as I consider his question, my real distaste with CCHIT and quite frankly EHR certification is that it provides little to no value to doctors.

Looking back at all the discussions I had last week with those attending HIMSS, I’m really happy to say that EHR certification was almost never a discussion. Pretty much everyone either was a certified EHR or was almost done with the EHR certification process (which is in line with ONC’s desire that all EHR software be certified).

I still feel that certification provides little value, but I’m really happy to see that EHR certification has basically left the discussion. If everyone has it, then doctors don’t and won’t look to it as a way to select an EHR. I think that’s a very good thing.

As I’ve thought more about EHR certification, it’s funny that someone hasn’t come out with some healthcare IT certifications that would actually provide value to doctors and healthcare. Here are just a few ideas off the top of my head of items that could be meaningfully certified:

  • Privacy
  • Security
  • Data portability
  • Freedom of data
  • SaaS hosting services

The interesting thing is that many of these certifications could be provided well beyond EMR software and into other healthcare IT products (and even beyond if someone so desired). Certainly the existing EHR certifications try to provide some of these items, but they’re so general and nonspecific that they aren’t very useful.

For example, the privacy certification could include not only that the data is encrypted but could specify which type and level of encryption is used. Plus, the certification could actually test the encryption to make sure it was implemented properly. I know some eFax vendors that would love this type of certification.

A certification that provides value wouldn’t likely be a simple pass/fail certification. Maybe you do set a bar for each requirement that allows you to place a certification badge on that product. However, users should be able to dig into the details of the certification and see what was found during the process. For example, if you make sure they handle passwords correctly, a certification should provide a list of protections that are built into the software that’s being certified (i.e., minimum characters, required characters, 2 factor authentication, number of failed passwords before lockout, etc.).

If I weren’t so busy with my healthcare IT blog network, I’d consider doing some of this myself. Not only is it a great business, but it could really provide value to healthcare. If you start it, just save me a spot as an advisor.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • One thing about the certifications that worked for us was getting a list of all the vendors. So now I have the list… BUT how do I narrow it down? I would really like it if the ONC web site, the one where one is able to search, could tag all the vendors according to type of product they sell, whether it is a SaaS, ASP, and/or client server product. Another feature I would like to be listed and have certification (security) for is whether a secure web fax is built into the document management system. I also agree with the security/encryption aspect as well as data portability. We currently have a web based ASP EMR but want to update/upgrade to a SaaS product with more features. So now we have to deal with data conversion or not. I think the criteria you mentioned are extremely important and should be part of certification. Ann

    Our office is 1 MD, 1 FNP and 3 staff. We are basically only looking for a SaaS/ASP provider, so I am sifting through each vendor looking for any SaaS/ASP information.

  • Ann,
    This is why I don’t like the pass/fail type of certification. More of these details should be available. One resource to help you narrow down your list is this EMR and EHR matrix wiki page: It doesn’t have all the EMR vendors, but it’s got a bunch of them.

    I’d also be remiss if I didn’t suggest you take a look at this EMR selection e-Book (free) I wrote: Since you are switching EMR software, you’ll not need some of it, but I’m sure you’ll find some useful information in it.

    You can also request demo or quotes to many EMR and EHR vendors on this page:

    Certainly lots of resources out there to look at. Good luck on the data conversion. I hope you don’t fall into the category where your EMR vendor holds your data for ransom like I talked about in this post:

  • As John alludes to, certifications tend to be baloney. They are a crutch for an HR department that doesn’t have the expertise to properly interview somebody…a filter point.

    Additionally, as mentioned, just because someone has a certification does not mean they have a clue as to what they are doing.

    To Ann’s point above: you are in what I would call the sweet spot for a web-based EHR. Still, before going with any web-based EHR try it from your office first…and not just during a demo, fiddle with it for at least an hour. Log out, log in, input a patient, pull records. Make sure it does what you want at a speed that won’t drive you crazy.

  • Get your ostrich-like head out of the emr sites and go visit AHIMA.
    they have a relevant, healthcare focused security/privacy credential.

    also, CPHIMS have security/privacy components.

    lastly, the terminal sec/priv credential, CISSP is thorough, yet focuses on core competencies that are relevant to both HIT and other industries. In short, you want your security/privacy team to have at least one CISSP.

  • Oh Blake. I’m not even sure how to respond to you when you go all personal saying my head is stuck in the EMR sites.

    I guess I find it pretty funny that you go off like this since you totally missed the whole point of this post. The certifications and credentials you mention have nothing to do with the certifications I’m talking about. You’re talking about certifications for individuals. I’m talking about certifications for software.

    Although, I’m quite sure we wouldn’t see eye to eye on certifications for people either since I’m definitely more of an experience over certification guy. I’m just far too practical I guess.
