ICSA Labs Questions Strength of ONC Certification Rules

You’ve undoubtedly heard the argument before: EHR certification is about assuring that systems meet minimum requirements for functionality and interoperability, but the certification process falls way short in terms of usability, privacy and security. But have you heard the argument from one of the ONC-authorized certification bodies?

This is an excerpt from an e-mail I received today:

Meaningful Use criteria have become a massive EHR certification driver for healthcare organizations. Hospitals and other providers rely on the criteria to ensure that their health IT systems meet minimum government-specified functionality and interoperability requirements to support Stage 1 of Meaningful Use.  Achieving Meaningful Use also ensures a health care organization qualifies for reimbursement under the American Recovery and Reinvestment Act as a way to incent adoption of e-health processes among health organizations. The ultimate goal is to improve our nation’s healthcare system by leveraging technology to allow greater access to important health information and empower patients to securely access their own health information.

However, as one of only five organizations authorized to test both complete and modular EHRs by the Office of the National Coordinator (ONC) for Health IT, ICSA Labs questions whether EHR certifications are enough as the criteria represent only minimum requirements. Amit Trivedi, healthcare program manager at ICSA Labs, believes providers should take further steps to heighten the security and privacy of their health IT systems. He also suggests vendors should look beyond the current regulations to address and improve usability, data portability, and information exchange in their products.

That’s right, ICSA Labs, one of five organizations currently authorized to test and certify complete EHRs on behalf of the Office of the National Coordinator for Health Information Technology, seems to think that the standards it tests EHRs against are inadequate, which is something that critics of certification—particularly critics of the Certification Commission for Healthcare Information Technology—have been saying for years. Critics of many of the larger vendors have been saying that, too. But it’s shockingly refreshing to hear this from an actual certification body.

In fact, the publicist for ICSA, a unit of Verizon Business, has offered interviews with executives of two lesser-known vendors, Health System Technology and Design Clinicals, to talk about how they are going beyond the minimum certification requirements. Deadlines beckon, so I didn’t really have time to wait for the publicist to try to find me a schedule opening for one of the executives, but here’s a statement from a March 30 ICSA press release that is somewhat telling:

“This year we are expanding our certification programs into health IT, a much-needed area of focus to help modernize today’s health care system,” said George Japak, managing director for ICSA Labs. “With our new focus on safeguarding patient information within electronic health records, we are committed to helping accelerate the adoption of health IT.”

We don’t hear too much about security in the context of certification from too many other camps, so it’s nice to hear that at least one certification organization is critical of the rules it is under contract to follow. Perhaps we’ll see tougher usability, privacy and security standards in the permanent certification program ONC needs to have in place by the beginning of 2012 to support the forthcoming Stage 2 “meaningful use” requirements from CMS.

Wishful thinking?

About the author

Neil Versel



  • What would you add to the standards? The 9 or so security criteria seem pretty robust to me. And they are in fact minimum requirements. The quickest way to get pointless bloated software is to develop for usability testing. We need fewer committees and regulations and more Steve Jobsian visionaries.

  • Is it just the stage 1 criteria that the ICSA is concerned about?

    It seems to me that as we progress through the stages of meaningful use, EMR will need to re-certify for the new meaningful use criteria. If ICSA is privy to some insider information and sees the roadmap of certification and meaningful use and is not confident then I think we may have something to be concerned about here.

    I have to agree with Brian though, the stage 1 minimum requirements seem like a good first step toward acclimating new practices to the real purpose of using an electronic system.

    It will be interesting to see where things go with stage 2 and a full year reporting period. With 90 days you get a second chance if you slip up, with stage 2 you only get one chance to do it right.

  • Government defined standards hamstring innovation and limit competition on anything but price but most egregiously government-defined standards set by committee with lobbyist intervention institutionalize mediocrity. The result in this case is that EMR vendors market products which meet the low ball standard that EPs need to ensure their meaningful use attestations are within reach.

    Larger less agile less innovative companies lobby to set the bar where their minimum development cost line crosses its maximum sales point opportunity line. Smaller more agile and more innovative companies lack the government lobby and market presence to incrementally push the bar up higher and higher in an innovation duel with its competition without taking on the risk of pricing themselves out of an artificially defined and thereby performance constrained market.

    If there were true business advantage for EPs to adopt the most progressive EMR possible … raising the bar on practice effectiveness and efficiency … then competition amongst disruptive innovators would control the market. What ARRA and HITECH do is spend money ineffectively and inefficiently by ensuring a status quo mediocrity.

    ICSA Labs’ professional conscience may be warning the market it intends to unilaterally set higher bars in areas where government defined standards are lax in order to attract those EMR developers who want to define themselves by some measure other than cost. Alternatively, they may simply be signaling ONC that it wants Stage 2 standards set higher to bring value to their test and certification program in order to eliminate the current program where everyone passes.

    If there is little chance of failing … then there is little value in investing to win.

  • Neil, you stirred up the hornet’s nest with this one. Stage 1 security requirements are definitely on the low side (I guess that is why they call it Stage 1) and we’ll have to see what comes in Stage 2 and 3. There is no doubt that there are EHRs and Modules listed on the CMS CHPL site that meet the minimum requirements but are terrible, unacceptable products by any stretch of the imagination. That is the open secret. The ONC-ATCBs have to test based on what is in the Final Rule and the NIST Test Procedures. They have no choice when testing for ONC.

  • Brian,
    I’m working on a guest post from ICSA Labs where they detail more of the things they see missing. It should be interesting.

    You know that we love stirring up the hornet’s nest. Provides some of the most interesting conversations.
