Under the temporary program's requirements, the certification bodies were supposed to re-evaluate certified EHRs periodically to ensure they remained compliant. But of the five certification bodies the report audited, three had no procedures in place to re-evaluate certified EHRs. As a consequence, an EHR that was modified after certification might no longer comply with federal standards. The report noted that this lack of oversight could have far-reaching consequences. For example, an EHR could be modified to encourage upcoding, the practice of billing for more expensive services than were actually provided.
The Inspector General's report also expressed concern that the certification bodies did not have enough training, and that the testing procedures approved by the ONC were insufficient. As one serious example, current procedures allow certification bodies to approve EHRs that accept a single-character password. User privilege standards were another area of concern.
The ONC said it believes the concerns raised by the Inspector General aren’t relevant because they focus on a system created under a temporary program. Since then, the agency has approved a permanent program. That program, the ONC said, has more stringent requirements for EHR evaluation.
But the Inspector General's office also sees flaws in ONC's permanent program. Some of its concerns, such as password length and user privileges, still apply to ONC's 2014 certification criteria, the Inspector General's office said. The ONC has not "directly address[ed]" its authority to remove an EHR from the certified product list "absent improper conduct" by a certification body, the OIG report noted. "Therefore, if an EHR is exploited and used to conduct malicious activities, ONC is not able to remove the EHR, even temporarily, from the Product List to prevent further purchases," the report stated.
Follow Darius Tahir on Twitter: @dariustahir