The Office of the National Coordinator for Health Information Technology's new certification rule, released Friday, may signal a new direction for the agency: ensuring that electronic health-record systems perform as advertised.
The ONC is proposing a two-pronged approach to achieve that goal. It will increase EHR transparency for providers and will encourage certifying bodies to raise their minimum EHR certification standards.
“This will, at least, create another level of accountability,” said Cletis Earle, the chief information officer of St. Luke's Cornwall Hospital, Newburgh, N.Y., of the effort to promote greater accountability for EHR systems being marketed to providers and practices.
“We're all challenged by lack of functionality to hit these (meaningful-use) measures,” he said. “It's because these systems are not truly ready.”
The problem is a common one. Providers and practices purchase a "complete" EHR, certified as complying with the meaningful-use program—only to find that they have to pay extra to achieve the program's goals.
The certification program was supposed to give a client assurance that what's being purchased can perform the tasks required by the meaningful-use program. The process is conducted by certifying bodies, which inspect records in a controlled environment—a lab—and then with checks to see if it works in the field.
But some buyers say the certified records do not perform as promised, and action is needed to ensure they do. Earle and St. Luke's Cornwall Hospital provide one example.
When the second stage of the meaningful-use incentive program rolled out, Earle's hospital was using Meditech Magic, version 5.66. According to the government's EHR list, the program is certified for the “view, download and transmit” function, which allows patients to access their data and transport it elsewhere.
Earle said, however, that the software didn't actually have that capability. So he was forced to either buy a module from Meditech or a third party, or to build one.
Earle chose the former, which meant costs of “tens of thousands of dollars.” Meditech did not respond to a request for comment.
“It's time and time again, that I'm going back to my vendors, and saying, 'Look, these are the regulatory requirements, and you're not necessarily making sure we fit those initiatives,' ” he said.
Charles Christian, the CIO of St. Francis Hospital in Columbus, Ga., said he'd had similar experiences with his hospital's EHR and direct messaging using the C-CDA standard, which allows hospitals to exchange patient data. His vendor attempted to sell the capability as an extra, despite the EHR purporting to be “complete.”
“After expressing my disappointment that they would use this as a revenue opportunity, I was successful in getting the services turned on without additional costs,” he said.
Dr. Farzad Mostashari, the former head of ONC, and current CEO of startup Aledade, said that such problems likely spurred the agency to act. “I don't think that every vendor did this, or every certification requirement was treated this way. But enough vendors are doing it in enough certification criteria, that I think it has caused ONC to push harder.”
To win certification, the agency now proposes, developers need to disclose more information about the use of their system, including more on the expected method of implementing EHRs and about how much it would cost to make the record perform as certified.
The other prong of the agency's proposal is to increase surveillance requirements. Currently, certifying bodies inspect EHRs in the field. The agency believes higher minimum requirements will stimulate more thorough surveillance. The intent is for the certifying bodies to investigate whether the records are performing in the field as they do in the lab.
That will be accomplished through two methods: “reactive” surveillance, in which a certifying body responds to complaints and critiques made by customers in the field; and “randomized” surveillance, in which a body spends time proactively inspecting EHRs used by clinicians.
In the latter instance, the agency proposes, a given certifying body would have to randomly select 10% of its certified products per year to inspect for compliance.
Fortifying the inspection requirements is critical, Mostashari said, because of the way certification has worked to date. Vendors, he said, “develop the functionality in order to pass the test.”
“They don't bother re-working the whole product, to make that function or feature a core part of their production environment, of how that product is intended to be used,” he said.
Earle worries that the auditors testing the systems might not be up to the job, saying they need to have clinical experience to understand why a certain functionality might fail.
Others are concerned about the potential consequences of a failed test. As a part of the proposed rule, the ONC is considering how to go about “decertification”—stripping an EHR's certification. The problem with decertification is the potential for collateral damage, Christian and Mostashari warned.
Decertifying a product means it cannot be used to attest for meaningful use—which affects all of the providers and hospitals using that product. They might have to switch systems or hope the product can somehow regain certification.
“There has to be a lot of thought given to the process, to the due process, and how to minimize the potential impact to the innocent bystanders,” Mostashari said.
So far, the agency has decertified two products made by small vendor EHRMagic; no one had tried to use them for the incentive program.
Others are convinced that transparency-and-surveillance tactics won't be effective, or are going after the wrong targets.
"Price transparency might not reduce ongoing fees, which can be substantial revenue for health IT vendors—about 15% to 20% of the upfront costs, said Saurabh Singh, an analyst for Morgan Stanley. “Usually there are just a handful of vendors who are credible when someone is looking to replace their legacy EHR.”
“Price is not the main factor in a decision,” he said.
