Certification Guidance for EHR Technology Developers Serving

Certification Guidance for EHR Technology Developers

Serving Health Care Providers Ineligible for

Medicare and Medicaid EHR Incentive Payments

I. Background

The Medicare and Medicaid EHR Incentive Programs, authorized by the Health Information

Technology for Economic and Clinical Health (HITECH) Act, have driven significant electronic health

record (EHR) adoption by health care providers eligible to receive incentive payments. Eligible

professionals and hospitals must demonstrate “meaningful use” of EHR technology that has been

certified under the ONC HIT Certification Program to qualify for the Medicare and Medicaid EHR

incentive payments. Despite this progress, many other types of health care providers equally important

to the care continuum are not eligible to receive EHR incentive payments under the HITECH Act (e.g.,

certain mental and behavioral health professionals, and certain professionals who practice in long-term

and post-acute care settings). These “ineligible” types of providers routinely interact with health care

providers who are eligible for EHR incentive payments and face policy and technology challenges

unique to their settings.

II. Purpose

This guidance is meant to serve as a building block for federal agencies and stakeholders to use as

they work with different communities to achieve interoperable electronic health information exchange.

It identifies the 2014 Edition EHR certification criteria from the ONC HIT Certification Program that

specifically focus on interoperability – to enable electronic health information to be both exchanged and

subsequently used by recipients.

While these certification criteria were specifically adopted to support

health care providers seeking to achieve meaningful use, we believe that they are generally applicable to

ONC follows the definition of “interoperability” provided by the Institute for Electrical and Electronics Engineering

Computer Dictionary which defines interoperability to mean: “the ability of two or more systems or components to exchange

information and to use the information that has been exchanged.” See IEEE Standard Computer Dictionary: A Compilation

of IEEE Standard Computer Glossaries (New York, NY: 1990).

Page 2 of 5

many health care settings. In addition, the capabilities expressed by some of these certification criteria

could, if implemented by both eligible and ineligible types of providers, open critical communication

lines between eligible and ineligible health care providers in order to support broad health care goals,

such as care coordination and reduced hospital readmissions.

III. Interoperability-focused 2014 Edition EHR Certification Criteria

The following 2014 Edition EHR certification criteria address several use cases for which

interoperable health information exchange may be beneficial between eligible and ineligible health care

providers as well as between ineligible health care providers and knowledge resources, clinical

laboratories, and public health agencies. Health care providers eligible to receive incentive payments

under the Medicare and Medicaid EHR Incentive Programs will, depending on the stage of meaningful

use they seek to achieve, need to have EHR technology certified to these criteria. We encourage EHR

technology developers serving ineligible health care providers to also seek certification to these criteria.

Table 1. The three certification criteria listed in Table 1 specifically support interoperable summary

care record exchange – a fundamental capability necessary to enable care coordination across different

health care settings. To further emphasize the importance of summary care record exchange, ONC will

list EHR technology certified to all three of the certification criteria identified in Table 1 on the Certified

Health IT Product List (CHPL)

with an added designation to indicate the EHR technology’s ability to

support interoperable summary care record exchange.

2014 Edition EHR

Certification Criterion

Short Description

45 CFR §170.314(b)(1)

45 CFR §170.314(b)(2)

Transitions of Care

These two certification criteria require EHR technology to be, at a minimum,

capable of: A) electronically creating and receiving summary care records with a

common data set in accordance with the Consolidated Clinical Document

Architecture (CCDA) standard; and B) electronically exchanging in accordance

with the Direct transport specification.

45 CFR §170.314(b)(4)

Clinical Information

Reconciliation

Require EHR technology to allow a user to electronically reconcile the data that

represent a patient’s active medication, problem, and medication allergy list.

The CHPL is located at http://oncchpl.force.com/ehrcert?q=chpl.

For more information about these certification criteria and the standards adopted and included within them, please visit:

http://www.healthit.gov/policy-researchers-implementers/meaningful-use-stage-2-0/standards-hub

Page 3 of 5

Table 2. The following certification criteria represent other EHR capabilities that support different

types of interoperability functions.

2014 Edition EHR

Certification Criterion

Short Description

45 CFR §170.314(a)(8)

Clinical Decision Support

Provides the option for EHR technology to be certified to the HL7 Context-Aware

Knowledge Retrieval Standard (“Infobutton”) standard to electronically retrieve

linked-referential clinical decision support information from content/knowledge

resources.

45 CFR §170.314(a)(15)

Patient-Specific

Education Resources

Requires EHR technology to be able to use “Infobutton” standard to electronically

retrieve patient-specific education from content/knowledge resources.

45 CFR §170.314(b)(3)

E-Prescribing

Requires EHR technology to be capable of electronically creating prescriptions and

prescription-related information and electronically transmitting such information

using the NCPDP SCRIPT version 10.6; with medications represented in RxNorm.

45 CFR §170.314(b)(5)

Incorporate Laboratory

Tests and Values/Results

Requires EHR technology designed for an ambulatory setting to be capable of

electronically receiving, incorporating, and displaying clinical laboratory tests and

values/results in accordance with the HL7 Version 2.5.1 Implementation Guide:

S&I Framework Lab Results Interface (LRI) and with laboratory tests represented

in LOINC®.

45 CFR §170.314(b)(6)

Transmission of Electronic

Laboratory Tests and

Values/Results to

Ambulatory Providers

Requires EHR technology designed for an inpatient setting to be able to generate

laboratory test reports for electronic transmission to ambulatory provider’s EHR

systems in accordance with the HL7 Version 2.5.1 Implementation Guide: S&I

Framework LRI and with laboratory tests represented in LOINC®.

45 CFR §170.314 (b)(7)

Data Portability

Requires EHR technology to be able to electronically create a set of export

summaries for all patients, formatted in accordance with the CCDA.

45 CFR §170.314(c)(1)-(3)

Clinical Quality Measures

Requires EHR technology to be capable of capturing, exporting, importing,

calculating, and electronically submitting the information necessary for clinical

quality measures.

45 CFR §170.314(e)(1)

View, Download, and

Transmit to 3

Party

Requires EHR technology to be capable of providing secure online access to health

information for patients and authorized representatives to electronically view,

download their health information in accordance with the CCDA standard, and

transmit such information in accordance with the Direct transport specification.

45 CFR §170.314(e)(2)

Clinical Summaries

Requires EHR technology to enable a user to create a clinical summary in

accordance with the CCDA standard in order to provide it to a patient.

45 CFR §170.314(f)(2)

Transmission to

Immunization Registries

Requires EHR technology to be able to electronically generate immunization

information for electronic transmission using the HL7 2.5.1 Implementation Guide

for Immunization Messaging, Release 1.4, and using the HL7 Standard Code Set

CVX - Vaccines Administered vocabulary standard.

45 CFR §170.314(f)(3)

Transmit Syndromic

Surveillance to Public

Health Agencies

Requires EHR technology to be able to electronically generate syndromic

surveillance information for electronic transmission to public health agencies using

the HL7 2.5.1 standard and, for the inpatient setting, a specific implementation

guide.

For more information about these certification criteria and the standards adopted and included within them, please visit:

http://www.healthit.gov/policy-researchers-implementers/meaningful-use-stage-2-0/standards-hub

Page 4 of 5

2014 Edition EHR

Certification Criterion

Short Description

45 CFR §170.314(f)(4)

Transmit Lab Results to

Public Health Agencies

Requires EHR technology to be capable of electronically generating reportable

laboratory test values and results information for electronic transmission to public

health agencies using the HL7 Version 2.5.1 Implementation Guide for Electronic

Laboratory Reporting to Public Health as well as SNOMED CT® and LOINC®.

45 CFR §170.314 (f)(6)

Optional -Transmit to

Cancer Registries

Requires EHR technology to be able to electronically generate cancer case

information for electronic transmission using the HL7 Clinical Document

Architecture, Release 2.0, Implementation Guide for Ambulatory Healthcare

Provider Reporting to Central Cancer Registries and SNOMED CT® and

LOINC®.

IV. Privacy and Security-focused 2014 Edition EHR Certification Criteria

Table 3 below references the adopted privacy and security-focused 2014 Edition EHR

certification criteria. These certification criteria help assure that electronic health information is

protected when it is stored and transmitted as well as that only authorized personnel can access the

information. Many of these certification criteria are generally applicable to EHR technology developed

for any setting. Thus, we encourage EHR technology developers that serve ineligible health care

providers to seriously consider seeking certification to these certification criteria when doing so for the

interoperability-focused certification criteria referenced above in Tables 1 and 2.

Table 3.

2014 Edition EHR

Certification Criterion

Short Description

45 CFR §170.314(d)(1)

Authentication, Access

Control, and Authorization

Requires EHR technology to be capable of authenticating a user, authorizing them,

and establishing their ability to access electronic health

45 CFR §170.314(d)(2)

Auditable Events and

Tamper-Resistance

Requires EHR technology to be capable of:

• Recording user actions related to electronic health information in an audit

health information locally stored on end user devices is disabled or

enabled.

• Being set by default to record actions related to electronic health

information in an audit log, and recording audit log status or encryption

status.

• Only enabling specific users to disable an audit log, if possible.

• Protecting actions and statuses related to the recording of electronic health

information, audit log status, and encryption status from being changed,

overwritten, or deleted by the EHR technology.

•

Detecting when the audit log has been altered.

45 CFR §170.314(d)(3)

Audit Report(s)

Requires EHR technology to be capable of :

• Enabling a user to generate an audit report for a specific time period, and

• Sort entries in the audit log according to the data elements specified in the

audit log content standard

Page 5 of 5

2014 Edition EHR

Certification Criterion

Short Description

45 CFR §170.314(d)(4)

Amendments

Requires EHR technology to be capable of enabling a user to capture a patient’s

(accepted or denied) request for an amendment to their electronic health

information.

45 CFR §170.314(d)(5)

Automatic Log-Off.

Requires EHR technology to be capable of preventing a user from gaining further

access to an electronic session after a predetermined time of inactivity.

45 CFR §170.314(d)(6)

Emergency Access

Requires EHR technology to be able to permit an identified set of users to access

electronic health information during an emergency.

45 CFR §170.314(d)(7)

End-User Device

Encryption

Requires EHR technology to be capable of encrypting electronic health

information (following security standards from the National Institute of Standards

and Technology) when it is designed to store such information on end-user devices

after use on those devices stops.

45 CFR §170.314(d)(8)

Integrity

Requires EHR technology to be able to use secure hashing standards to verify that

electronic health information has not been altered.

45 CFR §170.314(d)(9)

Optional – Accounting of

Disclosures

Requires EHR technology to be able to record treatment, payment, and health care

operations

disclosures. The date, time, patient identification, user identification,

and a description of the disclosure must be recorded for disclosures for treatment,

payment, and health care operations.