
What Does Direct Messaging Look Like for MU2?

Posted on June 11, 2014 | Written By

Julie Maas is Founder and CEO of EMR Direct, a HISP (Health Information Service Provider) whose mission is to simplify interoperability in healthcare through the use of Direct messaging EHR integration and other applications. EMR Direct works with a large developer community to enable Direct for MU2 and other workflows using a custom, rapid-integration API that’s part of the phiMail Direct Messaging platform. Julie is passionate about improving quality of care and software user experience, and manages ongoing interoperability testing within DirectTrust. Find Julie on Twitter @JulieWMaas.

I’m often asked what EHR integrations of Direct are supposed to look like.  In the simplest sense, I liken it to a Share button and suggest that such a button—typically labeled “Transmit”—be placed in context near the CCDA that’s the target of the transmit action, or in a workflow-friendly spot on a patient record screen.

Send a CCD Using Direct Messaging

Send CCD using Direct in OpenEMR

The receive side is similarly intuitive: the practice classifies how their incoming records are managed today and we map that process to one or more Direct addresses.  If we get stuck, I ask, “What is the workflow for faxes today–how many fax numbers are there, and how are they allocated?”  This usually helps clear things up:  as a starting point, a Direct address can be assigned to replace each fax endpoint.

The address structure raises an important question, because it is tightly tied to the Direct messaging user interface.  Should there be a Direct address for every EHR user?  Provider?  Department? Organization?  A separate address for the patient portal?  A patient portal that spans multiple provider organizations? One for every patient?

The rules around counting Direct messages for Transitions of Care (ToC) attestation do not require each provider to have their own Direct address, as long as the EHR can count transactions correctly for attestation.  As far as meaningful use is concerned, any reasonable address assignment method should be acceptable in ToC use cases (check the rules themselves, for full details).  Here are some examples. is clearly an address that could be shared by multiple users, though it could be used by just one person, and might be used for both transitions of care and patient portal transmit. could also be dual-purpose.  Jane might be the only authorized user of this address, or this address may be managed by a group of people at her practice that does not necessarily even include Jane.  Alternatively, this address could be used for Jane’s ToC transactions, while a address could be used for patient portal transmit.

So, any of the options proposed above are possible conventions for assigning Direct addresses.  Also, a patient does not need their own Direct address to Transmit from as part of the View, Download, Transmit measure (170.314(e)(1)), but might have their own address to transmit to.  Note that adding a little extra data can elevate a View, Download, Transmit implementation to BlueButton+ status.

It makes sense for patients and providers to have their own Direct addresses if they are using Direct for Secure Messaging – 170.314(e)(3) – for which Direct is an optional solution.  Or, if patients have their own Personal Health Record (PHR) and Direct address, Direct is a great way to deliver data to the PHR.  Incidentally, there are free services such as Microsoft HealthVault and many others that issue patient Direct addresses.

Direct addresses are nearly indistinguishable from regular email addresses, but a word of caution: Direct is incompatible with regular email, and has additional requirements beyond traditional S/MIME.  Although it’s not a requirement, you’ll often find the word “direct” somewhere in the domain part of a Direct address, to help distinguish a regular email address from a Direct address.

Now that you know what Direct is, and what Direct Messaging and Direct addresses look like, I’m sure you’ll start noticing Direct popping up in more and more places.  So, be a not-so-early adopter and go get yourself a Direct address!

Should Doctors Say Goodbye To Meaningful Use?

Posted on January 7, 2014 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Of late there’s been a lot of concern about doctors exiting the Meaningful Use program, with many saying the financial reward was simply not worth the trouble. This trend, of course, has the medical world abuzz with discussion as to what will happen if doctors drop Meaningful Use like a stone.

Meanwhile, a few months ago, an EMR vendor brought the discussion more heat when it announced that it would no longer be Meaningful Use certified. ComChart Medical Software said, in a letter to the EMR community, “unfortunately, will not be able to meet the Stage 2 (or greater) Meaningful Use certification requirements as its requirements are technically extremely difficult to implement.”

If I were running a medical practice, and my vendor took away from me the choice of complying with Meaningful Use or not, I might be angry, but I might breathe a sigh of relief.  After all, complying with Stage 2 will be a major accomplishment for virtually any practice, and if my vendor takes the choice of complying or not complying with Meaningful Use out of my hands, I won’t have people breathing down my neck saying I’m not a team player.

But even if my vendor continues to support a certified EMR for now and into the future, it’s still worth wondering whether it’s worth the trouble for doctors, half of whom are in smallish practices that don’t have much of an IT budget.  After all, if my practice has completed Stage 1 I’ve already realized most of the financial benefits the program offers, notes Modern Healthcare.

So what do you think, readers? Do the next stages of Meaningful Use pay off in other ways that make the struggle for compliance worth the trouble?

Will Rip and Replace EHR Software Ever Be a Thing of the Past?

Posted on April 25, 2012 | Written By

As Social Marketing Director at Billian, Jennifer Dennard is responsible for the continuing development and implementation of the company’s social media strategies for Billian’s HealthDATA and Porter Research. She is a regular contributor to a number of healthcare blogs and currently manages social marketing channels for the Health IT Leadership Summit and Technology Association of Georgia’s Health Society. You can find her on Twitter @JennDennard.

I heard an interesting statistic a few days ago during a very informative webinar – “The Future of Meaningful Use, EHRs and Accountable Care” – hosted by Greenway Medical’s Justin Barnes. He shared a huge amount of information during the hour-long presentation, but the fact that most stood out to me was that, according to Barnes, between 35 and 50 percent of EMRs will eventually be replaced after just one year of use. (Don’t quote him on the “year,” but I’m pretty sure that’s what he said.) His point being, of course, that providers need to think long and hard about what type of solution they need to fit their workflows before they spend time and money implementing an EMR.

This sentiment was echoed by Kimberly Harding of BCBS Florida in a panel at the iHT2 Summit in Atlanta. As part of a greater discussion on Meaningful Use, she made the comment that just because a healthcare IT product is certified doesn’t mean it’s the best fit for a particular facility.

My takeaway from both of these statements is that providers looking to adopt new healthcare IT tools like EMRs need to take a long, hard look at what their current needs are and what their future needs might be before they even think about demoing products.

They also need to adopt technologies that fit their workflows, not necessarily technologies that have a ton of bells and whistles. Added features won’t do anyone any good if they’re never used properly, never used at all, or used to the detriment of a physician’s productivity.

I kept this sentiment in mind when I read the results of a recent study of 250 hospitals and healthcare systems by consulting firm KPMG. The survey found that “71% of respondents’ organizations are more than 50% finished with their EHR adoptions.” Will this 71% be satisfied with their EMRs once fully installed and adopted? How many will realize their product of choice wasn’t the right call? If we apply the Greenway statistic, that could be as many as 125 facilities!

So where is the disconnect? Why are providers making poor choices with presumably the best of intentions? Why has the term “rip and replace” become so well known in healthcare? Are physicians misinformed, or not educated enough? Are they feeling so rushed by Meaningful Use deadlines that they don’t perform proper due diligence? Are vendors part of the problem? If so, shouldn’t they be part of the solution? What role do regional extension centers have to play in all this?

If you have answers, please let me know in the comments below.

Intermediaries for Meaningful Use Stage 1 – Prime Opportunity?

Posted on September 6, 2011 | Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

John’s recent post about ONC trained participants finding it difficult to find jobs struck a chord. A different post over at HIMSS had me thinking in overdrive.

Dr. Noam Arzt has a post on Meaningful Use and public health reporting. In it he discusses the problems faced by providers in submitting health information to public health bodies in ways that are also Meaningful Use Stage 1 compliant.

Health records in provider offices are sometimes stored in disparate silos that cannot/do not communicate with one another. As Dr. Arzt explains with an immunization records example, there is no demonstrable Meaningful Use if an uncertified system makes the data submissions to public health.

Of course, adding functionality to the EHR system while simultaneously revamping the uncertified system, so that the two share data with one another in support of Meaningful Use, is one (costly) solution. Getting the secondary data system certified is another one. A third approach, which Dr. Arzt touches on, is for Health Information Exchanges to act as/provide for certified intermediaries that bridge the data flow between an uncertified system and one that is Meaningful Use certified.

Here’s what HHS had to say about the subject a month ago:

If an intermediary performs a capability specified in an adopted certification criterion and a provider intends to use the capability the intermediary provides to satisfy a correlated meaningful use requirement (submission to public health according to adopted standards), the capability provided by the intermediary would need to be certified as an EHR Module

This intermediary need can be filled, especially by innovative software vendors or those looking to break into the EHR IT industry. From plain data conversions to web services, IT companies have plenty of tricks up their sleeve to assist HIEs. The technology is there, all we need are savvy techies (companies, people) to see the opportunity this presents and act on it.

Guest Post: ONC-ATCB ICSA Labs – The Future of EHR Testing Requires Security and Privacy Enhancements

Posted on August 25, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Guest Post – Amit Trivedi – As the healthcare program manager for ICSA Labs, Amit Trivedi spearheads the lab’s overall efforts in the healthcare industry, including launching and managing the 2011/2012 Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB) certification program.

We all know there is no such thing as perfect security. All we can do is try to mitigate as many risks as possible. In this regard, there are areas related to information security that the current ONC-ATCB 2011/2012 (commonly referred to as meaningful use) certification testing does not yet address and that the health IT community should be aware of when implementing systems.

ICSA Labs is an Office of the National Coordinator-Authorized Testing and Certification Body (ONC-ATCB), designated to test both complete and modular electronic health record (EHR) technologies under the auspices of the federal government’s Temporary Certification Program. ICSA Labs has a history rich in the certification of security products. We have been testing security products and developing test criteria for more than two decades and we understand the importance of raising security awareness in the health IT community and helping Eligible Providers and Hospitals understand what meaningful use EHR certification testing does and doesn’t cover.

It is important to remember that regardless of the number of security features a product has, an incorrect or incomplete implementation can introduce vulnerabilities or compromise the security of the system. Certification testing can really only demonstrate that a product is capable of being used securely, not that its security can never be compromised.

Testing bodies must test products within the scope of approved test procedures. As an organization that has developed testing procedures and methodologies, we understand that there is a delicate balancing act when developing requirements so that general concepts and capabilities are covered by the testing, but the testing process is not designed so specifically as to stifle innovation in new products. As such, we recommend that end users and implementers be aware of these requirements when deploying ONC-ATCB 2011/2012 certified products.

Encryption Requirements Do Not Address the “What”

Consider the encryption requirements (criteria 170.302.u and 170.302.v). The current testing criteria require FIPS 140-2 level encryption. This is an excellent way to require products to support some of the best levels of encryption available today, and to keep them in line with other federal encryption requirements.

One could compare encryption to a bank vault. You might purchase the most secure, unbreakable vault in the world, but if you don’t put your valuables in the vault, it won’t be of any help when there is a break-in. The current meaningful use testing procedures do not dictate what must be encrypted. Ultimately it falls to end users to make a determination as to how they want to implement security – hopefully basing the decision on a risk-based approach. Fortunately, meaningful use testing and certification follows a staged approach to getting from where we are today to where we’d like to be in the future. The meaningful use certification is planned to be rolled out in three stages. Right now, we are in the midst of Stage 1. Some recommendations to the ONC for Stage 2 security criteria include addressing things like encrypting data at rest (including data in datacenters and mobile devices) – something that is not part of the Stage 1 requirements.

Negative Testing Examines the Unexpected

Another area to highlight is related to negative testing, which is currently out of scope for ONC-ATCBs. The testing performed today relies on giving the EHR an expected input and verifying that the expected result is met. Negative testing, however, is the concept of giving unexpected or invalid inputs to a system and verifying receipt of an expected result (typically, that the data is not accepted or an error is generated that does not crash the system). Negative testing is common throughout ICSA Labs’ proprietary security testing programs and something we feel should be incorporated into future testing of EHR technologies under the ONC Certification program.

Consider the authentication and access control requirements (criteria 170.302.t and 170.302.o). Some of you may be aware of an old Unix bug that resulted in the operating system being unable to correctly support passwords over eight characters. If the password was 12 characters long, a user only needed to enter the first 8 characters to be allowed to log in. This made password cracking on Unix servers much easier, and because the system allowed the entry of a longer password, most users were unaware of this limitation.

ICSA Labs has discovered the same or similar problems when testing products in our proprietary security certification programs, and the primary way we discover this is by negative testing. For example, we configure a password greater than eight characters, and then we attempt to log in to the system using only the first eight characters. This should be treated as invalid by the system and rejected. However, the meaningful use EHR testing only tests that the system accepts valid passwords. There is no testing done on the system’s acceptance or rejection of invalid passwords.
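The negative test described above (set a password longer than eight characters, then try only its first eight), written out as an added example; it is not ICSA Labs' test procedure or code from the original post. `TruncatingStore`, `FullLengthStore` and the sample password are constructed for illustration, and the block goes beyond the single prefix case to a few other invalid variants that must also be rejected.

```python
import hashlib
import hmac
import os

SIGNIFICANT_CHARS = 8  # constructed: models the eight-character limit in the text
SAMPLE_PASSWORD = "CorrectHorse12"  # constructed sample, longer than eight characters


class TruncatingStore:
    """Deliberately flawed (hypothetical): only the first 8 characters count."""

    def __init__(self):
        self._users = {}

    def _digest(self, password, salt):
        material = password[:SIGNIFICANT_CHARS].encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        record = self._users.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._digest(password, salt))


class FullLengthStore(TruncatingStore):
    """Corrected form (hypothetical): the whole password is hashed."""

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def positive_test(store, user, password):
    """Expected-input check only: the valid password is accepted."""
    store.set_password(user, password)
    return store.login(user, password)


def negative_candidates(password):
    """Invalid inputs derived from the valid password; each must be rejected."""
    yield "first-8-prefix", password[:8]
    yield "one-char-short", password[:-1]
    yield "extra-suffix", password + "x"
    yield "case-swapped", password.swapcase()
    yield "empty", ""
    yield "trailing-space", password + " "


def run_negative_tests(store, user, password):
    """Return a list of findings; an empty list means every invalid input was rejected."""
    store.set_password(user, password)
    findings = []
    if not store.login(user, password):
        findings.append("positive: valid password rejected")
    for name, candidate in negative_candidates(password):
        if candidate == password:
            continue  # not actually an invalid input for this password
        try:
            accepted = store.login(user, candidate)
        except Exception as exc:  # an invalid input must not crash the system
            findings.append(f"{name}: crashed with {type(exc).__name__}")
            continue
        if accepted:
            findings.append(f"{name}: invalid password accepted")
    return findings


if __name__ == "__main__":
    for store in (TruncatingStore(), FullLengthStore()):
        label = type(store).__name__
        print(label, "positive test passed:", positive_test(store, "jdoe", SAMPLE_PASSWORD))
        for finding in run_negative_tests(store, "jdoe", SAMPLE_PASSWORD) or ["no findings"]:
            print("  ", finding)
```

Both stores pass the positive test, which is the only kind the post says meaningful use testing performs; only the negative cases tell them apart.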

The Future of EHR Testing Must Increase Security, Privacy

As we progress to the next stages of meaningful use certification, the requirements should begin to look at other areas of security, such as application testing for vulnerabilities like buffer overflows, SQL Injection, and cross-site scripting attacks. These are all examples of security testing best practices. In many instances, ONC has signaled its flexibility in allowing third-party products to complement functionality of EHR technologies, which means that not all of the functionality needs to be native to the product. This can allow EHR developers to focus on functionality that their customers are looking for, while at the same time keeping security as an important consideration in the product life cycle development.

It is our hope that future stages of meaningful use testing will raise the bar and specify how and when features like encryption should be used and the scope of testing will be expanded to include things like negative testing. As the meaningful use criteria evolve, it is critical that both the criteria and testing procedures are developed in ways that consider the long-term security and privacy of patient health records.  

101 Tips to Make Your EMR and EHR More Useful – EHR Tips 56-60

Posted on August 22, 2011 | Written By

John Lynn

Time for the next entry covering Shawn Riley’s list of 101 Tips to Make your EMR and EHR More Useful. I hope you’re enjoying the series.

If you want to see my analysis of the other 101 EMR and EHR tips, I’ll be updating this page with my 101 EMR and EHR tips analysis. So, click on that link to see the other EMR tips.

60. Reporting, reporting, reporting, reports
What’s the point in collecting the data if you can’t report on it? I’ve written before about the types of EMR reports that you can get out of the EMR system. The reports a hospital requires will be much more robust than those of an ambulatory practice. In fact, outside of the basic reports (A/R, Appointments, etc), most ambulatory practices that I know don’t run very many reports. I’d say it’s haphazard report running at best.

Although, I won’t be surprised if the need to report data from your EHR increases over the next couple of years. Between the meaningful use reporting requirements and the movement towards ACOs, you can be sure that having a robust reporting system built into your EHR will become a necessity.

59. Are the meaningful use (MU) guidelines covered by your product?
Assuming you want to show meaningful use, make sure your EHR vendor is certified by an ONC-ATCB. Next, talk to some of their existing users that have attested to meaningful use stage 1. Third, ask them about their approach for handling meaningful use stage 2 and 3. Fourth, evaluate how they’ve implemented some of the meaningful use requirements so you get an idea of how much extra work you’ll have to do beyond your regular documenting to meet meaningful use.

58. If they aren’t CCHIT certified take a really really hard look
Well, it looks like this tip was written pre-ONC-ATCB certifying bodies. Of course, readers of this site and its sister site, EMR and HIPAA, will be aware that CCHIT Has Become Irrelevant. Now it’s worth taking a hard look if the EHR isn’t an ONC-ATCB certified EHR. There are a few cases where it might be ok, but they better have a great reason not to be certified. Not because the EHR certification provides you any more value other than the EHR vendor will likely need that EHR certification to stay relevant in the current EHR market.

57. What billing systems do you interface with?
These days it seems in vogue to have an integrated EMR and PMS (billing system). Either way, it’s really important to evaluate how your EMR is going to integrate with your billing. Plus, there can be tremendous benefits to the tight integration if done right.

56. How much do changes and customizations cost?
In many cases, you can see and plan for the customization that you’ll need as part of the EHR implementation. However, there are also going to be plenty of unexpected customizations that you don’t know about until you’re actually using your EHR (Check out this recent post on Unexpected EHR Expenses). Be sure to have the pricing for such customizations specified in the contract. Plus, as much as possible try to understand how open they are to doing customizations for their customers.

Check out my analysis of all 101 EMR and EHR tips.

Certified Open Source EHR

Posted on August 10, 2011 | Written By

John Lynn

I’ve been writing about the various open source EHR software options for about 5.5 years right now. I’ve been intrigued with open source for much longer, so it just made natural sense for one of the first things for me to look at would be the various open source EHR options.

5.5 years ago the open source EHR market (although EHR really wasn’t in vogue yet back then) had a solid foundation, but still had quite a ways to go for it to be a great option for doctors interested in an open source EHR option.

I haven’t done an in depth look at the various open source EHR options for a while (I should), but I think the fact that many open source EHR software are now certified EHR and can help physicians show meaningful use and receive EHR incentive money is a good sign. Most of you know that I’m not a big fan of EHR certification, but I do believe that EHR certification takes a certain level of commitment to be able to achieve. Therefore, I think it’s a great sign that the open source EHR options have enough steam and commitment behind them to become certified EHR.

A recent Open Health News post listed the following certified open source EHR:
Ambulatory Open Source EHR
Tolven eCHR
Vista (inpatient) Open Source EHR
WorldVistA EHR
Other (inpatient) Open Source EHR
Indian Health Services’ RPMS

I’d love to hear reviews and experiences that people have working with open source EHR software.

Subsidiary Modules in Certified EHR Products

Posted on June 2, 2011 | Written By

When Carl Bergman isn’t rooting for the Washington Nationals or searching for a Steeler bar, he’s Managing Partner of, a free service for matching users and EHRs. For the last dozen years, he’s concentrated on EHR consulting and writing. He spent the 80s and 90s as an itinerant project manager doing his small part for the dot com bubble. Prior to that, Bergman served a ten year stretch in the District of Columbia government as a policy and fiscal analyst.

Carl Bergman, from, sent me the following email which poses some interesting questions about various certified EHR vendors and the software that they depend on to be certified.

Many of the [certified EHR] products relied on several other software companies to function. Usually this was Dr. First’s Rocopia, Surescripts, etc. However, many others had required several subsidiary modules to work. For example, Pearl EMR lists: MS .NET Framework 3.5 Cryptographic Service Provider; SureScripts; BCA Lab Interface; Oracle TDE.

There is nothing inherently wrong with this, but it raises three questions. Does the vendor include the price, if any, for subsidiary software? More importantly, how well are these programs integrated into the main program? Does the vendor take responsibility if the subsidiary software changes, making them incompatible?

He definitely asks some interesting questions. I’d say that in most cases, there will be little issues with the dependent software. Any changes by the dependent software are going to have to be dealt with or in some cases replaced by the EMR vendor. That will just be part of the EMR upgrade process that the EMR vendor does for you.

The only exception might be things like the third party ePrescribing software. Depending on how this is integrated it could be an issue. In most cases, integration with the ePrescribing software can be very much like an interface with a PMS system or even a lab interface. If you’ve had the (begin sarcasm) fun (end sarcasm) of dealing with these types of interfaces you know how it can be problematic and often a pain to manage. I believe the interface with an ePrescribing module is less problematic, but it will exhibit similar issues depending on how the EMR software works with the ePrescribing.

Personally, I don’t have much problem with these types of integrations, as long as the EMR vendor is providing all of the software for you. The reason this is important is because if you get the EMR software from one vendor and the ePrescribing software from another vendor and then tell them to work together, you’re just asking for a lot of finger pointing. However, if your EMR software chooses to integrate a third party software to flesh out the certified EMR requirements and provides you all of the software, then you’re in a much better position. As they say, then you only have one neck to wring if something goes wrong. You don’t want to have to call both vendors and have each vendor point the finger at the other. That’s a position that no one enjoys.

Which EHR Certifying Body?

Posted on March 3, 2011 | Written By

John Lynn

Many of you will probably remember my post about Jim Tate and all his EHR certification experience. As I said in that post, Jim Tate knows his stuff when it comes to the EHR certification bodies (ONC-ATCB). So, I found his advice for EHR vendors on HITECH Answers pretty interesting when it comes to selecting which ONC-ATCB an EHR company should use.

You can go read the whole article, or here’s the Cliff notes version: Responsiveness and Support of the EHR certifying body is most important.

Heard in the HIMSS Hallway – Government Wants All EHR Software Easily Certified and Doctors Showing Meaningful Use

Posted on February 22, 2011 | Written By

John Lynn

Today, the most interesting thing I heard in the hallway of HIMSS was about ONC and the government’s perspective on the current EHR certification and meaningful use stage 1.

Someone I spoke with told me that ONC is very focused on getting all EHR software certified. It won’t quite be a basic rubber stamp, but ONC-ATCBs are to work with the EHR vendors to help as many EHR vendors be certified as possible.

Similar to that, ONC wants doctors to easily be able to show meaningful use stage 1. Then, they’ll tighten down on future stages.

On its face, this might not seem like a big deal. No doubt, ONC wants as many certified EHR vendors and doctors that are meaningful users as possible.

However, I find it interesting to think that they’re deliberately trying to get as many people as possible meaningfully using a certified EHR even if those users and EHR vendors aren’t likely to be able to comply with future more stringent requirements.

Will this mean we’ll have a whole wave of EHR users having to switch EHR software once the more stringent standards are implemented? Or will doctors just take the meaningful use stage 1 EHR incentive money and then not worry about the rest of the government handout?

I’m not sure of the outcome, but it’s definitely something worth thinking about.