John’s recent post about ONC trained participants finding it difficult to find jobs struck a chord. A different post over at HIMSS had me thinking in overdrive.

Dr. Noam Arzt has a post on Meaningful Use and public health reporting. In it he discusses the problems faced by providers in submitting health information to public health bodies in ways that are also Meaningful Use Stage 1 compliant.

Health records in provider offices are sometimes stored in disparate silos that are cannot/do not communicate with one another. As Dr. Arzt explains with an immunization records example, there is no demonstrable Meaningful Use if an uncertified system makes the data submissions to public health.

Of course, adding additional functionality to the EHR system with a simultaneous revamping of uncertified system to provide Meaningful Use share data with one another is one (costly) solution. Getting the secondary data system certified is another one. A third approach, which Dr. Arzt touches on, is for Health Information Exchanges to act as/provide for certified intermediaries that bridge the data flow between an uncertified system and one that is Meaningful Use certified.

Here’s what HHS had to say about the subject a month ago:

If an intermediary performs a capability specified in an adopted certification criterion and a provider intends to use the capability the intermediary provides to satisfy a correlated meaningful use requirement (submission to public health according to adopted standards), the capability provided by the intermediary would need to be certified as an EHR Module

This intermediary need can be filled, especially by innovative software vendors or those looking to break into the EHR IT industry. From plain data conversions to web services, IT companies have plenty of tricks up their sleeve to assist HIEs. The technology is there, all we need are savvy techies (companies, people) to see the opportunity this presents and act on it.

Guest Post – Amit Trivedi – As the healthcare program manager for ICSA Labs, Amit Trivedi spearheads the lab’s overall efforts in the healthcare industry, including launching and managing the 2011/2012 Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB) certification program.

We all know there is no such thing as perfect security. All we can do is try to mitigate as many risks as possible. In this regard, there are areas related to information security that the current ONC-ATCB 2011/2012 (commonly referred to as meaningful use) certification testing does not yet address and that the health IT community should be aware of when implementing systems.

ICSA Labs is an Office of the National Coordinator-Authorized Testing and Certification Body (ONC-ATCB), designated to test both complete and modular electronic health record (EHR) technologies under the auspices of the federal government’s Temporary Certification Program. ICSA Labs has a history rich in the certification of security products. We have been testing security products and developing test criteria for more than two decades and we understand the importance of raising security awareness in the health IT community and helping Eligible Providers and Hospitals understand what meaningful use EHR certification testing does and doesn’t cover.

It is important to remember that regardless of the number of security features a product has, an incorrect or incomplete implementation can introduce vulnerabilities or compromise the security of the system. Certification testing can really only demonstrate that a product is capable of being used securely, not that its security can never be compromised.

Testing bodies must test products within the scope of approved test procedures. As an organization that has developed testing procedures and methodologies, we understand that there is a delicate balancing act when developing requirements so that general concepts and capabilities are covered by the testing, but the testing process is not designed so specifically as to stifle innovation in new products. As such, we recommend that end users and implementers be aware of these requirements when deploying ONC-ATCB 2011/2012 certified products.

Encryption Requirements Do Not Address the “What”

Consider the encryption requirements (criteria 170.302.u and 170.302.v). The current testing criteria require FIPS 140-2 level encryption. This an excellent way to require products to support some of the best levels of encryption available today, and that they are also in line with other federal encryption requirements.

One could compare encryption to a bank vault. You might purchase the most secure, unbreakable vault in the world, but if you don’t put your valuables in the vault, it won’t be of any help when there is a break-in. The current meaningful use testing procedures do not dictate what must be encrypted. Ultimately it falls to end users to make a determination as to how they want to implement security – hopefully basing the decision on a risk-based approach. Fortunately, meaningful use testing and certification follows a staged approach to getting from where we are today to where we’d like to be in the future. The meaningful use certification is planned to be rolled out in three stages. Right now, we are in the midst of Stage 1. Some recommendations to the ONC for Stage 2 security criteria include addressing things like encrypting data at rest (including data in datacenters and mobile devices) – something that is not part of the Stage 1 requirements.

Negative Testing Examines the Unexpected

Another area to highlight is related to negative testing, which is currently out of scope for ONC-ATCBs. The testing performed today relies on giving the EHR an expected input and verifying that the expected result is met. Negative testing, however, is the concept of giving unexpected or invalid inputs to a system and verifying receipt of an expected result (typically, that the data is not accepted or an error is generated that does not crash the system). Negative testing is common throughout ICSA Labs’ proprietary security testing programs and something we feel should be incorporated into future testing of EHR technologies under the ONC Certification program.

Consider the authentication and access control requirements (criteria 170.302.t and 170.302.o). Some of you may be aware of an old Unix bug that resulted in the operating system being unable to correctly support passwords over eight characters. If the password was 12 characters long, a user only needed to enter the first 8 characters to be allowed to login. This made password cracking on Unix servers much easier, and because the system allowed the entry of a longer password, most users were unaware of this limitation.

ICSA Labs has discovered the same or similar problems when testing products in our proprietary security certification programs, and the primary way we discover this is by negative testing. For example, we configure a password greater than eight characters, and then we attempt to login to the system using only the first eight characters. This should be treated as invalid by the system and rejected. However, the meaningful use EHR testing only tests that the system accepts valid passwords. There is no testing done on the system’s acceptance or rejection of invalid passwords.

The Future of EHR Testing Must Increase Security, Privacy

As we progress to the next stages of meaningful use certification, the requirements should begin to look at other areas of security, such as application testing for vulnerabilities like buffer overflows, SQL Injection, and cross-site scripting attacks. These are all examples of security testing best practices. In many instances, ONC has signaled its flexibility in allowing third-party products to complement functionality of EHR technologies, which means that not all of the functionality needs to be native to the product. This can allow EHR developers to focus on functionality that their customers are looking for, while at the same time keeping security as an important consideration in the product life cycle development.

It is our hope that future stages of meaningful use testing will raise the bar and specify how and when features like encryption should be used and the scope of testing will be expanded to include things like negative testing. As the meaningful use criteria evolve, it is critical that both the criteria and testing procedures are developed in ways that consider the long-term security and privacy of patient health records.  

Time for the next entry covering Shawn Riley’s list of 101 Tips to Make your EMR and EHR More Useful. I hope you’re enjoying the series.

If you want to see my analysis of the other 101 EMR and EHR tips, I’ll be updating this page with my 101 EMR and EHR tips analysis. So, click on that link to see the other EMR tips.

60. Reporting, reporting, reporting, reports
What’s the point in collecting the data if you can’t report on it? I’ve before about the types of EMR reports that you can get out of the EMR system. The reports a hospital require will be much more robust than an ambulatory practice. In fact, outside of the basic reports (A/R, Appointments, etc), most ambulatory practices that I know don’t run very many reports. I’d say it’s haphazard report running at best.

Although, I won’t be surprised if the need to report data from your EHR increases over the next couple years. Between the meaningful use reporting requirements and the movement towards ACO’s, you can be sure that being able to have a robust reporting system built into your EHR will become a necessity.

59. Are the meaningful use (MU) guidelines covered by your product?
Assuming you want to show meaningful use, make sure your EHR vendor is certified by an ONC-ATCB. Next, talk to some of their existing users that have attested to meaningful use stage 1. Third, ask them about their approach for handling meaningful use stage 2 and 3. Fourth, evaluate how they’ve implemented some of the meaningful use requirements so you get an idea of how much extra work you’ll have to do beyond your regular documenting to meet meaningful use.

58. It they aren’t CCHIT certified take a really really hard look
Well, it looks like this tip was written pre-ONC-ATCB certifying bodies. Of course, readers of this site and its sister site, EMR and HIPAA, will be aware that CCHIT Has Become Irrelevant. Now it’s worth taking a hard look if the EHR isn’t an ONC-ATCB certified EHR. There are a few cases where it might be ok, but they better have a great reason not to be certified. Not because the EHR certification provides you any more value other than the EHR vendor will likely need that EHR certification to stay relevant in the current EHR market.

57. What billing systems do you interface with?
These days it seems in vogue to have an integrated EMR and PMS (billing system). Either way, it’s really important to evaluate how your EMR is going to integrate with your billing. Plus, there can be tremendous benefits to the tight integration if done right.

56. How much do changes and customizations cost?
In many cases, you can see and plan for the customization that you’ll need as part of the EHR implementation. However, there are also going to be plenty of unexpected customizations that you don’t know about until you’re actually using your EHR (Check out this recent post on Unexpected EHR Expenses). Be sure to have the pricing for such customizations specified in the contract. Plus, as much as possible try to understand how open they are to doing customizations for their customers.

Check out my analysis of all 101 EMR and EHR tips.

I’ve been writing about the various open source EHR software options for about 5.5 years right now. I’ve been intrigued with open source for much longer, so it just made natural sense for one of the first things for me to look at would be the various open source EHR options.

5.5 years ago the open source EHR market (although EHR really wasn’t in vogue yet back then) had a solid foundation, but still had quite a ways to go for it to be a great option for doctors interested in an open source EHR option.

I haven’t done an in depth look at the various open source EHR options for a while (I should), but I think the fact that many open source EHR software are now certified EHR and can help physicians show meaningful use and receive EHR incentive money is a good sign. Most of you know that I’m not a big fan of EHR certification, but I do believe that EHR certification takes a certain level of commitment to be able to achieve. Therefore, I think it’s a great sign that the open source EHR options have enough steam and commitment behind them to become certified EHR.

A recent Open Health News post listed the following certified open source EHR:
Ambulatory Open Source EHR
ClearHealth
OpenEMR
Tolven eCHR
Vista (inpatient) Open Source EHR
WorldVistA EHR
OpenVistA
vxVistA
Other (inpatient) Open Source EHR
Indian Health Services’ RPMS

I’d love to hear reviews and experiences that people have working with open source EHR software.

Our next edition of EMR and EHR interviews covers the experience of Jan Patterson and the West Broadway Clinic’s path to meaningful use. The full EMR interview with Jan Patterson can be found on the new EHR and EMR interviews website. The following is a summary of that interview written by Kathy Bongiovi.

If you’re a doctor, nurse, practice manager, EHR consultant, CEO or executive of an EHR vendor, etc with EMR experience that’s interested in being interviewed, let us know on our Contact Us page.

West Broadway Clinic is one of the first clinics to show Meaningful Use. Jan Patterson, the office manager of West Broadway Clinic explained it was the clinic’s desire, from day one, to start using an EHR. The EHR certification is a vital piece for meeting the CME incentive requirements. Additionally the providers felt by using an EHR on day one they could ensure a continuity of care, regardless of which provider a patient might see in the clinic.

The clinic had heard about Cerner Corporation through one of the local hospitals. After interviewing several other vendors it felt that the integration of Cerner’s Practice Management System and Ambulatory EHR would suit its needs best.

West Broadway began using its EHR in May of 2008 and Patterson stated it was able to meet at least 9 of the meaning use requirements because of its EHR. Patterson felt two of the major factors contributing to meeting those requirements so easily were the elements already built into the EHR and the use of the Cerner EHR. As the clinic encountered issues it was able to contact Cerner’s Meaning Use team to assist in the process of attestation.

Additionally, attending Webinars set up by Cerner Corporation, examining materials provided by Medical Group Management Association (MGMA), and attending an MU Summit set up by Cerner Corporation to highlight some of the more important segments of MU, all played an integral role in ensuring West Broadway Clinic would meet Meaningful Use requirements.

The most challenging Meaningful Use requirement was encouraging all of the providers to use the electronic prescriptions function. After reaching MU in just over three months, just two days after attestation opened, Jan Patterson states the clinic continues to maintain its high level of entering the patients’ correct and necessary data and the numbers of electronic prescriptions being sent to pharmacies are increasing.

The benefits to patient care are immediate access to the most current visit information and patient history at its finger tips. Patients receive more continuity of care due to the fact that regardless of what provider they are seeing within their office , the provider can quickly and easily track what services and/or medications a different provider has provided the patient. Components such as eprescribe, medicine/drug interactions, allergy checks, complete documentation, immunization schedules and growth charts etc., have made the clinic more efficient throughout the office.

Patterson’s advice to anyone starting the MU process is to make sure you have gathered all the information and facts first and ensure all physicians/staff are not only fully advised of what is required to meet MU but are also committed to following the process through to its completion. It is important they understand the benefits and necessity of Meaningful Use. After three years of being on an EHR, Patterson cannot imagine functioning as efficiently on a paper system. Although Patterson acknowledges the money as an incentive, the real benefit in successfully attesting is the benefit to their patients. As Patterson suggests, “The increased benefits of safety cannot be undersold. With the assistance of the EHR, we are practicing better, safer medicine than we could on paper records.”

Read the full transcript of Jan Patterson’s interview.

Many of you will probably remember my post about Jim Tate and all his EHR certification experience. As I said in that post, Jim Tate knows his stuff when it comes to the EHR certification bodies (ONC-ATCB). So, I found his advice for EHR vendors on HITECH Answers pretty interesting when it comes to selecting which ONC-ATCB an EHR company should use.

You can go read the whole article, or here’s the Cliff notes version: Responsiveness and Support of the EHR certifying body is most important.

I’ve had a number of EMR companies ask me where they can get help to become a certified EHR. There’s certainly plenty of resources online, but I find that most EMR companies want some real hands on experience and help to be able to navigate the EHR certification process. Whenever I’m asked this question, I always tell those people to go and talk with Jim Tate.

I still remember when I first met Jim Tate at HIMSS last year. I was hanging around the HIMSS exhibit floor because I was early to a meeting with a vendor. I’m sure I was in a partially lost state since I was trying to figure out what to do with the few minutes I had available before my meeting when I heard someone say my name.

I looked up from my lost state to see who was saying my name and saw an all too familiar face for which I couldn’t place. The person then said, “You’re techguy right?” (I’m @techguy on Twitter, and @ehrandhit as well). Then, everything clicked and I said, “You’re Jim Tate right?” See the funny thing was that Jim and I had never met in person, but obviously both of us had seen each others healthcare IT tweets many times before (I think he enjoyed reading my rips on CCHIT pre-HITECH). It’s always interesting (and usually fun) to meet someone in person that you feel like you already know online.

Personal stories aside, I’ve still gotten to know Jim Tate more online than I did in person. I hope that will change at HIMSS this year. Even if it’s just running across Jim on the HIMSS exhibit floor or one of the various parties. Jim has an incredible amount of knowledge and experience in EMR certification. I’m not sure what it says about me that I find the idea of sitting around with Jim listening to old EMR certification “war stories” to be really interesting.

Of course, what prompted my storytelling about Jim Tate? A tweet Jim recently sent that said he’d worked with 90+ HIT vendors. He has a great EMR certification page on his website which has over 75 Ambulatory and Inpatient EMR vendors that he’s worked with. That’s A LOT of EMR companies. You can see the image of EMR companies he’s helped at the bottom of this post.

One ONC-ATCB recently told me that many of the EHR companies that come to them are incredibly well informed, others are just missing some of the details and others are just completely lost. I’m quite sure Jim Tate’s EMR companies fall into the first category.

Now Jim Tate is starting to share his expertise even more broadly as he partners with HITECH Answer and their Virtual Extension Center. Seems like meaningful use consulting will be Jim Tate and EMR Advocate’s next step and probably a very good one. Or as Jim said it:

Time 2 put my shoulder 2 the #Meaningfuluse wheel: http://twurl.nl/it22nb free for EPs, EHs , medical soc, RECs #HITsm #ONC #EHR #healthit

February 10, 2011 1:24 pm via TweetDeckReplyRetweetFavorite

@jimtate

Jim Tate

Jim also gets my funniest tweet of the year award too. In response to @motorcycle_guy’s tweet about who should replace Dr. Blumenthal as ONC head? Jim replied:

Mubarak needs a job. RT @motorcycle_guy: [MG] Who should replace Dr. Blumenthal as #ONC Head? http://goo.gl/fb/l8fPB

February 4, 2011 9:36 am via TweetDeckReplyRetweetFavorite

@jimtate

Jim Tate

I’m not sure how many of you find it interest, but I know I have at least a reasonable number of EHR vendors out there that read this site. Plus, the number of available certified EHR vendors should be interesting to anyone that participates in the industry.

The EMR Daily News recently did a post breaking down the official ONC CHPL list of certified EHR vendors. Here’s my general summary of the numbers:
Total EHR Certifications: 329
Certified Ambulatory EHR: 234
Certified In Patient EHR: 95

I just checked the list myself and found 350 total EHR vendors, 250 ambulatory certified EHR, and 100 Certified In Patient EHR. Although, since those numbers are so round, I’m going to assume that EMR Daily News did a better job looking at the list. I just went off the numbers that the website provided.

Either way, 329 EHR companies is a lot of companies. Granted, that’s not 329 full comprehensive EHR vendors, but the majority of them are or will be. Is there any wonder that there’s such a thirst for tools to help people narrow down the EHR vendor selection process?

EMR Daily news also broke down which ONC-ATCB companies are certifying the 329 EHR vendors:
CCHIT: 54%
Drummond Group: 35%
InfoGard: 11%

I know that SLI is talking to a lot of EHR vendors and I imagine the Verizon associated ATCB is too. Of course, this says to me that there’s still a lot of EHR vendors that are going to be added to this list.

I talked to one industry person about the number of EHR vendors and they said they had 600 on their EHR vendor list. From the looks of this, they might not be all that far off with that number.

Drummond Group has updated their FAQ with an interesting question about how to obtain a CMS EHR certification ID and the difference between the CMS EHR certification ID and the ONC EHR Certification ID that Drummond Group issues.

Q: How do I obtain a CMS EHR Certification ID? Is it the same as my ONC EHR Certification ID I received from Drummond Group?

A: The unique ONC EHR Certification ID issued by Drummond Group is associated with the CMS EHR Certification ID but distinct from it. The ONC EHR Certification ID is one of the “inputs” into the calculation and creation of the CMS EHR Certification ID. However, it is ultimately the CMS EHR Certification ID number which EPs and hospitals will use for the incentive payments.

The ONC Certified Health Product Listing functionality was updated December 24, 2010 and it now has the addition of a shopping cart to create CMS EHR Certification ID number. Users can obtain the CMS EHR Certification ID number by following these steps:

1. Go the ONC CHPL website: http://onc-chpl.force.com/ehrcert

2. Following the instructions on the site, search for the certified EHR products. There are many ways to search, but one option is to search by the ONC EHR Certification ID assigned to the vendor.

3. When the EHR product(s) is found, select the link on its row called “Add to Cart”. There is a shopping cart icon next to it.

4. When all EHR products used by the EP or hospital have been added to the cart, select the “View Cart” link at the top right which also has a shopping cart icon next to it.

5. Now in the Certification Cart section, verify the products in the cart are correct. Then, select the “Get CMS EHR Certification ID” button in the top right corner to request a CMS EHR Certification ID. However, the button will not be activated until the items in your cart meet 100% of the required criteria. If your EHR product(s) do not meet 100% of the Meaningful Use incentives, then a CMS EHR Certification ID number can not be issued.

6. Finally, you will see the CMS EHR Certification ID. It is typically a 15 digit string made up alphanumeric characters.

Interesting that the CHPL website has been redesigned to be able to know which EHR are certified to which module and knows if you’ve reached a 100% certified set of software.

Looks like it also pays off to have a number for your EHR product name so that you’re listed first on the CHPL site.

Ok, was that enough abbreviations in the title of a post? Well, if you care about this post, you’ll probably recognize all of the abbreviations.

In a post I did on EMR and HIPAA about SureScripts as an ePrescribing ATCB, there was a comment made that possibly some of the ATCB were “in bed” with ONC in order to get their EHR certification body status. In response to the comment, Mark Joyce from SLI Global Solutions (an ATCB) provided some good insight into the process and costs associated with becoming an ATCB that can certify EHR software.

As the team lead for SLI’s application to the ONC I can assure you that our company has no political connections, traded favors or made contributions that won us our certification by the ONC. It was 10 weeks of grueling research by two independent companies (one company focusing on testing and the other certification) that resulted in a 1200 page application.

The application was in two parts: part one required both companies to expand and/or create a Quality Management System for the new process. It’s no easy task to develop both a 17025 and a Guide 65 conformant QMS. Part two required the applicant to have a thorough understanding of EHR architectures as well the NIST testing procedures and tools.

It was evident by the followup questions from the ONC that the application had been very carefully reviewed.

Obtaining certification from the ONC was no easy task. I am proud to be a part of our companies significant investment in the ATCB testing and certification process.

Yes, becoming an ONC-ATCB is definitely not a walk in the park to achieve. Anyone that says otherwise, likely hasn’t ever been through the process.