United States: Final Rule Establishes The Permanent Certification Program For EHR Technology

The Office of the National Coordinator of Health Information Technology has finalized the permanent electronic health record (EHR) certification program under which EHR technology will be tested and certified as meeting meaningful use stage 2 certification requirements under the Medicare and Medicaid EHR incentive programs beginning in 2012.

On January 7, 2011, the Office of the National Coordinator of Health Information Technology (ONC) published the permanent electronic health record (EHR) certification program final rule (Final Rule) establishing the permanent process by which organizations will be selected to test and certify that EHR technology is Certified EHR Technology.¹ Certified EHR Technology is EHR technology that meets the ONC's technological capability, functionality and security requirements (EHR Certification Requirements)² for supporting the achievement of meaningful use³ by eligible hospitals and professionals (collectively, Eligible Providers) under the Medicare and Medicaid EHR incentive programs. The Final Rule also establishes parameters under which approved testing and certifying bodies determine that EHR technology meets the EHR Certification Requirements. The Final Rule was effective on February 7, 2011.⁴

The permanent certification program replaces the current temporary EHR certification program beginning on January 1, 2012, unless the ONC determines that the permanent certification program is not fully constituted at that time and delays implementation.⁵ Testing and certification bodies accredited under the permanent certification program will certify that EHR technology meets the EHR Certification Requirements under development for meaningful use stage 2. Both the temporary and the permanent certification programs are of keen interest both to EHR technology vendors that must obtain certification of their technology to serve the Eligible Provider market and to Eligible Providers that need Certified EHR Technology in order to qualify for Medicare and Medicaid EHR incentive payments.

Testing and Certifying Bodies

As proposed in the ONC's temporary and final certification proposed rule (Proposed Rule),⁶ the Final Rule separates the testing and certification functions.⁷ "Testing" describes the process used to determine the degree to which a Complete EHR or EHR Module (each defined below) meets specific, predefined, measurable, quantitative requirements. "Certification" describes the determination and assertion that a Complete EHR or EHR Module has met all the applicable Certification Requirements made by an authorized certifying organization after analyzing the quantitative results rendered from testing along with other qualitative factors.

A Complete EHR is EHR technology that has been developed to meet all of the applicable EHR Certification Requirements. The use of the word "applicable" reflects the fact that some Certification Requirements apply to EHR technology used in the ambulatory setting by eligible professionals and other Certification Requirements apply to EHR technology used by eligible hospitals in the inpatient setting. An EHR Module is any service, component or combination thereof that can meet at least one of the certification "criteria" included in the EHR Certification Requirements.

Under the temporary certification program, the testing and certification functions are separate functions, but each ONCAuthorized Testing and Certification Body (ONC-ATCB) is responsible for both functions. Under the permanent certification program, the ONC separates the responsibilities between accredited testing bodies and accredited certification bodies and establishes separate processes for their selection and accreditation, which are discussed below. However, an organization that desires to perform both functions may apply for accreditation to perform both functions.

ACCREDITATION OF TESTING LABORATORIES

The National Voluntary Laboratory Accreditation Program (NVLAP), as administered by the National Institute of Standards and Technology (NIST), will be responsible for accrediting testing laboratories and determining their competency for purposes of the permanent certification program.⁸ The accredited testing laboratories test Complete EHRs and EHR Modules prior to their consideration for certification by an ONC-Authorized Certification Bodies (ONC-ACBs). The process for accreditation of ONCACBs is discussed below.

SELECTION OF THE ONC-AA

As proposed, the ONC appoints an ONC-Approved Accreditor (ONC-AA) to accredit ONC-ACBs to certify EHR technology. The ONC approves only one ONC-AA every three years. On February 8, 2011, the ONC published a notice in the Federal Register that began the 30-day period during which an organization may submit its request for status as the ONC-AA to the ONC.⁹

ACCREDITATION OF ONC-ACBS

Organizations seeking authority to certify EHR technology must first apply to the ONC-AA for accreditation as an ONC-ACB. Once accredited as an ONC-ACB, an organization must submit an application to the ONC demonstrating that it is accredited, obtain approval from the ONC and execute an agreement with the ONC to adhere to the Principles of Proper Conduct for ONCACBs included in the Final Rule. An ONC-ACB must renew its status every three years. ONC-ACBs may only certify health information technology (HIT), including Complete EHRs and/or EHR Modules, that has first been tested by an NVLAPaccredited testing laboratory.¹⁰

CERTIFICATION BODY FOR STARK LAW EXCEPTION AND ANTI-KICKBACK STATUTE SAFE HARBOR

Consistent with the ONC's temporary certification program final rule,¹¹ the Final Rule provides that the ONC-ATCBs selected under the temporary certification program and the ONC-ACBs selected under the permanent certification program are authorized to certify that EHR technology is "interoperable" for purposes of compliance with the EHR donation exception under the Stark Law and the EHR donation safe harbor under the federal health care program anti-kickback statute.¹² The Certification Commission for Health Information Technology (CCHIT) no longer serves as the sole certifying body for purposes of the Stark exception and anti-kickback safe harbor.

Prohibition on the Imposition of Additional Certification Requirements

The Final Rule clarifies that the primary responsibility of ONC-ACBs is to certify that a Complete EHR or EHR Module (and potentially other types of HIT in the future) meets the applicable Certification Requirements and not to certify HIT under any additional certification criteria.¹³ While an ONC-ACB may decide to offer multiple options for the certification of HIT, some of which may impose other certification criteria or include additional certification criteria beyond the Certification Requirements, an ONC-ACB cannot require the Complete EHR or EHR Module to be certified to any other certification criteria beyond the Certification Requirements.¹⁴ Furthermore, HIT that meets the definition of a Complete EHR or EHR Module and is certified to the Certification Requirements must have its certified status as a Complete EHR or EHR Module noted separately and distinctly from any other certification the ONC-ACB may issue based on its own certification criteria.¹⁵

Continuing Validity of Temporary Program Certification

The ONC emphasized that the permanent certification program in the Final Rule does not render invalid any certifications issued by ONC-ATCBs under the temporary certification program for the 2011 and 2012 incentive payment program years.¹⁶ However, once the permanent certification program is fully constituted and after the ONC has adopted new or revised Certification Requirements (expected in 2012, based on the two-year rulemaking cycle), Complete EHRs and EHR Modules that were previously certified under the temporary certification program by ONC-ATCBs must become certified by an ONC-ACB.¹⁷

Gap Certification

ONC-ATCBs approved to test and certify EHR products under the temporary certification program are not automatically approved for the permanent certification program. Accreditation must be obtained under the process defined by the Final Rule. However, the permanent program allows for "gap certification," which permits EHRs that have been certified previously to be tested only on new or revised criteria as they are established. Gap certification will be available as an option for ONC-ACBs to offer as soon as ONC-ACBs are authorized to begin performing certifications under the permanent certification program.¹⁸ Furthermore, ONC-ACBs will be permitted to accept the results of testing performed on Complete EHRs and EHR Modules by ONC-ATCBs under the temporary certification program for the purpose of gap certification.¹⁹

EHR Module Issues

COMPATIBILITY OF EHR MODULES

Consistent with its approach in the temporary certification program final rule, the Final Rule does not require ONC-ACBs to certify that an EHR Module would properly integrate or be compatible with another EHR Module (unless the EHR Modules were presented together for testing and certification).²⁰ Requiring ONC-ACBs to certify EHR Module-to-EHR Module integration was deemed impractical because of the numerous potential combinations of EHR Modules and the associated technical, logistical and financial costs of determining such integration. Rather than require certification of compatibility, the ONC allows developers to choose to integrate their EHR Modules with other EHR Modules for the purpose of making their products more marketable, thereby achieving integration where necessary and beneficial.²¹ EHR Module developers may reconcile compatibility issues among constituent EHR Modules and present such EHR Modules together as a pre-coordinated, integrated bundle for testing and certification as a Complete EHR.²² The bundle will only be certified, however, if it is capable of meeting all of the Certification Requirements applicable to the EHR Modules.²³ While an ONC-ACB may offer a service to certify EHR Module-to-EHR Module integration, the service will not be considered part of the permanent certification program.²⁴

INAPPLICABLE PRIVACY AND SECURITY CERTIFICATION REQUIREMENTS

Consistent with the temporary certification program final rule and the permanent certification proposed rule, the ONC only requires an EHR Module developer to satisfy each technically feasible and applicable privacy and security Certification Requirement.²⁵ Thus, an EHR Module must be certified to all privacy and security certification criteria of the Certification Requirements unless (1) the EHR Module is presented for certification as a pre-coordinated, integrated bundle of EHR Modules, which would otherwise meet the definition of and constitute a Complete EHR, and one or more of the constituent EHR Modules is demonstrably responsible for providing all of the privacy and security capabilities for the entire bundle of EHR Modules, or (2) the EHR Module is presented for certification with documentation that a privacy and security certification criterion is inapplicable or that it would be technically infeasible for the EHR Module to be certified in accordance with the criterion.²⁶

The ONC anticipates that an EHR Module developer would request a testing lab to test only those privacy and security certification criteria which the EHR Module developer believes are technically feasible and applicable for its EHR Module. For the purposes of certification, an individual or entity that presents an EHR Module for certification must provide sufficient documentation to the ONC-ACB to support its assertion that a particular privacy and security certification criterion is inapplicable or that satisfying the certification criterion is technically infeasible. Based on this documentation, the ONC-ACB must make a reasonable determination as to whether the EHR Module should be exempt from the particular criterion. The ONC encourages EHR Module developers to carefully consider those privacy and security certification criteria they believe are inapplicable or technically infeasible prior to seeking testing.

An Eligible Provider must ensure that adopted EHR Modules properly work together, if choosing a custom approach, and meet all Certification Requirements. The alternative would be the adoption of Complete EHRs and pre-coordinated, integrated bundles of EHR Modules already certified by an ONC-ACB as meeting all of the Certification Requirements.

Self-Developed EHR Technology

The ONC defined "self-developed" Complete EHR or EHR Modules in the Proposed Rule as Complete EHRs and EHR Modules that have been designed, modified, or created by, or under contract for, a person or entity that will assume the total costs for its testing and certification and will be a primary user of the Complete EHR or EHR Module. These EHRs could include a brand new Complete EHR or EHR Modules developed by a health care provider, or a previously purchased Complete EHR or EHR Module that has been modified to include the capabilities addressed by Certification Requirements.²⁷

In the Final Rule, the ONC explains that an Eligible Provider's modifications to a certified Complete EHR or EHR Module would not automatically make the Complete EHR or EHR Module "self-developed" and consequently require a new certification.²⁸ Thus, an Eligible Provider may modify a Complete EHR or EHR Module's capabilities certified under the Certification Requirements without compromising the Complete EHR's or EHR Module's certification. However, any modification made after the EHR was certified has the potential to adversely affect the capabilities that supported the initial certification such that it no longer performs as it did when it was tested and certified and to thereby compromise an Eligible Provider's ability to achieve meaningful use.²⁹ For complete assurance that a Complete EHR or EHR Module's capabilities were not adversely affected by post-certification modifications, an Eligible Provider may choose to have the Complete EHR or EHR Module retested and recertified.³⁰

Users of a self-developed EHR with post-certification modifications also run the risk of being identified through surveillance conducted by an ONC-ACB.³¹ If surveillance identifies EHR technology that no longer meets the Certification Requirements, the Eligible Provider would be required to refund any meaningful use incentive payments that were paid based on use of the uncertified technology.

Footnotes

^{1 76 Fed. Reg. 1262 (January 7, 2011).}

^{2 75 Fed. Reg. 44,589 (July 28, 2010).}

^{3 75 Fed. Reg. 44,313 (July 28, 2010).}

^{4 76 Fed. Reg. 1262.}

^{5 For more information on the temporary certification program, see the BNA Article: "HHS Issues Proposed Rule Establishing Certification Programs for Health Information Technology" at http://www.mwe.com/info/pubs/BNA%20Article%20HHS%20Issues%20Proposed%20Rule% and McDermott's White Paper, "Final Rule Establishes the Temporary Certification Program for EHR Technology," at http://www.mwe.com/index.cfm/fuseaction/publications.nldetail/object_id/200f9f56-bfe1-47fe-b697-68ee40e4c36a.cfm .}

^{6 75 Fed. Reg. 11,327 (March 10, 2010).}

^{7 76 Fed. Reg. 1328 (to be codified at 45 C.F.R. § 170.523(h)).}

^{8 Id.}

^{9 76 Fed. Reg. 6794 (February 8, 2011).}

^{10 76 Fed. Reg. 1328 (to be codified at 45 C.F.R. § 170.523(h)).}

^{11 75 Fed. Reg. 36,186.}

^{12 76 Fed. Reg. 1265.}

^{13 Id. at 1329 (to be codified at 45 C.F.R. § 170.545(b) and 45 C.F.R. § 170.550(b)).}

^{14 Id. at 1271-72. .}

^{15 Id. at 1272.}

^{16 Id. at 1304.}

^{17 Id.}

^{18 76 Fed. Reg. 1326, 1329 (to be codified at 45 C.F.R. § 170.502, 45 C.F.R. § 170.545(c), and 45 C.F.R. § 170.550(c)).}

^{19 Id. at 1328 (to be codified at 45 C.F.R. § 170.523(h)).}

^{20 Id. at 1273.}

^{21 Id.}

^{22 Id.}

^{23 Id. at 1329 (to be codified at 45 C.F.R. § 170.550(e)).}

^{24 76 Fed. Reg. 1273.}

^{25 Id. at 1292-93.}

^{26 Id. at 1329 (to be codified at 45 C.F.R. § 170.550(e)).}

^{27 Id. at 1300.}

^{28 Id. at 1301.}

^{29 Id.}

^{30 76 Fed. Reg. 1301.}

^{31 Id.}

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.