Readers Write: Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask
Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask
By Frank Poggio
On March 23, late on a Friday afternoon, ONC published two drafts of the proposed revisions to the 2015 Test Criteria along with new Stage 3 provider MU attestation requirements. Two separate large documents were published:
- Electronic Health Record Incentive Program, Stage 3 Draft Rule, (300+ page PDF)
- 2015 Edition Health Information Technology (Health IT) Certification Criteria, ONC Health IT Certification Program Modifications (400+ page PDF)
The first covers the proposed rules for MU Attestation for Providers under Stage 3. The second addresses proposed test criteria and requirements for vendors and revised operating rules for the Accredited Certification Bodies (ACB).
Already there has been a great deal of discussion on the first MU requirements document since it impacts all providers, while the second document is aimed at vendors and system developers and has received little attention . I commented on the MU provider piece on HIStalk earlier this week and will focus now on the impact on vendors and system developers. Some of my vendor clients have been calling and emailing me asking, “What’s changed for us?” Others are afraid to ask.
Suffice it to say there are some major additions and revisions to the test criteria and process that will give system developers heartburn, or maybe a K51.914 (ICD10=ulcer).
Before I dive into the document, let’s remember that back in 2013 ONC disconnected the MU Stages from the certification test versions. The concept that a vendor is Stage 2 or Stage 3 certified is almost meaningless since a provider could MU attest to Stage 2 using either modified 2011 test criteria or the 2104 criteria. With the eventual issuance of these new 2015 criteria, for a short period providers can Stage 2 attest using a vendor’s 2014 certified product, or if available, the vendor’s 2015 certified product.
All 2015 Test Criteria are now referred to as the 170.315 regulations. At this time, these are just draft proposals that will be formally published in the Federal Register on March 30, 2015. Then after a 90-day comment period, some revisions will be made, with the final regulations issued in the July-August timeframe.
Using the last two cycles of draft rules versus final issued regulations, I predict that some 90 percent of what is now proposed will be adopted into law. So fasten your seat belts — here we go. Some highlights (or lowlights? are:
- Privacy and Security (170.315 d1-d7). There are some minor changes in several of these tests, such as access, time outs, integrity, device encryption and audit logs. But now under 2105 testing, they have become mandatory if a vendor wants to test out on other criteria, such as Demographics. The P&S tests were mandatory under 2011 (Stage1), then ONC made them optional for 2014, now they are back in the mandatory column. To paraphrase ONC, it’s all due to the never-ending march of data breaches. An added requirement to P&S which is stated in the MU regs, but not in any specific test criteria, is vendors now must attest to having completed a HIPAA risk analysis of their product whenever they install new releases or updates. Here’s why. In order for providers to be compliant with MU and HIPAA, they will have to get an attestation from the vendor before they install any update, the provider MU regulations state on page 64: EPs, eligible hospitals, and CAHs must conduct the security risk analysis upon installation of CEHRT or upon upgrade to a new Edition of certified EHR Technology.
- Demographics 170.315a4. ONC wants coding for language and ethnicity to support all 900 OMB codes and all RFC 5646 ethnicity codes. But ONC acknowledges that a drop-down list of 900 data elements might cause workflow problems, so they have said a full drop-down list is not required. You just need to show in a test you support all the codes and can tailor the list for each provider client.
- Vital Signs 170.315 a6. All values must have LOINC codes. Data elements have been expanded and pediatric vitals have separate criteria.
- Advance Directive (170.315 a17). Now you have to electronically capture and track the AD. No more just check a box and who cares what file drawer it’s in.
- Medical Implants (170.315 a20). Must now be tracked and reported.
- Social, Psychological, and Behavioral data must now be captured and tracked using LOINC and SNOMED coding. (170.315 a21).
- Clinical Decision Support tools must be linked to Knowledge Artifacts formatted in the HeD standard Release 1.2. (170.315 a22).
- New “decision support – service” (170.315 g6) certification criterion requires technology to electronically make an information request with patient data and receive in return electronic clinical guidance in accordance with an HeD 1.2 standard.
- New CDA standard (170.315 b1). The C-CDA standard is now the single standard permitted for certification and the representation of summary care records. An updated version, HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for ClinicalNotes (US Realm), Draft Standard for Trial Use, Release 2.076 includes the following changes: addition of new structural elements: new document sections and data entry templates: New Document Templates for: Care Plan; Referral Note; Transfer Summary. New Sections for: Goals; Health Concerns; Health Status Evaluation/Outcomes; Mental Status; Nutrition; Physical Findings of Skin, etc.
- CDA system performance (170.315 g6). As part of the focus on interoperability, ONC is requiring performance standards for data transfers of CCA/CCR. Data transmission of CDAs will be tested for volume and response times.
- XDM packing of View/Download/ Transmit and CCR/CCD with incorporation of industry APIs using the IHE-IT infrastructure standard.
- Data Portability has been broken out into Send /Receive as separate components (170.315 b6).
- Care plans (170.315 b9). ONC proposes to include the “assessment and plan of treatment,” “goals,” and “health concerns” in the “Common Clinical Data Set” for certification to the 2015 Edition. The “assessment and plan of treatment,” “goals,” and “health concerns” are intended to replace the concept of the “care plan field(s), including goals and instructions” which is part of the “Common MU Data Set” in the 2014 Edition.
- CQM (170.315 c1). Has been expanded into separate segments: filters, create, import, and calculate.
- Quality Management System (170.315g4-g5). Now includes an “access-ability technical component” in accordance with ADA. The QMS must be mapped to a federal guideline or industry standard. (No more home-grown QMS process/tools.)
- Safety Enhanced Design – SED (170.315g3). Expanded and requires specific and detailed usability test documentation. ONC recommends following NISTIR 7804176 “Technical Evaluation, Testing, and Validation of the Usability of Electronic Health Records” for human factors validation testing of the final product to be certified. They recommend a minimum of 15 representative test participants for each category of anticipated clinical end users who conduct critical tasks where the user interface design could impact patient safety.
- Authorized Testing Bodies (testing agencies) are now required to conduct surveillance (audits) on at least 5 percent of vendor installs (or max of 10) every year to verify that the certified system in fact meets each certified test criteria.
- Attestation for Price transparency. ONC wants vendors to disclose on their web site and in marketing materials material system limitations. The vendor must also disclose any material add-on costs such as transaction fees to support interfaces/interoperability, etc. and supply any requesting entity a reasonably accurate cost estimate of total system costs. That’s ANY requesting entity, not just prospects or for bid requests.
- ONC wants monthly reports from the testing agencies on provider complaints and counts of vendor updates and modifications. If the number of updates/modifications exceed a set number, ACB is to call vendor back in for re-testing.
- ONC predicts the rules and test criteria will be finalized by mid-summer and vendors will work “aggressively” in 2016-17 to modify products and meet the target date of 2018 to support Stage 3 provider attestations, which will require a full year of calendar data from providers.
ONC estimates that all vendors together will have to invest approximately $300 to $400 million to effect all these changes. They calculate there are 81 unique vendors with certified products, hence an average cost of $4-5 million each, which does not include the time and cost to go through the test process.
ONC states they will continue with the “Gap” test process, meaning if you passed a test criteria under 2014 and there were no (or minimal) changes for the 2015 criteria, you get a bye. Given the preceding, my advice is if you’re a vendor that is not yet 2014 certified, you really want to get it done sooner rather than later. My experience tells me that being 2014-certified for as many criteria as you can before the 2015 criteria are cast in stone will be a better place to be.
Lastly, ONC states that the 2105 Test Criteria and Stage 3 Provider MU Attestation rules will be the last Stage for MU, but that the rules and test requirements will continue to be revised and expanded as ONC deems necessary. I guess we can next expect Stage 3.1, along with revised test criteria 2015 dot 1,dot 2 … can anyone see a light at the end of this tunnel?
Frank Poggio is president of The Kelzon Group.