Home » News » Currently Reading:

HITlaw 8/29/11

August 29, 2011 News 10 Comments

Certification Obfuscation

This HITlaw installment was conceived before my July posting. I spent a tremendous amount of time over the past few months researching and discussing the issue presented here. Approached with concerns from hospitals, physicians, vendors, and consultants and having no sound, defendable answer to impart to any of them, I rolled up my sleeves and waded in.

The issue involves the unintentional consequences resulting from the certification of EHR product bundles.

Whether the certified bundle is classified as modular or complete is immaterial for the purposes of this writing. The absolute heart of the issue is recognizing that in some cases, multiple products that are marketed individually by a vendor are grouped together for testing and are ultimately certified together and not separately.

The problem is that not all customers of any given vendor have licensed all component products included in the vendor’s certified (and bundled) EHR “product”. In fact, I will go out on a limb and say that no vendor can state that 100% of its applicable customer base has licensed all components (that are otherwise individually marketed) included in the certified, yet bundled, product. If that were the case, they would have already packaged the products together in their marketing efforts. The fact that they have not supports my statement.

Unfortunately no accommodation is made for the reality that some certified EHR products are comprised of separate, individually marketed products and that provider customers have licensed only a subset of those individual products. The market mandates availability of the individual products; certification options should mimic the market.

Please do not take from this the impression that I believe vendors have done this maliciously, which I do not, or that I am maligning the Office of the National Coordinator (ONC), which I am not. I am simply the one who has chosen to raise his hand and be heard on this topic in the honest hope that others will pitch in and help.


We know from ONC FAQ #9-10-005-1 that a single certification of a bundle of separately marketed products does not propagate certification from the bundled “product” to the subset of individual products. However, ONC also states that vendors may have the subset of products certified individually during the overall certification process. This is the very foundation needed for a very simple solution, but please be patient and read on.

We know that possession of, or a legally enforceable right to use, all components of a certified product permits a provider to add or substitute a product from a different vendor to satisfy a subset of Meaningful Use criteria, as stated in ONC FAQ #12-10-021-1, and

that ONC FAQ #9-10-014-1 permits duplicative or overlapping capabilities acquired from different vendors. However, in each case ONC requires the provider to acquire the full product as certified.


Vendor X has certified an EHR solution that is actually comprised of four individually marketed products. The certification is for the “bundle” and not for four individual pieces. Hospital W previously licensed three of the four products but never licensed the fourth piece and now desires to obtain similar functionality (and achieve associated Meaningful Use criteria using that product) from Vendor Q.

However, according to ONC, Hospital W cannot acquire Vendor Q’s product (for Meaningful Use reimbursement purposes) without also acquiring Vendor X’s fourth piece, regardless of cost or dissatisfaction with the product. Or worse, if Hospital W already acquired Vendor Q’s product, it now must acquire Vendor X’s fourth piece in order to meet ONC’s requirements, even if the product will never be used. In the first scenario, the hospital has a choice, but in the second, the hospital has no option but to invest twice in similar functionality because of a vendor’s certification method and ONC’s requirements. ONC’s suggestions that the provider and vendor negotiate low cost or no cost terms for the missing piece(s) is, in my opinion, off base, as it fails to recognize the issue of the bundled products (see FAQ #12-10-021-1). If the vendor historically offered only the bundled option to its customers, then there would be no issue whatsoever.

Playing this out to the extreme, what if a provider in this situation (probably the small practice) simply makes the right choices for its operation and selects the products that best fit its needs, forgoing incentive money because it chooses not to (or is not able to) duplicate costs for multiple EHR product pieces? In the end, this provider will be penalized, not because they did not implement an EHR (which they did), but because they did not implement a “single-source” EHR that was certified in a manner inconsistent with how the applicable vendor’s products are offered in the market. This is a dramatic interpretation, I admit, but remember I am the one hearing this type of comment from members of the industry.

The Best Solution

Going forward, ONC should require vendors that choose to certify “bundled” EHR solutions to also certify any individually marketed products included in the bundle. Existing certifications of bundled products must be revisited for individual component certification. This is the simplest, most effective method for correcting the situation, and it will work.

One Alternative Solution

ONC could clarify that providers are not required to obtain all sub-products comprising a vendor’s certified product, if marketed individually by the vendor. This would enable the provider to attest to some Meaningful Use criteria using some of the sub-products that were certified as a bundle by the vendor. Being the lawyer that I am, I further suggest that this path should also have ONC clarify that attestation by providers that certain Meaningful Use criteria, but not all criteria, are met using a certain certified EHR product does not mean that they are attesting to, or representing or warranting that, they have full license or other right to use all components of that certified EHR product, or that they are meeting all possible Meaningful Use criteria associated with that product.

This would also require a redo of ONC’s Certified Health IT Product List system, because it automatically selects all criteria associated with a certified product and the user is not able to select a subset of criteria met or deselect from the complete list of criteria (this is a topic unto itself, for another day). Whew. None of this would be necessary with the first solution.

If ONC does not change its policy to require certification of components, and in fact maintains the requirement that attestation truly be “all or nothing”, meaning that in order to use portions of a certified bundled product for meeting Meaningful Use criteria a provider must acquire, from that same vendor without regard to choice or market competition, any components not previously licensed, then:

1. ONC should clarify for the nation’s providers and vendors that this is the case (which would be an egregious ruling, in my humble opinion), probably by way of a new FAQ; and

2. Vendors themselves should correct the problem by going back to the certifying entity and retesting their component products (which together were originally certified as a bundled offering) for individual certification as currently marketed. This testing can be done relatively quickly and at far less cost than the initial certification, and quite frankly, it is the right thing to do. Some vendors have heard from their customers, listened, and are already doing this.

To sum it all up as simply as possible:

Part One

Hospital executives and eligible professionals are alarmed by the fact that if their vendor certifies individually marketed products as a bundled, certified EHR solution, and if they have not licensed all of those individual products, then the only solution permitted by ONC is for the provider to acquire the balance of the products from that EHR vendor alone, eliminating all others from consideration, in sharp contrast to market reality. Yes they are free to acquire “replacement” products once they have the entire certified EHR, but the initial requirement does not sit well and does not make sense when there is a simpler solution.

Part Two

Providers and smaller vendors are hurt by the bundling of EHR products for certification purposes, because ONC requires providers to obtain all products comprising a vendor’s certified (and bundled) product, as stated in Part One.

It is not unreasonable to suggest that fair and free competition will be dramatically effected unless this situation is resolved, in which case the incumbent vendors will be unjustly rewarded because providers do not want to lose reimbursement.

The solution is simple. Vendors should be required to certify products at the same component level as marketed to the general public. This would solve the problem entirely. They may certainly certify as a bundle, but should also then certify at the component level.

Careful caveat here: if two or more otherwise individually marketed components must be certified together to meet any Meaningful Use criteria (and neither would meet the criteria on its own) then obviously they cannot be certified separately.

Part Three

Recognition by appropriate authorities of the absolute need to clarify and correct this situation in a timely and effective manner is essential for the nation’s healthcare providers and HIT vendors.

In Closing

The very fact that vendors can correct this oversight in the certification process is perhaps the most incredible part of the story. Hopefully there is enough substance here to make intelligent minds in all related aspects of the ARRA/HITECH/HIT world take notice and then action. For the people at ONC and the certification/testing entities, let us please make the solution a reward and not a penalty. In this case, “go with the flow” is sound advice. The HIT industry has started the correction on its own. Please step in and make it all work.

Open invite: please contact me if you would like to participate and lend your insight, either in support of my views or in contradiction. Whether vendor, consultant, hospital executive, physician, legislator… come one come all.

Here is the question that I submitted to ONC.Certification@hhs.gov:

Why does ONC permit EHR vendors to certify bundles of individually marketed products as a single EHR solution without also requiring the vendors to certify the individually marketed products? Not every customer of a vendor licenses all the individual products in a bundled EHR “product.”

Perhaps if ONC receives a few more questions like this it might merit FAQ status.


William O’Toole is the founder of O’Toole Law Group of Duxbury, MA.

HIStalk Featured Sponsors


Currently there are "10 comments" on this Article:

  1. Firstly, this is a great write-up. The best post I have ever read on the folly of EHR Certification.

    Let me suggest two other alternatives:

    1. Scrap certification altogether. It is absolutely useless. The only requirement should be meaningful use.

    2. Assuming ONC and CMS don’t see the light, self-certification is the way to avoid all of this stuff with modular or bundled EHRs.

  2. The government wants doctors to drive cars and is willing to pay doctors more money if they drive a car.

    Doctors have been saying that vendors sell them lemons so the government requires vendors to certify that the cars they sell or that the parts they sell (tires, brakes, engine) actually work.

    The government requires that if a doctor wants extra tax-payer money that a doctor needs to have (1) all of the certified parts to build a car, (2) a whole certified car, or (3) some certified parts and parts of a certified car with a right to buy the missing parts of the certified car if the doctor wants them.

    If a doctor wants to use certified, high-performance tires and buy a certified car except the tires, the government just requires the doctor to get a contract saying that the car vendor will sell the tires that are part of the certified car if the doctor wants them. This way if the high-performance tires don’t work right with the car that the doctor bought, the government knows that the doctor has the legal option of buying everything needed to drive.

    This way when a doctor doesn’t make it to the big cash hand-out, the government won’t accept excuses about the tires not fitting and the car breaking down.

    How much is the legal right to buy something from a vendor worth? Sam’s Club charges $35 but it is free with a coupon.

  3. One of the points the author fails to account for is that vendors sell products in modules because that is often the way a client installs the product and who wants to pay for something before you install it. Second, the certification criteria require all products which are to be certified as a module, to also pass the privacy and security criteria. Many “modules” from an EHR supplier could not pass the security and privacy criteria without some of the other modules. CPOE is a good example. Almost every EHR supplier has a CPOE module, but this module could not be installed on its own, it must be installed with other modules of the EHR. However, the CPOE module is often sold separately because it is installed in a later phase of an implementation or project. Bottom line, the authors assumption that because a supplier sells a module separately that it should be certified as an independent module ignores the reality of many integrated products, some thing the ONC recognized when they required all modules to support the privacy and security criteria.

  4. Bill, thanks for shining a light on this issue. I wish we could wave a wand and make it right but I’m afraid it will be some time before the dust settles. Many stakeholders including hospitals, vendors, and the regulatory bodies do not yet understand that there is even a problem. You have a wolf by the ears and I for one hope you don’t let go. Keep up the good work.

    Jim Tate

  5. Regarding HIEguy’s comments:

    I agree with his first point, which I state in my article. “The market mandates availability of the individual products.”

    And as for the second point, I understand this as well, which is why I included my “Careful Caveat”, which I intended to be a catch-all to acknowledge that there are situations where products cannot be certified individually.

    “Careful caveat here: if two or more otherwise individually marketed components must be certified together to meet any Meaningful Use criteria (and neither would meet the criteria on its own) then obviously they cannot be certified separately.”

    My overall intention was to address a real situation, yet also recognize that in some cases certification of multiple products as a “bundle” might be necessary.

    Thank you for your comments HIEguy, I do appreciate the input.

  6. Great article – it shines a needed light on the unintentional ramifications of the current regs. Nothing personal, but I can’t buy into HIEguy’s assertions about how hard it is for the big vendors to unbundle. That’s exactly what the big vendors want the ONC to hear. The reality is that several companies have certified stand-alone solutions (even CPOE) which means they also pass the privacy and security criteria. It’s just not that hard. And yet, this isn’t about big vendor vs. little vendor – it’s about PROVIDERS’ ability to choose the best software to meet MU objectives (Will Weider is spot on!). If providers need to pay for TWO certified solutions to be able to meet certification requirements, but ultimately use ONE certified solution in practice to best meet MU objectives – something is wrong and needs to be corrected. Otherwise, providers will end up using a less desired solution or needlessly wasting $$ to also purchase the one that will bring about adoption rates. That doesn’t seem to jive with the spirit of HITECH.

  7. Not sure I agree with the statement that the vendors are not doing something untoward. My ambulatory vendor has decided to go the “bundled” route and now I have to buy modules that I don’t need and won’t install (patient portal and secure messaging).

    Call me a skeptic, but the vendors are making hay with this.

  8. Interesting… So this certification bundling farce is forcing Arkansas Dave to purchase software he neither wants or will install? If you’ve missed it thus far, the answer is YES!, and that’s EXACTLY the unintended consequences mentioned in Bill’s article as well as a serious waste of health IT funds. Dave’s vendor could easily rectify this by certifying its patient portal and secure messaging separately, but why would they unless the ONC changes the terms or enough folks raise their hand and stop putting up with this?

    Arkansas Dave, you’re right on the money in saying there are folks making hay with this, and your ambulatory vendor isn’t the only one “kindly warning” folks they must purchase every module in their bundle in order to meet certification – and lockout competition. Thanks for your post.

  9. Bill,
    Great points.

    The reality is if you were going to create a fair, through, multi-faceted program like this it would take years of planning to make sure you allowed for the complexity of the HIT industry. Six months just isn’t enough.

    As another example, one of our well known vendors who first received full EHR certification, did as you suggest, got Module certification for their Anesthesia system. The system was certified for all the usual criteria, AND also certified for tracking ER wait times! Just what every anesthesia system needs.

    You echoed what I have been saying all along…
    The feds are building this boat as it floats down the Niagara river. Picking up whatever flotsam comes by. We can only hope they get it done before…

  10. Interesting Blog!!

    I think many, but not all, the leading EMR companies have used their own certified technology rather than use bundling. Bundled parts would never work as well together as if they had been developed in-House to work as one application. Unlike billing/EMR interaces, where you really deal with two different applications, in this case of the features that ONC demands for certification, they all need to work seamlessly as a unit.

    However, I think most of us did not realize that this was an issue until you brough it up, so we did not make claims.. As far as Praxis EMR, we certified every one of our own components all developed in-house, not relying on outside certifications.

    Keep up your excellent notes.

    Richard Low MD
    Praxis Electronic Medical Records

Text Ads


  1. Thank you for the blast from the past of Azyxxi & Amalga memories! I sold Amalga for 3 years. Easy…

  2. I read the FNN article by Tom Temin. That's not what I got out of it. They aren't attempting to…

  3. From the article: "Reginald Cummings, the deputy chief information officer for infrastructure operations explained on the panel, he’s moving VistA…


Founding Sponsors


Platinum Sponsors




















































Gold Sponsors











Sponsor Quick Links