Certification Requirements for Health Information Technology: A 2011 Primer for Providers

Second Quarter 2011 Newsletters: Staying Well Within the Law

Weeding through the thicket of health information technology (HIT)-related regulations promulgated by the U.S. Department of Health and Human Services (HHS) over the past couple of years is not a task for the distracted or sleep-deprived. Only the most intrepid and focused readers will emerge with the realization that regulations issued by the Centers for Medicare & Medicaid Services (CMS) within HHS pertaining to meaningful use of electronic health record (EHR) technology are distinct from, albeit related to, regulations issued by the Office of the National Coordinator for Health Information Technology (ONC) within HHS pertaining to certification of EHR. In fact, as explained by the ONC in the “Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Information Technology” published July 28, 2010 (“Initial Certification Rule”),¹ a number of the nearly 400 timely comments it received on the Interim Final Rule with request for comments² were really intended for CMS and pertained to the CMS meaningful use regulations:

[D]ue to the simultaneous publication and topical similarity of the notice of proposed rulemaking for meaningful use Stage 1, commenters inadvertently submitted comments to our regulation docket … instead of … [CMS] and vice versa. Recognizing this oversight, CMS and ONC shared misplaced comments between the offices and we included within our review all comments that could reasonably be identified as comments on the Initial Certification Rule.³

The interplay between meaningful use of EHR and certification of HIT undoubtedly contributes to the confusion, as do the multiple implementation phases and lengthy, technical regulations associated with both meaningful use and certification. The “simultaneous publication” of ONC and CMS rules dated last summer certainly did not help to clear the dense thicket of HIT and EHR-related information.

Many health care providers have focused on meeting the requirements for “meaningful use” of EHR. On the same date of ONC’s Initial Certification Rule publication, CMS published a Final Rule⁴ setting forth requirements for the incentive payments authorized by the American Recovery and Reinvestment Act of 2009⁵ (ARRA) (EHR Incentive Program Final Rule). The EHR Incentive Program Final Rule and its preamble, consisting of more than 250 single-spaced, mini-font pages, describe the way in which providers must develop and meaningfully use EHRs in order to qualify for the Medicare and Medicaid payment incentives. Under the Medicare EHR incentive program, eligible providers must adopt and meaningfully use certified EHR technology before receiving incentive payments. Under the Medicaid EHR incentive program, eligible providers may receive incentive payments if they adopt, implement or upgrade to certified EHR technology within their first year of participation in the incentive program.

Providers looking to qualify EHR for the Anti-Kickback Statute EHR safe harbor⁶ and/or the Stark physician self-referral prohibition exception⁷ must use HIT “deemed” by the Secretary of HHS to be “interoperable.” HIT is “deemed to be interoperable if a certifying body recognized by the Secretary has certified the software within no more than 12 months prior to the date it is provided to the recipient.”⁸ Thus, providers seeking Medicare and/or Medicaid incentive payments, as well as providers seeking protection for EHR technology donations under the Anti-Kickback Statute or Stark law, must be sure the EHR technology is certified.

Background on the Certification Rule

On June 24, 2010, the ONC published a final rule establishing a temporary certification program for HIT.⁹ On January 7, 2011, the ONC published a “Final Rule for the Establishment of the Permanent Certification Program for Health Information Technology” (Final Certification Rule).¹⁰ As explained in its news release issued January 3, 2011, the Final Certification Rule was developed to enhance “the comprehensiveness, transparency, reliability, and efficiency of the current processes used in the certification” of EHR technology.¹¹ In short, the ONC has outlined a process by which HIT will become “permanently” certified:

  • The ONC will request that the National Institute of Standards and Technology (NIST), through its National Voluntary Laboratory Accreditation Program (NVLAP), develop a laboratory accreditation program for organizations to be accredited to test HIT for permanent certification.
  • Once NIST/NVLAP has developed accreditation standards, the ONC will select an Approved Accreditor (ONC-AA). The ONC-AA will then approve applicants seeking designation as Authorized Certification Bodies (ONC-ACBs) or Authorized Certification and Testing Bodies (ONC-ACTBs).
  • ONC-ACB/ACTBs must demonstrate to ONC-AA their competency and ability to test and/or certify Complete EHRs, EHR Modules and/or other types of HIT as specified by the Secretary of HHS.
  • After becoming an ONC-ACB/ACTB, an organization may test and/or certify the product of an HIT vendor or developer as constituting an “EHR Module” or a “Complete EHR” (i.e., an EHR that meets, at a minimum, all of the applicable certification criteria required by the Secretary as per regulatory requirements set forth in the Initial Certification Rule).
  • Following certification of the HIT pursuant to the process described above, the ONC-ACB/ACTB will provide the ONC, no less frequently than weekly, a current list of Complete EHRs and EHR Modules that have been certified. The ONC will post the information on its web site in its Certified HIT Products List (CHPL).¹²

Buyer Beware Caveats

The process, while detailed, is relatively straightforward and contains information more immediately or directly relevant to HIT developers and vendors. However, there are a few “buyer beware” caveats lurking amidst the Interim Final Rule and the Permanent Certification Rule provisions for providers purchasing new or upgraded HIT systems.

First, despite the “Permanent Certification Rule” label, the process set forth in the rule makes it clear that certification is not necessarily permanent, as it is only valid as long as the certification criteria have not been modified. “In other words, if the applicable certification criteria have been altered or changed, then an eligible professional or eligible hospital can no longer represent that a certified Complete EHR or a combination of certified EHR Modules continues to constitute Certified EHR Technology based on the certifications that were previously issued.”¹³ The ONC explains that it expects the requirements for meaningful use will be adjusted every two years, and that the Secretary will then adopt certification criteria every two years to correlate with the changes to the meaningful use requirements. So, if a Complete EHR was certified in 2010 to meet criteria for the 2011 and 2012 payment years, it must be certified again in 2012 to meet the 2013 and 2014 criteria. Fortunately, though, Complete EHRs and EHR Modules that were certified under temporary certification criteria adopted for the 2011-2012 payment years will not require recertification simply because the Final Certification Rule has been promulgated.

Purchasers should also beware of buying components of a Complete EHR and expecting the component to qualify as an EHR Module. As explained by the ONC in a frequently asked question (FAQ) response, “[s]tand-alone, separate components of a certified Complete EHR do not derive their own separate certified status based solely on the fact that they were included as part of the Complete EHR when it was tested and certified.”¹⁴ Purchasers should make sure the EHR vendor has received specific EHR Module certification for each component of the Complete EHR if the purchaser wants to buy only certain component parts (perhaps at a cost that is less than the cost of purchasing the Complete EHR).

Similarly, purchasers using a combination of EHR Modules will need “to ensure that a combination of EHR Modules properly work together to meet all of the required capabilities necessary” to meet required privacy and security requirements. The Permanent Certification Rule requires EHR Modules to be certified to all privacy and security certification criteria adopted by HHS, unless the Module(s) is presented for certification as a pre-coordinated, integrated bundle and one or more of the constituent Modules is “demonstrably responsible” for providing all of the privacy and security capabilities of the entire bundle, or it is presented for certification and the presenter can show that a privacy and security certification criterion is inapplicable or that it would be technically infeasible to certify the Module in accordance with the criterion.¹⁵ A purchaser of bundled modules should, therefore, make sure it plans to use the entire bundle or that it fully understands potential limits associated with use of a single Module or portion of the bundle. Since privacy and security capabilities are a key feature of a provider’s HIT (and the absence of these capabilities can result in breaches and problems far beyond those associated with the failure to qualify for a meaningful use incentive payment), the provider should carefully review these features in the context of how it intends to adopt and use EHR Modules.

Health care attorneys advising HIT-purchasing or HIT-using clients would be wise to focus on the representations and warranties included in vendor contracts, make sure their clients have a complete understanding of the purpose for and way in which the HIT will be used, and have at least a general understanding of the symbiotic, but distinct, relationship between HIT certification and meaningful use.

For more information about this topic, please contact Elizabeth G. Litten at 609.895.3320.

This article previously appeared in the American Health Lawyers Association Health Information & Technology Practice Group HIT News and is reprinted here with permission. Copyright 2011 American Health Lawyers Association, Washington, DC. Reprint permission granted.

  1. 75 Fed. Reg. 44590 (July 28, 2010). See also 75 Fed. Reg. 62,686 (Oct. 13, 2010) (revisions to Initial Certification Rule).
  2. 75 Fed. Reg. 2014 (Jan. 13, 2010).
  3. 75 Fed. Reg. at 44591.
  4. 75 Fed. Reg. 44314 (July 28, 2010). See also 75 Fed. Reg. 81885 (Dec. 29, 2010) (final rule correcting amendment to EHR Incentive Program Final Rule).
  5. Pub. L. 111-5 (2009).
  6. 42 C.F.R. 1001.952(y).
  7. 42 C.F.R. 411.357(w).
  8. Id.
  9. 75 Fed. Reg. 36,158 (June 24, 2010).
  10. 76 Fed. Reg. 1262 (Jan. 7, 2011).
  11. http://www.hhs.gov/news/press/2011pres/01/20110103a.html.
  12. http://onc-chpl.force.com/ehrcert.
  13. 76 Fed. Reg. at 1302.
  14. http://healthit.hhs.gov/portal/server.pt/community/onc_regulations_faqs/3163.
  15. 76 Fed. Reg. at 1329.