ONC Health IT Certification Relaxation: More Harm Than Good?

By Vibhore Gupta, Senior Business Analyst, Spectramedix

ONC’s recent announcement on EHR attestation requirements is surely going to reduce the burden on developers. The question is what implications and downstream consequences such a move will have for the healthcare landscape.

Details on changes to the health IT certification process

There are two changes that have been announced.

  1. The first change is that CMS will make more than 50 percent of test procedures “self-declaration only,” meaning health IT developers will no longer have to allocate time to test those procedures with ONC.
  2. The second change will provide ONC’s Authorized Certification Bodies (ACBs) more discretion regarding randomized surveillance of certified health IT products.

My concern here is focused on the first change, where the relaxation of 30 test criteria could leave hospitals and physicians with mediocre products. Such relaxation can lead to developers becoming complacent about regulations. The change covers “functionality-based certification criteria.” The modules are named below:

  1. 170.315 (a) Clinical Processes – All 15 criteria under this module have been added to the self-declaration category, where an EHR vendor doesn’t have to showcase the product functionality or submit documentation to ONC showing that the product met functionality and regulatory standards.
  2. 170.315 (d) Privacy and Security – All 11 criteria are made self-declarable. This module addresses a very important aspect of healthcare data transmission and related security measures being adopted in conformance to HIT regulations. Self-declaration of such criteria can jeopardize patient care, care coordination and physician success in the QPP program.

There are 4 other criteria that are also a part of this change:

  1. 170.315(f)(5) – Transmission to public health agencies – electronic case reporting.
  2. 170.315(g)(7) – Application access – patient selection.
  3. 170.315(e)(3) – Patient health information capture.
  4. 170.315(e)(2) – Secure messaging.

I do not disagree that such relaxation will allow providers, vendors and the government to better focus on interoperability and other pressing matters, but deregulating this area could cause more harm than good. I suspect such a move is going to result in better products as there is no incentive for the vendors to meet the requirements in the first instance.

ONC will review and investigate any non-conformity complaints received and associated with these certification criteria. Isn’t this more of a hit-and-trial relaxation, where if the self-declaration goes wrong, the damage is done to healthcare entities and vital healthcare data? Also, we should not forget that eClinicalWorks recently flouted the MU certification requirements and got sued for $155 million. ECW falsely obtained that certification for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification. For example, in order to pass certification testing without meeting the certification criteria for standardized drug codes, the company modified its software by “hardcoding” only the drug codes required for testing. Isn’t this a perfect example that such relaxation will only lead to sub-par products in the market? Time will tell as we all monitor how these ONC changes may affect product quality down the road, be it for better or worse.

This article was originally published on Vibhore Gupta’s LinkedIn profile and is republished here with permission.