The Health IT Policy Committee endorsed comments on a plan by the Office of the National Coordinator to offer permanent certification of electronic health record systems, including a provision to monitor EHRs after they are purchased to ensure providers are installing the proper technology.
The advisory panel okayed this and other features of permanent certification described in a proposed rule published by ONC in March. The ONC is expected to finalize its plan for permanent certification of EHRs sometime before the end of the year.
Permanent certification describes requirements for testing whether EHRs deliver the functions required for meaningful use. A separate temporary certification plan has been designed containing a more limited set of requirements to help providers get EHRs up and running in the first year of the meaningful use program.
The committee praised ONC's overall approach to certification. "By separating the certification process from the testing process, and by utilizing existing international testing, accreditation and certification standards, ONC is improving the objectivity and transparency of the certification and testing processes," said Paul Egerman, the panel's co-chairman.
Among the features of the permanent certification plan, ONC had sought suggestions for developing a surveillance process to monitor whether EHRs that had been purchased and put into operation by providers actually conformed to testing criteria.
EHRs would also be checked to see if they were labeled correctly to identify the stage of meaningful use for which the system was certified, as well as the accuracy of how certification and compliance was represented. Labels should also include information about how providers could report problems related to certification.
"Because of potential confusion in the marketplace, labeling requirements are very important," Egerman said.
If the post-certification monitoring produces evidence of serious technical problems or patient safety concerns, ONC should have the authority to decertify an EHR to protect purchasers, but only in "egregious situations," the committee said.
Among other recommendations, vendors should be able to receive "differential certification" or approval of what is different between two software versions or two stages of requirements as long as the testing criteria is the same.
The certification process should also help improve privacy and security, the committee said. For instance, EHR components or module must meet all privacy and security certification criteria. To avoid gaps in privacy and security safeguards when modules are incorporated in an integrated system, vendors should provide a lot of information about their modules as part of certification and also supply that information in product labels for purchasers, the panel said.
That will provide eligible providers and hospitals with the information "that will enable them to integrate the module with other EHR modules so that all privacy and security certification criteria can be met by the integrated set of modules," said Deven McGraw, co-chairman of the privacy and security work group and director of the Health Privacy Project at the Center for Democracy and Technology.
