2015 Edition EHR FAQs

What You Need to Know for the 2015 Edition Certification

Get Answers to Frequently Asked Questions that pertain to the 2015 edition criteria, Deadlines, MACRA

Drummond Group hears your concerns and has answers to ease the challenge! With hundreds of Health IT products tests under our belts, Drummond Group gained valuable insight to offer our clients. To provide some clarity so you can get started with the new requirements, we've compiled a list of the most frequently asked questions about the new criteria, MACRA requirements, and secure messaging, and we are eager to share this knowledge with you. 

Questions to be reviewed during this webinar:

  • When will the 2014 edition certification no longer be valid?
  • How difficult is the new 2015 Edition criteria?
  • When should I be certified 2015 Edition?
  • What is the impact of the MACRA Final Rule?
  • Secure Messaging Changes
  • Important Deadlines to know

Plus, gain insight into why it's important to review these requirements with a Drummond Group test proctor in the early stages of development. This webinar will cover all of these questions with time at the end for Q&A.


1) Is my 2014 Ed product required to be updated to the 2015 Ed program?

Your 2014 certified EHR technology can be used for meaningful use attestation through 2017. Effective Jan 1, 2018 all EPs attesting for meaningful use, regardless of stage, will be required to use Health IT software certified to the 2015 edition.

2) Will I be able to certify to both the 2014 Ed and 2015 Ed program?

Any type of dual certification is not technically feasible and strongly discouraged from a development and testing perspective. While some 2014 edition modules will be eligible for gap inheritance, the 2015 edition criteria is substantially different and more complex.

3) How long does it take to test to the 2015 Ed program?

For vendors previously certified to the 2014 Edition, we estimate approximately three days to complete 2015 Edition testing based on testing for Meaningful Use (MU)-related modules only. For EHR clients with technology is not previously certified and wishing to test all MU-related, test time may be approximately four days.

4) How much will 2015 Edition testing cost and when can I begin?

Pricing, and other logistics related to 2015 Edition testing, including test procedures, will be finalized in 1Q2016. At that time, Drummond Group will announce the start of the 2015 Edition test and certification process via our e-newsletter. To join our newsletter list, please register here.

5) Did CMS make changes to Meaningful Use for this year?

Yes. The Center for Medicaid and Medicare Services (CMS) issued a Final Rule addressing changes in Meaningful Use for 2015-2017 and establishing Stage 3 starting in 2018. There is substantial information in this rule, but the key changes are:

  • All providers and hospitals are moving to what is called Modified Stage 2 starting in 2015.
  • Reporting period for 2015 is 90 consecutive days, and the attestation period will be opening up in January 2016. Reporting periods for 2016 and 2017 are still one calendar year for returning providers.
  • Providers and hospitals will report on the same reporting period of calendar year; fiscal year will no longer apply.
  • In 2017, providers &hospitals may elect to start Stage 3, but it is not mandatory. However, if doing Stage 3 in 2017, providers &hospitals can use a 90 consecutive day reporting period instead of a full year.
  • In 2018, all providers & hospitals must start on Stage 3.
  • Both Stage 3 and Modified Stage 2 dramatically streamlined the Meaningful Use measures, including dropping those which have topped out and no longer need to be reported.

6) What stage of Meaningful Use will providers & hospitals submit attestations on in CY 2015?

In 2015, ALL providers and hospitals move to what is now called Modified Stage 2, regardless of whether they were scheduled to do Stage 1 under previous CMS rules. Modified Stage 2 uses a set of 10 objectives for providers and 9 objectives for hospitals, and replaces the core and menu objective approach.

7) What measures are required in Modified Stage 2 and how can I learn more about it?

The CMS landing page, which outlines the 2015 program year requirements, is an excellent start. Once on that page, refer to PDF tip sheets and a recorded webinar, at the bottom, for valuable information.

8) What is the relationship between Stage 3 and Modified Stage 2?

Modified Stage 2 and Stage 3 are closely aligned. While some measures are different and some objectives have been combined, the idea is to make Modified Stage 2 closely resemble Stage 3.

9) What does Stage 3 require?

For a better explanation of Stage 3, refer to the CMS webinar PDF slides.

10) Does my 2014 Edition certified product need to be updated to meet Modified Stage 2?

No. 2014 Edition certifications, which “worked” in calendar year 2014 for Meaningful Use, will also work in calendar year 2015.

11) Does my 2014 Edition certified product need to be updated to meet Stage 3?

Yes. Only the new ONC criteria, 2015 Edition, can be used for Stage 3. As it currently stands in the regulation, all Health IT systems will need to be certified to 2015 Edition no later than December 31, 2017 so that providers and hospitals can do their full reporting year with their 2015 Edition CEHRT in CY 2018.

12) What criteria are required to certify to the 2015 edition?

ONC has published the 2015 Edition Health IT Certification Criteria which includes new, revised, and some gap-eligible criteria. Drummond Group is currently developing overview documents to help make the regulation easier to understand and more efficient for testing preparation. Once these are complete, Drummond Group will communicate the release via our e-newsletter.

13) Why is a Complete EHR certification not part of the 2015 Edition program?

Beginning with the 2015 Edition, “Complete EHR” certifications will no longer be issued, and only “Health IT Module” certifications will be issued. This will allow the ONC Health IT Certification Program to be more open and accessible to other Health care/practice settings. Drummond Group will be providing a certification track highlighting criteria required for the Meaningful Use Program to support vendors who have this goal.

14) What is the Privacy and Security criteria for 2015 Edition?

The 2015 Edition Criteria uses many of the same privacy and security criteria as 2014 Edition, but also introduces two new criteria, Trust Connection (d.9) and Auditing Actions on Health Information (d.10). The full list:
315.d.1: Authentication, access control, and authorization
315.d.2: Auditable events and tamper-resistance
315.d.3: Audit report(s)
315.d.4: Amendments
315.d.5: Automatic access time-out
315.d.6: Emergency access
315.d.7: End-user device encryption
315.d.8: Integrity
315.d.9: Trusted Connection
315.d.10: Auditing Actions on Health Information
315.d.11: Accounting of Disclosures

15) What are the changes to Privacy and Security functionality?

The 2015 Edition introduces the “Privacy and Security Certification Framework” which lays out privacy and security certification criteria applicable to a Health IT module presented for certification based on other capabilities included in the Health IT module and for which certification is sought. The intent is to require privacy and security functionality which would typically be needed for patient safety based on the respective criteria being used. This framework is as follows:

Criteria Requires
Clinical [170.315.a.1-15] 170.315.d.1-d.7
Care Coordination [170.315.b.1-b.9] 170.315.d.1-d.3, d.5-d.8
Clinical Quality Measures [170.315.c.1-c.4] 170.315.d.1-d.3, d.5
VDT [170.315.e.1] 170.315.d.1-d.3, d.5, d.7, d.9
Secure Messaging and Patient Health Information Capture [170.315.e.2-e.3] 170.315.d.1-d.3, d.5, d.9
Public Health [170.315.f.1-f.7] 170.315.d.1-d.3, d.7
API [170.315.g.7-g.9] 170.315.d.1, d.9 and d.2 OR d.10
Transport Methods [170.315.h.1-h.2] 170.315.d.1-d.3

For example, an HEALTH IT Module presented for certification of CPOE criteria (315.a.1-a.3) would at a minimum only be required to be certified in criteria 315.d.1-d.7. However, if that same Health IT Module added Transition of Care criteria (315.b.1), this Health IT Module would also have to be certified in criteria 315.d.8 as well.

16) Does my Health IT Module have to be tested repeatedly on privacy and security criteria for every criteria in the framework. For example, if I am certifying in criteria 315.a.1-a.15, do I have to test 315.d.1-d.7 all fifteen times?

No, with just a few minor exceptions. ONC has clarified that a Health IT Module would only need to be tested once to each applicable privacy and security criterion as long as the Health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification. However, there are two exceptions to this:

i. A Health IT Module presented for certification to 315.e.1 (VDT) MUST be separately tested on 315.d.9 (Trusted Connection)
ii. A Health IT Module presented for certification to 315.e.2 (Secure Messaging) MUST be separately tested on 315.d.9 (Trusted Connection)

This is because these patient engagement features, which often reside in patient portals, may have different architecture design than the EHR system being tested and, thus, need separate testing of this security functionality.

17) What if my Health IT Module does not support some of the criteria required by the Privacy and Security framework?

It is possible to have an exception of sorts to the testing required in the privacy and security framework. The privacy and security framework can be met either by completing the required testing (Approach #1), or the vendor may submit system documentation (Approach #2) which explains how the respective Health IT Module has implemented service interfaces which allow it to be integrated to other Health IT systems and, then, access external services necessary to meet the privacy and security criteria.

For example, a Health IT Module is developed for clinical quality measures (c.1-c.4) and is designed to be integrated within a hospital system. On its own, this software does not provide audit log capabilities as required by the framework criteria 315.d.3. However, the Health IT Module has API which allows it to access the hospital’s main EHR system and provide logging information. Thus, this Health IT Module can report its logging information in the hospital’s main EHR system. Documentation is shown to the test proctor explaining this and confirmed for certification.

For any vendor choosing Approach #2, it is vital this information is shared with the test proctor early in the testing process so that it can be evaluated and confirmed satisfactory or, if deemed insufficient, to allow the vendor sufficient time to resolve the problem before the test event is complete.

18) Will the proposed changes enhance interoperability with new or updated implementation specifications for the various certification criteria?

The 2015 Edition criteria seeks to support the establishment of the interoperable nationwide Health information infrastructure. Some of the highlighted areas include:

§ Improve interoperability for specific purposes by adopting new and updated vocabulary and content standards for the structured recording and exchange of Health information, including a Common Clinical Data Set composed primarily of data expressed using adopted standards; and rigorously testing an identified content exchange standard [Consolidated Clinical Document Architecture (C-CDA)];
§ Facilitate the accessibility and exchange of data by including enhanced data export, transitions of care, and application programming interface (API) capabilities in the 2015 Edition Base Electronic Health Record (EHR) definition;
§ Establish a framework that makes the Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program open and accessible to more types of Health IT, Health IT that supports a variety of care and practice settings, various HHS programs, and public and private interests;
§ Ensure all Health IT presented for certification possess the relevant privacy and security capabilities;
§ Provide Health IT developers with more flexibility, opportunities, and time for development and certification of Health IT that supports interoperability, usability, and innovation.

19) With the proposed changes for the 2015 Edition Meaningful Use program overseen by the ONC, what has changed regarding the surveillance aspect of EHR software products?

ONC has expanded existing surveillance responsibilities for authorized certification bodies (ONC-ACBs) by adding “in-the-field” surveillance and updates to transparency and disclosure requirements. ONC-ACBs are required each calendar year to randomly select at least 2% of the Complete EHRs and Health IT modules for which it has issued a certification. Additionally, “reactive” surveillance are required for any certified product based on complaints or other information about potential non-conformities. Drummond Group will release further information regarding “Surveillance and Maintenance of Certification” once our testing process has been finalized.

20) With the release of MIPS and APM NRPM introduced at the end of April, how does that impact certification testing of 2015 Edition?

By and large, it does not impact the criteria meaning 2015 Edition criteria is unchanged. However, it does impact the measure reporting requirements, and therefore ONC is going to be updating the test data for measure reporting required in the test procedure of criteria 315(g)(1)/(g)(2). Due to regulatory restrictions, they likely won’t have this data ready until 4Q-2016 and therefore ONC is putting a hold on testing and certifying 315(g)(1)/(g)(2) until that test data can be updated.
For those planning on certifying this year, please take this into consideration.
For those who are planning to finish testing of all criteria, including 315(g)(1)/(g)(2), before 4Q-16, please work with your test proctor or other Drummond Group team members on alternative arrangements.


2014 Edition EHR FAQs

For the 2014 Edition EHR FAQs please click here



Copyright © 2016 Drummond Group  Follow DrummondGrpTest on Twitter