Your 2014 certified EHR technology can be used for meaningful use attestation through 2017. Effective Jan 1, 2018 all EPs attesting for meaningful use, regardless of stage, will be required to use Health IT software certified to the 2015 edition.
Any type of dual certification is not technically feasible and strongly discouraged from a development and testing perspective. While some 2014 edition modules will be eligible for gap inheritance, the 2015 edition criteria is substantially different and more complex.
For vendors previously certified to the 2014 Edition, we estimate approximately three days to complete 2015 Edition testing based on testing for Meaningful Use (MU)-related modules only. For EHR clients with technology is not previously certified and wishing to test all MU-related, test time may be approximately four days.
Pricing, and other logistics related to 2015 Edition testing, including test procedures, will be finalized in 1Q2016. At that time, Drummond Group will announce the start of the 2015 Edition test and certification process via our e-newsletter. To join our newsletter list, please register here.
Yes. The Center for Medicaid and Medicare Services (CMS) issued a Final Rule addressing changes in Meaningful Use for 2015-2017 and establishing Stage 3 starting in 2018. There is substantial information in this rule, but the key changes are:
In 2015, ALL providers and hospitals move to what is now called Modified Stage 2, regardless of whether they were scheduled to do Stage 1 under previous CMS rules. Modified Stage 2 uses a set of 10 objectives for providers and 9 objectives for hospitals, and replaces the core and menu objective approach.
The CMS landing page, which outlines the 2015 program year requirements, is an excellent start. Once on that page, refer to PDF tip sheets and a recorded webinar, at the bottom, for valuable information.
Modified Stage 2 and Stage 3 are closely aligned. While some measures are different and some objectives have been combined, the idea is to make Modified Stage 2 closely resemble Stage 3.
For a better explanation of Stage 3, refer to the CMS webinar PDF slides.
No. 2014 Edition certifications, which “worked” in calendar year 2014 for Meaningful Use, will also work in calendar year 2015.
Yes. Only the new ONC criteria, 2015 Edition, can be used for Stage 3. As it currently stands in the regulation, all Health IT systems will need to be certified to 2015 Edition no later than December 31, 2017 so that providers and hospitals can do their full reporting year with their 2015 Edition CEHRT in CY 2018.
ONC has published the 2015 Edition Health IT Certification Criteria which includes new, revised, and some gap-eligible criteria. Drummond Group is currently developing overview documents to help make the regulation easier to understand and more efficient for testing preparation. Once these are complete, Drummond Group will communicate the release via our e-newsletter.
Beginning with the 2015 Edition, “Complete EHR” certifications will no longer be issued, and only “Health IT Module” certifications will be issued. This will allow the ONC Health IT Certification Program to be more open and accessible to other Health care/practice settings. Drummond Group will be providing a certification track highlighting criteria required for the Meaningful Use Program to support vendors who have this goal.
The 2015 Edition Criteria uses many of the same privacy and security criteria as 2014 Edition, but also introduces two new criteria, Trust Connection (d.9) and Auditing Actions on Health Information (d.10). The full list:
315.d.1: Authentication, access control, and authorization
315.d.2: Auditable events and tamper-resistance
315.d.3: Audit report(s)
315.d.5: Automatic access time-out
315.d.6: Emergency access
315.d.7: End-user device encryption
315.d.9: Trusted Connection
315.d.10: Auditing Actions on Health Information
315.d.11: Accounting of Disclosures
The 2015 Edition introduces the “Privacy and Security Certification Framework” which lays out privacy and security certification criteria applicable to a Health IT module presented for certification based on other capabilities included in the Health IT module and for which certification is sought. The intent is to require privacy and security functionality which would typically be needed for patient safety based on the respective criteria being used. This framework is as follows:
Clinical [170.315.a.1-15] 170.315.d.1-d.7
Care Coordination [170.315.b.1-b.9] 170.315.d.1-d.3, d.5-d.8
Clinical Quality Measures [170.315.c.1-c.4] 170.315.d.1-d.3, d.5
VDT [170.315.e.1] 170.315.d.1-d.3, d.5, d.7, d.9
Secure Messaging and Patient Health Information Capture [170.315.e.2-e.3] 170.315.d.1-d.3, d.5, d.9
Public Health [170.315.f.1-f.7] 170.315.d.1-d.3, d.7
API [170.315.g.7-g.9] 170.315.d.1, d.9 and d.2 OR d.10
Transport Methods [170.315.h.1-h.2] 170.315.d.1-d.3
For example, an HEALTH IT Module presented for certification of CPOE criteria (315.a.1-a.3) would at a minimum only be required to be certified in criteria 315.d.1-d.7. However, if that same Health IT Module added Transition of Care criteria (315.b.1), this Health IT Module would also have to be certified in criteria 315.d.8 as well.
No, with just a few minor exceptions. ONC has clarified that a Health IT Module would only need to be tested once to each applicable privacy and security criterion as long as the Health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification. However, there are two exceptions to this:
i. A Health IT Module presented for certification to 315.e.1 (VDT) MUST be separately tested on 315.d.9 (Trusted Connection)
ii. A Health IT Module presented for certification to 315.e.2 (Secure Messaging) MUST be separately tested on 315.d.9 (Trusted Connection)
This is because these patient engagement features, which often reside in patient portals, may have different architecture design than the EHR system being tested and, thus, need separate testing of this security functionality.
It is possible to have an exception of sorts to the testing required in the privacy and security framework. The privacy and security framework can be met either by completing the required testing (Approach #1), or the vendor may submit system documentation (Approach #2) which explains how the respective Health IT Module has implemented service interfaces which allow it to be integrated to other Health IT systems and, then, access external services necessary to meet the privacy and security criteria.
For example, a Health IT Module is developed for clinical quality measures (c.1-c.4) and is designed to be integrated within a hospital system. On its own, this software does not provide audit log capabilities as required by the framework criteria 315.d.3. However, the Health IT Module has API which allows it to access the hospital’s main EHR system and provide logging information. Thus, this Health IT Module can report its logging information in the hospital’s main EHR system. Documentation is shown to the test proctor explaining this and confirmed for certification.
For any vendor choosing Approach #2, it is vital this information is shared with the test proctor early in the testing process so that it can be evaluated and confirmed satisfactory or, if deemed insufficient, to allow the vendor sufficient time to resolve the problem before the test event is complete.
The 2015 Edition criteria seeks to support the establishment of the interoperable nationwide Health information infrastructure. Some of the highlighted areas include:
§ Improve interoperability for specific purposes by adopting new and updated vocabulary and content standards for the structured recording and exchange of Health information, including a Common Clinical Data Set composed primarily of data expressed using adopted standards; and rigorously testing an identified content exchange standard [Consolidated Clinical Document Architecture (C-CDA)];
§ Facilitate the accessibility and exchange of data by including enhanced data export, transitions of care, and application programming interface (API) capabilities in the 2015 Edition Base Electronic Health Record (EHR) definition;
§ Establish a framework that makes the Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program open and accessible to more types of Health IT, Health IT that supports a variety of care and practice settings, various HHS programs, and public and private interests;
§ Ensure all Health IT presented for certification possess the relevant privacy and security capabilities;
§ Provide Health IT developers with more flexibility, opportunities, and time for development and certification of Health IT that supports interoperability, usability, and innovation.
ONC has expanded existing surveillance responsibilities for authorized certification bodies (ONC-ACBs) by adding “in-the-field” surveillance and updates to transparency and disclosure requirements. ONC-ACBs are required each calendar year to randomly select at least 2% of the Complete EHRs and Health IT modules for which it has issued a certification. Additionally, “reactive” surveillance are required for any certified product based on complaints or other information about potential non-conformities. Drummond Group will release further information regarding “Surveillance and Maintenance of Certification” once our testing process has been finalized.
By and large, it does not impact the criteria meaning 2015 Edition criteria is unchanged. However, it does impact the measure reporting requirements, and therefore ONC is going to be updating the test data for measure reporting required in the test procedure of criteria 315(g)(1)/(g)(2). Due to regulatory restrictions, they likely won’t have this data ready until 4Q-2016 and therefore ONC is putting a hold on testing and certifying 315(g)(1)/(g)(2) until that test data can be updated.
For those planning on certifying this year, please take this into consideration.
For those who are planning to finish testing of all criteria, including 315(g)(1)/(g)(2), before 4Q-16, please work with your test proctor or other Drummond Group team members on alternative arrangements.
For the 2014 Edition EHR FAQs please click here