ICSA Labs Questions Strength of ONC Certification Rules

Posted on August 11, 2011 I Written By

You’ve undoubtedly heard the argument before: EHR certification is about assuring that systems meet minimum requirements for functionality and interoperability, but the certification process falls way short in terms of usability, privacy and security. But have you heard the argument from one of the ONC-authorized certification bodies?

This is an excerpt from an e-mail I received today:

Meaningful Use criteria have become a massive EHR certification driver for healthcare organizations. Hospitals and other providers rely on the criteria to ensure that their health IT systems meet minimum government-specified functionality and interoperability requirements to support Stage 1 of Meaningful Use.  Achieving Meaningful Use also ensures a health care organization qualifies for reimbursement under the American Recovery and Reinvestment Act as a way to incent adoption of e-health processes among health organizations. The ultimate goal is to improve our nation’s healthcare system by leveraging technology to allow greater access to important health information and empower patients to securely access their own health information.

However, as one of only five organizations authorized to test both complete and modular EHRs by the Office of the National Coordinator (ONC) for Health IT, ICSA Labs questions whether EHR certifications are enough as the criteria represents only minimum requirements. Amit Trivedi, healthcare program manager at ICSA Labs, believes providers should take further steps to heighten the security and privacy of their health IT systems. He also suggests vendors should look beyond the current regulations to address and improve usability, data portability, and information exchange in their products.

That’s right, ICSA Labs, one of five organizations currently authorized to test and certify complete EHRs on behalf of the Office of the National Coordinator for Health Information Technology, seems to think that the standards it tests EHRs against are inadequate, which is something that critics of certification—particularly critics of the Certification Commission for Healthcare Information Technology—have been saying for years. Critics of many of the larger vendors have been saying that, too. But it’s shockingly refreshing to hear this from an actual certification body.

In fact, the publicist for ICSA, a unit of Verizon Business, has offered interviews with executives of two lesser-known vendors,  Health System Technology and Design Clinicals, to talk about how they are going beyond the minimum certification requirements. Deadlines beckon, so I didn’t really have time to wait for the publicist to try to find me an schedule opening for one of the executives, but here’s a statement from a March 30 ICSA press release that is somewhat telling:

“This year we are expanding our certification programs into health IT, a much-needed area of focus to help modernize today’s health care system,” said George Japak, managing director for ICSA Labs. “With our new focus on safeguarding patient information within electronic health records, we are committed to helping accelerate the adoption of health IT.”

We don’t hear too much about security in the context of certification from too many other camps, so it’s nice to hear that at least one certification organization is critical of the rules it is under contract to follow. Perhaps we’ll see tougher usability, privacy and security standards in the permanent certification program ONC needs to have in place by the beginning of 2012 to support the forthcoming Stage 2 “meaningful use” requirements from CMS.

Wishful thinking?