Office of the Secretary, HHS.
By this document we are informing the public of the Secretary's recognition of certain Certification Commission for Healthcare Information Technology (CCHIT) criteria for ambulatory EHR functionality, interoperability, security and reliability standards. This list of recognized criteria is available by clicking the applicable link at http://www.hhs.gov/healthit.
The CCHIT was created in 2004 by an industry coalition of the American Health Information Management Association (AHIMA), the Health Information and Management Systems Society (HIMSS) and the National Alliance for Health Information Technology. CCHIT's mission is to accelerate the adoption of HIT by creating an efficient, credible and sustainable product certification program.
During the three comment cycles that generated the ambulatory EHR criteria that the Secretary has recognized, CCHIT received over 1500 comments from a wide range of stakeholders. Further outreach was achieved through the establishment of several large Town Hall presentations with attendances in the range of 500-1000 at Healthcare Information Management Systems Society (HIMSS) conferences as well as at more than thirty smaller presentations to a variety of associations, organizations and press gatherings.
CCHIT grouped its ambulatory EHR certification criteria recommendations into three groups, “functionality,” “interoperability” and “security/reliability.” For ease of understanding, the Secretary broke the security and reliability recommendations into separate categories. Definitions of these categories, and an example that illuminates the various functions of each category, are as follows:
1. Functionality criteria identify minimum required and provisional product features for documenting and managing a typical patient encounter. For example, a physician needs to be able to access his/her patient's laboratory test results, so an example of a functional requirement is that an EHR would need to provide the capability of displaying laboratory test results.
2. Interoperability criteria establish standards for how products interact with other products within and across care settings. For example, to ensure interoperability, the physician EHR noted above would need to be able to receive laboratory test results from another physician's (within care settings) as well as from laboratory systems (across care settings).
3. Security and reliability criteria are designed to help the security inspector assess a product's ability to protect, manage and audit access to sensitive patient data. For clarity, we have broken these criteria into the two separate categories, security and reliability.
a. Security addresses the appropriate access to data by appropriate parties and the protection of data from improper manipulation. For example, laboratory test results should be accessible to a treating physician, but inaccessible to a clerical employee who does not need such access to accomplish their job. Security also involves ensuring that data have not been altered or tampered with.
b. Reliability goes to the accessibility and consistency with which data is retrieved and displayed. For example, the physician should be able to easily and consistently access laboratory test results through some consistent display mechanism that can be counted on to be available whenever it is needed.
At HHS' request, the CCHIT-recommended ambulatory EHR certification criteria were presented to the American Health Information Community (AHIC) on May 16, 2006. After consideration, the AHIC recommended that the Secretary recognize CCHIT identified ambulatory EHR certification criteria that CCHIT recommended for use in 2006. This recommendation informed the Secretary's decision to recognize these criteria.
The Secretary also based his decision to recognize these criteria on the need for such criteria in the Department's recently published final rules for exceptions to the physician self-referral law and safe harbors to the Anti-kickback statute for electronic prescribing and EHR arrangements (RIN #0938-AN69 and 0991-AB36 respectively). These rules are premised on:
1. HHS having recognized one or more EHR certifying bodies, and
2. HHS having recognized criteria for the certification of EHRs.
A separate notice of availability has been published in the Federal Register to notify the public about the availability of a certification Guidance Document that provides interim guidance on the recognition of certification bodies. This document is also available at http://www.hhs.gov/healthit. The CCHIT criteria that the Secretary has recognized serve to establish the initial EHR certification criteria that are referenced in the final physician self-referral law and Anti-kickback statute rules.
The Secretary also based his decision to recognize the CCHIT criteria on a belief that providers will be more willing to invest in health IT if there is a way of ensuring that the products would perform as advertised. Stories abound about providers making large investments in EHRs only to discover that they do not meet their functionality, interoperability, security and/or reliability needs. Certification could respond to investment fears generated by stories about failed investments. A reduction of such fears could further the Department's goal of higher rates of sustained health IT adoption and interoperability.
Finally, the Secretary's decision to recognize these criteria was informed by the fact that the criteria have been validated through prototype testing. Any criteria not fully validated by the Pilot Test (fewer than 10% fell in this category) were not considered for recognition.
In light of the consensus basis, HHS reliance, industry impact and demonstrated utility of the CCHIT criteria for functionality, interoperability, security and reliability, the Secretary has recognized these criteria. He has delegated authority to ONC to coordinate and oversee the incorporation of these criteria in relevant activities among Federal agencies and other partner organizations, as appropriate.
FOR FURTHER INFORMATION CONTACT:
John W. Loonsk, M.D. at (202) 205-0242.
Dated: August 1, 2006.
Acting Deputy National Coordinator for Health IT.
1. HHS notes that the requirements of the HIPAA Security Rule continue to be applicable.
[FR Doc. 06-6690 Filed 8-1-06; 1:25 p.m.]
BILLING CODE 4150-24-P