The Office of the National Coordinator for Health Information Technology coordinated its September 4, 2012, release of the 2014 Edition Electronic Health Record (EHR) Certification Criteria with the Centers for Medicare & Medicaid Services' release on the same day of updated meaningful use (MU) criteria for eligible providers to demonstrate MU and earn EHR incentive payments under Stage 2 of the Medicare and Medicaid EHR Incentive Programs.

On September 4, 2012, the Office of the National Coordinator for Health Information Technology (ONC) of the U.S. Department of Health and Human Services (HHS) published the 2014 Edition of the criteria (2014 Edition EHR Certification Criteria) and related standards and implementation specifications for electronic health record (EHR) technology to qualify as Certified EHR Technology (CEHRT) under the Medicare and Medicaid EHR Incentive Programs. Physicians and other eligible professionals (EPs), eligible hospitals (EHs) and critical access hospitals (CAHs) that adopt CEHRT and subsequently use the CEHRT in accordance with meaningful use (MU) criteria established by the Centers for Medicare & Medicaid Services (CMS) are eligible to earn reimbursement incentive payments and avoid reimbursement penalties under the EHR Incentive Programs. Such incentives and penalties are designed and intended to promote and accelerate the adoption of EHRs and ultimately a U.S.-wide health information network.

The ONC coordinated the release of the 2014 Edition EHR Certification Criteria with CMS's release on the same day of the final Stage 2 MU Rule that establishes the criteria for demonstrating MU under Stage 2 of the EHR Incentive Programs and makes certain changes to the Stage 1 MU criteria. For more information on the Stage 2 MU Rule, see McDermott's On the Subject "CMS Seeks Improved Quality of Care, Patient Engagement Through Stage 2 Meaningful Use Criteria." [LINK TO: http://www.mwe.com/CMS-Seeks-Improved-Quality-of-Care-Patient-Engagement-Through-Stage-2-Meaningful-Use-Criteria-09-13-2012/] The 2014 Edition EHR Certification Criteria and the Stage 2 MU Rule together are the second step in the U.S. government's incremental plan to enhance the interoperability, functionality, utility and security of EHR technology and to support MU of CEHRT.

The 2014 Edition EHR Certification Criteria build upon the 2011 Edition EHR Certification Criteria that the ONC published on July 13, 2010. For more information about the 2011 Edition, see McDermott's White Paper " Navigating the Government's Final Rules for Earning Incentive Dollars Through 'Meaningful Use' of E-Health Record Technology."

EPs must use EHR technology certified under the 2014 Edition EHR Certification Criteria to earn incentive payments beginning in calendar year (CY) 2014, and EHs and CAHs must begin using it in Medicare fiscal year (FY) (October 1 to September 30) 2014.

This On the Subject discusses the following significant aspects of the components of the 2014 Edition EHR Certification Criteria and their implications for EHR vendors and EPs, EHs and CAHs (collectively, eligible providers):

  • When eligible providers must adopt CEHRT meeting the 2014 Edition EHR Certification Criteria
  • Gap certification of EHR technology previously certified under the 2011 Edition EHR Certification Criteria
  • Highlights from the 2014 Edition EHR Certification Criteria

Certification of EHR Technology

For EHR technology to qualify as CEHRT under the 2014 Edition EHR Certification Criteria, it must be certified by an ONC-Authorized Certification Body under the ONC HIT Certification Program. Certification under the 2011 Edition EHR Certification Criteria will no longer be valid in 2014.

However, to streamline the process for re-certification of EHR technology previously certified under the 2011 Edition EHR Certification Criteria, the ONC permits ONC-Authorized Certification Bodies to use prior certification test results (from the 2011 Edition testing process) if a certification criterion is the same in the two editions of the certification criteria. Such "gap certification" will only require new testing under a new or revised criterion. For more information about the ONC HIT Certification Program, see McDermott's White Paper " Final Rule Establishes the Permanent Certification Program for EHR Technology."

CEHRT Adoption Timing Issues for Eligible Providers

In order to earn incentive payments and avoid payment penalties under the EHR Incentive Programs, an eligible provider must use CEHRT in accordance with the applicable MU criteria. Prior to CY 2014 (for EPs) and FY 2014 (for EHs and CAHs), eligible providers may use CEHRT certified in three ways. First, CEHRT may be certified in accordance with the 2011 Edition EHR Certification Criteria. Second, an eligible provider may upgrade some, but not all, modules of CEHRT certified under the 2011 Edition EHR Certification Criteria to modules certified under the 2014 Edition EHR Certification Criteria. Third, an eligible provider may use CEHRT certified under the 2014 Edition EHR Certification Criteria.

After CY 2014 and FY 2014, as applicable, an eligible provider must use EHR technology certified under the 2014 Edition EHR Certification Criteria in order to earn incentive payments and, beginning in 2015, to avoid payment penalties for failing to achieve MU. This is the case even if an eligible provider is demonstrating MU under CMS's Stage 1 MU criteria.

2014 Edition EHR Certification Criteria

To the extent that CMS added, revised or removed MU objectives, measures or reporting requirements in the Stage 2 MU Rule, the ONC made conforming changes to the associated EHR certification criteria in the 2014 Edition EHR Certification Criteria.

New Certification Criteria

The following sections discuss the new EHR certification criteria that apply to both the ambulatory (e.g., physician office) and inpatient settings, to the ambulatory setting only and to the inpatient settings only.

Ambulatory and Inpatient Settings

The 2014 Edition EHR Certification Criteria include nine new certification criteria applicable to both the ambulatory and inpatient settings that require the following EHR technical capabilities:

  • Record, change, access and search electronic notes in patient records
  • Indicate availability of and enable electronic access to imaging results (including images and interpretations)
  • Record, change and access family health history
  • Select a record affected by a patient's request for an amendment to electronic health information; for an accepted amendment, append the amendment to the affected record or include a link to the amendment; and for a denied amendment, append the request and denial of the request to the affected record or include a link that indicates this information's location
  • Provide patients and their authorized representatives with an online means to view, download and transmit to third parties certain demographic and clinical data elements (which are specified in the certification criterion) through a secure channel
  • Include certain safety-enhanced design processes for the following functions of the EHR technology: computerized provider order entry capability; drug-drug and drug-allergy interaction checks; medication list; medication allergy list; clinical decision support capability; verification of electronic medication administration records; electronic prescribing; and electronic reconciliation of a patient's active medication, problem and medication allergy list
  • Use a quality management system in the development, testing, implementation and maintenance of each capability that the EHR technology includes and for which certification is sought (ONC had adopted a general and flexible criterion that does not mandate any particular quality management system or process)
  • Create a set of export summaries for all patients in EHR technology containing certain demographic and clinical data specified in the certification criterion and formatted according to the 2014 Edition EHR Certification Criteria's content exchange standard
  • Create a report or file that enables a user to review the patients or actions that would make the patient or actions eligible to be included in the numerator of a percentage-based MU measure

Ambulatory Setting

The 2014 Edition EHR Certification Criteria include three new certification criteria applicable only to the ambulatory setting, which require the following EHR technical capabilities:

  • Create a set of export summaries for all patients in EHR technology containing certain demographic and clinical data specified in the certification criterion and formatted according to the 2014 Edition EHR Certification Criteria's content exchange standard
  • Record, change and access cancer case information (provided that this criterion is optional)
  • Create cancer case information for electronic transmission (provided that this criterion is optional)

Inpatient Setting

The 2014 Edition EHR Certification Criteria include three new certification criteria applicable only to the inpatient settings, which require the following EHR technical capabilities:

  • Verify that a patient to whom a medication is to be administered matches the medication to be administered, the medication matches the medication order, the dose matches the dose ordered, the route of medication delivery matches the order, and the time that the medication was ordered to be administered matches the current time
  • Create discharge prescriptions and prescription-related information for electronic transmission (consistent with the e-prescribing criterion for the ambulatory setting)
  • Create electronic laboratory test reports with lab test values and results to ambulatory providers

Revised Certification Criteria Improve Security of Electronic Information

The 2014 Edition EHR Certification Criteria include various revised versions of the 2011 Edition EHR Certification Criteria. In particular, the ONC revised the following criteria in an effort to enhance the security of electronic health information stored and processed by EHR technology.

Encryption

The 2011 Edition EHR Certification Criteria included a certification criterion and related standard that require EHR technology to encrypt and decrypt electronic health information in accordance with any encryption algorithm identified by the National Institute of Standards and Technology as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140–2, unless the Secretary of HHS determines that the use of such algorithm would pose a significant security risk for CEHRT.

The 2014 Edition EHR Certification Criteria revise the encryption criterion (but not the related encryption standard) to focus on the security of end-user devices. Under the revised criterion, EHR technology must either prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops, or it must encrypt the electronic health information stored on such devices after use of EHR technology on those devices stops. As under the 2011 Edition EHR Certification Criteria, the technology must comply with the related encryption standard by employing an encryption algorithm identified in Annex A of the FIPS Publication 140–2. EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.

Auditable Events, Tamper-Resistance and Audit Reports

The 2011 Edition EHR Certification Criteria (and related standards) require that EHR technology have the capability to record the date, time, patient identification and user identification when electronic health information is created, modified, accessed or deleted, and an indication of which action(s) occurred and by whom, and to generate an audit log for a specific time period and to sort entries in the audit log according to any of the foregoing recorded elements.

The 2014 Edition EHR Certification Criterion (consistent with the 2011 Edition EHR Certification Criterion for auditing system activity) requires EHR technology to record certain actions related to electronic health information and information about such actions. The 2014 Edition EHR Certification Criteria expand on this criterion to require the following additional audit controls, which the ONC believes can assist eligible providers to detect and investigate electronic information security breaches:

  • Record the audit log status (enabled or disabled) in accordance with related security standards included in the 2014 Edition EHR Certification Criteria unless it cannot be disabled by any user
  • Record the encryption status (enabled or disabled) of electronic health information locally stored on end-user devices by EHR technology unless the EHR technology prevents electronic health information from being locally stored on end-user devices
  • Enable EHR technology by default for the following audit capabilities: record the actions (e.g., creation, modification, access or deletion of electronic health information) and related information noted above; and, where applicable, record audit log status and record encryption status (enabled or disabled) of electronic health information locally stored on end-user devices by EHR technology
  • Restrict the ability to disable the audit capabilities of the preceding bullet point to a limited set of identified users
  • Ensure that the EHR technology does not allow the actions and the audit log and encryption statuses recorded using the audit capabilities to be changed, overwritten or deleted by the EHR technology
  • Enable a user to create an audit report for a specific time period and to sort entries in the audit log based on the recorded data elements

Accounting of Disclosures Criterion Remains Optional

The 2014 Edition EHR Certification Criteria leave unchanged the optional 2011 Edition EHR Certification Criterion for accounting (i.e., recording) disclosures made through the EHR technology for treatment, payment and health care operations. The continuation of the optional status of the criterion reflects that the HHS Office for Civil Rights (OCR) still has not finalized a revised accounting of disclosures standard to implement the expansion of the accounting for disclosures standard under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act provision requires health care providers, health plans and other HIPAA-covered entities to account for disclosures of protected health information made through an electronic health record for treatment, payment and health care operations purposes.

The ONC stated that it is waiting to consider the implications of a final, amended accounting of disclosures standard. For more information about the proposed accounting of disclosures standard, see McDermott's White Paper " OCR's Proposed Revisions to Accounting for Disclosures Standard Produces Strong Opposition from Many Covered Entities."

Conclusion and Next Steps

EHR vendors and eligible provider organizations should consider the following steps to respond to the 2014 Edition EHR Certification Rule and other changes included in the 2014 Edition EHR Certification Criteria:

  • EHR vendors should begin planning for the software development effort needed to upgrade EHR technology certified under the 2011 Edition EHR Certification Criteria, including implementation of an appropriate quality management system for the development, testing, implementation and maintenance of each capability of the EHR technology for which certification is sought (if one is not already in place). Vendors should adopt policies and procedures to document the quality management system.
  • An organization that has implemented CEHRT certified under the 2011 Edition EHR Certification Criteria should contact its EHR vendor to discuss timing for upgraded EHR technology meeting the 2014 Edition EHR Certification Criteria.
  • Eligible provider organizations should consider taking steps to prepare for compliance with the 2014 Edition EHR Certification Criteria.
  • Eligible provider organizations that have not adopted CEHRT, but want to earn incentives and avoid Medicare payment penalties, should select CEHRT and make implementation plans with an eye on the first payment adjustment year coming in FY 2015 for EHs and CAHs and CY 2015 for EPs.
  • Eligible provider organizations that already have implemented CEHRT under the 2011 Edition EHR Certification Criteria should determine when their EPs, EHs and CAHs must begin to meet the more demanding MU Stage 2 objectives and measures; contact the vendors of their EHR systems to discuss plans for addressing the 2014 Edition EHR Certification Criteria; and develop an implementation work plan that includes training for physicians and other affected personnel on the measure requirements.

While the need for immediate action may not seem pressing, health care organizations that are prepared to address the 2014 Edition EHR certification standards on a timely basis will assure their prospects of receiving the next round of EHR incentives payments and avoiding penalties. Both health care organizations and vendors that are prepared will maintain or establish a sustainable leadership position in the continually evolving health care industry.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.