InfoGard Laboratories Approved to Certify EHR: Third ONC-ATCB
Press Release issued on September 20, 2010, San Luis Obispo, California.
InfoGard Laboratories, the nation’s first accredited IT security testing laboratory, is approved by the Health and Human Services, Office of the National Coordinator for Health IT as an ONC-Authorized Testing and Certification Body (ONC-ATCB) for the certification of Complete EHRs and EHR Modules for both ambulatory and inpatient settings. Eligible professionals and hospitals may collect incentive payments through meaningful use of EHR technology capable of meeting the criteria to support meaningful use under the American Recovery and Reinvestment Act (ARRA).

“We are pleased to be among the first IT laboratories to be authorized by ONC to certify EHRs” said Maclynn Brinton, President of InfoGard Laboratories. “Subsequent to accreditation by NIST in 1995 as the nation’s first IT security testing laboratory, InfoGard has developed and participated in numerous government and private sector certification testing programs. We have successfully adapted our processes to support the ONC meaningful use EHR certification requirements for stage one and we will work with both ONC and NIST as requirements are developed for the stage two program. InfoGard will be the source of many healthcare IT compliance services, including HIT certification to current and future regulatory requirements.

Recent polls confirm that preventing healthcare breaches is the number one concern of health IT decision-makers (http://www.healthcareitnews.com/news/survey-data-breach-prevention-top-mind-it-decision-makers). In addition, surveys indicate that providers will not fully embrace e-prescriptions until applications can accommodate controlled substances. Both breach safe harbor and e-prescription of controlled substances require the implementation of NIST privacy and security standards. InfoGard is the only ATCB that is also NIST accredited to assist EHR vendors with achieving compliance with these NIST standards. 

About InfoGard Laboratories 
InfoGard has been instrumental in developing a number of government and private sector test and certification programs, including NIST’s Cryptographic Module Validation Program, programs for postage metering systems in five western countries, and two programs for the payment card industry. InfoGard is also an accredited Common Criteria laboratory. This experienced has provided InfoGard the ability to collaborate successfully with many different organizations in the development of testing and certification programs. InfoGard is independent, self-funded, and employee owned. We offer no hardware, software, or system products and we do not provide contract hardware or software design services.     

In the early 1990s, InfoGard’s founders collaborated with NIST on FIPS 140-1 using a worked example to develop testing requirements. Then, when the USPS was experiencing $350 million per year of postal meter fraud, InfoGard developed validation testing requirements for the first cryptographically secure postage meters. In the late 1990s, InfoGard collaborated with Visa to develop and implement the first testing program for PIN Entry Devices (point-of-sale terminals and ATMs). More recently, InfoGard collaborated with the Payment Card Industry Council (a corporation owned by VISA, MasterCard, American Express, Discover Card, and JCB) to develop and implement a certification process for approving vendors that scan merchant networks for security flaws. 

InfoGard’s consistent success with these programs demonstrates our ability to apply IT security knowledge, project management, and most importantly, collaborative skills. This has enriched our interactions with key constituencies and propagated successful new testing and certification programs.  
#              #                  #

ONC Regulations FAQs Related to Certification
Posted on ONC site on 9/22/2010.

Download all 20 Questions and Answers [PDF - 79 KB]

1. Question [9-10-001-1]: What certification criteria will ONC-ATCBs use to certify EHR technology for purposes of the “deeming” provision of the Physician Self-Referral Prohibition and Anti-Kickback Electronic Health Record (EHR) Exception and Safe Harbor Final Rules?

Answer:  Both the Physician Self-Referral Prohibition EHR Exception and the Anti-kickback EHR Safe Harbor regulations, at 42 CFR 411.357(w) and 42 CFR 1001.952(y), respectively, provide that software “is deemed to be interoperable if a certifying body recognized by the Secretary has certified the software within no more than 12 months prior to the date it is provided to the recipient.”  The “recognition” of certification bodies process referred to in these regulations, as discussed in the Temporary Certification Program Final Rule (the Final Rule) (75 FR 36185) has been superseded or folded into the ONC-ATCB and ONC-ACB “authorization” processes.  Consequently, the ONC-ATCB and ONC-ACB “authorization” processes will constitute the Secretary’s “recognition” of a certification body.  With that said, as further explained in the Final Rule, ONC-ATCBs are required to test and certify EHR technology to all applicable certification criteria adopted by the Secretary at 45 CFR part 170, subpart C.  We believe that the certification criteria adopted by the Secretary specify essential interoperability requirements and build the foundation for more advanced interoperability in the future.  Any questions regarding compliance with the exception or safe harbor should be directed to the Centers for Medicare & Medicaid Services (CMS) and the HHS Office of Inspector General (OIG), respectively.

2. Question [9-10-002-1]: If my EHR technology is capable of submitting batch files to an immunization registry using the adopted standards (HL7 2.3.1 or 2.5.1 and CVX), is that sufficient for demonstrating compliance with the certification criterion specified at 45 CFR 170.302(k)?

Answer: The certification criterion at 45 CFR 302(k) does not specify, and is not intended to specify, when submissions should be made or the periodicity of the submissions. Consequently, submitting batch files to an immunization registry, provided that they are formatted according to one or both of the adopted standards, is not prohibited by this certification criterion and would be acceptable.

3. Question [9-10-003-1]: In the “Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology” Final Rule published on July 28, 2010, the Secretary adopted the following implementation specifications at 45 CFR 170.205(d)(2) for HL7 2.5.1 – Public Health Information Network HL7 Version 2.5 Message Structure Specification for National Condition Reporting Final Version 1.0 and Errata and Clarifications National Notification Message Structural Specification. We believe that these implementation specifications may have been adopted in error because they only provide direction to public health agencies on how to report to the Centers for Disease Control and Prevention (CDC). Therefore, their adoption does not appear to either provide the appropriate or requisite implementation guidance for the adopted standard, HL7 2.5.1, or more importantly, to enable the user to “electronically record, modify, retrieve, and submit syndrome-based public health surveillance information…,” as required by the adopted certification criterion, 45 CFR 170.302(l). Please clarify whether these implementation specifications are appropriate for the intended capability specified by the public health surveillance certification criterion at 45 CFR 170.302(l)?

Answer: We have received numerous requests seeking clarification regarding these adopted implementation specifications. Based on additional discussions with various stakeholders, input from public health agencies, and the CDC, and after further review of the implementation specifications, we have determined that these implementation specifications were adopted in error. As questioners correctly point out, the implementation specifications are not appropriate for the intended capability specified by the adopted certification criterion. They provide guidance to public health agencies on the structure and methodology for using HL7 2.5.1 to report Nationally Notifiable Conditions to CDC and do not provide additional clarity for how EHR technology would need to be designed to implement the adopted standard or enable compliance with the capability identified in the certification criterion adopted at 45 CFR 170.302(l).

Accordingly, we anticipate issuing an interim final rule in the near future to remove the implementation specifications adopted at 45 CFR 170.205(d)(2). We also intend to issue compliance guidance to ONC-Authorized Testing and Certification Bodies to clarify how they may continue to test and certify EHR technology in accordance with the related certification criterion until publication of the interim final rule removing “Public Health Information Network HL7 Version 2.5 Message Structure Specification for National Condition Reporting Final Version 1.0 and Errata and Clarifications National Notification Message Structural Specification.”

4. Question [9-10-004-1]: I currently use EHR version 1.3 which I purchased from EHR technology developer XYZ. EHR technology developer XYZ has informed me that it is not going to seek certification for EHR version 1.3. Can I seek certification for EHR version 1.3 or can I partner with a group of other health care providers that also use version 1.3 to split the cost of certification? Additionally, if EHR version 1.3 becomes certified can anyone else using EHR version 1.3 rely on the certification issued to EHR version 1.3?

Answer: In response to your first question, yes, any individual health care provider, group of health care providers, other type of affiliation, or organization is permitted to seek to have EHR technology tested and certified. The Temporary Certification Program regulations do not specify who may ask an ONC-ATCB to test and certify EHR technology. However, we note that any party that seeks testing and certification for the EHR technology would typically assume the associated costs. We would also note that prior to presenting EHR technology for testing and certification, it may be prudent to conduct an analysis of the certification criteria with which, for example, EHR version 1.3 would be compliant (i.e., it may only be capable of meeting some, but not all, adopted certification criteria and could therefore only be certified as an EHR Module). Additionally, if the purchaser and EHR technology developer have entered into an agreement, the purchaser may want to review the terms and conditions of the agreement to see what, if any, restrictions have been placed on either of the parties in seeking certification of the EHR technology.

In response to the follow-up question, yes, regardless of who seeks (and/or incurs the costs) to have the EHR technology tested and certified by an ONC-ATCB, once the EHR technology is certified, the certification associated with that EHR technology is applicable to all identical copies (for example, all identical copies of EHR version 1.3). In addition, the ONC-ATCB would report to ONC that the particular EHR technology had been certified, and we would make this information available on our website through the Certified HIT Products List (CHPL).

5. Question [9-10-005-1]: I am an EHR technology developer. I have sought and achieved certification for the Complete EHR that I sell. The Complete EHR, however, is also designed to be sold in separate components so that I can offer my customers different prices based on the capabilities they seek to implement. Is it possible for me to sell components of my certified Complete EHR separately as certified EHR Modules, or do I need to seek testing and certification for each of the separate components that I plan to sell as certified EHR Modules?

Answer: Stand-alone, separate components of a certified Complete EHR do not derive their own separate certified status based solely on the fact that they were included as part of the Complete EHR when it was tested and certified. The separate component(s) would no longer meet the definition of a Complete EHR, nor would it have independently demonstrated that it can still properly perform capabilities for which certification is required in the absence of the capabilities with which it was previously certified as part of the Complete EHR. Additionally, the separate component(s) would not satisfy the requirements of 45 CFR 170.450(c) related to the privacy and security testing and certification of EHR Modules.

This concept is similar to our treatment of integrated bundles of EHR Modules. We clarified in the Temporary Certification Program final rule (75 FR 36191) that EHR Modules, once certified as part of a bundle, would not each separately inherit a certification just because they were certified as part of a bundle.

Therefore, EHR technology developers must have the separate components of a certified Complete EHR tested and certified as EHR Modules before the components may be sold separately as certified EHR Modules. Because ONC-ATCBs that are authorized to test and certify Complete EHRs are also, by default, authorized to test and certify all types of EHR Modules, such ONC-ATCBs are not precluded from issuing separate certifications for the separate components of a Complete EHR as EHR Modules at the same time the Complete EHR is presented for testing and certification, provided that the ONC-ATCB satisfies its responsibilities under 45 CFR 170.450 as well as other such responsibilities related to EHR Modules (e.g., 45 CFR 170.423 the Principles of Proper Conduct for ONC-ATCBs).

6. Question [9-10-006-1]: I submitted a Complete EHR for certification, but it has not passed a test for one or more of the certification criteria. Can I request that the ONC-ATCB certify the EHR technology that I submitted as an EHR Module instead (i.e., certify only those capabilities that have been tested successfully)?

Answer: Yes, an ONC-ATCB that is authorized to test and certify Complete EHRs has the discretion to change the type of certification it would issue based on an EHR technology developer’s request. Whether the ONC-ATCB would choose to honor a request for a change, as well as any costs associated with a change, would depend upon the arrangement between the EHR technology developer and the ONC-ATCB. Along those lines, if an ONC-ATCB permits a developer or presenter to request a different type of certification for the EHR technology it has submitted, the ONC-ATCB should be cognizant of other responsibilities it may need to satisfy for EHR Modules (e.g., 45 CFR 170.450).

7. Question [9-10-007-1]: My hospital purchased a certified EHR Module that provides approximately 75% of the capabilities we need to meet the definition of Certified EHR Technology. The other 25% are provided by our own self-developed system(s). Can we have our self-developed system tested and certified as an EHR Module and then subsequently use the combination of our self-developed certified EHR Module with the certified EHR Module we purchased to meet the definition of Certified EHR Technology? As a follow up, do we need to have the combination of the purchased certified EHR Module and our self-developed certified EHR Module tested and certified together as a Complete EHR (above and beyond the certifications they have already been issued)?

Answer:  Yes, you may seek testing and certification for only those systems that have not been certified as an EHR Module (in this case, the self-developed system), and no, you do not need to have the combination of certified EHR Modules certified again as a Complete EHR in order to meet the definition of Certified EHR Technology. In relation to this question, we reiterate paragraph two of the definition of Certified EHR Technology at 45 CFR 170.102. “Certified EHR Technology means: … (2) A combination of EHR Modules in which each constituent EHR Module of the combination has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary, and the resultant combination also meets the requirements included in the definition of a Qualified EHR.” As we discussed in the Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology” Final Rule (75 FR 44597), only proper combinations of EHR Modules would meet the definition of Certified EHR Technology. We encourage eligible health care providers who seek to implement certified EHR Modules to consider ahead of time the types of certified EHR Modules that may be needed to ensure that all applicable criteria will be met.

8. Question [9-10-008-1]: If an EHR Module addresses multiple certification criteria (thus providing multiple capabilities), does it need to be tested and certified to the applicable privacy and security certification criteria as a whole or for each capability?

Answer: EHR Module means any service, component, or combination thereof that meets at least one certification criterion adopted by the Secretary. An EHR Module could provide a single capability required by one certification criterion or it could provide all capabilities but one required by the certification criteria for a Complete EHR.  In other words, for example, we would call HIT tested and certified to one certification criterion an “EHR Module” and HIT tested and certified to nine certification criteria an “EHR Module,” where ten certification criteria are required for a Complete EHR.

If an EHR Module addresses multiple certification criteria the EHR Module as a whole would be tested and certified to all privacy and security certification criteria unless the EHR Module is presented for testing and certification, and the presenter can demonstrate and provide documentation to the ONC–ATCB that a privacy and security certification criterion is inapplicable or that it would be technically infeasible for the EHR Module to be tested and certified in accordance with such certification criterion (see 45 CFR 170.450(c)(2)).

9. Question [9-10-009-1]: I’m an EHR technology developer and I’ve had my Complete EHR certified. I work with business partners/distributors and permit them to sell my (unmodified) certified Complete EHR under their own brand/name/label. Is this business practice permitted? Is there anything that I should do or be aware of?

Answer: Yes, this business practice is permitted. However, the ONC-ATCB that certified your Complete EHR is required to ensure that you adhere to the terms and conditions of the certification it issues, including communication of the information specified at 45 CFR 170.423(k). Thus, if you permit business partners/distributors to re-brand or rename your certified Complete EHR and represent that it has been certified, the ONC-ATCB that issued the certification for your Complete EHR may require you (consistent with Section 14 of Guide 65) to ensure that your business partners/distributors adhere to the requirements of 170.423(k) that apply to you. We encourage you to make arrangements with your business partners/distributors to ensure that they appropriately convey the information specified at 170.423(k).

Additionally, an ONC-ATCB is responsible for reporting to ONC a current list of the EHR technology it has tested and certified. Only EHR technologies reported by ONC-ATCBs to ONC will appear on ONC’s “Certified HIT Products List (CHPL).” Therefore, if you are an EHR technology developer that expects to work with business partners/distributors that will re-brand or rename your certified Complete EHR and represent that it has been certified, we encourage you to work with your ONC-ATCB to identify (up front, if possible, or on an ongoing basis) the different names under which your certified Complete EHR may be distributed. Otherwise, those re-branded or renamed Complete EHR(s) will not appear on the CHPL.

An ONC-ATCB is permitted to report information to ONC related to re-branded or renamed Complete EHRs that it has certified. We anticipate that we would list the re-branded or renamed Complete EHR(s) on the CHPL using the same unique certification identification that is assigned to your certified Complete EHR.

10. Question [9-10-010-1]: My EHR technology is designed to receive demographic data from a registration system or a practice management system. The data from these other IT systems is then used by my EHR technology to demonstrate compliance with one or more certification criteria. Do these other IT systems that act as data sources to my EHR technology need to be certified?

Answer: No, other IT systems that act as data sources and are not intended to perform required capabilities in accordance with adopted certification criteria do not need to be certified simply because they supply data to a Complete EHR or EHR Module. Obviously, if the other IT systems have not been developed to, and cannot, perform required capabilities in accordance with adopted certification criteria then certification of those other IT systems would not be available.

For the purposes of certification, an EHR technology developer must be able to demonstrate to an ONC-ATCB that its Complete EHR or EHR Module can perform the capabilities specified by all applicable certification criteria. Thus, in circumstances where the Complete EHR or EHR Module is designed to be implemented in multiple ways, including the ability to receive data from a different IT system, the EHR technology developer would need to demonstrate during testing that regardless of the source from which the Complete EHR or EHR Module receives data, it is compliant with all applicable certification criteria for which testing and certification has been sought.

11. Question [9-10-011-1]: I’ve identified that I am using two different EHR technologies to meet a single certification criterion (my document management system receives and displays summary records (45 CFR 306(f)(1)) and my EHR technology from EHR technology developer XYZ transmits summary records (45 CFR 306(f)(2)). Do both EHR technologies need to be certified?

Answer: Yes, in order to possess EHR technology that meets the definition of Certified EHR Technology, both the document management system and the EHR technology from EHR technology developer XYZ together need to meet this certification criterion in its entirety. As a result, (assuming you are not implementing a certified Complete EHR) you could elect to seek testing and certification yourself for these two systems as an EHR Module or implement a certified EHR Module that meets this certification criterion in its entirety.

12. Question [9-10-012-1]: How many clinical quality measures must EHR technology be capable of calculating in order to get certified?

Answer: It depends on whether the EHR technology is designed to be used in an ambulatory setting or in an inpatient setting as we have adopted a specific certification criterion for each setting to correspond to the correlated meaningful use requirements for which eligible professionals and eligible hospitals and critical access hospitals must satisfy (45 CFR 170.304(j) and 45 CFR 170.306(i), respectively).

For EHR technology designed for an ambulatory setting, it must be tested and certified as being compliant with all 6 of the core (3 core and 3 alternate core) clinical quality measures specified by CMS for eligible professionals as well as at a minimum 3 of the additional clinical quality measures CMS has identified for eligible professionals.

For EHR technology designed for an inpatient setting, it must be tested and certified as being compliant with all of the clinical quality measures specified by CMS for eligible hospitals and critical access hospitals.

The HIT Standards and Certification Criteria final rule provides a more detailed discussion of this issue at 75 FR 44610. Additionally, eligible health care providers should be aware that ONC–Authorized Testing and Certification Bodies (ONC-ATCBs) are required to report to the National Coordinator (among other data) the clinical quality measures to which a Complete EHR or EHR Module has been tested and certified, and further, that the Complete EHR or EHR Module developer would need to make sure this information is available and communicated to prospective purchasers as part of the Complete EHR or EHR Module’s certification.

13. Question [9-10-013-1]: I plan on sending/transferring meaningful use quality reporting data from my EHR technology to my “data warehouse” and have the data warehouse submit/report out the data to CMS. Does my data warehouse need to be certified?

Answer: Yes, if you plan to use your data warehouse to submit calculated clinical quality measures to CMS or States for meaningful use, your data warehouse would need to be certified in order for you to meet the definition of Certified EHR Technology. This is so because your data warehouse would be performing a capability for which the Secretary has adopted a certification criterion (45 CFR 170.304(j) or 45 CFR 170.306(i)) and for which you as an eligible health care provider have a correlated meaningful use requirement to satisfy.

14. Question [9-10-014-1]: I’ve selected a certified Complete EHR [or certified EHR Module] from EHR technology developer XYZ. That being said, I prefer the certified CPOE EHR Module designed by EHR technology developer ABC over the CPOE capability included in EHR technology developer XYZ’s Complete EHR. Can I use the certified CPOE EHR Module from EHR technology developer ABC instead of the CPOE capability included in EHR technology developer XYZ’s certified Complete EHR? Alternatively, can I use both of the certified CPOE capabilities included in EHR technology developer XYZ and ABC’s EHR technologies at the same time? In other words, can I use duplicative or overlapping certified capabilities of different certified EHR technologies without jeopardizing my ability to meaningfully use Certified EHR Technology?

Answer:  Meeting the definition of Certified EHR Technology can be achieved in numerous ways; including using EHR technologies that perform duplicative or overlapping capabilities (if that is what an eligible health care provider chooses to do) so long as all of the applicable certification criteria adopted by the Secretary have been met and those EHR technologies are certified. Consequently, an eligible health care provider could use both certified capabilities (e.g., CPOE) at the same time in two different sections/departments of its organization. The eligible health care provider would however be responsible for reconciling the data between those two certified capabilities for purposes of reporting to CMS or the States.

Eligible health care providers who take such an approach should use ONC’s “Certified HIT Products List (CHPL)” webpage to generate a unique certification combination identification in order to accurately attest to CMS or the States the aggregate of certified EHR technologies used during the EHR reporting period.

15. Question [9-10-015-1]: I am an EHR technology developer preparing my EHR technology for certification. I am relying on a 3rd party software program to demonstrate my compliance with a specific certification criterion. Does this 3rd party software program need to be independently certified?Answer: No, the 3^rd party software program that your EHR technology relies upon does not need to be independently certified. In principle, when presenting your EHR technology to an ONC-ATCB you must be able to demonstrate that your EHR technology is in compliance with the certification criterion regardless of whether your EHR technology natively performs the specified capability or relies upon a 3^rd party software program. Thus, in practice, if you rely upon a 3^rd party software program to successfully demonstrate compliance with a certification criterion, the certification you are issued encompasses the 3^rd party software program.

In the context of relied upon software, we require ONC-ATCBs:

1. To include certain information about software that is relied upon when reporting your certification to the National Coordinator, which will result in your EHR technology’s entry on the Certified HIT Products List (45 CFR 170.423(h)(6)); and
2. To ensure that you convey this information on your website and in all marketing materials, communications statements, and other assertions related to your EHR technology’s certification (45 CFR 170.423(k)(1)(ii)).

16. Question [9-10-016-1]: I’m in the process of implementing EHR technology developer XYZ’s certified Complete EHR [or certified EHR Module] “E-HealthSystem2010.”

Scenario 1: I have determined that E-HealthSystem2010 needs to be reconfigured in order to connect with one of my patient registration systems. Can I reconfigure E-HealthSystem2010 without compromising the certified status of my implementation of E-HeatlhSystem2010?

Scenario 2: EHR technology developer XYZ communicated to my organization that they relied upon a 3rd party software program “PatientInfoTracker 2.0” for the purposes of demonstrating compliance with the “generate patient lists” certification criterion specified at 45 CFR 170.302(i) in achieving E-HeatlhSystem2010’s certification. I have already implemented, use, and would like to continue using “SuperListGenerator 7.0.” I have determined that I can reconfigure SuperListGenerator 7.0 to work with E-HeatlhSystem2010. Can I use SuperListGenerator 7.0 in lieu of PatientInfoTracker 2.0 without compromising the certified status of my implementation of E-HeatlhSystem2010?

Answer:  With respect to Scenario 1, yes, you can reconfigure your implementation of E-HealthSystem2010 without compromising its certified status, but you assume the risks associated with modifying a certified capability after it has been certified. You are also responsible for ensuring that these modifications do not adversely affect the performance of E-HealthSystem2010 and, as a result, your ability to demonstrate meaningful use. We encourage eligible providers to use caution when modifying certified Complete EHRs or EHR Modules.

With respect to Scenario 2, no, you cannot use a different 3^rd party program to perform a certified capability unless:

• EHR technology developer XYZ already has a separate certification for E-HealthSystem2010 that identifies SuperListGenerator 7.0 as a relied upon software program; or
• You seek certification for SuperListGenerator 7.0 as an EHR Module.

17. Question [9-10-017-1]: Under the Medicare and Medicaid EHR Incentive Programs Final Rule, eligible health care providers are permitted to defer certain meaningful use objectives and measures and still receive an EHR incentive payment. However, it is our understanding that in order for us to have our EHR technology certified, we must implement all of the applicable capabilities specified in the adopted certification criteria regardless of whether we intend to use all of those capabilities to qualify for our EHR incentive payment. Is our understanding correct?

Answer: Yes, this understanding is correct.  The flexibility offered as part of the Medicare and Medicaid EHR Incentive Programs Final Rule is not mirrored in the Initial Set of Standards, Implementation Specifications, and Certification Criteria Final Rule because we believe that it is important to accommodate eligible health care providers’ ability to achieve meaningful use. We recognize that in some circumstances an eligible health care provider may not know which meaningful use measures they will seek to defer until they begin implementation and in others an individual provider (even within a specialty) will want to choose different measures to defer based on their local situation and implementation experience. Thus, in order to possess EHR technology that meets the definition of Certified EHR Technology, it must be tested and certified by an ONC-ATCB to all applicable certification criteria adopted by the Secretary.

18. Question [9-10-018-1]: I use or would like to use an “interface” to submit data to a public health agency/registry. Does this interface need to be certified?

Answer:  It depends. We recognize that the term “interface” has several different meanings depending on the context in which it is used, the IT infrastructure of which it is a part, and the capability it performs. Consequently, depending on various factors, an interface may or may not need to be certified.

“NO”

• The answer to your question would be “no,” if the interface provided a user with the ability to directly enter data to the public health agency/registry. In that scenario, the interface would not be providing a capability for which the Secretary has adopted a certification criterion and that Certified EHR Technology must include.
• Similarly, if the interface would solely be serving as a conduit between your EHR technology and the public health agency/registry and providing the underlying communication protocol to transport data from point A to point B, it would not need to be certified. In this case, the interface would simply be providing the connection between you and the public health agency/registry and the means for the submission to occur. The interface would not be providing the capability specified in the certification criterion adopted by Secretary, which Certified EHR Technology must include.

“YES”

• If, however, the interface were to perform a capability specified in an adopted certification criterion and the interface was intended to satisfy a correlated meaningful use requirement, it would need to be certified. Why? Because you are required to use Certified EHR Technology to qualify for your respective EHR incentive program. As an example, if the interface was intended to provide the capability of electronically recording, modifying, retrieving and submitting immunization information in a standardized format (45 CFR 170.302(k)), it would need to be certified.

19. Question [9-10-019-1]: The “electronic copy of health information” certification criteria (45 CFR 170.304(f) and 45 CFR 170.306(d)) each require that Certified EHR Technology “enable a user to create an electronic copy of a patient’s clinical information… in: (1) Human readable format; and (2) On electronic media or through some other electronic means….” Is there more than one way to demonstrate compliance with these certification criteria?

Answer: Yes, as discussed in the Initial Set of Standards, Implementation Specifications, and Certification Criteria Final Rule, there is more than one way to demonstrate compliance with this certification criterion.  For this certification criterion, Certified EHR Technology must be capable of generating two outputs to produce an electronic copy (i.e., a copy in human readable format and a copy as a CCD or CCR).  If the Certified EHR Technology is capable of generating one copy that could meet both of these requirements, we would also consider that to be a compliant implementation of this capability.

20. Question [9-10-020-1]: The certification criterion at 45 CFR 170.302(n) specifies that “[f]or each meaningful use objective with a percentage-based measure, electronically record the numerator and denominator and generate a report including the numerator, denominator, and resulting percentage associated with each applicable meaningful use measure.” Is it possible for the action of “record” in the certification criterion to be implemented in different ways and still remain in compliance with the certification criterion? For example, could “record” comprise the ability of a centralized analytics EHR Module to accept or retrieve raw data from another EHR Module or EHR Modules, and upon receipt of this raw data, the centralized analytics EHR Module would calculate the numerator, denominator, and the resulting percentage as specified by 45 CFR 170.302(n)?

Answer: Yes, it is possible for the action of “record” in this certification criterion to be implemented in different ways. The example in this question appears to be one possible way to demonstrate compliance with this certification criterion. Other possible methods could include a Complete EHR that accepts or retrieves raw data, analyzes the data, and then generates a report based on the analysis; a Complete EHR that separately tracks each capability with a percentage-based meaningful use measure and later aggregates the numbers and generates a report; or an integrated bundle of EHR Modules in which each of the EHR Modules that is part of the bundle categorizes relevant data, identifies the numerator and denominator and calculates, when requested, the percentage associated with the applicable meaningful use measure. In each of these examples, the action of “record” means to obtain the information necessary to generate the relevant numerator and denominator.

Additional FAQs

• Standards and Certification Criteria Final Rule: Frequently Asked Questions
• Temporary Certification Program: Frequently Asked Questions