ONC eases EHR certification attestation requirements

September 29, 2017
Medicare Web

The Office of the National Coordinator of Health IT (ONC) is rolling back EHR certification attestation requirements. The change is designed to ease administrative burden on developers and achieve savings that will be passed down to providers, the agency said in a September 21 blog post.

Vendors will be able to self-attest to meeting 30 out of 55 certification criteria. Previously, vendors had to test their products with an ONC authorized testing laboratory (ONC-ATL). Testing generally consisted of a visual demonstration or submitting documentation for the required functionality.

The ONC is also relaxing enforcement of randomized surveillance of certified health IT products. Randomized surveillance is conducted by ONC authorized certification bodies (ONC-ACBs). The ONC-ACBs were previously required to survey a minimum of 2% of the health IT certifications they issue. The ONC will not audit ONC-ACBs for compliance with the randomized surveillance requirements and will not enforce those requirements. The agency also will not consider failure to implement the surveillance requirement a violation of an ONC-ACB’s compliance or good standing.

Although the ONC is loosening its standards, it will still act on non-conformity complaints, according to the agency’s blog post.

It is difficult to determine the downstream impact of the agency’s EHR certification changes, but relaxing federal oversight could cause organizations to encounter problems that might otherwise have been caught at the attestation stage, says Chris Apgar, CISSP, president of Apgar and Associates in Portland, Oregon. Products with functionality bumps or poor security could hit the market at a time when reimbursement is being tied more closely to reporting measures and organizations are facing a barrage of sophisticated cyberattacks.

“I think the decision will make EHRs less secure and potentially result in measurements used by clinicians to demonstrate they have addressed required measures inaccurate,” Apgar says. “It amounts to telling the vendors that if they state, ‘It’s in there,’ that’s OK. The vendors don’t have to prove the functionality is there and working correctly.”
