TO BE OR NOT TO BE... CERTIFIED?
That is the Question
Now that the ONCHIT Certification process is in full swing and there are three ‘interim’
firms designated as Authorized Testing and Certification Bodies (ATCB), and over 100
products and about 70 firms have been approved, the key question is should you as a
vendor or in house system developer get certified or not? This document will attempt to
answer that critical question.
First, I think we all can agree that if you sell a full EMR or EHR system to a health
provider certification is a must. If you do not get certified it is unlikely you will install
another new client, and worse, your current clients will start leaving in droves. But what
if you are a niche vendor? What if you sell a Best of Breed (BoB) package such as a
lab system, or a therapy or a dietary system? And what about vendors that sell smart
For these situations, according to a strict interpretation of the rules you do not have to
get certified, unless of course your clients and prospective clients request that you do.
And therein is the rub. ONCHIT is not telling vendors they must get certified before they
can sell systems (as does the FDA for blood bank software). ONCHIT is going to let the
market tell you.
The potential impact of the Meaningful Use bonus/penalties can add up to millions of
dollars over the next five years for a given health facility. The responsibility for realizing
bonuses and avoiding penalties will fall on the CIO (or maybe COO) of the health
facility. If the facility misses out on a bonus or gets hit with a penalty, it is likely that the
responsible executive’s job is on the line. Given that real personal concern, it is fair to
assume the CIO /COO will purchase only certified systems, and de-install ones that are
Even in situations where a niche product does not directly deal with certification
‘modules’ it could put meeting MU approval at risk. In a recent discussion about
certification by the HiTECH Policy Committee it was explained that if you have a
ONCHIT certified clinical data warehouse and use it to generate quality and MU
performance measures, if a non-certified system accesses the warehouse, and/or
places data into the warehouse, the warehouse could be deemed non-certified. I call it
“contamination through association”.
Considering the vast amount of PHI and clinical data that moves daily to and from
interface engines while finding its way into, and passing through multiple systems, you
can see where a CIO/COO would not want to take a chance on a non-certified product,
Regardless of how insignificant the application may be to the overall facility’s operation.
This ‘contamination’ issue is not unique to facilities that favor best of breed solutions. It
cannot be avoided by purchasing an EMR from a single vendor, since no single vendor
covers the complete waterfront for all applications needed by a provider.
In fact, many medical device vendors will be faced with the same challenge. For
example, if a device such as an IV pump, drug dispensing cabinet, or digital imaging
equipment are considered ‘smart’, that is, receive and communicate patient information,
and communicate the data over the core hospital infrastructure, then if the device is not
ONCHIT certified it could be deemed as a potential ‘contaminator’, thereby rendering
the entire EMR as non-compliant, not eligible for MU. Remember fail just one criteria
and no bonus.
Unfortunately, or fortunately depending on your view, there is a now a new minimum
cost of doing business in the health systems marketplace, ONCHIT certification. The
unfortunate outcome may be that this is a new barrier to entry and will scare off new HIT
start-ups while further embedding the current ones.
The second challenge for a niche IT vendor, or device manufacturer, is how to navigate
your way through the MU ‘module’ tests. There are forty-four certification criteria today
and additional ones promised for years two and three that will increase the list by
orders of magnitude. As a niche player your product(s) are considered an ‘EMR
Module’ and do not have to meet all test criteria. You are required to meet eight privacy
and security tests, and just one of the remaining thirty-five.
But this may create a real competitive concern. What if you are a BoB or have a smart
medical device and none of the thirty-five criteria apply to your application? From a
regulatory standpoint you do not need to go through certification. Yet, your arch
competitor’s application touches just one module criteria and they submit on that one
along with the eight P&S criteria, and get certified. Whose product or software will the
CIO be most comfortable with?
On the surface you may think it best to try to meet as many criteria as you can, but
there are real risks and costs in doing that. Selecting which to pursue, and which to
pass on, must be both a strategic marketing and critical development decision.
In summary, it’s hard to see how a niche player can avoid not diving into this pool. The
more important question is; how deep?
This article was recently featured on HISTalk