Twenty things vendors need to know about ONC’s new
2015 (Stage 3) Certification Program  
...but were afraid to ask!

On March 23rd 2015, late on a Friday afternoon, ONC published two ‘Drafts’ of the proposed
revisions to the 2015 Test Criteria along with new ‘Stage 3’ provider MU attestation requirements.
Two separate large documents were published:

     1)  Electronic Health Record Incentive Program - Stage 3 – Draft Rule, (
300+ PDF)
     2)  2015 Edition Health Information Technology (Health IT) Certification Criteria,
          ONC Health IT Certification Program Modifications (
400+ PDF)

The first covers the proposed rules for MU Attestation for Providers under Stage 3, the second,
addresses proposed test criteria and requirements for vendors and revised operating rules for the
Accredited Certification Bodies (ACB).

Already there has been a great deal of discussion on the first MU requirements document since it
impacts all providers, while the second document is aimed at vendors/system developers and has
received little attention . I will focus now on the impact on vendors and system developers. Some of
my vendor clients have been calling and e-mailing me asking ’What’s changed for us?” others are
afraid to ask.  Suffice it to say there are some major additions and revisions to the test criteria and
process that will give system developers ‘heartburn’, or maybe a K51.914 (ICD10=ulcer) !

Before I dive into the document let’s remember that back in 2013 ONC disconnected the ‘MU Stages’
from the certification test versions. The concept that a vendor is Stage 2 or Stage 3 certified is
almost meaningless since a provider could MU attest to Stage 2 using either modified 2011 test
criteria, or the 2104 criteria. With the eventual issuance of these new 2015 criteria for a short period
providers can Stage 2 attest using a vendors 2014 certified product, or if available the vendors 2015
certified product.

All 2015 Test Criteria are now referred to as the 170.315 regulations. At this time these are just draft
proposals that will be formally published in the Federal Register on 3/30/2015. Then after a 90 day
comment period some revisions will be made, with the final regulations issued in the July-August time-
frame. Using the last two cycles of draft rules versus final issued regulations I predict that some 90%
of what is now proposed will be adopted into law. So fasten your seat belts, here we go.
Some highlights (or low-lights?) are:

    1) Privacy and Security (170.315 d1-d7) – there are some minor changes in several of these
    tests such as, access, time outs, integrity, device encryption and audit logs. But now under
    2105 testing they have become mandatory if a vendor wants to test out on other criteria, such
    as Demographics. The P&S tests were mandatory under 2011 (Stage1) then ONC made them
    optional for 2014, now they are back in the mandatory column. To paraphrase ONC, it’s all
    due to the never ending march of data breaches.

    An added requirement to P&S which is stated in the MU regs, but not in any specific test
    criteria, is vendors now must attest to having completed a HIPAA risk analysis of their product
    whenever they install new releases or updates. Here's why. In order for providers to be
    compliant with MU and HIPAA they will have to get an attestation from the vendor before they
    install any update, the provider MU regulations state on page 64: EPs, eligible hospitals, and
    CAHs must conduct the security risk analysis upon installation of CEHRT or upon upgrade to a
    new Edition of certified EHR Technology.    

    2) Demographics 170.315a4 – ONC wants coding for language and ethnicity to support all
    900 OMB codes, and all RFC 5646 ethnicity codes. But ONC acknowledges that a drop down
    list of 900 data elements might cause workflow problems so they have said a full drop down list
    is not required, you just need to show in a test you support all the codes and can tailor the list
    for each provider client.

    3) Vital Signs 170.315 a6 – all values must have LOINC codes. Data elements have been
    expanded and pediatric vitals have separate criteria.

    4) Advance Directive (170.315 a17) – now you have to electronically capture and track the
    AD. No more just check a box and who cares what file drawer it’s in.

    5) Medical Implants (170.315 a20) must now be tracked and reported.

    6) Social, Psychological and Behavioral data must now be captured and tracked using LOINC
    and Snomed coding. (170.315 a21)

    7) Clinical Decision Support tools must be linked to Knowledge Artifacts formatted in the HeD
    standard Release 1.2. (170.315 a22)

    8) New “decision support – service” (170.315 g6) certification criterion requires technology to
    electronically make an information request with patient data and receive in return electronic
    clinical guidance in accordance with an HeD 1.2 standard.

    9) New CDA standard (170.315 b1) - the C-CDA standard is now the single standard
    permitted for certification and the representation of summary care records. An updated
    version, HL7 Implementation Guide for CDA® Release 2: Consolidated CDA Templates for
    ClinicalNotes (US Realm), Draft Standard for Trial Use, Release 2.076 includes the following
    - Addition of new structural elements: new document sections and data entry templates: New
    Document Templates for: Care Plan; Referral Note; Transfer Summary.  New Sections for:
    Goals; Health Concerns; Health Status Evaluation/Outcomes; Mental Status; Nutrition;
    Physical Findings of Skin, etc.

    10)  CDA system performance (170.315 g23) – as part of the focus on interoperability ONC is
    requiring performance standards for data transfers of CCA/CCR. Data transmission of CDAs
    will be tested for volume and response times.

    11)  XDM packing of View/Download/ Transmit and CCR/CCD with incorporation of industry
    APIs using the IHE-IT infrastructure standard.

    12)  Data Portability has been broken out into Send /Receive as separate components
    (170.315 b6)

    13)  Care plans – (170.315 b9) ONC proposes to include the “assessment and plan of
    treatment,” “goals,” and “health concerns” in the “Common Clinical Data Set” for certification
    to the 2015 Edition. The “assessment and plan of treatment,” “goals,” and “health concerns”
    are intended to replace the concept of the “care plan field(s), including goals and instructions”
    which is part of the “Common MU Data Set” in the 2014 Edition.

    14)  CQM – (170.315 c1) has been expanded into separate segments: filters, create, import
    and calculate.

    15)  Quality Management System- (170.315g4-g5) now includes an ‘access-ability technical
    component’ in accordance with ADA. The QMS must be mapped to a federal guideline or
    industry standard. (No more home-grown QMS process/tools.)

    16)  Safety Enhanced Design – SED, (170.315g3) is expanded and requires specific and
    detailed usability test documentation. ONC recommends following NISTIR 7804176 “Technical
    Evaluation, Testing, and Validation of the Usability of Electronic Health Records” for human
    factors validation testing of the final product to be certified. They recommend a minimum of 15
    representative test participants for each category of anticipated clinical end users who
    conduct critical tasks where the user interface design could impact patient safety.

    17)  Authorized Testing Bodies (testing agencies) are now required to conduct surveillance
    (audits) on at least 5% of vendor installs (or max of 10) every year to verify that the certified
    system in fact meets each certified test criteria.

    18)  Attestation for Price transparency – ONC wants vendors to disclose on their web site and
    marketing materials, material system limitations, the vendor must also disclose any material
    add-on costs such as transaction fees to support interfaces/interoperability, etc. and supply
    any requesting entity a reasonably accurate cost estimate of total system costs. That's ANY
    requesting entity, not just prospects or for bid requests.

    19)  ONC wants monthly reports from the testing agencies on provider complaints and counts
    of vendor updates and modifications. If the number of updates/modifications exceed a set
    number ACB is to call vendor back in for re-testing.

    20)  ONC predicts the rules and test criteria will be finalized by mid-summer and vendors will
    work ‘aggressively’ in 2016-17 to modify products and meet the target date of 2018 to support
    Stage 3 provider attestations, which will require a full year of calendar data from providers.  

ONC estimates that all vendors together will have to invest approximately $300 to $400 million to
effect all these changes. They calculate there are 81 unique vendors with certified products, hence
an average cost of $4-5 million each, which does not include the time and cost to go through the test

ONC states they will continue with the ‘Gap’ test process meaning if you passed a test criteria under
2014 and there were no (or minimal) changes for the 2015 criteria, you get a ‘buy’. Given the
preceding, my advice is if you’re a vendor that is not yet 2014 certified you really want to get it done
sooner rather than later. My experience tells me that being 2014 certified for as many criteria as you
can before the 2015 criteria are cast in stone will be a better place to be.

Lastly, ONC states that the 2105 Test Criteria and Stage 3 Provider MU Attestation rules will be the
last Stage for MU, but that the rules and test requirements will continue to be revised /expanded as
ONC deems necessary. I guess we can next expect Stage 3.1, along with revised test criteria 2015
dot 1,dot 2…can anyone see a light at the end of this tunnel?

Frank Poggio
The Kelzon Group
Copyright 2015
All rights Reserved
Contact TKG to learn how we can
help you
get your Product Certified