Setting guidelines for electronic health records is a complex task

Building and applying the technology of the electronic health record (EHR) is a decidedly non-magical process far more complex and less instantaneous than just making the paper disappear into a wastebasket. Quality concerns about EHR systems must be addressed, which is why the Certification Commission for Healthcare Information Technology (CCHIT) exists. A voluntary, private-sector initiative based in Chicago, CCHIT was established in 2004 to foster the adoption of robust, interoperable health IT in the United States through product certification. In 2005, CCHIT received a three-year contract from the Department of Health and Human Services, making it the key entity to develop and evaluate criteria for the testing and certification of EHR systems in the United States.

"Certification can reduce the risks when providers purchase and implement electronic health record products, and we believe that one of the major barriers right now is this perceived risk," says Mark Leavitt, MD, PhD, and chairman of CCHIT.

Certification is designed to help stakeholders avoid having to independently evaluate whether various EHR systems would specifically qualify for incentives while assuring that the systems meet expectations in quality and safety.

Along with narrowing the field of products for providers, CCHIT certification eventually could save time and resources for all.

THE PROCESS

CCHIT's EHR certification is split into three phases. The first phase covers ambulatory EHRs; the second sets standards for inpatient EHRs; and the third phase will deal with the infrastructure within which EHR systems operate. Certification by CCHIT for ambulatory EHRs has begun, with the announcement of the initial batch of products scheduled at the end of this month or in early July with additional certified products announced at regular intervals. Certification for inpatient EHRs is slated for the first half of 2007, and certification for infrastructure is scheduled for the first half of 2008.

CCHIT certification is a voluntary process, and initial criteria were composed with current EHR products in mind.

"We didn't want to set it up and suddenly find that there were no products in the marketplace, and we were years away from having a product that could be certified," Dr. Leavitt says.

To receive certification, vendors pay a fixed fee to have their product evaluated through a four- to six-hour testing process of scenarios that consist of more than 250 steps. Vendor personnel run their product with a CCHIT proctor and three jurors witnessing via telephone and the Web, who follow step-by-step before independently voting on whether a product is compliant in terms of functionality and interoperability. Products must complete every step successfully to receive certification. Products that do not initially pass certain steps are permitted to retest those steps with a different panel, and an appeals process is also in place if the product fails upon retesting.

CCHIT also evaluates product security by looking at its documentation, known as "self-attestation," and during the demonstration itself by having a juror with an IT background determine whether log-ins and audit trails meet standards.

"You can spend hundreds of thousand of dollars testing security, but you have to pick some reasonable level that assures you that the product is secure and protects the privacy of information," Dr. Leavitt says. "We're trying to hit that sweet spot, and I think we have a reasonable balance."

CCHIT's work will also progress the murky areas of EHRs' privacy and their validity as medical legal records, but with almost no uniform regulations among the 50 states, certification will not be a cure-all. "Our first test [of EHR systems] will be a big step up from what there is now, which is almost nothing," Dr. Leavitt says.