Certification Guidance for EHR Technology Developers

Serving Health Care Providers Ineligible for

Medicare and Medicaid EHR Incentive Payments

I. Background

The Medicare and Medicaid EHR Incentive Programs, authorized by the Health Information

Technology for Economic and Clinical Health (HITECH) Act, have driven significant electronic health

record (EHR) adoption by health care providers eligible to receive incentive payments. Eligible

professionals and hospitals must demonstrate “meaningful use” of EHR technology that has been

certified under the ONC HIT Certification Program to qualify for the Medicare and Medicaid EHR

incentive payments. Despite this progress, many other types of health care providers equally important

to the care continuum are not eligible to receive EHR incentive payments under the HITECH Act (e.g.,

certain mental and behavioral health professionals, and certain professionals who practice in long-term

and post-acute care settings). These “ineligible” types of providers routinely interact with health care

providers who are eligible for EHR incentive payments and face policy and technology challenges

unique to their settings.

II. Purpose

This guidance is meant to serve as a building block for federal agencies and stakeholders to use as

they work with different communities to achieve interoperable electronic health information exchange.

It identifies the 2014 Edition EHR certification criteria from the ONC HIT Certification Program that

specifically focus on interoperability – to enable electronic health information to be both exchanged and

subsequently used by recipients. 1 While these certification criteria were specifically adopted to support

health care providers seeking to achieve meaningful use, we believe that they are generally applicable to

1
ONC follows the definition of “interoperability” provided by the Institute for Electrical and Electronics Engineering
Computer Dictionary which defines interoperability to mean: “the ability of two or more systems or components to exchange
information and to use the information that has been exchanged.” See IEEE Standard Computer Dictionary: A Compilation
of IEEE Standard Computer Glossaries (New York, NY: 1990).
many health care settings. In addition, the capabilities expressed by some of these certification criteria

could, if implemented by both eligible and ineligible types of providers, open critical communication

lines between eligible and ineligible health care providers in order to support broad health care goals,

such as care coordination and reduced hospital readmissions.

III. Interoperability-focused 2014 Edition EHR Certification Criteria

The following 2014 Edition EHR certification criteria address several use cases for which

interoperable health information exchange may be beneficial between eligible and ineligible health care

providers as well as between ineligible health care providers and knowledge resources, clinical

laboratories, and public health agencies. Health care providers eligible to receive incentive payments

under the Medicare and Medicaid EHR Incentive Programs will, depending on the stage of meaningful

use they seek to achieve, need to have EHR technology certified to these criteria. We encourage EHR

technology developers serving ineligible health care providers to also seek certification to these criteria.

Table 1. The three certification criteria listed in Table 1 specifically support interoperable summary

care record exchange – a fundamental capability necessary to enable care coordination across different

health care settings. To further emphasize the importance of summary care record exchange, ONC will

list EHR technology certified to all three of the certification criteria identified in Table 1 on the Certified

Health IT Product List (CHPL) 2 with an added designation to indicate the EHR technology’s ability to

support interoperable summary care record exchange.

2014 Edition EHR

Short Description 3
Certification Criterion
45 CFR §170.314(b)(1) These two certification criteria require EHR technology to be, at a minimum,
45 CFR §170.314(b)(2) capable of: A) electronically creating and receiving summary care records with a
common data set in accordance with the Consolidated Clinical Document
Transitions of Care Architecture (CCDA) standard; and B) electronically exchanging in accordance
with the Direct transport specification.
45 CFR §170.314(b)(4) Require EHR technology to allow a user to electronically reconcile the data that
Clinical Information represent a patient’s active medication, problem, and medication allergy list.
Reconciliation

2
The CHPL is located at http://oncchpl.force.com/ehrcert?q=chpl.
3
For more information about these certification criteria and the standards adopted and included within them, please visit:
http://www.healthit.gov/policy-researchers-implementers/meaningful-use-stage-2-0/standards-hub
Page 2 of 5
 Table 2. The following certification criteria represent other EHR capabilities that support different

types of interoperability functions.

2014 Edition EHR

Short Description 4
Certification Criterion
Provides the option for EHR technology to be certified to the HL7 Context-Aware
45 CFR §170.314(a)(8) Knowledge Retrieval Standard (“Infobutton”) standard to electronically retrieve
Clinical Decision Support linked-referential clinical decision support information from content/knowledge
resources.
45 CFR §170.314(a)(15)
Requires EHR technology to be able to use “Infobutton” standard to electronically
Patient-Specific
retrieve patient-specific education from content/knowledge resources.
Education Resources
Requires EHR technology to be capable of electronically creating prescriptions and
45 CFR §170.314(b)(3)
prescription-related information and electronically transmitting such information
E-Prescribing
using the NCPDP SCRIPT version 10.6; with medications represented in RxNorm.
Requires EHR technology designed for an ambulatory setting to be capable of
45 CFR §170.314(b)(5) electronically receiving, incorporating, and displaying clinical laboratory tests and
Incorporate Laboratory values/results in accordance with the HL7 Version 2.5.1 Implementation Guide:
Tests and Values/Results S&I Framework Lab Results Interface (LRI) and with laboratory tests represented
in LOINC®.
45 CFR §170.314(b)(6)
Requires EHR technology designed for an inpatient setting to be able to generate
Transmission of Electronic
laboratory test reports for electronic transmission to ambulatory provider’s EHR
Laboratory Tests and
systems in accordance with the HL7 Version 2.5.1 Implementation Guide: S&I
Values/Results to
Framework LRI and with laboratory tests represented in LOINC®.
Ambulatory Providers
45 CFR §170.314 (b)(7) Requires EHR technology to be able to electronically create a set of export
Data Portability summaries for all patients, formatted in accordance with the CCDA.
Requires EHR technology to be capable of capturing, exporting, importing,
45 CFR §170.314(c)(1)-(3)
calculating, and electronically submitting the information necessary for clinical
Clinical Quality Measures
quality measures.
Requires EHR technology to be capable of providing secure online access to health
45 CFR §170.314(e)(1)
information for patients and authorized representatives to electronically view,
View, Download, and
download their health information in accordance with the CCDA standard, and
Transmit to 3rd Party
transmit such information in accordance with the Direct transport specification.
45 CFR §170.314(e)(2) Requires EHR technology to enable a user to create a clinical summary in
Clinical Summaries accordance with the CCDA standard in order to provide it to a patient.
Requires EHR technology to be able to electronically generate immunization
45 CFR §170.314(f)(2)
information for electronic transmission using the HL7 2.5.1 Implementation Guide
Transmission to
for Immunization Messaging, Release 1.4, and using the HL7 Standard Code Set
Immunization Registries
CVX - Vaccines Administered vocabulary standard.
45 CFR §170.314(f)(3) Requires EHR technology to be able to electronically generate syndromic
Transmit Syndromic surveillance information for electronic transmission to public health agencies using
Surveillance to Public the HL7 2.5.1 standard and, for the inpatient setting, a specific implementation
Health Agencies guide.

4
For more information about these certification criteria and the standards adopted and included within them, please visit:
http://www.healthit.gov/policy-researchers-implementers/meaningful-use-stage-2-0/standards-hub
Page 3 of 5
 2014 Edition EHR
Short Description 4
Certification Criterion
Requires EHR technology to be capable of electronically generating reportable
45 CFR §170.314(f)(4)
laboratory test values and results information for electronic transmission to public
Transmit Lab Results to
health agencies using the HL7 Version 2.5.1 Implementation Guide for Electronic
Public Health Agencies
Laboratory Reporting to Public Health as well as SNOMED CT® and LOINC®.
Requires EHR technology to be able to electronically generate cancer case
45 CFR §170.314 (f)(6) information for electronic transmission using the HL7 Clinical Document
Optional -Transmit to Architecture, Release 2.0, Implementation Guide for Ambulatory Healthcare
Cancer Registries Provider Reporting to Central Cancer Registries and SNOMED CT® and
LOINC®.

IV. Privacy and Security-focused 2014 Edition EHR Certification Criteria

Table 3 below references the adopted privacy and security-focused 2014 Edition EHR

certification criteria. These certification criteria help assure that electronic health information is

protected when it is stored and transmitted as well as that only authorized personnel can access the

information. Many of these certification criteria are generally applicable to EHR technology developed

for any setting. Thus, we encourage EHR technology developers that serve ineligible health care

providers to seriously consider seeking certification to these certification criteria when doing so for the

interoperability-focused certification criteria referenced above in Tables 1 and 2.

Table 3.

2014 Edition EHR

Short Description
Certification Criterion
45 CFR §170.314(d)(1) Requires EHR technology to be capable of authenticating a user, authorizing them,
Authentication, Access and establishing their ability to access electronic health
Control, and Authorization
Requires EHR technology to be capable of:
• Recording user actions related to electronic health information in an audit
log in addition to when the audit log or the encryption status of electronic
health information locally stored on end user devices is disabled or
enabled.
45 CFR §170.314(d)(2) • Being set by default to record actions related to electronic health
Auditable Events and information in an audit log, and recording audit log status or encryption
Tamper-Resistance status.
• Only enabling specific users to disable an audit log, if possible.
• Protecting actions and statuses related to the recording of electronic health
information, audit log status, and encryption status from being changed,
overwritten, or deleted by the EHR technology.
• Detecting when the audit log has been altered.
Requires EHR technology to be capable of :
45 CFR §170.314(d)(3) • Enabling a user to generate an audit report for a specific time period, and
Audit Report(s) • Sort entries in the audit log according to the data elements specified in the
audit log content standard

Page 4 of 5
 2014 Edition EHR
Short Description
Certification Criterion
Requires EHR technology to be capable of enabling a user to capture a patient’s
45 CFR §170.314(d)(4)
(accepted or denied) request for an amendment to their electronic health
Amendments
information.
45 CFR §170.314(d)(5) Requires EHR technology to be capable of preventing a user from gaining further
Automatic Log-Off. access to an electronic session after a predetermined time of inactivity.
45 CFR §170.314(d)(6) Requires EHR technology to be able to permit an identified set of users to access
Emergency Access electronic health information during an emergency.
Requires EHR technology to be capable of encrypting electronic health
45 CFR §170.314(d)(7)
information (following security standards from the National Institute of Standards
End-User Device
and Technology) when it is designed to store such information on end-user devices
Encryption
after use on those devices stops.
45 CFR §170.314(d)(8) Requires EHR technology to be able to use secure hashing standards to verify that
Integrity electronic health information has not been altered.
Requires EHR technology to be able to record treatment, payment, and health care
45 CFR §170.314(d)(9)
operations disclosures. The date, time, patient identification, user identification,
Optional – Accounting of
and a description of the disclosure must be recorded for disclosures for treatment,
Disclosures
payment, and health care operations.

Page 5 of 5