The EHR vendors have not been sharing HOW their products are being certified. Currently, it is a black box. This is VERY frustrating, especially since hospitals and doctors are supposed to be using the EHRs as certified. Often there are many ways for an EHR to accomplish a testing objective. The current certification just produces a check box and a pretty certificate. How we deploy and use the product in a certified way is a mystery. My EHR vendors have not been forthcoming with this information (slippery is a term that comes to mind).
During a HIMSS meeting with an ONC official, it became apparent to me that ONC now realizes this is a problem. There was a discussion that the vendors should provide screen shots for each step to share this with their customers. ONC can compel them to do this, but I would like to see the vendors do this on their own.
For me, this is one more reason to take the self-certification route.
flpoggio says
Good point Will,
And it gets ‘more slippery’ as you look under the covers. As one who is working with many vendors through the ONCHIT certification process, in most cases the tester really doesn’t care about HOW you do it…just that you can do it. For example, some of the criteria were written for legacy systems, like integrity checks. To pass the integrity check you must show the hash key and changing hash totals. But more modern web-based products and SaaS products have no need for that. So to pass the test, the vendor pulls up some old shareware like 7Zip, shows it, and he passes. Thing is, he will never use it in his deployment, so if you ask him how…no answer. Furthermore, the account rep is the last guy who would know the answer to a how question.
Lastly you as a CIO will have to attest to these to meet MU regs. It’s sure not fair asking you to legally attest to something when you don’t know how it got there.
Frank Poggio
The Kelzon Group