TO BE OR NOT TO BE... CERTIFIED?
That is the Question
November 2010
Now that the ONCHIT Certification process is in full swing and there are three
‘interim’ firms designated as Authorized Testing and Certification Bodies
(ATCB), a key question is, should a vendor get certified or not? This article will
attempt to answer that critical question.
First, I think we all can agree that if you sell a full EMR or EHR system to a health
provider certification is a must. If you do not get certified it is unlikely you will
install another new client, and worse, your current clients will start leaving in
droves. But what if you are a niche vendor? What if you sell a Best of Breed
(BoB) package such as a lab system, or a therapy or a dietary system? And
what about vendors that sell smart medical devices?
For these situations, according to a strict interpretation of the rules you do not
have to get certified, unless of course your clients and prospective clients
request that you do. And therein is the rub. ONCHIT is not telling vendors they
must get certified before they can sell systems (as does the FDA for blood bank
software). ONCHIT is going to let the market tell you.
The potential impact of the Meaningful Use bonus/penalties can add up to
millions of dollars over the next five years for a given health facility. The
responsibility for realizing bonuses and avoiding penalties will fall on the CIO (or
maybe COO) of the health facility. If the facility misses out on a bonus or gets hit
with a penalty, it is likely that the responsible executive’s job is on the line. Given
that real personal concern, it is fair to assume the CIO /COO will purchase only
certified systems, and de-install ones that are not.
Even in situations where a niche product does not directly deal with certification
criteria, a non-certified product could put a provider's meeting MU approval at
risk. In a recent discussion about certification by the HiTECH Policy Committee
it was explained that if you have a ONCHIT certified clinical data warehouse and
used it to generate quality and MU performance measures, if a non-certified
system access that warehouse, and/or places data into the warehouse, the
warehouse could be deemed non-certified. I call it “contamination through
association”.
Considering the vast amount of PHI and clinical data that moves daily to and
from interface engines while finding its way into, and passing through multiple
systems, you can see where a CIO/COO would not want to take a chance on a
non-certified product, Regardless of how insignificant the application may be to
the overall facility’s operation. This ‘contamination’ issue is not unique to
facilities that favor best of breed solutions. It cannot be avoided by purchasing
an EMR from a single vendor, since no single vendor covers the complete
waterfront for all applications needed by a provider.
In fact, many medical device vendors will be faced with the same challenge. For
example, if a device such as an IV pump, drug dispensing cabinet, or digital
imaging equipment are considered ‘smart’, that is, receive and communicate
patient information, and communicate the data over the core hospital
infrastructure, then if the device is not ONCHIT certified it could be deemed as a
potential ‘contaminator’, thereby rendering the entire EMR as non-compliant, not
eligible for MU. Remember if a provider fails just one criteria, then no bonus.
Unfortunately, or fortunately depending on your view, there now is a new
minimum cost of doing business in the health systems marketplace, ONCHIT
certification. The unfortunate outcome may be that this is a new barrier to entry
and will scare off new HIT start-ups while further embedding the current ones.
The second challenge for a niche IT vendor, or device manufacturer, is how to
navigate your way through the MU ‘module’ tests. There are over forty module
criteria today and additional ones promised for years two and three that will
increase the list by orders of magnitude. As a niche player your product(s) are
considered an ‘EMR Module’ and do not have to meet all test criteria. You must
submit to all of the eight privacy and security tests, and just one of the remaining
thirty-three, just nine total criteria.
But this may create a real competitive concern. What if you are a BoB and none
of the criteria apply to your application? From a regulatory standpoint you do not
need to go through certification. Yet, your arch competitor’s application touches
just one criteria and they use it, along with meeting the P&S criteria, to get
certified. Whose software will the CIO be most comfortable with?
On the surface you may think it best to try to meet as many criteria as you can,
but there are real risks and costs in doing that. Selecting which to pursue, and
which to pass on, must be both a strategic marketing and critical development
decision.
In summary, it’s hard to see how a niche player can avoid not diving into this
pool. The more important question is; how deep?
This article was recently featured on HISTalk
That is the Question
November 2010
Now that the ONCHIT Certification process is in full swing and there are three
‘interim’ firms designated as Authorized Testing and Certification Bodies
(ATCB), a key question is, should a vendor get certified or not? This article will
attempt to answer that critical question.
First, I think we all can agree that if you sell a full EMR or EHR system to a health
provider certification is a must. If you do not get certified it is unlikely you will
install another new client, and worse, your current clients will start leaving in
droves. But what if you are a niche vendor? What if you sell a Best of Breed
(BoB) package such as a lab system, or a therapy or a dietary system? And
what about vendors that sell smart medical devices?
For these situations, according to a strict interpretation of the rules you do not
have to get certified, unless of course your clients and prospective clients
request that you do. And therein is the rub. ONCHIT is not telling vendors they
must get certified before they can sell systems (as does the FDA for blood bank
software). ONCHIT is going to let the market tell you.
The potential impact of the Meaningful Use bonus/penalties can add up to
millions of dollars over the next five years for a given health facility. The
responsibility for realizing bonuses and avoiding penalties will fall on the CIO (or
maybe COO) of the health facility. If the facility misses out on a bonus or gets hit
with a penalty, it is likely that the responsible executive’s job is on the line. Given
that real personal concern, it is fair to assume the CIO /COO will purchase only
certified systems, and de-install ones that are not.
Even in situations where a niche product does not directly deal with certification
criteria, a non-certified product could put a provider's meeting MU approval at
risk. In a recent discussion about certification by the HiTECH Policy Committee
it was explained that if you have a ONCHIT certified clinical data warehouse and
used it to generate quality and MU performance measures, if a non-certified
system access that warehouse, and/or places data into the warehouse, the
warehouse could be deemed non-certified. I call it “contamination through
association”.
Considering the vast amount of PHI and clinical data that moves daily to and
from interface engines while finding its way into, and passing through multiple
systems, you can see where a CIO/COO would not want to take a chance on a
non-certified product, Regardless of how insignificant the application may be to
the overall facility’s operation. This ‘contamination’ issue is not unique to
facilities that favor best of breed solutions. It cannot be avoided by purchasing
an EMR from a single vendor, since no single vendor covers the complete
waterfront for all applications needed by a provider.
In fact, many medical device vendors will be faced with the same challenge. For
example, if a device such as an IV pump, drug dispensing cabinet, or digital
imaging equipment are considered ‘smart’, that is, receive and communicate
patient information, and communicate the data over the core hospital
infrastructure, then if the device is not ONCHIT certified it could be deemed as a
potential ‘contaminator’, thereby rendering the entire EMR as non-compliant, not
eligible for MU. Remember if a provider fails just one criteria, then no bonus.
Unfortunately, or fortunately depending on your view, there now is a new
minimum cost of doing business in the health systems marketplace, ONCHIT
certification. The unfortunate outcome may be that this is a new barrier to entry
and will scare off new HIT start-ups while further embedding the current ones.
The second challenge for a niche IT vendor, or device manufacturer, is how to
navigate your way through the MU ‘module’ tests. There are over forty module
criteria today and additional ones promised for years two and three that will
increase the list by orders of magnitude. As a niche player your product(s) are
considered an ‘EMR Module’ and do not have to meet all test criteria. You must
submit to all of the eight privacy and security tests, and just one of the remaining
thirty-three, just nine total criteria.
But this may create a real competitive concern. What if you are a BoB and none
of the criteria apply to your application? From a regulatory standpoint you do not
need to go through certification. Yet, your arch competitor’s application touches
just one criteria and they use it, along with meeting the P&S criteria, to get
certified. Whose software will the CIO be most comfortable with?
On the surface you may think it best to try to meet as many criteria as you can,
but there are real risks and costs in doing that. Selecting which to pursue, and
which to pass on, must be both a strategic marketing and critical development
decision.
In summary, it’s hard to see how a niche player can avoid not diving into this
pool. The more important question is; how deep?
This article was recently featured on HISTalk
Frank Poggio
The Kelzon Group
All rights reserved
The Kelzon Group
All rights reserved