[Federal Register Volume 71, Number 150 (Friday, August 4, 2006)]
[Notices]
[Pages 44295-44296]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-6690]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Notice of Availability: Secretarial Recognition of Certain 
Certification Commission for Healthcare Information Technology (CCHIT) 
Functionality, Interoperability, Security and Reliability Criteria for 
Ambulatory Electronic Health Records

AGENCY: Office of the Secretary, HHS.

    Authority: EO 13335 (``Incentives for the Use of Health 
Information Technology and Establishing the Position of the National 
Health Information Technology Coordinator'') and Pub. L. 109-149 
(``Departments of Labor, Health and Human Services, and Education, 
and Related Agencies Appropriations Act, 2006'').

SUMMARY: By this document we are informing the public of the 
Secretary's recognition of certain Certification Commission for 
Healthcare Information Technology (CCHIT) criteria for ambulatory EHR 
functionality, interoperability, security and reliability standards. 
This list of recognized criteria is available by clicking the 
applicable link at http://www.hhs.gov/healthit.
    The CCHIT was created in 2004 by an industry coalition of the 
American Health Information Management Association (AHIMA), the Health 
Information and Management Systems Society (HIMSS) and the National 
Alliance for Health Information Technology. CCHIT's mission is to 
accelerate the adoption of HIT by creating an efficient, credible and 
sustainable product certification program.
    During the three comment cycles that generated the ambulatory EHR 
criteria that the Secretary has recognized, CCHIT received over 1500 
comments from a wide range of stakeholders. Further outreach was 
achieved through the establishment of several large Town Hall 
presentations with attendances in the range of 500-1000 at Healthcare 
Information Management Systems Society (HIMSS) conferences as well as 
at more than thirty smaller presentations to a variety of associations, 
organizations and the press gatherings.
    CCHIT grouped its ambulatory EHR certification criteria 
recommendations into three groups, ``functionality,'' 
``interoperability'' and ``security/reliability.'' For ease of 
understanding, the Secretary broke the security and reliability 
recommendations into separate categories. Definitions of these 
categories, and an example that illuminates the various functions of 
each category are as follows:
    1. Functionality criteria identify minimum required and provisional 
product features for documenting and managing a typical patient 
encounter. For example, a physician needs to be able to access his/her 
patient's laboratory test results, so an example of a functional 
requirement is that an EHR would need to provide the capability of 
displaying laboratory test results.
    2. Interoperability criteria establish standards for how products 
interact with other products within and across care settings. For 
example, to ensure interoperability, the physician EHR noted above 
would need to be able to receive laboratory test results from another 
physician's (within care settings) as well as from laboratory systems 
(across care settings).
    3. Security and reliability criteria are designed to help the 
security inspector assess a product's ability to protect, manage and 
audit access to sensitive patient data. For clarity, we have broken 
these criteria into the two separate categories, security and 
reliability.
    a. Security \1\ addresses the appropriate access to data by 
appropriate parties and the protection of data from improper 
manipulation. For example, laboratory test results should be accessible 
to a

[[Page 44296]]

treating physician, but inaccessible to a clerical employee who does 
not need such access to accomplish their job. Security also involves 
ensuring that data have not been altered or tampered with.
---------------------------------------------------------------------------

    \1\ HHS notes that the requirements of the HIPAA Security Rule 
continue to be applicable.
---------------------------------------------------------------------------

    b. Reliability goes to the accessibility and consistency with which 
data is retrieved and displayed. For example, the physician should be 
able to easily and consistently access laboratory test results through 
some consistent display mechanism that can be counted on to be 
available whenever it is needed.
    At HHS' request, the CCHIT-recommended ambulatory EHR certification 
criteria were presented to the American Health Information Community 
(AHIC) on May 16, 2006. After consideration, the AHIC recommended that 
the Secretary recognize CCHIT identified ambulatory EHR certification 
criteria that CCHIT recommended for use in 2006. This recommendation 
informed the Secretary's decision to recognize these criteria.
    The Secretary also based his decision to recognize these criteria 
on the need for such criteria in the Departments recently published 
final rules for exceptions to the physician self-referral law and safe 
harbors to the Anti-kickback statute for electronic prescribing and EHR 
arrangements (RIN 0938-AN69 and 0991-AB36 respectively). These 
rules are premised on:
    1. HHS having recognized one or more EHR certifying bodies, and
    2. HHS having recognized criteria for the certification of EHRs.
    A separate notice of availability has been published in the Federal 
Register to notify the public about the availability of a certification 
Guidance Document that provides interim guidance on the recognition of 
certification bodies. This document is also available at http://www.hhs.gov/healthit. The CCHIT criteria that the Secretary has 
recognized serve to establish the initial EHR certification criteria 
that are referenced in the final physician self-referral law and Anti-
kickback statute rules.
    The Secretary also based his decision to recognize the CCHIT 
criteria on a belief that providers will be more willing to invest in 
health IT if there is a way of ensuring that the products would perform 
as advertised. Stories abound about providers making large investments 
in EHRs only to discover that they do not meet their functionality, 
interoperability security and/or reliability needs. Certification could 
respond to investment fears generated by stories about failed 
investments. A reduction of such fears could further the Department's 
goal of higher rates of sustained health IT adoption and 
interoperability.
    Finally, the Secretary's decision to recognize these criteria was 
informed by the fact that the criteria have been validated through 
prototype testing. Any criteria not fully validated by the Pilot Test 
(fewer than 10% fell in this category) were not considered for 
recognition.
    In light of the consensus basis, HHS reliance, industry impact and 
demonstrated utility of the CCHIT criteria for functionality, 
interoperability, security and reliability, the Secretary has 
recognized these criteria. He has delegated authority to ONC to 
coordinate and oversee the incorporation of these criteria in relevant 
activities among Federal agencies and other partner organizations, as 
appropriate.

FOR FURTHER INFORMATION CONTACT: John W. Loonsk, M.D. at (202) 205-
0242.

    Dated: August 1, 2006.
Karen Bell,
Acting Deputy National Coordinator for Health IT.
[FR Doc. 06-6690 Filed 8-1-06; 1:25 p.m.]
BILLING CODE 4150-24-P