New Certification Criteria for APMs…Is This the Right Approach?

CMS and ONC are considering tying the new Alternative Payment Models (APM) being designed per the MACRA legislation to prescriptive criteria for “use” of certified EHR technology, and considering development of new certification criteria specifically created for APMs.  In doing so, do they risk going beyond congressional intent for the APM program and stifling innovation by imposing requirements on health IT beyond what is sought in the market, perhaps pursuing a strategy that may not be the best way to accomplish their end-goals – the rapid shift to value-based reimbursement and more integrated care?  Read “Health IT, Value-Based Payment, and Innovation: Let’s Get it Right” by Mark Segal, PhD (EHRA Chair Emeritus and Vice President of Government and Industry Affairs for GE Healthcare IT) on the GE blog page.

When Health IT is Personal

Leigh Burchell, EHRA Chair and VP for Policy and Government Affairs for Allscripts, recently wrote about her own experience with health IT and how that has broadened her perspectives as both vendor and patient.  An excerpt:  “Recently…health IT has been personalized for me in an entirely different way, and I understand it from a new perspective. Thankfully, unlike many people who speak about the challenges they’re still encountering, my experience has largely been positive since becoming a breast cancer patient.”

Read the full post at




Privacy and Security, and Building Patient Trust

Earlier this year, ONC published an updated “Guide to Privacy and Security of Electronic Health Information” to help healthcare providers and ambulatory practices understand existing federal law on protected health information (PHI).  It provides guidance on how providers can use certified electronic medical record technology (CEHRT) to provide secure communications with their patients and, via secure and interoperable health IT, share patient data with other care providers.

There is a great deal of practical information provided in this guide that helps explain who is and who is not a business associate (BA), per the HIPAA regulations.   It also provides clear guidance as to when it is permissible to disclose PHI, when patient authorizations are required, and how to provide patient access to their health information.  In addition, there is a useful section on general cybersecurity explaining the threat of cyber-attacks, the use of mobile devices, and email and texting among providers and their patients.

Possibly the most valuable section is Chapter 6, where ONC defines a seven-step approach for implementing a security management process.  The guide helps explain how the security management process standard is a HIPAA requirement, and that the role of CEHRT and meaningful risk analysis is only one important component.  In Chapter 7, the ONC guide discusses what constitutes a breach, when public notification is required, and what breaches are investigated by OCR.  It also describes options, such as data encryption, that reduce the risk of unauthorized access or disclosure and so help avoid a reportable breach.

Why is this important to health IT companies, and particularly those that develop EHRs?  In a recent ONC data brief published in June 2015, it was found that 75% of individuals have concerns about the security of their medical records.  The data brief also shows that 76% of individuals want their provider to use an EHR, despite any potential privacy or security concerns.

We work with our customers every day to ensure that they achieve their objectives to improve the quality and efficiency of healthcare delivery for their patients and their organizations.  An essential component of the services we provide relates to privacy and security issues as providers employ health IT in pursuit of their organizational objectives.  We all must not only be well versed in these issues, but must also educate and advise our customers to ensure they understand the regulations and make the right decisions.  Check out the ONC guide and share it with your colleagues.  Your company and your customers will learn a lot!


William Kinsley, CISSP (Enterprise Architect, Ambulatory, NextGen)

EHRA Privacy & Security Workgroup Chair


Sayee Balaji Chandrasekaran (Application Security Engineer, Allscripts)

EHRA Privacy & Security Workgroup Vice Chair


Looking Back at 2014 and Forward to 2015

(January 2015)   As 2015 begins, the EHRA leadership has taken some time to put together what we see as the major achievements for our association in 2014, in the context of the challenges we and our customers have faced.

  • We’ve successfully continued our ongoing dialog with policymakers in the Administration (e.g. ONC and CMS) and on Capitol Hill to provide education and insights about the impacts and opportunities of the meaningful use (MU) program, the push for increased interoperability, and patient safety oversight concepts, along with a number of other timely and high priority issues.
  • We continued and increased our collaborative relationship with provider organizations – including the American Medical Association (AMA), the American College of Physicians (ACP), and the Medical Group Management Association (MGMA), among others – to align on usability and other EHR-related issues.
  • In 2014, our members continued to deploy certified software to meet updated MU and certification requirements on tight timelines to hundreds of thousands of providers across the US. This accomplishment is particularly notable given the complexity and uncertainty of many of these requirements, especially the uncertainty around electronic clinical quality measures (eCQMs) and related testing tools.
  • Finally, EHR developers, both EHRA members and non-members, have demonstrated their support by signing up for the EHR Developer Code of Conduct. The Code launched in June 2013 with its first adopters, and a total of 21 companies have now signed it.

Moving into 2015, we expect continued challenges and opportunities related to requirements for new payment and delivery models and the need to balance regulatory requirements with an increasing focus on usability and our customers’ demand for innovation. We look forward to these important opportunities and milestones in the coming year:

  • Our members will continue to work with customers to meet meaningful use requirements, including increased interoperability, which will also require EHR developers to work even more collaboratively with other EHR developers and health IT suppliers.
  • Advancing true interoperability and overcoming barriers such as challenges in patient matching will require ongoing focus. We will continue to work with ONC, CMS, and others to provide education regarding technology and business drivers, and to set realistic but sufficiently ambitious expectations to ensure that proposed standards are mature and timelines achievable.
  • As we await the imminent release of the MU Stage 3/“2017 edition” certification proposed rules, we anticipate a concentrated project to review them in detail. Our feedback will address the specifics of the proposed rules as published and also emphasize the need for a more focused approach to these programs, realistic timelines, and improved certification processes and eCQM deployment.
  • We will continue to engage in conversations with Congress and policy makers about potential health IT safety legislation, regulation, and potential oversight.
  • Our work with provider organizations and industry on usability will also continue, focused on efforts to develop actionable and high impact recommendations for health IT developers, their customers, and regulators.
  • We will continue to engage with policy efforts to shift provider payment to a more value-based focus, with an emphasis on the central role of EHR-based quality measurement.
  • Recognizing the increasing use of mobile, cloud, emerging standards like HL7 FHIR, and expansion of existing standards including HL7 CCDA and IHE profiles, we will educate our members as we provide them opportunities to engage with their peers through Association workgroup activities that relate to these initiatives.
  • Finally, as an association and as individual companies, we will respond to increased and evolving needs for effective consumer engagement mechanisms.

Along with these challenges for HIT developers in 2015, we also recognize the “perfect storm” for providers of meaningful use, ICD-10, and payment reform efforts, which will accelerate in 2015 and create additional opportunities for policy work and customer support. So, let’s also look forward to a new year, energized by what we’ve accomplished and with renewed enthusiasm for the good and important work ahead of us.

Mark Segal, PhD, EHRA Chair (GE Healthcare IT)

Sarah Corley, MD, EHRA Vice Chair (NextGen Healthcare)