New Certification Criteria for APMs…Is This the Right Approach?

CMS and ONC are considering tying the new Alternative Payment Models (APM) being designed per the MACRA legislation to prescriptive criteria for “use” of certified EHR technology, and considering development of new certification criteria specifically created for APMs. In doing so, do they risk going beyond congressional intent for the APM program and stifling innovation by imposing requirements on health IT beyond what is sought in the market, perhaps pursuing a strategy that may not be the best way to accomplish their end-goals – the rapid shift to value-based reimbursement and more integrated care? Read “Health IT, Value-Based Payment, and Innovation: Let’s Get it Right” by Mark Segal, PhD (EHRA Chair Emeritus and Vice President of Government and Industry Affairs for GE Healthcare IT) on the GE blog page.

Privacy and Security, and Building Patient Trust

Earlier this year, ONC published an updated “Guide to Privacy and Security of Electronic Health Information” to help healthcare providers and ambulatory practices understand existing federal law on protected health information (PHI).  It provides guidance on how providers can use certified electronic medical record technology (CEHRT) to provide secure communications with their patients and, via secure and interoperable health IT, share patient data with other care providers.

There is a great deal of practical information provided in this guide that helps explain who is and who is not a business associate (BA), per the HIPAA regulations.   It also provides clear guidance as to when it is permissible to disclose PHI, when patient authorizations are required, and how to provide patient access to their health information.  In addition, there is a useful section on general cybersecurity explaining the threat of cyber-attacks, the use of mobile devices, and email and texting among providers and their patients.

Possibly the most valuable section is Chapter 6, where ONC defines a seven-step approach for implementing a security management process. The guide helps explain how the security management process standard is a HIPAA requirement, and that the role of CEHRT and meaningful risk analysis is only one important component. In Chapter 7, the ONC guide discusses what constitutes a breach, when public notification is required, and what breaches are investigated by OCR. It also describes options to reduce the risk of unauthorized access or disclosures, such as data encryption, to avoid a reportable breach.

Why is this important to health IT companies, and particularly those that develop EHRs?  In a recent ONC data brief published in June 2015, it was found that 75% of individuals have concerns about the security of their medical records.  The data brief also shows that 76% of individuals want their provider to use an EHR, despite any potential privacy or security concerns.

We work with our customers every day to ensure that they achieve their objectives to improve the quality and efficiency of healthcare delivery for their patients and their organizations.  An essential component of the services we provide relates to privacy and security issues as providers employ health IT in pursuit of their organizational objectives.  We all must not only be well versed in these issues, but must also educate and advise our customers to ensure they understand the regulations and make the right decisions.  Check out the ONC guide and share it with your colleagues.  Your company and your customers will learn a lot!


William Kinsley, CISSP (Enterprise Architect, Ambulatory, NextGen)

EHRA Privacy & Security Workgroup Chair


Sayee Balaji Chandrasekaran (Application Security Engineer, Allscripts)

EHRA Privacy & Security Workgroup Vice Chair


Meaningful Use Stage 3 Is Here and We’re Ready to Respond

We recently saw the release of the 732 pages of the CMS Stage 3 Meaningful Use Proposed Rule and ONC’s Proposed Rule on 2015 Edition Certification. The EHRA Meaningful Use and Certification Workgroups have been gearing up to review and comment on these rules for a while so we have already started looking at the eight proposed objectives and 68 proposed certification criteria. The scope of what is proposed for certification in this NPRM goes beyond what is proposed to be part of the Meaningful Use program, so other EHRA workgroups are also focused on reviewing the material pertinent to their areas of expertise.  We’re committed to detailed review and developing EHRA’s responses for submission by the May 29th deadline.

Our work depends on the deep expertise of EHRA members and their users! We strongly encourage your involvement. You’ll have the opportunity to learn from the insights of industry experts in our educational calls, discussions, and consensus-based positioning. Participating in EHRA’s work will give you an advantage when working on your own company’s feedback. Also, you’ll be well positioned to engage your users in what the new proposals might mean for their practices and to encourage them to participate in the public comment process.

EHRA workgroups will evaluate whether the proposals focus on features that add value for EHR users, integrate well in clinical workflows, and promote our key priority goals of interoperability and coordinated quality measurement.

With our development expertise, we are also well positioned to assess whether there is sufficient time to develop, test, and implement new and revised functionality. As we have in the past, we’ll work with our members to estimate the time required to design, develop, test, and certify new features. And we’ll work with other industry partners and stakeholder organizations to learn from one another and identify opportunities for alignment.

We hope we’ve convinced you to join our efforts! Please contact EHRA’s program manager, Angie Gorden, if you want to get involved with or provide input to our workgroups’ efforts to shape the direction of MU Stage 3 and future EHR certification.

Sasha TerMaat (Epic), Chair, Meaningful Use Workgroup

Rick Reeves (CPSI), Chair, Certification Workgroup

Federal Health IT Policy: Where is it heading and why should you care?

(November 4, 2014)  Mark Segal, EHRA Chair (GE Healthcare IT), comments on future directions in federal health IT policy that are taking shape.  We are starting to see clear, reinforcing themes from Congress, the Administration, policy experts, and key stakeholders. See more at:

Is federal regulation of health IT going to ease up to allow for more innovation?

(July 14, 2014) Read EHRA Chair Mark Segal’s post on how he sees regulators responding to persistent requests from the private sector and a variety of stakeholder organizations (including EHRA) to design Stage 3 of the meaningful use incentive program to build on lessons learned from Stages 1 and 2, and focus on interoperability and alignment of quality measures and reporting across government programs.