Home > EHR, meaningful use, Medicare > OIG Report on ONC HIT Certification Raises Questions… About OIG

OIG Report on ONC HIT Certification Raises Questions… About OIG

On August 4, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a report addressing the HHS Office of the National Coordinator for HIT’s (ONC) oversight of the testing and certification of EHR technology. The OIG’s two primary concerns, based on a review of the requirements and processes of the now-defunct Temporary Certification Program (replaced at the end of 2012 by the permanent “ONC HIT Certification Program”), were the lack of periodic review of certified products and insufficient log-in/security within certified products.

Interestingly, the report recommended that ONC work with the National Institute of Standards and Technology (NIST) to enhance the product log-in/security requirements via the test procedures for labs and certification bodies that review HIT products. This recommendation was peculiar, and perhaps a little alarming, in that the test procedures are mere guidance for how the responsible bodies should test products against ONC’s EHR certification criteria regulations. The NIST-developed (and future stakeholder-developed), ONC-approved test procedures are not, themselves, the regulatory requirements. ONC would not be able to use the test tools to implement more stringent security in certified products than what is required by ONC’s EHR certification criteria regulations in 45 CFR Part 170.

The OIG’s recommendation, then, indicates the authors do not fully understand the nuances of ONC’s regulations and processes governing the testing and certification of EHR technology—the very subject of their review. That could be a reflection of the confusing complexity of the program (and, for that matter, all things Meaningful Use), or something else (political pressure, etc.) could have resulted in this rare misfire from OIG.

ONC’s official response to the report described the differences between the old Temporary Certification Program, upon which the OIG report is based, and the current HIT Certification Program. It also mentioned the current program features various pre- and post-certification product evaluation processes. Importantly, ONC correctly recognized that enforcing more stringent log-in/security requirements for HIT products would require a rulemaking to revise the federal regulations before making those changes to the guidance for testing labs and certification bodies.

Categories: EHR, meaningful use, Medicare
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s