Industry Groups Urge ONC to Reorient Goals of EHR Reporting Program, Focus on Health IT Safety, Security

Many healthcare industry groups would like to see the Electronic Health Record (EHR) Reporting Program for health IT developers include a strong focus on patient safety-related usability, EHR training, transparency on EHR vendors’ cybersecurity practices as well as cost transparency.

This feedback came in response to a request for information (RFI) issued by the Office of the National Coordinator for Health IT (ONC) in late August seeking public input on reporting criteria under the EHR Reporting Program for health IT developers, as required by the 21^st Century Cures Act. The public comment period ended Oct. 17.

ONC issued the RFI on criteria to measure the performance of certified electronic health record technology (CEHRT). The Cures Act requires that health IT developers report information on certified health IT as a condition of certification and maintenance of certification under the ONC Health IT Certification Program.

According to the Cures Act, the EHR Reporting Program should examine several different functions of EHRs and reporting criteria should address the following five categories: security; interoperability; usability and user-centered design; conformance to certification testing; and other categories, as appropriate to measure the performance of certified EHR technology.

In its comments to ONC, the Bethesda, Md.-based American Medical Informatics Association (AMIA) questioned what it views as the “constrained scope” of the EHR Reporting Program to “provide publicly available, comparative information on certified health IT,” to “inform acquisition upgrade, and customization decisions that best support end users’ needs.”

Rather, AMIA urged ONC to develop the EHR Reporting Program to measure performance to improve CEHRT security, interoperability, and usability, and not be used simply to provide data for “acquisition decision makers.”

“Especially when viewed alongside the additional provisions in newly developed CEHRT Conditions of Certification, the EHR Reporting Program should be leveraged to bring transparency to how CEHRT performs in production environments with live patient data,” AMIA stated.

“ONC should develop an EHR Reporting Program that more closely approximates a post-implementation surveillance ecosystem, not a government-sponsored ‘consumer reports’,” AMIA wrote in its comments.

Such an ecosystem, AMIA stated, would “illuminate CEHRT performance used in production and would generate product performance data automatically, without users having to submit reporting criteria.”

As proof of concept, AMIA pointed to ONC’s existing nascent surveillance and oversight program for CEHRT that could be leveraged for the EHR Reporting Program. The group also referenced the Food and Drug Administration’s (FDA) Digital Health Software Precertification Program as another example of a federal program that looks to utilize real-world production data.

In addition, AMIA recommends ONC develop interoperability reporting criteria for the EHR Reporting Program by building on previous RFIs meant to “measure interoperability,” including the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and ONC’s “Proposed Interoperability Standards Measurement Framework.”

And, the industry group also urged ONC to prioritize an additional measure that demonstrates a capability to provide patients with “a complete copy of their health information from an electronic record in a computable form.” “This focus would align with top-level HHS priorities to improve patient access to their data,” AMIA noted.

AMIA also recommends alignment between the EHR Reporting Program and other aspects of the Cures-mandated Conditions of Certification.

“The EHR Reporting Program is one more vital piece in improving both EHR performance and care quality,” AMIA president and CEO Douglas B. Fridsma, M.D., Ph.D., said in a statement. “We have a tremendous opportunity to leverage Cures provisions if we hone our focus on EHR performance in the real world.”

In its comments, the College of Healthcare Information Management Executives (CHIME) advises ONC against establishing any complex rating methodologies for scoring vendors. ONC should also consider establishing benchmarks by which to monitor interoperability progress among vendors, CHIME wrote. The organization noted that patients need better education on the risks of using application programming interfaces (APIs), and ONC should partner with their federal partners and stakeholders on this issue, CHIME said.

Many organizations, including CHIME, would like more information about vendors' ongoing support practices, such as the estimated costs of maintenance and software. The Medical Group Management Association (MGMA) recommended making software pricing structures for upfront and ongoing software, training and maintenance costs part of the Reporting Program, as well as all interoperability “connection” fees. MGMA also urged ONC to consider incorporating into the Reporting Program testing criteria that focused on the effectiveness of the EHR’s integration with practice management system software, and costs associated with it.

The American Health Information Management Association (AHIMA) recommended that comparative information made publicly available under the EHR Reporting Program should also contain reporting criteria that reflects the entire lifecycle of the certified health IT product, including acquisition, implementation, ongoing maintenance, upgrades, additional product and/or application integration, and replacement.

Focus on Patient Safety-Related Usability and EHR Training

In its comments, AMIA also urged ONC to view health IT safety as a measurable byproduct of usable CEHRT deployed in live environments. “To understand CEHRT usability performance in situ, ONC should supplement user-reported measures with measure concepts that reflect the safety of health IT,” AMIA wrote.

MGMA recommended that the Reporting Program report on the ability of the software to identify and address patient safety issues. “Poor usability and inefficient clinician workflow can not only fail to prevent adverse events but can actually contribute to them,” the organization wrote.

In comments it submitted to ONC, Pew Charitable Trusts noted that the establishment of the EHR Reporting Program “has the potential to give health care providers, EHR developers, and other organizations better data to address barriers in the effective, efficient, and safe use of health information technology, and improve systems accordingly.”

“In particular, this program could unearth key details on how clinicians utilize EHRs to meet ONC’s goal of reducing clinician burden while improving patient safety. ONC should ensure that the reporting criteria focused on usability—which refers to the design of systems and how they are used by clinicians—also incorporate safety-related provisions,” Pew wrote in its letter.

Pew recommended reporting criteria focus primarily on testing EHR usability to promote patient safety. To this end, Pew identified four principles to guide usability-related reporting criteria—the adoption of a life-cycle approach to developing usability-related criteria; incorporating quantitative, measurable data; limiting burden on end-users; and ensuring transparent methods that prevent gamesmanship.

Pew also provided ideas for existing sources of information that could be adapted into or utilized as safety-related usability reporting criteria, such as the Leapfrog CPOE tool, safety surveillance data from ONC, the ONC SAFER Guides or a 2016 health IT safety measure report from NQF.

“As ONC implements this program, the agency should ensure that the usability aspects of the program focus on the facets of EHR usability that can contribute to unintended patient harm. To achieve that goal, ONC should consider the aforementioned principles in identifying reporting criteria, and data sources that could become part of the program,” Pew wrote in its comments.

Orem, Utah-based KLAS Research and the Arch Collaborative recommended the EHR Reporting Program include criteria focused on EHR training, as better clinician training is critical to EHR usability and clinician satisfaction, the two groups said. The Arch Collaborative is a KLAS-affiliated initiative with more than 130 provider members.

The KLAS-Arch comment cited research findings based on responses by more than 50,000 physicians from more than 100 provider organizations around the globe that suggests EHR satisfaction and usability are directly related to the extent and quality of training users have received. The research indicates that organizations that focus on training to support clinician workflows have higher EHR satisfaction than those that don’t. What’s more, the higher the levels of personalization tool use by the clinicians, the higher the EHR satisfaction score, according to KLAS.

“EHRs are not simple enough to be operated efficiently without ample instruction. It is essential that new providers spend enough time learning how to use the EHR, and it is requisite that providers have the option to participate in ongoing training each year,” Taylor Davis, vice president of innovation at KLAS Research, wrote in the letter. “When an EHR training program is well designed, there will be a demand to attend. A trend that has been noted is that success begets success; when providers share how EHR training has improved their efficiency, their peers become more likely to participate. The key is that the providers must have the option to choose what works for them.”

Need for Greater Focus on Security Posture

The Healthcare and Public Health Sector Coordinating Council's cybersecurity working group highlighted, in its comments on the RFI, the need for more transparency on EHR vendors' cybersecurity posture as part of the criteria of the EHR Reporting Program.

“The challenges to our sector are abundant and we believe these attacks pose direct threats to patient safety,” the group wrote in its comments. The group urged ONC to factor into the EHR Reporting Program the growing incidences of cybersecurity attacks on the sector and the need to work collaboratively to address the threats.

The group outlined a number of items that would better inform providers of a vendors’ security practices, such as access to an auditor’s statement regarding the security posture of the vendor and its products, upon provider request, as well as a software security analysis, whether two-factor authentication is in use, information on role-based access controls and how roles are configured, and, with each release and update, the number of patches provided to address security-related issues.

The group also recommended ONC consider developing a more standard way for vendors to report vulnerabilities with health IT upgrades and releases.