Consumer Empowerment Workgroup: February 2007 Meeting Materials

CCHIT Testimony on PHR Standards and Certification

Alisa Ray, Executive Director, CCHIT

Presented before the AHIC Consumer Empowerment Workgroup

February 16, 2007

CCHIT is pleased to offer the following responses to questions raised by the AHIC Consumer Empowerment Workgroup regarding potential benefits and concerns about certification of Personal Health Records (PHRs):

1. Does CCHIT have the appropriate charter and expertise to certify PHRs?

CCHIT has undergone a significant transition in the past few months to become a fully independent, nonprofit 501(c)3 IRS determination is pending at this time organization with a public mission to accelerate the adoption of robust, interoperable health IT. As such, CCHIT’s charter is not restricted to EHRs or provider-facing applications. Health consumers are currently one of several stakeholder groups represented on the Commission. However, if CCHIT were to begin addressing the PHR space, it would first ensure there was adequate representation of health consumers on the Commission and relevant workgroups.

As evidence of CCHIT’s expertise and credibility in certifying health IT applications, we offer the following facts. CCHIT has been formally recognized by HHS as a certification body. In the first 9 months since launch of ambulatory certification, 55 products have been certified all on a voluntary basis. Acceptance by health IT end-users in this case, office-based physicians is attested to by endorsement from professional organizations including the AAFP, AAP, ACP, AEP, MGMA and others. Payers are also starting to embrace certification of EHRs as a prerequisite for their IT incentive grant programs.

2. What is the appropriate timing of certification, given the need to have standards available first?

Based on CCHIT’s experience in two domains (ambulatory and hospital EHRs), the process of developing certification criteria and launching a certification process for a new domain takes 18 24 months. Of course, standards must be available against which to certify compliance, and vendors require development time to implement those standards. To ensure an orderly progression, the Commission has a policy of allowing 12 months after the specification of a standard before requiring product compliance. With the recent ballot approval of the Continuity of Care Document (CCD), the likely foundational standard for EHR-to-PHR data exchange has already emerged. Standards availability should no longer be considered an impediment to getting started on any realistic timeline of certification development.

3. Given the immature state of the PHR market, would certification create barriers to entry and dampen innovation?

The Markle Foundation’s survey of consumer attitudes toward PHRs, published December 7, 2006, indicated that the major barrier to PHR adoption was consumer concerns about identity theft, fraud, and misuse of personal data. Certification of PHRs for privacy and security could help overcome this barrier. We believe the positive effects of accelerating adoption by consumers would far outweigh any hypothetical “innovation dampening” effect on PHR vendors, especially if certification focuses first on security and interoperability rather than functionality.

4. Would the cost of certification create a barrier to entry for early-stage PHR creators?

This concern is understandable, if one were to assume that CCHIT’s business model for provider EHR certification would be applied unchanged to the PHR space. Given the very early stage of the PHR marketplace, CCHIT believes a different funding structure is required, at least initially. CCHIT would likely seek grants from some combination of public and private sector organizations to fund both criteria development and performance of inspections for PHRs, rather than relying on fees paid by PHR developers.

CCHIT has surveyed key characteristics of its certified EHR vendors. They are highly diverse, with annual EHR revenues differing by more than a 100:1 ratio, with market shares ranging from over 10% to less that 0.1%. There is no evidence that health IT certification as delivered by CCHIT favors larger companies; on the contrary, certification is creating a level playing field on which a wide diversity of vendors can compete fairly.

5. What would be the benefit of certification in ensuring security of PHRs?

CCHIT has data indicating that one of it’s greatest impacts on EHR products has been a significant “raising of the bar” in information security. To become certified, vendors have added stronger password protection, audit trails, and other security enhancements even though their physician end-users were not directly demanding them. Health care consumers are even less likely to have the technical knowledge to evaluate a PHR product’s data security. Certification is needed to close this gap and protect consumers.

6. How would certification ensure privacy, which is a matter of policies and behaviors rather than technology?

Privacy policies as well as security technologies are needed to protect consumers against the potentially devastating consequences of inappropriate health information disclosures. Consequently, inspection of PHR applications would have to include assessment of the offering organization’s policies as well as the PHR technology itself. CCHIT would look to AHIC, its workgroups, or nongovernmental organizations such as the Markle Foundation, as the source of these guidelines against which to certify compliance.

7. What would be the benefit of certification in ensuring the interoperability of PHRs, and what types of interoperability would it address?

Because CCHIT certifies EHRs and all forms of EHR interoperability, the organization is well positioned to standardize one end of the EHR-PHR connection. However, unless PHRs are similarly certified for security and interoperability, providers may be reluctant to allow data exchange with PHRs because of their own privacy and data integrity concerns.

It may be helpful to compare personal health applications to personal financial applications such as Quicken. Without the ability to electronically download bank statements or pay bills, few people find these financial applications useful. A PHR that cannot exchange data electronically with the consumer’s health care providers would suffer the same limitation. Data interchange with caregivers is a key requisite for broad adoption of PHRs, and certification is needed to ensure that this will occur reliably and securely.

8. With the functionality of PHRs not yet defined, is certification appropriate?

Because PHR applications are at a much earlier developmental stage than EHRs, CCHIT agrees that certification of functionality would not be appropriate as an initial focus.