Last week, the ONC published two final rules. Here we focus on the 21st Century Cures Act Final Rule and its implications for EHR vendors. The big headline for this Final Rule should be “ONC Embraces the FHIR Standard”. 2015 Edition CEHRT and the whole certification process will undergo substantial changes. This blog will focus on the certification requirements and timeline. We’ll address some other aspects: The “information blocking” provisions, the voluntary pediatric certification, and the payer API provisions in future blogs.
US Code Data for Interoperability (USCDI) Version 1 replaces the “Common Clinical Data Set”
Fast Health Interoperability Resources (FHIR) 4.01 now required for API, so 170.315(g)(8) will be replaced by 170.315(g)(10).
“Electronic Health Information (EHI) export” in 170.315(b)(10) replaces 170.315(b)(6).
Multi-factor authentication is now required (with some exceptions).
There’s actually some good news for EHR vendors looking to certify or re-certify in that some criteria from 2015 Edition CEHRT have been removed effective 60 days after publication (at effective date):
Although these will be removed, the expectation is that vendors will retain the functionality. Many of them are “topped out” in the sense that everyone already has the functionality, so no need for government intervention. More good news: There are only two new criteria that EHR vendors who have already certified for 2015 Edition must certify – 170.315(b)(10) and 170.315(g)(10) (see next blog, "21st Century Cures Act: EHI Export").
Several criteria have been updated to accommodate new versions of standards:
The CCDA-related criteria, 170.315(b)(1), (b)(2), (b)(9), (e)(1), (f)(5) and (g)(6) have been updated per the USCDI/C-CDA companion guide, as has the 170.315(g)(9) “Application Access – All Data” criterion.
Security-related criteria have been revised to meet new ASTM standards.
Vendors have 24 months from the issuance of the Final Rule to update their software and distribute to clients.
USCDI Replaces Common Clinical Dataset (CCDS)
Think of USCDI as a superset of the CCDS. According to ONC, it “sets a foundation for broader sharing of electronic health information to support patient care”. USCDI adds three types of data for CCDS:
Clinical notes: both structured and unstructured.
Provenance: an audit trail of the data, showing where it came from. It is metadata or information about the data, that shows who created it and when.
Pediatric Vital Signs
USCDI Version 1 differs from the Proposed Rule USCDI, as follows:
The Final Rule also provides a foresighted provision to allow new versions of standards like FHIR and USCDI to be adopted and incorporated into the CEHRT requirements.
There’s a new API certification criterion that’s been added to the 2015 Edition Base EHR definition:
170.315(g)(10) Standardized API for patient and population services
EHR developers have 24 months from the publication date to “update their technology and make such available to their customers” according to CMS. Later they clarify that the updated certified health IT software must be provided to all customers within this 24-month window. Now we have fair warning! Also, note that there’s a six-month window for any “Certified API Developer” to “publish all terms and conditions for its certified API technology, including any fees, restrictions, limitations, obligations, registration process requirements or other similar requirements.” So for those with non-FHIR APIs certified to 170.315(g)(7) through (9), these publication requirements precede FHIR requirements.
In addition to mandating FHIR r4, this new criterion has some other interesting requirements concerning API capabilities: