The EHR Labyrinth: Untangling the myths and realities of Certified Health IT

“Do I need a certified EHR?”

One of the most common and foundational decisions in digital health, it’s oft-discussed and written. With the fuel of the pandemic leading to a massive rise in virtual and hybrid care practices, the off-spring of the first generation of Teladocs, Livongos, and Doctor on Demands, the question has only intensified. Several have written about adjacent topics:

• “To E(HR) or not to E(HR)” tackled it from the pure perspective of the relative challenges of building or buying.

• “The Digital Health Provider’s Guide to Selecting an EHR” went deeper into the principles of EHR selection

• “Headless EHRs” detailed the murky space between build and buy, separating FHIR-based application development platforms and decoupled EHRs as sub-categories of headless EHRs

While the road to choosing a path has become much more clear, the root question has been of handwavy explanations and quick references to dense regulatory literature:

“To E(HR) or not to E(HR)”

“The Digital Health Provider’s Guide to Selecting an EHR”

Thus, the baseline assumption among prospective EHR users who will be seeing patients who are covered by government programs such as Medicare and Medicaid is that they need one that is “ONC certified. In the EHR build/buy decision, this looming, poorly defined specter is one of the two main drivers that can shift a potential EHR builder to become an EHR buyer.

But if you ask people what “ONC certified” actually means or when it’s truly required, you’ll likely get a blank stare. And for good reason - it turns out that the answer is quite complicated. And shockingly, the statement that “most providers need to use a certified EHR” is perhaps not necessarily true.

We’re truly sorry about that and we’re here to do better.

Let’s right that wrong and finally answer “Do I need a certified EHR”, journeying into the maze a la young Jennifer Connelly and David Bowie in Jim Henson’s (somehow hit) movie Labyrinth. We’ve dug through the regulations and government websites so you don’t have to. By the end of this, you should have a solid understanding of what “ONC certified” means, and, more importantly, what you need to be looking for as you evaluate EHRs.

What does “ONC certification” mean?

In a vacuum, an electronic health record can mean a heck of a lot of different things. “Vertical SaaS but for doctors” cannot possibly do justice to the variety and variation that medicine demands. Just as we divide the animal kingdom all the way down to genus and species, so too can the roles and responsibilities of practitioners and administrative staff in healthcare be fractally divided. Doctors, nurses, schedulers, registrars, revenue cycle managers, and so much more, all packed into a single piece of software? On top of that, you layer in two drastically different domains with barely related workflows between inpatient and outpatient and sprinkle in a variety of specialties that do completely dissimilar things.

The CMS’ Certified EHR Definition

Okay, we’ve established a federal agency’s definition of an EHR. That must be what I, a digital health provider, need to use, or the ONC will come after me, right?

The labyrinth does not stop there, friends. While the ONC provides this core definition and a well-structured certification program for health technology developers, its regulatory authority does not lend itself to enforcement, encouragement, or requirements regarding what providers must do, at least regarding certified EHRs.

Instead, another federal agency, the CMS, has been the primary driver of adoption through a variety of programs since the initial Health Information Technology for Economic and Clinical Health (HITECH) Act. In that initial model, while CMS established the criteria for meaningful use and managed the incentive payments, ONC specified the technical capabilities required for EHR systems to support meaningful use objectives.

Steven Posnack, Deputy National Coordinator of the ONC, has some nice historical perspective on the evolution:

As the nation’s largest payer, the CMS has financial levers to ensure providers are using EHRs and embracing new technologies. This is structured today through two main CMS programs:

1. Medicare Promoting Interoperability Program – Medicare-eligible hospitals and critical access hospitals must use Certified Electronic Health Record Technology (CEHRT) to avoid downward payment adjustments from Medicare.

2. Quality Payment Program (QPP) – Medicare-eligible clinicians participating in the Merit-based Incentive Payment System (MIPS) must use CEHRT to receive full points in the Promoting Interoperability category, which ultimately impacts the payments you receive from CMS.

   1. Clinicians who participate in Alternative Payment Models (APMs) are similarly required to use CEHRT. However, the each alternative payment model can have their own definition of CEHRT in order to pull in the criteria that program deems necessary for success.

It is the CMS that defines a certified EHR, which has evolved over the past two decades. This definition began during Meaningful Use and was listed in42 CFR 495 (the regulatory text surrounding the Electronic Health Record Incentive Program). Before 2019, they spelled out a laundry list of specific criteria:

However, that definition shifted in 2019:

The CMS copies this definition into MIPS here, with one addition: any providers participating in Alternative Payment Models have a slightly different definition of CEHRT, where the specific APM can dictate what additional criteria beyond ONC’s Base EHR definition are needed for that payment model:

To summarize, our result, then, is that there are technically four definitions of an EHR by the government:

• Base EHR

  • The ONC’s definition of certification criteria that forms the lower bound and is often included in other definitions

• Certified Electronic Health Record Technology (CEHRT) for Medicare Promoting Interoperability

  • The CMS’ definition in 42 CFR § 495

  • This is currently ONC’s Base EHR as well as family health history, PHI capture, measure calculation, and CQM functionality

• Certified Electronic Health Record Technology (CEHRT) for QPP MIPS

  • The same as “CEHRT” for Medicare P, but redefined in 42 C.F.R. § 414.1305

  • This is currently ONC’s Base EHR as well as family health history, PHI capture, measure calculation, and CQM functionality

• Certified Electronic Health Record Technology (CEHRT) for QPP APM

  • The CMS’ definition in 42 C.F.R. § 414.1305

  • The ONC’s Base EHR and any additional criteria defined in the specific APM

Of the 173 products that were full Base EHRs, only 133 are fully certified EHRs across 104 vendors by the MIPS and Medicare Promoting Interoperability definition.

Promoting Interoperability Criteria

Folks, this may surprise you, but we’re not done yet. The road is long and winding, filled with twists, turns, acronyms, and compounding regulatory references. In addition to the criteria that make up a certified EHR, the CMS specifically requires additional capabilities to fulfill measures in the Medicare Promoting Interoperability program (inpatient) and Promoting Interoperability requirements for MIPS reporting (outpatient).

Calculus has nothing on parsing the truth from EHR regs

The Medicare Promoting Interoperability program has four main objectives, with measures that change and evolve each year as the CMS adds, removes, or updates them. For 2024, here are the objectives and measures:

Source

These measures are often (but not always) tied to ONC-certified criteria. This linkage is enumerated helpfully by the CMS in the ZIP file here, referencing these criteria:

• Clinical information reconciliation and incorporation

• Electronic prescribing

• View, download, and transmit to 3rd party

• Transmission to immunization registries

• Transmission to public health agencies — syndromic surveillance

• Transmission to public health agencies — reportable laboratory tests and value/results

• Transmission to public health agencies — electronic case reporting

• Transmission to public health agencies — antimicrobial use and resistance reporting

• Transmission to public health agencies — health care surveys (optional)

Noticeably missing from the list is criteria (f)(4) Transmission to cancer registries. This is because, despite nearly identical naming, the criteria required in MIPS Promoting Interoperability diverges from Medicare Promoting Interoperability slightly, subtracting the antimicrobial reporting andadding cancer reporting as an option to Public Health Registry reporting:

Death, taxes, Kyle Meadors from the rafters with obscure CEHRT lore

Overall, the mandatory criteria set is lighter for MIPS Promoting Interoperability, with fewer required public health and clinical data exchange measures. Syndromic surveillance is optional and Electronic Lab Reporting is omitted altogether for MIPS:

• Transmission to immunization registries

• Transmission to public health agencies — electronic case reporting

• Transmission to public health agencies — syndromic surveillance (optional)

• Transmission to public health agencies — antimicrobial use and resistance reporting (optional)

• Transmission to public health agencies — health care surveys (optional)

When factoring in the Promoting Interoperability measures, only 57 products of the 137 certified EHRs include all necessary criteria, showing that most expect their customers to use other certified products they or partners make alongside the core EHR functionality.

Who does “ONC certification” actually apply to?

With a comprehensive and perhaps overly detailed synopsis of what ONC certification really, truly, and deeply means, the next layer of the EHR onion is who should actually care. The popular narrative (“everyone needs a certified EHR”) isn’t true in a blanket sense as expected.

ONC Certification Hot Takes

We’ve zoomed in to a tremendous level of detail on what EHR certification is and who it affects, but facts, even simplified, are only so interesting. Analysis and opinions are why you are all here, so let’s stray a bit from God’s light (the federal government regulations), read between the lines a bit for some takeaways, and make some predictions.

1. The removal of Medicaid means some specialties and their EHRs just don’t care anymore

While Medicare encompasses a broad swathe of specialties, it specifically excludes non-medically necessary dental and vision care:

What a nice advertisement by the CMS for MA plans

This differs a bit from Medicaid, where:

• States must provide dental care to children and can optionally provide dental care to adults (with all states but the exceeding random trio of Alabama, Delaware, and Maryland providing some level of coverage)

• Eye exams, eyeglass frames, and lenses are available for children under 21 under the Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) program and 33 states include vision as a benefit

As noted earlier, the Medicaid portion of the Promoting Interoperability program ended in 2021. So it’s unsurprising to see that many dental and vision EHRs have let their certifications lapse:

• Open Dental, Dentrix, DentiMax, Denticon, Eaglesoft, and Umbie DentalCare are all certified for 2014 criteria, but only Dentrix is still active today (and lacks newer criteria like (g)(1), a FHIR API)

Fun fact - it is written into the dentistry bylaws that all dentistry EHRs need to include “Dent” in their name, but Eaglesoft uses a little-known loophole that their software is literally 30+ years old

• Although a few EHRs dropped off from 2014 to now, optometry and ophthalmology-specific EHRs fare a bit better here, with major players like RevolutionEHR, ModMed EMA, and Eyefinity all certified including (g)(10).

The example of dentistry (and to a lesser extent, optometry) shows that the contours and boundaries of the CMS programs do affect vendors’ choices to certify or not.

If you believe that the burden of regulation is a moat against disruption, it logically feels like there’s an opportunity to prove this out with EHRs for these specialties that don’t have certification requirements. The dental and ophthalmology EHRs are pretty mediocre, so go forth and disrupt, young padawan.

1. Providers and specialty EHR vendors need to pay attention to shifts in MIPS eligibility

The CMS is increasingly looping more and more providers into the certified EHR realm by removing them as exempted provider types. As mentioned before, several specialties were previously exempted, but are included this year and onward.

• Physical therapists

• Occupational therapists

• Qualified speech-language pathologists

• Qualified audiologists

• Clinical psychologists

• Registered dieticians or nutrition professionals

These provider types are also the ones that often have software that’s not the big, generalized EHRs (Epic, Cerner, athenahealth, etc) and instead hyper-specific to their specialty:

• Physical therapists frequently use EHRs like WebPT or Clinicient.

  • Neither is certified today.

• Similarly, the software landscape for mental health professionals is extremely fragmented across a slew of behavioral health-specific EHRs: ICANotes, SimplePractice, TheraNest, TherapyNotes, Osmind, Therapyzen, CounSol, and many more

  • Mental health professionals have long lagged in terms of certified EHR adoption. As Thomas Novak notes, Meaningful Use originally excluded mental health professionals from their definition of eligible professionals for incentives in the HITECH Act, although there have been recent legislative efforts to fix that via the Behavioral Health Information Technology Coordination Act

  • Capterra lists 300+ for mental health, G2 lists 185, and Reddit has a bunch of threads with therapists discussing myriad options.

  • Reviewing a few, only the ICANotes EHR appears to be certified in CHPL but lacks more recent criteria, such as (g)(10). However, ICANotes confirmed they have a FHIR API when contacted, indicating that CHPL updates may be delayed.

It will be interesting to track how EHRs serving these niches handle certification, given that those services are reimbursed under Medicare Part B.

1. Tech-enabled practices and virtual care companies need to think strategically as they build on a headless or decoupled EHR

The headless EHRs can support elements of CEHRT, but they do not provide fully certified solutions out of the box. For example, Medplum and Aidbox are both compliant with data-oriented criteria like (b)(10)’s EHI Export or (g)(10)’s FHIR API but aren’t certified against any other criteria.

Thus, if you choose to build on top of a headless EHR and are hoping to participate in MIPS, you’ll need to ensure you fully meet the CEHRT requirements via a combination of your in-house technology and other off-the-shelf solutions.

Similarly, decoupled EHRs like Canvas Medical, Healthie, or Elation range between “almost a base EHR, but needing a Direct messaging partner for (h)(1)” and “certified EHR”, but still require additional certified products for functionalities related to MIPS Promoting Interoperability measures. These vendors typically have preferred partners or complementary vendors that fill those gaps, so make sure to engage your support team to understand their recommended approach here.

1. Renewed legislative activity to strengthen and expand regulatory authority here could be beneficial for the ecosystem and innovation

There’s a popular take that Meaningful Use was a mistake. The logic goes that the EHR certification program encouraged the adoption of bad technology, in that the software it forced providers to adopt was different from the digital tools they really needed. It argues that the available software at the time was immature and not ready to cross the chasm, but that the tailwinds foisted it upon doctors in a way that now makes it impregnable to disrupt. Thought leaders opine that the current EHR landscape is one of regulatory capture. I find it all particularly tired and misguided.

Looking at the criteria in EHR certification now, it largely lines up with the criteria a modern practice or hospital needs. The criteria are either super basic table stakes (like electronic order entry or the ability to record demographics) or capabilities that the government wants to see at scale (the ability to send data between providers, the ability to report for public health, etc). While it does represent a bar that any competing software has to clear to full displace the incumbent, these are things you will ultimately need to do anyway if you want to make a competing EHR.

Whether they know it or not, startups and other innovators in healthcare actually pine for more, not less, regulation. Digital applications constantly ask for a uniform set of capabilities to connect to EHRs. One path to that outcome is outright and complete dominance by one or two EHR platforms (akin to iOS and Android). Barring that, the EHR certification program is the main mechanism to enforce consistency across a disparate and fragmented landscape. As seen with our dental example, software vendors that are not regulated do not opt to voluntarily expose capabilities, especially standards-based exchange mechanisms. The expansion of regulatory agency authority (such as the aforementioned Behavioral Health Information Technology Coordination Act) to include broader types of providers or even ancillary applications, such as the picture archiving and communication system (PACS), is necessary to promote uniformity.

Tried to fit the impending Chevron Doctrine decision into the meme, but had to leave some things on the cutting room floor

1. AI companies better pay attention

I didn’t want to dive into the specifics of each criteria in this post, but given no good post can do numbers these days without an AI mention, I think it is important to link to my recent post about Decision Support Interventions (b)(11):

This is a taste - there’s more. If you think it’s salient to you, click the link

“Technology that supports decision-making based on algorithms or models that derive relationships from training data and then produce an output that results in prediction, classification, recommendation, evaluation, or analysis” covers a lot of ground. While the ONC reined in the software explicitly regulated by this in the transition from proposed to finalized rule, it’s still worthwhile for generative AI startups to understand this provision (and perhaps pursue it voluntarily).

As phonetically close as AI is to API, I am still distinctly in amateur status for the former. That being said, it feels like these constraints around sourcing, authorship, equity, and more will be challenging for startups not running their own models.

Conclusion

With that, we’ve done it. We’ve mapped the labyrinth (nearly two decades of overlapping rules), rescuing our baby brother (operating margin) from the clutches of the metaphoric Goblin King (CMS downward payments). We’ve hopefully saved our heroes (your company’s product team) from wandering aimlessly and wasting valuable time.

If you’re an EHR vendor or tech-enabled practice who’s newly considering certification and feeling a bit overwhelmed, feel free to reach out to Brendan and the HTD team:

Contact!