Posted September 24, 2008 by Lygeia Ricciardi
Next Monday the Certification Commission for Health IT (CCHIT) will be posting for a 30-day public comment period its draft criteria for testing and certification of PHRs. It will also be launching a new web site and blog about PHRs. To its credit, CCHIT has been reaching out actively to consumer groups and other stakeholders to participate in its process.
CCHIT is a recognized certification body that already certifies electronic health records and their networks. It’s an independent, voluntary, private-sector initiative formed and funded in 2004 by three leading industry associations in healthcare information management and technology:American Health Information Management Association (AHIMA), Healthcare Information and Management Systems Society (HIMSS), and The National Alliance for Health Information Technology (Alliance). Since then others (including the California HealthCare Foundation, which supports Project HealthDesign) have provided additional funding.
Over the summer, CCHIT’s Personal Health Records Advisory Task Force issued an initial set of recommendations for PHR certification, which probably foreshadow the release next week. The Task Force is a group of industry and non-profit PHR experts who were called together to develop high level guidance to CCHIT and its work groups. Actual certification is slated to begin in summer of 2009.
So is CCHIT’s certification of PHRs a good thing? In the long run, probably yes, but open questions remain about the most appropriate timing to begin certification and the specifics of what it should entail.
Some say certification will encourage the PHR market to grow by helping developers and purchasers alike to agree on a standard set of features. Purchasers, in theory, whether they are members of the public buying PHRs for themselves or employers, plans, providers or others buying them on behalf of employees/patients, may be more likely to buy a certified product than an un-certified one.
On the flip side, though, certification could stifle innovation by too stringently defining features while the PHR market is still developing. A couple of my colleagues on the Project HealthDesign team have made the point that competition around features may be an important force in shaping the market. In addition, high costs associated with certification could disproportionately hurt smaller developers (which are often among the most innovative) and end up driving PHR product prices up overall.
When CCHIT began certifying EMRs in 2006, some people, such as doctor/EMR developer Alberto Borges sent letters of complaint to the FTC and other agencies about the “onerous” process and high costs (“up to $28,000.00 a year just to maintain an updated certification”), Dr Borges alleged that CCHIT and its supporting members, who belong to the large association founders and in many cases develop their own EMRs—were using certification to undercut competition.
For PHRs, the Task Force recommendations of last summer make no mention of costs, though in the past CCHIT has talked about exploring funding sources other than PHR developer/vendor fees. As far as functionality goes, the Task Force’s definition of PHRs, which is borrowed from the Connecting for Health Common Framework for Personal Health Information, is very broad, encompassing both PHR applications (which collect, store, and use personal health data), and platforms that act as a conduit of information among numerous sources. Particularly with such a broad view of PHRs, it’s important to leave a lot of leeway for variation and evolution.
In response to that point, the Task Force recommends limiting certification of functionality requirements in the first year to those necessary to support privacy, security, and interoperability. This sounds like a good initial strategy, and focusing on security and interoperability makes a lot of sense. I’m less sure about privacy, which, the Task Force says “should be the #1 goal of certification”.
I couldn’t agree more that encouraging public trust in PHRs by strengthening privacy protections is a good thing—particularly since many PHRs are not covered by HIPAA. But is certification the best mechanism to do it? Certification should be one of many mechanisms–-including law, regulation, and industry best practices-–that together strengthen privacy. And certification should probably take a back seat to those other mechanisms in this context.
The CCHIT Task Force’s strong push on privacy concerns me a little given the extent to which consumer groups and privacy advocates have been struggling (with limited results) to get stronger privacy protections into law and regulation for health information exchange in the last few years. Could CCHIT’s appearing to “solve” the privacy problem be used by policymakers as an excuse not to address it in ways that would in fact be much more effective?
In January of 2007 the AHIC Consumer Empowerment Workgroup recommended that HHS encourage a certification process for PHRs. At that time, five members of the group (including Project HealthDesign’s Steve Downs) dissented, stating in a letter to Secretary Leavitt and the AHIC members that “certification should not be a focus at this time,” and that “the risks outweigh any potential benefits.”
How much has changed since then? And if we are not yet ready for PHR certification, how will we know when the time is right?