Self-certification?

I’ve just read open-source advocate Fred Trotter’s blog post regarding the meeting the open-source community had with the Certification Commission for Healthcare Information Technology at HIMSS09. (CCHIT recorded the session and posted the audio and presentation slides here.)

Trotter says he was authorized by some of his colleagues to “go nuclear” and perhaps launch an alternative EHR certification program if CCHIT didn’t listen to their concerns. That was not necessary, he says, because the commission Chairman Mark Leavitt and Director Dennis Wilson gave them a fair hearing and agreed to consider the impact of CCHIT rules on developers of free and open-source software.

The most serious problem for open source seems to be that the true cost of certification is not the actual testing and maintenance fees, but the expense of continually updating products to meet standards that get more stringent each year. Since the whole idea behind open-source is to share code rather than protect it with licensing fees, the first FOSS developer to build to CCHIT standards will effectively be paying the bulk of the certification cost, while competitors will benefit from that investment when the first company releases its source code.

Trotter explains: “Under the current certification model I could wait for ClearHealth Inc. to figure out how to pass the current CCHIT tests, and then republish the changes to the current ClearHealth codebase required to pass CCHIT. ThenI could apply for CCHIT certification with my friendly fork of ClearHealth…. So I would be getting a certification for about 1/10th the price that ClearHealth pays.”

Thus, there is a definite disincentive for ClearHealth to spend big bucks—Trotter estimates $300,000 a year—on creating a product that will pass CCHIT testing.

Some of the comments that follow Trotter’s report then veer into uncharted territory, namely the prospect of self-certification. Since CCHIT makes its testing requirements public, there are those that suggest small vendors should get together and run their own testing program, following CCHIT protocols.

I’m sure there are some small EHR vendors out there telling their customers that their products are just as good as anything that has passed CCHIT testing, but I wonder about both liability and copyright issues. One commenter, Tim Cook, suggests that CCHIT should put together a self-certification affidavit that companies can sign to make sure CCHIT is not held liable for any software faults or resulting medical errors.

This makes me wonder several things:

  • Would CCHIT even consider this if it became clear that someone was starting a competing certification program?
  • Would more than a fringe group of the EHR customers—hospitals, physician practices and other care providers—want the risk that comes with using a “self-certified” product?
  • How much money would vendors save anyway if they’re still updating their products to meet the same standards? Granted, they wouldn’t be paying the testing fees, but the consensus seems to be that the real cost of certification is in the development, not the actual testing.
  • And, of course, the biggest question remains, will non-certified EHRs still be eligible for stimulus money?