On October 10, CCHIT hosted a Town Call on PHR certification. The hour-long call provided two avenues to ask questions—via phone or via online comment.
CCHIT has provided its responses to those questions below.
For those of you who missed the call, the slides are provided, below. You can listen to the call by pressing the “play” button above, or by downloading the mp3.
Responses to questions
Kary asked: Can you tell us how you are addressing the standard medical language especially with consideration being given to a interoperable PHR world wide? What format is likely to to utilized given that even CPT is modified specifically for the US?
Since much of the data arriving in a PHR originates from systems in care provider systems (EHRs), the coding standards for EHRs are the most likely ones to be used eventually in PHRs. Regarding a universal, coded ‘medical language’ that will work worldwide, that is still a ways off in the future.
V J Kulkarni asked: Will there be “conditional” certification like the one for EHRs?
Conditional certification for EHRs is available for products that have all the necessary features, but have not yet been installed in a ‘live’ site. We don’t know yet if conditional certification will need to be offered for PHRs, since there’s less of an issue with installation.
Lee Castonguay asked: I’m concerned that it may be premature for CCHIT with so many models coming out. MS says Healthvault is NOT a PHR. How are you going to avoid confusing the public?
The Advisory Task Force and the PHR Work Group are working hard to have certification accommodate all the various models for delivering personal health information to consumers, but be simple enough not to confuse the public. It is possible that there may be several ‘flavors’ of PHR certification. Some examples could include linked PHRs, independent PHRs or perhaps even PHR platforms. But again, the more we try to differentiate, the more potential for complexity and confusion. Perhaps the best thing is to determine which distinctions are absolutely imperative to make and then keep it as straightforward as possible.
Dennis Melamed asked: With whom can I follow up the question about doctor/patient privilege. Your answer stating that information coming from a doctor and stored in PHRs is news. I’ve not heard that anywhere. Once it is in the patient’s possession, how can it automatically be PHI. For example, fitness for duty reports, which has patient information in them, are not considered to contain PHI by HIPAA. So I’d like to further explore the distinction you are making.
The legal status of information in PHRs is a new and complex area that can’t be dealt with properly in a short Q&A format. We did not mean to imply a particular interpretation of HIPAA, or what constitutes PHI under HIPAA law, in our answer to your question. CCHIT endeavors to apply industry standards, rather than create them; however the health information privacy policy area is far from standard at this point. It is an area that will continue to require more analysis and consideration.
VJ asked: Will the PHR be required to meet one hundred percent of criteria, how many yrs will the certification be good for, conditional certification?
Yes, our policy is to inspect and require compliance with all criteria. It is possible, however, that some criteria will apply only to certain PHR models.
We haven’t determined for certain the duration of certification for PHRs, but in all our other domains the certification is valid for 2 years.
Phil Beenhouwer asked: Will you be certifying Google’s ‘Google Health’ and Microsoft’s ‘HealthVault’?
Certification will be open to all PHR product and service providers. We don’t know yet who will apply, or which ones will pass inspection. We’ll start finding out next July!
Lawrence Williams asked: As an active technical committee member of HITSP’s Emergency Responder Use Case (which covers PHR patient data interoperability from on-scene emergency responder care through emergency room treatment) and given the fact that CCHIT states that one of the primary benefits of having a PHR is to “save your life in an emergency”, I urge CCHIT to modify it’s first draft of ‘09 interoperability criteria to reflect the PHR interoperability requirements of HITSP’s Emergency Responder Use Case IS-04.
Thank you for your participation in the call today and for highlighting the emergency responder issues with regard to personal health records. PHRs hold great promise for utility in many aspects of people’s lives in and out of the traditional healthcare settings. CCHIT will continue to keep the emergency responder use case on the list for consideration. We will remain flexible based on feedback from the community at large regarding priorities for 09 inclusion or beyond.
Deven McGraw asked: Is there a key for the “criteria reference” section of the draft criteria?
Good point – we need to add that and we will.
Jim asked: Can you describe how this standard effort compares to the effort to standardize the EMR? Is there a set of data that they have in common and are you working toward the two records communicating?
CCHIT’s PHR certification is a parallel effort to CCHIT’s work in certifying EMRs (we use the abbreviation EHR) for doctors’ offices, hospitals, and emergency rooms. The efforts are being closely coordinated to make sure EHRs and PHRs will be “interoperable” (can communicate and share data).
John Ritter asked: Will a PHR system that has been certified by CCHIT, interoperate with a PHR system that has been certified by other nations?
CCHIT is in discussions with officials from other nations about that kind of long term goal, but we don’t think it is achievable in the next year or two. As long as your PHR is accessible via web browser or other standard technology, you should be able to access it worldwide.
Lynne Chartier asked: I have read the 3 year criteria, and have submitted comments to a central location in my organization. We intend to comment together. In addition, I participate on the PHR workgroup with HL7. The requirements I saw indicate they are in the categories of privacy, security and interoperability. Where are the functionality requirements that Dr. Pettit referred to?
Thank you for your interest. As our guidance from the PHR Advisory Task Force suggested, the Work Group has focused on Privacy, Security, and Interoperability for the first (09) certification year. There are only 2 functionality criteria for 09 at this point in time. They are: PHR 30.01 and PHR 31.01. “the system shall provide the ability to capture account holder provider contact information” and “the system shall provide the ability for the account holder to record his or her own health observations” respectively.
Rita Zielstorff asked: I think that a consumer may be confused between “PHR” and the professional medical record. I don’t see that a specific distinction has been drawn. The consumer should be made aware that the “provider” of a PHR may not be the patient’s health care provider, and that the certification criteria are not meant to apply to the professional provider’s medical record.
We agree that there is need to educate consumers about what constitutes a PHR. Our first version of the Consumers Guide to Certification of Personal Health Records is only an introduction to the PHR topic. In future versions, we hope to begin explaining about various sources of information brought into a PHR, and clearly differentiate between information in the PHR and the original information in a professional provider’s medical record.
VJ asked: How would these criteria apply to patient portals of EHR vendors? Will this be separately tested?
If an EHR vendor wants to display the CCHIT seal to patients using the portal, its PHR capabilities would need to be tested according to the PHR criteria and certified as such. One of the major issues to resolve is regarding the critical differences between portals (or linked) and independent PHRs. Writing test scripts for two different sets of privacy milieus really highlights the ‘apples and oranges’ issue. Suggestions welcome! Thank you for this question.
Kathleen Furtado asked: How are you funded?
We are a 501(c)3 nonprofit organization. Currently we receive about half our funding from a contract with the Office of the National Coordinator for Health IT, under the US Department of Health and Human Services; the other half of our funding comes from application fees charged when vendors apply for certification.
Peter Harrison, MD asked: HL7 is working on a PHR system functional model, and has issues with the US centric definition of many PHRs developed in the US. What do you see as the relationship between CCHIT and HL7 and how do you plan to reconcile the differences between the two organizations (for example, CCHIT’s definition could be a profile of the HL7 functional model definition)?
The PHR Work Group is drawing heavily on the HL7 PHR functional model, but takes many other sources of information into account as well. There is substantial liaison going on between the work of the two organizations.
Philip Marshall asked: In a prior powerpoint, it was noted that a user would be given the ability to remove their data (or disable their account) if certification was lost, but this isn’t specifically called out in the criteria. Is it assumed that the ability to expunge data (criteria 19.05) covers this situation?
The issue of expungement has been a hot topic of discussion. It is another area where the answer is heavily dependent on the nature of the PHR. An independent PHR may offer the option of complete expungement of the record, but the linked PHR – whose information actually resides in a provider’s record — may only offer the option of removing PHR access to the record.
This is a good catch - we did discuss this as you mentioned earlier but didn’t specifically address the ‘lost certification’ issue in the criteria. It may be covered by 19.05 but we will add this to the discussion for the PHR WG. Thank you.
John asked: Seems the CCHIT concept of PHR is only an online web-based system. Is there no place for disconnected PHR? Is there no place for a PHR on a USB memory stick? The CCHIT Criteria seem to be a mixture of functional requirements similar to the Ambulatory requirements, yet also others are like a service similar to the Network requirements. Is CCHIT looking to a PHR as a service model? Is CCHIT then going to get into reviewing policies of the PHR?
The PHR Advisory Task Force specifically guided our development efforts to accommodate the widest possible variety of PHR models, and not to limit it to online web-based architectures. Some PHRs will look more like software products, others like web services, and everything in between. The Work Group is trying to develop criteria that can be applied across this spectrum.
Kathleen Furtado asked: I’d like to hear how you explain the difference between a PHR and the personal health information that is available on a healthcare provider’s patient portal? How do you explain why we need our records in both places?
The PHR Advisory Task Force recognized that there are several models through which patients may access their health information. We are using the term “independent” to describe PHR services offered and maintained by entities other than the individual’s healthcare providers or health plans; and “linked” for PHR services offered by providers and plans (what you have called a patient portal). We intend to offer certification for both models, but some of the criteria may have to be different.
We are not taking a position on which is better, or whether both are needed by any given patient. It is up to the individual to decide that.
Philip Marshall asked: The CCHIT criteria pertained mostly to privacy, security, interoperability and authentication. There was very little on the functions of the PHR itself. Was that deliberate based on the nascent nature of the PHR industry? Will there be a separate effort to specify criteria for the features and functions required of a PHR?
Yes, we believe it’s appropriate to limit our attempts to specify functionality because of the early stage of PHR development. We are requiring functionality needed to support the privacy, security, and interoperability requirements. More functionality may be added in future years if it appears it would be helpful to accelerating adoption of the technology or needed to protect consumers.
Lloyd Tribley asked: The 2000 US Census identified nearly 20 % of the US population with disabilities. Most Web-based applications are not technically accessible to persons with disabilities using assistive technology not even factoring in sound usability design. It is likely that existing proprietary PHR products are not accessible for use by persons with disabilities.
Assuming that CCHIT is committed to making sure that PHR products “work properly and safely” for all users, what accessible electronic and information technology (AeIT) criteria (such as Section 508 of the Rehabilitation Act) will be used to address these deficits? How will you activity involve persons with disabilities as stakeholders in PHR usability and accessibility product testing?
Thank you for bringing this issue into the limelight, it is a very important consideration and one that the PHR WG has not tackled to any significant degree at this point. We will certainly add it to our work list.
Jim Tate asked: What is the fee structure for PHR Certification? Once certified, how long will the PHR have active certification status? Will the testing process be similar to the current Ambulatory process? (Self-attestation followed by live script demo viewed by jurors)
The fee structure has not been set. First, the criteria have to be developed, the test scripts created, and the pilot test performed. That lets CCHIT determine how much effort is involved in the inspection so fees can be set accordingly.
Naturally, we will draw upon our experience in testing other health IT. We use a combination of documentation review, jury-observed virtual demonstration, and technical testing for EHRs and it is likely we’ll use those tools for PHRs as well.
Jim Kretz asked: For a topic of such importance to the future of healthcare, why is the conference call scheduled for late on a Friday afternoon preceeding a three day weekend?
We’re sorry if the time proved inconvenient for you. In covering multiple time zones and many different stakeholders, there’s really no time slot that’s perfect for everyone. But for those who could not join the call, we’re going to post the recording online, as well as posting all the online questions and answers, so you won’t miss anything.
Jim Tate said: Glad to see that CCHIT’s Certification for PHRs is gathering steam. The certification process for EHRs brought stability and direction to a badly fragmented market. I bet we’ will see the same positive outcome for PHRs.
Thank you for your support and encouragement!
Have more questions? Feel free to post additional questions here, and we’ll be happy to provide a response. And remember, CCHIT is accepting Public Comment on PHR Criteria until October 28.
