Captain Alicia Morton: ONC to remain in the EHR certification business

The Office of the National Coordinator for Health IT intends to forge on with its certification activities even though the Certification Commission for Health Information Technology will no longer be part of electronic health record certification, according to Captain Alicia Morton, the new head of the agency's health IT certification program.

Morton, in an interview with, said that CCHIT was not integral to ONC's activities.

"We still do have three certification bodies and five testing labs without CCHIT's engagement at this point," she said. "We anticipate continued future rulemaking around what products need to have in there to meet minimum conformance criteria."

CCHIT left the certification business in January and ceased operations Nov. 14.

Morton also pointed out that ONC's certification program is an activity separate from the Meaningful Use program, and that Meaningful Use is only one program that uses certification as a baseline for its operations. For example, ONC is turning to certification for providers who don't participate in the program, such as long-term care providers. CMS' physician payment rule for 2015 for the first time will reimburse for chronic care management but only if the physician is using certificated EHR technology.

Despite Morton's assurances, stakeholders have expressed concern about the continued viability of the EHR certification program. ONC proposed a 2015 voluntary edition of EHR certification criteria; it was so poorly received that the agency abandoned the idea in September.

Moreover, the U.S. Department of Health and Human Services Office of Inspector General (OIG) in August found that ONC's lackluster monitoring of the Authorized Testing and Certified Bodies (ATCBs) did not fully ensure that test procedures and standards could secure and protect patient information in EHRs, which could allow hackers to penetrate the systems. The OIG also noted that the 2014 certification criteria did not address specific security criteria nor meet industry best practices, such as multifactor authentication.  

To learn more:
- here's the article