Hope For FOSS In Electronic Health Records

Fred Trotter writes "CCHIT is the dominant Electronic Health Record certification body in the US. It is also decidedly anti-FOSS and has been for years. Certification of one kind or another will be required for EHR systems to qualify for funding under the Stimulus Act. If CCHIT is chosen as the certification body, and the current certification strategies continue, it will not be possible to have a funded EHR that is both certified and truly FOSS. Now, however, CCHIT has agreed to meet the FOSS Health IT community at HIMSS 09 to address this issue." We discussed the shortcomings in the stimulus bill as it relates to FOSS a few days back.

As I am going to this...

[imamac]

I will pay special attention to it.

Re:Frosty piss

We analyzed your frosty piss... and you're pregnant.

Anti-FOSS?

[FooGoo]

So let me get this strait...CCHIT is considered anti-FOSS because they charge fees that for certification that the FOSS folks cannot afford?

Sounds like we need a welfare program for FOSS apps to be able to play in the big leagues. How do you think CCHIT gets their operating budget? Through fees I would expect.

Re:Anti-FOSS?

[Compholio]

Sounds like we need a welfare program for FOSS apps to be able to play in the big leagues. How do you think CCHIT gets their operating budget? Through fees I would expect.

Sounds to me like this organization should be getting funded a better way. It's pretty commonly accepted that certification groups that get their budget from fees have a pretty significant conflict of interest wrt. properly executing their duties.

Re:Anti-FOSS?

[Frosty+Piss]

It's pretty commonly accepted that certification groups that get their budget from fees have a pretty significant conflict of interest wrt. properly executing their duties.

And a 25 to 35k entry fee with a 5k yearly fee is a prety BIG conflict of interest.

Re:Anti-FOSS?

[ColdWetDog]

Sounds like they're charging a lot for what you get. From the "CCHIT Physician's Guide 2008":

A jury of three EHR experts--including at least one practicing physician--observes a carefully scripted product demonstration. This inspection takes a full day and covers four distinct clinical scenarios. The Roadmap provides guidance to providers and the industry by offering a realistic time table for incremental improve- ments in EHR systems. Each year the Roadmap is extended to project criteria two years into the future.

From TFA (well, not exactly an article):

The first issue is pricing. It will cost a $25,000 to $35,000 one-time fee to perform the test. After certification, an annual fee based on sales will be required which will be at least $5,000 a year.

Which is a pretty expensive "field trip". The Physician's guide seems to imply that the ONLY thing CCHIT really does is to watch this "carefully scripted product demonstration". And write up their results on the web site. W00t! Deep, thorough analysis here.... Then they wander off to claim that they are the "Underwriter's Laboratory" of the EMR world.

Surprisingly enough, the Guide is heavy on "why you need to buy an EHR now". I'm sorry, I am just not impressed with this. Aside from the obvious conflict of interest, it doesn't sound like it's any more rigorous then a couple of folks with a clipboard.

Re:Anti-FOSS?

Bullshit. The GP is 100% correct. You're just making up another excuse. You FOSS people just have a problem with the whole concept of making a living from your work... well, for anyone else that is. When it's your own work you want to roll in the cash but you "can't understand" why others need to make a profit.

Re:Anti-FOSS?

[sumdumass]

Outside of the entire Fees for OSS idea, I think it is preposterous to think that once you certify a program or application to do a certain thing, you have to continue paying them based on annual sale of your program or application to keep that certification.

We don't need welfare for OSS, we need something different in place. A certification process shouldn't be dependent on future fees paid nor should it base any of the fees on the sales of the software. If you want to know why health care is so expensive, it's shit like this.

Think about it, 25K can go into 25 copies sold $1000 at a time. That isn't so much when considering what the software brings to the table. But an annual $5000 on top of that based on sales means the same program that was certified at $1000 a pop is now not certified if more money isn't paid. The question is, is that 5k a version sold?, up to 25 licenses sold? or is it 5 licenses sold? Now licenses could be a misnomer too, Take MS servers for instance, you need a license for the server, a license for the workstation's MS operating system, a license for the network connections to the server, and a license for all the MS applications running on those systems. Lets say MS Office is a given and for shits and giggles, lets say MS dynamics CRM is installed. Now, that means 1 server license, 1 workstation, 1 connection, 1 office and 1 CRM, that's 5 licenses just to be up and running. OF course more workstations will need less licenses but in the certification ordeal with CCHIT, how many of those licenses count as sales? I mean the ERM software could have modular features and easily require 5 licenses, so with the 5k based on sales, if that is for every 5 licenses, then you might need to recover 5k per workstation on top of your profit and expenses for creating the damn thing.

It's a racket that shouldn't be allowed. If we are going to require certification, then there should be some rules and guidelines and limits on costs instead of creating a get rich quick scheme that drives the cost of health care up so some damn politicians can fool the people when they claim to be fixing the problem. The opposite of that would be to open up the ability for other companies or organizations to become certifies and forbid lock ins to certain companies or organizations so competition can drive costs down to something more reasonable.

Re:Anti-FOSS?

[FooGoo]

FOSS is the ultimate conflict of interest. God forbid I need to make some money in order to get my FOSS software product in use in the medical industry. The community will think I sold out :((

Re:Anti-FOSS?

[Sleepy]

I must say sir, that your herring is a lovely shade of rouge.

Re:Anti-FOSS?

[DragonWriter]

It's pretty commonly accepted that certification groups that get their budget from fees have a pretty significant conflict of interest wrt. properly executing their duties.

That's actually the point of such certification groups; they serve their paying clients by creating a competitive advantage for the existing big players that any new competitor has trouble meeting. That's even moreso, often, the point of such groups when certification through them is required by government regulation, as such regulations are shaped often crafted to serve the interests of the existing major players in the industry, and its more effective of a barrier to competition when those who can't afford the certification don't just have more trouble selling their product, but are outright banned from doing so.

Re:Anti-FOSS?

[obarthelemy]

35k+5k is trivial compared to the other costs of developping and maintaining such a complex system.

Re:Anti-FOSS?

oh yes. we should make the cert cost a hundred bucks so every yahoo out there can bug the shit out of a standards community trying to get certified for their software. what a great way to keep the standards as standards!

standards need a high bar in cases like this to keep those away who do not approach the process seriously. these records can not stand even a single flaw for the sake of everyone involved.

Re:Anti-FOSS?

[jellomizer]

When you choose to make your Product FOSS, you should realize you are automatically putting yourself at a disadvantage, by closing off the most direct and profitable revenue stream. So when the industry demands certification and standards if you want to keep going you need to pay for them. I am sorry that is the case.

If you want to be a Medical Doctor you need to pay for enough college for an MD. I am sure there are a lot of people without MD who could be great doctors and have the knowledge and skills to be such. But they can't be a doctor until they get their MD. So they will need to spend a lot of money to get that Certification/degree. In New York State teachers need a teaching certificate so they need to pay for to get this certificate.

By the Article Logic Slashdot, or any website is Anti-Amish because you need to use a computer and electricity to access the site.

If a FOSS group pays the money they will be treated equally. That is not unfair. Giving FOSS a break because they don't have the funds is unfair to the other companies though, because part of the reason for the Certification is to prove that your product isn't a fly-by-night operation. And sorry to say a lot of open source projects are fly-by-night operations which may continue for a while then die in a few months or perhaps a year. So if the FOSS is unable to come up with the money, it means they may not have the overall support that they need to continue.

But also lets realize your primary users are Doctors. And Doctors have money. If your Open Source product is that great and Doctors really love it and find value. And you go to them and say you used this product for free. We want to get it CCHIT certified can you help pay for the certification. I am enough will to get it certified.

If they don't care for your product then then you haven't made a good enough product. And when they need to go CCHIT Certified they will pay for a program that is.

Re:Anti-FOSS?

[budgenator]

Sounds like we need a welfare program for FOSS apps to be able to play in the big leagues. How do you think CCHIT gets their operating budget? Through fees I would expect.

Sounds to me like this organization should be getting funded a better way. It's pretty commonly accepted that certification groups that get their budget from fees have a pretty significant conflict of interest wrt. properly executing their duties.

Well lets see

The Certification Commission is a private nonprofit organization with the sole public mission of accelerating the adoption of robust, interoperable health information technology by creating a credible, efficient certification process. Certification Commission

Well it seems to me that the authority of the CCHIT is self-assumed, they are a private organization, not a public one; being non-profit simply means they have to spend all their money each year, not that they are good or charitable or even that they are anything more than a "good "ol' boys" network protecting their own pork-barrel.

To add some meat or beef or whatever...

[davidsyes]

Here are a few more links...

List of open source healthcare software:
http://en.wikipedia.org/wiki/List_of_open_source_healthcare_software

Welcome to openEHR:
http://www.openehr.org/home.html

"openEHR is about enabling ICT to effectively support healthcare, medical research and related areas. Today ICT is used ubiquitously elsewhere, but is far from effective in Healthcare. The main problem in health is the lack of shareable and computable information.

The principal challenge for health ICT is to represent the semantics of the sector, which are far more complex than in other industries. Doing this requires a knowledge-oriented computing framework that includes ontologies, terminology and a semantically enabled health computing platform in which complex meaning can be represented and shared. At the same time it must support the economically viable construction of maintainable and adaptable health computing systems and patient-centric electronic health records (EHRs).

The openEHR endeavour is about creating specifications, open source software and tools in the technical space for such a platform. In the clinical space, it is about creating high-quality, re-usable clinical models of content and process - known as archetypes - along with formal interfaces to terminology."

If the US has idiots in onbstructionist ways working in positions of power, then maybe, if other countries are technologically superior in such areas, offer help to them so they can grow and come back to haunt and compel the USA to "get with it, already!".

Re:Frosty piss

[Frosty+Piss]

When it freezes over in hell and they allow FOSS, they can have frosty piss for medical analysis...

I'm ready and willing to provide a sample if my HMO covers the cost...

Speaking of cost... 25 to 35K one time fee and 5k a year? What kind of *scam* is that? One gurenteed to make it possible only for those with a huge finantial interest (and thus low OSS interest) to gain entry. Total bullshit. Who made these yahoos incharge?

Re:To add some meat or beef or whatever... Alterna

[davidsyes]

tively...

Screenshot of OpenEMR:
http://sourceforge.net/projects/openemr/#item3rd-2

The resources that already exist in the USA can be brought to bear by offering these to as MANY doctors as possible. It will first requiring conducting info gathering on providers, their electronic systems, having some insiders in the many types of medical offices to come in and user-test/kick the tires on these apps, and get THEIR opinions as to whether the software is worthy of being supported. It appears that some of the open source software might be qualified to pass the end-user-suitability-test (for lack of a better description). If ANY of these apps are found to be half-baked, like many apps written BY developers FOR developers (rather than BY developers FOR end-users), then they should by all means be shunned so they are forced to be upgraded to suitability for the office. After all, if medical, dental, and other offices reject the software, why should regulatory and office personnel even *listen*?

But, again, some/most of these apps *seem* to have what it takes; they seem to be the survivors of the past few years that i've noticed their names (since, oh, ~2001/2003).

Beyond that, the biggest hurdle will be lobbyists/SIGs (Special Interest Groups) that could be working on behalf of defense contractor-named companies (your Lockheed/GE/ and others-- who, incidentally have their hands in ship passenger reservation/assignment software, too...) who want NO competition that would undermine their self-anointed positions of high income.

This article says a lot about FOSS...

[murdocj]

The author unwittingly says more than he intended when he complains about the cost of certification:

Suppose I pay the fee to have MirrorMed (my project of choice) certified. There is no way for me to guarentee that only I benifit from the "seal". My competitors which have full access to the code that I would have certified would be able to correctly claim that the code had been certified, and would benifit with me.

For years, FOSS advocates have talked about how freely redistributable open source software is the better model, and how it's still possible to make money off open source software. Well, if open source is the better, more powerful model for developing software, the certification fee shouldn't be a problem. But as the author points out, he pays the fee, his competitors take the certified software and sell. This just shines a spotlight on the basic problem with commercializing FOSS.

Re:This article says a lot about FOSS...

[db32]

No...it says a lot about requiring certification fees and that in all likely hood and little about commercializing FOSS. In fact, it has pretty much nothing to do with commercializing FOSS unless you are talking about a market that has a government mandated certification process and a certification board dumb enough to let someone take the source code of a certified FOSS project and reeuse that code without forcing that organization to get their individual product certified. So...really what we are talking about here is insane certification requirements and behaviors brought on by government mandate...not FOSS commercialization. Nice try though.

Re:This article says a lot about FOSS...

[sumdumass]

The problem is that the model breaks when the software environment breaks because of fees to make the software useful.

Requiring a certification isn't part of the normal software process or model. It's actually an add on that isn't necessarily needed but has advantages. If the model was changed and the vendor certified the software in house to pass a third party review and the customer had to cover the expense from a third party verification service, it would be the same model and nothing would be broke. But no where else in software, do you have to pay someone in order for your software to be used unless your licensing someone else' product. Of course if your licensing someone else' product and they don't want it open sourced, you can't open source your product that contains theirs.

And something you should note, it's only a problem currently because of the outrageous costs associated with certification. If the costs were lower and more reasonable, the problem disappears. It's disingenuous to associate the problems with the FOSS model or commercializing FOSS software without pointing to what broke it. It isn't like many other software packages ever require third party certifications that require large sums of money either. And of those that might, the sums generally aren't as outrageous and ongoing like this.

Something the poster didn't mention that could negate most all of his fears and black out the point you raised is that they could certify the software under a trademark name and do the releases with the normal name. This would lock the certification into something only he could use. For instance, he likes the program MirrorMed. Now he can create a company called Trotter inc. and certify MirrorMed as "Trotter's certified MirrorMed" software. He then distributes it under that name "Trotter's Certified MirrorMed" and distribute his code as MirrorMed. No one else could claim MirrorMed was certified under his certification because they couldn't use his trademark "Trotter's certified" in the name of the product even though he distributed the code and the certification is in his trademarked name.

In short, the certification would be locked to the "trotter's certified" which is the over package he provides instead of just the software MirrorMed. He could control this because MirrorMed itself as a name wouldn't have been certified. Now the code would have technically been certified so everyone else wanting to do the same could certify it themselves without fear of it failing, and most likely they would certify it under their own trademarked name too.

Re:This article says a lot about FOSS...

[DragonWriter]

For years, FOSS advocates have talked about how freely redistributable open source software is the better model, and how it's still possible to make money off open source software. Well, if open source is the better, more powerful model for developing software, the certification fee shouldn't be a problem.

Certification requirements are a government-imposed market distortion that, if imposed in a way which attaches the cost to the developer systematically disadvantages FOSS software. Of course, since certification requirements, however loudly they are trumpeted as serving a public interests, are almost invariably crafted with the cooperation of the major commercial vendors in the field with the primary intent of reinforcing their position against any possible upstart competitors, this isn't exactly an unintended feature.

Re:This article says a lot about FOSS...

[ion.simon.c]

In short, the certification would be locked to the "trotter's certified"...

That's strange. However, it jives with what I've learned from my experience w/ US governmental IT certification organizations. (The process is infuriatingly slow and inefficient, let me tell you what...)

Re:This article says a lot about FOSS...

[westlake]

And something you should note, it's only a problem currently because of the outrageous costs associated with certification. If the costs were lower and more reasonable, the problem disappears.

The medical records system has to get it right the first time. The cert is not going to be easy to get. It is not going to be cheap.

Now the code would have technically been certified so everyone else wanting to do the same could certify it themselves without fear of it failing

This sounds --- simplistic.

Is it the code that that is being certified here - or is it the implementation of a turn-key medical records system?

Isn't it responsible to demand that you demonstrate a deep understanding of how the thing works?

That you have the resources to maintain your system, upgrade it, provide service and support?

Re:This article says a lot about FOSS...

[db32]

Please ignore

and that in all likely hood

Brain apparently shifted gears on me and I didn't notice before I hit submit.

Re:This article says a lot about FOSS...

[murdocj]

I guess I hit a nerve... all I did was point out that the author of the article, who wants to use FOSS, complained about the problem that once his software is certified, ANYONE can sell it, w/o sharing the cost of certification, and I instantly got modded into oblivion. Just to repeat, here's what the author of TFA article said:

"Suppose I pay the fee to have MirrorMed (my project of choice) certified. There is no way for me to guarentee that only I benifit from the "seal". My competitors which have full access to the code that I would have certified would be able to correctly claim that the code had been certified, and would benifit with me."

You can mod me down if you want to, that doesn't make the problem go away.

one of FOSS's problems.

[MonoSynth]

If the law states that there should be a 'view but not save/copy/print' right (like here in the Netherlands), how could you enforce that *and* be truly open source? You have to certificate each and every release of the full software on a source code level (and provide authorization based on the (i.e.) md5 sum of the executable) to enforce such rights. One simple edit & recompile and you can save/print those x-ray pics, which is against the law.

At the very least, forking, maintaining your own version and fixing bugs for your (employer's) own use is either impossible or very expensive.

Re:one of FOSS's problems.

[DragonWriter]

If the law states that there should be a 'view but not save/copy/print' right (like here in the Netherlands), how could you enforce that *and* be truly open source?

The same way you would do that for commercial programs.

Being open source doesn't mean that there is an absence of government regulations that restrict your ability to distribute and/or use modified versions.

You have to certificate each and every release of the full software on a source code level (and provide authorization based on the (i.e.) md5 sum of the executable) to enforce such rights. One simple edit & recompile and you can save/print those x-ray pics, which is against the law.

And...so, what? Its always possible for the user to modify either the software, the software environment in which the application software runs, or the hardware platform on which the software runs to avoid such restrictions. Certification of software only provides assurance for the software in the form it is sold, not anything that is done by the purchaser after they have received it. Other enforcement measures, like on-site audits, are necessary, whether or not the software is open source, to assure that the user uses the software in a manner which complies with the law.

At the very least, forking, maintaining your own version and fixing bugs for your (employer's) own use is either impossible or very expensive.

It doesn't add any cost that isn't added to purchased software, even if the certification requirement is on software used and not software sold for a purpose, since you are going to be paying the cost of certification for any software you purchase, as well. OTOH, since the modification and use of software in house is part of the internal practices, it makes more sense to include those in whatever regulation and certification requirements exist for internal practices, rather than in the kind of certification requirements that are imposed on software sold for a regulated purpose.

Re:one of FOSS's problems.

[sumdumass]

Opensource is about the code in question and the freedom to adapt it to your needs.

That being said, the ability to give the code away again is still there even with certification is the certification is assigned like a patent or copyright. In this case, the assignment of the certification would be a specific implementation by a specific company or person or person representing the company.

To walk through this just so we are clear, if I create an open source product called "Little Dog" and I get it certified, if the certification is assigned to me for version 1.0, then version 1.2 or 1.45 or whatever would need a new certification. And because the certification is assigned to me, if you decided to take the code and offer your own product or even improve it, you wouldn't be able to claim it was certified because only the person assigned the certification could do that. Technically, the code would have been certified so you could get a certification in your name without fear of failing but you couldn't lay claim to my certification.

Now, I believe this follows along with the open source model and principle because you can get the code, you can distribute the code, you can modify it, you can still do anything you want with it. The only thing you couldn't do is make claims or representations over a certification for use that was assigned to me. Think of it like this, if Time magazine said you were the hero of the month because of some open source program you created, I couldn't accurately take the code, distribute it, and claim Time Magazine called me the hero of the month even though I would be using the same code you created that caused them to notice you.

I hope I didn't just write in circles and confuse my point.

Re:one of FOSS's problems.

[maxume]

It might be cost effective to have a third party certify patches (but probably not).

Re:one of FOSS's problems.

[lawpoop]

Yeah, but do you really think the end users of any certified open-source medical software ( i.e. Doctors, nurses, hospital staff ) are going to be messing with *any* source code, at all?

I think the more likely scenario is that certain versions or releases of any FOSS software would be certified. A health care organization is only going to be running binaries. If there's a concern about a bad actor within the health-care organization re-compiling FOSS code to run renegade binaries, I'll bet that person has enough technical savvy to get around HIPAA laws with much less effort -- screenshots, for example.

Re:one of FOSS's problems.

[Javit]

I commend you on your excellent written English. However, you seem to have run across one of the language's many "gotchas." "I.e." stands for "id est" and means "that is"; I believe you meant to use "e.g.," which stands for "exempli gratia" and means "for example".

Re:one of FOSS's problems.

[fermion]

Point in fact, this already happens with PDF viewers. Most follow the rules. It is true that an individual user can get into the code and change it, but, given the spec, any individual user can always get into any file and do whatever they want with it.

This is where the laws and audits come in. It is just like keeping records in a filing cabinet. There is nothing inherent in the file cabinet that prevents users from copying information, taking the records home, etc. It is simply policy that is enforced with a set of consequences up to national criminal or civil penalties.

Re:one of FOSS's problems.

Disclaimer: I also work in the industry and have been through CCHIT certification processes.

I'm not the biggest fan of CCHIT for a variety of reasons, but sumdumass is overstating things on multiple accounts.

The CCHIT handbook (http://www.cchit.org/files/certification/08/Forms/CCHITCertified08Handbook.pdf) has information on this subject. The requirements for recertification if a change is made are listed in section 4.5. There is exclusion for "minor change", and recertification is not needed for every change of version. I think it is reasonable for CCHIT to require that products that have major changes -- ie something that might affect the way the test outcome.

I don't think it's addressed how this would work if 2 companies were involved, but after working with the folks at CCHIT, I don't think they are trying to be unreasonable.

CCHIT is trying to ensure that the software at least is able to be configured to do the right things (correction: what **they** think are the right things which may be different from what customers think). I don't think they have a bias toward proprietary vendors. Rather, I get the impression that they would LOVE to have open source solutions be certified.

That said, I haven't seen any opensource EHR software that would come close to pass. I'm pretty sure that even VISTA would fail current requirements for generating and accepting CCD, doing e-prescribing, and medication reconcile.

Re:one of FOSS's problems.

I work in an ED in the Netherlands, and all programs we use that let me view x-ray images also have the option to print them.

Re:one of FOSS's problems.

You have summed it up quite well Sumdumass. I led the CCHIT certification effort for WorldVistA EHR, the only FOSS EHR to have achieved certification so far, and we came to the same conclusions about how FOSS could dance with certification.

Joseph

OH CCHIT

nt

Bigger Issue

[hax0r_this]

I see a bigger issue here than the scam this particular group is running.

As I understand it, the stimulus bill allocates $17B to help hospitals across the country pay for medical record systems. Think about that number, $17 Billion.

There is absolutely no reason to distribute $17 Billion to a long list of organizations to individually license an EMRS. For far less than $17B the Federal government could buy any medical record system in the world to be deployed wherever and whenever they want at a fraction of the cost. Or, alternatively, for a lot less than $17B they could sponsor development of a standard, open source EMRS that could, again, be deployed by anyone who wants to at a fraction of what it would otherwise cost.

Obviously there are costs associated with deploying these systems, but the current "plan" amounts to a giveaway of $17B to Semens, GE and whatever other companies produce "certified" EMRS.

Re:Bigger Issue

[obarthelemy]

That's right in theory, and would be the best, but there are issues:
- government-lead IT has a long track record of failures: look only at what in happening in the UK for their healthcare IT right now.
- the hardest part is the design and speccing. once that it done, actual coding should be trivial, but then deployment/training will be hard. FOSS only adresses the easy middle of the equation; the designing probably takes too much effort for a FOSS-type service company to do all the investment up front, and then hope to recoup it with consultancy type work if they win the contract.

Re:Bigger Issue

[TehDuffman]

I don't get what is so hard about setting up EMRS, I am in the Marines and I know we are much smaller than the population overall but the Navy has a Electronic Medical Records system up and working right now. It doesn't seem like it would be to difficult to expand the program to meet larger populations.

Sure I make sure I keep my physical records too but that's just because the Navy used to be so bad at keeping med records that you would get the same shot 7 times when you needed it only once.

Re:Bigger Issue

[ilo.v]

I don't get what is so hard about setting up EMRS

The major software expense is the integration with all of the other crappy old proprietary systems that the typical hospital uses (billing, staffing, bed control/scheduling, inventory, labs, pharmacy, etc.) Billing is particularly a problem, which is something the Marines don't have to deal with since they are predominantly running a single-payer health care system.

Re:Bigger Issue

[Richard_at_work]

How much of that $17b will go toward actual licensing costs, and how much of it will go toward actual implementation costs? Buying or creating the system would, by experience, be the much lesser cost when implementation of said system is ever taken into account.

Re:Bigger Issue

[sirlatrom]

About those issues:
- FOSS is by licence and definition not restricted to being government-lead.
- If $17 bn is available, I'm sure you could find an FOSS-type service company who would make the design effort for a tenth of that amount.

Re:Bigger Issue

[budgenator]

I finally refused the shots, the medic said he'd charge me for refusing a direct order, I countered by telling him I'd counter charge him with dereliction of duty for failing to properly record the shots he had given me last month in my health records properly; he solved the problem in two minuted.

Re:What do you FOSS fags take everything personall

No, you are wrong. CCHIT just happens to be full of CCHIT!

Let's not bring another made-up word into software

[sphealey]

> You have to certificate each and every release

I have no idea why the aviation world decided that the perfectly good words "certify" and "certified", used to describe those concepts since the dawn of aviation regulation, should be replaced with abominations such as "certificate" and "certificated". But let's not bring yet another set of made-up words into the realm of software - we already have too many of them as it is.

sPh

Re:To add some meat or beef or whatever... Alterna

[jkx]

For a discussion of FOSS medical records systems, circa 2005, see http://www.ssrc.org/wiki/posa/index.php/F/OSS_Opportunities_in_the_Health_Care_Sector

Re:It's just been announced!

That's ironic, as I've seen many people here mention that they had just shit out an Obama.

There are two kinds of people in the world, those who shit, and those who wipe asses.

Re:Let's not bring another made-up word into softw

[MonoSynth]

Sorry, English is not my first language and I already thought that I didn't use the right word. I even used my dictionary, but to no avail.

Re:To add some meat or beef or whatever... Alterna

[davidsyes]

Thanks....Interesting, additional and refresher information!

Re:What do you FOSS fags take everything personall

So, the problem is that I have a small penis. Damn.

Re:Frosty piss

I'm surprised nobody has commented on having an almost sensible first post for a change - this is a frost piss that isn't terribly annoying

Re:To add some meat or beef or whatever... Alterna

[Unordained]

Also, consider that the US government has already paid to develop several healthcare systems itself. VistA and RPMS (they're related) serve the VA and Indian Health Services. They're free to download, and local sites often create, apply, distribute, and support various patches independently of any central control. It's free and open-source, at least in a sense. Installation and support (and hardware) aren't free, but a FOIA request will get your the code for free, at least. There's at least one other piece of such software in use for active military personnel, I remember it being mentioned on /. within the last few weeks (but I'm too lazy to find the link.)

Re:Frosty piss

[MrNaz]

You mean someone mated with an anonymous coward? And they say promiscuity is going out of fashion!

Get out of your mother's basement

[nacturation]

Speaking of cost... 25 to 35K one time fee and 5k a year? What kind of *scam* is that? One gurenteed to make it possible only for those with a huge finantial interest (and thus low OSS interest) to gain entry. Total bullshit. Who made these yahoos incharge?

I assume you have some basis for your outrage? Do you know how many hours of work goes into the one-time certification process? What sort of legal review is required? How much money in third party disbursements are involved?

Seriously, if you don't have $30K to pony up for the certification, what are the odds that you've spent the necessary money to ensure full compliance with all aspects of relevant legislation? Have you gone over your application with a team of lawyers to ensure full compliance? Have you hired UI designers to come up with a sane user interface and paid for a panel of doctors from various professions to perform UI testing and implement any suggested changes? Do you also have professional liability insurance to cover any errors and omissions that you might have made? How large is your support department, what's your SLA for support turnaround times, and what's the SLA for any bug fixes or feature improvements? What kind of physical and network-based authentication and permission policies do you employ in your office? If someone were to break into your office during the night and you've been examining data from my systems to track down a bug, can you guarantee that the data won't get compromised because proper information handling procedures have been followed? What's your two year roadmap for the product so that people comparing it against offerings can see where you're headed?

What it boils down to is that the $25K - $35K in fees is partly to cover the actual costs of the certification and partly a statement that "if you can't afford these costs, don't waste our time because odds are good you won't be in business in a year from now". Seriously, that's the salary and overhead cost of a half decent developer for a few months let alone all the other support staff you'll need to maintain a viable business.

Also from the article:

The "seal of approval" model is also problematic. Suppose I pay the fee to have MirrorMed (my project of choice) certified. There is no way for me to guarentee[sic] that only I benifit[sic] from the "seal". My competitors which have full access to the code that I would have certified would be able to correctly claim that the code had been certified, and would benifit[sic] with me. As with the original pricing there is no way to fairly spread these kinds of costs across a community.

Waah... cry him a river. He's complaining that because he's choosing to make his code available for everybody at no cost, that he's putting himself at a disadvantage because others can use his code at no cost? What the FUCK, dude? Choosing to use the GPL means that you've also chosen all the consequences of that particular license. If you don't like the consequences, then don't ask for special treatment because you think the GPL automatically gives you some kind of entitlement. Change your license!

Re:Get out of your mother's basement

[Achromatic1978]

Mod parent up, insightful and informative, speaking as someone in the Healthcare IT field. On both the certification angle and the GPL issue.

Re:Get out of your mother's basement

"if you can't afford these costs, don't waste our time because odds are good you won't be in business in a year from now"

And that's what you're going to tell all the solo pediatricians and family practitioners who currently use paper charts and who are going to have to suck up that cost when they buy a certified EMR?

Also, he's technically wrong about whatever bizarre thing he's freaking out on over the GPL. Last I heard, CCHIT requires that any major changes be re-certified, so if MirrorMed gets certified and someone else tries to take that code and turn it into something that's not MirrorMed, they're going to have to pay up for a new certification.

Re:Get out of your mother's basement

[jfmiller]

If what you suggest were actually done, you might have a point, but all the EMR software I've seen has a nightmare interface, numerous features disabled (and done on paper instead) because they don't comply with the law, and a security model that is modeled after having physical access to a terminal because that is how the paper charts are secured!

Honestly the current software out there makes Diebold look like a secure and competent vendor.

Re:Get out of your mother's basement

[kullnd]

Exactly right, and anyone who works in Medical IT, deals with Medical Records, has had to deal with all of the interfacing between medical applications, and in the future will be dealing with new standards which include sharing of medical record information across organizations, knows that $35k had better not be a big deal for any vendor you work with, shit we pay more than that a year in support contracts for some applications! If you have developed an EMR application and you can't afford this, don't count on me recommending you to any facility that I work with. Medical applications cost a lot of money, if you are a facility that decides to try and save some money on the front end and go with the cheap option, don't be surprised when you find yourself in a hole because suddenly you don't meet some federal or state standard. When this happens the cost to change over to something that is compliant is going to cost you more than just spending a couple dollars more and getting one from a company that realizes the value of being certified in the first place. The cost of maintaining these systems to these standards is very expensive.

Re:Get out of your mother's basement

[kullnd]

That's odd, because I've seen some pretty sweet medical records systems in the past year...

Re:Get out of your mother's basement

[nacturation]

if you can't afford these costs, don't waste our time because odds are good you won't be in business in a year from now"

And that's what you're going to tell all the solo pediatricians and family practitioners who currently use paper charts and who are going to have to suck up that cost when they buy a certified EMR?

If you have five people in your minuscule company with salaries, benefits, office space, equipment, legal and accounting fees, insurance, and other overhead of $100,000 per year for each employee (and really, that's low for anybody decently skilled) then $30,000 represents 6% of the total cost. Over the course of ten years, the cost of acquiring and maintaining certification, assuming your expenses don't go up at all, represents an average of 1.5% of your total expenses.

So in answer to your question: no, if I were running such a software business I don't think I'd tell practitioners that certification costs represent an average of 1.5% of the business's operating costs because nobody's going to give a shit. Do you scream bloody murder when your movie ticket price goes from $10.00 to $10.15?

Re:Get out of your mother's basement

then $30,000 represents 6% of the total cost

I know it's like when people get upset over an 800 billion dollar stimulus package. It's only 7$ of an 11 trillion dollar debt. sheesh.

Re:Get out of your mother's basement

[dave87656]

Seriously, if you don't have $30K to pony up for the certification, what are the odds that you've spent the necessary money to ensure full compliance with all aspects of relevant legislation?

30k is alot of money. In our shop we have regulatory requirements with respect to watch lists, credit cards and so on. Fulfilling those duties cost significantly less than 30k.

25k + 5k/year is a barrier to entry to keep the big boys protected from competition, nothing else.

Re:Get out of your mother's basement

[dave87656]

... $30,000 represents 6% of the total cost. Over the course of ten years, the cost of acquiring and maintaining certification, assuming your expenses don't go up at all, represents an average of 1.5% of your total expenses.

Interesting that you neglect to include the 5k yearly fee in your calculations, which changes the number from $30,000 to $80,000.

That's a signficant barrier to entry.

Also interesting that you assume that personal costs are $100,000/year.

When someone bends numbers to such an extent, on one hand to make one number look as small as possible and, to further their argument, to inflate another number as much as possible, you have to question the validity of their argument in the first place.

Re:Get out of your mother's basement

[WaywardGeek]

As with many new standards, there should be an open-source reference implementation, which has achieved certification. We do this with most other standards. I don't see why this is different.

Re:Get out of your mother's basement

[budgenator]

Medical applications cost a lot of money, if you are a facility that decides to try and save some money on the front end and go with the cheap option, don't be surprised when you find yourself in a hole because suddenly you don't meet some federal or state standard. When this happens the cost to change over to something that is compliant is going to cost you more than just spending a couple dollars more and getting one from a company that realizes the value of being certified in the first place. The cost of maintaining these systems to these standards is very expensive.

From what I've seen most of these vendors don't maintain to the standards with the rigor that I'd assume would be required from reading the standards, and I assume it's because of the expense. Furthermore a lot of these companies either tank from trying or get bought-out by a company that only does a half-assed job for a few months, then forces an "upgrade" to less capable system and you lose half your data in the conversion. At least with an open standard, your data wouldn't be held hostage to one company.

Re:Get out of your mother's basement

[nacturation]

5 employees @ $100,000/year (everything included) = $500,000/year
10 years @ $500,000/year = $5,000,000 over 10 years
$30K first year + 9 years @ $5K = $75,000
$75,000 / $5,000,000 = 1.5%

Have a nice day.

As to your assertion that $100,000 per year per employee is inflated, Oracle averaged $153,000 in operating expenses per employee over the last 12 years[1]. Red Hat was almost $250,000 in operating expenses per employee[2]. So $100,000 per year is low in the software industry and it's doubtful you'll find any company with a lower figure than that.

If you're going to doubt my math, how about you bother to do some yourself? Your emotional hand waving arguments have no substance.

[1] http://www.ecommercetimes.com/story/65518.html
[2] http://finance.yahoo.com/q/ks?s=RHT

Re:Get out of your mother's basement

[godefroi]

So, I'm going to go out on a limb here and say that I'm one of the few here that has gone through the CCHIT certification.

I can say that it's an involved processes. The fee is justified. The EMR and HIE spaces aren't places where one-guy-in-a-basement can play, they're BIG deals involving BIG money and LOTS of CRITICAL (i.e. people die if you get it wrong) data.

I can also say that CCHIT are not anti-FOSS, from what I can see. The certification itself involved several FOSS tools (and some of them were mighty broken...). I have to agree with nacturation here, this guy is bitching because he doesn't like the consequences of the GPL. Tough luck, dude.

Re:Get out of your mother's basement

30k is alot of money.

Yeah... to a starving child in Africa.

Re:Let's not bring another made-up word into softw

[sphealey]

> Sorry, English is not my first language and I already
> thought that I didn't use the right word. I even used
> my dictionary, but to no avail.

My apologies - I did not mean to criticize the English skills of a non-native-speaker. In general United States English usage a person or object is granted (or possesses) a certificate, and is then said to be certified. As I noted the world of aviation recently (within the last 10 years) started using the word "certificated" (ser-tif-eh-cate-ed). English has so many variants of everything that that word might appear in a comprehensive dictionary. But it was not used AFAIK until about 10 years ago.

sPh

FOSS is dead. Stick a fork in it.

Funny to see that the next story which is about Blockbuster video has gotten over twice as many posts in half the time. Used to be that people would give a fuck about open source around here. Now it's all about digital entertainment. That's why stories about DRM and copyright get huge posts over anything else anymore, save some political bullshit.

Slashdot knows where it's bread is buttered. The editors give fuck all about coding and computing anymore. It's all about free songs and movies today.

FOSS health sys IS *MASSIVELY* deployed in USA

Ever heard of the VA? They use an open source system that is sound at it's core though a bit outmoded on it's face. Of course being open source folks will continue to improve it and so the VA (the largest provider of healthcare in the US? ) will continue to improve. Why not drive folks to adopt it if they want their share of the $17BB? BTW larger medical groups are fully electronicified already (using EPIC and the likes) it is only the many many smallers sites that are not.

CCHIT?

Disclaimer: I work in this industry.

To be blunt, CCHIT is among the least significant and cheapest of the regulatory considerations in healthcare software, particularly when you're talking hospital-caliber systems. Far more onerous are the FDA regulations and oversight (at this level, healthcare software is regulated as a medical device), and similar bodies in other countries. Software bugs can also create enormous legal risks; malpractice or wrongful death claims are never cheap, and bad code or human error does not get you off the hook. All of this means enormous testing and documentation costs, shared by both the software companies and the hospitals. (The VA, as an arm of the federal government, enjoys some legal advantages over other hospitals in this regard.)

Combine this with the enormous complexity and the domain expertise required to model what can occur in a hospital, and you have a market with a very high cost to enter - not the best opportunity for open source. Indeed, there's been several highly-capitalized and failed attempts to enter the market by tech giants ...

That said, most modern healthcare software contains and uses healthy quantities of open-source code, but generally not of the GPL variety. We regularly contribute to the projects we use, inasmuch as our employment contracts permit. However, generally speaking, these projects are not specifically healthcare oriented (though there are exceptions - hapi is a personal favorite.)

Re:CCHIT?

[ilo.v]

Software bugs can also create enormous legal risks; malpractice or wrongful death claims are never cheap, and bad code or human error does not get you off the hook

What, you mean I can't make every shmuck that comes in my hospital click on an EULA that says that they can't sue me even if I kill them?

Re:CCHIT?

[dkf]

What, you mean I can't make every shmuck that comes in my hospital click on an EULA that says that they can't sue me even if I kill them?

Sure you can! But the courts will ignore it I bet; some types of clause are generally reckoned to be unconscionable and "can't sue me if I kill you" would be a prime candidate for that sort of thing.

Re:CCHIT?

[ilo.v]

... some types of clause are generally reckoned to be unconscionable and "can't sue me if I kill you" would be a prime candidate for that sort of thing

That hasn't stopped Microsoft or most of the rest of the software industry from doing exactly that. Their EULAs basically all say that if defects in their software cause harm, they are only liable for the cost of refunding the purchase price. If their software defects kill someone, they are trying to be not liable. To my knowledge that type of clause hasn't ever been ruled unconscionalbe yet, but there isn't much case law on EULAs.

Getting a second opinion

There is a HUGE problem with this issue of electronic records and it relates to the philosophy of who should be responsible for what. IMHO each person should be responsible for his own records. When you use medical services, you always receive the records produced during those services, and the provider will keep a record as they always have. But these records should not be shared with anyone nor go into any kind of national database. These records can be in a standardized electronic format if that makes life easier, but paper records are just fine. When you use medical services in the future, it is up to you whether you wish to provide the records you have or not, and to select which records to provide. This is your body. It's nobody's business to read all the gory details unless you wish to provide them.

Why?

Many reasons, but I'll provide just one for brevity: It's called GETTING A SECOND OPINION

Suppose you have some condition. You go to a doctor and he says the only solution is to chop off your arms, legs, and while he's at it, your head, too. Shit, that sounds like a serious problem. You want to know what another doctor thinks. If that second doctor is required to punch up your ID in the national health system and read all prior records, he will see what the prior doctor said and that will influence his thinking. You want to get a second opinion without revealing to the second doctor anything you already know about the condition.

The excuse that a medication might conflict with another medication you're already taking is NO REASON to go produce a national health care record system wherein is located everything from the exact force applied when the delivery doctor slapped you on your ass, in a manner that reveals more than you might want to reveal.

Just another example of why

[Presto+Vivace]

the open source movement needs to be active on standards bodies. Standards selection is vendor selection.

CCHIT is SH*T

[Omega1045]

I spent a few years working as a software engineer for two electronic medical records companies. The second company certified some of its software with CCHIT. From that experience I can tell you that the CCHIT requirements are idiotic, and don't lead to better patient care, or better software for that matter. They are a hoop businesses jump through (both software companies and clinics). There are states that offer tax incentives for physicians that use CCHIT certified software. I know we spent a lot of time and effort implementing stupid features that were supposed to enhance security around patient data, help the physician provide better patient care, etc. In many cases these "CCHIT features" did just the opposite.

Its really disheartening when you write software all year to provide useful tools for doctors that improve the standard of care, and then have a bunch of useless and counterproductive features slapped on because of an upcoming CCHIT certification.

Cart Before Horse Alert!

So a National Medical Records initiative has been extensively debated and decided upon overwhelming majority consensus?

If so, a whole bunch of your personal privacy and mine just went up in smoke. A point where FOSS is reduced to a bad joke since the debate now is over reception of Fed Gov spoils?

So we allow this fucking monstrosity to be build because it supplies stimulus money and a few can get rich?

And I'm supposed to give a shit whether or not some giant demagogic database capable of achieving damn near sentience is accessible with FOSS?

That should be the least of concerns at this point.

IS the FOSS system that the VA system certified ?

[waferhead]

IIRC the VA uses a pretty robust system, and it is FOSS (public domain).

Is there some paricular reason it cannot (or isn't) certified, and or become the reference system?

Re:IS the FOSS system that the VA system certified

Try to imagine what the average developer is likely to produce given a non-relational database with no schema enforcement, and a forty-year old untyped write-only language that will eval snippets of source code with no sandboxing. You could port that crap to Perl and still be better off, if only it weren't inconceivably hard.

GPL Issue

[Morosoph]

The question here is about what it is reasonable for the certificating authority to do given a piece of code, rather than what it is reasonable for a programmer to do. Certainly, the argument for the fee may still hold, but the license requirement must be bias, since to oppose the GPL is to state that the GPL model intrisically yields poor code.

Of course the programmer can choose another license, but to require that of the programmer can only be a special interest. If this were made law, it would be a clear instance of 'regulatory capture'.

recompiling and security

One simple edit & recompile and you can save/print those x-ray pics, which is against the law.

How is this different than taking a closed-source system, stopping the processes, adding a LD_PRELOAD and starting them up against? Binary, on-the-fly patching has been around for a long time (IBM did it with OS/2 and Windows 3.11 binaries).

Are you also going to patch the OS with DRM to disable any 'print screen' functionality? If you can grab an screen shot regardless of application it's a lost cause as well.

Security is about mitigating risk. What are your attack vectors?

It's simple

[uassholes]

A standards organization that charges these big fees is part of the problem rather than part of the solution to the stated goal of reducing health care costs.

Re:Let's not bring another made-up word into softw

[david+duncan+scott]

Although I am inclinated toward your position, agreement-wise, I think we should conversate about this before decisionating the matter.

Original Author replies

[tr0tt3r]

I would like to respond generally to some of the high ranked comments.

First, one of the assumptions is that an EHR is -one- kind of thing and it needs to be certified. This is much more a category buster, like a car. If a required car certification mandated that all cars should have beds like a truck, be able to off-road and break 150 mph, then you would have a tremendous change in how the auto-industry works. Even if you have seemingly reasonable requirements like "auto-door locks" or "automatic transmission". Not everyone -wants- a car like that.

To further complicate the problem, clinical clients typically have no idea what they want or need. Dr. Valdes (of LinuxMedNews is fond of saying "doctors have no idea what they want and programmers give it to them"

Also an important thing to recognize is that CCHIT is not primarily targeted at hospital systems, but "ambulatory" clinics. Hospitals are much smarter buyers and so certification has less power there. In the "ambulatory" market, the certification is taken as a short-cut for "good". If the certification is mandated you have a real problem

The other thing is that cost is only one part of the reason that the standard is broken. It is fundamentally incompatible with the FOSS model.

Consider a large company, like IBM that starts to sell support for a FOSS EHR project (like they did with GNU/Linux). Lets imagine that the supported OpenEMR.

OpenEMR is made up of 5-15 small companies (often one man shops) that have developed a pretty impressive EHR, given their resources. If IBM decide to support the codebase however, IBM would suddenly have 100s of clients, but would have contributed nothing to the actual development, which has been going on for close to a decade.

Then IBM takes OpenEMR to get certified. Because they have 100 clients that is a justifiable cost for them, they can split the cost between their clients.

Now, Rod Roark over at SunsetSystems is a core OpenEMR developer and might have 10 clients. (who knows how many he actually has of course)

So does IBM's CCHIT certified OpenEMR allow Rod to advertise his code as certified?

If the answer is "yes" then IBM has footed the bill for Rod's certification (This is essentially what WorldVistA did, but remember, they are a non-profit). IBM would not be happy about that.

If the answer is "no" then Rod cannot compete with IBM on a codebase that he has contributed far more to than IBM. OpenEMR is 'certifiable' because of Rod's work, but he has no benefit yet. Instead he has to go and spend $100k -again- to get -his- version of the codebase certified. But he does not have the clients to support the certification cost, even if he were able to pass all of the tests.

So I am not saying I want a "handout" for FOSS systems. But as you can see, the whole philosophy of CCHIT certification is designed to work with a company and a proprietary 'product'. Rather than a community of people and companies and a 'project'.

Some of your comments seem to reflect this, but others do not. I hope this makes my position clearer.

Thanks for reading!!

Fred Trotter