Vendor Selection Help
Description of Terms in Afia’s Vendor Selection Tool
Functionality
This section clarifies some of the features listed in the Vendor Selection Tool.
Common
CMM5 – Has speech recognition features
System will convert your speech into text that can be pasted into a text box. The system should be compatible with third party speech recognition tools, such as Dragon Naturally Speaking. In our experience, this does not save much time due to the need to proofread and fix errors.
CMM8 – Permit simultaneous user access
This requirement allows multiple users to access the same patient or record at the same time.
Patient Registration / Demographics
DEM4 – Provides a current directory of practitioners with demographics
Does the system list the Doctors / Physician Assistants / etc. contact information from a central menu?
Appointment Scheduling
APT8 – Ability to integrate with external calendar systems (Outlook, Google, etc.)
Does the system integrate and exchange information with other calendar applications? Ideally, you should have the ability to maintain one calendar application that links to the other systems. The alternative is to maintain multiple calendars, which is inefficient.
Clinical Decision Support
CDS1 – Utilizes clinical information from all parts of the chart to provide decision support
Pulls patient data from all areas in the chart and displays in an organized summary or patient dashboard.
CPOE – ePrescribing
eP7 – Must be Surescripts Certified
Surescripts is the leading certification for ePrescribing, which will ensure integration with the most systems. You can verify your vendor’s status on Surescripts website.
CPOE – Labs and Results Management
LAB2 – Can send lab orders and receive structured results electronically to/from laboratories, hospitals, etc.
To maximize integration possibilities, the system should accept structured data from labs or hospitals. The lab will parse the results into recognizable pieces. Structured data is data that resides in fixed fields within a record or file. Relational databases and spreadsheets are examples of structured data. Contrast this with unstructured data such as images, PDFs, or word processing files.
Messaging / Communication
COM2 – Supports secure electronic communication between providers (CCR or CCD formats)
The system should allow you to communicate your data with outside entities using a standard format. Currently, the two standards in use are CCR and CCD. Each is a way to format the data so it can be understood by other applications. The vendor should support CCR, CCD, or both.
System Administration
ADM2 – Manages the sets of access-control permissions granted to users
The system grants the on-site administrator the ability to edit the permissions granted to users. For example, if someone in Finance does not have access to billing, then the local system administrator could grant that access. You should not rely on the vendor for this type of change.
ADM4 – Provides administrators with audit trail of user actions
Allows an on-site administrator to review the audit trail of user actions. This is in contrast to systems where only the Vendor may access this information.
ADM5 – Ability to participate in a single sign on solution
This allows the user to have one username and password to access both the computer and the system. Maintaining a separate username and password for each application is not user friendly and requires additional maintenance and resources.
Technology
This section defines all of the technology terms used in the Vendor Selection Tool.
Compatibility
C1 – System must be Mac compatible
System will work on Apple’s Mac computers or other computers running Apple’s operating system.
C2 – System must be Windows compatible
System will work on computers running Microsoft Windows. It is useful to specify a minimum Windows operating system to use as a standard throughout your organization, e.g. Windows XP or Windows Vista.
C3 – System must work with tablet computers
Tablet refers to mobile computers with a screen designed for the user to touch directly or use a stylus for input, selecting options (buttons, checkboxes, radio buttons, etc.) in lieu of text entry.
Performance and Availability
PER1 – System should support form refresh times of under << x seconds>> on minimum hardware with full load
The refresh time refers to how long it takes a form to reload information and display it on the screen. ‘Form’ refers to the page of information you are viewing in the application.
PER2 – System should provide 99.999% availability
The system will have less than 6 minutes of downtime per year. This is considered ‘Continuous Availability.’ Downtime is any time when the system is not available or not functioning properly which limits productivity. Ideally the system would have no downtime. However, it is important to note that there is a cost associated with limiting downtime. As the amount of downtime decreases, the cost increases.
PER3 – System should provide 99.99% availability
The system will have less than 1 hour of downtime per year. This is considered ‘High Availability.’ Downtime is any time when the system is not available or not functioning properly which limits productivity. Ideally the system would have no downtime. However, it is important to note that there is a cost associated with limiting downtime. As the amount of downtime decreases, the cost increases.
PER4 – System should provide 99.9% availability
The system will have less than 9 hours of downtime per year. This is also considered ‘High Availability.’ Downtime is any time when the system is not available or not functioning properly which limits productivity. Ideally the system would have no downtime. However, it is important to note that there is a cost associated with limiting downtime. As the amount of downtime decreases, the cost increases.
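An added example, not part of the original document, that turns the PER2 to PER4 percentages into a yearly downtime budget and checks a constructed outage record against each tier; it assumes a 365-day year as the measurement period, which is the basis the vendor should state in its SLA.

```python
from datetime import datetime, timedelta

MINUTES_PER_YEAR = 365 * 24 * 60  # assumed measurement period (non-leap year)

# The three tiers from PER2 to PER4 with the labels the document gives them.
AVAILABILITY_TIERS = {
    "PER2": (99.999, "Continuous Availability"),
    "PER3": (99.99, "High Availability"),
    "PER4": (99.9, "High Availability"),
}


def downtime_budget_minutes(availability_pct, period_minutes=MINUTES_PER_YEAR):
    """Maximum minutes of downtime allowed per period for a given availability."""
    return period_minutes * (1 - availability_pct / 100)


def total_downtime_minutes(outages):
    """Sum the length of each (start, end) outage interval in minutes.
    Overlapping or unsorted intervals are merged so they are not double-counted."""
    merged = []
    for start, end in sorted(outages):
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return sum((e - s).total_seconds() / 60 for s, e in merged)


def achieved_availability(outages, period_minutes=MINUTES_PER_YEAR):
    """Availability percentage actually delivered over the period."""
    return 100 * (1 - total_downtime_minutes(outages) / period_minutes)


def tiers_met(outages):
    """Which PER tiers a given outage record satisfies."""
    achieved = achieved_availability(outages)
    return {tier: achieved >= pct for tier, (pct, _label) in AVAILABILITY_TIERS.items()}


# Constructed outage record: two incidents totalling 45 minutes in one year.
SAMPLE_OUTAGES = [
    (datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 2, 30)),
    (datetime(2024, 9, 17, 13, 10), datetime(2024, 9, 17, 13, 25)),
]
```

Run `tiers_met(SAMPLE_OUTAGES)` to see that 45 minutes of downtime meets 99.99% and 99.9% but not 99.999%, whose budget is barely over five minutes.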
PER5 – System must support << x>> concurrent users
The system must run smoothly with no lag time when < > different users are utilizing the system simultaneously.
Security
SEC1 – System must provide role-based security
This allows for the setup of generic levels of access, instead of setting up access for each user. A user is assigned one or more roles based on the level of permissions they need. For example, you may want to limit claim processing to the Finance department. You can set up permissions for a Finance role and designate the appropriate users as Finance.
SEC2 – System should encrypt critical patient information in the database
Critical or private information should be stored as encrypted data, which is decrypted on system access. This protects against unauthorized access to the data; if someone gains access to the database, they will not be able to read the data.
SEC3 – System supports all current HIPAA security requirements
HIPAA is the Health Insurance Portability and Accountability Act, which requires you to maintain confidentiality, integrity, and availability of data. This includes, but is not limited to: implementing updated virus protection; requiring a secure login and password-protecting files; and encrypting any data that is transmitted. For more information, visit the U.S. Department of Health and Human Services and their Health Information Technology page.
SEC4 – System maintains audit trail of all events
The system tracks the time someone logged in, the records that were changed, the changes that were made, and the time the user logged out. This data should be available to the system administrator.
SEC5 – System will automatically sign out after << x minutes>> of inactivity
This prevents unauthorized users from accessing the system. If a user forgets to log out and walks away from his workstation, the system will automatically sign out after a set amount of time.
SEC6 – System passwords expire after << x days>>
Passwords expire after a set number of days, requiring you to enter a new password. If a password is somehow acquired, then it will only work temporarily until a new password is created.
SEC7 – System limits user access to patients within their << department, area, office>>
Role-based security will limit a user’s capabilities (billing, patient charts, ePrescribing, etc.) within the system, but does the system restrict the user to only those patients treated at their site? This may be important for larger organizations with multiple offices.
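As an added illustration of SEC1 and SEC7 working together (example code, not part of Afia's tool), a request first passes a role check and then, for patient-scoped actions, a check that the patient is treated at the user's own site; every decision, denials included, is written to an in-memory audit trail in the spirit of SEC4 and ADM4. The roles, users, patients and site names are constructed.

```python
from datetime import datetime, timezone

# Constructed role table (SEC1): a role bundles permissions; users get one or more roles.
ROLE_PERMISSIONS = {
    "clinician":  {"chart.read", "chart.write", "eprescribe"},
    "finance":    {"billing.read", "claims.process"},
    "front_desk": {"schedule.write", "chart.read"},
}

# Constructed users and patients; 'site' is the office the user works at (SEC7).
USERS = {
    "dr_lee":   {"roles": {"clinician"}, "site": "north_office"},
    "pat_f":    {"roles": {"finance"}, "site": "north_office"},
    "kim_desk": {"roles": {"front_desk", "finance"}, "site": "south_office"},
}
PATIENTS = {
    "MRN-001": {"treating_site": "north_office"},
    "MRN-002": {"treating_site": "south_office"},
}

AUDIT_TRAIL = []  # SEC4 / ADM4: one record per decision, reviewable by the administrator


def permissions_for(username):
    """Union of the permissions of every role the user holds; empty for unknown users."""
    user = USERS.get(username)
    if user is None:
        return set()
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))


def is_authorized(username, permission, mrn=None):
    """Role check (SEC1), then site check for patient-scoped actions (SEC7).
    Unknown users or patients are denied rather than raising an error."""
    allowed = permission in permissions_for(username)
    reason = "role" if allowed else "no-role"
    if allowed and mrn is not None:
        patient = PATIENTS.get(mrn)
        allowed = patient is not None and patient["treating_site"] == USERS[username]["site"]
        reason = "site-ok" if allowed else "wrong-site"
    AUDIT_TRAIL.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "permission": permission, "mrn": mrn,
        "decision": "ALLOW" if allowed else "DENY", "reason": reason,
    })
    return allowed
```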
SEC8 – System implements encryption (TLS/SSL) when transmitting data
The system should encrypt data before transmitting it over an untrusted network, such as the internet. The most common methods implement the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols.
Disaster Recovery
DIS1 – System should be restored within << x hrs>> of system failure
If the system goes down and data is lost, this is the maximum amount of downtime that is acceptable before the system is back in place.
DIS2 – System must provide << daily,weekly,monthly>> backups
This defines how often the system creates automatic backups of your data.
DIS3 – System backups should be stored offsite
A backup of your system is stored offsite, which will protect your data from any physical damage to your on-site servers caused by water, fire, etc.
Architecture
ARC1 – System should have a modular design
A modular design breaks the application into smaller pieces that work independently and exchange data through established protocols, which may facilitate integration with your current system. Implementing specialized features could be accomplished by updating a module or two, instead of reworking the entire application.
ARC2 – System should be built on a Service Oriented Architecture
Service Oriented Architecture (SOA) is an IT style that transforms your organization into a set of compartmentalized services, or functions, linked through a network (intranet or internet). Web Services are used to integrate the services. Adopting this architecture empowers your organization to utilize vendors across the globe to quickly adapt to your ever-changing needs.
Integration
INT1 – System is HL7 compliant
Health Level 7 (HL7) is a non-profit that developed standards for electronic interchange of clinical, financial, and administrative information among health care computer systems. Most importantly, the Messaging Standards lay out requirements for data packaging and exchange between systems.
INT2 – System shares data between modules (PM / EHR) seamlessly without dual entry
Data entered in one area is applied throughout the system. For example, patient demographics entered in the ‘scheduling’ area would also be used in the ‘billing’ area. The user should not be required to enter the same information more than once.
INT3 – PM / EHR system shares data seamlessly with specialty software without dual entry
When buying separate PM and EHR systems (or other specialty systems) it is important to ask detailed questions regarding data integration. The user should not be required to enter the same information more than once.
INT4 – System interfaces with obligatory third-party software (HIE, Labs, Specialists)
If required, the system should support data exchange with an outside organization such as a Health Information Exchange (HIE), hospital lab, or another specialist.
Accessibility
ACC1 – System must be accessible via the Internet
Accessing the system over the internet allows staff to work from office, home, or any other location. The system must have a secure login to keep out unauthorized users.
ACC2 – System must NOT be accessible via the Internet
Restricting access to the company intranet adds another layer of security. All work must be done from the office.
ACC3 – Can accommodate visually impaired users (color blind, poor eyesight, legally blind)
System should allow text to be resized, discern different items by more than color alone, and comply with all Section 508 requirements.
Components
CMP1 – System does not use third-party components
A third-party component is software developed by an entity other than the PM/EHR vendor. Your vendor will not have the ability to alter this code if it does not fit your organization’s needs.
CMP2 – System supports << x type>> database (MS SQL, Oracle, MySQL, etc.)
If you have an existing database setup, then you may not want to purchase and install another database system. There are many database applications and this is only a partial list of available options.
CMP3 – System does not require local component installation
The system will run without installing a component on the local computer. For example, a system may require the installation of an ActiveX component, but if you do not have appropriate (Administrator) rights to install software on your computer then the system will not work without IT intervention.
Installation and Hosting
INS1 – System installed locally
The system is installed on server(s) maintained by your organization. Your IT department is responsible for software availability, and your software vendor might not support software updates.
INS2 – System available in ASP Model
ASP stands for Application Service Provider and is used in conjunction with Service Oriented Architecture (SOA) to provide ‘Software as a Service’ (SaaS). The software runs on the vendor’s servers and is accessed using an internet browser. With this method, the software vendor is responsible for maintenance and software updates.
General
This section defines selected general features listed in the Vendor Selection Tool.
Certification
CER1 – Product is CCHIT (or equivalent) certified
Has the product been tested and approved by a reputable organization, such as Certification Commission for Health Information Technology (CCHIT)?
