Tim.Churches wrote:
>
> I think that the key question is: what does certification involve? How
> is it done? Is the $25000 certification fee required in order to employ
> a team of High Priests who use magical incantations and crystal balls to
> determine whether a particular software product should be certified, or
> is there an objective list of criteria which products must meet or
> fulfil? Hopefully the latter. Clearly these criteria should be

I think in CCHIT's case it's the latter. They're very open about their criteria. I haven't reviewed it all, but it seems reasonable. I don't see how the fees can be gotten around in any case. It's really a matter of a group's ability to financially absorb the cost.

Certification is not magic. Real work that involves cost is involved to run tests and validate that an application conforms to specific standards. There are legal implications by certification as well, which I would not want to take on as a certification body without a sizeable fee. So, I would say $25,000 is quite reasonable. They may have to raise the rate though.

Software certification in some form is already done, BTW, in the U.S. by JCAHO. It's just that the USE of a system in a healthcare organization is certified, but not the system itself. So, CCHIT's program could lower the cost of JCAHO compliance depending on the criteria. For example, with OpenEMed, we're quickly running up against the requirement to demonstrate that the product running out of the box is HIPAA compliant. CCHIT's costs can be cheaper to demonstrate that than going it alone.

Furthermore, I believe if a group is developing any kind of software for the ENTIRE health care market and they haven't figured out how to recoup enough money to cover CCHIT (or similar) certification, then perhaps the development effort isn't meant to produce software to manage real health care data anyway.

I hate to be the antagonist on this point ... but the world doesn't expect to get open source software for $0 total investment. And health care Open Source development groups have a responsibility to ensure their work lives up to some standard.

> published, and publishers of medical software should be encouraged to
> document how their product meets these criteria.
> The cost of certifying
> a product for which its vendor/publisher has done all the hard work for
> the certifying agency by documenting how it meets the certification
> criteria should cost a lot less to have certified than a system without
> such documentation. The vendor/publisher-provided certification
> documentation might comprise things like reference to design documents,
> automated tests to demonstrate compliance with certain prescribed or
> proscribed behaviours, or reference to the source code for the product.

You bring up a good point. Certification of proprietary products is also probably more costly than an open source certification. Just using documentation only though to certify products assumes that the documentation accurately and truthfully describes a product's compliance. Defeats the purpose of an independent review, really. This makes open source certification by a CCHIT-like organization that much more attractive to me as a developer.

> Now, one can see why vendors of proprietary medical software would not
> want to make such certification documentation publicly available - it
> would reveal a great deal to their competitors about the engineering of
> their product and would probably require access to source code and a
> working copy of the product in order to be useful anyway - neither of
> which would be publicly available - so there would be little point.

I will allow that it's possible to validate the functioning of a software product without looking at the source code, assuming there are no "hidden features." But, certification of an open source product could set a higher standard, too.

> Obviously there is still a high cost to certification for proprietary
> vendors and open source projects alike, but at least with the model
> described above, or variations on it, those costs can be distributed
> across a community of users and developers, and the certification can
> evolve and be maintained alongside the open source software itself,
> rather than having to be redone from scratch by behind-doors certifiers
> for each new release or version.

I agree, but the cost needs to be collected and paid for somehow... and, (deep breath) an official certification needs to be sought by some real entity with real money that can version lock a real product and manage a real release - not just a nebulous group who doesn't expect to get paid.

Certification is just one cost. Constantly updating applications of any kind to meet changing regulations is another cost many open source developers don't take into account. CCHIT, fees and all, can help communicate to the public where an open source project complies with government regulations.

Richard