The HHS Office of the National Coordinator for Health Information Technology (ONC) gained the authority to directly review certified health information technology (IT) products in circumstances that may pose a risk to public health or safety, or when practical challenges make it difficult for ONC-authorized certification bodies (ONC-ACBs) to do so. In an advance release of a Final rule to be published in the Federal Register on October 19, 2016, the ONC created a regulatory framework for such review. It also established a process allowing it to oversee accredited testing laboratories to align with its existing oversight of ONC-ACBs and made identifiable surveillance results of certified health IT publicly available.
ONC-ACBs issue certifications for health IT and are responsible for conducting ongoing surveillance, based on adopted certification criteria, to ensure that certified health IT continues to conform with program requirements. However, their assessments may not involve interactions among certified capabilities and other capabilities or products that are not certified under the program, and may be limited to certain functional outcomes. Because the ONC is better suited to perform evaluations without such limitations, the Final rule grants it the authority to perform reviews both independent of, and in addition to, ONC-ACBs.
Circumstances of review
Section 3001 of the Public Health Service Act (PHSA) (42 U.S.C. §6A) permits the ONC to directly review health IT in a broad range of circumstances. However, the agency will use its limited resources to directly review products only in circumstances in which it believes that certified health IT is causing or contributing to serious risks to public health or safety, or in which practical challenges make it difficult for ONC-ACBs to effectively investigate or respond to non-conformities. For example, the ONC may have access to confidential information related to non-conformities that is unavailable to ONC-ACBs. Other investigations may require concurrent or overlapping investigations by multiple ONC-ACBs or may exceed the ONC-ACBs’ resources or expertise. The ONC will exercise its right not to review certified health IT for potential non-conformities, especially in circumstances in which it thinks other HHS agencies are better suited to oversee or enforce laws, including in circumstances involving threats to protected health information (PHI).
CAPs, suspensions, and terminations
Where the ONC determines that non-conformities may exist, it may require entities to follow corrective action plans (CAPs) and may suspend or terminate certification for failure to comply with CAPs. Furthermore, it will ban a health IT developer from obtaining future certification where the developer’s current complete electronic health record (EHR) or health IT module is: terminated by the ONC; withdrawn by an ONC-ACB at the developer’s request when it was the subject of a potential or actual non-conformity; or withdrawn by an ONC-ACB at the developer’s request when it was the subject of pending or actual surveillance. However, the ONC will allow developers to respond to ONC concerns and appeal suspensions and terminations. The Final rule requires developers participating in CAPs to notify potentially affected customers of non-conformities and plans for resolution, and requires suspended or terminated developers to notify customers of the suspension or termination.
ONC-ACBs are only permitted to accept testing results from laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). The Final rule will require NVLAP-accredited labs to apply to become ONC-Authorized Testing Labs (ONC-ATLs), allowing the ONC direct oversight.
To increase transparency and the availability of certified health IT information, the Final rule requires ONC-ACBs to post identifiable surveillance results on the publicly accessible Certified Health IT Product List (CHPL) on a quarterly basis. The ONC believes that, because most developers are conforming with certification criteria and other program requirements, the posted surveillance data will reassure stakeholders, while encouraging those developers that are not conforming to comply with requirements.