ONC will directly review certified health IT products

The HHS Office of the National Coordinator for Health Information Technology (ONC) gained the authority to directly review certified health information technology (IT) products in circumstances that may pose a risk to public health or safety, or when practical challenges make it difficult for ONC-authorized certification bodies (ONC-ACBs) to do so. In an advance release of a Final rule to be published in the Federal Register on October 19, 2016, the ONC created a regulatory framework for such review. It also established a process allowing it to oversee accredited testing laboratories to align with its existing oversight of ONC-ACBs and made identifiable surveillance results of certified health IT publicly available.

Direct review

ONC-ACBs issue certifications for health IT and are responsible for conducting ongoing surveillance, based on adopted certification criteria, to ensure that certified health IT continues to conform with program requirements. However, their assessments may not involve interactions among certified capabilities and other capabilities or products that are not certified under the program, and may be limited to certain functional outcomes. Because the ONC is better suited to perform evaluations without such limitations, the Final rule grants it the authority to perform reviews both independent of, and in addition to, ONC-ACBs.

Circumstances of review

Section 3001 of the Public Health Service Act (PHSA) (42 U.S.C. §6A) permits the ONC to directly review health IT in a broad range of circumstances. However, the agency will use its limited resources to directly review products only in circumstances in which it believes that certified health IT is causing or contributing to serious risks to public health or safety, or in which practical challenges make it difficult for ONC-ACBs to effectively investigate or respond to non-conformities. For example, the ONC may have access to confidential information related to non-conformities that is unavailable to ONC-ACBs. Other investigations may require concurrent or overlapping investigations by multiple ONC-ACBs or may exceed the ONC-ACBs’ resources or expertise. The ONC will exercise its right not to review certified health IT for potential non-conformities, especially in circumstances in which it thinks other HHS agencies are better suited to oversee or enforce laws, including in circumstances involving threats to protected health information (PHI).

CAPs, suspensions, and terminations

Where the ONC determines that non-conformities may exist, it may require entities to follow corrective action plans (CAPs) and may suspend or terminate certification for failure to comply with CAPs. Furthermore, it will ban a health IT developer from obtaining future certification where the developer’s current complete electronic health record (EHR) or health IT module is: terminated by the ONC; withdrawn by an ONC-ACB at the developer’s request when it was the subject of a potential or actual non-conformity; or withdrawn by an ONC-ACB at the developer’s request when it was the subject of pending or actual surveillance. However, the ONC will allow developers to respond to ONC concerns and appeal suspensions and terminations. The Final rule requires developers participating in CAPs to notify potentially affected customers of non-conformities and plans for resolution, and requires suspended or terminated developers to notify customers of the suspension or termination.

Testing laboratories

ONC-ACBs are only permitted to accept testing results from laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). The Final rule will require NVLAP-accredited labs to apply to become ONC-Authorized Testing Labs (ONC-ATLs), allowing the ONC direct oversight.

Surveillance results

To increase transparency and the availability of certified health IT information, the Final rule requires ONC-ACBs to post identifiable surveillance results on the publicly accessible Certified Health IT Product List (CHPL) on a quarterly basis. The ONC believes that, because most developers are conforming with certification criteria and other program requirements, the posted surveillance data will reassure stakeholders, while encouraging those developers that are not conforming to comply with requirements.

HHS funds cybersecurity sharing center to disseminate information about health care threats

HHS agencies have awarded the National Health Information Sharing and Analysis Center (NH-ISAC) $350,000 in cooperative agreements to allow it to disseminate information about cybersecurity threats among health care stakeholders. The agency hopes that increased information sharing in the health care community will alert stakeholders to threats more quickly, so that they can avoid them or mitigate the damage caused by breaches more efficiently. This type of information sharing was one goal of the Cybersecurity Information Sharing Act (CISA), enacted as part of the Consolidated Appropriations Act, 2016 (P.L. 114-113), and is part of HHS’ ongoing efforts to reduce breaches among Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) covered entities and business associates (see Changes to ACA requirements, COOL, cybersecurity, and more in Appropriations Act, Health Law Daily, December 21, 2015).

The NH-ISAC is a member-owned non-profit that offers non-profit and for-profit health care stakeholders, including independent hospitals, health insurance payers, and medical schools, a forum for sharing cyber and physical threat indicators. The HHS funding will prepare NH-ISAC to receive cyberthreat information from HHS and share it with stakeholders. Small providers, in particular, are expected to benefit from this process, which will alert them to threats and provide them with advice for responding to those threats. The agreements will also support NH-ISAC’s ability to receive threat information from stakeholders and to provide other stakeholders with information about system breaches, including ransomware attacks.

The Office of the National Coordinator for Health Information Technology (ONC), which coordinates national health information technology and promotes the exchange of electronic health information, awarded $250,000 to build NH-ISAC’s capacity to receive and share cyber threat information with stakeholders and HHS and to provide education about cyberthreats and appropriate responses. The Assistant Secretary for Preparedness and Response (ASPR), which prepares the nation to respond to and recover from the adverse health effects of emergencies, awarded a separate $150,000.

$87M in IT enhancements to ‘unlock’ data, improve health center quality

HHS will provide $87 million in funding to support information technology (IT) enhancements in 1,310 health centers throughout the United States and its territories. The funding is intended to support the health centers’ transition to value-based models of care, promote information-sharing to improve quality of care, allow the centers to use information to support better decisions, and increase their engagement in transforming delivery systems. HHS Secretary Sylvia Burwell stated that the funding “will help unlock health care data and put it to work.”

Health Resources and Services Administration (HRSA) health centers provide comprehensive preventive and primary health care to patients regardless of their ability to pay, adjusting fees based on that ability. Section 10503 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) established an $11 billion, five-year Community Health Center (CHC) Fund to strengthen the centers, which was extended by the Medicare Access and CHIP Reauthorization Act (MACRA) (P.L. 114-10) of 2015. Funding for the IT enhancements comes from the CHC Fund.

Health centers that use the funding to purchase or upgrade electronic health record (EHR) systems must ensure that the technology is certified by the Office of the National Coordinator for Health Information Technology (ONC).

Kusserow on Compliance: New HIPAA risk analysis tool released

The HHS Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a new, jointly developed, downloadable Security Risk Assessment (SRA) Tool to assist providers and professionals in performing HIPAA compliance risk assessments. It was designed primarily for small and medium-sized covered entities and business associates. The Tool is a self-contained, operating system (OS) independent application that is available at no cost and can be downloaded from Apple’s App Store. It guides users through each HIPAA requirement by presenting questions answerable as “yes” or “no” to indicate whether there is a need for corrective action for any of the 156 question items. Guidance provides assistance in:

  • Understanding the context of the question
  • Considering the potential impacts to your PHI if the requirement is not met
  • Seeing the actual safeguard language of the HIPAA Security Rule

The Tool can serve as the local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. The results are available in printable PDF and Excel formats. For details on how to use the tool, download the SRA Tool User Guide. A paper-based version of the tool is also available.

Camella Boateng, an experienced HIPAA consultant, makes the point that “Covered Entities and Business Associates are not mandated to use this tool; however, they are required to conduct regular, organization-wide risk analyses for HIPAA compliance. Much of my work over the last year has been assisting clients in conducting system-wide HIPAA compliance reviews. Using the tool greatly assists in doing this. If you monitor the OCR website, it is clear from the many recent HIPAA enforcement actions that many organizations have not performed such analyses properly.”

Suzanne Castaldo, JD, notes, “OCR can be counted upon to include review of risk analyses of organizations during the Phase 2 HIPAA audits, and the results from these reviews will result in many Business Associates being notified of a desk audit before the end of this year. OCR plans to follow up with field audits for both Covered Entities and Business Associates beginning in 2017 that will have the twin objectives of learning more about HIPAA compliance in general, as well as having some of the audits find cases that warrant becoming enforcement investigations of HIPAA violations.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.