ONC Certification Rule Scales Back in Scope from Proposal on Oversight of Health IT

The Office of the National Coordinator for Health Information Technology (ONC) finalized its proposed Enhanced Oversight and Accountability Rule (the Oversight Rule) which alters the Health IT Certification Program (Certification Program or Program). It establishes ONC’s authority to directly review certified health information technology (health IT). This represents a significant increase in oversight by ONC but is scaled back from the proposal in March in response to comments that argued that the proposal exceeded ONC’s statutory authority.

This may impact health IT developers that are subjected to ONC oversight and health care providers that must make their systems available for ONC review.

New Direct Review Authority

The most important aspect of this rule is that ONC is asserting authority to directly review certified health IT to determine whether it conforms to the requirements of the Program. This rule would authorize ONC to conduct direct oversight of certified health IT in two situations:

1. When the certified health IT may be causing or contributing to serious risks to public health or safety.
2. When there are suspected non-conformities that certification bodies may be unable to effectively investigate or respond to (such as when there is confidential information).

ONC asserts authority to review whether certified health IT may fail to perform as it should when it interacts with uncertified capabilities within the product or with other technology, but states that it will focus on certified capabilities.

ONC will require corrective action for non-conformities and, when necessary, suspend, or terminate a certification issued to a Complete EHR or Health IT Module. In addition, ONC included a certification ban on the future certification of any of a health IT developer’s product if it has been terminated by ONC or withdrawn due to non-conformity, suspected non-conformity, or surveillance action. Health IT developers would be required to notify all potentially affected customers of any non-conformity and the plan for a resolution. In addition, developers must notify customers when the certification of their health IT is suspended or terminated, which ONC will also publicly post.

While ONC has limited the scope of the rule from what was proposed based on claims that ONC overstepped its authority, it leaves open the possibility of asserting authority for direct review in other circumstances in the future.

Transparency

In this rule, ONC requires certification bodies to make identifiable surveillance results publicly available on the Certified Health IT Product List (CHPL) on a quarterly basis. ONC states that the purpose of this is twofold: to motivate some health IT developers to improve their maintenance efforts and to reassure customers and users of certified health IT.

Impact

This new authority will impact health IT developers who may be subject to added scrutiny by federal regulators and may subject health care providers and hospitals to requests by federal regulators to access their systems to investigate conformance of their EHR systems. It also will affect health care providers if an EHR system they are using loses its certification and the health system must transition to another EHR.

This regulation will also add costs, estimated by ONC to be on average $6,597,033 annually, with costs potentially being as high as $650 million in one year. The costs include: (1) costs for health IT developers to correct non-conformities; (2) costs for ONC and health IT developers related to an ONC inquiry; (3) costs for health IT developers and ONC associated with the appeal process following a suspension/termination of certification; (4) costs for health care providers to transition to another certified health IT product when health IT certification of an EHR that they currently use is terminated; and (5) costs for ONC-ACBs to publicly report (submit) identifiable surveillance results.