All Alerts & Newsletters

ONC Seeks Comment on Proposed Changes to Oversight and Transparency in Health IT Certification Program


Earlier this month, the Office of the National Coordinator for Health Information Technology (ONC) announced its proposed Enhanced Oversight and Accountability Rule (the Oversight Rule) which, if finalized, will have significant impacts on the ONC Health IT Certification Program (Certification Program or Program). Over the past five years, ONC has promulgated certification rules to implement two separate, but related authorities under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009: (1) to identify voluntary standards, implementation specifications, and certification criteria for health IT; and (2) to create a program to certify that health IT meets these established standards and criteria. The Certification Program embodies these authorities and requires providers and hospitals that are part of the CMS Electronic Health Record (EHR) Incentive program to use Certified EHR Technology (CEHRT) to maintain eligibility for participation.

Now, ONC seeks to implement new processes to:

  • Establish the agency’s direct authority in the evaluation of CEHRT.
  • Establish enhanced oversight of ONC Authorized Certification Bodies (ONC-ACBs) and accredited testing labs (ATLs).
  • Require greater transparency of surveillance results.

The ONC is accepting public comments on the Oversight Rule until 5:00 p.m. on May 2, 2016 and has provided a template in order to make it simpler for stakeholders to submit comments. ONC also held a webinar on March 22nd to explain the Oversight Rule’s proposals (with an accompanying slide presentation) and will hold a second educational webinar on April 21st.

Overview of the Oversight Rule’s Areas for Public Comment

As stated in the ONC’s press release, the Oversight Rule focuses on three areas: Direct Review, Enhanced Oversight, and Greater Transparency and Accountability. In summary, the Oversight Rule seeks input on the following topics within each of these areas:

Direct Review

  • Factors that ONC should consider in deciding whether and under what circumstances to directly review certified and uncertified aspects of health IT capabilities.
  • The proposed processes for ONC’s direct review authority, including the agency’s issuance of non-conformity determinations, corrective action plans, suspensions, and terminations for CEHRT.
  • How health IT developers can appeal ONC’s suspensions or terminations of CEHRT.

Although not identified as issues for comment by ONC, there may also be questions about:

  • Whether ONC should assert direct review authority and if it would affect the impartiality of the Certification Program.
  • The scope of ONC’s direct review authority and whether it should cover issues beyond those that are required for certification.
  • The types and amount of information that ONC may request and review and whether there should be criteria or other limitations on access to company information.

Enhanced Oversight

  • How the scope of ONC-ACB’s authority should differ from and be subject to ONC’s own oversight authority.
  • Whether to implement a pathway for certification of NVLAP1-ATLs as ONC-ATLs and how much oversight ONC should have over such ONC-ATLs.

Greater Transparency and Accountability

  • How CEHRT customers should be notified of suspended or terminated CEHRT product certifications and the extent to which such adverse actions should limit the health IT developer’s ability to certify new products with ONC-ACBs.
  • What identifiable surveillance results ONC-ACBs should be required to publish for the public’s review.

All of the above topics have far-reaching impacts on the Program, but health IT developers should particularly consider submitting comments on the issues we describe in this alert.

“New” Authority Over Uncertified Aspects of Health IT

The Oversight Rule proposes to establish processes for ONC to directly review health IT certified under the Certification Program and take action when necessary, including requiring the correction of non-conformities found in CEHRT and suspending and terminating certifications issued to Complete EHRs and Health IT Modules. ONC could initiate a direct review based on information from ONC-ACBs, from interested stakeholders, or the general public.

If the Oversight Rule is finalized as proposed, it would allow ONC to directly review CEHRT and to prescribe corrective actions to address non-conformities in certified and uncertified aspects of health IT and the interaction of a CEHRT’s capabilities with other products. As stated in ONC’s March 22nd slides, the agency could launch a direct review if it believes that public health or patient safety concerns, “systemic, widespread, or complex issues,” or other “exigencies” are present. In taking this position, ONC seeks to maximize what it can do to monitor patient safety without a lot of guidance about how these determinations will be made or sufficient prior notice of the criteria to which developers or the products will be held. Although the Oversight Rule states that ONC’s exercise of its new review authority would be “relatively infrequent” and “would focus on situations that pose a risk to public health or safety,” health IT developers should note that the Oversight Rule does not impose any standard or restriction that would prevent ONC from more frequent use of this authority to address other uncertified features.

The Oversight Rule states that ONC-ACBs have concurrent review authority, meaning that both ONC and the ONC-ACB can review the same product, which can be burdensome and duplicative for health IT developers. Moreover, ONC puts forward vague criteria for review that would provide the agency with broad discretion for the length of time allowed for review and the amount of access to health IT developers’ records. Thus, ONC’s evaluation may go beyond criteria established in existing regulations, and may result in certification suspensions for incredibly vague reasons2. Given this lack of clarity, it is still questionable whether the ONC has sufficient authority to decertify products on grounds not currently required for certification.

Enhanced Program Enforcement Capabilities

Another important area is the potential impact of ONC’s new enforcement capabilities against all participants in the Program – from certifying bodies to health IT developers. Specifically, the Oversight Rule provides the ONC with increased capability to monitor the activities of ONC-ACBs and the newly created ONC-ATLs that would fall under ONC’s supervisory purview. Entities that seek to become ONC-ACBs and ONC-ATLs should understand that ONC would have greater means to authorize, retain, levy corrective action against, suspend, and revoke the status of these entities under the Program.

In addition, ONC’s actions against ONC-ACBs and ONC-ATLs could potentially be used to prompt the direct review of products previously certified by these bodies, which could create more uncertainty for health IT developers. The Oversight Rule describes an extremely broad slate of actions that the ONC can use to directly review and sanction the certified and uncertified capabilities of the CEHRT. These actions include, but are not limited to:

  • Prescribing corrective actions for health IT developers.
  • Requiring developers to investigate and report on root cause analyses of the non-conformities and to notify affected customers.
  • Suspending and/or terminating a certification issued to health IT under the Program.

ONC-ACBs, potential ONC-ATLs, and health IT developers should review the timelines that ONC proposes for requiring and evaluating corrective actions as well as the scope of consequences of suspensions and terminations. For instance, the Oversight Rule would require entities with suspended or terminated CEHRT products to fully correct issues identified under one CEHRT product across their entire scope of certified products before any new products could be certified. It would be especially important to advise ONC of whether the proposed timelines and consequences are realistic. In addition, even though the Oversight Rule would provide appeal rights against suspension and termination of certifications under the Program, stakeholders should review and consider whether these appeal rights are sufficient.

Transparency and Accountability

Finally, potential commenters should consider how the Oversight Rule’s transparency and public reporting requirements could further complicate the relationship between health IT developers and the government. ONC can request any information that it deems important for its direct review of the CEHRT, which would provide the agency with near-complete access to health IT developers’ research and testing results. These records could be voluminous and could include information that health IT developers would not have to share with ONC-ACBs.

As ONC emphasized in the March 22nd webinar slides, ONC may suspend certification at any time and may terminate CEHRT status prior to imposing corrective action. The subsequent review of health IT developers’ records could further delay ONC’s determinations subsequent to these adverse actions, which would greatly impact the developers’ ability to participate in ONC initiatives. Similarly, ONC’s involvement could undermine the prior work of ONC-ACBs and NVLAP-/ONC-ATLs and prevent users of suspended or terminated CEHRT products from achieving required metrics under the EHR Incentive Programs.

ONC proposes to require ONC-ACBs to publish, on a quarterly basis, identifiable surveillance results of certified health IT. ONC states that the purpose is that identifiable surveillance results would serve to inform providers currently using certified health IT as well as those that may consider switching their certified health IT or purchasing certified health IT for the first time and would illuminate “good performance and continued compliance.” The Oversight Rule would also require public posting of corrective action plans (CAPs) that result from ONC’s direct review of CEHRT. But, combined with the ONC’s new direct authority and the expanded scope of its enforcement capabilities, requiring the publication of surveillance results and CAPs could also expose additional vulnerabilities of CEHRT or unnecessarily decrease public confidence in CEHRT products3. Even temporary publication of issues identified by ONC or ONC-ACBs in reviewing health IT products could have long-term unintended consequences for additional improvements in health IT. ONC attempts to allay these concerns by assuring that, consistent with the Freedom of Information Act, information that is proprietary, trade secret, or confidential would not be publicly available as part of these surveillance results, but stakeholders may want to request specific examples of situations where this protection from public disclosure would be available.


The ONC is taking a comprehensive approach to establishing its direct involvement in the review and enforcement of CEHRT in the Certification Program. It is attempting to address concerns about safety in light of FDA’s exercise of enforcement discretion for health IT products. But, the agency is also seeking comments on whether it fully assessed alternatives to the approach that it proposed in the Oversight Rule. It is important for stakeholders to make their concerns known and help the ONC to better define its plans for overseeing the Program in ways that are consistent with business operation.

1 National Voluntary Laboratory Accreditation Program.

2 For example: The proposed rule states that ONC may suspend a product if “ONC believes that the certified health IT poses a potential risk to public health or safety … Contributing to a patient’s health information being unsecured and unprotected in violation of applicable law; … or undermining a more effective marketplace, greater competition, greater systems analysis, and increased consumer choice…” [emphasis added].

3 This is contrary to ONC’s statement in the March 22nd slides that “the prospect of publicly identifiable surveillance results would motivate some health IT developers to improve their maintenance efforts, but also believe that most published surveillance results would reassure customers and users of certified health IT.”

Email Twitter LinkedIn Facebook Google+

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Jodi G. Daniel
Partner – Washington, D.C.
Phone: +1 202.624.2908

Stephanie D. Willis
Associate – Washington, D.C.
Phone: +1 202.624.2721