The Office of the National Coordinator for Health Information Technology (“ONC”) began the month of March and the HIMSS Annual Conference with the announcement of an unexpected proposed rule, the Enhanced Oversight and Accountability Rule (the “Oversight Rule”). The Oversight Rule would expand ONC’s role in the ONC Health IT Certification Program (“Program”). Specifically, the Oversight Rule provides ONC with express powers to directly review health IT certified under the Program and employ review, suspension, and termination processes to address “non-conformities” found in certified health IT.  The ONC is seeking comment on key issues such as the scope of ONC’s proposed direct review authority, its processes for reviewing certified and uncertified health IT capabilities, and the agency’s potential overlap with the authority of other agencies.  All public comments will be due to ONC on or before May 1, 2016.

As stated in the ONC’s press release, the Oversight Rule focuses on three areas: Direct Review, Enhanced Oversight, and Greater Transparency and Accountability.

New Direct Review Authority

If the Oversight Rule is finalized as proposed, the ONC would supplement and even supplant the existing review capabilities of ONC Authorized Certification Bodies (“ONC-ACBs”). The rule proposes to establish processes for ONC to directly review health IT certified under the Program and take action when necessary, including requiring the correction of non-conformities found in health IT certified under the Program and suspending and terminating certifications issued to Complete EHRs and Health IT Modules. The Oversight Rule notes that, as proposed, the ONC’s exercise of its new review authority would be “relatively infrequent” and “would focus on situations that pose a risk to public health or safety.” For instance, the ONC could initiate a direct review based on information from the general public, interested stakeholders, ONC-ACBs, or others indicating that health IT may not conform to the requirements of the certification or is leading to medical errors, breaches of PHI, or other outcomes contrary to the ONC’s responsibilities.

With the new review authority, ONC appears to be maximizing what it can do to monitor patient safety despite lacking the requisite powers or funding to fully monitor patient safety issues, and in light of the Food & Drug Administration’s policy in the 2014 FDASIA Health IT Report to not exercise its oversight authority over patient safety issues for “health management” health IT, which would include functions covered by the ONC Certification Program.

Enhanced Oversight Capabilities

Notwithstanding the ONC’s stance that it would exercise its new direct review authorities infrequently, the Oversight Rule would provide for a very broad scope of actions that the ONC can engage in to review and sanction the certified capabilities and non-certified capabilities of the certified health IT. These actions include:

  • prescribing corrective actions for health IT developers that could require the developers to investigate and report on root cause analyses of the non-conformities; notify affected customers; fully correct identified issues across a health IT developer’s customer base; and take other appropriate remedial actions.
  • suspending and/or terminating a certification issued to health IT under the Program.

The Oversight Rule would also provide Health IT developers the ability to appeal suspension or termination determinations by ONC under the Program.

In addition, the Oversight Rule provides the ONC increased capability to monitor the activities of ONC-ACBs and creates a process for NVLAP-accredited testing labs to become ONC-Authorized Testing Labs (ONC-ATLs) that would also fall under ONC’s supervisory purview. ONC would have greater means to authorize, retain, suspend, and revoke the status of these entities under the Program.

Transparency and Accountability

Finally, the Oversight Rule supports greater accountability for health IT developers. ONC proposes to publish identifiable surveillance results of certified health IT regarding the overall performance of certified health IT. The agency anticipates that surveillance results would also illuminate “good performance and continued compliance.” To assure health IT developers that their proprietary, trade secret, or confidential information will not be made publicly available as part of these surveillance results, the ONC would also implement “appropriate safeguards to ensure, to the extent permissible with federal law, that any proprietary business information or trade secrets that ONC might encounter by accessing the health IT developer’s records would be kept confidential by ONC.”

In the coming days, we will be providing further analysis of the issues addressed in the Oversight Rule on which ONC seeks public comment.