[Federal Register Volume 76, Number 5 (Friday, January 7, 2011)]
[Rules and Regulations]
[Pages 1262-1331]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-33174]
[[Page 1261]]
-----------------------------------------------------------------------
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
45 CFR Part 170
Establishment of the Permanent Certification Program for Health
Information Technology; Final Rule
��Federal Register / Vol. 76, No. 5 / Friday, January 7, 2011 / Rules
and Regulations��
[[Page 1262]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 170
RIN 0991-AB59
Establishment of the Permanent Certification Program for Health
Information Technology
AGENCY: Office of the National Coordinator for Health Information
Technology, Department of Health and Human Services.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule establishes a permanent certification program
for the purpose of certifying health information technology (HIT). This
final rule is issued pursuant to the authority granted to the National
Coordinator for Health Information Technology (the National
Coordinator) by section 3001(c)(5) of the Public Health Service Act
(PHSA), as added by the Health Information Technology for Economic and
Clinical Health (HITECH) Act. The permanent certification program will
eventually replace the temporary certification program that was
previously established by a final rule. The National Coordinator will
use the permanent certification program to authorize organizations to
certify electronic health record (EHR) technology, such as Complete
EHRs and/or EHR Modules. The permanent certification program could also
be expanded to include the certification of other types of HIT.
DATES: These regulations are effective February 7, 2011. The
incorporation by reference of certain publications listed in the rule
is approved by the Director of the Federal Register as of February 7,
2011.
FOR FURTHER INFORMATION CONTACT: Steven Posnack, Director, Federal
Policy Division, Office of Policy and Planning, Office of the National
Coordinator for Health Information Technology, 202-690-7151.
SUPPLEMENTARY INFORMATION:
Acronyms
APA Administrative Procedure Act
ARRA American Recovery and Reinvestment Act of 2009
CAH Critical Access Hospital
CCHIT Certification Commission for Health Information Technology
CGD Certification Guidance Document
CHPL Certified Health Information Technology Products List
CMS Centers for Medicare & Medicaid Services
CORE Committee on Operating Rules for Information Exchange[supreg]
CAQH Council for Affordable Quality Healthcare
EHR Electronic Health Record
FACA Federal Advisory Committee Act
FFP Federal Financial Participation
FFS Fee for Service (Medicare Program)
HHS Department of Health and Human Services
HIPAA Health Insurance Portability and Accountability Act of 1996
HIT Health Information Technology
HITECH Health Information Technology for Economic and Clinical
Health
ILAC International Laboratory Accreditation Cooperation
ISO International Organization for Standardization
IT Information Technology
LAP Laboratory Accreditation Program
MA Medicare Advantage
MRA Mutual/Multilateral Recognition Arrangement
NIST National Institute of Standards and Technology
NPRM Notice of Proposed Rulemaking
NVCASE National Voluntary Conformity Assessment System Evaluation
NVLAP National Voluntary Laboratory Accreditation Program
OIG Office of Inspector General
OMB Office of Management and Budget
ONC Office of the National Coordinator for Health Information
Technology
ONC-AA ONC-Approved Accreditor
ONC-ACB ONC-Authorized Certification Body
ONC-ATCB ONC-Authorized Testing and Certification Body
OPM Office of Personnel Management
PHSA Public Health Service Act
RFA Regulatory Flexibility Act
RIA Regulatory Impact Analysis
SDO Standards Development Organization
SSA Social Security Act
Table of Contents
I. Background
A. Previously Defined Terminology
B. Legislative and Regulatory History
1. Legislative History
a. Standards, Implementation Specifications, and Certification
Criteria
b. Medicare and Medicaid EHR Incentive Programs
i. Medicare EHR Incentive Program
ii. Medicaid EHR Incentive Program
c. HIT Certification Programs
2. Regulatory History and Related Guidance
a. Initial Set of Standards, Implementation Specifications, and
Certification Criteria Interim and Final Rules
b. Medicare and Medicaid EHR Incentive Programs Proposed and
Final Rules
c. HIT Certification Programs Proposed Rule and the Temporary
and Permanent Certification Programs Final Rules
d. Recognized Certification Bodies as Related to the Physician
Self-Referral Prohibition and Anti-Kickback EHR Exception and Safe
Harbor Final Rules
II. Overview of the Permanent Certification Program
III. Provisions of the Permanent Certification Program; Analysis of
and Response to Public Comments on the Proposed Rule
A. Overview
B. Scope and Applicability
C. Definitions
1. Day or Days
2. Applicant
3. ONC-ACB
4. ONC-AA
D. ONC-AA Status, Ongoing Responsibilities and Reconsideration
of Request for ONC-AA Status
1. ONC-AA Status
2. On-going Responsibilities
3. Reconsideration of Request for ONC-AA Status
E. Correspondence
F. Certification Options for ONC-ACBs
1. Distinction Between Testing and Certification
2. Types of Certification
a. Complete EHRs for Ambulatory or Inpatient Settings
b. Integrated Testing and Certification of EHR Modules
G. ONC-ACB Application Process
1. Application
2. Principles of Proper Conduct for ONC-ACBs
a. Maintain Accreditation
b. ONC Visits to ONC-ACB Sites
c. Lists of Certified Complete EHRs and EHR Modules
i. ONC-ACB Lists
ii. Certified HIT Products List
d. Records Retention
e. NVLAP-Accredited Testing Laboratory
i. Separation of Testing and Certification
ii. Accreditation, Test Tools and Test Procedures, and ONC-ACBs'
Permitted Reliance on Certain Test Results
f. Surveillance
g. Refunds
h. Suggested New Principles of Proper Conduct
3. Application Submission
4. Overall Application Process
H. ONC-ACB Application Review, Reconsideration, and ONC-ACB
Status
1. Application Review
2. Application Reconsideration
3. ONC-ACB Status
I. Certification of Complete EHRs, EHR Modules and Other Types
of HIT
1. Complete EHRs
2. EHR Modules
a. Applicable Certification Criterion or Criteria
b. Privacy and Security Certification
c. Identification of Certified Status
3. Other Types of HIT
J. Certification of ``Minimum Standards''
K. Authorized Certification Methods
L. Good Standing as an ONC-ACB, Revocation of ONC-ACB Status,
and Effect of Revocation on Certifications Issued by a Former ONC-
ACB
1. Good Standing as an ONC-ACB
2. Revocation of ONC-ACB Status
3. Effect of Revocation on Certifications Issued by a Former
ONC-ACB
M. Dual-Accredited Testing and Certification Bodies
N. Concept of ``Self-Developed''
O. Validity of Complete EHR and EHR Module Certification and
Expiration of Certified Status
P. Differential or Gap Certification
[[Page 1263]]
Q. Barriers to Entry for Potential ONC-ACBs and an ONC-Managed
Certification Process
R. General Comments
S. Comments Beyond the Scope of This Final Rule
IV. Provisions of the Final Regulation
V. Collection of Information Requirements
A. Collection of Information: Required Documentation for
Requesting ONC-Approved Accreditor Status Under the Permanent
Certification Program
B. Collection of Information: Application for ONC-ACB Status
Under the Permanent Certification Program
C. Collection of Information: ONC-ACB Collection and Reporting
of Information Related to Complete EHR and/or EHR Module
Certifications
D. Collection of Information: Records Retention Requirements
E. Collection of Information: Submission of Surveillance Plan
and Surveillance Results
VI. Regulatory Impact Analysis
A. Introduction
B. Why this Rule is Needed?
C. Executive Order 12866--Regulatory Planning and Review
Analysis
1. Comment and Response
2. Executive Order 12866 Final Analysis
a. Permanent Certification Program Estimated Costs
i. Request for ONC-AA Status
ii. Application Process for ONC-ACB Status
iii. Testing and Certification of Complete EHRs and EHR Modules
iv. Costs for Collecting, Storing, and Reporting Certification
Results
v. Costs for Retaining Certification Records
vi. Submission of Surveillance Plan and Surveillance Results
vii. Overall Average Annual Costs by Entity
b. Permanent Certification Program Benefits
D. Regulatory Flexibility Act
E. Executive Order 13132--Federalism
F. Unfunded Mandates Reform Act of 1995
I. Background
A. Previously Defined Terminology
In addition to the new terms and definitions created by this rule,
the following terms have the same meaning as provided at 45 CFR
170.102.
Certification criteria
Certified EHR Technology
Complete EHR
Day or days
Disclosure
EHR Module
Implementation specification
Qualified EHR
Standard
The definition of the term ONC-Authorized Testing and Certification
Body (ONC-ATCB) can be found at 45 CFR 170.402.
B. Legislative and Regulatory History
1. Legislative History
The HITECH Act, Title XIII of Division A and Title IV of Division B
of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L.
111-5), was enacted on February 17, 2009. The HITECH Act amended the
PHSA and created ``Title XXX--Health Information Technology and
Quality'' (Title XXX) to improve health care quality, safety, and
efficiency through the promotion of HIT and electronic health
information exchange. Section 3001 of the PHSA establishes the Office
of the National Coordinator for Health Information Technology (ONC).
Title XXX of the PHSA provides the National Coordinator for Health
Information Technology (the National Coordinator) and the Secretary of
Health and Human Services (the Secretary) with new responsibilities and
authorities related to HIT. The HITECH Act also amended several
sections of the Social Security Act (SSA) and in doing so established
the availability of incentive payments to eligible professionals and
eligible hospitals to promote the adoption and meaningful use of
Certified EHR Technology. References to ``eligible hospitals'' in this
final rule shall mean ``eligible hospitals and/or critical access
hospitals'' unless otherwise indicated.
a. Standards, Implementation Specifications, and Certification Criteria
With the passage of the HITECH Act, two new Federal advisory
committees were established, the HIT Policy Committee and the HIT
Standards Committee (sections 3002 and 3003 of the PHSA, respectively).
Each is responsible for advising the National Coordinator on different
aspects of standards, implementation specifications, and certification
criteria. The HIT Policy Committee is responsible for, among other
duties, recommending priorities for the development, harmonization, and
recognition of standards, implementation specifications, and
certification criteria, while the HIT Standards Committee is
responsible for recommending standards, implementation specifications,
and certification criteria for adoption by the Secretary under section
3004 of the PHSA consistent with the ONC-coordinated Federal Health IT
Strategic Plan.
Section 3004 of the PHSA defines how the Secretary adopts
standards, implementation specifications, and certification criteria.
Section 3004(a) of the PHSA defines a process whereby an obligation is
imposed on the Secretary to review standards, implementation
specifications, and certification criteria and identifies the
procedures for the Secretary to follow to determine whether to adopt
any group of standards, implementation specifications, or certification
criteria included among National Coordinator-endorsed recommendations.
b. Medicare and Medicaid EHR Incentive Programs
Title IV, Division B of the HITECH Act establishes incentive
payments under the Medicare and Medicaid programs for eligible
professionals and eligible hospitals that meaningfully use Certified
EHR Technology. The Centers for Medicare & Medicaid Services (CMS) is
charged with developing the Medicare and Medicaid EHR Incentive
Programs.
i. Medicare EHR Incentive Program
Section 4101 of the HITECH Act added new subsections to section
1848 of the SSA to establish incentive payments for the meaningful use
of Certified EHR Technology by eligible professionals participating in
the Medicare Fee-for-Service (FFS) program beginning in calendar year
(CY) 2011, and beginning in CY 2015, downward payment adjustments for
covered professional services provided by eligible professionals who
are not meaningful users of Certified EHR Technology. Eligible
professionals for the Medicare EHR incentive program are physicians as
defined in section 1861(r) of the SSA. A hospital-based eligible
professional furnishes substantially all of his or her Medicare-covered
professional services in a hospital inpatient or emergency room
setting. Hospital-based eligible professionals are not eligible for the
Medicare incentive payments. Section 4101(c) of the HITECH Act added a
new subsection to section 1853 of the SSA that provides incentive
payments to Medicare Advantage (MA) organizations for their affiliated
eligible professionals who meaningfully use Certified EHR Technology
beginning in CY 2011 and beginning in CY 2015, downward payment
adjustments to MA organizations to account for certain affiliated
eligible professionals who are not meaningful users of Certified EHR
Technology.
Section 4102 of the HITECH Act added new subsections to section
1886 of the SSA that establish incentive payments for the meaningful
use of Certified EHR Technology by subsection (d) hospitals (defined
under section 1886(d)(1)(B) of the SSA) that participate in the
Medicare FFS program
[[Page 1264]]
beginning in Federal fiscal year (FY) 2011 and beginning in FY 2015,
downward payment adjustments to the market basket updates for inpatient
hospital services provided by such hospitals that are not meaningful
users of Certified EHR Technology. Section 4102(b) of the HITECH Act
amends section 1814 of the SSA to provide critical access hospitals
that meaningfully use Certified EHR Technology with an incentive
payment based on the hospitals' reasonable costs beginning in FY 2011
and downward payment adjustments for inpatient hospital services
provided by such hospitals that are not meaningful users of Certified
EHR Technology for cost reporting periods beginning in FY 2015. Section
4102(c) of the HITECH Act adds a new subsection to section 1853 of the
SSA to provide incentive payments to MA organizations for certain
affiliated eligible hospitals that meaningfully use Certified EHR
Technology and beginning in FY 2015, downward payment adjustments to MA
organizations for those affiliated hospitals that are not meaningful
users of Certified EHR Technology.
ii. Medicaid EHR Incentive Program
Section 4201 of the HITECH Act amends section 1903 of the SSA to
provide 100 percent Federal financial participation (FFP) for States'
expenditures for incentive payments to eligible health care providers
participating in the Medicaid program to adopt, implement, or upgrade
and meaningfully use Certified EHR Technology and 90 percent FFP for
States' reasonable administrative expenses related to the
administration of the incentive payments. For the Medicaid EHR
incentive program, eligible professionals are physicians (primarily
doctors of medicine and doctors of osteopathy), dentists, nurse
practitioners, certified nurse midwives, and physician assistants
practicing in a Federally Qualified Health Center led by a physician
assistant or Rural Health Clinic that is so led. Eligible hospitals
that can participate in the Medicaid EHR incentive program are acute
care hospitals (including cancer and critical access hospitals) and
children's hospitals.
c. HIT Certification Programs
Section 3001(c)(5) of the PHSA provides the National Coordinator
with the authority to establish a certification program or programs for
the voluntary certification of HIT. Specifically, section 3001(c)(5)(A)
specifies that the ``National Coordinator, in consultation with the
Director of the National Institute of Standards and Technology, shall
keep or recognize a program or programs for the voluntary certification
of health information technology as being in compliance with applicable
certification criteria adopted under this subtitle'' (i.e.,
certification criteria adopted by the Secretary under section 3004 of
the PHSA). The certification program(s) must also ``include, as
appropriate, testing of the technology in accordance with section
13201(b) of the [HITECH] Act.''
Section 13201(b) of the HITECH Act requires that with respect to
the development of standards and implementation specifications, the
Director of the National Institute of Standards and Technology (NIST),
in coordination with the HIT Standards Committee, ``shall support the
establishment of a conformance testing infrastructure, including the
development of technical test beds.'' The United States Congress also
indicated that ``[t]he development of this conformance testing
infrastructure may include a program to accredit independent, non-
Federal laboratories to perform testing.''
2. Regulatory History and Related Guidance
a. Initial Set of Standards, Implementation Specifications, and
Certification Criteria Interim and Final Rules
In accordance with section 3004(b)(1) of the PHSA, the Secretary
issued an interim final rule with request for comments entitled
``Health Information Technology: Initial Set of Standards,
Implementation Specifications, and Certification Criteria for
Electronic Health Record Technology'' (75 FR 2014, Jan. 13, 2010) (the
``HIT Standards and Certification Criteria interim final rule''), which
adopted an initial set of standards, implementation specifications, and
certification criteria. After consideration of the public comments
received on the interim final rule, a final rule was issued to complete
the adoption of the initial set of standards, implementation
specifications, and certification criteria and realign them with the
final objectives and measures established for meaningful use Stage 1.
Health Information Technology: Initial Set of Standards, Implementation
Specifications, and Certification Criteria for Electronic Health Record
Technology; Final Rule, 75 FR 44590 (July 28, 2010) (the ``HIT
Standards and Certification Criteria final rule''). On October 13,
2010, an interim final rule was issued to remove certain implementation
specifications related to public health surveillance that had been
previously adopted in the HIT Standards and Certification Criteria
final rule (75 FR 62686).
The standards, implementation specifications, and certification
criteria adopted by the Secretary establish the capabilities that
Certified EHR Technology must include in order to, at a minimum,
support the achievement of meaningful use Stage 1 by eligible
professionals and eligible hospitals under the Medicare and Medicaid
EHR Incentive Programs final rule (see 75 FR 44314 for more information
about meaningful use and the Stage 1 requirements).
b. Medicare and Medicaid EHR Incentive Programs Proposed and Final
Rules
On January 13, 2010, CMS published in the Federal Register (75 FR
1844) the Medicare and Medicaid EHR Incentive Programs proposed rule.
The rule proposed a definition for Stage 1 meaningful use of Certified
EHR Technology and regulations associated with the incentive payments
made available under Division B, Title IV of the HITECH Act.
Subsequently, CMS published a final rule for the Medicare and
Medicaid EHR Incentive Programs in the Federal Register (75 FR 44314)
on July 28, 2010 (the ``Medicare and Medicaid EHR Incentive Programs
final rule''), simultaneously with the publication of the HIT Standards
and Certification Criteria final rule. The final rule published by CMS
established the objectives and associated measures that eligible
professionals and eligible hospitals must satisfy in order to
demonstrate ``meaningful use'' during Stage 1.
c. HIT Certification Programs Proposed Rule and the Temporary and
Permanent Certification Programs Final Rules
Section 3001(c)(5) of the PHSA specifies that the National
Coordinator ``shall keep or recognize a program or programs for the
voluntary certification of health information technology as being in
compliance with applicable certification criteria adopted [by the
Secretary] under this subtitle.'' Based on this authority, we proposed
both a temporary and permanent certification program for HIT in a
notice of proposed rulemaking entitled ``Proposed Establishment of
Certification Programs for Health Information Technology'' (75 FR
11328, Mar. 10, 2010) (the ``Proposed Rule''). In the Proposed Rule, we
proposed to use the certification programs for the purposes of testing
and
[[Page 1265]]
certifying HIT. We also specified the processes the National
Coordinator would follow to authorize organizations to perform the
certification of HIT. We stated in the Proposed Rule that we expected
to issue separate final rules for each of the certification programs.
Consistent with our proposal, we issued a final rule to establish a
temporary certification program, which was published in the Federal
Register (75 FR 36158) on June 24, 2010 (the ``Temporary Certification
Program final rule''). To conclude our proposed approach, we are
issuing this final rule to establish a permanent certification program
whereby the National Coordinator will authorize organizations to
certify Complete EHRs, EHR Modules, and/or other types of HIT. As
provided in the Temporary Certification Program final rule, the
temporary certification program will sunset on December 31, 2011, or on
a subsequent date if the permanent certification program is not fully
constituted at that time.
d. Recognized Certification Bodies as Related to the Physician Self-
Referral Prohibition and Anti-Kickback EHR Exception and Safe Harbor
Final Rules
In August 2006, the Department of Health and Human Services (HHS)
published two final rules in which CMS and the Office of Inspector
General (OIG) promulgated an exception to the physician self-referral
prohibition and a safe harbor under the anti-kickback statute,
respectively, for certain arrangements involving the donation of
interoperable EHR software to physicians and other health care
practitioners or entities (71 FR 45140 and 71 FR 45110, respectively).
The exception and safe harbor provide that EHR software will be
``deemed to be interoperable if a certifying body recognized by the
Secretary has certified the software no more than 12 months prior to
the date it is provided to the [physician/recipient].'' ONC published
separately a Certification Guidance Document (CGD) (71 FR 44296) to
explain the factors ONC would use to determine whether to recommend to
the Secretary an organization for ``recognized certification body''
status. The CGD served as a guide for ONC to evaluate applications for
``recognized certification body'' status and provided the information
an organization would need to apply for and obtain such status. Under
the process specified in the CGD, the Certification Commission for
Health Information Technology (CCHIT) was the only organization that
both applied for and had been granted ``recognized certification body''
status.
In section VI of the CGD, ONC notified the public, including
potential applicants, that the recognition process explained in the CGD
would be formalized through notice and comment rulemaking and that when
a final rule has been promulgated to govern the process by which a
``recognized certification body'' is determined, certification bodies
recognized under the CGD would be required to complete new applications
and successfully demonstrate compliance with all requirements of the
final rule.
In the Proposed Rule, we began the formal notice and comment
rulemaking described in the CGD. We stated that the processes we
proposed for the temporary certification program and permanent
certification program, once finalized, would supersede the CGD, and the
authorization process would constitute the new established method for
``recognizing'' certification bodies, as referenced in the physician
self-referral prohibition and anti-kickback EHR exception and safe
harbor final rules. As a result of our proposal, certifications issued
by a certification body ``authorized'' by the National Coordinator
would constitute certification by ``a certifying body recognized by the
Secretary'' in the context of the physician self-referral EHR exception
and anti-kickback EHR safe harbor. After consideration of the public
comments we received on this proposal, we determined that the ONC-ATCB
and ONC-ACB ``authorization'' processes would constitute the
Secretary's ``recognition'' of a certification body and finalized our
proposal for both the temporary certification program and permanent
certification program in the Temporary Certification Program final rule
(75 FR 36186). Any questions regarding compliance with the exception or
safe harbor should be directed to CMS and OIG, respectively.
II. Overview of the Permanent Certification Program
The permanent certification program provides a process by which an
organization or organizations may become an ONC-Authorized
Certification Body (ONC-ACB) authorized by the National Coordinator to
perform the certification of Complete EHRs and/or EHR Modules. ONC-ACBs
may also be authorized under the permanent certification program to
perform the certification of other types of HIT in the event that
applicable certification criteria are adopted by the Secretary. We
note, however, that the certification of Complete EHRs, EHR Modules, or
potentially other types of HIT under the permanent certification
program would not constitute a replacement or substitution for other
Federal requirements that may be applicable.
Under the permanent certification program, the National Coordinator
will accept applications for ONC-ACB status after the effective date of
this final rule and at any time during the existence of the permanent
certification program. In order to become an ONC-ACB, an organization
or organizations must submit an application to the National Coordinator
to demonstrate its competency and ability to certify Complete EHRs, EHR
Modules, and/or potentially other types of HIT by documenting its
accreditation by the ONC-Approved Accreditor (ONC-AA) and by meeting
other specified application requirements. These organizations will be
required to remain in good standing by adhering to the Principles of
Proper Conduct for ONC-ACBs. ONC-ACBs will also be required to follow
the conditions and requirements applicable to the certification of
Complete EHRs, EHR Modules, and/or potentially other types of HIT as
specified in this final rule. The permanent certification program will
eventually replace the temporary certification program that was
established previously by a final rule (75 FR 36158). Testing and
certification under the permanent certification program is expected to
begin on January 1, 2012, or upon a subsequent date when the National
Coordinator determines that the permanent certification program is
fully constituted. The permanent certification program has no
anticipated sunset date. ONC-ACBs are required to renew their status
every three years under the permanent certification program.
III. Provisions of the Permanent Certification Program; Analysis of and
Response to Public Comments on the Proposed Rule
A. Overview
This section discusses and responds to the comments that were
timely received on the proposed provisions of the permanent
certification program that were set forth in the Proposed Rule. As
explained in the Proposed Rule, we chose to propose both the temporary
certification program and the permanent certification program in the
same notice of proposed rulemaking in order to offer the public a
broader context for each of the programs and an opportunity to make
more informed comments on our proposals. We noted that we expected to
receive public comments that were
[[Page 1266]]
applicable to both of the proposed certification programs due to the
fact that we had proposed certain elements that were the same or
similar for both programs. As anticipated, we received comments in
response to the Proposed Rule that were applicable to both
certification programs. In the Temporary Certification Program final
rule, we discussed and responded to all of the comments that were
applicable to the temporary certification program. Because some of
those comments are also related to provisions of the permanent
certification program, we discuss them again in this final rule and
respond to them in the context of the permanent certification program.
Many of the common elements that we proposed for both the temporary and
the permanent certification programs are based on the same or similar
underlying policy reasons or objectives. As a result, we often reach
the same or similar conclusions in this final rule as we did in the
Temporary Certification Program final rule. In responding to comments
in this final rule, we often make reference to or restate parts of our
responses to comments that we provided in the Temporary Certification
Program final rule due to the various similarities that exist between
the temporary and permanent certification programs.
We have structured this section of the final rule based on the
proposed regulatory sections of the permanent certification program and
discuss each regulatory section sequentially. For each discussion of a
regulatory provision, we first restate or paraphrase the provision as
proposed in the Proposed Rule as well as identify any correlated issues
for which we sought public comment. Second, we summarize the comments
received. Lastly, we provide our response to the comments and indicate
whether we are finalizing the provision as proposed in the Proposed
Rule or modifying the proposed provision in response to public comment,
to provide clarification, or to correct inadvertent errors. Comments on
dual-accredited testing and certification bodies, the concept of
``self-developed,'' validity and expiration of certifications,
differential or ``gap'' certification, barriers to entry for potential
ONC-ACBs, an ONC-managed certification program, general comments, and
comments beyond the scope of this final rule are discussed towards the
end of the preamble.
B. Scope and Applicability
In the Proposed Rule, we indicated in Sec. 170.500 that the
permanent certification program would serve to implement section
3001(c)(5) of the PHSA, and that subpart E would also set forth the
rules and procedures related to the permanent certification program for
HIT administered by the National Coordinator. Under Sec. 170.501, we
proposed that subpart E would establish the processes that applicants
for ONC-ACB status must follow to be granted ONC-ACB status by the
National Coordinator, the processes the National Coordinator would
follow when assessing applicants and granting ONC-ACB status, and the
requirements of ONC-ACBs for certifying Complete EHRs and/or EHR
Modules in accordance with the applicable certification criteria
adopted by the Secretary in subpart C of part 170. We also proposed
that subpart E would establish the processes that accreditation
organizations would follow to request approval from the National
Coordinator, the processes the National Coordinator would follow to
approve an accreditation organization under the permanent certification
program, and the ongoing responsibilities of an ONC-AA.
Comments. We received comments that expressed general support for
the permanent certification program. We also received a few comments
regarding the extension of the scope of the permanent certification
program to other types of HIT. One commenter asserted that there was a
need for the permanent certification program to focus on the
implementation of the nationwide health information network.
Response. We appreciate the comments expressing support for the
permanent certification program. We intend to address the governance
mechanisms for the nationwide health information network through a
separate rulemaking. We will more specifically address the comments
related to other types of HIT when we discuss proposed Sec. 170.553
later in this preamble, but we note here that we are revising Sec.
170.501 to acknowledge the possibility for ONC-ACBs to certify ``other
types of HIT'' under the permanent certification program. We are also
revising Sec. 170.501 to clearly state that this subpart includes
requirements that ONC-ACBs must follow to maintain their status as ONC-
ACBs under the permanent certification program. These references were
inadvertently left out of Sec. 170.501 in the Proposed Rule although
they were included elsewhere in the preamble discussion and regulation
text.
C. Definitions
In the Proposed Rule, we proposed to define four terms related to
the permanent certification program.
1. Day or Days
We proposed to add the definition of ``day or days'' to Sec.
170.102. We proposed to define ``day or days'' to mean a calendar day
or calendar days. We added this definition to Sec. 170.102 in the
Temporary Certification Program final rule. Further, we did not receive
any comments on this definition related to the permanent certification
program. Therefore, references to ``day'' or ``days'' in provisions of
subpart E have the meaning provided to them in Sec. 170.102.
2. Applicant
We proposed in Sec. 170.502 to define ``applicant'' to mean a
single organization or a consortium of organizations that seek to
become an ONC-ACB by requesting and subsequently submitting an
application for ONC-ACB status to the National Coordinator. We did not
receive any comments on this proposed definition. We are, however,
revising the definition of ``applicant'' by removing the condition that
an ``applicant'' must ``request'' an application. We clearly indicated
in the Proposed Rule preamble that, unlike under the temporary
certification program, ``applicants'' for ONC-ACB status would no
longer need to request an application.
3. ONC-ACB
We proposed in Sec. 170.502 to define an ``ONC-Authorized
Certification Body'' or ``ONC-ACB'' to mean an organization or a
consortium of organizations that has applied to and been authorized by
the National Coordinator pursuant to subpart E to perform the
certification of, at minimum, Complete EHRs and/or EHR Modules using
the applicable certification criteria adopted by the Secretary.
Comments. A commenter noted that the proposed definition would not
preclude an ONC-ACB from certifying other types of HIT, but would
require an ONC-ACB to be able to certify Complete EHRs and/or EHR
Modules. The commenter contended that this requirement will prevent
organizations that may want to certify only other types of HIT (and not
Complete EHRs or EHR Modules) from becoming ONC-ACBs.
Response. We did not intend to preclude an organization from
seeking authorization to certify only other types of HIT besides
Complete EHRs and EHR Modules, when and if the option becomes
available. To the contrary, as noted in proposed Sec. 170.510, we
indicated that an applicant could seek authorization to certify
Complete EHRs, EHR Modules, other types of HIT, or any
[[Page 1267]]
combination of the three. However, as we specified in the Proposed Rule
preamble and in proposed Sec. 170.510, the Secretary must first adopt
applicable certification criteria under subpart C of part 170 before
authorization to certify other types of HIT could be granted to ONC-
ACBs.
In response to the comment and to be consistent with our intent as
expressed in Sec. 170.510, we are removing ``at a minimum'' from the
definition of ONC-ACB. This will allow an organization or consortium of
organizations to become an ONC-ACB that is authorized to certify only
other types of HIT besides Complete EHRs and/or EHR Modules. We are
also revising the definition by replacing ``using the applicable
certification criteria adopted by the Secretary'' with ``under the
permanent certification program.'' We believe this revision more
clearly reflects the focus of an ONC-ACB and is more consistent with
the definition of an ONC-ATCB that we finalized in the Temporary
Certification Program final rule. We note that ONC-ACBs that are
authorized to certify Complete EHRs and/or EHR Modules will be required
to perform certifications using the applicable certification criteria
adopted by the Secretary based on the provisions of Sec. Sec. 170.545
and 170.550.
4. ONC-AA
We proposed in Sec. 170.502 to define the term ``ONC-Approved
Accreditor'' or ``ONC-AA'' to mean an accreditation organization that
the National Coordinator has approved to accredit certification bodies
under the permanent certification program.
We did not receive any comments on this proposed definition.
Therefore, we are finalizing this definition without modification.
D. ONC-AA Status, On-going Responsibilities and Reconsideration of
Request for ONC-AA Status
In the Proposed Rule, we proposed processes for requesting ONC-AA
status, the process for reviewing and approving an ONC-AA, the ongoing
responsibilities of an ONC-AA, and the process for an accreditation
organization to request reconsideration of its denied request for ONC-
AA status.
1. ONC-AA Status
We proposed in Sec. 170.503 that the National Coordinator would
approve only one ONC-AA at a time. We proposed that in order for an
accreditation organization to become an ONC-AA, it would need to submit
a request in writing to the National Coordinator along with certain
information to demonstrate its ability to serve as an ONC-AA. This
information included: A detailed description of how the accreditation
organization conforms to ISO/IEC17011:2004 (ISO 17011) and its
experience evaluating the conformance of certification bodies to ISO/
IEC Guide 65:1996 (Guide 65); a detailed description of the
accreditation organization's accreditation requirements and how the
requirements complement the Principles of Proper Conduct for ONC-ACBs;
detailed information about the accreditation organization's procedures
that would be used to monitor ONC-ACBs; detailed information, including
education and experience, about the key personnel who would review
organizations for accreditation; and the accreditation organization's
procedures for responding to, and investigating, complaints against
ONC-ACBs.
We proposed that the National Coordinator would be permitted up to
30 days to review a request for ONC-AA status from an accreditation
organization upon receipt and issue a determination on whether the
organization is approved. We proposed that the National Coordinator's
determination would be based on the information and the completeness of
the descriptions provided, as well as each accreditation organization's
overall accreditation experience. We proposed that the National
Coordinator would review requests by accreditation organizations for
ONC-AA status in the order they were received and would approve the
first qualified accreditation organization based on the information
required to be submitted with a request for ONC-AA status. We proposed
that an ONC-AA's status would expire not later than 3 years from the
date its status was granted by the National Coordinator. We further
proposed that beginning 120 days prior to the expiration of the then-
current ONC-AA's status, the National Coordinator would again accept
requests for ONC-AA status.
We specifically requested comment on whether it would be in the
best interest of the ONC-ACB applicants and Complete EHR and EHR Module
developers to allow for more than one ONC-AA at a time and whether we
should extend the duration of an ONC-AA's term to 5 years, shorten it
to 2 years, or identify a different period of time.
Comments. Commenters expressed support for an independent
accreditation body, which they stated would provide an open and
transparent process. One commenter, however, asked for clarification as
to why we proposed to have an accreditor independent of ONC. The
commenter stated that the proposal seemed to introduce unnecessary
overhead. A commenter also requested clarification of the requirement
for an ONC-AA to conform to ISO 17011. Another commenter recommended
that we require an ONC-AA to be recognized under the NIST National
Voluntary Conformity Assessment Systems Evaluation, or ``NVCASE''
program. The commenter further recommended that the ONC-AA should
demonstrate its ISO 17011 compliance for the ISO Guide 65 scope by
being a signatory to the International Accreditation Forum's Mutual/
Multilateral Recognition Agreement (MRA) for product certification,
which is verified by regular peer assessments. The commenter stated
that such a requirement would mirror a benchmark set elsewhere for
similar Federal agency program requirements for an accreditation body
(i.e., the U.S. EPA ``WaterSense'' program requirements).
Many commenters recommended that there be only one ONC-AA to ensure
consistency, while only two commenters expressed openness to having
more than one ONC-AA at a time. One of the commenters favoring more
than one ONC-AA opined that the approval of more than one accreditor
would ensure that all potential ONC-ACBs could be timely accredited and
that the unique needs of potential ONC-ACBs would be adequately
addressed, such as in the case of organizations that seek to certify
other types of HIT besides Complete EHRs and EHR Modules. The other
commenter suggested that we consider approving more than one ONC-AA if
we anticipate a high volume of applicants for ONC-ACB status. One
commenter stated that, given the importance of the ONC-AA in ensuring
that the accredited certification bodies operate in a fair and
effective manner, the ONC-AA should be chosen through an open
competition that would allow for the comparison of the strengths and
weaknesses of all interested accreditation organizations.
Commenters expressed support for either 3-year or 5-year terms for
an ONC-AA. Some commenters suggested 5 years would provide more
reliability and consistency. One commenter suggested an interim review
of the ONC-AA after 3 years and granting an ``extension'' to 5 years
based on the results of the review. One commenter suggested that an
ONC-AA should not be allowed to ``renew'' its status at the end of the
proposed 3-year term. The commenter contended that this would prevent
an ONC-AA from overly
[[Page 1268]]
influencing how certification bodies are accredited. A commenter
recommended that we begin accepting and reviewing requests for ONC-AA
status sooner than 120 days prior to the expiration of the then-current
ONC-AA's status and suggested 180 days as a possible alternative. The
commenter reasoned that more time may be necessary to review and
approve an ONC-AA. A couple of commenters requested clarification
regarding how we would address concerns with an ONC-AA's operations and
how we would remove or replace an ineffective ONC-AA.
Response. We do not believe that the use of an accreditor is
unnecessary overhead. As stated in the Proposed Rule, we believe that
accreditation (and the use of an accreditor) is the optimal and most
practical approach for the long term because specialized accreditors in
the private sector are better equipped to react effectively and
efficiently to changes in the HIT market and to rigorously oversee the
certification bodies they accredit. Further, the impartiality,
knowledge, and experience of an accreditor will instill additional
confidence in HIT developers, eligible professionals and eligible
hospitals, and the general public regarding the ONC-ACB selection
process. We believe that conformance to ISO 17011 is an appropriate
measure to assess an accreditation organization's ability to perform
accreditation under the permanent certification program, among the
other submission requirements specified in Sec. 170.503. ISO 17011 was
developed by the International Organization for Standardization (ISO)
and specifies the general requirements for accreditation bodies that
accredit conformity assessment bodies. As noted in the Proposed Rule,
an ONC-AA and the ONC-ACBs would be analogous to an accreditation body
and the conformity assessment bodies, respectively, as referred to in
ISO 17011. The introductory section of ISO 17011 explains that a system
to accredit conformity assessment bodies is designed to provide
confidence to the purchaser and the regulator through impartial
verification that conformity assessment bodies are competent to perform
their tasks. ISO 17011 and Guide 65 are standards that have been
developed by a voluntary consensus standards body, as required by the
National Technology Transfer and Advancement Act of 1995 and the Office
of Management and Budget (OMB) Circular A-119, and we are aware of no
alternative voluntary consensus standards that would serve the purpose
for which these standards are intended to serve.
We appreciate the recommendations by the commenter, but we do not
believe that it is necessary or appropriate to require an accreditation
organization to be recognized under the NVCASE program or as a
signatory to the International Accreditation Forum's MRA. It is our
understanding that some of the requirements for recognition under the
NVCASE program are similar to the requirements we have proposed for an
accreditation organization to be approved as an ONC-AA. For example,
the NVCASE Program Handbook states that the generic requirements for
recognition as an accreditor are based on the ISO/IEC 17011 standard,
and recognized accreditors of certification bodies must accredit those
bodies to ISO/IEC Guide 65.\1\ Therefore, we do not believe that a
sufficient additional benefit would result from requiring accreditation
organizations to be recognized under the NVCASE program. Adding such a
requirement at this point may not provide sufficient notice and time
for accreditation organizations that are not currently recognized by
the NVCASE program to obtain NVCASE recognition in time to be eligible
for approval as the ONC-AA at the start of the permanent certification
program. Although we will not require an accreditation organization to
be a signatory to the International Accreditation Forum's MRA, this
information could be provided as part of an accreditation
organization's detailed description of its accreditation experience to
be included in its submitted request for ONC-AA status.
---------------------------------------------------------------------------
\1\ National Institute of Standards and Technology, U.S. Dep't
of Commerce, NVCASE Program Handbook, NISTIR 6440 2004 ED (Dec.
2004), available at http://gsi.nist.gov/global/index.cfm/L1-4/L2-38.
---------------------------------------------------------------------------
We agree with the commenters that, as proposed, granting ONC-AA
status to only one accreditation body at a time is the best way to
ensure consistency among ONC-ACBs. In addition, we believe that one
ONC-AA will be able to address and support the needs of the market
based on our projection of approximately 6 ONC-ACBs operating under the
permanent certification program. We also agree with the commenter that
suggested the ONC-AA should be chosen based on a competitive process
that would allow us to evaluate all interested accreditation
organizations in comparison to each other and select the organization
that is best qualified to serve as the ONC-AA. Under the process we
proposed, the National Coordinator would review requests for ONC-AA
status in the order they are received and select as the ONC-AA the
first accreditation organization that is deemed to be qualified based
on the factors specified in Sec. 170.503(b). We recognize the
limitations of this approach in that it would prevent the National
Coordinator from considering all of the requests for ONC-AA status that
are submitted and selecting the accreditation organization that is
found to be the best qualified in comparison to the entire pool of
organizations that submitted requests for ONC-AA status. We believe
that the permanent certification program would benefit from a more
competitive approach to selecting the ONC-AA. A competitive process
will ensure the best qualified organization that submits a request is
chosen as the ONC-AA, which will improve the overall quality of the
program and instill confidence in the general public as well as
industry stakeholders.
We are revising Sec. 170.503 to eliminate the provision for the
National Coordinator to review requests for ONC-AA status in order of
receipt and approve the first qualified accreditation organization.
Instead, under this revised Sec. 170.503, the National Coordinator
will review all timely requests for ONC-AA status in one batch and
choose the best qualified accreditation organization to serve as the
ONC-AA. We are revising Sec. 170.503(b) to provide a 30-day period
during which all interested accreditation organizations may submit
requests for ONC-AA status. We will publish a notice in the Federal
Register to announce this submission period. We are revising Sec.
170.503(c) to permit the National Coordinator up to 60 days to review
all timely submissions and determine which accreditation organization
is best qualified to serve as the ONC-AA based on the information
provided in the submissions and each organization's overall
accreditation experience. We originally proposed to permit the National
Coordinator up to 30 days to review a request for ONC-AA status and
make a decision. Based on the changes to the ONC-AA approval process,
the National Coordinator will likely need more time to review and
compare all of the requests for ONC-AA status in one batch and
determine which accreditation organization is best qualified to be the
ONC-AA out of a potential pool of multiple organizations. The National
Coordinator will select the best qualified accreditation organization
as the ONC-AA on a preliminary basis and subject to the resolution of
the reconsideration process in Sec. 170.504. The accreditation
organization that is selected on a preliminary basis is not
[[Page 1269]]
permitted to represent itself as the ONC-AA or perform any
accreditation(s) under the permanent certification program, unless and
until it is notified by the National Coordinator that it has been
approved as the ONC-AA on a final basis. All other accreditation
organizations will be notified that their requests for ONC-AA status
have been denied.
Any accreditation organization that submits a timely request for
ONC-AA status and is denied may request reconsideration of that
decision pursuant to Sec. 170.504. In order to request reconsideration
under revised Sec. 170.504(b), an accreditation organization must
submit to the National Coordinator, within 15 days of its receipt of a
denial notice, a written statement with supporting documentation
contesting the decision to deny its request for ONC-AA status. The
submission must demonstrate that clear, factual errors were made in the
review of its request for ONC-AA status and that it would have been
selected as the ONC-AA pursuant to Sec. 170.503(c) if those errors had
been corrected. Requests for reconsideration that are not received
within the specified timeframe may be denied. We are revising Sec.
170.504(c) such that the National Coordinator will have up to 30 days
to review all timely submissions and determine whether an accreditation
organization has met the standard specified in Sec. 170.504(b) (i.e.,
its submission has demonstrated that clear, factual errors were made in
the review of its request for ONC-AA status and that it would have been
selected as the ONC-AA pursuant to Sec. 170.503(c) if those errors had
been corrected). In determining whether an accreditation organization
would have been selected as the ONC-AA, the National Coordinator will
evaluate those accreditation organizations that demonstrate clear,
factual errors, in comparison to each other as well as to the
accreditation organization that was initially selected as the ONC-AA on
a preliminary basis.
We are adding a new paragraph (d) to Sec. 170.503 and revising
Sec. 170.504(d) such that if the National Coordinator determines that
an accreditation organization has demonstrated that clear, factual
errors were made in the review of its request for ONC-AA status and
that it would have been selected as the ONC-AA pursuant to Sec.
170.503(c) if those errors had been corrected, then that organization
will be approved as the ONC-AA on a final basis. All other
accreditation organizations will be notified that their requests for
reconsideration have been denied. Conversely, if the National
Coordinator determines that no accreditation organization has met the
standard specified in Sec. 170.504(b), then the organization that was
initially selected as the ONC-AA on a preliminary basis will be
approved as the ONC-AA on a final basis. An accreditation organization
has not been granted ``ONC-AA status'' unless and until it is notified
by the National Coordinator that it has been approved as the ONC-AA on
a final basis, as stated in revised paragraph (f) of Sec. 170.503.
We believe that it is appropriate to provide a 3-year term for an
ONC-AA. A 5-year term may provide more consistency and reliability, but
we believe a 3-year term provides an appropriate interval to fully
assess an ONC-AA's performance under the permanent certification
program and provide an opportunity for other interested organizations
to seek ONC-AA status. We believe all interested accreditation
organizations should be given the opportunity to request ONC-AA status
when the National Coordinator is seeking to approve an ONC-AA. An
interested accreditation organization should not be barred from
``reapplying'' simply because it previously served as an ONC-AA. Such a
preclusion could prevent the National Coordinator from approving the
best qualified accreditation organization or the only interested
organization.
We agree with the commenter that we should begin to accept requests
for ONC-AA status sooner than 120 days prior to the expiration of the
then-current ONC-AA's status as we originally proposed. Similar to the
commenter's recommendation, the National Coordinator will begin to
accept requests for ONC-AA status at least 180 days prior to the
expiration of the then-current ONC-AA's status. We believe this will
give the market more time to transition to a new ONC-AA if we were to
approve a different accreditation organization as the ONC-AA. We note,
however, that if we were to approve a different accreditation
organization as the ONC-AA, its status would not become effective until
after the end of the then-current ONC-AA's term. As with the approval
of the first ONC-AA and in accordance with the revised Sec.
170.503(b), we will notify the public of the 30-day period for
requesting ONC-AA status by publishing a notice in the Federal
Register. Consistent with this discussion, we are revising Sec.
170.503(f)(3) to specify that the National Coordinator will accept
requests for ONC-AA status, in accordance with paragraph (b), at least
180 days before the then-current ONC-AA's status is set to expire.
As pointed out by the commenters, we did not propose a formal
process for the National Coordinator to remove or take other corrective
action against an ONC-AA that is performing poorly. We recognize that
an ONC-AA, like an ONC-ACB, has significant responsibilities under the
permanent certification program that are inextricably linked to the
success of the permanent certification program. We agree with the
commenters that a specified process for the National Coordinator to
address poor performance or inappropriate conduct by an ONC-AA would be
beneficial for the permanent certification program and would ensure
that an ONC-AA is held accountable for its actions. Accordingly, we
intend to issue a notice of proposed rulemaking (NPRM) that will
address improper conduct by an ONC-AA, the potential consequences for
engaging in such conduct, and a process by which the National
Coordinator may take corrective action against an ONC-AA. We expect to
issue this NPRM in the near future and do not believe it will
unnecessarily delay the implementation of the permanent certification
program.
2. On-Going Responsibilities
We proposed in Sec. 170.503(e) that an ONC-AA would be required
to, at minimum: Maintain conformance with ISO 17011; in accrediting
certification bodies, verify conformance to, at a minimum, Guide 65;
verify that ONC-ACBs are performing surveillance in accordance with
their respective annual plans; and review ONC-ACB surveillance results
to determine if the results indicate any substantive non-conformance
with the terms set by the ONC-AA when it granted the ONC-ACB
accreditation. We specifically requested public comment on these
proposed responsibilities and whether there are other responsibilities
that we should require an ONC-AA to fulfill.
Comments. A couple of commenters expressed agreement with the
outlined responsibilities. One commenter suggested that the ONC-AA
should provide annual reports of the results of their responsibilities.
The commenter also recommended that the ONC-AA should review and/or
audit all ONC-ACB processes, such as bylaws and standard operating
procedures, no less than annually.
Response. We appreciate the expression of confidence in the ongoing
responsibilities we have proposed for an ONC-AA. We also appreciate the
commenter's recommendations for annual reports on the ONC-AA's
[[Page 1270]]
responsibilities and annual reviews and/or audits by the ONC-AA of all
ONC-ACBs' processes. We believe, however, that annual reports from the
ONC-AA are unnecessary. As stated above, the approval of an ONC-AA
every three years will serve as a sufficient periodic review of the
ONC-AA. There will also be opportunities to assess an ONC-AA's
performance of its responsibilities at other junctures during the
permanent certification program. The Principles of Proper Conduct for
ONC-ACBs require ONC-ACBs to submit annual surveillance plans and to
annually report surveillance results to the National Coordinator. Our
review of an ONC-ACB's surveillance results should give an indication
of whether the ONC-AA is performing its responsibilities to review ONC-
ACB surveillance results and verify that ONC-ACBs are performing
surveillance in accordance with their surveillance plans. We also
expect that our review and analysis of surveillance plans and results
will not only include feedback from the ONC-ACBs but also from the ONC-
AA. The ONC-AA feedback will provide us with additional information on
the ONC-AA's performance of its monitoring and review responsibilities
related to ONC-ACB surveillance activities.
ISO 17011 specifies that an accreditation body (i.e., an ONC-AA)
shall require a conformance assessment body (i.e., an ONC-ACB) to
commit to fulfill continually the requirements for accreditation set by
the accreditation body, cooperate as is necessary to enable the
accreditation body to verify fulfillment of requirements for
accreditation, and report changes that may affect its accreditation to
the accreditor. ISO 17011 also contains provisions that require an ONC-
AA to review an ONC-ACB periodically, but no less than every two years,
and to do so in a manner prescribed under ISO 17011. Moreover, as one
of its ongoing responsibilities, the ONC-AA will be required to verify
that ONC-ACBs continue to conform to the provisions of Guide 65 at a
minimum as a condition of continued accreditation. We believe these
provisions will enable the ONC-AA to sufficiently oversee (i.e., review
and/or audit) the ONC-ACBs for the purposes of the permanent
certification program. For instance, if the ONC-AA finds that an ONC-
ACB is not in compliance with its accreditation requirements, then the
ONC-ACB may lose its accreditation and subsequently its ONC-ACB status.
The Principles of Proper Conduct for ONC-ACBs will also provide
additional assurance that ONC-ACBs are operating in an acceptable
manner under the permanent certification program.
We are revising Sec. 170.503(e)(4) to state that the ONC-AA will
be responsible for reviewing ONC-ACB surveillance results to determine
if the results indicate any substantive non-conformance by ONC-ACBs
``with the conditions of their respective accreditations.'' We believe
this clarification more accurately accounts for the possibility that
different accreditation organizations may be approved to serve as the
ONC-AA.
3. Reconsideration of Request for ONC-AA Status
We proposed in Sec. 170.503(d) that an accreditation organization
could appeal a decision to deny its request for ONC-AA status in
accordance with Sec. 170.504, but only if no other accreditation
organization had been granted ONC-AA status. We proposed in Sec.
170.504 to use generally the same procedures for reconsideration of an
accreditation organization's request for ONC-AA status as we did for
reconsideration of applications for ONC-ACB status with a few
substantive distinctions. We proposed that an accreditation
organization could ask the National Coordinator to reconsider a
decision to deny its request for ONC-AA status only if no other
accreditation organization had been granted ONC-AA status and it could
demonstrate that clear, factual errors were made in the review of its
request for ONC-AA status and that the errors' correction could lead to
the accreditation organization obtaining ONC-AA status. We proposed
that an accreditation organization that wished to contest its denial
would be required to submit, within 15 days of receipt of a denial
notice, a written statement to the National Coordinator contesting the
decision to deny its request for ONC-AA status and explaining with
sufficient documentation what factual error(s) it believes can account
for the denial. We proposed that if the National Coordinator did not
receive the accreditation organization's written statement within the
specified timeframe that its request for reconsideration could be
rejected. We proposed that the National Coordinator would have up to 15
days to consider a timely reconsideration request. We further proposed
that if, after reviewing an applicant's reconsideration request, the
National Coordinator determined that the applicant did not identify any
factual errors, that correction of those factual errors would not
remove all identified deficiencies, or that a qualified ONC-AA had
already been approved, the National Coordinator could reject the
applicant's reconsideration request and that this decision would be
final and not subject to further review.
We did not receive any comments on these provisions. We are,
however, revising Sec. 170.503(c) and (d) and Sec. 170.504 consistent
with the changes we discussed earlier in this section of the preamble.
E. Correspondence
We proposed in Sec. 170.505 to require applicants for ONC-ACB
status and ONC-ACBs to correspond and communicate with the National
Coordinator by e-mail, unless otherwise necessary. We proposed that the
official date of receipt of any e-mail between the National Coordinator
and an applicant for ONC-ACB status or an ONC-ACB would be the day the
e-mail was sent. We further proposed that in circumstances where it was
necessary for an applicant for ONC-ACB status or an ONC-ACB to
correspond or communicate with the National Coordinator by regular or
express mail, the official date of receipt would be the date of the
delivery confirmation.
We did not receive any comments on these proposals. We are,
however, revising Sec. 170.505 to include ``or an ONC-ACB'' in
paragraph (b) to clarify that either an applicant for ONC-ACB status or
an ONC-ACB may, when necessary, utilize the specified correspondence
methods. This reference was inadvertently left out of Sec. 170.505(b)
in the Proposed Rule. We are also revising this section to apply the
correspondence requirements to accreditation organizations that submit
requests for ONC-AA status and the ONC-AA. These organizations are
similarly situated to applicants for ONC-ACB status and ONC-ACBs with
respect to corresponding with ONC. In particular, with our revisions
that establish a specific time period for submitting requests for ONC-
AA status, application of Sec. 170.505 to accreditation organizations
requesting ONC-AA status will provide a clear understating of when a
request will be deemed received by the National Coordinator. Overall,
we believe that applying the correspondence requirements to
accreditation organizations requesting ONC-AA status and the ONC-AA
will increase the efficiencies of the permanent certification program
and lessen the correspondence burden on these organizations.
[[Page 1271]]
F. Certification Options for ONC-ACBs
1. Distinction Between Testing and Certification
We stated in the Proposed Rule that there is a distinct difference
between the ``testing'' and ``certification'' of a Complete EHR and/or
EHR Module. We described ``testing'' as the process used to determine
the degree to which a Complete EHR or EHR Module can meet specific,
predefined, measurable, and quantitative requirements. We noted that
such results would be able to be compared to and evaluated in
accordance with predefined measures. In contrast, we described
``certification'' as the assessment (and subsequent assertion) made by
an organization, once it has analyzed the quantitative results rendered
from testing along with other qualitative factors, that a Complete EHR
or EHR Module has met all of the applicable certification criteria
adopted by the Secretary. We noted that qualitative factors could
include whether a Complete EHR or EHR Module developer has a quality
management system in place, or whether the Complete EHR or EHR Module
developer has agreed to the policies and conditions associated with
being certified (e.g., proper logo usage). We further stated that the
act of certification typically promotes confidence in the quality of a
product (and the Complete EHR or EHR Module developer that produced
it), offers assurance that the product will perform as described, and
helps consumers to differentiate which products have met specific
criteria from others that have not.
To further clarify, we stated that a fundamental difference between
testing and certification is that testing is intended to result in
objective, unanalyzed data. In contrast, certification is expected to
result in an overall assessment of the test results, consideration of
their significance, and consideration of other factors to determine
whether the prerequisites for certification have been achieved. To
illustrate an important difference between testing and certification,
we provided the example that we recite below.
An e-prescribing EHR Module developer that seeks to have its EHR
Module certified would first submit the EHR Module to be tested. To
successfully pass the established testing requirements, the e-
prescribing EHR Module would, among other functions, need to transmit
an electronic prescription using mock patient data according to the
standards adopted by the Secretary. Provided that the e-prescribing EHR
Module successfully passed this test it would next be evaluated for
certification. Certification could require that the EHR Module
developer agree to a number of provisions, including, for example,
displaying the EHR Module's version and revision number so potential
purchasers could discern when the EHR Module was last updated or
certified. If the EHR Module developer agreed to all of the applicable
certification requirements and the EHR Module achieved a passing test
result, the e-prescribing EHR Module would be certified. In these
situations, both the EHR Module passing the technical requirements
tests and the EHR Module vendor meeting the other certification
requirements would be required for the EHR Module to achieve
certification.
Comments. Multiple commenters asked for additional clarification
for the distinction between testing and certification. Commenters were
concerned that ONC-ACBs would have too much discretion related to
certification. The commenters asserted that ONC-ACBs should only be
empowered to assess whether adopted certification criteria have been
met or whether other applicable policies adopted by the National
Coordinator through regulation, such as ``labeling'' policies, have
been complied with. Commenters expressed specific concern with one of
our examples of potential qualitative factors, which was the need to
have ``a quality management system in place.'' The commenters suggested
that a requirement to have a quality management system in place is
vague and gives too much discretion to an ONC-ACB.
Response. Our response to these comments is similar to the response
we provided in the Temporary Certification Program final rule due to
similarities that exist between the two certification programs. We
require as a Principle of Proper Conduct that ONC-ACBs shall maintain
their accreditation, which will, at minimum, require ONC-ACBs to
operate their certification programs in accordance with Guide 65. As
noted above, the ONC-AA will be required to verify that ONC-ACBs
continue to conform to Guide 65 at a minimum as a condition of
maintaining their accreditation. Guide 65 specifies the requirements
that an organization must follow to operate a certification program.
Moreover, because Guide 65 states in section 4.6.1 that a
``certification body shall specify the conditions for granting,
maintaining and extending certification,'' we believe that it would be
inappropriate to dictate every specific aspect related to an ONC-ACB's
certification program operations. We understand the concerns expressed
by commenters over our example of a ``quality management system'' as
another factor that ONC-ACBs may choose to include, in accordance with
Guide 65, as part of their certification requirements for assessing
Complete EHRs and/or EHR Modules and have considered how to best
address such concerns.
With respect to those commenters who requested that we clarify the
purview of ONC-ACBs related to certification and expressed concerns
about the level of discretion afforded to ONC-ACBs, we agree that
additional clarity is necessary regarding our intent and expectations
of ONC-ACBs as initially expressed in our discussion of the differences
between testing and certification in the Proposed Rule. We believe
commenters were expressing a concern that certification could include
other factors beyond the certification criteria adopted by the
Secretary in subpart C of part 170, which could prevent them from
receiving a certification in a timely manner if they were not aware of
those factors. We agree with commenters that this is a legitimate
concern. We did not intend to convey through our examples that we would
adopt additional requirements for certification in this final rule
beyond the certification criteria adopted by the Secretary in subpart C
of part 170 and the other requirements imposed on ONC-ACBs in subpart E
of part 170.
We seek to make clear that the primary responsibility of ONC-ACBs
under the permanent certification program is to certify Complete EHRs
and EHR Modules, and potentially other types of HIT at some point in
the future, in accordance with the certification criteria adopted by
the Secretary. In consideration of the comments and the preceding
discussion, we are adding new provisions to Sec. 170.545 (paragraph
(b)) and Sec. 170.550 (paragraph (b)) to make it explicitly clear that
an ONC-ACB must offer the option for a Complete EHR or EHR Module to be
certified solely to the applicable certification criteria adopted by
the Secretary and not to any additional certification criteria. In
other words, if a developer makes a request for its Complete EHR or EHR
Module to be certified solely to the applicable certification criteria
adopted by the Secretary, an ONC-ACB cannot require the Complete EHR or
EHR Module to be certified to any other certification criteria beyond
those that have been adopted by the Secretary. In complying with such a
request, the ONC-ACB would still be expected to issue
[[Page 1272]]
certifications in accordance with the requirements specified by subpart
E of part 170 (for example, Sec. 170.523(k)). As a matter of its own
business practices, however, an ONC-ACB may decide to offer multiple
options for the certification of HIT, some of which could potentially
impose other requirements for certification or include additional
certification criteria beyond what has been adopted by the Secretary.
If an ONC-ACB chooses to offer multiple certification options for HIT,
we expect it would be done consistent with the requirements of the ONC-
ACB's accreditation. Additionally, in accordance with Guide 65, section
6, the ONC-ACB would be required to ``give due notice of any changes it
intends to make in its requirements for certification'' and ``take
account of views expressed by interested parties before deciding on the
precise form and effective date of the changes.''
We note, however, that while we do not preclude an ONC-ACB from
certifying HIT in accordance with its own requirements that may be
unrelated to and potentially exceed the certification criteria adopted
by the Secretary, such activities would not be within the scope of an
ONC-ACB's authority granted under the permanent certification program
and should not be considered to be endorsed or approved by the National
Coordinator or the Secretary. Accordingly, we have added as a component
of a new principle in the Principles of Proper Conduct for ONC-ACBs
(discussed in more detail in section O. Validity of Complete EHR and
EHR Module Certification and Expiration of Certified Status) that any
certifications that are based solely on the applicable certification
criteria adopted by the Secretary at subpart C must be separate and
distinct from any other certification(s) that are based on other
criteria or requirements. To further clarify, HIT that meets the
definition of a Complete EHR or EHR Module and is certified to the
certification criteria adopted by the Secretary as well as to an ONC-
ACB's own additional certification criteria must have its certified
status as a Complete EHR or EHR Module noted separately and distinctly
from any other certification the ONC-ACB may issue based on its own
certification criteria. For example, an ONC-ACB should indicate that
the HIT has been certified as a ``Complete EHR in accordance with the
applicable certification criteria adopted by the Secretary of Health
and Human Services'' and, if applicable, separately indicate that the
HIT meets ``XYZ certification criteria as developed and/or required by
[specify certification body].''
2. Types of Certification
We proposed in Sec. 170.510 that applicants for ONC-ACB status may
seek authorization from the National Coordinator to perform Complete
EHR certification, EHR Module certification, and/or certification of
other types of HIT for which the Secretary has adopted certification
criteria under subpart C of this part.
We received multiple comments on the types of certification that
ONC-ACBs can and should perform. These comments were in direct response
to our requests for public comments on whether ONC-ACBs should certify
the integration of EHR Modules and on whether applicants for ONC-ACB
status should be permitted to apply to certify only Complete EHRs
designed for an ambulatory setting or only Complete EHRs designed for
an inpatient setting.
a. Complete EHRs for Ambulatory or Inpatient Settings
We requested public comment in the Proposed Rule on whether the
National Coordinator should permit applicants under the permanent
certification program to seek authorization to certify only Complete
EHRs designed for an ambulatory setting or, alternatively, only
Complete EHRs designed for an inpatient setting. Under our proposal, an
applicant seeking authorization to perform Complete EHR certification
would be required to certify Complete EHRs designed for both ambulatory
and inpatient settings.
Comments. We received comments ranging from support for providing
the option for applicants to certify Complete EHRs for either
ambulatory or inpatient settings to support for our proposal to require
an ONC-ACB to perform certification for both settings. Some commenters
thought that our proposal could stifle competition and expressed
concern that there may not be enough entities capable of performing
Complete EHR certification for both settings. These commenters stated
that allowing for Complete EHR certification for either an ambulatory
or inpatient setting could enhance competition and expedite
certifications. Conversely, a few commenters stated that providing the
option would multiply the National Coordinator's application workload
and slow the authorization of ONC-ACBs. One commenter also thought that
the option may lead to applicants for ONC-ACB status competing for
limited resources, such as specialized staff for conducting
certification.
Some commenters expressed concern that if the National Coordinator
were to allow applicants to certify Complete EHRs for either ambulatory
or inpatient settings, there would not be enough ONC-ACBs to certify
Complete EHRs for each setting. Therefore, these commenters' support
for the option was conditioned on the National Coordinator ensuring
that there were an adequate number of ONC-ACBs for each setting. One
commenter only supported giving ONC-ACBs an option to certify Complete
EHRs for either ambulatory or inpatient settings if the option included
certification of EHR Module level interactions necessary for the
exchange of data between ambulatory and inpatient Complete EHRs.
Some commenters stated that the option could lead to ``almost
complete'' EHRs, which could then lead to eligible professionals and
eligible hospitals paying large sums for niche EHR Modules based on
complicated certification criteria such as biosurveillance or quality
reporting. One commenter asserted that under our current proposal an
applicant for ONC-ACB status could seek authorization to certify EHR
Modules that together would essentially constitute a Complete EHR for
an ambulatory setting (or an inpatient setting). Therefore, the
commenter contended that we should allow an applicant for ONC-ACB
status the option to seek authorization to certify Complete EHRs for
either ambulatory or inpatient settings because an applicant for ONC-
ACB status could essentially choose that option by seeking all the
necessary EHR Module authorizations for either ambulatory or inpatient
settings.
Response. In the Temporary Certification Program final rule, based
on the concerns expressed by the commenters, we determined that it was
inappropriate under the temporary certification program to allow
applicants for ONC-ATCB status to seek authorization to test and
certify Complete EHRs for either only ambulatory settings or only
inpatient settings. We stated that we would reconsider the option for
the permanent certification program based on any additional comments we
received on the proposed permanent certification program.
The comments discussed above include comments we received that were
applicable to both the temporary certification program and the
permanent certification program as well as comments focused solely on
the permanent certification program. As mentioned, we discussed the
comments that were applicable to the temporary
[[Page 1273]]
certification program in the Temporary Certification Program final
rule. The comments that were focused solely on the permanent
certification program did not contain any additional information or
rationale that would cause us to conclude that the option to allow
applicants for ONC-ACB status to seek authorization to certify Complete
EHRs for only ambulatory settings or only inpatient settings would be
appropriate for the permanent certification program. Accordingly, we
are not permitting this option in the permanent certification program.
To address the commenters' concerns about ``almost complete'' EHRs,
we reiterate that for EHR technology to be considered a Complete EHR,
it must have been developed to meet, at a minimum, all of the
applicable certification criteria adopted by the Secretary. For
example, a Complete EHR for an ambulatory setting must have been
developed to meet all of the certification criteria adopted at Sec.
170.302 and Sec. 170.304. Therefore, if we were to provide the option
for ONC-ACBs to seek authorization to certify Complete EHRs for only
ambulatory settings or only inpatient settings, the Complete EHRs that
they certify must have been developed to meet all of the applicable
certification criteria adopted by the Secretary.
We agree with the commenter that an applicant for ONC-ACB status
could seek authorization to certify certain types of EHR Modules that
together could potentially include all of the capabilities required by
the applicable certification criteria for an ambulatory setting. The
important distinction between the commenter's suggested approach and
the option we proposed is that under the commenter's approach the ONC-
ACB would not be able to issue a ``Complete EHR certification'' for a
combination of EHR Modules because the ONC-ACB had not received
authorization to certify Complete EHRs. Consequently, if a Complete EHR
developer wanted to obtain Complete EHR certification, they could not
seek such certification from an ONC-ACB that did not have authorization
to grant Complete EHR certifications. We would assume that a potential
applicant for ONC-ACB status would consider this impact on its customer
base when determining what type of authorization to seek.
Consistent with this discussion, we are finalizing proposed Sec.
170.510 without modification.
b. Integrated Testing and Certification of EHR Modules
In the Proposed Rule, we requested public comment on whether ONC-
ACBs should be required to certify that any EHR Module presented by one
EHR Module developer for testing and certification would properly work
(i.e., integrate or be compatible) with other EHR Modules presented by
different EHR Module developers.
Comments. Multiple commenters stated that certifying EHR Modules
based on their ability to integrate with one another is a worthwhile
endeavor. These commenters stated that such certification would make it
easier for eligible professionals and eligible hospitals to purchase
certified EHR Modules that are compatible and could be used together to
achieve meaningful use and could increase or improve interoperability
among HIT in general. Conversely, many other commenters strongly
disagreed with requiring EHR Modules to be certified for compatibility
and raised various concerns. Overall, these commenters asserted that it
would be technically infeasible as well as both logistically (e.g.,
multiple certification sites and multiple EHR Module developers) and
financially impractical to attempt to certify whether two or more EHR
Modules were compatible given the huge and shifting numbers of possible
combinations. Another concern indicated that a mandatory requirement
for ONC-ACBs to perform this type of certification would be challenging
for ONC-ACBs because the EHR Module concept as defined in regulation is
relatively new and because there is limited available guidance and
mature testing and certification processes for this type of
certification. One commenter opined that certification was not
necessary because EHR Module developers would likely strive for
integration on their own as a marketing tool for their EHR Modules.
Some commenters suggested that EHR Modules could be certified as
``integrated bundles.'' One commenter recommended that if we were to
pursue any type of EHR Module-to-EHR Module integration, it should be
no earlier than when we adopt the next set of standards, implementation
specifications, and certification criteria, and then it should only be
done selectively based on meaningful use requirements. Another
commenter suggested that ONC-ACBs be given the option, but not be
required, to determine if EHR Modules are compatible.
Response. We believe that including a mandatory provision requiring
ONC-ACBs to certify whether two or more EHR Modules are compatible
would not be prudent due to the various impracticalities that were
raised by commenters. We arrived at the same conclusion for the
temporary certification program as explained in the Temporary
Certification Program final rule. We believe that requiring ONC-ACBs to
certify EHR Module-to-EHR Module integration is inappropriate primarily
because of the impracticalities pointed out by commenters related to
the numerous combinations of EHR Modules that will likely exist and the
associated technical, logistical, and financial costs of determining
EHR Module-to-EHR Module integration. We also agree with the commenter
who suggested that developers will choose, most likely selectively, to
integrate their EHR Modules with other EHR Modules for the purposes of
making their products more marketable. Consequently, we believe that
the market through business decisions and agreements may work to
achieve integration where necessary and beneficial.
An EHR Module developer or developers may present EHR Modules
together as a pre-coordinated, integrated bundle for certification
pursuant to Sec. 170.550(e) for the purpose of satisfying the privacy
and security certification criteria adopted at subpart C of part 170.
An ONC-ACB, however, is only permitted to certify a pre-coordinated,
integrated bundle of EHR Modules if it is capable of meeting all of the
applicable certification criteria and would otherwise meet the
definition of and constitute a Complete EHR. We assume that the EHR
Module developer(s), for business and potentially other reasons, would
have reconciled any compatibility issues among the constituent EHR
Modules that make up the pre-coordinated, integrated bundle before the
bundle is presented for testing and certification.
We note that nothing in this final rule precludes an ONC-ACB or
other entity from offering a service to certify EHR Module-to-EHR
Module integration. However, to be clear, although we do not require or
specifically preclude an ONC-ACB from certifying EHR Module-to-EHR
Module integration, any EHR Module-to-EHR Module certification
performed by an ONC-ACB or other entity will be done without specific
authorization from the National Coordinator and will not be considered
part of the permanent certification program. We understand that
certification for EHR Module-to-EHR Module integration may be
advantageous in certain instances, but
[[Page 1274]]
we do not believe, based on the impracticalities discussed above, that
we could set all the necessary parameters for certification of EHR
Module-to-EHR Module integration.
Consistent with this discussion, we are finalizing proposed Sec.
170.510 without modification.
G. ONC-ACB Application Process
1. Application
We proposed in Sec. 170.520 that an application would need to be
submitted to the National Coordinator and that the application would
need to contain certain information to be considered complete. We also
noted that applications would be made available on ONC's Web site and
could be submitted by e-mail.
Similar to the temporary certification program, we proposed to
require an applicant for ONC-ACB status to indicate on its application
the type of certification it seeks authorization to perform under the
permanent certification program. Consistent with proposed Sec.
170.510, an applicant could indicate that it seeks authorization to
certify Complete EHRs, EHR Module(s), and/or other types of HIT for
which the Secretary has adopted certification criteria. If the
applicant were to request authorization to certify EHR Module(s), we
proposed to require the applicant to identify the type(s) of EHR
Module(s) that it seeks to certify.
We proposed that an applicant must provide general identifying
information, including the applicant's name, address, city, State, zip
code, and Web site. We proposed that an applicant also must designate
an authorized representative and provide the name, title, phone number,
and e-mail address of the person who would serve as the applicant's
point of contact. We proposed that an applicant must submit
documentation confirming the applicant's accreditation by an ONC-AA.
Lastly, we proposed that an applicant must submit an executed agreement
to adhere to the ``Principles of Proper Conduct for ONC-ACBs.''
We proposed that if the Secretary adopts certification criteria for
HIT other than Complete EHRs and EHR Modules, an ONC-ACB would be
required to submit an addendum to its original application if it wished
to request authorization to certify this other type of HIT.
Additionally, we proposed that if a new organization wanted to be
authorized to certify another type of HIT, it would need to follow the
rules for becoming an ONC-ACB, including first receiving accreditation
from an ONC-AA.
Comments. We received comments expressing agreement with the
application requirements, including the need for an applicant to be
accredited before it applies. One commenter suggested that if an
organization fails to become accredited on the first attempt that the
organization should be given another opportunity. Another commenter
suggested that, similar to the temporary certification program, we
institute a ``proficiency examination'' for ``key personnel.'' The
commenter stated that such a competency test, adherence to
credentialing standards such as ASTM International 2659, or a more
formal and ongoing personnel certification program in accordance with
ISO 17024 may have long-term benefits for the permanent certification
program. A commenter also requested clarification on what information
the National Coordinator would deem sufficient to confirm the
applicant's accreditation. The commenter suggested that a current
letter of accreditation, as opposed to the re-submission of supporting
documentation that was submitted previously to the ONC-AA, could
fulfill the requirement to confirm an ONC-ACB's accreditation.
Response. We appreciate the support for the proposed application
requirements. We wish to further clarify these requirements for
applicants who seek authorization to certify EHR Modules. In addition
to identifying the specific type(s) of EHR Module(s) that they wish to
certify, these applicants are expected to identify as part of their
application the certification criterion or criteria that they believe
should be included within the scope of their authorization for the EHR
Module(s) they have identified. We believe requiring applicants to
provide this information will ensure that an applicant and the National
Coordinator will have a shared understanding of the scope of the
authorization requested by the applicant, which could otherwise be
difficult to discern based solely on the name(s) or type(s) of EHR
Module(s) that the applicant identifies in its application.
In response to the commenter, we note that the ONC-AA will develop
and manage the accreditation process for organizations that intend to
apply for ONC-ACB status, including the number of times an organization
may attempt to become accredited. We appreciate the commenter's
recommendation for ONC-ACB personnel to undergo competency testing and/
or a formal credentialing program, and we understand the potential
benefits associated with such requirements. We do not, however, believe
that ONC should independently require personnel of applicants for ONC-
ACB status to pass a certain exam or possess certain credentials before
the applicant applies ONC-ACB status. We believe that accreditation by
the ONC-AA will be sufficient to ensure that an applicant for ONC-ACB
status will have personnel who are qualified to perform certifications
of Complete EHRs, EHR Modules, and/or other types of HIT. Further, we
will require ONC-ACBs to attend ONC mandatory training and to maintain
training programs for their own personnel, which we believe are
adequate measures to ensure that ONC-ACB personnel will remain
competent. Lastly, to properly document an ONC-ACB applicant's
accreditation, the applicant should provide a copy of its accreditation
record consistent with the accreditation record that the ONC-AA must
keep in accordance with section 7.14 of ISO 17011. We believe that a
copy of the record will allow the National Coordinator to properly
confirm the extent of an applicant's accreditation.
In the Temporary Certification Program final rule, we noted a
commenter's suggestion that we should establish a process that would
enable ONC-ATCBs to apply for additional authorization to test and
certify additional types of EHR Modules. We declined to establish a
process separate from the application process that we had proposed for
the temporary certification program, but we indicated that we would
consider whether an alternative process would be appropriate for the
permanent certification program. In other words, if an ONC-ACB is
authorized to certify a certain type(s) of EHR Module(s) and wants to
expand the scope of its current authorization so that it may certify
other types of EHR Modules, should there be a way for it to obtain this
authorization without following the application process outlined in
Sec. 170.520. After considering this possibility, we have decided to
adopt a more streamlined process for ONC-ACBs that want to expand the
scope of their current authorization to include Complete EHRs, other
types of EHR Modules, and/or other types of HIT if it becomes an
option. In order to request additional authorization under this
process, an ONC-ACB must specify in writing the type of authorization
it is seeking (including, for EHR Module(s) authorization,
identification of the certification criterion or criteria that it
believes should be included within the scope of its authorization) and
provide documentation of its current accreditation that would support
the
[[Page 1275]]
type of authorization it seeks, as described in Sec. 170.520(a) and
(c), respectively. The ONC-ACB would not be required to resubmit the
other information specified in Sec. 170.520, unless any of that
information had changed since it was last provided to ONC. In deciding
whether to grant an ONC-ACB's request to expand the scope of its
current authorization, the National Coordinator may also consider
whether the ONC-ACB has completed any mandatory training as may be
required by Sec. 170.523(b), which would confirm whether the ONC-ACB
is competent to certify the specific type(s) of HIT for which it seeks
authorization. For example, an ONC-ACB that is authorized to certify a
certain type of EHR Module may request authorization to certify other
types of EHR Modules that may include different capabilities and thus
implicate different certification criteria adopted by the Secretary.
The National Coordinator may require the ONC-ACB to complete mandatory
training to ensure that the ONC-ACB understands the test tools and test
procedures used for testing to the different certification criteria and
can competently certify the other types of EHR Modules. We believe a
more streamlined process will benefit both ONC-ACBs and developers of
Complete EHRs, EHR Modules, and other types of HIT because it will
enable ONC-ACBs to expand the scope of their authorization more
efficiently and consequently provide additional certification services
to developers. Overall, we believe this could potentially benefit the
market for HIT by increasing the speed with which certified Complete
EHRs, EHR Modules and potentially other types of HIT are available for
purchase and/or implementation.
We are revising Sec. 170.520(c) such that the documentation
provided by the applicant must confirm that the applicant has been
accredited by ``the ONC-AA,'' instead of ``an ONC-AA'' as proposed. We
believe the revision more clearly reflects that there will be only one
ONC-AA at a time.
2. Principles of Proper Conduct for ONC-ACBs
We received multiple comments on the proposed Principles of Proper
Conduct for ONC-ACBs. Many of those comments were also relevant to the
proposed Principles of Proper Conduct for ONC-ATCBs because several
identical Principles were proposed for both ONC-ACBs and ONC-ATCBs. As
explained earlier in this preamble, given the similarities that exist
between the temporary and permanent certification programs, the
responses we provide below are often similar or identical to our
responses to comments on the proposed Principles of Proper Conduct for
ONC-ATCBs that we provided in the Temporary Certification Program final
rule.
We did not receive any comments on the Principles of Proper Conduct
proposed in paragraphs (b), (c) and (d) of Sec. 170.523. Therefore, we
are finalizing these Principles of Proper Conduct without modification.
While we received comments on all of the other proposed Principles of
Proper Conduct for ONC-ACBs and suggestions for additional principles
of proper conduct, the majority of the comments were focused on or
related to the proposed Principles that would require ONC-ACBs to
provide ONC, no less frequently than weekly, a current list of Complete
EHRs and EHR Modules that have been certified; only certify HIT that
has been tested by a NVLAP-accredited testing laboratory; and submit an
annual surveillance plan and annually report surveillance results.
a. Maintain Accreditation
We proposed in Sec. 170.523(a) that an ONC-ACB would be required
to maintain its accreditation. As discussed earlier, the ONC-AA will be
required as part of its ongoing responsibilities to verify that ONC-
ACBs are continuing to operate in accordance with Guide 65 at a minimum
in order to maintain their accreditation.
Comments. A few commenters expressed opinions that accreditation
was an appropriate requirement for ONC-ACBs. One commenter recommended
that we review the processes of other accreditation organizations such
as the American National Standards Institute, the Joint Commission, and
the ISO to assist in the development of the accreditation program for
the permanent certification program, while another commenter
recommended that we only require compliance with select, appropriate
provisions of Guide 65 as part of accreditation instead of all of Guide
65.
Response. We have reviewed the processes of other accreditation
organizations and have concluded, as proposed, that the standards
developed by the ISO (specifically, ISO 17011 and Guide 65) should
serve as the foundation for developing the accreditation element of the
permanent certification program. In particular, we have stated that we
expect the ONC-AA will accredit ONC-ACBs based on the guidelines
specified in ISO 17011. Further, we believe that all of the provisions
of Guide 65 would be applicable to the accreditation program and thus
we proposed that accreditation would include verification of a
certification body's conformance, at minimum, to Guide 65. We believe
that requiring ONC-ACBs to be accredited will ensure that ONC-ACBs are
qualified to perform certifications and will continue to be capable of
properly performing certifications.
b. ONC Visits to ONC-ACB Sites
We proposed in Sec. 170.523(e) to require an ONC-ACB to allow ONC,
or its authorized agent(s), to periodically observe on site
(unannounced or scheduled) any certifications performed to demonstrate
compliance with the requirements of the permanent certification
program.
Comments. A commenter expressed agreement with our proposal stating
that both scheduled and unannounced visits are appropriate. Another
commenter stated that if visits are unannounced, then there can be no
assurance that a certification will actually be underway upon the
arrival of an ONC representative. Therefore, the commenter recommended
that we should revise the requirement to require an ONC-ACB to respond
within 2 business days to an ONC request to observe certification by
providing the date, time, and location of the next scheduled
certification. Another commenter recommended that all visits should be
planned because staff may not be available and ``clearances'' may need
to be arranged well in advance of a site visit. A commenter also stated
that ONC observers for site visits would likely need to execute
confidentiality and/or business associate agreements because some HIT
developers treat their software screens and other elements as trade
secrets.
Response. Our proposal gave us the option to conduct either
scheduled or unannounced visits. After considering the comments, we
believe it is appropriate to maintain both options, as we did in the
context of the temporary certification program. If we determine that
there is a specific certification that would be appropriate for us or
our authorized agent(s) to observe, we may find it is more prudent to
schedule a visit. However, to monitor compliance with the provisions of
the permanent certification program and to maintain the integrity of
the program, we believe that unannounced visits are appropriate. We
anticipate that ONC ``authorized agents'' could potentially include
individuals or entities under contract with ONC, personnel from an
entity with which ONC has a regulatory relationship (e.g., personnel
from the
[[Page 1276]]
ONC-AA), or personnel from other Federal agencies with certification
expertise (e.g., NIST). We expect to establish ahead of time for ONC-
ACBs the parameters around announced or unannounced on-site visits. In
establishing these parameters, we expect ONC-ACBs to ensure that any
``clearances'' for ONC or its authorized agents are obtained in a
timely manner given the possibility of an unannounced site visit. We
also expect ONC-ACBs will take the necessary steps to address any
potential confidentiality issues with their customers (for example,
through a confidentiality agreement that would enable ONC and its
authorized representatives to observe the certification of a customer's
HIT). Therefore, we are finalizing this Principle of Proper Conduct
with only a minor modification. We are revising Sec. 170.523(e) to
clarify that site visits will be conducted during normal business
hours. This condition was inadvertently left out of the proposed
provision, but is consistent with our original intent as shown in the
proposed and final versions of the analogous provision for ONC-ATCBs.
c. Lists of Certified Complete EHRs and EHR Modules
i. ONC-ACB Lists
We proposed in Sec. 170.523(f) to require an ONC-ACB to provide
ONC, no less frequently than weekly, a current list of Complete EHRs
and/or EHR Modules that have been certified which includes, at a
minimum, the vendor name (if applicable), the date certified, the
product version, the unique certification number or other specific
product identification, and where applicable, the certification
criterion or certification criteria to which each EHR Module has been
certified.
Comments. Many commenters expressed appreciation for the proposed
requirement and the proposed frequency for which the lists were to be
updated. In relation to the information ONC-ACBs must report, a
commenter specifically expressed support for making timely, complete,
and useful information available to eligible professionals and eligible
hospitals as they purchase and implement Certified EHR Technology that
will enable them to attempt to demonstrate meaningful use.
Some commenters requested clarification and made recommendations
for revisions to the provision. One commenter suggested that the
provision should be revised to require an ONC-ACB to notify ONC within
a week of successful certification of new Complete EHRs and/or EHR
Modules. Additionally, the commenter contended that the proposed
provision was unclear as to whether an ONC-ACB was required to send a
complete, current list or only new additions and whether the list could
be sent via e-mail. Another commenter suggested revising the provision
to require an ONC-ACB to also report a current list of ``applicants''
and their status in the certification queue.
Response. As proposed and as already finalized for the temporary
certification program, we will require ONC-ACBs to provide the National
Coordinator, no less frequently than weekly, with a current list of
Complete EHRs and/or EHR Modules that have been certified. We
anticipate only requiring weekly updates, but ONC-ACBs are free to
provide more frequent updates. We believe weekly updates are sufficient
for providing current information to the public on the status of
certified Complete EHRs and EHR Modules without placing an
administrative burden on ONC-ACBs. In this regard, we have previously
stated and continue to expect that ONC-ACBs will provide the
information electronically, such as through e-mail. We also agree with
the commenter that it would be unnecessary for an ONC-ACB to continue
to report on previously certified Complete EHRs and/or EHR Modules and,
therefore, only expect these weekly reports to include new
certifications issued between the last weekly report and the newly
submitted weekly report. Additionally, we do not believe any
substantial benefit would result from requiring ONC-ACBs to report on
the status of Complete EHRs and/or EHR Modules that are in the process
of being certified. The time needed for the certification of Complete
EHRs and EHR Modules will likely vary based on many factors and, in
some cases, may not be completed due to various reasons. Therefore, we
do not believe that the reporting of products in an ONC-ACB's queue
should be a requirement at this time.
We agree with the commenter who indicated that useful information
should be made available to eligible professionals and eligible
hospitals as they decide which Certified EHR Technology to adopt. We
note that much of the information that will be reported by ONC-ACBs
will also be included in the Certified HIT Products List (CHPL) that
will be made publicly available on ONC's Web site. After consideration
of the public comments received and our own programmatic objectives, we
will require ONC-ACBs to report information related to the two
additional elements that we already finalized for ONC-ATCBs in the
Temporary Certification Program final rule. Our intention in including
these two additional elements is to make more information widely
available about the technology that has been certified, which will
benefit eligible professionals, eligible hospitals, and other
interested parties who wish to adopt certified Complete EHRs and EHR
Modules. The two additional elements that we will require ONC-ACBs to
report are the clinical quality measures to which a Complete EHR or EHR
Module has been certified and, where applicable, any additional
software that a Complete EHR or EHR Module relied upon to demonstrate
its compliance with a certification criterion or criteria adopted by
the Secretary. As with the other information that ONC-ACBs must report,
these two additional elements will enable eligible professionals and
eligible hospitals to make better informed purchasing decisions,
consistent with the commenter's suggestion.
The reporting of clinical quality measures to which a Complete EHR
or EHR Module has been certified will enable an eligible professional
or eligible hospital to identify and adopt a Complete EHR or EHR Module
that includes the clinical quality measures they seek to implement.
Knowledge of the additional software a Complete EHR or EHR Module has
relied upon to demonstrate compliance with a certification criterion or
criteria will be useful, and in some cases essential, for eligible
professionals and eligible hospitals who are deciding which Complete
EHR or EHR Module to adopt. Eligible professionals and eligible
hospitals could use this information to assess whether a specific
certified Complete EHR or EHR Module may be incompatible with their
current information technology (IT) or would require them to install
additional IT. We stress that this reporting requirement only relates
to software that is relied upon by a Complete EHR or EHR Module to
demonstrate compliance with a certification criterion or criteria
adopted by the Secretary. We do not intend or expect this requirement
to be construed as a comprehensive specifications list or similar type
of inclusive list. Rather, as with the temporary certification program,
our rationale for including this requirement is to ensure that eligible
professionals and eligible hospitals who adopt a certified Complete EHR
or EHR Module understand what is necessary for the Complete EHR or EHR
Module to
[[Page 1277]]
operate in compliance with the certification criterion or criteria to
which it was certified. For example, if a Complete EHR relied upon an
operating system's automatic log-off functionality to demonstrate its
compliance with this certification criterion, we would expect the
operating system relied upon to be reported. Conversely, if a Complete
EHR included its own automatic log-off capability, even though the
Complete EHR may have been certified using a particular operating
system, we would not require the operating system to be reported
because it was not relied upon to demonstrate compliance with the
certification criterion.
We are revising Sec. 170.523(f) to correct an inadvertent
reference to vendors of Complete EHRs or EHR Modules. As proposed, the
section would require ONC-ACBs to report the names of certified
Complete EHR or EHR Module vendors, if applicable. Our use of the word
``vendor'' was not intended to exclude information related to self-
developers from the reporting requirements of Sec. 170.523(f).
Throughout the Proposed Rule and this final rule, we have collectively
referred to self-developers and commercial vendors as ``developers'' of
Complete EHRs and EHR Modules. Therefore, we are replacing ``vendor''
with ``Complete EHR or EHR Module developer'' in Sec. 170.523(f)(1).
We also believe it would be helpful to clarify the specific
information that should be reported with respect to pre-coordinated,
integrated bundles of EHR Modules that are certified in accordance with
Sec. 170.550(e). ONC-ACBs are required by Sec. 170.523(f)(4) to
report the unique certification number or other specific product
identification of Complete EHRs and EHR Modules that have been
certified. They are also required by Sec. 170.523(f)(7) to report,
where applicable, the certification criterion or criteria to which each
EHR Module has been certified. Based on these provisions, ONC-ACBs
should identify and include in their reports to the National
Coordinator: the pre-coordinated, integrated bundles of EHR Modules
that they certify; the list of constituent EHR Modules that comprise
each bundle; and, where applicable, identify for each constituent EHR
Module the certification criterion or criteria to which that particular
EHR Module has been certified.
Finally, as with the temporary certification program, we note that
our required reporting elements constitute a minimum. We do not
preclude ONC-ACBs from including in their weekly reports additional
information that prospective purchasers and users of Complete EHRs and
EHR Modules would find useful, such as specifying the Complete EHR or
EHR Module's compatibility with other software or compatibility with
other EHR Modules. If not reported to the National Coordinator, we
encourage ONC-ACBs to consider making such information available on
their own Web sites to better inform prospective purchasers and users
of Complete EHRs and EHR Modules.
We are revising Sec. 170.523(f) consistent with our discussion
above.
ii. Certified HIT Products List
We stated in the Proposed Rule that in an effort to make it easier
for eligible professionals and eligible hospitals to cross-validate
that they have in fact adopted Certified EHR Technology, the National
Coordinator intends to make a master CHPL of all Complete EHRs and EHR
Modules certified by ONC-ACBs available on the ONC Web site. The CHPL
would be a public service and would be a single, aggregate source of
all the certified product information ONC-ACBs provide to the National
Coordinator. The CHPL would also represent all of the Complete EHRs and
EHR Modules that could be used to meet the definition of Certified EHR
Technology. We also noted that, over time, we anticipate adding
features to the Web site, which could include interactive functions to
help eligible professionals and eligible hospitals determine whether a
particular combination of certified EHR Modules could potentially
qualify as Certified EHR Technology.
Comments. Many commenters expressed support for our decision to
create a list of certified Complete EHRs and EHR Modules and to post a
link to that list on our Web site. Many commenters also provided
recommendations for how to enhance the list. One commenter endorsed an
online system whereby physicians could type in or select information on
the Complete EHR or EHR Module they planned on using to determine
whether their selected combination would enable them to meet the CMS
Medicare and Medicaid EHR Incentive Programs requirements. The
commenter reasoned that the steps were necessary because eligible
professionals, especially in smaller practices, did not have the
technical expertise or support to ascertain whether or not a Complete
EHR, EHR upgrades, EHR Module(s), or a combination of EHR Modules would
enable them to perform the meaningful use requirements. Another
commenter requested an explicit commitment from ONC that the use of
certified Complete EHRs and/or EHR Modules on the CHPL will support
their ability to report all required meaningful use measures.
Some commenters expressed a preference that the CHPL contain
information on the capabilities of certified Complete EHRs and EHR
Modules associated with adopted certification criteria. Other
commenters requested that the CHPL contain information on whether
certified Complete EHRs or EHR Modules are compatible with other types
of HIT. In particular, commenters stated that it was important to
eligible professionals and eligible hospitals for Complete EHR and EHR
Module developers to fully disclose the functions for which their
products are certified, which software components are necessary to meet
certification criteria, and to also fully disclose any compatibility
issues. A few commenters also suggested that the CHPL contain data on
usability features of certified Complete EHRs and EHR Modules.
One commenter recommended that ONC and each ONC-ACB maintain a list
of certified Complete EHRs and EHR Modules. Another commenter
recommended that, in order to prevent the conveyance of potentially
inaccurate information and confusion in the market, an ONC-ACB should
not maintain on its own Web site a current list of the Complete EHRs
and/or EHR Modules that it has certified, but instead reference the
CHPL on ONC's Web site for the complete list of certified Complete EHRs
and EHR Modules.
Response. We appreciate the commenters' support for the CHPL and
their recommendations for its enhancement. As previously explained in
the Temporary Certification Program final rule, we intend for the CHPL
to be a single, aggregate source of all certified Complete EHRs and EHR
Modules reported by ONC-ACBs to the National Coordinator. The CHPL will
include all of the certified Complete EHRs and EHR Modules that could
be used to meet the definition of Certified EHR Technology. It will
also include the other pertinent information we require ONC-ACBs to
report to the National Coordinator, such as a certified Complete EHR's
version number. Eligible professionals and eligible hospitals that
elect to use a combination of certified EHR Modules may also use the
CHPL webpage to validate whether the EHR Modules they have selected
satisfy all of the applicable certification criteria that are necessary
to meet the definition of Certified EHR Technology. The CHPL webpage
will include a unique identifier (e.g., an alphanumeric
[[Page 1278]]
identifier) for each certified Complete EHR and each combination of
certified EHR Modules that meets the definition of Certified EHR
Technology. The unique identifier provided by the CHPL webpage could
subsequently be used to submit to CMS for attestation purposes.
Consistent with the temporary certification program, we believe
that only ONC should maintain the CHPL to ensure that the CHPL is
accurate and comprehensive. However, we do not believe that it is
appropriate to preclude an ONC-ACB from maintaining on its own Web site
a list of Complete EHRs and/or EHR Modules that it certified. An ONC-
ACB's own list could have benefits for the market in identifying the
specific ONC-ACB that certified a Complete EHR or EHR Module. The ONC-
ACB may also create a link on its Web site to the CHPL, which
conceivably would be a user-friendly feature.
d. Records Retention
We proposed in Sec. 170.523(g) to require an ONC-ACB to retain all
records related to the certification of Complete EHRs and/or EHR
Modules for a minimum of 5 years.
Comments. Commenters recommended that our records retention
requirement be consistent with CMS's requirement for eligible
professionals and eligible hospitals who seek to qualify for Medicare
or Medicaid incentive payments for meaningful use, plus an additional
two years to ensure that records are available during an audit process.
Response. As stated in the Proposed Rule, the record retention
requirement is based on our consultations with NIST regarding standard
industry practice. As also stated in the Proposed Rule, the purpose of
our records retention requirement is twofold. An ONC-ACB's records
would be directly relevant to a determination by the National
Coordinator that the ONC-ACB committed a Type-2 violation and/or to
revoke the ONC-ACB's status. Second, ONC-ACBs' certification records
will likely be necessary for ONC-ACBs to conduct surveillance under the
permanent certification program. In addition to the records retention
requirement of Sec. 170.523(g), ONC-ACBs are expected to retain
records consistent with the terms of their accreditation, which will
include the requirements of Guide 65. Lastly, our records retention
requirement should be construed as an independent requirement and is
not intended to replace or supplant any other requirements imposed by
law or otherwise agreed to by ONC-ACBs. Accordingly, we will, as
proposed, require ONC-ACBs to retain all records related to the
certification of Complete EHRs and/or EHR Modules for a minimum of 5
years.
e. NVLAP-Accredited Testing Laboratory
In the Proposed Rule, we proposed to separate the responsibilities
for testing and certification in the permanent certification program.
We proposed that the National Coordinator's authorization granted to
ONC-ACBs under the permanent certification program would not extend to
the testing of Complete EHRs or EHR Modules. Instead, we proposed that
the National Voluntary Laboratory Accreditation Program (NVLAP), as
administered by NIST, would be responsible for accrediting testing
laboratories and determining their competency. In this role, NVLAP
would be solely responsible for overseeing accreditation activities
related to testing laboratories for purposes of the permanent
certification program. We mentioned NVLAP's experience with developing
specific laboratory accreditation programs (LAPs) for testing and
calibration laboratories in response to legislative or administrative
actions, requests from government agencies or, in special
circumstances, from private sector entities. We proposed that the
National Coordinator would decide whether to issue a request to NVLAP
to develop a LAP for testing laboratories after considering public
comments on our proposals for the permanent certification program. To
ensure that ONC-ACBs review test results from legitimate and competent
testing laboratories, we further proposed in Sec. 170.523(h) to
require ONC-ACBs to only certify HIT, including Complete EHRs and/or
EHR Modules, that has been tested by a NVLAP-accredited testing
laboratory.
We received a number of comments on these proposals and have
divided them into two categories: Separation of testing and
certification; and accreditation, test tools and test procedures, and
ONC-ACBs' permitted reliance on certain test results.
i. Separation of Testing and Certification
Comments. Commenters expressed general support for our proposal to
establish a permanent certification program that includes the use of
independent, accredited testing laboratories. Commenters stated that
the separation of the testing and certification processes will provide
more transparency and result in a more rigorous permanent certification
program. Conversely, a few commenters were not certain that separation
or an accredited testing process were even necessary. One of these
commenters was concerned that separation would lead to increased costs,
particularly for self-developers that will require on-site testing and
certification. Another commenter was concerned that separation, if not
managed properly, could unintentionally result in confusion and delay
the certification of HIT products. Although a commenter assumed that
HIT products will be tested before they are certified, the commenter
noted that we did not clearly delineate the order of testing and
certification in the Proposed Rule.
Response. We appreciate the comments of support for our proposal to
separate the testing process from the certification process in the
permanent certification program. We believe that the separation of
testing laboratories and certification bodies is appropriate because it
will result in a more transparent and demanding permanent certification
program, as the commenters noted. We also believe these program
qualities will be enhanced by the use of specialized accreditation
organizations from the private sector to accredit the certification
bodies that ultimately will become ONC-ACBs. As discussed in the
Proposed Rule, these accreditation organizations will be better
equipped than ONC to react effectively and efficiently to changes in
the HIT market and rigorously oversee the certification bodies they
accredit. Additionally, as noted in the Proposed Rule, we have observed
in other industries, such as the manufacturing of water-conserving
products, that testing and certification processes are typically
handled independently and separately.
We expect that the separation of testing and certification will be
managed properly by accredited testing laboratories and ONC-ACBs,
respectively, and will not lead to undue delays or confusion. If
necessary, we may issue program guidance at some point in the future in
order to address questions or confusion about the elements and
processes of the permanent certification program as well as the
eventual transition from testing and certification under the temporary
certification program. As for possible delays, we believe that any
customer and/or product could experience delays under a testing and
certification program for various reasons, but we do not anticipate any
undue delays that would be specifically attributable to the separation
of testing and certification under the permanent certification program.
We expect that the ONC-ACBs
[[Page 1279]]
and accredited testing laboratories, having achieved accreditation,
will have the ability to manage requests for certification and testing,
respectively, in a timely manner. We also expect that these bodies will
be able to answer questions about requests for certification and/or
testing, as applicable, and provide other guidance to HIT developers
based on the training and instruction they receive from ONC and NVLAP.
We appreciate the commenter's concern about the potential costs of
testing and certification. The commenter seems to suggest that the
costs associated with the testing and certification of Complete EHRs
and EHR Modules will be higher because of the separation of the testing
and certification processes, particularly for self-developers. We agree
that the costs to Complete EHR and EHR Module developers could
potentially increase due to the separation of the testing and
certification processes, but we believe that any potential increases
will not be prohibitive for developers. Our Regulatory Impact Analysis
(RIA) in both the Proposed Rule and this final rule accounts for
potential cost increases due to the separation of the testing and
certification processes. The RIA states that our estimated costs for
the testing and certification of Complete EHRs and EHR Modules under
the permanent certification program include the costs of separate
testing and certification as well as on-site testing and certification.
We have provided a range for the potential costs of testing and
certification under the permanent certification program. We did not
receive any comments demonstrating that the costs associated with
testing and certification will be higher than our estimates in the
Proposed Rule because of the separation of the testing and
certification processes. In addition, the actual costs of testing and
certification may be lower than our estimates due to factors such as
competitive pricing and/or lower costs attributable to gap
certification. We further discuss the processes and costs associated
with gap certification in section P. Differential or Gap Certification
and in the RIA. Lastly, we note that ONC-ACBs may also become
accredited testing laboratories under the permanent certification
program, which may result in costs savings for developers that choose
to have their Complete EHR and/or EHR Module tested and certified by
the same organization.
The commenter correctly assumed that Complete EHRs and EHR Modules
must first be tested before they can be certified under the permanent
certification program. As we discussed in the Proposed Rule and this
final rule, the concept of ``certification'' requires an ONC-ACB to
analyze the quantitative results of testing and subsequently assess
whether a Complete EHR or EHR Module has met all of the applicable
certification criteria adopted by the Secretary. The chronological
order of testing and certification is also addressed in Sec.
170.523(h), which requires an ONC-ACB to only certify HIT that has been
tested in accordance with the provisions of that section. For these
reasons, it would be impracticable for a Complete EHR or EHR Module to
be certified by an ONC-ACB before it undergoes testing.
ii. Accreditation, Test Tools and Test Procedures, and ONC-ACBs'
Permitted Reliance on Certain Test Results
Comments. Commenters generally requested more information about the
accreditation of testing laboratories under the permanent certification
program. One commenter asked whether NVLAP will develop a specific
field of accreditation for EHR technology and whether it will provide
an application for entities interested in becoming an accredited
testing laboratory. Another commenter supported our proposal to ask
NVLAP to develop a LAP and requested that the LAP be designed
specifically for Complete EHR and EHR Module testing. Commenters
requested that we provide detailed information explaining how ONC and
NIST will coordinate efforts to ensure that the accredited testing
laboratories overseen by NVLAP are established within a timeframe that
is consistent with ONC's efforts to authorize certification bodies. The
commenters also requested information explaining how it will be
determined whether testing laboratories have sufficient technical
expertise and capacity to support the demand for testing in a timely
manner. Many commenters recommended that testing laboratories be
required to offer remote and on-site testing. Additionally, a commenter
requested guidance as to how an ONC-ACB would know that a testing
organization is NVLAP-accredited and suggested listing NVLAP-accredited
testing laboratories on ONC's Web site as a reasonable solution.
Response. As discussed in the Proposed Rule, section 3001(c)(5) of
the PHSA authorizes the National Coordinator, in consultation with the
Director of NIST, to establish a program or programs for the voluntary
certification of HIT, and such program(s) ``shall include, as
appropriate, testing of the technology in accordance with section
13201(b) of the [HITECH] Act.'' Section 13201(b) of the HITECH Act
provides that the Director of NIST, in coordination with the HIT
Standards Committee, ``shall support the establishment of a conformance
testing infrastructure * * *, '' the development of which ``may include
a program to accredit independent, non-Federal laboratories to perform
testing.'' Consistent with this statutory authority, we are finalizing
our proposal that NVLAP, as administered by NIST, will be responsible
for establishing and managing a program for the accreditation of
laboratories to perform HIT testing under the permanent certification
program.
As noted in the Proposed Rule, we are confident that NVLAP has the
necessary scientific staff with specialized technical capabilities to
develop an accreditation program for the testing of HIT. NVLAP has been
responsible for developing a biometrics LAP for the Department of
Homeland Security, a program to accredit laboratories for conducting
security evaluations for the National Security Agency, a program to
accredit laboratories to test hardware and software for voting systems,
as well as many other programs for accrediting testing laboratories in
response to Federal agencies' requests. Additionally, NIST scientific
staff has exhibited their expertise with HIT by developing the test
tools and test procedures for the temporary certification program.
Based on our discussions with NIST, these experts will also be involved
in developing the LAP for the permanent certification program. Given
the demonstrated scope of NVLAP's and NIST's technical expertise, the
National Coordinator will request that NVLAP develop a LAP specifically
for HIT and the permanent certification program. The National
Coordinator anticipates that the LAP will align with the programmatic
goals of the permanent certification program, including the program's
current focus on EHR technology.
We are currently working closely with NIST to achieve programmatic
objectives related to the testing of Complete EHRs and EHR Modules
under the temporary certification program. We expect this close
relationship and degree of coordination will extend into the permanent
certification program as the HIT LAP is developed. To further align our
efforts with NIST, we are issuing this final rule a year in advance of
the anticipated sunset of the temporary certification program and the
start of testing and certification under the permanent certification
program. During this period
[[Page 1280]]
of time, we expect NVLAP will develop the HIT LAP for the permanent
certification program after receiving the National Coordinator's
request and will subsequently begin the accreditation of testing
laboratories. We also expect to complete the process of approving the
ONC-AA during this timeframe, which will enable certification bodies to
attempt to become accredited and apply for ONC-ACB status.
We anticipate that NVLAP, based on their aforementioned experience
in developing other LAPs, will develop a LAP for the permanent
certification program that will ensure accredited testing laboratories
have the necessary technical expertise and the capacity to support
market demand. We also anticipate that NVLAP will take into account
current HIT industry testing practices and market demands, such as the
use of remote testing and the need for on-site testing in some
instances, when developing the LAP for accrediting testing
laboratories. Even if the LAP developed by NVLAP does not expressly
address remote and/or on-site testing, we expect accredited testing
laboratories would offer such testing options if there was market
demand. Lastly, as the commenter recommended, we expect to coordinate
efforts with NIST and NVLAP to ensure that the public is made aware of
NVLAP-accredited testing laboratories by listing them on our respective
Web sites and identifying them through other appropriate means.
Comments. Commenters requested more specificity about the
development and implementation of test tools, test procedures, and test
scripts. Commenters requested clarity as to whether NIST, the
accredited testing laboratories, or another entity would be responsible
for developing the test tools and test procedures. One commenter stated
that if NIST would be responsible, then NIST should provide information
on how it will address the testing of open source Complete EHRs and EHR
Modules. Some commenters recommended that a collaborative process be
used in the development and implementation of test tools and test
procedures. A commenter suggested that we create an advisory body for
the development of test tools and test procedures, while other
commenters suggested that consultations with Standards Development
Organizations (SDOs) should be a requirement. One commenter recommended
the use of the EHR System Functional Model (EHR-S FM). Alternatively,
most commenters simply requested an open, transparent and industry
consensus-based approach to developing and implementing test methods
that allows for a user-friendly feedback process. Another commenter
requested that we ensure that states be prohibited from requiring
separate and additional testing processes.
Response. We can assure commenters that, as with the temporary
certification program, only test tools and test procedures that have
been approved by the National Coordinator can be used to test Complete
EHRs, EHR Modules and potentially other types of HIT in order for them
to be eligible for certification by an ONC-ACB under the permanent
certification program. This requirement is imposed on ONC-ACBs under
Sec. 170.523(h). We believe by having the National Coordinator approve
test tools and test procedures, we will ensure the best test tools and
test procedures are utilized. We also believe the National
Coordinator's approval will instill greater certainty and confidence in
developers and users of Complete EHRs, EHR Modules and other types of
HIT. Lastly, we believe that by having the National Coordinator approve
the test tools and test procedures for the permanent certification
program, we can provide greater consistency in the testing of Complete
EHRs, EHR Modules and potentially other types of HIT.
In the Temporary Certification Program final rule, we adopted a
process for approving test tools and test procedures, and we intend to
use this same process for the permanent certification program. For the
permanent certification program, a person or entity may submit a test
tool and/or test procedure to the National Coordinator to be considered
for approval to be used by NVLAP-accredited testing laboratories. The
submission should identify the developer of the test tool and/or test
procedure; specify the certification criterion or criteria that is/are
addressed by the test tool and/or test procedure; and explain how the
test tool and/or test procedure would evaluate a Complete EHR's, EHR
Module's, or if applicable, other type of HIT's compliance with the
applicable certification criterion or criteria. The submission should
also provide information describing the process used to develop the
test tool and/or test procedure, including any opportunity for the
public to comment on the test tool and/or test procedure and the degree
to which public comments were considered. In determining whether to
approve a test tool and/or test procedure for purposes of the permanent
certification program, the National Coordinator will consider whether
it is clearly traceable to a certification criterion or criteria
adopted by the Secretary; whether it is sufficiently comprehensive
(i.e., assesses all required capabilities) for NVLAP-accredited testing
laboratories to use in testing a Complete EHR's, EHR Module's, or other
type of HIT's compliance with the certification criterion or criteria
adopted by the Secretary; whether an appropriate public comment process
was used during the development of the test tool and/or test procedure;
and any other relevant factors. When the National Coordinator has
approved test tools and/or test procedures for purposes of the
permanent certification program, we will publish a notice of
availability in the Federal Register and identify the approved test
tools and test procedures on the ONC Web site.
Once test tools and test procedures have been approved by the
National Coordinator, we expect NVLAP-accredited testing laboratories
will have some degree of responsibility and flexibility to configure
their own test scripts (i.e., specific scenarios using the approved
test tools and test procedures). This could involve, for example, the
creation of a testing sequence that a NVLAP-accredited testing
laboratory believes is the most efficient way to test a certain suite
of capabilities. Of course, this responsibility and flexibility may be
constrained by the accreditation requirements applicable to the NVLAP-
accredited testing laboratories. Given the level and types of
adjustments that have been made by ONC-ATCBs for the temporary
certification program, we do not believe that it will be possible for
NVLAP-accredited testing laboratories to include significant variations
in their test scripts such that a Complete EHR or EHR Module will pass
a test administered by one laboratory but fail a test administered by a
different laboratory.
Based on our stated approach to the development of test tools and
test procedures under the permanent certification program, we do not
believe that an advisory board will be necessary for the development of
test tools and test procedures. In deciding whether to approve specific
test tools and test procedures, the National Coordinator will consider
whether public feedback was a part of the process for developing those
tools and procedures. Although public feedback could take many
different forms, we expect it might potentially include some or all of
the methods that were mentioned by the commenters (e.g., transparent
processes, collaborative and HIT industry consensus-based approaches,
consultations with SDOs, and/or utilization of EHR-S FM). In response
to commenters' questions about NIST's
[[Page 1281]]
role in the development of test tools and test procedures, we
anticipate that many of the test tools and test procedures that were
developed by NIST and approved for the temporary certification program
will likely be applicable to and may be approved for use in performing
testing under the permanent certification program, particularly if the
adopted certification criteria have not been revised when testing
begins under the permanent certification program. As for the future
development of test tools and test procedures, we expect to continue to
consult with NIST in the development of test tools and test procedures
as needed for the testing of HIT to new and/or revised certification
criteria adopted by the Secretary. In addition, as previously
discussed, any person or entity may submit test tools and test
procedures for the National Coordinator's consideration for use in the
permanent certification program. We expect that open source Complete
EHRs and EHR Modules will be tested in the same manner as proprietary
Complete EHRs and EHR Modules because we intend for them to be
certified in the same manner as proprietary Complete EHRs and EHR
Modules. Lastly, we are not familiar with State law requirements that
may be applicable to testing laboratories and thus are unable to
provide a fully informed response to the commenter's suggestion.
Comments. Commenters recommended that only one accreditor be
permitted to accredit testing laboratories in order to ensure
consistency in the accreditation process. Multiple commenters supported
the recognition of NVLAP as the accreditor, pointing out that NVLAP is
an internationally recognized testing laboratory accreditation program,
while other commenters objected to the use of NVLAP as the sole
accreditor. The commenters stated that there are at least 4 laboratory
accreditation bodies in the United States that are considered
equivalent to NVLAP under the International Laboratory Accreditation
Cooperation (ILAC) Mutual Recognition Arrangement (MRA). The commenters
asserted that, as a signatory to the ILAC MRA, NVLAP is obligated to
promote the acceptance of other signatories' accreditations as being
equivalent to their own. Further, the commenters recommended that the
current proposal for ONC-ACBs to certify only HIT that has been tested
by a NVLAP-accredited testing laboratory should be rescinded and
replaced with a principle of proper conduct that allows ONC-ACBs to
certify HIT that has been tested by testing laboratories accredited by
any ILAC MRA signatory. Possibly as an alternative approach, one of
these commenters suggested that NVLAP could validate and acknowledge
the other accreditations by ILAC MRA signatories and thereby authorize
those accredited testing laboratories to conduct the testing of
Complete EHRs and/or EHR Modules under the permanent certification
program. The commenter asserted that such an approach would be
consistent with the ILAC MRA.
Response. We strongly believe, as supported by the commenters, that
consistency in accreditation will be an important element of the
permanent certification program. We have already demonstrated our
commitment to such consistency by concluding that there should be only
one ONC-AA at a time. Similarly, we believe that there should be only
one accreditor for testing laboratories under the permanent
certification program. We believe NVLAP is the best qualified
accreditation organization to fill the role of the sole accreditor for
testing laboratories based on the reasons we articulated above in
support of our decision to ask NVLAP to develop a HIT LAP for the
permanent certification program.
We disagree with the commenters' suggestion that ONC-ACBs should be
allowed to rely on testing results from laboratories that have been
accredited by any signatory to the ILAC MRA. Although commenters stated
that other accreditation bodies are considered to be equivalent to
NVLAP based on the ILAC MRA, we are unable to independently verify this
assertion and thus cannot rely on it for purposes of assessing the
competence of other accreditation bodies. More importantly, as
previously discussed, the use of multiple accreditation bodies may
undermine our programmatic goal of ensuring consistency in
accreditation. Further, considering that the National Coordinator
intends to ask NVLAP to develop a HIT LAP, requiring ONC-ACBs to use
test results from NVLAP-accredited testing laboratories will ensure
accreditation is performed according to a LAP that the National
Coordinator believes is appropriate for the permanent certification
program. As for the commenter's suggestion that NVLAP could validate
and acknowledge the accreditations of testing laboratories by ILAC MRA
signatories, we believe such a decision would be within the purview of
NVLAP. Under Sec. 170.523(h), ONC-ACBs are only permitted to certify
HIT that was tested by a NVLAP-accredited testing laboratory or, in
certain circumstances, by an ONC-ATCB. For purposes of that section, a
testing laboratory must be accredited by NVLAP in accordance with the
HIT LAP that the National Coordinator will ask NVLAP to develop. NVLAP
could decide to pursue the approach of validating or acknowledging the
testing laboratory accreditations of ILAC MRA signatories. In order for
an ONC-ACB to certify HIT that was tested by one of those testing
laboratories, however, the testing laboratory must also receive a
separate accreditation from NVLAP.
Consistent with this discussion, we are revising Sec. 170.523(h)
to state that an ONC-ACB may only certify HIT, including Complete EHRs
and/or EHR Modules, that has been tested by a NVLAP-accredited testing
laboratory using test tools and test procedures that have been approved
by the National Coordinator. We are also revising Sec. 170.523(h) to
allow ONC-ACBs, under certain circumstances, to rely on testing that
has been performed by ONC-ATCBs, which must also have been done using
test tools and test procedures that have been approved by the National
Coordinator. The circumstances when an ONC-ACB may rely on testing
performed by an ONC-ATCB are more fully discussed under sections O.
Validity of Complete EHR and EHR Module Certification and Expiration of
Certified Status and P. Differential or Gap Certification of this
preamble.
f. Surveillance
We proposed that ONC-ACBs would be required to conduct surveillance
of Complete EHRs and/or EHR Modules that they had previously certified.
As part of its surveillance efforts, we proposed in Sec. 170.523(i) to
require an ONC-ACB to submit an annual surveillance plan to the
National Coordinator and annually report to the National Coordinator
its surveillance results. Noting that ONC-ACBs will be accredited to
the requirements of Guide 65 at a minimum, we stated that we expect
ONC-ACBs to perform surveillance in accordance with Guide 65 at a
minimum, which in section 13 provides that the ``certification body [or
`ONC-ACB'] shall periodically evaluate the marked [or `certified']
products to confirm that they continue to conform to the [adopted]
standards.'' We further clarified that this would require ONC-ACBs to
evaluate and reevaluate previously certified Complete EHRs and/or EHR
Modules to determine whether the Complete EHRs and/or EHR Modules they
had certified in a controlled environment also performed in an
acceptable, if not the same, manner in the field.
[[Page 1282]]
We proposed that the ONC-AA must have processes in place to ensure
that the certification bodies it accredits properly conduct
surveillance. In this regard, we stated that ONC-ACBs should be given
the flexibility to conduct surveillance in accordance with their
accreditation. We acknowledged that the HIT industry could potentially
benefit from the development of common elements of surveillance and
requested comments on what those elements should include as well as
specific approaches to surveillance that have been successful in other
industries and should be replicated for HIT. We indicated that we
expected to issue annual guidance for ONC-ACBs identifying ONC's
priorities regarding certain elements of surveillance that could be
considered for inclusion in their surveillance plans.
We noted that we expected to use the results of ONC-ACB
surveillance as feedback on the operations of the permanent
certification program and to make information publicly available
regarding the implementation and performance of Complete EHRs and EHR
Modules in the field. We further noted that surveillance results could
also be used by prospective purchasers of Complete EHRs and/or EHR
Modules as a tool for evaluating specific products. We emphasized that
surveillance results obtained by ONC-ACBs and reported to the National
Coordinator would not immediately affect a Complete EHR or EHR Module's
certification. We stated that, if after an ONC-ACB reevaluated a
Complete EHR it had previously certified and reported that the Complete
EHR no longer met a certification criterion or criteria because, for
example, an individual had taken actions to alter a capability provided
by the Complete EHR such that it no longer performed according to its
original design or improperly installed the Complete EHR, such a result
would not automatically invalidate the Complete EHR's certification. We
also stated that we would expect ONC-ACBs upon the identification of a
pattern of poorly performing previously certified Complete EHRs and/or
EHR Modules to determine whether they had properly certified the
Complete EHR or EHR Module in the past. Further, we requested public
comment on whether the National Coordinator should consider taking
proactive steps to protect purchasers of Complete EHRs and/or EHRs
Modules through actions such as ``de-certifying'' Complete EHRs and/or
EHR Modules if a pattern of unsatisfactory surveillance results emerges
and the ONC-ACB has not taken any measures to evaluate the poor
performance.
Comments. We received many comments related to surveillance with
commenters supporting the concept of surveillance as well as offering
recommendations for the focus/elements of surveillance plans. An
overarching theme expressed in the comments was that surveillance
conducted by ONC-ACBs under the permanent certification program should
have uniform and consistent elements. Commenters expressed various
opinions about the focus/elements of surveillance plans. One commenter
noted that Guide 65, Section 13 does not specifically identify post-
market surveillance of products that are being used by purchasers. This
commenter also mentioned that Guide 65 is currently under review by ISO
and requested clarification as to how the National Coordinator would
address any changes to Guide 65. Another commenter expressed a concern
that the term ``surveillance'' might be associated with FDA post-market
activities of drugs and devices, which would suggest that surveillance
involves the reporting of only adverse events. Therefore, the commenter
suggested using the term ``monitoring'' to describe the surveillance
process because the commenter asserted that ``monitoring'' better
conveys the process of assessing the performance, and encouraging the
adoption of, Certified EHR Technology. A commenter expressed concerns
about surveillance from a practical perspective and gave the example
that the surveillance of MRI or CT devices for radiation doses is of a
different scope than overseeing the functionality of Certified EHR
Technology. The commenter further asserted that, for clinical systems,
it will be important that any type of surveillance activity to measure
system safety not become overly prescriptive or stringent. Another
commenter requested clarification of whether surveillance would be
limited to the certified Complete EHR or EHR Module or extend to
include the end user's use of the Complete EHR and EHR Module,
including the assembly of certified EHR Modules into Certified EHR
Technology.
Multiple commenters asserted that surveillance should focus only on
adopted certification criteria and whether certified products meet the
criteria in operation. Consistent with this position, commenters
suggested that surveillance plans should contain elements such as
testing whether certified Complete EHRs and EHR Modules are performing
in ``live'' environments as certified, ensuring that Complete EHR and
EHR developers ``label'' certified Complete EHRs and EHR Modules
according to their certifications, and monitoring that the versions of
Complete EHRs and EHR Modules that are being used are certified
versions. Some commenters suggested that surveillance could assess
patient and/or provider satisfaction. More specifically, commenters
suggested that surveillance could attempt to assess eligible
professionals' and eligible hospitals' success in achieving meaningful
use with the certified Complete EHRs and EHR Modules. However, many
commenters recognized that surveillance of concepts such as
satisfaction and success would implicate additional variables, such as
training and implementation, as well as other factors such as
subjective observations.
Response. Our proposed approach to surveillance was based on the
concept that eligible professionals and eligible hospitals must be able
to rely on the certifications that are issued by ONC-ACBs. ONC-ACBs
have a responsibility to ensure that the certifications they issue
serve as an indication of a Complete EHR and/or EHR Module's
capabilities and compliance with the certification criteria adopted by
the Secretary. We expect ONC-ACBs, consistent with their accreditation
and Guide 65, to conduct surveillance of the Complete EHRs and/or EHR
Modules they have previously certified. An ONC-ACB would focus its
surveillance activities on whether the Complete EHRs and/or EHR Modules
it has certified continue to perform ``in the field'' or in a ``live''
environment as they did when they were certified. Many commenters
understood this to be the scope of our proposal and agreed with this
approach. Other commenters, however, suggested that we consider other
aspects of performance that are less directly related to whether a
previously certified Complete EHR or EHR Module continues to perform in
a manner consistent with its certification (e.g., the assessment of a
provider's success in achieving meaningful use). While we appreciate
these additional suggestions, we do not believe that they are
appropriate to include as requirements for ONC-ACBs in this final rule
because they would not accomplish our stated objective for
surveillance, namely, to confirm that previously certified Complete
EHRs and EHR Modules continue to perform ``in the field'' or in a
``live'' environment as they did when they were certified.
We believe the term ``surveillance'' was readily understood by
commenters
[[Page 1283]]
and is a more appropriate term to use than ``monitoring'' as suggested
by a commenter. As discussed here and noted in the Proposed Rule, we
anticipate surveillance will involve the assessment of whether
certified Complete EHRs and EHR Modules are continuing to function as
intended when they are in operational settings (i.e., ``in the field''
or in a ``live'' environment). We noted in the Proposed Rule that if a
certified Complete EHR or EHR Module was not functioning in a manner
consistent with its certification, we would expect the ONC-ACB to
identify the reason(s) the Complete EHR or EHR Module was not
functioning properly. We expect surveillance results will indicate the
reason(s) behind a Complete EHR or EHR Module's failure to function
properly, such as an implementation error, a misapplication by a user,
or other factors.
To further illustrate our expectations for surveillance, we offer
the following examples based on the capabilities included in three
certification criteria. When ONC-ACBs perform surveillance, we would
expect them to verify that a certified Complete EHR or, if applicable,
a certified EHR Module properly performs drug-drug, drug-allergy
interaction checks in accordance with Sec. 170.302(a) in an
operational setting. This could include, for example, the use of
scenarios or test data to determine whether the certified Complete EHR
or EHR Module correctly generates automatic notifications of
contraindications. If the certified Complete EHR or EHR Module does not
correctly generate automatic notifications, we would expect the ONC-ACB
to identify the cause of this problem, to the extent that the ONC-ACB
is reasonably able to do so. The ONC-ACB might find, for example, that
the notifications were turned off by a user or technician, or that the
Complete EHR or EHR Module was improperly installed. As a similar
example using the capabilities required by Sec. Sec. 170.304(e)(2) and
170.306(c)(2), a certified Complete EHR or, if applicable, a certified
EHR Module must correctly generate (based on the clinical decision
support rules it includes) an automatic notification when a scenario or
test data would cause such a notification to be triggered. If the
certified Complete EHR or EHR Module does not correctly generate an
automatic notification, we would expect the ONC-ACB to identify and the
surveillance results to reflect the reason(s) why this failed to occur.
As a final example, we would expect an ONC-ACB performing surveillance
to verify whether a certified Complete EHR or, if applicable, a
certified EHR Module correctly generates patient reminder lists as
required by Sec. 170.304(d). If patient reminder lists are not
correctly generated in an operational setting, then as with the
preceding examples, we would expect the ONC-ACB to determine why the
patient reminder lists are not being correctly generated to the extent
it is reasonably able to do so. We believe these examples should
clarify for commenters the extent to which ONC-ACBs will be expected to
assess as part of surveillance an end user's use of Certified EHR
Technology and the ``assembly'' of Certified EHR Technology.
We appreciate the broad range of responses and opinions from
commenters who suggested possible areas or topics that surveillance
could address. As we indicated in the Proposed Rule, we anticipate that
we will issue guidance on an annual basis in order to identify specific
elements of surveillance that we consider to be a priority. For
example, the guidance could specify as a priority specific capabilities
required by an adopted certification criterion (e.g., electronic
prescribing) or categories of capabilities required by adopted
certification criteria (e.g. ``safety-related'' capabilities, which
could include computerized provider order entry (CPOE); clinical
decision support (CDS); drug-drug, drug-allergy interaction checks;
electronic prescribing; and other similar capabilities required by
adopted certification criteria). The purpose of this guidance will be
to assist ONC-ACBs as they develop their annual surveillance plans by
providing them with information on topics that could be addressed in
those plans. It will also convey information to other industry
stakeholders, such as HIT developers and users, regarding ONC's
priorities for surveillance. We presume that this guidance could
include topics that would be consistent from year to year, but that it
might also include specific focus areas in certain cases, such as when
a new certification criterion has been adopted that we believe is
important to assess. In developing any future guidance regarding
surveillance, we will consider the comments received in the course of
this rulemaking, and we expect that the input provided by commenters
will prospectively inform our thinking on this topic.
In response to our surveillance proposals, a commenter indicated
that Guide 65 does not explicitly call for post-market surveillance.
While the words ``post-market surveillance'' are not expressly included
in Guide 65, we interpret Section 13.4 to include this concept when it
states that certification bodies ``shall periodically evaluate the
marked products to confirm that they continue to conform to the
standards.'' With respect to the comment regarding potential revisions
to Guide 65, if such revisions were to occur and be finalized, the
National Coordinator would evaluate the revised version in the context
of the permanent certification program and determine what action to
take based on that evaluation.
Comments. Commenters recommended that surveillance be consistent
among ONC-ACBs and be conducted using reliable assessment measures that
will produce valid and objective results. To ensure consistency,
multiple commenters recommended a centralized approach to surveillance
with one commenter recommending that the ONC-AA be responsible for
ensuring a consistent approach to surveillance among the ONC-ACBs it
accredits. Commenters suggested various methods for conducting
surveillance, but generally agreed that the methods should meet
scientific and industry best practices regarding sampling, statistical
significance, independence and transparency of evaluation. One
commenter suggested conducting surveys of Complete EHR and EHR Module
purchasers. Another commenter recommended that surveillance be
conducted through actual inspection and/or testing, rather than through
a passive form of review. Some commenters contended that surveillance
must be conducted at more than one individual site to ensure a
statistically valid sample. To obtain a valid sample, commenters
recommended using a representative sample, such as a percentage of a
Complete EHR or EHR Module developer's customer base or an assessment
based on no less than five customer sites. A few commenters suggested
that intervals of surveillance be clearly specified.
Response. Although we stated in the Proposed Rule that ONC-ACBs
should have flexibility in developing their approaches to surveillance,
we strongly agree with the commenters that there should be consistency
among these surveillance approaches and that surveillance should be
conducted through methods that meet scientific and industry best
practices regarding sampling, statistical significance, independence
and transparency of evaluation. To achieve a necessary degree of
consistency, we believe and agree with the commenter who suggested that
the ONC-AA should be responsible for ensuring that all of the
certification bodies it accredits will use
[[Page 1284]]
similar and comparable surveillance approaches. Therefore, we are
revising proposed paragraph (b)(2) of Sec. 170.503 to require an
accreditation organization that seeks to become the ONC-AA to submit a
detailed description of how its accreditation requirements will ensure
that the surveillance approaches employed by ONC-ACBs will include the
use of consistent, objective, valid, and reliable methods. We are also
revising paragraph (e)(2) of Sec. 170.503 to state that an ONC-AA
must, in accrediting certification bodies, not only verify conformance
to, at minimum, Guide 65, but also ensure that the surveillance
approaches across all of the certification bodies that it accredits
include the use of consistent, objective, valid, and reliable methods.
We believe that these parameters will still provide sufficient
flexibility for ONC-ACBs to develop their surveillance plans and
conduct surveillance, but also meet our programmatic goals and
addresses concerns expressed by commenters, such as ensuring that the
sampling mechanisms used by ONC-ACBs are appropriate and that one ONC-
ACB will not use appreciably more stringent surveillance methods than
another ONC-ACB.
Comments. A few commenters recommended that we should conduct and
make publicly available a study and/or analysis to evaluate the options
for surveillance, provide specific proposals for surveillance based on
the results, and obtain feedback from stakeholders through a process of
public notice and comment. Similarly, commenters asserted that if the
National Coordinator intends to specify the elements of surveillance
that will be required as part of ONC-ACBs' surveillance plans, then the
public should have an opportunity to comment on the specific elements.
A commenter requested that before ONC-ACBs are instructed to conduct
surveillance, ONC should provide additional information and an
opportunity for the industry to comment on ONC's positions,
particularly with respect to various questions raised by the commenter.
One commenter suggested that all ONC-ACB surveillance plans should be
subject to review and public comment to allow input from technology
vendors.
Response. We do not believe it is necessary at this time to conduct
a study or analysis of potential approaches to surveillance because, as
explained above, we have provided an approach to surveillance that we
believe is appropriate for the permanent certification program. We did
not intend to imply as some commenters may have interpreted that there
would be a formal opportunity for the public to comment on the
surveillance plans that will be submitted by ONC-ACBs or ONC's
recommendations on specific elements that could be addressed in those
plans. In order to apply for ONC-ACB status, a certification body first
must develop its surveillance approach in accordance with Guide 65 and
then seek accreditation by the ONC-AA. The ONC-AA in turn will
subsequently evaluate whether the certification body's proposed
approach to surveillance is consistent with Guide 65 in general and
more specifically with section 13 that addresses the concept of
surveillance. As we explained in the Proposed Rule, Guide 65
constitutes a minimum threshold that certification bodies will need to
meet in order to become accredited, and as such, the ONC-AA could
specify additional requirements for surveillance as part of its program
to accredit certification bodies. With respect to the annual
surveillance plans submitted to the National Coordinator, we expect
that these plans will be based on and consistent with the requirements
of an ONC-ACB's accreditation. As we mentioned in the Proposed Rule and
further discussed above, we expect to issue annual guidance to ONC-ACBs
to inform their understanding of topics or elements that may be
addressed in the surveillance plans. As we develop that guidance, we
will take into account the comments discussed above and may seek
additional input from the public if necessary, such as through the HIT
Policy Committee.
Comments. Commenters suggested that surveillance should include the
input of eligible professionals and eligible hospitals. These
commenters suggested that efficient feedback could be achieved either
through a feedback process incorporated into Certified EHR Technology
or by requiring a ``label'' on Complete EHRs and EHR Modules that
provides instructions for reporting complaints or concerns. One
commenter suggested such a ``complaint process'' could be patterned
after the Council for Affordable Quality Healthcare (CAQH's) Committee
on Operating Rules for Information Exchange (CORE) policies and
processes for documenting and correcting compliance violations. A
commenter also stated that, to ensure objectivity and eliminate bias,
Complete EHR and EHR Module developers should be prevented from
influencing evaluations.
Commenters suggested that the publication of surveillance results
would be a beneficial tool for eligible professionals and eligible
hospitals seeking to purchase Certified EHR Technology in an effort to
qualify for incentive payments under the Medicare and Medicaid EHR
Incentive Programs. Commenters expressed opinions, however, that
Complete EHR and EHR Module developers should have an opportunity to
respond to ``negative input'' before surveillance results are published
and that surveillance results should not be used to influence specific
purchasing decisions because this might implicate a conflict of
interest in the role of an ONC-ACB.
Response. In general, eligible professionals and eligible hospitals
should have the opportunity to provide feedback through a complaints
process established by Complete EHR and EHR Module developers. Guide
65, Section 15 instructs an ONC-ACB to ensure that the developers of
the HIT that it certifies have a process in place for receiving and
addressing complaints related to certified products. Section 15 also
requires that the HIT developers make complaint records available to
the ONC-ACB upon request. We anticipate that eligible professionals and
eligible hospitals may also have the opportunity to provide feedback
about the capabilities of the Complete EHRs and EHR Modules that they
possess in those cases where they are contacted by an ONC-ACB to
participate in surveillance.
Because an ONC-ACB's accreditation and credibility is at stake with
respect to the certifications it issues, we believe it will take the
proper steps to prevent EHR technology developers from inappropriately
influencing the outcomes of surveillance. However, we also expect that
through the procedures developed by ONC-ACBs for performing
surveillance, Complete EHR and EHR Module developers will be provided
an opportunity to give input to an ONC-ACB, where appropriate,
regarding the surveillance results obtained by the ONC-ACB prior to it
reporting such results to the National Coordinator. Therefore, we do
not expect it will be necessary to provide for any additional
opportunity for input from Complete EHR and EHR Module developers after
surveillance results have been submitted by an ONC-ACB to the National
Coordinator. Lastly, although we indicated in the Proposed Rule that we
expected to make the surveillance results that we receive from ONC-ACBs
publicly available, we have not yet determined whether or in what form
these results will be made available.
Comments. We received comments both supporting and opposing the
option for the National Coordinator to take proactive steps to protect
purchasers of certified technology (for
[[Page 1285]]
example, by ``decertifying'' the technology) if a pattern of
unsatisfactory surveillance results emerges and an ONC-ACB has not
taken any measures to evaluate the poor performance. Commenters
expressed support for the idea of ``decertification'' if a pattern of
unsatisfactory surveillance results emerged because it is important to
protect purchasers of Complete EHRs and/or EHRs Modules. Alternatively,
a commenter suggested that if the ONC-ACB in question does not take any
measures to evaluate the poor performance of a certified Complete EHR
or EHR Module, then the National Coordinator should have another ONC-
ACB conduct the evaluation or the National Coordinator should conduct
the evaluation before proceeding with decertification. Some commenters
stated that any form of decertification should be left to the
discretion of the ONC-ACBs. Other commenters asked us to explain how a
decertification process would be conducted and to provide an
opportunity for the public to comment on the process. Multiple
commenters recommended that we should consider the impact
decertification would have on eligible professionals and eligible
hospitals that are using the affected certified Complete EHR or EHR
Module to meet the requirements of the Medicare and Medicaid EHR
Incentive Programs.
Response. We appreciate the thoughtful comments that were submitted
on this matter, although we will not use this final rule to establish a
process for the decertification of Complete EHRs and/or EHR Modules.
After ONC-ACBs begin to conduct surveillance and submit the results to
the National Coordinator, we will have an opportunity to assess the
results and determine whether ONC-ACBs are taking appropriate action to
address any patterns of unsatisfactory results. If we determine that
unsatisfactory surveillance results are not being addressed, or if the
results indicate certified Complete EHRs or EHR Modules are adversely
affecting public health or safety or the programmatic goals of the
permanent certification program, we will consider what steps are
necessary to respond to the particular situation at issue at that time.
In taking any action, commenters can be assured that the National
Coordinator will consider the impact on eligible professionals and
eligible hospitals who are using certified products to meet the
requirements of the Medicare and Medicaid EHR Incentive Programs. We
believe the potential consequences of failing to fulfill their
responsibilities, such as facing corrective action under the permanent
certification program or losing reputational standing and business in
the market, will sufficiently motivate the ONC-AA and the ONC-ACBs to
take the necessary actions to ensure surveillance plans are followed
and unsatisfactory surveillance results are properly addressed. We also
believe that the potential for surveillance results to be made publicly
available as we proposed will sufficiently motivate developers of
Complete EHRs and/or EHR Modules to improve their products and address
any shortcomings identified by the ONC-ACB surveillance process.
g. Refunds
We proposed in Sec. 170.523(j) to require an ONC-ACB to promptly
refund any and all fees received for certifications that will not be
completed.
Comments. Commenters requested that we clarify that refunds would
only be required where an ONC-ACB's conduct caused the certification to
be incomplete as opposed to the failure of a developer of Complete
EHRs, EHR Modules and/or other types of HIT to meet certification
requirements. One commenter contended that this provision should only
apply when an ONC-ACB has its accreditation status revoked. Another
commenter suggested that our proposed requirement for ONC-ACBs to
return funds should also apply to situations where developers are
required to recertify their products because of misconduct by an ONC-
ACB.
Response. We agree with the commenters that suggested our proposed
refund requirement needs clarification. As advocated by the commenters
and as clarified for ONC-ATCBs in the Temporary Certification Program
final rule, it was our intention to require ONC-ACBs to issue refunds
only in situations where an ONC-ACB's conduct caused certification to
not be completed. We also agree with the one commenter that this would
include situations where a Complete EHR and/or EHR Module is required
to be recertified because of the conduct of an ONC-ACB. Similarly, if
an ONC-ACB were to be suspended by the National Coordinator under the
suspension provisions we have incorporated in this final rule, an ONC-
ACB would be required to refund all fees paid for certification if a
Complete EHR or EHR Module developer withdraws a request for
certification while the ONC-ACB is under suspension.
We are revising Sec. 170.523(j) consistent with our discussion
above.
h. Suggested New Principles of Proper Conduct
We received a few comments that suggested we should adopt
additional principles of proper conduct. These comments concerned the
impartiality and business practices of ONC-ACBs.
Comments. A commenter recommended that applicants for ONC-ACB
status should be required not to have an interest, stake and/or
conflict of interest in more than one entity receiving ONC-ACB status
nor have any conflict of interest with EHR product companies actively
promoting EHR products in the marketplace. Another commenter
recommended that we adopt a principle of proper conduct that requires
an ONC-ACB to establish, publish and adhere to a non-discriminatory
protocol to ensure that requests for certification are processed in a
timely manner beginning on the date the ONC-ACB sets for accepting
requests for certification. One commenter recommended that all requests
for certification be required to be processed within 6 months of
receipt by an ONC-ACB.
Response. Applicants for ONC-ACB status and ONC-ACBs must be
accredited, which requires adherence to the requirements of Guide 65 at
a minimum. These requirements explicitly obligate certification bodies
to conduct business in an impartial manner. For instance, an applicant
for ONC-ACB status and/or an ONC-ACB must have a documented structure
which safeguards impartiality, including provisions to ensure the
impartiality of the operations of the certification body and that
activities of related bodies do not affect the confidentiality,
objectivity and impartiality of its certifications. Guide 65 also
specifically states that ``access shall not be conditional upon the
size of the [Complete EHR or EHR Module developer] or membership [in]
any association or group, nor shall certification be conditional upon
the number of certificates already issued.'' We believe these
provisions as well as other impartiality provisions contained in Guide
65 will adequately address any potential conflicts of interest,
potential discriminatory practices, or other situations that might
jeopardize the integrity of the permanent certification program. We
will not require requests for certification to be completed within six
months as the commenter proposed. A predetermined timeframe is not
realistic because the time it takes for a product to be certified will
likely vary based on factors such as the current number of ONC-ACBs,
the volume of
[[Page 1286]]
requests for certification, the type of product that is submitted for
certification, and an ONC-ACB's specific business practices.
3. Application Submission
We proposed in Sec. 170.525 to allow an applicant for ONC-ACB
status to submit its application either electronically via e-mail (or
web submission if available), or by regular or express mail at any time
during the existence of the permanent certification program. We did not
receive any comments on this proposal. We are, however, revising Sec.
170.525 to clarify that an applicant for ONC-ACB status may submit its
application at any time after the permanent certification program has
been established by this final rule.
4. Overall Application Process
We received a few comments regarding the overall application
process.
Comment. One commenter contended that there is an optimal number of
ONC-ACBs that can effectively perform certification in both the near
and long term. The commenter reasoned that if there are too few ONC-
ACBs, then the ONC-ACBs will be unable to handle the demand for
certifications that can be expected at the outset of the permanent
certification program. Alternatively, the commenter reasoned that if
there are too many ACBs, the demand for their services may not be
sufficient for all of them to remain financially viable. The commenter
believed the key to the appropriate number of ONC-ACBs is for ONC to
determine the ONC-ACBs' ability to handle the needs of the market.
Another commenter suggested that the number of ONC-ACBs be limited to
5. The commenter reasoned that there might be variances in
certification processes if there are too many ONC-ACBs, while limiting
the number of ONC-ACBs to 5 organizations will ensure that an ONC-AA
will be able to effectively monitor the ONC-ACBs. One commenter
suggested that applicants for ONC-ACB status preferably be not-for-
profit organizations.
Response. We believe it is appropriate to allow all qualified
applicants to apply and obtain ONC-ACB status and that organizations
will determine whether pursuing ONC-ACB status can be a successful
business venture. We believe that a greater number of successful
applicants for ONC-ACB status will benefit the market in terms of
increased competition and more options for the certification of
Complete EHRs, EHR Modules, and/or other types of HIT. Restricting the
number of ONC-ACBs or imposing arbitrary eligibility requirements on
applicants, such as requiring an applicant to be a not-for-profit
organization, will only limit these potential benefits. Further, we
believe that the requirements of the permanent certification program,
including requiring accreditation from a sole ONC-AA and adherence to
the Principles of Proper Conduct for ONC-ACBs, will ensure the
necessary consistency in certifications granted by ONC-ACBs.
Comments. A commenter recommended that we provide for ``provisional
acceptance'' of an organization before requiring an organization to go
through full accreditation to become an ONC-ACB. The commenter believed
this would lessen the risk for organizations in pursuing ONC-ACB
status.
Response. Based on the structure of the permanent certification
program and the important role played by the ONC-AA, we do not believe
that we could properly evaluate the qualifications of an organization
until after it had obtained the appropriate accreditation. Therefore,
we do not believe we could offer any form of ``provisional acceptance''
without fundamentally altering the permanent certification program's
structure.
H. ONC-ACB Application Review, Reconsideration, and ONC-ACB Status
In the Proposed Rule, we proposed to review an application for ONC-
ACB status and issue a decision within 30 days in most cases. We
proposed that if an applicant was issued a denial notice and certain
criteria were met, an applicant could seek reconsideration of the
denied application. We proposed that if an applicant's application were
deemed satisfactory, we would make it publicly known that the applicant
had achieved ONC-ACB status and that the ONC-ACB would be able to begin
certifying consistent with the authorization granted by the National
Coordinator. We further proposed that an ONC-ACB's status would expire
two years from the date it was granted unless it was renewed.
1. Application Review
We proposed in Sec. 170.530 that we would review completed
applications in the order in which we received them and that the
National Coordinator would issue a decision within 30 days of receipt
of an application submitted for the first time.
We proposed that the National Coordinator would be able to request
clarification of statements and the correction of inadvertent errors or
minor omissions. In these cases, before issuing a formal deficiency
notice, we proposed that the National Coordinator may request such
information from the applicant's authorized representative as an
addendum to its application. We further proposed that if the applicant
failed to provide such information to the National Coordinator within
the timeframe specified, which would not be less than 5 days, the
National Coordinator could issue a formal deficiency notice. In other
circumstances, the National Coordinator could immediately send a formal
deficiency notice if it was determined that significant deficiencies
existed which could not be addressed by a clarification or correction
of a minor omission.
We proposed that the National Coordinator would identify any
deficiencies in an application and provide an applicant with an
opportunity to correct any deficiencies by submitting a revised
application in response to a deficiency notice. We proposed that an
applicant would have 15 days to submit a revised application in
response to a deficiency notice and that the National Coordinator would
be permitted up to 15 days to review a revised application once it has
been received. We further proposed that if the National Coordinator
determined that a revised application still contained deficiencies, the
applicant would be issued a denial notice indicating that the applicant
would no longer be considered for authorization under the permanent
certification program.
We proposed that an applicant could request reconsideration of the
decision in accordance with Sec. 170.535. We proposed that an
application would be deemed satisfactory if it met all of the
application requirements. We further proposed that once the applicant
was notified of this determination, the applicant would be able to
represent itself as an ONC-ACB and begin certifying Complete EHRs, EHR
Modules and/or other types of HIT consistent with its authorization.
Comments. We did not receive any comments specific to Sec.
170.530. We did, however, receive two comments on the temporary
certification program application review provisions during the
permanent certification program public comment period that are equally
applicable to Sec. 170.530. A commenter expressed agreement and
support for the proposed process affording the National Coordinator
discretion to request clarifications of statements or corrections of
errors or omissions, but the commenter did not agree that such requests
should be limited to only
[[Page 1287]]
inadvertent or minor errors. The commenter reasoned that given the time
constraints and complexity of the application process, the National
Coordinator should be able to consider requesting clarifications or
corrections in a collaborative process with applicants, as appropriate.
The commenter also expressed general agreement with our proposal that
an applicant be provided up to 15 days to respond to a formal
deficiency notice. The commenter suggested, however, that considering
our position that not many organizations will be capable of obtaining
authorization under the certification programs, the National
Coordinator should have the discretion to grant an extension beyond the
15-day response period upon a showing of good cause by the applicant.
Response. Based on the comments received, we believe that certain
modifications to the ONC-ACB application review process would be
beneficial for ONC-ACB applicants as well as the permanent
certification program as a whole. We made similar modifications to the
ONC-ATCB application review process in the Temporary Certification
Program final rule.
We agree with the commenter that the process for the National
Coordinator to seek corrections of errors and omissions should be
revised. Therefore, as recommended by the commenter, we are removing
the words ``inadvertent'' and ``minor'' from Sec. 170.530(b)(1).
Although we anticipate that the National Coordinator would likely seek
correction of only minor errors or omissions (e.g., missing contact
information of an authorized representative as opposed to a more
significant deficiency such as not providing sufficient documentation
that confirms that the applicant has been accredited by the ONC-AA),
these revisions will provide the National Coordinator with more
flexibility to allow an applicant to correct an error or omission
instead of issuing a deficiency notice to the applicant. This
flexibility will be beneficial for applicants and the permanent
certification program itself considering the limited opportunities and
short timeframes for correcting applications. Similarly, we believe
that the application review process would be improved if the National
Coordinator could also request the clarification of statements and the
correction of errors or omissions in a revised application. This change
will make the application review process more collaborative as
suggested by the commenter. Therefore, we are also revising Sec.
170.530 to allow the National Coordinator to request clarification of
statements and the correction of errors or omissions during the 15-day
period provided for review of a revised application.
We are making additional revisions to Sec. 170.530 in response to
the commenter's recommendation that the National Coordinator should
have the discretion, upon a showing of good cause by the applicant, to
grant an extension beyond 15 days for an applicant to submit a revised
application in response to a deficiency notice. We agree with the
commenter's recommendation and are revising Sec. 170.530 to allow an
applicant for ONC-ACB status to request an extension of the 15-day
period for submitting a revised application in response to a deficiency
notice and to provide the National Coordinator with the option of
granting an applicant's request for additional time to respond to a
deficiency notice upon a showing of good cause by the applicant. In
determining whether good cause exists, the National Coordinator will
consider factors such as: change in ownership or control of the
applicant organization; the unexpected loss of a key member of the
applicant's personnel; damage to or loss of use of the applicant's
facilities, working environment or other resources; or other relevant
factors that would prevent the applicant from submitting a timely
response to a deficiency notice.
We believe it is unnecessary to establish a predetermined period of
time for a good cause extension. Instead, the duration of an extension
will be determined based on an applicant's particular circumstances
that constitute good cause for the extension. For example, if an
applicant is accredited but fails to submit sufficient documentation of
its accreditation, a good cause extension could be granted for a period
of time that would allow the applicant to obtain and submit the
appropriate documentation.
We proposed in Sec. 170.530(c)(4) that if the National Coordinator
determines that a revised application still contains deficiencies, the
applicant will be issued a denial notice indicating that the applicant
will no longer be considered for authorization under the permanent
certification program. We believe this section should be modified in
order to allow unsuccessful applicants to reapply for ONC-ACB status
after a period of time has passed. Although we proposed in Sec.
170.535 that applicants could submit a request for the National
Coordinator to reconsider a denial notice, this reconsideration process
is only applicable to an application that is the subject of a denial
notice and only in limited circumstances. We believe revisions to Sec.
170.530(c)(4) are necessary because, as discussed below, it could
significantly compromise the quality of the permanent certification
program if qualified applicants are unable to reapply for ONC-ACB
status because they were previously issued a denial notice.
Consequently, we are revising this section to state that a denial
notice will indicate that the applicant cannot reapply for ONC-ACB
status for a period of six months from the date of the denial notice.
As proposed, Sec. 170.530(c)(4) would prevent applicants from
reapplying and being considered for ONC-ACB status if they have been
issued a denial notice for the permanent certification program. Once a
denial notice has been issued, the unsuccessful applicant would be
permanently barred from submitting any subsequent applications for ONC-
ACB status. We believe that a permanent bar on reapplying for ONC-ACB
status could potentially have detrimental effects on the permanent
certification program. Unlike the temporary certification program, the
permanent certification program has no anticipated sunset date and is
expected to continue indefinitely. We believe an applicant for ONC-ACB
status that receives a denial notice should be given an opportunity to
correct the deficiency or deficiencies on which the denial notice was
based. For example, an applicant that is otherwise qualified to serve
as an ONC-ACB could be issued a denial notice if its accreditation is
suspended or revoked while its ONC-ACB application is under review. The
application review process finalized in this rule is intended to
provide applicants with multiple opportunities to correct problems with
their applications. We recognize, however, that an applicant may need
more time to have its accreditation reinstated than would be possible
within the timeframe for application review, even if the applicant
could show good cause for an extension. We believe it would be unfair
and contrary to the program's best interests not to allow such an
applicant to reapply for ONC-ACB status. As another example, an
otherwise qualified applicant may be barred from reapplying if it
receives a denial notice because it unintentionally missed an
established deadline for responding to a deficiency notice and did not
request a good cause extension for submitting a revised application. As
previously noted, we expect that only a limited number of organizations
will possess the requisite qualifications that would enable them to
become ONC-
[[Page 1288]]
ACBs. Permanently barring qualified applicants from reapplying solely
because they had been issued a denial notice would unnecessarily
restrict the limited supply of organizations that are qualified to
serve as ONC-ACBs. We believe such a restriction would not be in the
best interest of the permanent certification program and would
undermine our objective to encourage a competitive market for the
certification of HIT. Moreover, an applicant that is denied
authorization to certify Complete EHRs and/or EHR Modules may still be
qualified to certify other types of HIT. We believe such organizations
should be given a chance to apply for ONC-ACB status in the event that
other types of HIT are included in the permanent certification program
after the Secretary adopts applicable certification criteria.
We believe that 6 months is a reasonable period of time for an
applicant to wait before it may reapply. By way of comparison, an
organization that has had its ONC-ACB status revoked for a Type-1
violation must wait 1 year in accordance with Sec. 170.565(h)(3)
before it may reapply for ONC-ACB status. It would be inequitable as
well as inconsistent with our program goals to permanently bar an
organization from reapplying because it received a denial notice, while
allowing an organization that had its ONC-ACB status revoked to reapply
after a year. In light of the fact that Type-1 violations include
violations of law or permanent certification program policies that
threaten or significantly undermine the integrity of the permanent
certification program, we believe that an organization's inability to
meet the application requirements of Sec. 170.520 deserves a far
lesser consequence than a permanent bar on reapplying for ONC-ACB
status. We believe that a 6-month waiting period will in many cases
provide sufficient time for an applicant to evaluate and correct the
deficiencies with its application (assuming the deficiencies are
capable of correction) and will deter unqualified applicants from
repeatedly applying. Accordingly, we are revising paragraph (c)(4) of
Sec. 170.530 consistent with the preceding discussion.
We proposed an identical provision in Sec. 170.430(c)(4) for the
temporary certification program, which we finalized in the Temporary
Certification Program final rule. Under that provision, an applicant
that is issued a denial notice cannot reapply and be considered for
ONC-ATCB status, which we believe is appropriate for the temporary
certification program. We anticipate that the temporary certification
program will only remain in existence for a short period of time and
expect that it will sunset on December 31, 2011. We expect that a vast
majority of certifications will be conducted early in the temporary
certification program based on the associated meaningful use
requirements and reporting periods of the Medicare and Medicaid EHR
Incentive Programs. Further, any applicant that is permanently barred
from reapplying for ONC-ATCB status will still be able to apply for
ONC-ACB status under the permanent certification program. Therefore,
due to the short duration of the temporary certification program and
the fact that an unsuccessful applicant for ONC-ATCB status may apply
for ONC-ACB status under the permanent certification program, the
consequences of a permanent bar on reapplication are not nearly as
severe as they would have been under the permanent certification
program had we not revised our proposal.
We state in Sec. 170.530(d) that the National Coordinator will
notify the applicant's authorized representative of its satisfactory
application and its successful achievement of ONC-ACB status and that
once notified, the applicant may represent itself as an ONC-ACB and
begin certifying HIT consistent with its authorization. We believe it
is important to clarify that there is a distinction between the point
at which an organization is notified that it has been granted ONC-ACB
status and the point when it may begin to perform certifications
consistent with the authorization that it has been granted. To
illustrate this distinction with an example, an applicant may be
notified in October 2011 that it has been granted ONC-ACB status,
although the permanent certification program is not scheduled to begin
until at least January 1, 2012. After receiving notice, the ONC-ACB may
begin to represent and market itself as ONC-ACB and participate in
mandatory ONC training for ONC-ACBs, but its authorization to perform
certifications would not become effective until the commencement of the
permanent certification program on January 1, 2012 or on a subsequent
date when the National Coordinator determines that the permanent
certification program is fully constituted. At that time, the ONC-ACB
may begin to certify the type(s) of HIT that fall within the scope of
its authorization. Similarly, after the ONC-ACB has participated in the
permanent certification program for a period of time, it may choose to
submit a request to the National Coordinator to expand the current
scope of its authorization (for example, to include other types of EHR
Modules or Complete EHRs). If the National Coordinator grants its
request based on the information it submits and the completion of any
applicable mandatory ONC training, then the ONC-ACB's authorization
would be expanded effective as of the date specified by the National
Coordinator. In both cases (the initial granting of ONC-ACB status and
the subsequent expansion of the ONC-ACB's authorization), the National
Coordinator would make publicly available the date of the ONC-ACB's
authorization and the type(s) of certification included within its
authorization, pursuant to Sec. 170.540(a).
2. Application Reconsideration
We proposed in Sec. 170.535 that an applicant after receiving a
denial notice may request that the National Coordinator reconsider the
denied application only if the applicant can demonstrate that clear,
factual errors were made in the review of the application and that
their correction could lead to the applicant obtaining ONC-ACB status.
We proposed that an applicant would be required to submit, within 15
days of receipt of a denial notice, a written statement to the National
Coordinator contesting the decision to deny its request for ONC-ACB
status and explaining with sufficient documentation what factual errors
it believes can account for the denial. We proposed that if the
National Coordinator did not receive the applicant's submission within
the specified timeframe that its request could be rejected. We proposed
that the National Coordinator would have up to 15 days to consider and
issue a decision on a timely reconsideration request. We further
proposed that if, after reviewing an applicant's reconsideration
request, the National Coordinator determined that the applicant did not
identify any factual errors or that correction of those factual errors
would not remove all identified deficiencies in the application, the
National Coordinator could reject the applicant's reconsideration
request and that this decision would be final and not subject to
further review.
Comments. A commenter expressed agreement with our proposed ONC-ACB
application reconsideration process. Another commenter stated, however,
that the National Coordinator should have discretion to reconsider an
application for reasons besides clear factual errors that could lead to
the applicant receiving ONC-ACB status. The commenter suggested that
the National Coordinator should consider
[[Page 1289]]
several factors in determining whether to reconsider an application,
including the severity and type of the deficiency, the implications of
the deficiencies, the applicant's level of responsiveness and
cooperation, and the remedial efforts taken by the applicant.
Response. We appreciate the one commenter's expression of support
for our proposals. We do not agree with the commenter that the National
Coordinator should reconsider all applications for any reason. Rather,
as we determined for the temporary certification program in the
Temporary Certification Program final rule, we believe that the
National Coordinator should only reconsider an application if the
applicant for ONC-ACB status can demonstrate that there were clear
factual errors in the review of its application that could lead to the
applicant obtaining ONC-ACB status. We believe that the application
requirements and application review processes that we have proposed
ensure that only qualified applicants are timely authorized to be ONC-
ACBs. The application requirements proposed, particularly the
requirement that an applicant be accredited by an ONC-AA, are designed
to ensure that applicants are qualified. Our review process is designed
to ensure the veracity of an application and to confirm that an
applicant has the necessary capabilities to be authorized to conduct
the certification sought by the applicant. Our review process is also
designed to reach final decisions in a timely manner. Overall, we
believe the application review process is efficient yet fair by
providing opportunities for the National Coordinator to request
clarifications and corrections to the application, opportunities for an
applicant to respond to a deficiency notice, and opportunities to
request reconsideration of a denial notice if there are clear, factual
errors that, if corrected, could lead to the applicant obtaining ONC-
ACB status. We also note that if an applicant is unable to demonstrate
that clear, factual errors were made in the review of its application,
it still would have the ability to reapply for ONC-ACB status after
waiting a period of six months. Accordingly, we are finalizing Sec.
170.535 without modification.
3. ONC-ACB Status
We proposed in Sec. 170.540 that the National Coordinator will
acknowledge and make publicly available the names of ONC-ACBs,
including the date each was authorized and the type(s) of certification
each has been authorized to perform. We proposed that each ONC-ACB
would be required to prominently and unambiguously identify on its Web
site and in all marketing and communications statements (written and
oral) the scope of its authorization. We also proposed that an ONC-
ACB's status would expire two years from the date it was granted by the
National Coordinator unless it was renewed. To renew its status, we
proposed that an ONC-ACB submit a renewal request (i.e., an updated
application) to the National Coordinator 60 days prior to the
expiration of its status.
In association with these proposals, we specifically requested that
the public comment on whether there was any additional information an
ONC-ACB should provide the National Coordinator in order to have its
status renewed, such as documentation of the ONC-ACB's current
accreditation status and any additional information or updates to the
original application that would aid in the National Coordinator's
review of the renewal request.
Comments. A commenter expressed an opinion that it is important to
the industry that the National Coordinator makes distinctions as to
what a certifying body is authorized to certify. One commenter
recommended that our requirements related to marketing and
communications be limited to the ONC-ACB's Web site and all marketing
and communications pertaining to its role in the certification of
Complete EHRs, EHR Modules and/or other types of HIT under the
permanent certification program. As currently written, the commenter
contended that the requirements apply to all marketing and
communications made by the entity even if unrelated to their ONC-ACB
status.
Commenters expressed agreement with having an ONC-ACB's status
expire after two years, while others suggested 3-year and 4-year terms.
The commenters requesting longer terms stated that a longer term would
promote more stability and lessen overhead costs for ONC-ACBs. A
commenter that suggested a 3-year term reasoned that a 3-year term
could run concurrent with the ONC-AA's term. The commenter also
requested that in cases where the ONC-AA has its status revoked or not
renewed, ONC-ACBs should be allowed to retain their status with ONC
until at least 12 months after a new ONC-AA has been appointed by ONC.
The commenter reasoned that this would allow time for
``reaccreditation'' by the approved accreditation organization.
In terms of what information we should consider for the renewal of
an ONC-ACB's status, commenters generally agreed that an ONC-ACB should
provide updated accreditation information and demonstrate compliance
with the Principles of Proper Conduct for ONC-ACBs. Commenters also
suggested that ONC request and consider Complete EHR and EHR Module
developers' evaluations of ONC-ACBs' performance, documentation
regarding the handling of customer complaints by ONC-ACBs, the
percentage of certifications in relation to requests for certification,
the total number of previous certifications granted, the number of
certifications granted after two or more attempts, and surveillance
results.
Response. We appreciate the support for our proposals and reiterate
that, as proposed, an ONC-ACB will only be able to certify Complete
EHRs, EHR Modules and/or other types of HIT consistent with the scope
of authorization granted by the National Coordinator. Additionally, as
proposed, the ONC-ACB will have to prominently and unambiguously
display the scope of authorization granted to it by the National
Coordinator. To address the commenter's concern about the overreach of
our proposed requirement that an ONC-ACB ``identify on its Web site and
in all marketing and communications statements (written and oral) the
scope of its authorization'' we have clarified the language to clearly
state that the requirement only applies to activities conducted by the
ONC-ACB under the permanent certification program. Specifically, we
have revised the provision to state, in relevant part, ``each ONC-ACB
must prominently and unambiguously identify the scope of its
authorization on its Web site, and in all marketing and communications
statements (written and oral) pertaining to its activities under the
permanent certification program.''
We believe, after consideration of public comments, that an ONC-ACB
should be allowed to maintain its status for three years, instead of
the proposed two years, from the date it is granted before being
required to renew its status. Considering that an applicant could
obtain ONC-ACB status at any time during the permanent certification
program, it would be impossible to align the tenure of the ONC-AA with
that of the ONC-ACBs. However, a three-year term for ONC-ACBs will
offer additional stability for those HIT developers seeking
certification under the permanent certification program as well as for
ONC-ACBs. It will also lessen the reapplication burden for ONC-ACBs. We
anticipate by beginning the process to approve an ONC-AA at least 180
days prior to the end of the then-current ONC-AA's term, there will
[[Page 1290]]
be minimal disruption in the accreditation processes if we were to
select a different ONC-AA. As previously noted in this final rule, we
intend to issue an NPRM that will address improper conduct by an ONC-AA
and propose a corrective action process. At that time, we will consider
the implications for ONC-ACBs if an ONC-AA's status is revoked or other
corrective action is taken.
We do not believe that there is a need to require an ONC-ACB to
provide any of the information suggested by the commenters for ONC to
consider in determining whether to renew an ONC-ACB's status. The
Principles of Proper Conduct for ONC-ACBs require an ONC-ACB to submit
a weekly list of certified Complete EHRs, EHR Modules, and/or other
types of HIT, attend mandatory training, and submit an annual
surveillance plan and annually report surveillance results.
Accreditation requires an ONC-ACB to be compliant with Guide 65 at a
minimum, which requires an ONC-ACB to have a complaints process that
includes documentation of the resolution of complaints. Accreditation
also involves a regular review of an ONC-ACB's processes and
performance. Consequently, we believe that by maintaining its
accreditation and adhering to the Principles of Proper Conduct for ONC-
ACBs, an ONC-ACB will be more than adequately situated to pursue
renewal.
To renew its status, an ONC-ACB must submit to the National
Coordinator the information specified in Sec. 170.520(a) and (c) that
would otherwise be required to apply for ONC-ACB status and, if
applicable, include any requests to expand the current scope of its
authorization. We expect that an ONC-ACB will be providing updates to
the information specified in Sec. 170.520(b) as part of its compliance
with the Principles of Proper Conduct for ONC-ACBs. Therefore, we do
not expect an ONC-ACB to submit its ``general identifying information''
unless the information that is on record with ONC is outdated or
otherwise incorrect. Lastly, we do not believe it will be necessary for
an ONC-ACB to execute and submit a new agreement to adhere to the
Principles of Proper Conduct for ONC-ACBs because the initial agreement
that was executed when the organization obtained ONC-ACB status will
remain valid as long as the organization maintains its ONC-ACB status.
We are revising Sec. 170.540 consistent with this discussion,
including clarifying the representation requirements of ONC-ACBs,
extending the term of ONC-ACB status to 3 years and clarifying that a
renewal request must include any updates to the information specified
in Sec. 170.520.
I. Certification of Complete EHRs, EHR Modules and Other Types of HIT
In the Proposed Rule, we described the scope of authority that
would be granted to certification bodies that become ONC-ACBs. We also
specified which certification criterion or criteria ONC-ACBs would be
required to use to certify Complete EHRs, EHR Modules and/or other
types of HIT. As discussed below, the comments we received on these
proposed provisions were in many cases also applicable to analogous
provisions of the temporary certification program. As a result of the
similarities that exist between the temporary and permanent
certification programs, our responses to the comments below are often
similar or identical to responses we provided in the Temporary
Certification Program final rule.
1. Complete EHRs
We proposed in Sec. 170.545 that to be authorized to certify
Complete EHRs under the permanent certification program, an ONC-ACB
would need to be capable of certifying Complete EHRs to all applicable
certification criteria adopted by the Secretary at subpart C of part
170. We further proposed that an ONC-ACB that had been authorized to
certify Complete EHRs would also be authorized to certify all EHR
Modules under the permanent certification program.
Comments. Commenters expressed agreement with our proposals that,
in order to be authorized to certify Complete EHRs under the permanent
certification program, an ONC-ACB must be capable of certifying
Complete EHRs to all applicable certification criteria and that such an
ONC-ACB would also be authorized to certify all EHR Modules under the
permanent certification program. One commenter recommended that we
require ONC-ACBs authorized to certify Complete EHRs to also certify
EHR Modules.
Response. We appreciate the commenters' support for our proposals,
but we do not adopt the one commenter's recommendation that we require
an ONC-ACB that is authorized to certify Complete EHRs to also certify
EHR Modules. We clearly acknowledged in the preamble of the Proposed
Rule and in our proposed regulatory provision that an ONC-ACB
authorized to certify Complete EHRs would also have the capability and,
more importantly, the authorization from the National Coordinator to
certify EHR Modules. We do not, however, believe that we should require
an ONC-ACB that is authorized to certify Complete EHRs to also certify
EHR Modules. An ONC-ACB, despite its authorization to do so, might have
multiple business justifications for choosing not to certify EHR
Modules, such as an insufficient number of qualified employees to
conduct the certification of EHR Modules in addition to conducting
certification of Complete EHRs, or that doing both would not be as
profitable a business model.
Based on consideration of the comments received and review of the
proposed provision, we are revising Sec. 170.545(a) to state that
``When certifying Complete EHRs, an ONC-ACB must certify Complete EHRs
in accordance with all applicable certification criteria adopted by the
Secretary at subpart C of this part.'' This revision is consistent with
our description of certification of Complete EHRs in the Proposed Rule
preamble, as well as the approach we finalized for the temporary
certification program. It also makes explicit that ONC-ACBs must not
only be capable, but as with EHR Modules, are required to certify
Complete EHRs to all of the applicable certification criteria adopted
by the Secretary under subpart C of part 170. We are also redesignating
proposed paragraph (b) as paragraph (e) because of additional revisions
we are making to Sec. 170.545. These revisions are discussed in
sections F. Certification Options for ONC-ACBs, O. Validity of Complete
EHR and EHR Module Certification and Expiration of Certified Status and
P. Differential or Gap Certification of this preamble.
2. EHR Modules
a. Applicable Certification Criterion or Criteria
We proposed in Sec. 170.550(a) and (b) that an ONC-ACB must
certify EHR Modules in accordance with the applicable certification
criterion or criteria adopted by the Secretary at subpart C of part
170. In the preamble of the Proposed Rule, we clarified that a single
certification criterion would encompass all of the specific
capabilities referenced below the first paragraph level. For example,
45 CFR 170.302, paragraph ``(f)'' (the first paragraph level)
identifies that this certification criterion relates to recording and
charting vital signs. It includes three specific capabilities at
(f)(1), (2), and (3) (the second paragraph level): the ability to
record, modify, and retrieve patients' vital signs; the ability to
calculate body mass index (BMI); and
[[Page 1291]]
the ability to plot and display growth charts. We stated that we viewed
the entire set of specific capabilities required by paragraph ``(f)''
(namely, (f)(1), (2), and (3)) as one certification criterion. The
specific capability to calculate BMI, for example, would not be
equivalent to one certification criterion.
Comments. We received two comments on our proposal. One commenter
expressed agreement with our proposal, including the appropriateness of
requiring an EHR Module to be capable of performing all the functions
specified at the paragraph level of a certification criterion. The
commenter reasoned that to allow certification at a lower level
(subparagraph) would result in a very large number of EHR Modules that
would overcomplicate the certification program. The commenter stated
that the only exception might be if there were a very large number of
subparagraphs within a criterion or a very large number of criteria
within a single objective. In that case, the commenter asserted that
the EHR Module might be divided into two or more logically related
groups. But in general, the commenter stated that having a range of 20-
25 certification criteria, and therefore potential EHR Modules, was an
appropriate level of granularity.
The other commenter stated that requiring an EHR Module to perform
all of the listed functions or capabilities associated with a specific
certification criterion would create a problem. In particular, the
commenter stated that for the ``drug-drug, drug-allergy, drug-formulary
checks'' certification criterion specified in the HIT Standards and
Certification Criteria interim final rule, there did not appear to be a
single EHR Module in the current HIT marketplace that performs all of
the four listed capabilities under the criterion. Therefore, the
commenter recommended that we narrow the scope of EHR Module
certification to one of the capabilities or functions (subparagraphs)
of a criterion. The commenter stated that this solution would
necessitate that the ONC-ACB provide EHR Modules that only perform such
discrete functions with a ``conditional certification'' that carries
the caveat that the EHR Module must be used in conjunction with other
certified EHR Modules to offer full and complete functionality for the
applicable criterion.
Response. We agree with the first commenter that, as proposed, EHR
Modules should be certified to the first paragraph level of a
certification criterion, as described in our example above. We believe
that this is the most appropriate level for certification of EHR
Modules because, in most cases, this level of a criterion most fully
represents the capabilities that are needed to perform the associated
meaningful use objectives. We addressed the concern expressed by the
other commenter about the ``drug-drug, drug-allergy, drug-formulary
checks'' certification criterion by adopting separate certification
criteria in the HIT Standards and Certification Criteria final rule.
We are modifying Sec. 170.550 to remove proposed paragraph (b)
because it is repetitive of the requirements set forth in paragraph
(a). We made a similar modification to Sec. 170.450 in the Temporary
Certification Program final rule.
b. Privacy and Security Certification
With respect to EHR Modules, we discussed in the Proposed Rule when
ONC-ACBs would be required to certify EHR Modules to the privacy and
security certification criteria adopted by the Secretary. We proposed
in Sec. 170.550(c) that EHR Modules must be certified to all privacy
and security certification criteria adopted by the Secretary unless the
EHR Module(s) is/are presented for certification in one of the
following manners:
The EHR Module(s) are presented for certification as a
pre-coordinated, integrated bundle of EHR Modules, which could
otherwise constitute a Complete EHR. In such instances, the EHR
Module(s) shall be certified in the same manner as a Complete EHR. Pre-
coordinated, integrated bundles of EHR Module(s) which include EHR
Module(s) that would not be part of a local system and under the end
user's direct control are excluded from this exception. The constituent
EHR Modules of such a pre-coordinated, integrated bundle must be
separately certified to all privacy and security certification
criteria;
An EHR Module is presented for certification, and the
presenter can demonstrate to the ONC-ACB that it would be technically
infeasible for the EHR Module to be certified in accordance with some
or all of the privacy and security certification criteria; or
An EHR Module is presented for certification, and the
presenter can demonstrate to the ONC-ACB that the EHR Module is
designed to perform a specific privacy and security capability. In such
instances, the EHR Module may only be certified in accordance with the
applicable privacy and security certification criterion/criteria.
Comments. A number of commenters supported our proposed approach
and agreed that EHR Modules should be certified to all adopted privacy
and security certification criteria unless there were justifiable
reasons for which they should not. Other commenters suggested changes
to one or more of the stated exceptions and posed questions for our
consideration. Some commenters recommended that we deem certification
criteria ``addressable'' similar to the Health Insurance Portability
and Accountability Act (HIPAA) Security Rule's application of the word
``addressable'' to certain implementation specifications (in the HIPAA
context) within a security standard (in the HIPAA context). Other
commenters noted that with respect to the second exception, involving
the demonstration that it would be technically infeasible for an EHR
Module to be certified to some or all privacy and security
certification criteria, that the term ``inapplicable'' should be added
as a condition in addition to ``technically infeasible.'' Another
commenter stated that we should remove the third exception, involving
the demonstration that an EHR Module is designed to perform a specific
privacy and security capability, because, depending on how the privacy
and security EHR Module is developed, it may also need to include
certain capabilities, such as an audit log.
One commenter noted that, under the permanent certification
program, an EHR Module developer would first be required to demonstrate
to a testing laboratory that it is technically infeasible to certify an
EHR Module to a particular privacy and security certification
criterion, which would require the testing laboratory to make an
independent subjective decision on technical feasibility. The commenter
recommended that ONC and/or NIST develop an ``applicability matrix'' to
reduce subjectivity and ensure consistent determinations among testing
laboratories and ONC-ACBs related to the applicability of privacy and
security certification criteria to EHR Modules. Another commenter
expressed an understanding of our privacy and security certification
approach to EHR Modules, but cautioned that to ensure the privacy and
security of an EHR system in its entirety, that the entire combination
needs to be tested for privacy and security due to variances that can
occur in how EHR Modules perform once they are ``linked.'' The
commenter suggested that an EHR Module developer should be required to
[[Page 1292]]
explain how the EHR Module will be ``securely'' assembled.
Response. We appreciate commenters' support for our proposed
approach and the thoughtfulness of the responses. While we understand
and appreciate the similarities some commenters saw with respect to the
HIPAA Security Rule and leveraging the ``addressable'' concept, we do
not believe that making each privacy and security certification
criterion ``addressable'' in the way it is implemented under the HIPAA
Security Rule is an appropriate approach for the purposes of certifying
EHR Modules.
In the context of the HIPAA Security Rule, HIPAA covered entities
must assess whether each addressable implementation specification (in
the HIPAA Security Rule) is a reasonable and appropriate safeguard in
its environment. If a HIPAA covered entity determines that an
addressable implementation specification is reasonable and appropriate,
then the covered entity is required to implement it. If a HIPAA covered
entity determines that an addressable implementation specification is
not reasonable and appropriate, the covered entity is required to: (1)
document why it would not be reasonable and appropriate to implement
the addressable implementation specification; and (2) implement an
equivalent alternative measure if reasonable and appropriate. While
this is a sensible approach for HIPAA covered entities, we do not
believe that it translates well into the certification of EHR Modules.
All HIPAA covered entities are required to comply with the HIPAA
Security Rule with respect to their electronic protected health
information, regardless of their size and resources. Accordingly, the
HIPAA Security Rule provides for a flexible approach, allowing a HIPAA
covered entity to implement safeguards that are reasonable and
appropriate for its unique environment. We do not believe that this
approach is appropriate for certifying EHR Modules because one purpose
of certification is to assure eligible professionals and eligible
hospitals that an EHR Module includes a specified capability or set of
capabilities. For these reasons and as we concluded in the Temporary
Certification Program final rule, we believe that the proposed standard
of ``technically infeasible'' is more appropriate than the HIPAA
Security Rule's ``addressable'' concept for the purposes of certifying
EHR Modules. Thus, an EHR Module developer must satisfy each privacy
and security criterion where it is technically feasible.
To complement our ``technically infeasible'' standard, we agree
with those commenters that recommended the addition of the word
``inapplicable'' to the second proposed exception. We believe that in
some cases a privacy and security certification criterion may be
inapplicable to an EHR Module while technically feasible to implement,
and in other cases a privacy and security certification criterion may
be applicable but technically infeasible to implement. For example, it
may be technically feasible to implement an automatic log-off or
emergency access capability for several types of EHR Modules, but such
capabilities may be inapplicable given the EHR Module's anticipated
function and/or point of integration.
In response to the comment regarding the assessment of privacy and
security certification criteria by testing labs, we anticipate that an
EHR Module developer would request a testing lab to only test the
privacy and security certification criteria to which the EHR Module
developer believes are appropriate for its EHR Module. In other words,
a testing lab would test what is requested by an EHR Module developer
and not be responsible for determining whether other privacy and
security certification criteria (not requested for testing) may in fact
be applicable or technically feasible for the EHR Module developer to
implement. This responsibility would be an ONC-ACB's and, for the
purposes of certification, we require that an individual or entity that
presents an EHR Module for certification must provide sufficient
documentation to the ONC-ACB to support its assertion that a particular
privacy and security certification criterion is inapplicable or that
satisfying the certification criterion is technically infeasible. Based
on this documentation, the ONC-ACB shall independently assess and make
a reasonable determination as to whether the EHR Module should be
exempt from having to satisfy particular privacy or security
certification criteria. As a result, there could be situations where
despite an EHR Module developer's belief that a privacy and security
certification criterion is inapplicable or technically infeasible an
ONC-ACB makes a determination to the contrary. We believe that these
instances would be the exception and not the rule but, nonetheless, we
encourage EHR Module developers to carefully consider those privacy and
security certification criteria they believe are inapplicable or
technically infeasible prior to seeking testing. Finally, we recognize
that this approach provides a certain amount of discretion among the
ONC-ACBs, but we believe that any inconsistent application that emerges
could be mitigated by guidance from the National Coordinator.
A commenter expressed a concern about the overall privacy and
security of a combination of EHR Modules. As we stated in the Proposed
Rule and the HIT Standards and Certification Criteria interim final
rule, it is incumbent on the eligible professional or eligible hospital
to ensure that a combination of EHR Modules properly work together to
meet all of the required capabilities necessary to meet the definition
of Certified EHR Technology. Thus, the flexibility and customization
provided through the use of EHR Modules may also include some
additional work on the part of an eligible professional or eligible
hospital to ensure that adopted EHR Modules properly work together.
Alternatives to this custom approach, as we have discussed, include the
adoption of Complete EHRs and pre-coordinated, integrated bundles of
EHR Modules.
We also agree with the commenter who stated that we should remove
the third exception and simply require all EHR Modules, if not included
in a pre-coordinated integrated bundle, to follow the same approach. As
a result, and as we did in the context of the temporary certification
program, only the first and second exception of proposed Sec.
170.550(c) will be finalized. We recognize that, with respect to an EHR
Module that is focused exclusively on providing one or more privacy and
security capabilities, the remaining privacy and security certification
criteria may be inapplicable or compliance with them may be technically
infeasible. However, we do not believe it is prudent to presume that
this will always be the case.
Comments. Several commenters asked for clarification of the
circumstances under which the first exception we proposed applied in
relation to a pre-coordinated, integrated bundle of EHR Modules, the
carve out to this exception related to EHR Modules that were ``not be
part of a local system,'' and our use of the term ``end user.''
Response. Overall, the premise behind the first exception is to
omit the general requirement that each individual EHR Module must be
certified to all of the adopted privacy and security criteria. We
believe it would be pragmatic to eliminate this requirement in
situations where several EHR Module developers (e.g., different
vendors) or a single EHR Module developer presents a collection of EHR
Modules as a pre-coordinated, integrated bundle to an ONC-ACB for
[[Page 1293]]
certification. In these circumstances, the pre-coordinated, integrated
bundle of EHR Modules would otherwise meet the definition of and
constitute a Complete EHR. Therefore, consistent with our approach in
the Temporary Certification Program final rule, we clarify that in the
circumstances where a pre-coordinated, integrated bundle of EHR Modules
is presented for certification and one or more of the constituent EHR
Modules is/are demonstrably responsible for providing all of the
privacy and security capabilities for the entire bundle of EHR Modules,
that those other EHR Modules would be exempt from being certified to
the adopted privacy and security certification criteria. To illustrate,
four EHR Module developers each develop one EHR Module (EHR Modules A,
B, C, and D) and form an affiliation. The EHR Module developers present
their EHR Modules for certification as a pre-coordinated, integrated
bundle and identify that EHR Module ``C'' is responsible for providing
the privacy and security capabilities for the rest of the entire bundle
(EHR Modules A, B, and D). In this scenario, EHR Modules A, B, and D
would be exempt from also being certified to the adopted privacy and
security certification criteria.
With respect to the proposed carve out to this exception related to
EHR Modules that would ``not be part of a local system,'' we sought to
limit those circumstances where a group of EHR Module developers could
claim that a collection of EHR Modules was a ``pre-coordinated,
integrated bundle,'' yet it would be technically infeasible for one or
all of the EHR Modules in the collection to be demonstrably responsible
for providing all of the privacy and security capabilities for the rest
of the EHR Modules. We believe this would occur in situations where a
``pre-coordinated, integrated bundle'' of EHR Modules includes one or
more services offered by different EHR Module developers that have been
implemented on different technical architectures or hosted over the
Internet on one or multiple different servers. In this situation we do
not believe that it would be possible for one or more of the EHR
Modules to be demonstrably responsible for providing all of the privacy
and security capabilities for the rest of the EHR Modules. For example,
we do not believe that it is possible, at the present time, for a web-
based EHR Module to offer authentication for another EHR Module that
may be installed on an eligible professional's laptop, nor do we
believe that one or more web-based services could provide an audit log
for actions that took place outside of that service.
We believe that with this additional clarity the explicit mention
of the first exception's carve out is no longer necessary and have
revised the first exception accordingly to include the clarifying
concepts we discuss above. This revision has also resulted in the
removal of the term ``end user,'' which commenters requested we
clarify. We are redesignating proposed Sec. 170.550(c) as Sec.
170.550(e). The entire provision at Sec. 170.550(e), including the
changes from both of our responses above, will read:
EHR Modules shall be certified to all privacy and security
certification criteria adopted by the Secretary unless the EHR
Module(s) is presented for certification in one of the following
manners:
(1) The EHR Modules are presented for certification as a pre-
coordinated, integrated bundle of EHR Modules, which would otherwise
meet the definition of and constitute a Complete EHR, and one or more
of the constituent EHR Modules is demonstrably responsible for
providing all of the privacy and security capabilities for the entire
bundle of EHR Modules; or
(2) An EHR Module is presented for certification, and the presenter
can demonstrate and provide documentation to the ONC-ACB that a privacy
and security certification criterion is inapplicable or that it would
be technically infeasible for the EHR Module to be certified in
accordance with such certification criterion.
We made similar modifications to Sec. 170.450(c) in the Temporary
Certification Program final rule.
We would like to clarify a few points related to pre-coordinated,
integrated bundles of EHR Modules. First, a pre-coordinated, integrated
bundle of EHR Modules will qualify for the exception at Sec.
170.550(e)(1) if, and only if, the bundle would otherwise meet the
definition of and constitute a Complete EHR. In other words, the pre-
coordinated, integrated bundle of EHR Modules must meet, at a minimum,
all of the applicable certification criteria adopted by the Secretary
in subpart C of part 170, even though the bundle and its constituent
EHR Modules would not have been developed as a Complete EHR. For
example, three EHR Modules may be integrated and ``bundled'' together,
but if the bundle does not satisfy all of the applicable certification
criteria that have been adopted, it will not qualify for this specific
exception. In those cases, we would view such a bundle as an EHR Module
that provides multiple capabilities. Second, because a pre-coordinated,
integrated bundle of EHR Modules would otherwise meet the definition of
and constitute a Complete EHR, we expect to list it as a ``Complete
EHR'' and not an ``EHR Module'' on the CHPL, but would provide a
designation noting that it is a pre-coordinated, integrated bundle of
EHR Modules. Based on experience, we may determine that a more
effective method for listing pre-coordinated, integrated bundles of EHR
Modules on the CHPL would be appropriate and will periodically evaluate
if another method would be beneficial. As previously discussed in this
preamble, we expect ONC-ACBs will specifically identify pre-
coordinated, integrated bundles of EHR Modules as part of their
reporting obligations under Sec. 170.523(f). Finally, in case it is
unclear from the context, we clarify that references to EHR Module(s)
in other provisions of Sec. 170.550 are intended to include pre-
coordinated, integrated bundles of EHR Modules.
Comments. A few commenters requested that we clarify whether there
could be specific privacy and security-focused EHR Modules. That is, in
the context of the definition of EHR Module, whether we intended to
permit EHR Modules to exist that only addressed one or more adopted
privacy and security certification criteria. One commenter asked for
clarification as to whether a specific privacy and security-focused EHR
Module would meet a certification criterion if its purpose was to call
or assign the actual capability required by a certification criterion
to another function or service.
Response. Yes, as we stated in the Temporary Certification Program
final rule, we believe that there could be specific privacy and
security-focused EHR Modules and do not preclude such EHR Modules from
being presented for certification. However, with respect to the second
comment and request for clarification, we believe that an EHR Module
itself must be capable of performing a capability required by an
adopted privacy and security certification criterion and that
delegating the responsibility to another service or function would not
be acceptable. In those cases, there would be no proof that the EHR
Module could actually perform the specific capability, only that it
could direct another service or function to do it.
c. Identification of Certified Status
We proposed in Sec. 170.550(d) to require ONC-ACBs authorized to
certify EHR Modules to clearly indicate the certification criterion or
criteria to which an EHR Module has been certified in the EHR Module's
certification documentation.
[[Page 1294]]
Comments. We received two comments requesting that we standardize
the certification documentation requirements or at least provide clear
guidelines for ``certificate'' design. The commenters were concerned
that if left to the discretion of ONC-ACBs, the resulting certification
``certificates'' could look quite different and result in marketplace
confusion. One commenter recommended that the certification
``certificate,'' which will figure prominently in EHR software vendor
marketing, should be uniform in appearance and depict HHS authority and
assurance.
Response. We agree with the commenters that ``certificate''
documentation should be designed in a way that does not lead to market
confusion. Therefore, we are establishing a new Principle of Proper
Conduct for ONC-ACBs regarding the proper identification of Complete
EHRs and EHR Modules, similar to the new Principle of Proper Conduct
for ONC-ATCBs we finalized in the Temporary Certification Program final
rule. We further discuss the basis for this new Principle of Proper
Conduct for ONC-ACBs under the heading titled ``O. Validity of Complete
EHR and EHR Module Certification and Expiration of Certified Status''
later in this preamble. Consistent with this decision, we are modifying
Sec. 170.550 to remove proposed paragraph (d). This modification will
eliminate any potential redundancy with the new Principle of Proper
Conduct on the proper identification of Complete EHRs and EHR Modules.
3. Other Types of HIT
We proposed in Sec. 170.553 that an ONC-ACB could be authorized to
certify HIT, other than Complete EHRs and/or EHR Modules, in accordance
with the applicable certification criterion or criteria adopted by the
Secretary at subpart C of part 170. In association with this proposed
provision, we invited public comment on the need for additional HIT
certifications, the types of HIT that would be appropriate for
certification, and on any of the potential benefits or challenges
associated with certifying other types of HIT.
Comments. We received numerous comments on our proposal to utilize
the permanent certification program for the certification of other
types of HIT, with commenters overwhelmingly in favor of this proposal.
Commenters also made suggestions of other types of HIT that could be
certified, such as personal health records, health information
organizations, pharmacy and laboratory systems, ancillary clinical
systems including radiology information systems, picture archiving and
communication systems, cardiology systems, vital signs and point-of-
care medical devices, and telehealth and remote patient care solutions.
Conversely, a few commenters did not believe that there was a current
need for the certification of other types of HIT and suggested that we
should first determine whether a private market would develop for the
certification of other types of HIT. A few other commenters suggested
that the permanent certification program should first focus on the
certification of Complete EHRs and EHR Modules and that further
certification of other types of HIT should be done with the intent of
supporting meaningful use efforts.
Response. We appreciate the support for the certification of other
types of HIT under the permanent certification program. Consistent with
our discussion in the Proposed Rule, we maintain that section
3001(c)(5) of the PHSA provides the National Coordinator with the
authority to establish a voluntary certification program or programs
for other types of HIT besides Complete EHRs and EHR Modules. We agree
with the commenters, however, that the initial focus of the permanent
certification program should be on the certification of Complete EHRs
and EHR Modules in support of efforts by eligible professionals and
eligible hospitals who seek to demonstrate meaningful use under the
Medicare and Medicaid EHR Incentive Programs. Moreover, as we stated in
the Proposed Rule, the Secretary must first adopt certification
criteria applicable to other types of HIT before the National
Coordinator could subsequently authorize an ONC-ACB to certify such HIT
under the permanent certification program. In the event that the
Secretary adopts such applicable certification criteria and future
circumstances suggest the need or demand for the certification of other
types of HIT, we will further consider the comments received in
determining how to proceed, including those comments suggesting
specific types of other HIT that would be appropriate for
certification. As previously noted in this preamble, if the scope of
the permanent certification program is eventually expanded to include
other types of HIT, certification would not constitute a replacement or
substitution for other Federal requirements that may be applicable to
those other types of HIT. Consistent with this discussion, we are
finalizing Sec. 170.553 without modification.
J. Certification of ``Minimum Standards''
In the Proposed Rule, we summarized the approach set forth in the
HIT Standards and Certification Criteria interim final rule (75 FR
2014) to treat certain vocabulary code set standards as ``minimum
standards.'' We noted that the establishment of ``minimum standards''
for specific adopted code sets would, in certain circumstances, allow a
Complete EHR and/or EHR Module to be tested and certified to a
permitted newer version of an adopted code set without the need for
additional rulemaking. Additionally, we noted that this approach would
enable Certified EHR Technology to be upgraded to a permitted newer
version of a code set without adversely affecting its certified status.
At the end of this summary, we reiterated a previously identified
limitation of the ``minimum standards'' approach with respect to
significant revisions to adopted code sets. We stated that a newer
version of an adopted ``minimum standard'' code set would be permitted
for use in testing and certification unless it was a significant
revision to a code set that represented a ``modification, rather than
maintenance or a minor update of the code set.'' In those cases, we
reiterated that the Secretary would likely proceed with notice and
comment rulemaking to adopt a significantly revised code set standard.
We proposed two methods through which the Secretary could identify
new versions of adopted ``minimum standard'' code sets. The first
method would allow any member of the general public to notify the
National Coordinator about a new version. Under the second method, the
Secretary would proactively identify newly published versions. After a
new version has been identified, a determination would be issued as to
whether the new version constitutes maintenance efforts or minor
updates to the adopted code set and consequently may be permitted for
use in certification. We proposed, as described in Sec. 170.555, that
once the Secretary has accepted a new version of an adopted ``minimum
standard'' code set that:
(1) Any ONC-ACB may test and certify Complete EHRs and/or EHR
Modules according to the new version;
(2) Certified EHR Technology may be upgraded to comply with the new
version of an adopted minimum standard accepted by the Secretary
without adversely affecting the certification status of the Certified
EHR Technology; and
[[Page 1295]]
(3) ONC-ACBs would not be required to test and certify Complete
EHRs and/or EHR Modules according to the new version until we updated
the incorporation by reference of the adopted version to a newer
version.
Finally, we stated that for either method, we would regularly
publish on a quarterly basis, either by presenting to the HIT Standards
Committee or by posting a notification on our Web site, any Secretarial
determinations that have been made with respect to ``minimum standard''
code sets. We requested public comment on the frequency of publication,
any other approaches we should consider to identify newer versions of
adopted code set standards, and whether both methods described above
should be used.
Comments. Many commenters supported our proposed approaches. These
commenters also encouraged us to pursue both of the proposed approaches
(notification of the National Coordinator by the general public and
proactive identification by the Secretary). Some commenters recommended
that we establish open lines of communication with the organizations
responsible for maintaining identified ``minimum standard'' code sets
in order to facilitate the process of identifying newer versions.
Response. We appreciate the commenters' support for our proposals.
We first note that we inadvertently referenced ``testing'' in proposed
Sec. 170.555. As specified in this final rule, the National
Coordinator will authorize ONC-ACBs to perform certifications and not
testing under the permanent certification program. Therefore, we are
removing references to ``testing'' in Sec. 170.555. Second, based on
the commenters' feedback, we have decided to adopt both of the proposed
approaches for the permanent certification program, as we did for the
temporary certification program. In addition, we expect to work, as
appropriate, with the maintenance organizations for the ``minimum
standard'' code sets, as well as the HIT Standards Committee, to
identify new versions when they become available.
Comments. A few commenters recommended that ONC-ACBs not be
required to use an accepted newer version of a ``minimum standard''
code set for certification. Along those lines, a few other commenters
recommended that there be a delay period between the Secretary's
acceptance of a new version and when it would be required for
certification. One commenter noted that supporting multiple versions of
standards should be avoided and that there would be differences in what
was certified versus what was implemented, while another commenter
noted that even permitting the use of a minor update could affect
interoperability. Some commenters specifically requested clarification
regarding the timeline associated with the Secretary's acceptance of a
newer version and its publication and what requirement there would be
for its inclusion in certification.
Response. We believe that some commenters misunderstood the
implications of the Secretary's acceptance of a newer version of a
``minimum standard'' code set. We therefore clarify that if the
Secretary accepts a newer version of a ``minimum standard'' code set,
nothing is required of ONC-ACBs, Complete EHR or EHR Module developers,
or the eligible professionals and eligible hospitals who have
implemented Certified EHR Technology. We provided similar clarification
for the temporary certification program in the final rule establishing
that program. In the Proposed Rule, we used a three-pronged approach in
order to provide greater flexibility and accommodate industry practice
with respect to code sets that must be maintained and frequently
updated. The first prong would permit, but not require, ONC-ACBs to use
an accepted newer version of a ``minimum standard'' code set to certify
Complete EHRs and/or EHR Modules if the accepted newer version has been
incorporated into a product by a Complete EHR or EHR Module developer.
In these instances, we believe this approach benefits Complete EHR or
EHR Module developers because they would be able to adopt a newer
version of a code set voluntarily and have their Complete EHR or EHR
Module certified according to it, rather than having to use an older
version for certification. The second prong would permit, but not
require, eligible professionals and eligible hospitals who are already
using Certified EHR Technology to receive an upgrade from their
Complete EHR or EHR Module developer or voluntarily upgrade themselves
to an accepted newer version of a ``minimum standard'' code set without
adversely affecting the certification status of their Certified EHR
Technology. Again, we believe this is a benefit to eligible
professionals and eligible hospitals and provides greater flexibility.
The third prong explicitly states that an ONC-ACB would not be required
to use any other version of a ``minimum standard'' code set beyond the
one adopted at 45 CFR 170 subpart B until the Secretary incorporates by
reference a newer version of that code set.
We recognize that a few different versions of adopted ``minimum
standards'' could all be implemented at the same time and before a
subsequent rulemaking potentially changes what constitutes the
``minimum.'' We also understand the point raised by the commenter who
expressed concerns about this approach because it could potentially
create a situation where there could be differences in what was
certified versus what was implemented. Along those lines, we also
appreciate the point made by the commenter that a minor update could
affect interoperability. We acknowledge these concerns and considered
them as part of our analysis in determining whether to adopt minimum
standards and to permit such standards to be exceeded when newer
versions had been made available for use. However, we would like to
make clear that we provide this flexibility on a voluntary basis and
believe that the benefit of accepting newer versions of a ``minimum
standard'' (namely, enabling the HIT industry to keep pace with new
code sets) outweighs any potential or temporary risk to
interoperability.
In light of the discussion above, we do not believe it is necessary
to change any of our proposals, and we hope the additional
clarification above addresses the concerns and questions raised by
commenters. Accordingly, except for removing references to ``testing,''
we are finalizing Sec. 170.555 without modification.
Comments. Some commenters requested that we clarify the process the
Secretary would follow before accepting a newer version of an adopted
``minimum standard'' code set, including specifying the timeframes for
publication.
Response. We expect that after a new version of an adopted
``minimum standard'' code set has been identified (either through the
general public's notification of the National Coordinator or the
Secretary proactively identifying its availability), the National
Coordinator would ask the HIT Standards Committee to assess and solicit
public comment on the new version. We expect that the HIT Standards
Committee would subsequently issue a recommendation to the National
Coordinator which would identify whether the Secretary's acceptance of
the newer version for voluntary implementation and certification would
burden the HIT industry, negatively affect interoperability, or cause
some other
[[Page 1296]]
type of unintended consequence. After considering the recommendation of
the HIT Standards Committee, the National Coordinator would determine
whether or not to seek the Secretary's acceptance of the new version of
the adopted ``minimum standard'' code set. If the Secretary approves
the National Coordinator's request, we would issue guidance on an
appropriate but timely basis indicating that the new version of the
adopted ``minimum standard'' code set has been accepted by the
Secretary.
K. Authorized Certification Methods
We proposed in Sec. 170.557 that, as a primary method, an ONC-ACB
would be required to be capable of certifying Complete EHRs and/or EHR
Modules at its facility. We also proposed that an ONC-ACB would be
required to have the capacity to certify Complete EHRs and/or EHR
Modules through one of the following secondary methods: at the site
where the Complete EHR or EHR Module has been developed; or at the site
where the Complete EHR or EHR Module resides; or remotely (i.e.,
through other means, such as through secure electronic transmissions
and automated web-based tools, or at a location other than the ONC-
ACB's facility).
Comments. We received many comments on our proposal. We received
varying recommendations and proposals, but the majority of commenters
did not agree with certification at an ONC-ACB's facility as the
primary method. Commenters noted that to require eligible professionals
or eligible hospitals with self-developed Complete EHRs to physically
move their Complete EHRs to another location for certification would
not only be burdensome but in many cases impossible. Instead, many
commenters recommended that we require ONC-ACBs to have the capacity to
certify products through all of the secondary methods we proposed. Some
commenters supported secondary methods without preference, while many
commenters recommended that we require ONC-ACBs to offer remote
certification as the primary method because of its efficiency and low
cost to Complete EHR and EHR Module developers. Commenters also noted
that ONC-ACBs could offer other methods, including performing
certification at an ONC-ACB's facility. One commenter recommended that,
as the primary method, ONC-ACBs should be required to support
certification at the Complete EHR or EHR Module developer's site, which
could include a development or deployment site. Another commenter
stated that each method should be considered equal because different
methods may be appropriate for different developers. Some commenters
recommended that we clarify whether we expected Complete EHRs and EHR
Modules to be ``live'' at customer sites before they can be certified.
The commenters asserted that such a prerequisite will significantly
delay the roll out of customer upgrades.
Response. We appreciate the many options and preferences expressed
by the commenters. We believe that in order to adequately and
appropriately address the commenters' concerns, an ONC-ACB must have
the capacity to provide remote certification for both development and
deployment sites. For the purposes of the permanent certification
program, a development site is the physical location where a Complete
EHR, EHR Module or other type of HIT was developed. For the purposes of
the permanent certification program, a deployment site is the physical
location where a Complete EHR, EHR Module or other type of HIT resides
or is being or has been implemented. As discussed in the Proposed Rule,
remote certification would include the use of methods that do not
require the ONC-ACB to be physically present at the development or
deployment site. This could include the use of web-based tools or
secured electronic transmissions. In addition to remote certification,
an ONC-ACB may also offer certification at its facility or at the
physical location of a development or deployment site, but we are not
requiring that an ONC-ACB offer such certification. As indicated by
commenters and our own additional research, the market currently
utilizes predominantly remote methods for the certification of HIT. On-
site certification was cited as costly and inefficient. Therefore,
consistent with our requirements of ONC-ATCBs under the temporary
certification program, we are not requiring ONC-ACBs to offer such
certification, but anticipate that some ONC-ACBs will offer on-site
certification if there is a market demand. In response to those
commenters who requested clarification regarding ``live''
certification, we want to make clear that we do not believe that a
Complete EHR, EHR Module or other type of HIT must be ``live at a
customer's site'' in order to qualify for certification by an ONC-ACB.
As stated above, a Complete EHR, EHR Module or other type of HIT could
be certified at the development site of a developer of Complete EHRs,
EHR Modules or other types of HIT. Consistent with this discussion, we
are revising Sec. 170.557 to require an ONC-ACB to provide remote
certification for both development and deployment sites and have
included the definitions of ``development site,'' ``deployment site,''
and ``remote certification'' in Sec. 170.502.
L. Good Standing as an ONC-ACB, Revocation of ONC-ACB Status, and
Effect of Revocation on Certifications Issued by a Former ONC-ACB
We proposed requirements that ONC-ACBs would need to meet in order
to maintain good standing under the permanent certification program,
the processes for revoking an ONC-ACB's status for failure to remain in
good standing, the effects that revocation would have on a former ONC-
ACB, and the potential effects that revocation could have on
certifications issued by a former ONC-ACB.
1. Good Standing as an ONC-ACB
We proposed in Sec. 170.560 that, in order to maintain good
standing, an ONC-ACB would be required to adhere to the Principles of
Proper Conduct for ONC-ACBs; refrain from engaging in other types of
inappropriate behavior, including misrepresenting the scope of its
authorization or certifying Complete EHRs and/or EHR Modules for which
it was not given authorization; and follow all applicable Federal and
State laws.
Comments. Commenters expressed appreciation for our proposed
standards of conduct for ONC-ACBs. One commenter encouraged us to
evaluate compliance with the Principles of Proper Conduct on an ongoing
basis and at the time for ``re-authorization,'' particularly if either
a Type-1 or Type-2 violation had occurred.
Response. We believe that our proposed Principles of Proper Conduct
for ONC-ACBs are essential to maintaining the integrity of the
permanent certification program, as well as ensuring public confidence
in the program and the Complete EHRs, EHR Modules, and other types of
HIT that may be certified under the program. We intend to monitor
compliance with the Principles of Proper Conduct for ONC-ACBs on an
ongoing basis by, among other means, ensuring that ONC-ACBs are
attending all mandatory ONC training. It is also expected that ONC-ACBs
will maintain relevant documentation of their compliance with the
Principles of Proper Conduct for ONC-ACBs because such documentation
would be necessary, for instance, to rebut a notice of noncompliance
with the Principles of Proper Conduct issued by the National
Coordinator under Sec. 170.565. At the time of renewal, an ONC-ACB
will be assessed based on the updated
[[Page 1297]]
application it provides in accordance with Sec. 170.540, which would
entail reviewing an ONC-ACB's current accreditation and adherence to
the Principles of Proper Conduct. Accordingly, we are finalizing Sec.
170.560 without modification.
2. Revocation of ONC-ACB Status
We proposed in Sec. 170.565 that the National Coordinator could
revoke an ONC-ACB's status if it committed a Type-1 violation or if it
failed to timely or adequately correct a Type-2 violation. We defined
Type-1 violations to include violations of law or permanent
certification program policies that threaten or significantly undermine
the integrity of the permanent certification program. These violations
include, but are not limited to: false, fraudulent, or abusive
activities that affect the permanent certification program, a program
administered by HHS or any program administered by the Federal
government.
We defined Type-2 violations as noncompliance with Sec. 170.560,
which would include without limitation, failure to adhere to the
Principles of Proper Conduct for ONC-ACBs, engaging in other types of
inappropriate behavior, or failing to follow other applicable laws. We
proposed that if the National Coordinator were to obtain reliable
evidence that an ONC-ACB may no longer be in compliance with Sec.
170.560, the National Coordinator would issue a noncompliance
notification. We proposed that an ONC-ACB would have 30 days from
receipt of a noncompliance notification to submit a written response
and accompanying documentation that demonstrates that no violation
occurred or that the alleged violation had been corrected. We further
proposed that the National Coordinator would have up to 30 days from
the time the response is received to evaluate the response and
determine whether a violation had occurred and whether it had been
adequately corrected.
We proposed that the National Coordinator could propose to revoke
an ONC-ACB's status if the ONC-ACB committed a Type-1 violation. We
proposed that the National Coordinator could propose to revoke an ONC-
ACB's status if, after an ONC-ACB has been notified of a Type-2
violation, the ONC-ACB fails to rebut an alleged Type-2 violation with
sufficient evidence showing that the violation did not occur or that
the violation had been corrected, or if the ONC-ACB did not submit a
written response to a Type-2 noncompliance notification within the
specified timeframe. We proposed that an ONC-ACB would have up to 10
days from receipt of the proposed revocation notice to submit a written
response explaining why its status should not be revoked. We proposed
that the National Coordinator would have up to 30 days from the time
the response is received to review the information submitted by the
ONC-ACB and reach a decision. We further proposed that an ONC-ACB would
be able to continue its operations under the permanent certification
program during the time periods provided for the ONC-ACB to respond to
a proposed revocation notice and the National Coordinator to review the
response.
We proposed that if the National Coordinator determined that an
ONC-ACB's status should not be revoked, the National Coordinator would
notify the ONC-ACB's authorized representative in writing of the
determination. We also proposed that the National Coordinator could
revoke an ONC-ACB's status if it is determined that revocation is
appropriate after considering the ONC-ACB's response to the proposed
revocation notice or if the ONC-ACB did not respond to a proposed
revocation notice within the specified timeframe. We further proposed
that a decision to revoke an ONC-ACB's status would be final and not
subject to further review unless the National Coordinator chose to
reconsider the revocation.
We proposed that a revocation would be effective as soon as the
ONC-ACB received the revocation notice. We proposed that a
certification body that had its ONC-ACB status revoked would be
prohibited from accepting new requests for certification and would be
required to cease its current certification operations under the
permanent certification program. We further proposed that if a
certification body had its ONC-ACB status revoked for a Type-1
violation, it would be prohibited from reapplying for ONC-ACB status
under the permanent certification program for one year.
We proposed that failure to promptly refund any and all fees for
uncompleted certifications of Complete EHRs and EHR Modules after the
revocation of ONC-ACB status would be considered a violation of the
Principles of Proper Conduct for ONC-ACBs. We proposed that the
National Coordinator would consider such violations in the event that a
certification body reapplied for ONC-ACB status under the permanent
certification program.
In association with these proposals, we specifically requested that
the public comment on three additional proposals. First, we requested
that the public comment on whether the National Coordinator should
consider proposing the revocation of an ONC-ACB's status for repeatedly
committing Type-2 violations even if the ONC-ACB adequately corrected
the violations each time. In conjunction with this request, we asked
how many corrected Type-2 violations would be sufficient for proposing
revocation of an ONC-ACB and to what extent the frequency of these
violations should be a consideration. Second, we requested that the
public comment on whether the proposed 1-year bar on reapplying for
ONC-ACB status imposed on a revoked certification body should be
shortened or lengthened and whether alternative sanctions should be
considered. In addition we noted that, depending on the type of
violation that led to the former ONC-ACBs status being revoked, it was
possible that the former ONC-ACB would also lose its accreditation.
Third, we requested that the public comment on whether the National
Coordinator should also include a process to suspend an ONC-ACB's
status.
Comments. We received general support for our proposed revocation
process with commenters encouraging us to take a stringent position
regarding Type-1 and Type-2 violations out of concern that a lack of
confidence in the qualifications or integrity of an ONC-ACB could
seriously undermine the permanent certification program's objectives.
Commenters requested that developers of HIT and eligible professionals
and eligible hospitals be notified if an ONC-ACB is suspended, the
National Coordinator proposes to revoke an ONC-ACB's status, and/or an
ONC-ACB's status is revoked.
A commenter recommended that there not be a ``broad'' categorical
Type-1 violation bar on reapplying for ONC-ACBs that had their status
revoked. A few commenters suggested a shorter bar on reapplying could
be possible if the organization demonstrated good faith and timely
addressed the reasons for revocation, while other commenters supported
the proposed 1-year bar or extending the bar to at least three years.
Commenters recommending a longer bar on reapplying reasoned that a
longer bar would be a stronger deterrent and provide sufficient time
for a certification body to ``re-organize'' itself. These commenters
also recommended that a ``re-authorized'' former ONC-ACB serve a
probationary period. A commenter recommended that an ONC-ACB should
have its accreditation permanently revoked if it commits three Type-1
violations. The commenter also noted that it was unlikely that the
market
[[Page 1298]]
would support an ONC-ACB that committed repeated violations.
We received a few comments on whether we should revoke an ONC-ACB's
status for committing multiple Type-2 violations even if the violations
were corrected. A couple of commenters suggested that an ONC-ACB should
have its status revoked for committing multiple violations. One
commenter recommended that the National Coordinator retain the
discretion to review and judge each situation as opposed to setting a
certain threshold for automatic revocation.
We received multiple comments on our proposed alternative of a
suspension process with all of the commenters suggesting that there
could be value in a suspension process. One commenter stated that our
goal should be first and foremost to protect the needs of product
purchasers and patients. Commenters stated that suspension could be
warranted in lieu of proposing revocation and/or during the period
between a proposed revocation and a final decision on revocation. Some
commenters recommended that an ONC-ACB be allowed to continue
operations during a suspension or be provided ``due process'' rights
before being suspended, while other commenters suggested that allowing
an ONC-ACB to continue during instances where an investigation is
ongoing and violations are being resolved could jeopardize the
industry's confidence level in the certification process. One commenter
suggested that an ONC-ACB be allowed to continue operations unless the
alleged violation would or could adversely impact patient safety and/or
quality of care. Some commenters also requested that the fees paid by a
Complete EHR and/or EHR Module developer for certification be refunded
if the ONC-ACB is suspended.
Response. We believe that Type-1 violations as described are not
too ``broad'' in that they must also ``threaten or significantly
undermine the integrity of the permanent certification program.'' As
noted in the Proposed Rule, we believe such a violation could
significantly undermine the public's faith in our permanent
certification program. Therefore, we believe that revocation and
barring a former ONC-ACB from reapplying for ONC-ACB status is an
appropriate remedy. In reaching any conclusion to revoke an ONC-ACB's
status, we believe that we have provided appropriate due process (i.e.,
an appropriate appeals process).
We noted in the Temporary Certification Program final rule that we
believed a 1-year bar on reapplying for ONC-ACB status was appropriate
for the temporary certification program, but we would reconsider the
appropriate length of the bar and whether a probationary period would
be appropriate for the permanent certification program. Having
considered these issues in the context of the permanent certification
program, we continue to believe that a 1-year bar on reapplying is
appropriate and have adopted this position for the permanent
certification program. We believe that the l-year bar on reapplying
will allow the former ONC-ACB a sufficient amount of time to address
the reasons for the Type-1 violation before reapplying. In addition,
when assessing a former ONC-ACB's application for ``reinstatement,'' we
will be able to determine if the applicant is accredited by the ONC-AA.
The accreditation process, itself, will be managed by the ONC-AA in
accordance with ISO 17011. The ONC-AA will be responsible for
determining appropriate sanctions for non-conformance with
accreditation requirements in accordance with ISO 17011 and its
accreditation program. However, considering accreditation is a
requirement to become an ONC-ACB, we believe that accreditation will be
another means of ensuring that a former ONC-ACB has fully addressed the
reasons for revocation and, therefore, do not believe that a
``probationary period'' will be necessary. Once ``re-authorized,'' an
ONC-ACB will be subject to the same requirements for maintaining its
status and consequences for not adhering to those requirements.
We do not believe that it is appropriate to initiate revocation
proceedings against an ONC-ACB for any amount of corrected Type-2
violations under the permanent certification program. We did not
originally propose to initiate revocation proceedings for multiple
corrected Type-2 violations, but requested public comment on the
possibility. Commenters appeared to agree that initiating revocation
proceedings against an ONC-ACB for committing multiple Type-2
violations, even if corrected, was an acceptable proposition under
certain conditions. While we agree that committing multiple Type-2
violations, even if corrected, is cause for concern, it would be
difficult to establish a sufficiently objective and equitable standard
for initiating revocation proceedings on that basis against an ONC-ACB.
As evidenced by the comments, it is difficult to determine the
appropriate number of corrected Type-2 violations that would lead to
revocation proceedings. An ONC-ACB could commit and correct two Type-2
violations involving a missed training or a timely update to ONC on a
key personnel change. In such a situation, we do not believe that
automatically initiating revocation proceedings would be warranted. We
also do not believe it would be appropriate to adopt the one
commenter's recommendation to allow the National Coordinator to use
discretion to address such instances. This would not give an ONC-ACB
sufficient notice of what Type-2 violation, even if corrected, could
lead to revocation proceedings nor an indication of the amount or
frequency of the violations that could lead to revocation proceedings.
Therefore, we believe that an ONC-ACB should remain in good standing if
it sufficiently corrects a Type-2 violation, no matter how many times
an ONC-ACB commits a Type-2 violation. Violations will be a matter of
public record that, as noted by a commenter, may influence Complete
EHR, EHR Module and HIT developers' decisions on which ONC-ACB to
select for the certification of their Complete EHRs, EHR Modules and/or
other types of HIT.
We agree with the commenters that suspension could be an effective
way to protect purchasers of certified products and ensure patient
health and safety. As a result, we agree with the commenter and believe
that the National Coordinator should have the ability to suspend an
ONC-ACB's operations under the permanent certification program when
there is reliable evidence indicating that the ONC-ACB committed a
Type-1 or Type-2 violation and that the continued certification of
Complete EHRs, EHR Modules and/or other types of HIT could have an
adverse impact on patient health or safety. As mentioned in the
Proposed Rule, the National Coordinator's process for obtaining
reliable evidence would involve one or more of the following methods:
fact-gathering; requesting information from an ONC-ACB; contacting an
ONC-ACB's customers; witnessing an ONC-ACB perform certification; and/
or reviewing substantiated complaints.
Due to the disruption a suspension may cause for an ONC-ACB, and
more so for the market, we believe that suspension is appropriate in
only the limited circumstances described above and have revised Sec.
170.565 to provide the National Coordinator with the discretion to
suspend an ONC-ACB's operations accordingly. An ONC-ACB would first be
issued a notice of proposed suspension. Upon receipt of a notice of
proposed suspension, an ONC-ACB will be permitted up to 3
[[Page 1299]]
days to submit a written response to the National Coordinator
explaining why its operations should not be suspended. The National
Coordinator will be permitted up to 5 days to review the ONC-ACB's
response and issue a determination. In the determination, the National
Coordinator will either rescind the proposed suspension, suspend the
ONC-ACB's operations until it has adequately corrected a Type-2
violation, or propose revocation in accordance with Sec. 170.565(c)
and suspend the ONC-ACB's operations for the duration of the revocation
process. The National Coordinator may also make any one of the above
determinations if an ONC-ACB fails to submit a timely response to a
notice of proposed suspension. A suspension will become effective upon
an ONC-ACB's receipt of a notice of suspension. We believe that this
process addresses both the commenters' concerns about due process and
about maintaining the industry's confidence in the permanent
certification program by not allowing an ONC-ACB to continue operations
while an investigation is ongoing and/or violations are being resolved
related to patient health or safety.
We are designating the new suspension provision as paragraph (d) of
Sec. 170.565. Proposed paragraphs (d) through (g) are being
redesignated as paragraphs (e) through (h), respectively. As discussed
in a previous section of this preamble, we are revising Sec.
170.523(j) to clarify that an ONC-ACB would have to refund any fees
paid by a Complete EHR or EHR Module developer that seeks to withdraw a
request for testing and certification while an ONC-ACB is suspended.
We intend to provide public notification via our Web site and list
serve if an ONC-ACB is suspended, issued a notice proposing its
revocation, and/or has its status revoked. We also note that we are
revising Sec. 170.565(c)(1) to state that ``[t]he National Coordinator
may propose to revoke an ONC-ACB's status if the National Coordinator
has reliable evidence that the ONC-ACB committed a Type-1 violation.''
The term ``reliable'' was inadvertently left out of the provision in
the Proposed Rule.
3. Effect of Revocation on Certifications Issued by a Former ONC-ACB
We proposed in Sec. 170.570 to allow the certified status of
Complete EHRs and/or EHR Modules certified by an ONC-ACB that
subsequently had its status revoked to remain intact unless a Type-1
violation was committed that called into question the legitimacy of the
certifications issued by the former ONC-ACB. In such circumstances, we
proposed that the National Coordinator would review the facts
surrounding the revocation of the ONC-ACB's status and publish a notice
on ONC's Web site if the National Coordinator believed that Complete
EHRs and/or EHR Modules were fraudulently certified by a former ONC-ACB
and the certification process itself failed to comply with regulatory
requirements. We further proposed that if the National Coordinator
determined that Complete EHRs and/or EHR Modules were improperly
certified, the ``certified status'' of affected Complete EHRs and/or
EHR Modules would remain intact for 120 days after the National
Coordinator published the notice. We specifically requested that the
public comment on our proposed approach and the timeframe for re-
certification.
Comments. Multiple commenters expressed agreement and understanding
with the need to protect the integrity of the permanent certification
program by ensuring the legitimacy of certifications issued by a former
ONC-ACB and requiring recertification of Complete EHRs and/or EHR
Modules where it is found that they were improperly certified. Many
commenters stated, however, that we should only require recertification
of the affected areas and elements and/or determine whether an
improperly certified product negatively and substantially affected the
performance of a Complete EHR or EHR Module in achieving a meaningful
use objective before requiring recertification. Other commenters stated
that ``good faith'' eligible professionals and eligible hospitals who
can demonstrate meaningful use with a previously certified Complete EHR
or EHR Module should continue to qualify for payments under the
Medicare and Medicaid EHR Incentive Programs. Commenters further stated
that providers should be allowed to wait and replace the previously
certified product when new certification criteria have been finalized
for the affected meaningful use criteria, or when their own strategic
and technical requirements necessitate an upgrade, whichever comes
first. Some commenters contended that the only overriding factor that
should require recertification is if there is a demonstrable risk to
patient safety from the use of improperly certified Complete EHRs and/
or EHR Modules.
A few commenters expressed concerns about the potential negative
financial impact recertification would have on Complete EHR and EHR
Module developers, eligible professionals and eligible hospitals as
well as the potential for legal liability related to eligible
professionals and eligible hospitals making attestations to Federal and
State agencies that they are using Certified EHR Technology.
Some commenters agreed with our 120-day proposal, while many
commenters recommended 6, 9, 12, and 18-month ``grace periods'' for
improperly certified Complete EHRs and/or EHR Modules. One commenter
recommended an extension of the 120-day grace period if there were less
than 6 ONC-ACBs at the time of decertification, which is the number of
ONC-ACBs we estimate will exist under the permanent certification
program.
Response. In instances where the National Coordinator determines
that Complete EHRs and/or EHR Modules were improperly certified, we
believe that recertification is necessary to maintain the integrity of
the permanent certification program and to ensure the efficacy and
safety of certified Complete EHRs and EHR Modules. By requiring
recertification, eligible professionals and eligible hospitals as well
as Complete EHR and EHR Module developers can have confidence in the
permanent certification program and, more importantly, in the Complete
EHRs and EHR Modules that are certified under the program. As we stated
in the Proposed Rule, we believe it would be an extremely rare
occurrence for an ONC-ACB to have its status revoked and for the
National Coordinator to determine that Complete EHRs and/or EHR Modules
were improperly certified. If such events were to occur, the regulatory
provisions enable the National Coordinator to focus recertification on
specific Complete EHRs and/or EHR Modules that were improperly
certified in lieu of requiring recertification of all Complete EHRs and
EHR Modules certified by the former ONC-ACB.
In this regard, the National Coordinator has a statutory
responsibility to ensure that Complete EHRs and EHR Modules certified
under the permanent certification program are in compliance with the
applicable certification criteria adopted by the Secretary. We do not
believe that the alternatives suggested by the commenters, such as
whether a ``good faith'' eligible professional or eligible hospital can
demonstrate meaningful use with a previously certified Complete EHR or
EHR Module, would enable the National Coordinator to fulfill this
statutory responsibility. Consequently, if the National Coordinator
determines that a Complete EHR or EHR Module was improperly certified,
then recertification by an ONC-ACB is the
[[Page 1300]]
only means by which to ensure that the Complete EHR or EHR Module
satisfies the certification criteria. Moreover, an attestation by a
Complete EHR or EHR Module developer and/or user of a Complete EHR or
EHR Module would not be an acceptable alternative to recertification
because the National Coordinator could not sufficiently confirm that
all applicable certification criteria are met.
We appreciate the concerns expressed by commenters related to the
potential financial burden of recertification, the potential legal
liability for eligible professionals and eligible hospitals attesting
to the use of Certified EHR Technology, and the perceived insufficient
amount of time to have a Complete EHR and/or EHR Module recertified. We
believe, however, that some of these concerns may be unfounded. Any
decertification of a Complete EHR or EHR Module will be made widely
known to the public by ONC through publication on our Web site and list
serve, which we believe will help eligible professionals and/or
eligible hospitals identify whether the certified status of their
Certified EHR Technology is still valid. We also believe that
programmatic steps, such as identifying ONC-ACB(s) that could be used
for recertification, could be taken to assist Complete EHR and/or EHR
Module developers with achieving timely and cost effective
recertifications. Most importantly, in the rare circumstance that
recertification is required, we believe that the need to protect the
public from potentially unsafe Complete EHRs and/or EHR Modules
outweighs the concerns expressed by the commenters. Accordingly, we are
finalizing Sec. 170.570 without modification.
M. Dual-Accredited Testing and Certification Bodies
In the Proposed Rule, we explained that the authorization given to
ONC-ACBs by the National Coordinator would be valid only for performing
certifications under the permanent certification program. We noted that
this limitation was not intended to preclude an organization from also
performing testing. In fact, we clarified that in order for a single
organization (which may include subsidiaries or components) to perform
both testing and certification under the permanent certification
program it would need to be: 1) accredited by an ONC-AA and
subsequently become an ONC-ACB; and 2) accredited under the NVLAP. We
requested public comment on whether we should give organizations who
are ``dual accredited'' and also become an ONC-ACB a special
designation to indicate to the public that such an organization would
be capable of performing both testing and certification under the
permanent certification program.
Comments. We received a few comments expressing support for the
concept of allowing organizations to conduct both testing and
certification under the permanent certification program and giving a
special designation to such organizations. Commenters stated that it
would be convenient and efficient for Complete EHR and EHR Module
developers if organizations are permitted to conduct both testing and
certification. A commenter also noted that a special designation would
provide clarity for the market.
Response. We agree with the commenters that organizations that are
accredited and authorized to perform both testing and certification
under the permanent certification program may be able to offer
convenience and efficiencies as well as other benefits to HIT
developers. We do note, however, that these types of organizations must
adhere to the respective requirements of their accreditations. For
instance, under the permanent certification program, ONC-ACBs must
maintain their accreditation, which requires them to conform to Guide
65 at a minimum. Several different sections of Guide 65 require
certification bodies to maintain impartiality in their organizational
structure and practices. The impartiality requirement will safeguard
against the risk that the certification component of an organization
will be improperly influenced to certify HIT that has been tested by
the testing component of that same organization.
We also agree with the commenters that a unique designation for
organizations that are both ONC-ACBs and NVLAP-accredited testing labs
is appropriate and will provide clarity to the market. We will indicate
on our Web site those organizations that are both ONC-ACBs and NVLAP-
accredited testing labs. We also suspect that such an organization will
publicize its status as an ONC-ACB and NVLAP-accredited testing lab in
an effort to increase market share.
N. Concept of ``Self-Developed''
In the Proposed Rule, we interpreted the HIT Policy Committee's use
of the word ``self-developed'' to mean a Complete EHR or EHR Module
that has been designed, modified, or created by, or under contract for,
a person or entity that will assume the total costs for its testing and
certification and will be a primary user of the Complete EHR or EHR
Module. We noted that self-developed Complete EHRs and EHR Modules
could include brand new Complete EHRs or EHR Modules developed by a
health care provider or their contractor. We further noted that ``self-
developed'' could also include a previously purchased Complete EHR or
EHR Module that is subsequently modified by the health care provider or
their contractor and where such modifications are made to capabilities
addressed by certification criteria adopted by the Secretary. We
specifically stated that we would limit the scope of ``modification''
to only those capabilities for which the Secretary has adopted
certification criteria because other capabilities (e.g., a different
graphical user interface (GUI)) would not affect the underlying
capabilities a Complete EHR or EHR Module would need to include in
order to be tested and certified. Accordingly, we stated that we would
only refer to the Complete EHR or EHR Module as ``self-developed'' if
the health care provider paid the total costs to have the Complete EHR
or EHR Module tested and certified.
Comments. Multiple hospitals and hospital associations requested
that we clarify the definition of ``self-developed'' to include an
indication of the extent to which modifications may be made to
previously certified Complete EHRs or EHR Modules without requiring a
Complete EHR or EHR Module to be certified as ``self-developed.'' The
commenters noted that we have clearly stated that eligible
professionals and eligible hospitals bear full responsibility for
making certified EHR Modules work together. Therefore, the commenters
contended that providers must be permitted to make necessary
modifications to certified EHR Modules in order to fulfill that
responsibility. The commenters stated that often there is a need for
custom configurations or settings within the parameters of certified
EHRs, including modifications that may be necessary to ensure that the
EHR works properly when implemented within an organization's entire HIT
environment. The commenters further stated that such modifications may
affect, or even enhance, the capabilities addressed by the
certification criteria by providing additional and specific decision-
support functions or allowing for additional quality improvement
activities. The commenters asserted that as long as the Complete EHR or
EHR Module can still perform the function(s) for which it was
originally certified, such modifications should not trigger a
[[Page 1301]]
requirement for the Complete EHR or EHR Module to be certified as self-
developed, even if the changes affect the capabilities addressed by the
certification criteria.
The commenters stated that clarity was needed due to the
substantial resources that will be required for certification of self-
developed systems. In addition, commenters stated that, for legal
compliance purposes, clarity will enable providers to be confident in
the attestations they submit to Federal and State agencies regarding
the certification status of the EHR technology they use.
Response. As we stated in the Temporary Certification Program final
rule, we understand the unique needs and requirements of eligible
professionals and eligible hospitals with respect to the successful
implementation and integration of HIT into operational environments. We
provided a description of the term ``self-developed'' in the Proposed
Rule's preamble for two main reasons. First, in order to provide
greater clarity for stakeholders regarding who would be responsible for
the costs associated with certification, and second, to clearly
differentiate in our regulatory impact analysis those Complete EHRs and
EHR Modules that would be certified once and most likely sold to many
eligible professionals and eligible hospitals from those that would be
certified once and used primarily by the person or entity who paid for
the testing and certification. We believe that many commenters were not
concerned about the fact that brand new, ``built from scratch'' self-
developed Complete EHRs and EHR Modules would need to be certified.
Rather, it appeared that commenters were concerned about whether any
modification to a Complete EHR or EHR Module that had been certified
already, including those modifications that would be enhancements or
required to integrate several EHR Modules, would compromise the
technology's certification or certifications and consequently require
the eligible professional or eligible hospital to seek a new
certification because the EHR technology would be considered self-
developed. We believe this concern stems from the following statement
we made in the preamble of the Proposed Rule:
``Self-developed Complete EHRs and EHR Modules could include
brand new Complete EHRs or EHR Modules developed by a health care
provider or their contractor. It could also include a previously
purchased Complete EHR or EHR Module which is subsequently modified
by the health care provider or their contractor and where such
modifications are made to capabilities addressed by certification
criteria adopted by the Secretary. We limit the scope of
``modification'' to only those capabilities for which the Secretary
has adopted certification criteria because other capabilities (e.g.,
a different graphical user interface (GUI)) would not affect the
underlying capabilities a Complete EHR or EHR Module would need to
include in order to be tested and certified.''
In response to these concerns, we offer further clarification of
the intent of our statements. We agree with commenters that not every
modification would or should require a previously certified Complete
EHR or EHR Module to be certified again as self-developed. We provided
an example in the Proposed Rule, quoted above, regarding modifications
that would not affect any of the capabilities addressed by the
certification criteria adopted by the Secretary. In the Temporary
Certification Program final rule, we acknowledged that a certified
Complete EHR or EHR Module may not automatically meet a health care
provider's needs when it is implemented in an operational environment.
We also cautioned eligible professionals and eligible hospitals in the
HIT Standards and Certification Criteria interim final rule that, if
they choose to use EHR Modules to meet the definition of Certified EHR
Technology, they alone would be responsible for properly configuring
multiple EHR Modules in order to make them work together. Given that
many of the certification criteria adopted by the Secretary express
minimum capabilities, which may be added to or enhanced by eligible
professionals and eligible hospitals to meet their health care delivery
needs (e.g., multiple rules could be added to the clinical decision
support capability), we believe it is unrealistic to expect that the
capabilities included within adopted certification criteria applicable
to a Complete EHR or EHR Module will not be modified in some cases. As
a result, we believe it is possible for an eligible professional or
eligible hospital to modify a Complete EHR or EHR Module's capabilities
for which certification criteria have been adopted without compromising
the Complete EHR or EHR Module's certification. Stated differently, an
eligible professional or eligible hospital's modifications to a
certified Complete EHR or EHR Module would not automatically make the
Complete EHR or EHR Module ``self-developed'' and consequently require
the eligible professional or eligible hospital to obtain a new
certification for the modified product. While we cannot review or
address in this final rule every potential modification to determine
whether it could possibly compromise a Complete EHR or EHR Module's
certification, we strongly urge eligible professionals and eligible
hospitals to consider the following. Certification is meant to provide
assurance that a Complete EHR or EHR Module will perform according to
the certification criteria to which it was tested and certified. Any
modification to a Complete EHR or EHR Module after it has been
certified has the potential to adversely affect the capabilities for
which certification criteria have been adopted such that the Complete
EHR or EHR Module no longer performs as it did when it was tested and
certified, which in turn may compromise an eligible professional or
eligible hospital's ability to achieve meaningful use. If an eligible
professional or eligible hospital wants complete assurance that a
Complete EHR or EHR Module's capabilities for which certification
criteria have been adopted were not adversely affected by modifications
that were made post-certification, they may choose to have the Complete
EHR or EHR Module retested and recertified. Additionally, any post-
certification modifications that adversely affect a Complete EHR or EHR
Module's capabilities for which certification criteria have been
adopted may be identified through surveillance conducted by an ONC-ACB.
O. Validity of Complete EHR and EHR Module Certification and Expiration
of Certified Status
In the Proposed Rule, we discussed the validity of ``certified
status'' of Complete EHRs and EHR Modules, as well as the expiration of
that status as it related to the definition of Certified EHR
Technology. We stated that certification represented ``a snapshot, a
fixed point in time, where it has been confirmed that a Complete EHR or
EHR Module has met all applicable certification criteria adopted by the
Secretary.'' We went on to say that as the Secretary adopts new or
modified certification criteria, the previously adopted set of
certification criteria would no longer constitute all of the applicable
certification criteria to which a Complete EHR or EHR Module would need
to be tested and certified. Thus, we clarified that after the Secretary
has adopted new or modified certification criteria, a previously
certified Complete EHR or EHR Module's certification would no longer be
valid for purposes of meeting the definition of Certified EHR
Technology. In other words, because new or modified certification
criteria had been adopted, previously
[[Page 1302]]
issued certifications would no longer indicate that a Complete EHR or
EHR Module possessed all of the capabilities necessary to support an
eligible professional's or eligible hospital's achievement of
meaningful use. Accordingly, we noted that Complete EHRs and EHR
Modules that had been certified to the previous set of adopted
certification criteria would no longer constitute ``Certified EHR
Technology.''
We also discussed that the planned two-year schedule for updates to
meaningful use objectives and measures and correlated certification
criteria created a natural expiration with respect to the validity of a
previously certified Complete EHR's or EHR Module's certified status
and its continued ability to be used to meet the definition of
Certified EHR Technology. We stated that after the Secretary has
adopted new or modified certification criteria, previously certified
Complete EHRs and EHR Modules must be recertified in order to continue
to qualify as Certified EHR Technology.
With respect to EHR Modules, we noted that there could be
situations where measures associated with a meaningful use objective
may change, but the capability a certified EHR Module would need to
provide would not change. As a result, we stated that it may be
impracticable or unnecessary for the EHR Module to be re-certified.
Therefore, we requested public comment on whether there should be
circumstances where EHR Modules should not have to be re-certified.
We clarified that regardless of the year and meaningful use stage
at which an eligible professional or eligible hospital enters the
Medicare or Medicaid EHR Incentive Programs, the Certified EHR
Technology that would need to be used must include the capabilities
necessary to meet the most current set of certification criteria
adopted by the Secretary at 45 CFR 170 subpart C in order to satisfy
the definition of Certified EHR Technology. Finally, we asked for
public comment on the best way to assist eligible professionals and
eligible hospitals that begin meaningful use in 2013 or 2014 at Stage 1
in identifying Complete EHRs and/or EHR Modules that have been
certified to the most current set of adopted certification criteria and
therefore could be used to meet the definition of Certified EHR
Technology.
Comments. Several commenters disagreed with our position that
Complete EHRs and EHR Modules need to include the capabilities
necessary to meet the most current set of certification criteria
adopted by the Secretary at 45 CFR 170 subpart C in order to satisfy
the definition of Certified EHR Technology. Other commenters agreed and
contended that Certified EHR Technology should always be as up-to-date
and as current as possible. Of those commenters that disagreed, their
concerns focused on two areas: the validity/expiration of certified
status; and the effect on eligible professionals and eligible hospitals
who adopt Certified EHR Technology in the year before we anticipate
updating adopted standards, implementation specifications, and
certification criteria for a future stage of meaningful use.
Commenters asserted that some certification criteria were unlikely
to change between meaningful use stages and that a Complete EHR or EHR
Module's certification should remain valid and not expire until the
Secretary has adopted updated certification criteria. These commenters
requested that ONC only make changes to certification criteria on a
cyclical basis and only when necessary for meaningful use or to advance
interoperability.
A number of commenters expressed concerns about our position and
contended that it would require eligible professionals and eligible
hospitals who adopt Certified EHR Technology in 2012 (and attempt
meaningful use Stage 1 in 2012) to upgrade their Certified EHR
Technology twice in two years in order to continue to be eligible for
meaningful use incentives during 2013 when they would still only have
to meet meaningful use Stage 1 (according to the staggered approach for
meaningful use stages that was proposed by CMS). Some of these
commenters viewed this as a penalty and disagreed with our position
that eligible professionals and eligible hospitals should be required
to use Certified EHR Technology that had been certified to the most
recently adopted certification criteria. Additionally, these commenters
stated that it is not in the best interest of eligible professionals
and eligible hospitals to require that they use Certified EHR
Technology that includes more advanced capabilities than are necessary
to qualify for the meaningful use stage that they are attempting to
meet. Finally, one commenter requested that we offer a graphical
depiction to more clearly convey our position.
Response. In the Temporary Certification Program final rule, we
discussed the concept of validity as it relates to the definition of
Certified EHR Technology and the certifications that are issued to
Complete EHRs and EHR Modules. We believe it is necessary to clarify
that discussion in this final rule. We explained that an eligible
professional or eligible hospital cannot assert that a certification
issued to a particular Complete EHR or EHR Module is valid for purposes
of satisfying the definition of Certified EHR Technology if the
certification criteria (including the standards and implementation
specifications referenced by the criteria) that are related to a
particular capability have been modified. In other words, if the
applicable certification criteria have been altered or changed, then an
eligible professional or eligible hospital can no longer represent that
a certified Complete EHR or combination of certified EHR Modules
continues to constitute Certified EHR Technology based on the
certifications that were previously issued.
As mentioned in both the HIT Standards and Certification Criteria
final rule and the Medicare and Medicaid EHR Incentive Programs final
rule, it is anticipated that the requirements for meaningful use will
be adjusted every two years. We expect the Secretary will adopt
certification criteria through rulemaking every two years in
correlation with the changes to the meaningful use requirements. We
also recognize, however, that circumstances may necessitate a deviation
from the expected two-year rulemaking cycle, such as with the interim
final rule published on October 13, 2010 (75 FR 62686) to remove the
previously adopted implementation specifications related to public
health surveillance. Future rulemakings could potentially include the
adoption of new and revised certification criteria in addition to those
already adopted. We consider new certification criteria to be those
that specify capabilities for which the Secretary has not previously
adopted certification criteria. New certification criteria would also
include certification criteria that were previously adopted for
Complete EHRs or EHR Modules designed for a specific setting and are
subsequently adopted for Complete EHRs or EHR Modules designed for a
different setting (for example, if the Secretary previously adopted a
certification criterion at Sec. 170.304 only for Complete EHRs or EHR
Modules designed for an ambulatory setting and then subsequently adopts
that certification criterion at Sec. 170.306 for Complete EHRs or EHR
Modules designed for an inpatient setting). We consider revised
certification criteria to be certification criteria previously adopted
by the Secretary that are modified to add, remove, or otherwise alter
the specified capabilities and/or the standard(s) or implementation
specification(s) referred to by the
[[Page 1303]]
certification criteria. Revised certification criteria would also
include certification criteria that were previously adopted as optional
but are subsequently adopted as mandatory (for example, if the optional
criterion at Sec. 170.302(w) is subsequently adopted as a mandatory
criterion).
Only when eligible professionals or eligible hospitals are in
possession of a Complete EHR or EHR Module that has been certified to
all of the applicable certification criteria, including new and revised
certification criteria, that have been adopted by the Secretary at
subpart C of part 170, will they be able to assert that they possess a
Complete EHR or EHR Module with a certification that would be
considered valid for purposes of satisfying the definition of Certified
EHR Technology. For example, based on our expectation that the
meaningful use requirements will be modified every two years, we
anticipate that the Secretary will adopt certification criteria during
2012 for the 2013 and 2014 payment years of the Medicare and Medicaid
EHR Incentive Programs (referenced in Table 1 below). A Complete EHR
that was previously certified in 2010 to the certification criteria
adopted for the 2011 and 2012 payment years must be certified again as
compliant with all of the applicable certification criteria adopted for
the 2013 and 2014 payment years in order for that Complete EHR to
continue to meet the definition of Certified EHR Technology. As we
discuss in the next section of this preamble (P. Differential or Gap
Certification), the permanent certification program will include the
option of ``gap certification'' in an effort to provide a more
efficient and streamlined process for the certification of previously
certified Complete EHRs and EHR Modules.
We explained in the HIT Standards and Certification Criteria final
rule that additional flexibility and specificity can be introduced into
future cycles of rulemaking through the adoption and designation of
``optional'' standards, implementation specifications, and
certification criteria. We acknowledged that these would be voluntary
and would not be required for testing and certifying a Complete EHR or
EHR Module, although they could help to prepare the HIT industry for
future mandatory certification requirements. Thus, in certain
instances, the Secretary may adopt through rulemaking additional
standards and/or implementation specifications that would be referenced
as optional by a previously adopted certification criterion or
criteria, in an effort to provide EHR technology developers more
flexibility with respect to what is permitted to achieve certification
for a Complete EHR or EHR Module. We emphasize that this would not
affect the validity of certifications that were previously issued to
Complete EHRs and EHR Modules. In other words, a previously certified
Complete EHR or EHR Module would not be required to be certified
according to new optional standard(s) or implementation specifications
in order for it to continue to be used to meet the definition of
Certified EHR Technology.
As we stated in the Proposed Rule, if a previously certified
Complete EHR is not tested and certified as compliant with all of the
applicable certification criteria adopted by the Secretary, it would
not lose its certification, but it also would no longer satisfy the
definition of Certified EHR Technology. Many commenters acknowledged
that especially in situations where certification criteria have been
adopted to improve the interoperability of EHR technology,
certification to new and revised certification criteria would be needed
and justified in order to meet the definition of Certified EHR
Technology. With respect to the validity of a Complete EHR or EHR
Module's certification, we ask commenters to consider how they would
expect to meet the requirements of a subsequent stage of meaningful use
without the technical capabilities necessary to do so. A Complete EHR
or EHR Module's certification is only as good as the capabilities that
can be associated with that certification. If the Secretary adopts new
or revised certification criteria, Complete EHRs and likely many EHR
Modules may no longer provide all of the capabilities that would be
necessary to support an eligible professional's or eligible hospital's
attempt to meet the requirements of a particular stage of meaningful
use.
In its final rule, CMS indicated that ``[t]he stages of criteria of
meaningful use and how they are demonstrated are described further in
this final rule and will be updated in subsequent rulemaking to reflect
advances in HIT products and infrastructure. We note that such future
rulemaking might also include updates to the Stage 1 criteria.'' 75 FR
44323 (emphasis added). We believe that the commenters who expressed
concerns and objected to our discussion of the expiration/validity of a
Complete EHR or EHR Module's certified status did not account for the
possibility that the requirements for an eligible professional or
eligible hospital to meet meaningful use Stage 1 in 2013 or 2014 could
be different and possibly more demanding than they were for meaningful
use Stage 1 in 2012. Contrary to some commenters' assumptions and
consistent with the statement by CMS quoted above, it is possible that
in a subsequent rulemaking to establish the objectives and measures for
meaningful use Stage 2, CMS could change what is required to
successfully demonstrate meaningful use Stage 1 in 2013. Consequently,
such changes could include additional requirements that are based on
advances in HIT and go beyond the requirements that have been finalized
by CMS for meaningful use Stage 1 in 2011 and 2012. Therefore, an
eligible professional or eligible hospital who demonstrates meaningful
use for the first time in 2012 may potentially need Certified EHR
Technology with new or additional capabilities in order to satisfy the
meaningful use Stage 1 requirements in 2013.
Because the HITECH Act requires eligible professionals and eligible
hospitals to use Certified EHR Technology in order to qualify for
incentive payments under the Medicare and Medicaid EHR Incentive
Programs, we reaffirm our position expressed in the Proposed Rule.
Regardless of the year and meaningful use stage at which eligible
professionals or eligible hospitals enter the Medicare or Medicaid EHR
Incentive Programs, they must use Certified EHR Technology that has
been certified to all of the applicable certification criteria adopted
by the Secretary at subpart C of part 170, which includes new and
revised certification criteria that have been adopted since their EHR
technology was previously certified. We believe this position takes
into account the best interests of eligible professionals and eligible
hospitals because those who implement EHR technology that meets the
definition of Certified EHR Technology will have the assurance that
their EHR technology includes the requisite capabilities to support
their attempts to demonstrate meaningful use. Moreover, our position
ensures that all Certified EHR Technology will have been tested and
certified to the same standards and implementation specifications and
provide the same level of interoperability, which would not be the case
if we were to permit different variations of Certified EHR Technology
to exist.
To further address concerns raised by the commenters, we clarify as
we did in the Temporary Certification Program final rule that if the
temporary certification program sunsets on December 31, 2011, and the
permanent certification program is fully constituted at the start of
2012, Complete EHRs and
[[Page 1304]]
EHR Modules that were previously certified by ONC-ATCBs to the
certification criteria adopted by the Secretary for the 2011/2012
payment years will not need to be recertified as having met the
certification criteria for those years. In other words, the fact that
the permanent certification program has replaced the temporary
certification program will not automatically render certifications that
were issued by ONC-ATCBs pursuant to the certification criteria adopted
for the 2011/2012 payment years invalid for the purpose of meeting the
definition of Certified EHR Technology. However, once the permanent
certification program is fully constituted and after the Secretary has
adopted new or revised certification criteria (which we expect will
occur in 2012, based on the two-year rulemaking cycle), Complete EHRs
and EHR Modules that were previously certified under the temporary
certification program by ONC-ATCBs must be certified by an ONC-ACB.
We provide the following illustration overlaid on ``Table 1--Stage
of Meaningful Use Criteria by Payment Year'' from the Medicare and
Medicaid EHR Incentive Programs final rule (75 FR 44323) to more
clearly convey the discussion above. This illustration would also be
applicable to the Medicaid program.
---------------------------------------------------------------------------
\2\ If the permanent certification program is fully constituted
and the temporary certification program sunsets on December 31,
2011, all new requests made after that date for certification of
Complete EHRs or EHR Modules to the 2011/2012 certification criteria
will be processed by ONC-ACBs.
Table 1--Stage of Meaningful Use Criteria by Payment Year
----------------------------------------------------------------------------------------------------------------
Payment Year
First Payment Year --------------------------------------------------------------------------------
2011 2012 2013 2014
----------------------------------------------------------------------------------------------------------------
2011........................... Stage 1........... Stage 1........... Stage 2.......... Stage 2.
2012........................... .................. Stage 1........... Stage 1.......... Stage 2.
2013........................... .................. .................. Stage 1.......... Stage 1.
2014........................... .................. .................. ................. Stage 1.
----------------------------------------------------------------------------------------------------------------
Complete EHRs and EHR Modules
certified by ONC-ATCBs or ONC-ACBs
\2\ to all of the applicable
certification criteria adopted for
the 2011 & 2012 payment years meet
the definition of Certified EHR
Technology.
Complete EHRs and EHR Modules
certified by ONC-ACBs to all of the
applicable certification criteria
adopted for the 2013 & 2014 payment
years meet the definition of
Certified EHR Technology.
----------------------------------------------------------------------------------------------------------------
Comments. In response to our question about how to identify those
Complete EHRs and/or EHR Modules that have been certified to the most
current set of adopted certification criteria (and thus would
constitute Certified EHR Technology), several commenters offered
suggestions regarding ``labeling'' conventions for Complete EHRs and
EHR Modules. Overall, commenters indicated that specific ``labeling''
parameters would help clarify whether a Complete EHR or EHR Module's
certification is current. These commenters offered a variety of
suggested techniques, including identifying Complete EHRs and EHR
Modules according to: the applicable meaningful use stage they could be
used for; the month and year they had been certified; and the year
associated with the most current set of adopted standards,
implementation specifications, and certification criteria.
Additionally, in light of the EHR Module ``pre-coordinated, integrated
bundle'' concept we proposed with respect to the certification of EHR
Modules to the adopted privacy and security certification criteria, one
commenter recommended that we assign specific ``labeling'' constraints
to certifications issued to pre-coordinated, integrated bundles of EHR
Modules. Another comment suggested ``labeling'' constraints be assigned
when a Complete EHR or EHR Module had been certified at an eligible
professional or eligible hospital's site (e.g., at the hospital where
the Complete EHR is deployed).
Response. We agree with the commenters who requested more specific
requirements surrounding how a Complete EHR or EHR Module's certified
status should be represented and communicated. We believe more
specificity will assist eligible professionals and eligible hospitals
with their purchasing decisions by helping them to identify those
Complete EHRs and EHR Modules that have a current and valid
certification issued by an ONC-ACB. As previously discussed, the ONC-AA
must verify that ONC-ACBs conform to Guide 65 at a minimum, which
includes in section 14 a requirement that certification bodies (i.e.,
ONC-ACBs) exercise control over the use and display of ``certificates''
and marks of conformity. To ensure consistency in how the certified
status of a Complete EHR or EHR Module is represented and communicated,
and in response to those comments, we are adding a new principle to the
Principles of Proper Conduct for ONC-ACBs at Sec. 170.523(k). We added
a similar new Principle of Proper Conduct for ONC-ATCBs in the
Temporary Certification Program final rule. The new Principle of Proper
Conduct requires ONC-ACBs to ensure adherence to the following
requirements when issuing a certification to Complete EHRs and/or EHR
Modules:
(1) A Complete EHR or EHR Module developer must conspicuously
include the following on its Web site and in all marketing materials,
communications statements, and other assertions related to the Complete
EHR or EHR Module's certification:
(i) ``This [Complete EHR or EHR Module] is 20[XX]/20[XX] compliant
and has been certified by an ONC-ACB in accordance with the applicable
certification criteria adopted by the Secretary of Health and Human
Services. This certification does not represent an endorsement by the
U.S. Department of Health and Human Services or guarantee the receipt
of incentive payments.''; and
(ii) The information an ONC-ACB is required to report to the
National Coordinator under paragraph (f) of this section for the
specific Complete EHR or EHR Module at issue;
(2) A certification issued to a pre-coordinated, integrated bundle
of EHR
[[Page 1305]]
Modules shall be treated the same as a certification issued to a
Complete EHR for the purposes of paragraph (k)(1) of this section
except that the certification must also indicate each EHR Module that
is included in the bundle; and
(3) A certification issued to a Complete EHR or EHR Module based
solely on the applicable certification criteria adopted by the
Secretary at subpart C of this part must be separate and distinct from
any other certification(s) based on other criteria or requirements.
This new Principle of Proper Conduct is based on our assumption
that the Secretary will adopt certification criteria through rulemaking
every two years in correlation with the expected modifications to the
meaningful use requirements. With respect to the requirement in Sec.
170.523(k)(1)(i) regarding ``20[XX]/20[XX] compliant,'' we expect ONC-
ACBs will indicate the years ``2011/2012 compliant'' for all Complete
EHRs and EHR Modules that are certified to the certification criteria
adopted by the Secretary for the 2011 and 2012 payment years of the
Medicare and Medicaid EHR Incentive Programs. Continuing our assumption
of a two-year rulemaking cycle, we expect ONC-ACBs to follow this
convention as the Secretary adopts certification criteria for
subsequent payment years. For example, if the Secretary adopts
certification criteria as expected in 2012 for the 2013 and 2014
payment years, ONC-ACBs would indicate ``2013/2014 compliant.''
Given the clarification we provided as to when a Complete EHR or
EHR Module's certification will be considered valid for purposes of
meeting the definition of Certified EHR Technology, we believe it would
be inappropriate and misleading to adopt an identification requirement
that is solely associated with the meaningful use stages. We also
believe it would be inappropriate to identify a Complete EHR or EHR
Module based on whether its certification could be attributed to a
particular entity at a particular location. While unlikely, we do not
want to presume that such a certified Complete EHR or EHR Module would
not be useful to another eligible professional or eligible hospital.
We do, however, agree with the commenter who suggested the specific
constraint for a pre-coordinated, integrated bundle of EHR Modules. As
we explained, we would expect that EHR Module developer(s) will have
addressed any issues related to the compatibility of EHR Modules that
make up a pre-coordinated, integrated bundle before the bundle is
presented for certification pursuant to Sec. 170.550(e)(1). The pre-
coordinated, integrated bundle of EHR Modules is greater than the sum
of the individual EHR Modules that make up the bundle, and for that
reason, we clarify that individual EHR Modules that are certified as
part of a pre-coordinated, integrated bundle would not each separately
inherit a certification just because they had been certified as part of
a bundle. For example, if EHR Modules A, B, C, and D are certified as a
pre-coordinated, integrated bundle, EHR Module C would not on its own
be certified just by virtue of the fact that it was part of a certified
pre-coordinated, integrated bundle. If an EHR Module developer wanted
to make EHR Module C available for use by eligible professionals and
eligible hospitals as a single certified EHR Module independent of and
separate from the bundle, then it must have EHR Module C separately
certified by an ONC-ACB.
As we discussed in the Proposed Rule, there may be situations where
the measures associated with a meaningful use objective may change as a
result of subsequent rulemaking, but the capability a certified EHR
Module would need to provide would not change. As a hypothetical
example, during the expected 2012 rulemaking cycle, the threshold of
the meaningful use Stage 1 measure associated with the ``record patient
demographics'' objective could be increased from 50% to 75%. When the
Secretary adopts certification criteria for the 2013/2014 payment
years, however, the certification criterion or criteria that are
applicable to an EHR Module designed to record patient demographics
could potentially remain unchanged.
We recognize it may not be practical or beneficial for the EHR
Module in this example to be certified again, where the certification
criterion or criteria to which it was previously certified have not
been revised and no new certification criteria have been adopted that
are applicable to it. However, in accordance with Sec. 170.423(k)(1)
or Sec. 170.523(k)(1), the ONC-ATCB or ONC-ACB that certified the EHR
Module would have required the EHR Module developer to include certain
information on its Web site and in other materials related to the
payment years associated with the certification criteria to which the
EHR Module was previously certified. To ensure that the information
required by Sec. 170.523(k)(1)(i) remains accurate and reflects the
correct payment years, we will permit ONC-ACBs to provide updated
certifications to previously certified EHR Modules.
We define ``providing or provide an updated certification'' as the
action taken by an ONC-ACB to ensure that the developer of a previously
certified EHR Module shall update the information required by Sec.
170.523(k)(1)(i), after the ONC-ACB has verified that the certification
criterion or criteria to which the EHR Module was previously certified
have not been revised and that no new certification criteria adopted
for privacy and security are applicable to the EHR Module. To verify
that the certification criterion or criteria have not been revised, an
ONC-ACB would compare the certification criterion or criteria to which
the EHR Module was previously certified with all of the certification
criteria adopted by the Secretary for the relevant payment years (in
the example above, the 2013/2014 payment years). To verify whether new
certification criteria adopted for privacy and security are applicable
to the EHR Module, an ONC-ACB would complete the analysis described in
Sec. 170.550(e)(2) to determine, upon a request to provide an updated
certification, whether the EHR Module developer has demonstrated and
provided documentation that such certification criteria are
inapplicable or that it would be technically infeasible for the EHR
Module to be certified in accordance with such certification criteria.
We believe that providing updated certifications is a pragmatic
approach for the treatment of previously certified EHR Modules and that
it is consistent with requirements specified in Guide 65, section 12
(Decision on certification), which requires certification bodies to
issue certifications specifying the scope of the certification, the
effective date of the certification, and any applicable terms. We also
believe that this approach is consistent with Guide 65, section 14 (Use
of licenses, certificates and marks of conformity), which requires the
certification body to exercise proper control over the use and display
of certificates and marks of conformity, including addressing incorrect
references to the certification system or misleading use of
certificates or marks. The information required by Sec. 170.523(k)(1)
is intended to assist eligible professionals and eligible hospitals in
identifying specific EHR technology that could be purchased and adopted
for the purpose of meeting the definition of Certified EHR Technology
and attempting to demonstrate meaningful use. ONC-ACBs must be able to
ensure that this information is kept current and accurate if it is to
be
[[Page 1306]]
helpful to prospective purchasers of EHR technology and to instill
confidence in the certifications issued under the permanent
certification program. We are defining ``providing or provide an
updated certification'' in Sec. 170.502 and are adding a new provision
to Sec. 170.550, designated as paragraph (d), to permit ONC-ACBs to
provide updated certifications to previously certified EHR Module(s).
ONC-ACBs may choose to provide updated certifications but are not
required to do so, because we recognize situations could exist where an
ONC-ACB is not comfortable providing an updated certification. For
instance, an ONC-ACB may not want to provide an updated certification
if it did not issue the original certification to the EHR Module or if
there has been an extended period of time since the EHR Module was
tested and/or certified. If an ONC-ACB elects not to provide updated
certifications, an EHR Module developer may choose to have its EHR
Module recertified and/or retested, even though the certification
criterion or criteria to which the EHR Module was previously certified
have not been revised and no new certification criteria have been
adopted that are applicable to the EHR Module. In order to make the
certification process as efficient as possible in this scenario, we
will permit ONC-ACBs to rely on prior testing completed by an ONC-ATCB.
Accordingly, we are revising Sec. 170.523(h) to permit ONC-ACBs to
rely on the results of testing performed by ONC-ATCBs for the purpose
of certifying a previously certified EHR Module(s) if the certification
criterion or criteria to which the EHR Module(s) was previously
certified have not been revised and no new certification criteria are
applicable to the EHR Module(s).
Comments. Several commenters requested that we clarify whether each
updated version of a Complete EHR or EHR Module would need to be
recertified in order for its certification to remain valid, and whether
there would be a mechanism available to accommodate routine changes and
product maintenance without the need for full recertification of each
updated version of a previously certified Complete EHR or EHR Module.
Some of these commenters stressed that they provide bug-fixes and other
maintenance upgrades to customers on a regular basis and that those
versions are normally denoted by a new ``dot release'' (e.g., version
7.1.1 when 7.1 received certification). Another commenter requested
that we consider the impact of potentially more dynamic software
development/release models, such as those related to cloud computing
and software-as-a-service, that may not fit a traditional (major/minor/
maintenance) release schedule. The commenter indicated that there may
be more frequent software updates for these types of EHR technologies.
Response. We understand that Complete EHR and EHR Module developers
will conduct routine maintenance. We also recognize that at times
Complete EHR and EHR Module developers will provide new or modified
capabilities either to make the Complete EHR or EHR Module perform more
efficiently and/or to improve user experiences related to certain
functionality (e.g., a new graphical user interface (GUI)). Our main
concern is whether these changes adversely affect the capabilities of a
Complete EHR or EHR Module that has already been certified and whether
the changes are such that the Complete EHR or EHR Module would no
longer support an eligible professional or eligible hospital's
achievement of meaningful use. Accordingly, we clarify that a
previously certified Complete EHR or EHR Module may be updated for
routine maintenance or to include new or modified capabilities without
the need for recertification, and such changes may affect capabilities
that are related or unrelated to the certification criteria adopted by
the Secretary.\3\ However, we do not believe that it would be wise to
simply permit a Complete EHR or EHR Module developer to claim without
any verification that the routine maintenance or new/modified
capabilities included in a newer version do not adversely affect the
proper functioning of the capabilities for which certification was
previously granted. An ONC-ACB should, at a minimum, review an
attestation submitted by a Complete EHR or EHR Module developer
explaining the changes that were made and the reasons for those
changes, as well as other information and supporting documentation that
would be necessary for the ONC-ACB to evaluate the potential effects of
the changes on previously certified capabilities. We believe this
process is consistent with the requirements placed on certification
bodies by Guide 65, sections 4.6.2 (related to conditions and
procedures for granting, maintaining, extending, suspending and
withdrawing certification) and 12.4 (related to decisions on
certifications).
---------------------------------------------------------------------------
\3\ We understand that Complete EHR and EHR Module developers
typically consider a ``minor version release'' to be, for example, a
version number change from 3.0 to 3.1 and consider a ``major version
release'' to be, for example, a version number change from 4.0 to
5.0. In providing for this flexibility, we do not presume the
version numbering schema that a Complete EHR or EHR Module developer
may choose to utilize. As a result, we do not preclude a Complete
EHR or EHR Module developer from submitting an attestation to an
ONC-ACB for a Complete EHR or EHR Module whose version number may
represent a minor or major version change.
---------------------------------------------------------------------------
As a result, we are adding a new provision to Sec. 170.545,
designated as paragraph (d), that requires an ONC-ACB to accept
requests for a newer version of a previously certified Complete EHR to
inherit the certified status of the previously certified Complete EHR
without requiring the newer version to be recertified. We are also
adding a similar provision to Sec. 170.550, designated as paragraph
(f), that requires an ONC-ACB to accept requests for a newer version of
a previously certified EHR Module(s) to inherit the certified status of
the previously certified EHR Module(s) without requiring the newer
version to be recertified. However, consistent with both of these new
provisions, the developer of the Complete EHR or EHR Module(s), must
submit an attestation as described above in the form and format
specified by the ONC-ACB that the newer version does not adversely
affect any capabilities for which certification criteria have been
adopted. After reviewing the attestation, the ONC-ACB must determine
whether the Complete EHR's or EHR Module's capabilities, for which
certification criteria have been adopted, have been adversely affected
(which would consequently require the newer version to be recertified),
or whether to grant a certification to the newer version of the
previously certified Complete EHR or EHR Module that is based on the
previous certification. In determining whether the newer version should
be recertified, the ONC-ACB may also determine whether retesting is
necessary.
If the ONC-ACB issues a certification to a newer version of a
previously certified Complete EHR or EHR Module, the ONC-ACB must
include this certification in its weekly report to the National
Coordinator. We believe that for the purposes of associating a
certification with a given EHR technology, this policy is appropriate
regardless of the software development/release approach employed by an
EHR technology developer. As we have stated before, certification
represents a snapshot, a fixed point in time, where it has been
confirmed (in this case by an ONC-ACB) that a Complete EHR or EHR
Module has met all applicable certification criteria adopted by the
Secretary. Thus, if a different version of a Complete EHR or EHR Module
is made available and the EHR technology
[[Page 1307]]
developer seeks to have this version inherit a prior version's
certification, the prior version's certification needs to be formally
associated with this newer version and subsequently reported to the
National Coordinator. Without this association, an EHR technology
developer would not be able to assert that the updated or modified EHR
technology was ``certified,'' nor would eligible professionals or
eligible hospitals be able to verify on ONC's Certified HIT Products
List (CHPL) that the EHR technology is certified.
Aside from the requirements discussed above, we do not specify the
fees or any other processes that an ONC-ACB must follow before granting
certified status to a newer version of a previously certified Complete
EHR or EHR Module based on the submitted attestation. We encourage ONC-
ACBs to develop streamlined approaches for attestations in order to
accommodate different software release models and schedules.
P. Differential or Gap Certification
We stated in the Proposed Rule that, after Complete EHRs and EHR
Modules have been certified as being in compliance with the
certification criteria associated with meaningful use Stage 1, it may
benefit both Complete EHR and EHR Module developers as well as eligible
professionals and eligible hospitals if some form of differential
certification were available. We described differential certification
as the certification of Complete EHRs and/or EHR Modules to the
differences between the certification criteria adopted by the Secretary
associated with one stage of meaningful use and a subsequent stage of
meaningful use. As an example, we stated that if the Secretary were to
adopt 5 new certification criteria to support meaningful use Stage 2
and those were the only additional capabilities that needed to be
certified in order for a Complete EHR's certification to be valid again
(i.e., all other certification criteria remained the same) for the
purposes of meaningful use Stage 2, then the Complete EHR would only
have to be tested and certified to those 5 criteria rather than the
entire set of certification criteria again.
We noted that differential certification could be a valuable and
pragmatic approach for the future and that it may further reduce costs
for certification and expedite the certification process. Accordingly,
we requested public comments on whether we should require ONC-ACBs to
offer differential certification, what factors we should consider in
determining when differential certification would be appropriate and
when it would not, and when differential certification should begin. To
further clarify these requests and inform commenters, we noted the
factors we thought were appropriate for consideration in determining
when to allow for differential certification. These factors included
whether the standard(s) associated with a certification criterion or
criteria changed and whether additional certification criteria changed
in such a way that they affected other previously certified
capabilities of a Complete EHR or EHR Module. We specifically asked
whether differential certification should be permitted to begin with
Complete EHRs and EHR Modules certified under the temporary
certification program (i.e., the differences between 2011 and 2013) or
after all Complete EHRs and EHR Modules had been certified once under
the permanent certification program (i.e., the differences between 2013
and 2015). Regarding these options, we asked commenters to consider the
differences in rigor that we expect Complete EHRs and EHR Modules will
go through to get certified under the permanent certification program.
Comments. Commenters overwhelmingly supported some form of
differential certification based on, as we noted, the potential for
efficiencies and lower certification costs. These commenters expressed
general agreement with the factors we specified for determining when
differential certification would be appropriate. That is, they stated
that testing and certifying a Complete EHR or EHR Module to only new or
revised certification criteria would be appropriate as long as other
required capabilities (as specified in other adopted certification
criteria) of a Complete EHR or other EHR Modules were not also affected
by the new or revised certification criteria. Conversely, a few
commenters did not believe that differential certification would be
appropriate based on various concerns. One commenter suggested that
testing to only new or revised certification criteria could be time
consuming and cost prohibitive. Another commenter contended that
differential certification will create ``tiers'' in the market of fully
certified versus differentially certified Complete EHRs and EHR
Modules, which could lead to confusion among purchasers. A couple of
commenters expressed concern about ONC-ACBs guaranteeing the compliance
of all capabilities required by adopted certification criteria of a
Complete EHR without testing all of the components. A couple of
commenters also noted that if differential certification is allowed,
ONC-ACBs should not be required to offer it as an option for
certification. Rather, it should be up to each ONC-ACB to decide
whether to conduct differential certification.
Commenters who were in favor of differential certification
indicated strong support for beginning differential certification with
the differences between the 2011 and 2013 certification criteria
adopted by the Secretary. These commenters reasoned that the potential
for lower certification costs and reduced certification times should be
made available to the market as soon as possible, particularly if the
separate testing and certification processes of the permanent
certification program could increase the time for certified Complete
EHRs and EHR Modules to reach the market. Alternatively, a few
commenters stated that it would be more appropriate for Complete EHRs
and EHR Modules to be tested and certified at least once under the
proposed more rigorous permanent certification program before they
would be considered eligible for differential certification.
Response. We understand based on our research that the term ``gap
certification'' is commonly used by the HIT industry to refer to the
concept we have described as ``differential certification.'' As a
result, for consistency and ease of reference, we will use the term
``gap certification'' instead of ``differential certification'' for
purposes of the permanent certification program. The description of
``differential certification'' that we gave in the Proposed Rule
focused on the differences between adopted certification criteria as
related to the stages of meaningful use. As noted earlier in this final
rule, however, the Medicare and Medicaid EHR Incentive Programs final
rule indicated that the meaningful use Stage 1 requirements may be
updated in future rulemaking, such as when the requirements for Stage 2
are established. As a result, the concept of gap certification must
allow for the possibility that the Secretary may adopt certification
criteria through future rulemaking that would encompass and be
associated with both the revised Stage 1 requirements and newly
established Stage 2 requirements. This possibility is consistent with
our position that, regardless of the year and meaningful use stage at
which an eligible professional or eligible hospital enters the Medicare
or Medicaid EHR Incentive Programs, they must use Certified EHR
Technology that has been certified to all of the applicable
certification criteria adopted by the Secretary at subpart C of part
170. Thus,
[[Page 1308]]
gap certification must focus on the differences between certification
criteria that are adopted through rulemaking at different points in
time rather than the differences between the stages of meaningful use.
We define and will use the term gap certification to mean the
certification of a previously certified Complete EHR or EHR Module to:
(1) All applicable new and/or revised certification criteria adopted by
the Secretary at subpart C of this part based on the test results of a
NVLAP-accredited testing laboratory; and (2) all other applicable
certification criteria adopted by the Secretary at subpart C of this
part based on the test results used previously to certify the Complete
EHR or EHR Module. We believe this definition of gap certification is
conceptually analogous to the description of differential certification
in the Proposed Rule as well as common industry usage of the term.
While a commenter asserted that testing to only new or revised
certification criteria could be more time consuming and cost
prohibitive, commenters overwhelmingly agreed with our premise that gap
certification would likely be a less costly and time-consuming
certification option for Complete EHR and EHR Module developers.
Further, we believe that the potential lower costs and expedited
certification timeframes that gap certification will presumably offer
outweigh the concerns some commenters raised about the reliability of
testing under the temporary certification program. As previously stated
in this final rule, the testing and certification performed under the
temporary certification program is conducted by testing and
certification bodies that are determined to be qualified and have been
authorized by the National Coordinator. Complete EHRs and EHR Modules
are tested by ONC-ATCBs using test tools and test procedures approved
by the National Coordinator and should be expected to perform
consistent with their certifications. Therefore, ONC-ACBs should be
confident in relying upon the test results provided by ONC-ATCBs when
performing gap certification under the permanent certification program.
Accordingly, gap certification will be available as an option for ONC-
ACBs to offer as soon as ONC-ACBs are authorized to begin performing
certifications under the permanent certification program.
A few commenters suggested that gap certification would lead to
``tiers'' in the market of ``fully tested and certified'' Complete EHRs
and EHR Modules and ``partially tested and certified'' Complete EHRs
and EHR Modules, while a couple of other commenters expressed concern
about ONC-ACBs guaranteeing the compliance of all capabilities of a
Complete EHR without testing all of the components. We believe, as
suggested by commenters, that the decision on whether to conduct gap
certification is best left to each ONC-ACB. However, as discussed
above, we believe that the testing performed by ONC-ATCBs or by any
NVLAP-accredited testing laboratory will be valid and reliable.
Therefore, when gap certifying a Complete EHR or EHR Module, an ONC-ACB
will be expected to issue a certification for the entire Complete EHR
or EHR Module that it gap certifies. For these reasons, the HIT market
should consider a Complete EHR or EHR Module that has been gap
certified to be equal to a Complete EHR or EHR Module that has been
fully tested and certified to all applicable certification criteria
adopted by the Secretary. In addition, as discussed earlier in this
preamble, ONC-ACBs will be expected to conduct annual surveillance of
the Complete EHRs and/or EHR Modules that they certify under the
permanent certification program. Surveillance should provide additional
assurances to the HIT market that Complete EHRs and EHR Modules will
continue to perform in an operational setting or ``live'' environment
as they did when they were certified.
Consistent with this discussion, we are adding the definition of
gap certification to Sec. 170.502 and adding new provisions to Sec.
170.545 (paragraph (c)) and Sec. 170.550 (paragraph (c)) to permit
ONC-ACBs to provide the option of and to perform gap certification
under the permanent certification program. In addition to these
revisions, we are revising Sec. 170.523(h) to permit ONC-ACBs to
accept the results of testing performed on Complete EHRs and EHR
Modules by ONC-ATCBs under the temporary certification program for the
purpose of gap certification. These testing results may be necessary
for conducting gap certification under the permanent certification
program when previously certified Complete EHRs and EHR Modules were
last tested under the temporary certification program.
Q. Barriers to Entry for Potential ONC-ACBs and an ONC-Managed
Certification Process
We noted in the Proposed Rule that the overall success of the
Medicare and Medicaid EHR Incentive Programs could be jeopardized if
the certification program for EHR technology fails to operate properly.
We requested public comment on specific issues related to the proposed
permanent certification program that could adversely affect the
operation of that program. First, we asked whether the proposed
provisions of the permanent certification program created high barriers
to market entry for potential ONC-ACBs and, if so, how we could revise
the proposed requirements to lower those barriers and encourage
participation. Second, we expressed concern about the potential risks
to the permanent certification program if no ONC-ACBs were authorized
or only one ONC-ACB was authorized and engaged in monopolistic
behavior. We requested public comment on potential approaches that
could be pursued to stimulate market involvement or remedy these
situations if they were to develop, including the possibility of the
National Coordinator establishing a temporary ONC-managed certification
process that would include some type of certification review board. We
noted that this option was not preferred and would come with
significant limitations. In particular, section 3001(c)(5) of the PHSA
does not expressly authorize the National Coordinator or the Secretary
to assess and collect fees related to the certification of HIT and
subsequently retain and use those fees to administer an ONC-managed
certification process if it were established.
Comments. Commenters stated that the proposed provisions of the
permanent certification program did not present high barriers to entry
for potential ONC-ACBs. Commenters also generally agreed that we should
eliminate any identified barriers to entry with one commenter
specifically suggesting that the National Coordinator could waive
certain conditions that are creating barriers to entry as long as it
would not adversely impact patient safety or quality of care. Another
commenter noted that the proposed permanent certification program
permits multiple entry points for organizations to pursue ONC-ACB
status, allowing the market to decide how many ONC-ACBs are acceptable.
Most commenters expressed agreement with our proposal for a
temporary ONC-managed certification process to stimulate market
involvement or remedy the situations described above and in the
Proposed Rule. Some commenters suggested that if there were fewer than
two ONC-ACBs at the start of the permanent certification program we
should continue the temporary certification program or allow ONC-ATCBs
in good standing under the temporary certification program to
[[Page 1309]]
become ONC-ACBs under the permanent certification program without
having to meet any of the application requirements of the permanent
certification program. Another commenter suggested that if these
options were not immediately viable then we should allow for self-
attestation by Complete EHR and EHR Module developers to the
certification criteria until there are a sufficient number of ONC-ACBs.
Conversely, some commenters contended that if there was only one ONC-
ACB it would not necessarily be the result of the permanent
certification program requirements. Although these commenters stated
that the authorization of more than one ONC-ACB would be preferable to
handle requests for certification, they asserted that one ONC-ACB could
be a good starting point for the permanent certification program, at
least until other ONC-ACBs became operational. A commenter reasoned
that the accreditation guidelines that ONC-ACBs must adhere to should
be sufficient to preclude a single ONC-ACB from acting in a
monopolistic or other improper manner.
Response. We agree with many of the sentiments expressed by the
commenters. We agree that there are multiple entry points for qualified
organizations who seek to become ONC-ACBs, such as applying to become
an ONC-ACB for only Complete EHRs, only EHR Modules, or only limited
types of EHR Modules. We also agree that the market will likely
determine the appropriate number of ONC-ACBs and that only one ONC-ACB
may be sufficient for starting (and potentially operating long term)
the permanent certification program. For comparison, consistent with
our estimate, there are currently 5 ONC-ATCBs under the temporary
certification program. We acknowledge, however, that there remains the
remote possibility that there may be no ONC-ACBs under the permanent
certification program, that one ONC-ACB will not be sufficient to meet
demand, or that only one ONC-ACB will be authorized and could engage in
conduct that is detrimental to the permanent certification program.
To begin the permanent certification program, we believe that we
have established an approach that addresses the concerns expressed by
some commenters and is consistent with the solutions they offered.
Section 170.490 provides that the temporary certification program will
sunset on December 31, 2011, or if the permanent certification program
is not fully constituted at that time, then upon a subsequent date that
is determined to be appropriate by the National Coordinator. We stated
in the Temporary Certification Program final rule that in determining
whether the permanent certification program is fully constituted, the
National Coordinator would consider whether there are a sufficient
number of ONC-ACBs and accredited testing laboratories to address the
current market demand. We believe this approach will ensure that the
permanent certification program functions properly at the outset. If we
determine at a later time under the permanent certification program
that an insufficient number of ONC-ACBs exists, we will consider what
steps may be taken to remedy the situation. This may include
implementing a temporary ONC-managed certification process and/or
evaluating other means for stimulating the market, such as revising or
waiving certain ONC-ACB requirements or taking other actions as
suggested by the commenters.
R. General Comments
We received comments that were not attributable to a specific
provision of the permanent certification program, but were still
reasonably within the scope of the program. These comments addressed
the timing of the permanent certification program; ``grandfathering''
of previously certified technology; the potential for a backlog of
requests for certification; the costs of certification; and the safety
of Complete EHRs, EHR Modules and other types of HIT.
Comments. Although we did not propose or discuss the concept of
``grandfathering'' in the Proposed Rule, several commenters made
recommendations on the subject. To summarize the discussion of comments
in the Temporary Certification Program final rule, in general, the
concept of grandfathering would allow technology that had been
certified prior to the inception of the temporary and/or permanent
certification programs to be deemed Certified EHR Technology.
Response. In the Temporary Certification Program final rule, we
responded to comments on the concept of grandfathering and concluded
that any form of grandfathering would be inappropriate for purposes of
our certification programs and inconsistent with the statutory
requirements for Certified EHR Technology set forth in the PHSA. 75 FR
36186-36187. Our position on grandfathering as stated in the Temporary
Certification Program final rule remains valid.
Comments. Commenters requested that we take action to prevent
testing and certification monopolies and backlogs of requests for
testing and certification. Commenters also requested that we mandate
pricing for certification or at least establish a reasonable fee
requirement.
Response. We believe that through the policies we have established
in this final rule, the permanent certification program is inclusive of
as many potential applicants for ONC-ACB status as possible, and that
we have created an environment that is likely to result in multiple
ONC-ACBs. Further, we believe that multiple ONC-ACBs and market
dynamics, particularly competition, will address the commenters'
concerns about potential monopolies, appropriate costs for
certification, and the timely and efficient processing of requests for
the certification of Complete EHRs and EHR Modules. Accreditation will
require that potential ONC-ACBs comply with Guide 65, which requires
certification bodies to make their services accessible to all
applicants whose activities fall within its declared field of operation
(i.e., the permanent certification program), including not having any
undue financial or other conditions. As noted throughout this rule, an
ONC-ACB must maintain its accreditation to remain in good standing
under the permanent certification program.
Comments. A commenter requested that the National Coordinator
establish a single application process for the testing and
certification of developers' HIT. By doing so, the commenter contended
that this would alert accredited testing laboratories and ONC-ACBs of a
developer's readiness and intent to apply for testing and/or
certification.
Response. We do not believe it is necessary or appropriate to
create such an ``application process.'' Each accredited testing
laboratory and ONC-ACB is capable of establishing their own customer
base based on a multitude of factors including pricing, efficiency,
services offered, and prior relationships. Further, we assume that a
HIT developer's readiness and ``intent'' to apply may fluctuate based
on multiple factors, including whether their Complete EHR and/or EHR
Module successfully passed testing or whether they determine testing
and/or certification of their HIT should be delayed. Accordingly, we
believe it is appropriate for each accredited testing laboratory and
ONC-ACB to establish its own process for soliciting and accepting
requests for testing and certification, as applicable.
Comments. A few commenters expressed concern over the potential
safety risks that could be associated with poorly planned, implemented,
and
[[Page 1310]]
used EHR technology and suggested that patient safety should be
considered in the development and implementation of the permanent
certification program.
Response. We understand and are acutely aware of the concerns
expressed by the commenters regarding patient health and safety. We
believe that the permanent certification program has been sufficiently
constituted to ensure that ONC-ACBs will competently certify Complete
EHRs, EHR Modules and potentially other types of HIT. We have
established a process in the permanent certification program that the
National Coordinator could use to immediately suspend an ONC-ACB's
authority to issue certifications if there is reliable evidence
indicating that allowing the ONC-ACB to continue issuing certifications
would pose an adverse risk to patient health and safety. The permanent
certification program also includes a post-market surveillance program
that is designed to ensure that certified Complete EHRs and EHR Modules
perform in the market as certified and may also shed light on any
safety concerns reported by eligible professionals and eligible
hospitals.
S. Comments Beyond the Scope of This Final Rule
In response to the Proposed Rule, some commenters chose to raise
issues that are beyond the scope of our proposals. We do not summarize
or respond to those comments in this final rule. However, we will
review the comments and consider whether other actions may be
necessary, such as addressing the comments in later rulemakings or
through guidance clarifying program operating procedures, based on the
information or suggestions in the comments.
IV. Provisions of the Final Regulation
For the most part, this final rule incorporates the provisions of
the Proposed Rule. Those provisions of this final rule that differ from
the Proposed Rule are as follows:
In Sec. 170.501, we added language, based on our proposal
and public comments, that expands the scope of the permanent
certification program to ``other types of HIT.'' We also added ``the
requirements that ONC-ACBs must follow to maintain their status'' to
properly identify that this subpart contains requirements that ONC-ACBs
must follow to maintain their status under the permanent certification
program.
In Sec. 170.502, we revised the definition of applicant
by removing the condition that an applicant must ``request'' an
application. We revised the definition of ONC-ACB by removing ``at a
minimum'' from the definition to allow an organization or consortium of
organizations to become an ONC-ACB that is authorized to certify only
types of HIT besides Complete EHRs and/or EHR Modules. We also revised
this definition by replacing ``using the applicable certification
criteria adopted by the Secretary'' with ``under the permanent
certification program.'' In addition to revising the definitions of
applicant and ONC-ACB, we added the definitions of ``deployment site,''
``development site,'' ``gap certification,'' ``providing or provide an
updated certification,'' and ``remote certification'' to this section.
In Sec. 170.503, we revised paragraph (b) to provide for
a 30-day time period in which all interested accredited organizations
may submit requests for ONC-AA status. We revised (b)(2) to specify
that a request for ONC-AA status must include a detailed description of
how the accreditation organization will ensure that the surveillance
approaches used by ONC-ACBs include the use of consistent, objective,
valid, and reliable methods. We revised paragraph (c) to permit the
National Coordinator up to 60 days to review all timely submissions and
determine which accreditation organization is best qualified to serve
as the ONC-AA. We revised paragraph (c) to provide for the selection of
an ONC-AA on a preliminary basis and subject to the resolution of the
reconsideration process in Sec. 170.504. We included in paragraph (c)
the option, originally specified in proposed paragraph (d), for an
accreditation organization to request reconsideration of the National
Coordinator's decision to deny an accreditation organization ONC-AA
status. We established a new provision, designated as paragraph (d),
that specifies the final approval process for ONC-AA status. We revised
paragraph (e)(2) to require an ONC-AA, in accrediting certification
bodies, to ensure that surveillance approaches include the use of
consistent, objective, valid and reliable methods. We revised paragraph
(e)(4) to state that the ONC-AA will be required to review ONC-ACB
surveillance results to determine if the results indicate any
substantive non-conformance by ONC-ACBs ``with the conditions of their
respective accreditations.'' We revised paragraph (f) to specify that
an accreditation organization has not been granted ONC-AA status unless
and until it is notified by the National Coordinator that it has been
approved as the ONC-AA on a final basis pursuant to paragraph (d) of
this section. We also revised paragraph (f) to specify that the
National Coordinator will accept requests for ONC-AA status, in
accordance with paragraph (b), at least 180 days before the then
current ONC-AA's status is set to expire.
In Sec. 170.504, consistent with our revisions to Sec.
170.503, we revised paragraph (a) to state that an accreditation
organization that submits a timely request for ONC-AA status in
accordance with Sec. 170.503 and is denied may ask the National
Coordinator to reconsider the decision to deny its request for ONC-AA
status. We revised paragraph (b) to state that the accreditation
organization's request for reconsideration must demonstrate that clear,
factual errors were made in the review of its request for ONC-AA status
and that the accreditation organization would have been selected as the
ONC-AA pursuant to Sec. 170.503(c) if those errors had been corrected.
We revised paragraph (c) to permit the National Coordinator up to 30
days to review all timely received reconsideration requests and
determine whether an accreditation organization has met the standard
specified in paragraph (b) of this section. We revised paragraph (d) to
state that if the National Coordinator determines that an accreditation
organization has met the standard specified in paragraph (b) of this
section, then that organization will be approved as the ONC-AA on a
final basis and all other accreditation organizations will be notified
that their requests for reconsideration have been denied.
In Sec. 170.505, we revised paragraph (b) by adding ``or
ONC-ACB'' to clarify that either an applicant for ONC-ACB status or an
ONC-ACB may, when necessary, utilize the specified correspondence
methods. We also revised this section to apply its correspondence
requirements to accreditation organizations that submit requests for
ONC-AA status and the ONC-AA.
In Sec. 170.520, we revised paragraph (c) such that the
documentation provided by the applicant must confirm that the applicant
has been accredited by ``the ONC-AA,'' instead of ``an ONC-AA'' as
proposed.
In Sec. 170.523, we revised paragraph (e) by clarifying
that site visits will be conducted during normal business hours. We
revised paragraph (f) by replacing ``vendor'' with ``Complete EHR or
EHR Module developer.'' We also revised paragraph (f) by specifying
that an ONC-ACB will be required to additionally report the clinical
quality measures to which a Complete EHR or
[[Page 1311]]
EHR Module has been certified and, where applicable, any additional
software a Complete EHR or EHR Module relied upon to demonstrate its
compliance with a certification criterion or criteria adopted by the
Secretary. We revised paragraph (h) to require ONC-ACBs to only certify
HIT, including Complete EHRs and/or EHR Module(s), that has been tested
by a NVLAP-accredited testing laboratory using test tools and test
procedures that have been approved by the National Coordinator. We also
revised paragraph (h) to allow ONC-ACBs, under certain circumstances,
to rely on testing that has been performed by ONC-ATCBs, which must
also have been done using test tools and test procedures that have been
approved by the National Coordinator. We revised paragraph (j) to
clarify that an ONC-ACB will only be responsible for issuing refunds in
situations where the ONC-ACB's conduct caused certification to be
suspended and a request for certification is withdrawn, and in
instances where the ONC-ACB's conduct caused the certification not to
be completed or necessitated the recertification of Complete EHRs and/
or EHR Module(s) that had been previously certified. Lastly, we added a
new Principle of Proper Conduct for ONC-ACBs and designated it as
paragraph (k). The new Principle of Proper Conduct will require ONC-
ACBs to ensure that all Complete EHRs and EHR Modules are properly
identified and marketed.
In Sec. 170.525, we revised paragraph (b) by removing
``during the existence of the permanent certification program.''
In Sec. 170.530, in response to public comment, we
revised paragraph (b)(1) by removing the terms ``inadvertent'' and
``minor.'' We revised paragraph (c)(1), also in response to public
comment, to allow an applicant for ONC-ACB status to request an
extension of the 15-day period provided to submit a revised application
in response to a deficiency notice. We revised paragraph (c)(2) to
state that the National Coordinator can grant an applicant's request
for an extension of the 15-day period based on a finding of good cause.
We revised paragraph (c)(3) to permit the National Coordinator to
request clarification of statements and the correction of errors or
omissions in a revised application during the 15-day period that the
National Coordinator has to review a revised application. Finally, we
revised paragraph (c)(4) to state that a denial notice issued to an
applicant will indicate that the applicant cannot reapply for ONC-ACB
status for a period of six months from the date of the denial notice.
In Sec. 170.540, we revised paragraph (b) to state, in
relevant part, ``Each ONC-ACB must prominently and unambiguously
identify the scope of its authorization on its Web site, and in all
marketing and communications statements (written and oral) pertaining
to its activities under the permanent certification program.'' We
clarified in paragraph (c) that an ONC-ACB must include any updates to
the information required to be provided under Sec. 170.520 when
requesting to have its status renewed. We also revised paragraph (c) to
state that an ONC-ACB will need to have its status renewed every three
years instead of every two years. We similarly revised paragraph (d) to
state that an ONC-ACB's status will expire three years from the date it
was granted by the National Coordinator unless it is renewed.
In Sec. 170.545, we revised paragraph (a) to state that
``When certifying Complete EHRs, an ONC-ACB must certify Complete EHRs
in accordance with all applicable certification criteria adopted by the
Secretary at subpart C of this part.'' We redesignated proposed
paragraph (b) as paragraph (e). We added three new provisions. We added
a new provision, designated as paragraph (b), which states that an ONC-
ACB must provide the option for a Complete EHR to be certified solely
to the applicable certification criteria adopted by the Secretary at
subpart C of this part. We added a new provision, designated as
paragraph (c), to permit ONC-ACBs to provide the option for and perform
gap certification. Finally, we added a new provision, designated as
paragraph (d), which requires an ONC-ACB to accept requests for a newer
version of a previously certified Complete EHR to inherit the certified
status of the previously certified Complete EHR without requiring the
newer version to be recertified.
In Sec. 170.550, we removed proposed paragraphs (b) and
(d) because they were redundant of other regulatory requirements within
this subpart. We redesignated proposed paragraph (c) as paragraph (e)
and revised it to state that EHR Modules shall be certified to all
privacy and security certification criteria adopted by the Secretary
unless the EHR Module(s) is presented for certification in one of the
following manners: (1) The EHR Modules are presented for certification
as a pre-coordinated, integrated bundle of EHR Modules, which would
otherwise meet the definition of and constitute a Complete EHR, and one
or more of the constituent EHR Modules is demonstrably responsible for
providing all of the privacy and security capabilities for the entire
bundle of EHR Modules; or (2) An EHR Module is presented for
certification, and the presenter can demonstrate and provide
documentation to the ONC-ACB that a privacy and security certification
criterion is inapplicable or that it would be technically infeasible
for the EHR Module to be certified in accordance with such
certification criterion. We added four new provisions. We added a new
provision, designated as paragraph (b), which states that an ONC-ACB
must provide the option for an EHR Module(s) to be certified solely to
the applicable certification criteria adopted by the Secretary at
subpart C of this part. We added a new provision, designated as
paragraph (c), to permit ONC-ACBs to provide the option for and perform
gap certification. We added a new provision, designated as paragraph
(d), which permits an ONC-ACB to provide an updated certification to a
previously certified EHR Module(s). Finally, we added a new provision,
designated as paragraph (f), which requires an ONC-ACB to accept
requests for a newer version of a previously certified EHR Module(s) to
inherit the certified status of the previously certified EHR Module(s)
without requiring the newer version to be recertified.
In Sec. 170.555, we removed inadvertent references to
testing under the permanent certification program.
In Sec. 170.557, we revised the section to require that
an ONC-ACB provide remote certification for both development and
deployment sites.
In Sec. 170.565, we revised paragraph (c)(1) to state
that ``[t]he National Coordinator may propose to revoke an ONC-ACB's
status if the National Coordinator has reliable evidence that the ONC-
ACB committed a Type-1 violation.'' The term ``reliable'' was
inadvertently left out of the Proposed Rule. We also established a new
provision. We designated this provision as paragraph (d) and
redesignated proposed paragraphs (d) through (g) as paragraphs (e)
through (h), respectively. Paragraph (d) provides the National
Coordinator with the discretion to suspend an ONC-ACB's operations if
there is reliable evidence indicating that the ONC-ACB has committed a
Type-1 or Type-2 violation and that the continued certification of
Complete EHRs, EHR Modules and/or other types of HIT by the ONC-ACB
could have an adverse impact on patient health or safety. An ONC-ACB
will have 3 days to respond to a notice of proposed suspension by
explaining in writing why its operations should not be suspended. The
National Coordinator
[[Page 1312]]
will be permitted up to 5 days to review the response and issue a
determination to the ONC-ACB. The National Coordinator will make a
determination to either rescind the proposed suspension, suspend the
ONC-ACB until it has adequately corrected a Type-2 violation, or
propose revocation in accordance with Sec. 170.565(c) and suspend the
ONC-ACB's operations for the duration of the revocation process. The
National Coordinator may also make any one of the above determinations
if an ONC-ACB fails to submit a timely response to a notice of proposed
suspension. A suspension will become effective upon an ONC-ACB's
receipt of a notice of suspension.
We added Sec. 170.599 to incorporate by reference ISO
17011 and Guide 65.
V. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), agencies are
required to provide 60-day notice in the Federal Register and solicit
public comment on a proposed collection of information before it is
submitted to the Office of Management and Budget (OMB) for review and
approval. In order to fairly evaluate whether an information collection
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires
that we solicit comment on the following issues:
1. Whether the information collection is necessary and useful to
carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information
collection burden;
3. The quality, utility, and clarity of the information to be
collected; and
4. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
In the Proposed Rule, we solicited public comment on each of these
issues for the information collections set forth in 45 CFR Sec. Sec.
170.503(b), 170.520, and 170.523(f) and (g). The final rule also
specifies another information collection requirement pertaining to the
annual submission by an ONC-ACB of a surveillance plan and surveillance
results to the National Coordinator as required by Sec. 170.523(i).
The information collection requirement of Sec. 170.523(i) was not
specifically identified in the Proposed Rule, but was available for
comment during the 60-day public comment period for the Proposed Rule
and included in our request to OMB. Please refer to section E below for
this information collection.
A. Collection of Information: Required Documentation for Requesting
ONC-Approved Accreditor Status Under the Permanent Certification
Program
Section 170.503(b) requires an accreditation organization to submit
specific information to the National Coordinator to be considered for
ONC-AA status under the permanent certification program. We estimated
in the Proposed Rule that there will only be two accreditation
organizations that will prepare and submit the information sought by
the National Coordinator to be considered for ONC-AA status. We also
provided estimates for the amount of time we believe will be necessary
to collect and provide the information requested by the National
Coordinator in Sec. 170.503(b). Specifically, we estimated that it
will take approximately:
20 minutes for an accreditation organization to provide a
detailed description of the accreditation organization's conformance to
ISO 17011 and experience evaluating the conformance of certification
bodies to Guide 65;
20 minutes for an accreditation organization to provide a
detailed description of the accreditation organization's accreditation
requirements and how the requirements complement the Principles of
Proper Conduct for ONC-ACBs;
5 minutes for an accreditation organization to provide a
copy of the procedures that would be used to monitor ONC-ACBs;
10 minutes for an accreditation organization to provide
detailed information, including education and experience, about the key
personnel who review certification bodies for accreditation; and
5 minutes for an accreditation organization to provide a
copy of the procedures for responding to, and investigating, complaints
against ONC-ACBs.
We did not receive any comments on our estimates for the burden
associated with Sec. 170.503(b). We added the requirement that
accreditation organizations specify how their accreditation
requirements will ensure the surveillance approaches used by ONC-ACBs
include the use of consistent, objective, valid, and reliable methods.
We do not believe that this additional requirement will appreciably
increase the burden for accreditation organizations requesting ONC-AA
status and that any potential increase in the burden can be accounted
for in the 20 minutes allotted for providing a detailed description of
the accreditation organization's accreditation requirements and how the
requirements complement the Principles of Proper Conduct for ONC-ACBs.
Therefore, we have maintained the same burden estimates we provided in
the Proposed Rule.
----------------------------------------------------------------------------------------------------------------
Number of Average burden
Type of respondent Number of responses per hours per Total burden
respondents respondent response hours
----------------------------------------------------------------------------------------------------------------
Accreditation Organization................ 2 1 1 2
----------------------------------------------------------------------------------------------------------------
B. Collection of Information: Application for ONC-ACB Status Under the
Permanent Certification Program
Section 170.520 requires an organization to submit specific
information to the National Coordinator to be considered for ONC-ACB
status under the permanent certification program. We estimated in the
Proposed Rule that there would be no more than 6 applicants for ONC-ACB
status under the permanent certification program. We also provided
estimates for the amount of time we believe will be necessary to
complete an application for ONC-ACB status, i.e., meet the requirements
of Sec. 170.520. Specifically, we estimated that it will take
approximately:
10 minutes to provide the general identifying information
requested in the application;
30 minutes to assemble the information necessary to
provide documentation of accreditation by an ONC-AA; and
20 minutes to review and agree to the ``Principles of
Proper Conduct for ONC-ACBs.''
Our burden estimates were based on the assumption that potential
applicants will be familiar with many of the application requirements
and will, for example, already have a majority--if not all--of the
documentation requested
[[Page 1313]]
already developed and available before applying for ONC-ACB status.
Comments. We received one comment expressing agreement that most
potential applicants would likely have a majority of the necessary
documentation available when applying for ONC-ACB status. The commenter
contended, however, that we should add a minimum of an additional 200
hours of staff time in consideration of the effort that will be
required by an organization to become accredited, which the commenter
noted is a prerequisite for applying for ONC-ACB status.
Response. We believe that the commenter's concerns related to the
effort to become accredited are best addressed in our discussion of
accreditation costs for potential ONC-ACB applicants under the
regulatory impact analysis section of this final rule. The burden
described under this section is for PRA purposes and is confined to the
actual collection and submission of information required to apply for
ONC-ACB status as specified in Sec. 170.520. We note, however, that in
the Proposed Rule we did not specifically attribute an amount of time
(i.e., burden) to identifying the type of authorization sought by a
potential applicant. Although identifying the type of authorization
sought is a requirement of Sec. 170.520, we believe any time utilized
to provide this information can be accounted for within the 10 minutes
we have allotted for providing the requested general identifying
information. Accordingly, our estimate of the burden for an applicant
to collect and submit the information necessary to apply for ONC-ACB
status remains the same as specified in the Proposed Rule.
Estimated Annualized Burden Hours
----------------------------------------------------------------------------------------------------------------
Number of
Type of respondent Number of responses per Burden hours Total burden
respondents respondent per response hours
----------------------------------------------------------------------------------------------------------------
Applicant................................... 6 1 1 6
----------------------------------------------------------------------------------------------------------------
C. Collection of Information: ONC-ACB Collection and Reporting of
Information Related to Complete EHR and/or EHR Module Certifications
Section 170.523(f) requires an ONC-ACB to provide ONC, no less
frequently than weekly, a current list of Complete EHRs and/or EHR
Modules that have been certified as well as certain minimum information
about each certified Complete EHR and/or EHR Module.
We did not receive any comments on this collection of information.
We have, however, as we did for the related temporary certification
program provision, specified in this final rule two additional
reporting elements that must be submitted by ONC-ACBs on a weekly basis
(i.e., clinical quality measures to which a Complete EHR or EHR Module
has been certified and, where applicable, any additional software a
Complete EHR or EHR Module relied upon to demonstrate its compliance
with a certification criterion or criteria adopted by the Secretary).
ONC-ACBs will be capturing these additional reporting elements in
conjunction with the other information we request that they report on a
weekly basis. Consequently, we do not believe that the reporting of
these two additional elements will increase the reporting burden for
ONC-ACBs.
For the purposes of estimating the potential burden, we have
maintained our prior assumptions. We assume that all of the estimated
applicants will apply and become ONC-ACBs (i.e., 6 applicants). We also
assume that ONC-ACBs will report weekly (i.e., respondents will respond
52 times per year). Finally, we assume that the information collections
will be accomplished through electronic data collection and storage,
which will be part of the normal course of business for ONC-ACBs.
Therefore, with respect to this proposed collection of information, the
estimated burden is limited to the actual electronic reporting of the
information to ONC.
Estimated Annualized Burden Hours
----------------------------------------------------------------------------------------------------------------
Number of Average burden
Type of respondent Number of responses per hours per Total burden
respondents respondent response hours
----------------------------------------------------------------------------------------------------------------
ONC-ACB Certification Results............... 6 52 1 312
----------------------------------------------------------------------------------------------------------------
D. Collection of Information: Records Retention Requirements
Section 170.523(g) requires ONC-ACBs to retain certification
records for 5 years. In the Proposed Rule, we stated our belief, based
on our consultations with NIST, that the 5-year requirement was in line
with common industry practice and, consequently, would not represent an
additional cost to ONC-ACBs. We did not receive any comments related to
our assertion and, therefore, maintain our belief that the 5-year
record retention requirement will not create a burden or additional
cost for ONC-ACBs.
E. Collection of Information: Submission of Surveillance Plan and
Surveillance Results
Section 170.523(i) requires an ONC-ACB to submit an annual
surveillance plan to the National Coordinator and annually report to
the National Coordinator its surveillance results.
For the purposes of estimating the potential burden, we assume that
all of the estimated number of applicants for the permanent
certification program (i.e., six) will become ONC-ACBs. We anticipate
that the burden for each ONC-ACB will be the same based on the
following assumptions. We assume that all surveillance plans will be
fairly comparable. We also assume that all ONC-ACBs will, on average,
have a similar burden in submitting results. Finally, we assume that an
ONC-ACB will submit a copy of their annual surveillance plan and
annually report surveillance results by either electronic transmission
or paper submission. In either instance, we believe that an ONC-ACB
will spend a similar amount of time and effort in organizing,
categorizing and submitting the requested information. Therefore, we
estimate that an ONC-ACB will annually allocate 1 hour to submit the
[[Page 1314]]
plan (response 1) and 1 hour to report the results (response
2). Our estimates are expressed in the table below.
Estimated Annualized Burden Hours
----------------------------------------------------------------------------------------------------------------
Number of Average burden
Type of respondent Number of responses per hours per Total burden
respondents respondent response hours
----------------------------------------------------------------------------------------------------------------
ONC-ACB Surveillance Plan and Results....... 6 2 1 12
----------------------------------------------------------------------------------------------------------------
As required by section 3504(h) of the PRA, we have submitted a copy
of this document to OMB for its review of these information collection
requirements.
VI. Regulatory Impact Analysis
A. Introduction
We have examined the impacts of this final rule as required by
Executive Order 12866 on Regulatory Planning and Review (September 30,
1993, as further amended), the Regulatory Flexibility Act (RFA) (5
U.S.C. 601 et seq.), section 202 of the Unfunded Mandates Reform Act of
1995 (2 U.S.C. 1532), Executive Order 13132 on Federalism (August 4,
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis (RIA) must be prepared for major rules with economically
significant effects ($100 million or more in any one year). Based on
the analysis of costs and benefits that follows, we have determined
that this final rule covering the permanent certification program is
not an economically significant rule because we estimate that the
overall costs and benefits associated with the permanent certification
program, including the costs associated with the testing and
certification of Complete EHRs and EHR Modules, to be less than $100
million per year. Nevertheless, because of the public interest in this
final rule, we have prepared an RIA that to the best of our ability
presents the costs and benefits of the final rule.
B. Why is this rule needed?
As stated in earlier sections of this final rule, section
3001(c)(5) of the PHSA provides the National Coordinator with the
authority to establish a certification program or programs for the
voluntary certification of HIT. This final rule is needed to outline
the processes by which the National Coordinator would exercise this
authority to authorize certain organizations to certify Complete EHRs,
EHR Modules, and/or other types of HIT. As to Complete EHRs and EHR
Modules, once certified, they will be able to be used by eligible
professionals and eligible hospitals as, or be combined to create,
Certified EHR Technology. Eligible professionals and eligible hospitals
who seek to qualify for incentive payments under the Medicare and
Medicaid EHR Incentive Programs are required by statute to use
Certified EHR Technology.
C. Executive Order 12866--Regulatory Planning and Review Analysis
1. Comment and Response
Comments. As recited in the Temporary Certification Program final
rule, we received a few comments that expressed concerns that the costs
we attributed in the Proposed Rule related to the testing and
certification of Complete EHRs and EHR Modules were too high,
unrealistic, and unreliable. One commenter requested that we remove our
cost estimates because they believed they were based on a monopolistic
pricing structure. Other commenters indicated that we should regulate
the pricing related to testing and certification in order to ensure
that prices were not exorbitant and did not preclude smaller Complete
EHR and EHR Module developers from being able to attain certification
for their EHR technology.
Response. We understand the commenters' concerns; however, we have
a responsibility to put forth a good faith effort to estimate the
potential costs associated with this final rule. Part of that effort
includes using the best available data to inform our assumptions and
estimates. While we were open to revising our cost estimates in
response to public comment, in no instance did a commenter provide
alternative estimates or reference additional information from which we
could base revisions. Conversely, we believe that commenters who
expressed concerns about the potential costs, largely did so from the
perspective of stating a request that we ensure the costs for testing
and certification were not prohibitively high.
While we understand these commenters' perspectives, we do not
believe that it is appropriate to dictate the minimum or maximum amount
an ONC-ACB should be able to charge for certifying a Complete EHR or
EHR Module. Based on the number of applicants we have granted ONC-ATCB
status, we anticipate that we will there will be multiple ONC-ACBs that
will compete for market share under the permanent certification
program. As a result of this expected competition, we believe that
there could also be increased downward pressure on the costs associated
with testing and certification. If that cost pressure occurs, we
believe that the upper ranges of the cost estimates we provide in this
final rule could be overestimates.
Comments. We received one comment expressing agreement that most
potential applicants would likely have a majority of the necessary
documentation available when applying for ONC-ACB status. The commenter
contended, however, that we should add a minimum of an additional 200
hours of staff time in consideration of the effort that will be
required by an organization to become accredited.
Response. We believe that attributing 200 hours of staff time for
preparing and participating in the accreditation process is reasonable.
We also believe that it is appropriate to calculate the cost of the
staff time at a position equivalent to a Federal GS-15, Step 1
employee. Accordingly, we have supplemented our original cost estimates
to account for this staff time and have provided revised total cost
estimates for accreditation and the ONC-ACB application process under
the section titled ``Application Process for ONC-ACB Status'' in this
RIA.
Comments. Some commenters questioned our estimates related to the
number of EHR Modules we expected to be tested and certified. One
commenter suggested that the number of self-developed EHR Modules
should be much higher than we estimated. Other commenters expressed
that this rule
[[Page 1315]]
needed to account for other costs associated with testing and
certification (e.g., reprogramming a Complete EHR or EHR Module) and
not just the costs associated with the application process and for
Complete EHRs and EHR Modules to be tested and certified. One commenter
suggested that if our estimates of the number of EHR Modules and
Complete EHRs that will be tested and certified and the costs for
testing and certification are accurate, then the commenter contended
that there will not be a sufficient market for sustaining ONC-ACBs and,
therefore, ONC should assume all costs for testing and certification.
Response. As discussed in the Temporary Certification Program final
rule (75 FR 36197), the certification programs final rules are part of
a coordinated rulemaking effort. Each rule accounts for its specific
effects. In the ``Health Information Technology: Initial Set of
Standards, Implementation Specifications, and Certification Criteria
for Electronic Health Record Technology'' interim final rule (75 FR
2038), we summarized these effects as follows:
While there is no bright line that divides the effects of this
interim final rule and the other two noted above, we believe that
each analysis properly focuses on the direct effects of the
provisions it creates. This interim final rule estimates the costs
commercial vendors, open source developers, and relevant Federal
agencies will incur to prepare Complete EHRs and EHR Modules to be
tested and certified to adopted standards, implementation
specifications, and certification criteria. The Medicare and
Medicaid EHR Incentive Programs proposed rule estimates the impacts
related to the actions taken by eligible professionals or eligible
hospitals to become meaningful users, including purchasing or self-
developing Complete EHRs or EHR Modules. The HIT Certification
Programs proposed rule estimates the testing and certification costs
for Complete EHRs and EHR Modules.
As result, we estimate in this final rule, as we had before, the
effects of the application process for ONC-ACB status and the costs for
Complete EHRs and EHR Modules to be tested and certified by ONC-ACBs.
The HIT Standards and Certification Criteria final rule (75 FR 44590)
provides our final analysis of the estimated costs commercial vendors,
open source developers, and relevant Federal agencies will incur to
prepare Complete EHRs and EHR Modules to be tested and certified to
adopted standards, implementation specifications, and certification
criteria, while the Medicare and Medicaid EHR Incentive Programs final
rule (75 FR 44314) provides a final analysis of the impacts related to
the actions taken by eligible professionals or eligible hospitals to
become meaningful users, including purchasing or self-developing
Complete EHRs or EHR Modules.
As we stated in the Temporary Certification Program final rule,
with respect to EHR Modules, especially self-developed EHR Modules, we
agree with those commenters regarding our estimates and have provided
revised estimates that factor in a potential larger number of self-
developed EHR Modules. While neither commenter who offered this concern
related to EHR Modules provided any data to substantiate their claims,
we determined that this revision was necessary because we had
previously grouped self-developed Complete EHRs and EHR Modules
together. Upon further review and other comments addressed above
regarding EHR Modules, we believe that in order to provide a more
accurate estimate, self-developed Complete EHRs and EHR Modules should
be separately accounted for. We believe our prior estimates related to
self-developed Complete EHRs and EHR Modules are more appropriately
attributable to the number of self-developed Complete EHRs.
Accordingly, we have developed new estimates (captured in the
discussion and tables below) for the number of self-developed EHR
Modules that we believe will be presented for testing and certification
under the permanent certification program. We believe that our new
estimates indicate that there will be a sufficient market to sustain an
appropriate amount of ONC-ACBs necessary for the success of the
permanent certification program. Further, we do not believe that it is
appropriate for ONC to enter the market where private entities have
concluded that there is a sufficient market for the testing and
certification of HIT to be willing to perform the testing and
certification of HIT. This conclusion has arguably been validated by
the fact that 5 private entities have already become ONC-ATCBs under
the temporary certification program.
2. Executive Order 12866 Final Analysis
As required by Executive Order 12866, we have examined the economic
implications of this final rule as it relates to the permanent
certification program. Executive Order 12866 directs agencies to assess
all costs and benefits of available regulatory alternatives and, when
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety, and other advantages; distributive impacts; and
equity). Executive Order 12866 classifies a regulation as significant
if it meets any one of a number of specified conditions, including
having an annual effect on the economy of $100 million, or in a
material way adversely affecting the economy, a sector of the economy,
competition, or jobs. While this final rule is therefore not
``economically significant,'' as defined by Executive Order 12866, OMB
has determined that this final rule constitutes a ``significant
regulatory action'' as defined by Executive Order 12866 because it
raises novel legal and policy issues.
a. Permanent Certification Program Estimated Costs
i. Request for ONC-AA Status
Costs for Accreditation Organizations
We believe that at most two accreditation organizations will
prepare and submit the information sought by the National Coordinator.
Additionally, we estimate that it will take 1 hour to prepare and
submit a request for ONC-AA status. We believe that an employee
equivalent to the Federal Salary Classification of GS-15 Step 1 would
be responsible for preparing and submitting the required information.
We have utilized the corresponding employee hourly rate for the
locality pay area of Washington, DC, as published by the OPM, to
calculate our cost estimates. We have also calculated the costs of an
employee's benefits while preparing and submitting the required
information to be considered for ONC-AA status. We have calculated
these costs by assuming that an accreditation organization expends
thirty-six percent (36%) of an employee's hourly wage on benefits for
the employee. We have concluded that a 36% expenditure on benefits is
an appropriate estimate because it is the routine percentage used by
HHS for contract cost estimates. Our cost estimates are expressed in
Table 2 below.
[[Page 1316]]
Table 2--Permanent Certification Program: Cost to Accreditation Organizations To Submit the Information Required
To Become an ONC-AA
----------------------------------------------------------------------------------------------------------------
Employee Cost of employee
Requirement Employee Burden hourly wage benefits per Total cost per
equivalent hours rate hour applicant
----------------------------------------------------------------------------------------------------------------
Submission of Request for ONC-AA GS-15 Step 1...... 1 $59.30 $21.35 $80.65
Status.
----------------------------------------------------------------------------------------------------------------
Using our estimates above, we believe that the cost to submit the
information required to become an ONC-AA will be $81 and the total cost
for the two accreditation organizations that we estimate will submit
requests for ONC-AA status will be $161. Based on our estimate of two
accreditation organizations submitting the required documentation to be
considered for ONC-AA status and on the requirement that an ONC-AA be
selected every three years, we estimate the annualized cost of
requesting ONC-AA status to be $54.
Costs to the Federal Government
We anticipate that there will be costs associated with reviewing
the information provided by accreditation organizations requesting to
become an ONC-AA under the permanent certification program. We believe
that a GS-15 Step 1 employee will review the submissions and the
National Coordinator (or designated representative) will issue final
decisions on all submissions. We anticipate that it will take 40 hours
to review all submissions and reach a final decision on the best
qualified accreditation organization. This estimate includes the time
necessary to review the additional documentation that is now required
to be submitted related to an accreditation organization's proposed
administration of surveillance by ONC-ACBs and to prepare a briefing
for the National Coordinator on approving the best qualified ONC-AA.
This estimate also includes the time of the National Coordinator and
other senior executive officials devoted to reaching a decision on the
best qualified ONC-AA. Their time has been included in the 40 hour
estimate at the GS-15 cost level. We estimate the Federal government's
overall cost to review the submissions and approve an ONC-AA to be
$3,226. Based on our estimate of two accreditation organizations
submitting the required documentation to be considered for ONC-AA
status and on the requirement that an ONC-AA be selected every three
years, the annualized cost to the Federal government for reviewing the
submissions for ONC-AA status will be $1,075. If we notify the public
of the selection of the ONC-AA by posting the information on our Web
site and/or by issuing a press release, we believe that we will incur
negligible costs from these actions.
ii. Application Process for ONC-ACB Status
Costs for Applicant
Similar to the temporary certification program, an applicant for
ONC-ACB status will be required to submit an application. However,
unlike the temporary certification program, an applicant for ONC-ACB
status must be accredited in order to be a qualified ONC-ACB applicant.
As specified in the Proposed Rule, we estimate that there will be 6
applicants for ONC-ACB status under the permanent certification program
and that those 6 applicants will first seek and become accredited by an
ONC-AA. Because accreditation will include a demonstration of
conformance to Guide 65 for all organizations that seek to be
accredited, we do not believe that there will be a difference in the
cost of accreditation for organizations who seek to become ONC-ACBs for
EHR Modules versus ONC-ACBs for Complete EHRs.
Based on our consultations with NIST, we estimate that it will take
approximately 2 to 5 days for an ONC-AA to complete the accreditation
process. We anticipate that accreditation applicants with incur an
estimated $5,000 administrative fee and the cost of the accreditation
assessment will be approximately $15,000. In response to public
comment, we have calculated a cost for the staff time necessary to
prepare and participate in the accreditation assessment. We have
accepted the commenter's suggestion that 200 hours of staff time is
appropriate to attribute to preparation and participation in the
accreditation assessment and have calculated the corresponding cost for
this time based on the assumption that an employee equivalent to a
Federal GS-15 employee would be responsible for preparation and
participation in the accreditation assessment. A GS-15 employee's
hourly wage with benefits is approximately $80.65. Therefore, the
estimated staff cost for accreditation is $16,130.
We expect that the accreditation renewal process will occur once
between 2012 and 2016 for each ONC-ACB and assume that the
accreditation renewal process will be less onerous than the initial
accreditation process because an ONC-ACB will be able to rely on the
information it previously prepared for its initial accreditation as
well as any such information it has produced during the ongoing
maintenance of its accreditation. Additionally, because the estimated
number of organizations that could become an ONC-AA is small, we
believe that it is reasonable to assume that the ONC-ACB would be
accredited by the same ONC-AA and thus a completely new review of the
ONC-ACB may not be necessary. We believe a completely new review would
likely not be necessary because the ONC-AA will already be familiar
with the ONC-ACB and have its documentation on file, and we do not
expect that an ONC-ACB will make such drastic changes to its policies
or procedures which will necessitate a lengthy assessment of their
competency by an ONC-AA.
We estimate that it will take no more than 3 days to conduct the
accreditation renewal process and that the accreditation assessment
will cost $10,000. In addition, we have similarly added a cost estimate
to account for staff time to prepare and participate in the
accreditation renewal process. As with our other renewal cost
estimates, we anticipate that a reduced amount of staff time will be
required. We have estimated that an employee equivalent to a GS-15
Federal employee will be responsible for preparation and participation
in the accreditation renewal process and that no more than 100 hours of
the employee's time will be required. As noted, a GS-15 employee's
hourly wage with benefits is approximately $80.65. Therefore, the
estimated staff cost for an accreditation renewal assessment is $8,065.
The total estimated cost for an ONC-ACB to become accredited is
$36,130 and the total estimated cost for it to renew its accreditation
is $18,065. These estimated costs are expressed in Table 4 below.
After becoming accredited by an ONC-AA, an applicant for ONC-ACB
[[Page 1317]]
status will incur minimal costs to prepare and submit an application to
the National Coordinator. As noted in the collection of information
section, we believe that it will take 10 minutes to provide the general
information requested in the application, 30 minutes to assemble the
information necessary to provide documentation of accreditation by an
ONC-AA, and 20 minutes to review and agree to the ``Principles of
Proper Conduct for ONC-ACBs.'' We believe that these time estimates
will also hold true when applying to renew ONC-ACB status.
Based on our consultations with NIST, we believe that an employee
equivalent to the Federal Salary Classification of GS-9 Step 1 could
provide the required general identifying information and documentation
of accreditation status. We believe that an employee equivalent to the
Federal Salary Classification of GS-15 Step 1 would be responsible for
reviewing and agreeing to the ``Principles of Proper Conduct for ONC-
ACBs.'' We have taken these employee assumptions and utilized the
corresponding employee hourly rates for the locality pay area of
Washington, DC, as published by the OPM, to calculate our cost
estimates. We have also calculated the costs of an employee's benefits
while completing the application. We have calculated these costs by
assuming that an applicant expends thirty-six percent (36%) of an
employee's hourly wage on benefits for the employee. We have concluded
that a 36% expenditure on benefits is an appropriate estimate because
it is the routine percentage used by HHS for contract cost estimates.
We believe that these same assumptions hold true for applying to renew
ONC-ACB status. Our cost estimates are expressed in Table 3 below.
Table 3--Permanent Certification Program: Cost to Applicants To Apply To Become ONC-ACBs and Cost for ONC-ACBs
To Apply for Status Renewal
----------------------------------------------------------------------------------------------------------------
Employee Cost of
Requirement Employee Burden hours hourly wage employee ben- Cost per
equivalent rate efits per hour applicant
----------------------------------------------------------------------------------------------------------------
General Identifying GS-9 Step 1..... 10/60 $22.39 $8.06 $5.07
Information.
Documentation of Accreditation GS-9 Step 1..... 30/60 22.39 8.06 15.23
Principles of Proper Conduct.. GS-15 Step 1.... 20/60 59.30 21.35 26.88
---------------------------------------------------------------
Total Cost per Applicant.................................................................... $47.18
----------------------------------------------------------------------------------------------------------------
We have estimated the applicant costs and ONC-ACB renewal costs
through 2016, but no further, because we believe that it is premature
to assume how the meaningful use requirements will change when
incentive payments are no longer available for eligible professionals
and eligible hospitals under the Medicare EHR incentive program and
what impact, if any, those potential changes will have on the permanent
certification program. Using our estimates above, we believe that the
average initial cost for an applicant to become accredited and apply to
be an ONC-ACB will be approximately $36,177 and the total cost for all
6 applicants will be approximately $217,062. We estimate that between
2012 and 2016 that all applicants will renew their accreditation and
ONC-ACB status once. As noted, we assume that the costs for an ONC-ACB
to renew its status with the National Coordinator will be similar in
burden to its initial application. We believe that the average cost for
an ONC-ACB to renew its accreditation and ONC-ACB status will be
approximately $18,112 and the total renewal costs for all ONC-ACBs will
be approximately $108,672. We estimate that the total costs of the
accreditation, application and renewal processes under the proposed
permanent certification program between 2012 and 2016 would be
approximately $54,289 per applicant/ONC-ACB and approximately $325,734
for all applicants/ONC-ACBs. Based on our cost estimate timeframe of 5
years (2012 through 2016), the annualized cost would be $65,147.
Table 4--Permanent Certification Program: Total Costs of Certification Accreditation, Applying for ONC Certification Authorization, and Accreditation
and Authorization Renewal Between 2012 and 2016
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost to apply
Cost of for Cost to renew Cost to Total cost
Anticipated number of applicants accreditation certification accreditation renew ONC- estimate per
per applicant authorization per applicant ACB status applicant/ ONC-
per applicant ACB
--------------------------------------------------------------------------------------------------------------------------------------------------------
6.................................................................. $36,130 $47 $18,065 $47 $54,289
------------------------------------------------------------------------------------
Total Cost of Accreditation, Application and Renewal.............................................................................. $325,734
--------------------------------------------------------------------------------------------------------------------------------------------------------
Costs to the Federal Government
We estimate the cost to develop the ONC-ACB application to be $350
based on the 5 hours of work we believe it will take a Federal Salary
Classification GS-14 Step 1 employee located in Washington, DC to
develop an application form. We also anticipate that there will be
costs associated with reviewing applications under the permanent
certification program. We expect that a GS-15 Step 1 employee will
review the applications and the National Coordinator (or designated
representative) will issue final decisions on all applications. We
anticipate that it will take approximately 20 hours to review and reach
a final decision on each application. This estimate assumes a
satisfactory application (i.e., no formal deficiency notifications) and
includes the time necessary to verify the information in each
application and prepare a briefing for the National Coordinator. We
estimate the cost for the application review process to be $10,392. As
a result, we estimate the Federal government's overall cost of
administering the entire application process at approximately $10,742.
Based on our cost estimate timeframe of 5 years (2012 through 2016),
the
[[Page 1318]]
annualized cost to the Federal government will be $2,148.
As previously noted, we will also post the names of applicants
granted ONC-ACB status on our Web site. We believe that there will be
minimal cost associated with this action and have calculated the
potential cost to be approximately $312 on an annual basis for posting
and maintaining the information on our Web site (a maximum of 6 hours
of work for a Federal Salary Classification GS-12 Step 1 employee
located in Washington, DC).
iii. Testing and Certification of Complete EHRs and EHR Modules
Section 3001(c)(5)(A) of the PHSA indicates that certification is a
voluntary act; however, due to the fact that the Medicare and Medicaid
EHR Incentive Programs require eligible professionals and eligible
hospitals to use Certified EHR Technology in order to qualify for
incentive payments, we anticipate that Complete EHR and EHR Module
developers will seek to have their HIT tested and certified under the
permanent certification program.
As previously stated in our discussion of the appropriate timeframe
for estimating costs for the ONC-ACB application process, we estimate
costs through 2016, but no further, because we believe that it is
premature to assume how the meaningful use requirements will change
when incentive payments are no longer available for eligible
professionals and eligible hospitals under the Medicare EHR incentive
program. Although CMS intends to promulgate updates to the meaningful
use stages every 2 years, we assume that there could be more time
between stages (i.e., greater than 2 years) in years when incentive
payments are no longer available under the Medicare EHR incentive
program based on evaluations of earlier meaningful use stages, public
feedback, and other factors, which could affect when Complete EHRs and/
or EHR Modules would need to be recertified. However, we do expect
meaningful use requirements between 2012 and 2016 to become more
demanding and iterate every 2 years. Therefore, we can assume that
Complete EHRs and EHR Modules will need to be tested and certified
twice during this time period.
As specified in the Temporary Certification Program final rule, we
believe that approximately 93 commercial/open source Complete EHRs and
50 EHR Modules will be tested and certified to the 2011/2012
certification criteria adopted by the Secretary. In addition to the
testing and certification of these Complete EHRs and EHR Modules, we
anticipate that a percentage of eligible professionals and eligible
hospitals will themselves incur the costs associated with the testing
and certification of their self-developed Complete EHR or EHR Module(s)
to the 2011/2012 certification criteria adopted by the Secretary.
With respect to the potential for eligible professionals to seek
testing and certification for a self-developed Complete EHR, DesRoches
found that only 5% of physicians are in large practices of over 50
doctors.\4\ Of these large practices, 17% use an ``advanced EHR
system'' that could potentially be tested and certified if it were
self-developed (we assume that smaller physician practices do not have
the resources to self-develop a Complete EHR). We are unaware of any
reliable data on the number of large practices who may have a self-
developed Complete EHR for which they would seek to be tested and
certified. As a result, we have developed an estimate based on
currently available data. We believe that the total number of eligible
professionals in large practices who both possess an IT staff with the
resources to develop and support a Complete EHR and would seek to have
such a self-developed Complete EHR tested and certified will be low--no
more than 10%. By taking CMS's estimate of approximately 550,000
eligible professionals (75 FR 44548) we multiply through by the numbers
above (550,000 x .05 x .17 x .10) and then divide by a practice size of
at least 50 which yields approximately 9 self-developed Complete EHRs
designed for an ambulatory setting that could be submitted for testing
and certification to the 2011/2012 certification criteria adopted by
the Secretary. Additionally, we believe that a reasonable estimate for
the number of large practices with the IT staff and resources to self-
develop an EHR Module and that would seek to have such an EHR Module
tested and certified can also be derived from the calculation above but
with a few differences. We start with the total number of large
practices from the calculation above (~94). We then assume an average
number (1.25) of self-developed EHR Modules for this group of large
practices and further refine this estimate by providing low and high
probability assumptions (10% and 70%, respectively) to represent the
likelihood that any one of these large practices possesses a self-
developed EHR Module that they would seek to have tested and certified.
Our calculations produce a minimum estimate of 12 and a maximum
estimate of 82 EHR Modules that may be presented for testing and
certification to the 2011/2012 certification criteria adopted by the
Secretary. Given that no commenter provided data to further support
this estimate, we believe that our maximum number of self-developed EHR
Modules estimate is generous. While we do not dispute that practice
sizes smaller than 50 could also possess self-developed EHR Modules, we
believe those smaller practices will be the exception, not the rule,
and that separately calculating a total for these smaller practices
would produce a negligible amount of EHR Modules to add to our overall
range.
---------------------------------------------------------------------------
\4\ DesRoches, CM et al. Electronic Health Records in Ambulatory
Care--A National Survey of Physicians, New England Journal of
Medicine, July 2008; 359:50-60.
---------------------------------------------------------------------------
With respect to eligible hospitals, similar to eligible
professionals, we believe that only large eligible hospitals would have
the IT staff and resources available to possess a self-developed
Complete EHR that they would seek to have tested and certified. Again,
we are unaware of any reliable data on the number of eligible hospitals
who may have a self-developed Complete EHR for which they would seek to
be tested and certified. Further, we believe that with respect to EHR
Modules the probability varies across different types of eligible
hospitals regarding their IT staff resources and ability to self-
develop an EHR Module and seek to have it tested and certified. As a
result, we have developed estimates based on currently available data.
We have based our calculations on the Medicare eligible hospital table
CMS provided in its final rule (Table 25) (75 FR 44553) which conveys
hospital IT capabilities according to three levels of adoption by
hospital size according to the 2008 AHA annual survey. These three
levels included: (1) Hospitals which had already implemented relatively
advanced systems that included CPOE systems for medications; (2)
hospitals which had implemented more basic systems through which lab
results could be shared, but not CPOE for medications; and (3)
hospitals starting from a base level either neither CPOE or lab
reporting. CMS indicated that CPOE for medication standard was chosen
because expert input indicated that the CPOE standard in the proposed
meaningful use definition will be the hardest one for hospitals to
meet.
As stated above, we believe that only large hospitals (defined in
Table 25 as those with 400+ beds) would have the IT staff and resources
to develop, support, and seek the testing and certification of a self-
developed
[[Page 1319]]
Complete EHR. CMS estimated that 379 large hospitals had met either
``level 1'' or ``level 2.'' As a result, we estimate that approximately
10% of these large eligible hospitals have a self-developed Complete
EHR and would seek to have it tested and certified. This equals about
38 self-developed Complete EHRs that we could expect to be tested and
certified to the 2011/2012 certification criteria adopted by the
Secretary. We believe that this estimate is generous and that a good
portion of the eligible hospitals that would likely seek to qualify for
incentive payments with self-developed Complete EHRs would only do so
for meaningful use Stage 1. After meaningful use Stage 1 we anticipate
that the number of eligible hospitals that would incur the costs of
testing and certification themselves will go down because the effort
involved to maintain a Complete EHR may be time and cost prohibitive as
the Secretary continues to adopt additional certification criteria to
support future stages of meaningful use.
With respect to hospital self-developed EHR Modules, we believe the
probability varies across different types of eligible hospitals (CAHs,
Small/Medium, and Large) regarding their IT staff resources and ability
to self-develop EHR Modules. For each hospital type, we have estimated
a minimum and a maximum number of EHR Modules that we could expect to
be self-developed and presented for testing and certification to the
2011/2012 certification criteria adopted by the Secretary. For CAHs, we
estimate a minimum of 7 and a maximum of 68 EHR Modules. For small and
medium hospitals, we estimate a minimum of 163 and a maximum of 488.
For large hospitals, we estimate a minimum of 190 and a maximum of 531.
Again, we believe that our maximum estimates of self-developed EHR
Modules are generous; however, to examine how we reached our estimates,
please review our calculations specified in Table 5 below.
Table 5--Estimated Number of Self-Developed EHR Modules Designed for an Inpatient Setting Stratified by Type of Eligible Hospital for Testing and
Certification to the 2011/2012 Certification Criteria Adopted by the Secretary
--------------------------------------------------------------------------------------------------------------------------------------------------------
Average number
Percent with Percent with of EHR Miniml number Maximum number
Type of eligible hospital Number of EHs EHR Module EHR Module Modules, if of EHR of EHR Modules
(low) (high) any Modules
--------------------------------------------------------------------------------------------------------------------------------------------------------
CAH..................................................... 616 1 10 1.1 7 68
S/M..................................................... 2169 5 15 1.5 163 488
Large................................................... 379 25 70 2.0 190 531
-----------------------------------------------------------------------------------------------
Total............................................... 3164 .............. .............. .............. 360 1087
--------------------------------------------------------------------------------------------------------------------------------------------------------
Even though under the permanent certification program the costs for
testing and certification could presumably be attributed to different
entities (i.e., testing costs to a NVLAP-accredited testing laboratory
and certification costs to an ONC-ACB), we have included them together
in an effort to reflect the overall effect of this final rule. In
addition, our cost range for the testing and certification of Complete
EHRs and EHR Modules includes consideration of how the testing and
certification will be conducted (i.e., by remote testing and
certification, on-site testing and certification, or at the ONC-ATCB
and for the complexity of an EHR Module).
As recited in the Proposed Rule, CCHIT testified on July 19, 2009
in front of the HIT Policy Committee on the topic of EHR certification,
including the certification of EHR Modules. CCHIT estimated that ``EHR-
comprehensive'' according to CCHIT certification criteria would have
testing and certification costs that would range from approximately
$30,000 to $50,000. CCHIT also estimated that the testing and
certification of EHR Modules would range from approximately $5,000 to
$35,000 depending on the scope of the testing and certification. We
believe that these estimates provide a reasonable foundation and have
used them for our cost estimates for the temporary certification
program and as the basis for estimating costs for the permanent
certification program. However, we assume that competition in the
testing and certification markets will reduce the costs of testing and
certification as estimated by CCHIT but we are unable to provide a
reliable estimate at this time of what the potential reduction in costs
might be.
In creating tables 6 through 13 below, we made the following
assumptions:
The cost for testing and certification will remain the
same in the permanent certification program as they were in the
temporary certification program even with the additional requirement of
surveillance on the part of ONC-ACBs (which we would expect to be
included in the cost they charge Complete EHR and/or EHR Module
developers). We believe this is a reasonable assumption because of the
low and high cost ranges we have estimated.
That testing and certification costs will be unevenly
distributed across subsequent years. We assume that there will be an
increase in the year preceding the next stage of meaningful use and a
decline between stages because Complete EHR and EHR Module developers
will likely want to have their products certified as soon as possible
to new standards and certification criteria so that they can be
available to eligible professionals and hospitals for meaningful use
purposes. With respect to the peak years for when testing and
certification costs would most likely occur, we assume that those peak
years will be 2012 and 2014, the years preceding the proposed start
dates of meaningful use Stages 2 and 3, respectively. We assume that an
increase would encompass 85% of the Complete EHRs and EHR Modules to be
certified, which would represent most, if not all, Complete EHRs and
EHR Modules previously certified to the 2011/2012 certification
criteria adopted by the Secretary and that the remaining 15% of testing
and certification costs for 2013 would likely represent new EHR Module
entrants to the HIT marketplace and Complete EHR or EHR Module
developers who were late to get certified.
We assume that commercial/open source Complete EHR
developers will continue to consolidate due to mergers and acquisitions
and that this consolidation would occur at a rate of 5% between
meaningful use stages. Therefore, we believe that fewer commercial/open
source Complete EHRs will need to be tested and certified prior to each
meaningful use stage.
[[Page 1320]]
Conversely, we assume that the number of commercial/open
source-developed EHR Modules that would need to be tested and certified
to meet associated meaningful use Stage 2 (2013/2014) certification
criteria and beyond will grow at a rate of 20% between meaningful use
stages (i.e., based on our prior estimate of 50 EHR Modules between
2010 and 2012, there would be 10 new modules developed during 2012 and
during meaningful use Stage 2 to meet certification criteria associated
with meaningful use Stage 2). We believe our growth rate is reasonable
because the cost barrier for EHR Modules to enter the market will be
much less than a Complete EHR. Coupled with the ability of small or
start-up HIT developers to enter the market we believe that the
potential of EHR Modules will lead to a constant stream of new entrants
year after year.
The number of eligible professionals and eligible
hospitals that incur the testing and certification costs for their
self-developed Complete EHRs for meaningful use Stage 2 will drop by
50% in 2012 and another 25% in 2014 and level out after 2014 due to our
assumption, that by 2014, and the proposed start of meaningful use
Stage 3, all of the eligible professionals and eligible hospitals who
still have a self-developed Complete EHR are likely to maintain their
HIT rather than switch to a commercial product.
The number of eligible professionals and eligible
hospitals that incur the testing and certification costs for their
self-developed EHR Modules will remain in the range we have provided
for testing and certification to the 2011/2012 certification criteria
adopted by the Secretary. We believe this is the most reliable estimate
at this time for a couple of reasons. First, we have provided a
generous maximum estimate of EHR Modules that we believe will be self
developed and should account for any potential increase in self-
developed EHR Modules during future meaningful use stages. Second, and
most importantly, we have no information that would suggest a
particular direction for the market. We see the potential for a variety
of ways that the market could progress, some of which include multiple
self-developed EHR Modules being replaced by one commercial/open source
EHR Module, more self-developed EHR Modules being created, or an
equilibrium being created by eligible professionals and eligible
hospitals switching from commercial to self-developed EHR Modules and
vice versa. Without knowing the direction of the market, we believe
that our estimated range of EHR Modules for testing and certification
to the 2011/2012 certification criteria adopted by the Secretary is the
most appropriate and reliable estimate to use for establishing
projected testing and certification costs for meaningful use Stages 2
and 3.
We assume that gap certification, as described in this
final rule, will likely reduce the costs of certification. However,
because of unknown variables such as the number of Complete EHRs and
EHR Modules that will be eligible for gap certification and how readily
ONC-ACBs will use gap certification, our cost estimates may vary from
the actual costs for testing and certification to certification
criteria associated with later stages of meaningful use.
As previously mentioned, we anticipate that the temporary
certification program will sunset on December 31, 2011, or on a
subsequent date that is determined to be appropriate by the National
Coordinator. Therefore, it is quite possible that the permanent
certification program could commence at the start of 2012 and ONC-ACBs
would begin conducting certifications at that time. Taking this into
consideration, as similarly calculated for the temporary certification
program costs (75 FR 36201), we have estimated and attributed to the
permanent certification program's costs the 2012 costs for testing and
certifying 15% of the overall number of Complete EHRs and EHR Modules
that could potentially be tested and certified to the 2011/2012
certification criteria adopted by the Secretary. This 15% 2012 cost for
testing and certification is represented by 15% of the number of each
type of Complete EHR and EHR Module we have estimated would be tested
and certified to the 2011/2012 certification criteria adopted by the
Secretary multiplied by the appropriate estimated costs for testing and
certification. The overall cost is expressed in Table 6 below. It
should be noted that the cost estimates are different than the cost
estimates expressed in the Temporary Certification Program final rule
for 2012 because they are based on an increased number of large
practice groups and eligible hospitals that may self-develop a Complete
EHR and/or EHR Module as specified in the Medicare and Medicaid EHR
Incentive Programs final rule (75 FR 44548, 44553).
Table 6--Distributed Total Costs for the Testing and Certification of Complete EHRs and EHR Modules to the 2011/
2012 Certification Criteria Adopted by the Secretary Under the Permanent Certification Program
----------------------------------------------------------------------------------------------------------------
Total low cost Total high cost Total average cost
Year Ratio estimate estimate estimate
($M) ($M) ($M)
----------------------------------------------------------------------------------------------------------------
2012 15% $.95 $7.46 $3.30
----------------------------------------------------------------------------------------------------------------
The following tables represent estimated permanent certification
program costs for the testing and certification of Complete EHRs and
EHR Modules to meaningful use (MU) Stages 2 and 3 and include:
MU Stage 2: Commercial/Open Source Complete EHRs and EHR
Modules--Table 7;
MU Stage 2: Self-developed Complete EHRs--Table 8;
MU Stage 2: Self-developed EHR Modules--Table 9;
MU Stage 3: Commercial/Open Source Complete EHRs and EHR
Modules--Table 10;
MU Stage 3: Self-developed Complete EHRs--Table 11;
MU Stage 3: Self-developed EHR Modules--Table 12.
Table 7 illustrates the costs for testing and certification of
commercial/open source Complete EHRs and EHR Modules to meaningful use
Stage 2. We have factored in the assumed 5% reduction in the estimated
number of Complete EHRs presented for meaningful use Stage 1 and 20%
increase of the estimated number of EHR Modules presented for
meaningful use Stage 1. That is, we believe there will be approximately
88 commercial/open source Complete EHRs and 60 EHR Modules that will be
tested and certified to meaningful use Stage 2.
[[Page 1321]]
Table 7--MU Stage 2: Costs for Testing and Certification of Commercial/Open Source Complete EHR and EHR Module under the Permanent Certification Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per complete EHR/EHR Module ($M) Total cost for all complete EHRs/EHR
Number ----------------------------------------- Modules over 3-year period ($M)
Type tested and --------------------------------------
certified Low High Mid-point Low High Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Commercial/Open Source Complete EHR........................ 88 $0.03 $0.05 $0.04 $2.64 $4.40 $3.52
Commercial/Open Source EHR Module.......................... 60 0.005 0.035 0.02 0.30 2.10 1.20
--------------------------------------------------------------------------------------------
Total.................................................. 148 ............ ............ ........... 2.94 6.55 4.72
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 8 illustrates the costs for testing and certification of
eligible professional and eligible hospital self-developed Complete
EHRs to meaningful use Stage 2. We have factored in the assumed 50%
reduction of the estimated number of Complete EHRs presented for
meaningful use Stage 1. That is, we believe there will be approximately
5 self-developed Complete EHRs for an ambulatory setting and 19 self-
developed Complete EHRs for an inpatient setting that will be tested
and certified to meaningful use Stage 2.
Table 8--MU Stage 2: Costs for Testing and Certification of Self-Developed Complete EHRs Under the Permanent Certification Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per complete EHR ($M) Total cost for all complete EHRs over
Number --------------------------------------- 3-year period ($M)
Type tested and --------------------------------------
certified Low High Mid-point Low High Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Self Developed Complete EHRs Ambulatory Setting.............. 5 $0.03 $0.05 $0.04 $0.15 $0.25 $0.20
Self-Developed Complete EHRs Inpatient Setting............... 19 0.03 0.05 0.04 0.57 0.95 0.76
------------------------------------------------------------------------------------------
Total.................................................... 23 ........... ........... ........... 0.72 1.20 0.96
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 9 illustrates the costs for testing and certification of
eligible professional and eligible hospital self-developed EHR Modules
to meaningful use Stage 2. Based on our assumption, the estimated range
of EHR Modules that will be presented for testing and certification to
meaningful use Stage 2 will remain the same as for meaningful use Stage
1. That is, we believe there will be between 12 and 82 self-developed
EHR Modules for an ambulatory setting attributable to large eligible
professional practice groups that will be tested and certified to
meaningful use Stage 2. In addition, we believe there will be between
360 and 1087 self-developed Complete EHRs for an inpatient setting
attributable to CAHs, small/medium hospitals, and large hospitals that
will be tested and certified to meaningful use Stage 2. In total, we
believe there will be a minimum of 372 and a maximum of 1,169 self-
developed EHR Modules that will be tested and certified to meaningful
use Stage 2.
Table 9--MU Stage 2: Costs for Testing and Certification of Self-Developed EHR Modules Under the Permanent Certification Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per EHR Module ($M) Total cost for all EHR Modules over
Number --------------------------------------- 3-year period ($M)
Self-Developed EHR Modules tested and --------------------------------------
certified Low High Mid-point Low High Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Min number of EHR Modules.................................... 372 $0.005 $0.035 $0.02 $1.86 $13.02 $7.44
Max number of EHR Modules.................................... 1,169 0.005 0.035 0.02 5.85 40.92 23.38
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 10 illustrates the costs for testing and certification of
commercial/open source Complete EHRs and EHR Modules to meaningful use
Stage 3. We have factored in the assumed 5% reduction in the estimated
number of Complete EHRs presented for meaningful use Stage 2 and 20%
increase in the estimated number of EHR Modules presented for
meaningful use Stage 2. That is, we believe there will be approximately
84 commercial/open source Complete EHRs and 72 EHR Modules that will be
tested and certified to meaningful use Stage 3.
[[Page 1322]]
Table 10--MU Stage 3: Costs for Testing and Certification of Commercial/Open Source Complete EHRs and EHR Modules Under the Permanent Certification
Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per complete EHR/EHR Module ($M) Total cost for all complete EHRs/EHR
Number --------------------------------------- Modules over 3-year period ($M)
Type tested and --------------------------------------
certified Low High Mid-point Low High Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Commercial/Open Source Complete EHR.......................... 84 $0.03 $0.05 $0.04 $2.52 $4.20 $3.36
Commercial/Open Source EHR Module............................ 72 0.005 0.035 0.02 0.36 2.52 1.44
------------------------------------------------------------------------------------------
Total.................................................... 156 ........... ........... ........... 2.88 6.72 4.80
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 11 illustrates the costs for testing and certification of
eligible professional and eligible hospital self-developed Complete
EHRs to meaningful use Stage 3. We have factored in the assumed 25%
reduction in the estimated number of Complete EHRs presented for
meaningful use Stage 2. That is, we believe there will be approximately
4 self-developed Complete EHRs for an ambulatory setting and 14 self-
developed Complete EHRs for an inpatient setting that will be tested
and certified to meaningful use Stage 3.
Table 11--MU Stage 3: Costs for Testing and Certification of Self-Developed Complete EHRs Under the Permanent Certification Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per complete EHR ($M) Total cost for all complete EHRs over
Number --------------------------------------- 3-year period ($M)
Type tested and --------------------------------------
certified Low High Mid-point Low High Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Self Developed Complete EHRs Ambulatory Setting.............. 4 $0.03 $0.05 $0.04 $0.12 $0.20 $0.16
Self-Developed Complete EHRs Inpatient Setting............... 14 0.03 0.05 0.04 0.42 .70 .56
------------------------------------------------------------------------------------------
Total.................................................... 18 ........... ........... ........... 0.54 .90 0.72
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 12 illustrates the costs for testing and certification of
eligible professional and eligible hospital self-developed EHR Modules
to meaningful use Stage 3. Based on our assumption, the estimated range
of EHR Modules that will be presented for testing and certification to
meaningful use Stage 3 will remain the same as it did for meaningful
use Stages 1 and 2. That is, we believe there will be between 12 and 82
self-developed EHR Modules for an ambulatory setting attributable to
large eligible professional practice groups that will be tested and
certified to meaningful use Stage 3. In addition, we believe there will
be between 360 and 1087 self-developed Complete EHRs for an inpatient
setting attributable to CAHs, small/medium hospitals, and large
hospitals that will be tested and certified to meaningful use Stage 3.
In total, we believe there will be a minimum of 372 and a maximum of
1,169 minimum self-developed EHR Modules that will be tested and
certified to meaningful use Stage 3.
Table 12--MU Stage 3: Costs for Testing and Certification of Self-Developed EHR Modules Under the Permanent Certification Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per complete EHR Module ($M) Total cost for all EHR Modules over
Number --------------------------------------- 3-year period ($M)
Self-developed EHR Modules tested and --------------------------------------
certified Low High Mid-point Low High Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Min number of EHR Modules.................................... 372 $0.005 $0.035 $0.02 $1.86 $13.02 $7.44
Max number of EHR Modules.................................... 1,169 0.005 0.035 0.02 5.85 40.92 23.38
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 13 illustrates the 85% and 15% testing and certification cost
distributions we estimate would be attributable to meaningful use
Stages 2 and 3 (i.e., between 2012 and 2016) under the permanent
certification program. Additionally, we assume that 100% of self-
developed Complete EHRs and EHR Modules would be certified in year that
precedes the next meaningful use stage (i.e., 2012 and 2014) because
eligible professionals and eligible hospitals who remain self-
developers will be motivated to ensure that their HIT can meet the
definition of Certified EHR Technology prior to the beginning of a new
meaningful use stage in order to avoid missing out on the incentives or
being subject to downward payment adjustments. As a result, the costs
for self-developers to get their Complete EHRs or EHR Modules are only
attributed in Table 13 to the years 2012 and 2014. The totals
multiplied by their respective percentages are derived from the tables
above.
[[Page 1323]]
Table 13--Estimated Distributed Yearly Costs for the Testing and Certification of Complete EHRs and EHR Modules
Associated With Meaningful Use Stages 2 and 3 Under the Permanent Certification Program
----------------------------------------------------------------------------------------------------------------
Meaningful Use State and Mid-point
Year(s) Percentage Type Low ($M) High ($M) ($M)
-----------------------------------------------------------------------------------------------------
Stage 2:
2012....................... 85 Commercial/ $2.50............ $5.57 $4.01
100 Open Source 2.58............. 42.12 16.37
SElf-
Developed
2013/2014.................. 15 Commercial/ 0.44............. 0.98 .71
0 Open Source 0................ 0 0
Self-
Developed
Stage 3:
2014....................... 85 Commercial/ 2.45............. 5.71 4.08
100 Open Source 2.40............. 41.82 16.13
Self-
Developed
2015/2016.................. 15 Commercial/ 0.43............. 1.01 0.72
0 OpenSource 0................ 0 0
Self-
Developed
----------------------------------------------------------------------------------------------------------------
iv. Costs for Collecting, Storing, and Reporting Certification Results
Costs to ONC-ACBs
Under the permanent certification program, ONC-ACBs will be
required to provide ONC, no less frequently than weekly, an up-to-date
list of Complete EHRs and/or EHR Modules that have been tested and
certified as well as certain minimum information about each certified
Complete EHR and/or EHR Module.
As stated in the collection of information section, we will require
the reporting of this information on a weekly basis and that it will
take ONC-ACBs about an hour to prepare and electronically transmit the
information to ONC each week (i.e., respondents will respond 52 times
per year). As also noted in the collection of information section and
consistent with the Temporary Certification Program final rule, we have
specified in this final rule two additional reporting elements that
must be submitted by ONC-ACBs on a weekly basis (i.e., clinical quality
measures to which a Complete EHR or EHR Module has been tested and
certified and, where applicable, any additional software a Complete EHR
or EHR Module relied upon to demonstrate its compliance with a
certification criterion or criteria adopted by the Secretary). ONC-ACBs
will be capturing these additional reporting elements in conjunction
with the other information we request that they report on a weekly
basis. Consequently, we do not believe that the reporting of these two
additional elements will increase the reporting burden or costs for
ONC-ACBs.
We believe that an employee equivalent to the Federal
Classification of GS-9 Step 1 could complete the transmissions of the
requested information to ONC. We have utilized the corresponding
employee hourly rate for the locality pay area of Washington, DC, as
published by OPM, to calculate our cost estimates. We have also
calculated the costs of the employee's benefits while completing the
transmissions of the requested information. We have calculated these
costs by assuming that an ONC-ACB expends thirty-six percent (36%) of
an employee's hourly wage on benefits for the employee. We have
concluded that a 36% expenditure on benefits is an appropriate estimate
because it is the routine percentage used by HHS for contract cost
estimates. Our cost estimates are expressed in Table 14 below.
Table 14--Annual Costs for an ONC-ACB To Report Certifications to ONC
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual burden Employee
Program requirement Employee equivalent hours per ONC- Employee hourly benefits hourly Total cost per
ACB wage rate cost ONC-ACB
--------------------------------------------------------------------------------------------------------------------------------------------------------
ONC-ACB Certification Results................... GS-9 Step 1....................... 52 $22.39 $8.06 $1,583.40
--------------------------------------------------------------------------------------------------------------------------------------------------------
To estimate the highest possible cost, we assume that all of the
estimated applicants (i.e., six) that we anticipate will apply under
the permanent certification program will become ONC-ACBs. Therefore, we
estimate the total annual reporting cost under the permanent
certification program to be $9,500.40.
Costs to the Federal Government
As stated previously in this final rule, we will post a
comprehensive list of all certified Complete EHRs and EHR Modules on
our Web site. We believe that there will be minimal cost associated
with this action and have calculated the potential cost, including
weekly updates, to be $10,784 on an annualized basis. This amount is
based on 208 hours of yearly work of a Federal Salary Classification
GS-12 Step 1 employee located in Washington, DC
[[Page 1324]]
v. Costs for Retaining Certification Records
We stated in the Proposed Rule that we believe that the requirement
for ONC-ACBs to retain certification records for five years, as
specified in Sec. 170.523(g), is in line with common industry
practices and, consequently, does not represent additional costs to
ONC-ACBs. This determination was based on our consultations with NIST.
We did not receive any public comments contrary to our determination
and continue to adhere to our determination.
vi. Submission of Surveillance Plan and Surveillance Results
Costs to ONC-ACBs
Under the permanent certification program, ONC-ACBs will be
required to submit an annual surveillance plan to the National
Coordinator and annually report to the National Coordinator their
surveillance results.
As stated in the collection of information section, we anticipate
that the burden for each ONC-ACB will be the same based on the
following assumptions. We assume that all surveillance plans will be
fairly comparable. We also assume that all ONC-ACBs will, on average,
have a similar burden in submitting results. Finally, we assume that an
ONC-ACB will submit a copy of their annual surveillance plan and
surveillance results by either electronic transmission or paper
submission. In either instance, we believe that an ONC-ACB will spend a
similar amount of time and effort in organizing, categorizing and
submitting the requested information. Therefore, we estimate that an
ONC-ACB will annually allocate 1 hour to submit the surveillance plan
and 1 hour to submit the surveillance results.
We believe that an employee equivalent to the Federal
Classification of GS-9 Step 1 could complete the transmissions of the
surveillance plan and surveillance results to ONC. We have utilized the
corresponding employee hourly rate for the locality pay area of
Washington, DC as published by OPM, to calculate our cost estimates. We
have also calculated the costs of the employee's benefits while
completing the transmissions of the surveillance plan and surveillance
results. We have calculated these costs by assuming that an ONC-ACB
expends thirty-six percent (36%) of an employee's hourly wage on
benefits for the employee. We have concluded that a 36% expenditure on
benefits is an appropriate estimate because it is the routine
percentage used by HHS for contract cost estimates. Our cost estimates
are expressed in Table 15 below.
Table 15--Annual Costs for an ONC-ACB To Submit a Surveillance Plan and Surveillance Results
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual burden Employee
Program requirement Employee equivalent hours per ONC- Employee hourly benefits hourly Total cost per
ACB wage rate cost ONC-ACB
--------------------------------------------------------------------------------------------------------------------------------------------------------
ONC-ACB Surveillance Plan and Surveillance GS-9 Step 1....................... 2 $22.39 $8.06 $60.90
Results.
--------------------------------------------------------------------------------------------------------------------------------------------------------
To estimate the highest possible cost, we assume that all of the
estimated applicants (i.e., six) that we anticipate will apply under
the permanent certification program will become ONC-ACBs. Therefore, we
estimate the total annual costs for submitting surveillance plans and
surveillance results will be $365.40.
Costs to the Federal Government
We believe that we will incur negligible costs in receiving ONC-
ACBs' transmissions of surveillance plans and surveillance results.
vii. Overall Average Annual Costs by Entity
The following table provides a summary of our overall estimated
annual costs for the entities that we project will incur costs under
the permanent certification program (as specified in the RIA of this
final rule). For ONC-AA applicants, we have averaged the application
costs over a 3-year period because the duration of an ONC-AA's term is
3 years. For ONC-ACB applicants, we have averaged the application costs
over a 5-year period to coincide with the timeframe used to estimate
testing and certification costs for this final rule. In estimating the
overall annual costs for an ONC-ACB, we averaged the estimated costs of
ONC-ACB status renewal over a 3-year period because the duration of an
ONC-ACB's term is 3 years. For commercial, open source and self-
developers, we have provided the average of the mid-point estimated
costs for the testing and certification of Complete EHRs and EHR
Modules to certification criteria associated with meaningful use stages
2 and 3 over a 5-year period (see also Table 13). Estimated annual
costs for the Federal government are averaged over the appropriate
timeframe. For example, costs for reviewing and approving an ONC-AA are
averaged over a 3-year period, while costs for reviewing ONC-ACB
applications are averaged over a 5-year period. Table 16 is expressed
in thousands of dollars ($1,000). To illustrate, $27 is expressed as
.027 and $6.5 million is expressed as $6,500.00.
Table 16--Overall Average Annual Costs for Entities Under the Permanent Certification Program
--------------------------------------------------------------------------------------------------------------------------------------------------------
Commercial/open
ONC-AA applicant ONC-AA ONC-ACB applicant ONC-ACB source developers Self-developers Federal Government
--------------------------------------------------------------------------------------------------------------------------------------------------------
.027 N/A 7.24 7.68 1,900.00 6,500.00 14.32
--------------------------------------------------------------------------------------------------------------------------------------------------------
* Costs are expressed in thousands of dollars ($1,000).
b. Permanent Certification Program Benefits
We believe that several benefits will accrue from the establishment
of the permanent certification program. The permanent certification
program will provide a stable, consistent and reliable program for the
certification of Complete EHRs, EHR Modules and potentially other types
of HIT. The permanent certification program will allow eligible
professionals and eligible hospitals to adopt and implement Certified
EHR Technology for future
[[Page 1325]]
meaningful use stages, such as Stages 2 and 3, and thus potentially
qualify for incentive payments under the CMS Medicare and Medicaid EHR
Incentive Programs. We further believe that the permanent certification
program will meet our overall goals of accelerating health IT adoption
and increasing levels of interoperability. At this time, we cannot
predict how fast all of these savings will occur or their precise
magnitude as they are partly dependent on future final rules for
meaningful use and the subsequent standards and certification criteria
adopted by the Secretary.
D. Regulatory Flexibility Act
The RFA requires agencies to analyze options for regulatory relief
of small businesses if a rule has a significant impact on a substantial
number of small entities. For more information on the Small Business
Administration's (SBA's) size standards, see the SBA's Web site.\5\ For
purposes of the RFA, small entities include small businesses, nonprofit
organizations, and small governmental jurisdictions. When conducting a
RFA we are required to assess the potential effects of our rule on
small entities and to make every effort to minimize the regulatory
burden that might be imposed on small entities. We believe that the
entities that are likely to be directly affected by this final rule are
applicants for ONC-ACB status. Furthermore, we believe that these
entities would either be classified under the North American Industry
Classification System (NAICS) codes 541380 (Testing Laboratories) or
541990 (Professional, Scientific and Technical Services).\6\ We believe
that there will be up to 6 applicants for ONC-ACB status. According to
the NAICS codes identified above, this would mean SBA size standards of
$12 million and $7 million in annual receipts, respectively.\7\ Because
this segment of the HIT industry is in a nascent stage and is comprised
of very few entities, we have been unable to find reliable data from
which to determine what realistic annual receipts would be. However,
based on our total estimates for Complete EHRs and EHR Modules to be
tested and certified, we assume that the annual receipts of any one
ONC-ACB could be in the low millions of dollars. Moreover, it is
unclear, whether these entities may be involved in other testing and
certification programs which would increase their annual receipts and
potentially place them outside the SBA's size standards.
---------------------------------------------------------------------------
\5\ http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.
\6\ See 13 CFR 121.201.
\7\ The SBA references that annual receipts means ``total
income'' (or in the case of a sole proprietorship, ``gross income'')
plus ``cost of goods sold'' as these terms are defined and reported
on Internal Revenue Service tax return forms. http://www.sba.gov/idc/groups/public/documents/sba_homepage/guide_to_size_standards.pdf.
---------------------------------------------------------------------------
We believe that we have established the minimum amount of
requirements necessary to accomplish our policy goals and that no
appropriate regulatory alternatives could be developed to lessen the
compliance burden for applicants for ONC-ACB status as well as ONC-ACBs
once they have been granted such status by the National Coordinator.
Moreover, we believe that this final rule will create direct positive
effects for entities because their attainment of ONC-ACB status will
permit them to test and certify Complete EHRs, EHR Modules, and/or
possibly other types of HIT. Thus, we expect that their annual receipts
will increase as a result of becoming an ONC-ACB.
We did not receive any comments related to our RFA analysis on the
permanent certification program. As a result, we examined the economic
implications of this final rule and have concluded that it will not
have a significant impact on a substantial number of small entities.
The Secretary certifies that this final rule will not have a
significant impact on a substantial number of small entities.
E. Executive Order 13132--Federalism
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a rule that imposes substantial
direct requirement costs on State and local governments, preempts State
law, or otherwise has federalism implications.
Nothing in this final rule imposes substantial direct requirement
costs on State and local governments, preempts State law or otherwise
has federalism implications. We are not aware of any State laws or
regulations that conflict with or are impeded by our permanent
certification program, and we did not receive any comments to the
contrary in response to the Proposed Rule.
F. Unfunded Mandates Reform Act of 1995
Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires cost-benefit and other analyses before any rulemaking if
the rule includes a ``Federal mandate that may result in the
expenditure by State, local, and Tribal governments, in the aggregate,
or by the private sector, of $100,000,000 or more (adjusted annually
for inflation) in any 1 year.'' The current inflation-adjusted
statutory threshold is approximately $135 million. We did not receive
any comments related to the permanent certification program on our
analysis presented in the Proposed Rule. Therefore, we have determined
that this final rule will not constitute a significant rule under the
Unfunded Mandates Reform Act, because it imposes no mandates.
OMB reviewed this final rule.
List of Subjects in 45 CFR Part 170
Computer technology, Electronic health record, Electronic
information system, Electronic transactions, Health, Health care,
Health information technology, Health insurance, Health records,
Hospitals, Incorporation by reference, Laboratories, Medicaid,
Medicare, Privacy, Reporting and recordkeeping requirements, Public
health, Security.
0
For the reasons set forth in the preamble, 45 CFR subtitle A,
subchapter D, part 170, is amended as follows:
PART 170--HEALTH INFORMATION TECHNOLOGY STANDARDS, IMPLEMENTATION
SPECIFICATIONS, AND CERTIFICATION CRITERIA AND CERTIFICATION
PROGRAMS FOR HEALTH INFORMATION TECHNOLOGY
0
1. The authority citation for part 170 continues to read as follows:
Authority: 42 U.S.C. 300jj-11; 42 U.S.C. 300jj-14; 5 U.S.C.
552.
0
2. Add a new subpart E to part 170 to read as follows:
Subpart E--Permanent Certification Program for HIT
Sec.
170.500 Basis and scope.
170.501 Applicability.
170.502 Definitions.
170.503 Requests for ONC-AA status and ONC-AA ongoing
responsibilities.
170.504 Reconsideration process for requests for ONC-AA status.
170.505 Correspondence.
170.510 Types of certification.
170.520 Application.
170.523 Principles of proper conduct for ONC-ACBs.
170.525 Application submission.
170.530 Review of application.
170.535 ONC-ACB application reconsideration.
170.540 ONC-ACB status.
170.545 Complete EHR certification.
170.550 EHR Module certification.
170.553 Certification of health information technology other than
Complete EHRs and EHR Modules.
170.555 Certification to newer versions of certain standards.
170.557 Authorized certification methods.
170.560 Good standing as an ONC-ACB.
[[Page 1326]]
170.565 Revocation of ONC-ACB status.
170.570 Effect of revocation on the certifications issued to
Complete EHRs and EHR Modules.
170.599 Incorporation by reference.
Subpart E--Permanent Certification Program for HIT
Sec. 170.500 Basis and scope.
This subpart implements section 3001(c)(5) of the Public Health
Service Act and sets forth the rules and procedures related to the
permanent certification program for health information technology (HIT)
administered by the National Coordinator for Health Information
Technology.
Sec. 170.501 Applicability.
This subpart establishes the processes that applicants for ONC-ACB
status must follow to be granted ONC-ACB status by the National
Coordinator; the processes the National Coordinator will follow when
assessing applicants and granting ONC-ACB status; the requirements that
ONC-ACBs must follow to maintain ONC-ACB status; and the requirements
of ONC-ACBs for certifying Complete EHRs, EHR Module(s), and other
types of HIT in accordance with the applicable certification criteria
adopted by the Secretary in subpart C of this part. It also establishes
the processes accreditation organizations must follow to request
approval from the National Coordinator and that the National
Coordinator in turn will follow to approve an accreditation
organization under the permanent certification program as well as
certain ongoing responsibilities for an ONC-AA.
Sec. 170.502 Definitions.
For the purposes of this subpart:
Applicant means a single organization or a consortium of
organizations that seeks to become an ONC-ACB by submitting an
application for ONC-ACB status to the National Coordinator.
Deployment site means the physical location where a Complete EHR,
EHR Module(s) or other type of HIT resides or is being or has been
implemented.
Development site means the physical location where a Complete EHR,
EHR Module(s) or other type of HIT was developed.
Gap certification means the certification of a previously certified
Complete EHR or EHR Module(s) to:
(1) All applicable new and/or revised certification criteria
adopted by the Secretary at subpart C of this part based on the test
results of a NVLAP-accredited testing laboratory; and
(2) All other applicable certification criteria adopted by the
Secretary at subpart C of this part based on the test results used to
previously certify the Complete EHR or EHR Module(s).
ONC-Approved Accreditor or ONC-AA means an accreditation
organization that the National Coordinator has approved to accredit
certification bodies under the permanent certification program.
ONC-Authorized Certification Body or ONC-ACB means an organization
or a consortium of organizations that has applied to and been
authorized by the National Coordinator pursuant to this subpart to
perform the certification of Complete EHRs, EHR Module(s), and/or other
types of HIT under the permanent certification program.
Providing or provide an updated certification means the action
taken by an ONC-ACB to ensure that the developer of a previously
certified EHR Module(s) shall update the information required by Sec.
170.523(k)(1)(i), after the ONC-ACB has verified that the certification
criterion or criteria to which the EHR Module(s) was previously
certified have not been revised and that no new certification criteria
adopted for privacy and security are applicable to the EHR Module(s).
Remote certification means the use of methods, including the use of
web-based tools or secured electronic transmissions, that do not
require an ONC-ACB to be physically present at the development or
deployment site to conduct certification.
Sec. 170.503 Requests for ONC-AA status and ONC-AA ongoing
responsibilities.
(a) The National Coordinator may approve only one ONC-AA at a time.
(b) Submission. The National Coordinator will publish a notice in
the Federal Register to announce the 30-day period during which
requests for ONC-AA status may be submitted. In order to be considered
for ONC-AA status, an accreditation organization must submit a timely
request in writing to the National Coordinator along with the following
information to demonstrate its ability to serve as an ONC-AA:
(1) A detailed description of the accreditation organization's
conformance to ISO/IEC17011:2004 (incorporated by reference in Sec.
170.599) and experience evaluating the conformance of certification
bodies to ISO/IEC Guide 65:1996 (incorporated by reference in Sec.
170.599);
(2) A detailed description of the accreditation organization's
accreditation, requirements as well as how those requirements would
complement the Principles of Proper Conduct for ONC-ACBs and ensure the
surveillance approaches used by ONC-ACBs include the use of consistent,
objective, valid, and reliable methods;
(3) Detailed information on the accreditation organization's
procedures that would be used to monitor ONC-ACBs;
(4) Detailed information, including education and experience, about
the key personnel who review organizations for accreditation; and
(5) Procedures for responding to, and investigating, complaints
against ONC-ACBs.
(c) Preliminary selection.
(1) The National Coordinator is permitted up to 60 days from the
end of the submission period to review all timely submissions that were
received and determine which accreditation organization is best
qualified to serve as the ONC-AA.
(2) The National Coordinator's determination will be based on the
information provided, the completeness of an accreditation
organization's description of the elements listed in paragraph (b) of
this section, and each accreditation organization's overall
accreditation experience.
(3) The accreditation organization that is determined to be the
best qualified will be notified that it has been selected as the ONC-AA
on a preliminary basis, subject to the resolution of the
reconsideration process in Sec. 170.504. All other accreditation
organizations will be notified that their requests for ONC-AA status
have been denied. The accreditation organization that is selected on a
preliminary basis shall not represent itself as the ONC-AA or perform
accreditation(s) under the permanent certification program unless and
until it receives written notice from the National Coordinator that it
has been approved as the ONC-AA on a final basis pursuant to paragraph
(d) of this section.
(4) Any accreditation organization that submits a timely request
for ONC-AA status and is denied may request reconsideration in
accordance with Sec. 170.504.
(d) Final approval.
(1) If the National Coordinator determines that an accreditation
organization has met the standard specified in Sec. 170.504(b), then
that organization will be approved as the ONC-AA on a final basis. The
accreditation organization that was selected as the ONC-AA on a
preliminary basis pursuant to paragraph (c) of this section will be
notified of this final decision and cannot request reconsideration or
further review.
[[Page 1327]]
(2) If the National Coordinator determines that no accreditation
organization has met the standard specified in Sec. 170.504(b), then
the organization that was selected as the ONC-AA on a preliminary basis
pursuant to paragraph (c) of this section will be approved as the ONC-
AA on a final basis.
(e) ONC-AA ongoing responsibilities. An ONC-AA must:
(1) Maintain conformance with ISO/IEC 17011:2004 (incorporated by
reference in Sec. 170.599);
(2) In accrediting certification bodies, verify conformance to, at
a minimum, ISO/IEC Guide 65:1996 (incorporated by reference in Sec.
170.599) and ensure the surveillance approaches used by ONC-ACBs
include the use of consistent, objective, valid, and reliable methods;
(3) Verify that ONC-ACBs are performing surveillance in accordance
with their respective annual plans; and
(4) Review ONC-ACB surveillance results to determine if the results
indicate any substantive non-conformance by ONC-ACBs with the
conditions of their respective accreditations.
(f) ONC-AA status.
(1) An accreditation organization has not been granted ONC-AA
status unless and until it is notified by the National Coordinator that
it has been approved as the ONC-AA on a final basis pursuant to
paragraph (d) of this section.
(2) An ONC-AA's status will expire not later than 3 years from the
date its status was granted by the National Coordinator.
(3) The National Coordinator will accept requests for ONC-AA
status, in accordance with paragraph (b) of this section, at least 180
days before the current ONC-AA's status is set to expire.
Sec. 170.504 Reconsideration process for requests for ONC-AA status.
(a) An accreditation organization that submits a timely request for
ONC-AA status in accordance with Sec. 170.503 and is denied may
request reconsideration of the decision to deny its request for ONC-AA
status.
(b) Submission requirement. To request reconsideration, an
accreditation organization is required to submit to the National
Coordinator, within 15 days of receipt of a denial notice, a written
statement with supporting documentation contesting the decision to deny
its request for ONC-AA status. The submission must demonstrate that
clear, factual errors were made in the review of its request for ONC-AA
status and that the accreditation organization would have been selected
as the ONC-AA pursuant to Sec. 170.503(c) if those errors had been
corrected. If the National Coordinator does not receive an
accreditation organization's submission within the specified timeframe,
then its request for reconsideration may be denied.
(c) Review of submissions. The National Coordinator is permitted up
to 30 days to review all timely submissions that were received and
determine whether an accreditation organization has met the standard
specified in paragraph (b) of this section.
(d) Decision.
(1) If the National Coordinator determines that an accreditation
organization has met the standard specified in paragraph (b) of this
section, then that organization will be approved as the ONC-AA on a
final basis. All other accreditation organizations will be notified
that their requests for reconsideration have been denied.
(2) Final decision. A reconsideration decision issued by the
National Coordinator is final and not subject to further review.
Sec. 170.505 Correspondence.
(a) Correspondence and communication with the National Coordinator
shall be conducted by e-mail, unless otherwise necessary. The official
date of receipt of any e-mail between the National Coordinator and an
accreditation organization requesting ONC-AA status, the ONC-AA, an
applicant for ONC-ACB status, or an ONC-ACB is the date on which the e-
mail was sent.
(b) In circumstances where it is necessary for an accreditation
organization requesting ONC-AA status, the ONC-AA, an applicant for
ONC-ACB status, or an ONC-ACB to correspond or communicate with the
National Coordinator by regular or express mail, the official date of
receipt will be the date of the delivery confirmation.
Sec. 170.510 Types of certification.
Applicants may seek authorization from the National Coordinator to
perform the following types of certification:
(a) Complete EHR certification; and/or
(b) EHR Module certification; and/or
(c) Certification of other types of HIT for which the Secretary has
adopted certification criteria under subpart C of this part.
Sec. 170.520 Application.
Applicants must include the following information in an application
for ONC-ACB status and submit it to the National Coordinator for the
application to be considered complete.
(a) The type of authorization sought pursuant to Sec. 170.510. For
authorization to perform EHR Module certification, applicants must
indicate the specific type(s) of EHR Module(s) they seek authorization
to certify. If qualified, applicants will only be granted authorization
to certify the type(s) of EHR Module(s) for which they seek
authorization.
(b) General identifying, information including:
(1) Name, address, city, state, zip code, and Web site of
applicant; and
(2) Designation of an authorized representative, including name,
title, phone number, and e-mail address of the person who will serve as
the applicant's point of contact.
(c) Documentation that confirms that the applicant has been
accredited by the ONC-AA.
(d) An agreement, properly executed by the applicant's authorized
representative, that it will adhere to the Principles of Proper Conduct
for ONC-ACBs.
Sec. 170.523 Principles of proper conduct for ONC-ACBs.
An ONC-ACB shall:
(a) Maintain its accreditation;
(b) Attend all mandatory ONC training and program update sessions;
(c) Maintain a training program that includes documented procedures
and training requirements to ensure its personnel are competent to
certify HIT;
(d) Report to ONC within 15 days any changes that materially affect
its:
(1) Legal, commercial, organizational, or ownership status;
(2) Organization and management including key certification
personnel;
(3) Policies or procedures;
(4) Location;
(5) Personnel, facilities, working environment or other resources;
(6) ONC authorized representative (point of contact); or
(7) Other such matters that may otherwise materially affect its
ability to certify HIT.
(e) Allow ONC, or its authorized agent(s), to periodically observe
on site (unannounced or scheduled), during normal business hours, any
certifications performed to demonstrate compliance with the
requirements of the permanent certification program;
(f) Provide ONC, no less frequently than weekly, a current list of
Complete EHRs and/or EHR Modules that have been certified, which
includes, at a minimum:
(1) The Complete EHR or EHR Module developer name (if applicable);
[[Page 1328]]
(2) The date certified;
(3) The product version;
(4) The unique certification number or other specific product
identification;
(5) The clinical quality measures to which a Complete EHR or EHR
Module has been certified;
(6) Where applicable, any additional software a Complete EHR or EHR
Module relied upon to demonstrate its compliance with a certification
criterion or criteria adopted by the Secretary; and
(7) Where applicable, the certification criterion or criteria to
which each EHR Module has been certified.
(g) Retain all records related to the certification of Complete
EHRs and/or EHR Module(s) for a minimum of 5 years;
(h) Only certify HIT, including Complete EHRs and/or EHR Module(s),
that has been tested, using test tools and test procedures approved by
the National Coordinator, by a/an:
(1) NVLAP-accredited testing laboratory; or
(2) ONC-ATCB when:
(i) Certifying previously certified EHR Module(s) if the
certification criterion or criteria to which the EHR Module(s) was
previously certified have not been revised and no new certification
criteria are applicable to the EHR Module(s); or
(ii) Performing gap certification.
(i) Submit an annual surveillance plan to the National Coordinator
and annually report to the National Coordinator its surveillance
results; and
(j) Promptly refund any and all fees received for:
(1) Requests for certification that are withdrawn while its
operations are suspended by the National Coordinator;
(2) Certifications that will not be completed as a result of its
conduct; and
(3) Previous certifications that it performed if its conduct
necessitates the recertification of Complete EHRs and/or EHR Module(s);
(k) Ensure adherence to the following requirements when issuing a
certification to a Complete EHR and/or EHR Module(s):
(1) A Complete EHR or EHR Module developer must conspicuously
include the following on its Web site and in all marketing materials,
communications statements, and other assertions related to the Complete
EHR or EHR Module's certification:
(i) ``This [Complete EHR or EHR Module] is 20[XX]/20[XX] compliant
and has been certified by an ONC-ACB in accordance with the applicable
certification criteria adopted by the Secretary of Health and Human
Services. This certification does not represent an endorsement by the
U.S. Department of Health and Human Services or guarantee the receipt
of incentive payments.''; and
(ii) The information an ONC-ACB is required to report to the
National Coordinator under paragraph (f) of this section for the
specific Complete EHR or EHR Module at issue;
(2) A certification issued to a pre-coordinated, integrated bundle
of EHR Modules shall be treated the same as a certification issued to a
Complete EHR for the purposes of paragraph (k)(1) of this section,
except that the certification must also indicate each EHR Module that
is included in the bundle; and
(3) A certification issued to a Complete EHR or EHR Module based
solely on the applicable certification criteria adopted by the
Secretary at subpart C of this part must be separate and distinct from
any other certification(s) based on other criteria or requirements.
Sec. 170.525 Application submission.
(a) An applicant for ONC-ACB status must submit its application
either electronically via e-mail (or web submission if available), or
by regular or express mail.
(b) An application for ONC-ACB status may be submitted to the
National Coordinator at any time.
Sec. 170.530 Review of application.
(a) Method of review and review timeframe.
(1) Applications will be reviewed in the order they are received.
(2) The National Coordinator is permitted up to 30 days from
receipt to review an application that is submitted for the first time.
(b) Application deficiencies.
(1) If the National Coordinator identifies an area in an
application that requires the applicant to clarify a statement or
correct an error or omission, the National Coordinator may contact the
applicant to make such clarification or correction without issuing a
deficiency notice. If the National Coordinator has not received the
requested information after five days, the National Coordinator may
issue a deficiency notice to the applicant.
(2) If the National Coordinator determines that deficiencies in the
application exist, the National Coordinator will issue a deficiency
notice to the applicant and return the application. The deficiency
notice will identify the areas of the application that require
additional information or correction.
(c) Revised application.
(1) An applicant is permitted to submit a revised application in
response to a deficiency notice. An applicant may request from the
National Coordinator an extension for good cause of the 15-day period
provided in paragraph (c)(2) of this section to submit a revised
application.
(2) In order for an applicant to continue to be considered for ONC-
ACB status, the applicant's revised application must address the
specified deficiencies and be received by the National Coordinator
within 15 days of the applicant's receipt of the deficiency notice,
unless the National Coordinator grants an applicant's request for an
extension of the 15-day period based on a finding of good cause. If a
good cause extension is granted, then the revised application must be
received by the end of the extension period.
(3) The National Coordinator is permitted up to 15 days to review a
revised application once it has been received and may request
clarification of statements and the correction of errors or omissions
in a revised application during this time period.
(4) If the National Coordinator determines that a revised
application still contains deficiencies, the applicant will be issued a
denial notice indicating that the applicant cannot reapply for ONC-ACB
status for a period of six months from the date of the denial notice.
An applicant may request reconsideration of this decision in accordance
with Sec. 170.535.
(d) Satisfactory application.
(1) An application will be deemed satisfactory if it meets all the
application requirements, as determined by the National Coordinator.
(2) The National Coordinator will notify the applicant's authorized
representative of its satisfactory application and its successful
achievement of ONC-ACB status.
(3) Once notified by the National Coordinator of its successful
achievement of ONC-ACB status, the applicant may represent itself as an
ONC-ACB and begin certifying health information technology consistent
with its authorization.
Sec. 170.535 ONC-ACB application reconsideration.
(a) An applicant may request that the National Coordinator
reconsider a denial notice only if the applicant can demonstrate that
clear, factual errors were made in the review of its application and
that the errors' correction could lead to the applicant obtaining ONC-
ACB status.
(b) Submission requirement. An applicant is required to submit,
within 15 days of receipt of a denial notice, a written statement to
the National
[[Page 1329]]
Coordinator contesting the decision to deny its application and
explaining with sufficient documentation what factual error(s) it
believes can account for the denial. If the National Coordinator does
not receive the applicant's reconsideration request within the
specified timeframe, its reconsideration request may be rejected.
(c) Reconsideration request review. If the National Coordinator
receives a timely reconsideration request, the National Coordinator is
permitted up to 15 days from the date of receipt to review the
information submitted by the applicant and issue a decision.
(d) Decision.
(1) If the National Coordinator determines that clear, factual
errors were made during the review of the application and that
correction of the errors would remove all identified deficiencies, the
applicant's authorized representative will be notified of the National
Coordinator's determination and the applicant's successful achievement
of ONC-ACB status.
(2) If, after reviewing an applicant's reconsideration request, the
National Coordinator determines that the applicant did not identify
factual errors or that the correction of the factual errors would not
remove all identified deficiencies in the application, the National
Coordinator may reject the applicant's reconsideration request.
(3) Final decision. A reconsideration decision issued by the
National Coordinator is final and not subject to further review.
Sec. 170.540 ONC-ACB status.
(a) Acknowledgement and publication. The National Coordinator will
acknowledge and make publicly available the names of ONC-ACBs,
including the date each was authorized and the type(s) of certification
each has been authorized to perform.
(b) Representation. Each ONC-ACB must prominently and unambiguously
identify the scope of its authorization on its Web site and in all
marketing and communications statements (written and oral) pertaining
to its activities under the permanent certification program.
(c) Renewal. An ONC-ACB is required to renew its status every three
years. An ONC-ACB is required to submit a renewal request, containing
any updates to the information requested in Sec. 170.520, to the
National Coordinator 60 days prior to the expiration of its status.
(d) Expiration. An ONC-ACB's status will expire three years from
the date it was granted by the National Coordinator unless it is
renewed in accordance with paragraph (c) of this section.
Sec. 170.545 Complete EHR certification.
(a) When certifying Complete EHRs, an ONC-ACB must certify in
accordance with all applicable certification criteria adopted by the
Secretary at subpart C of this part.
(b) An ONC-ACB must provide the option for a Complete EHR to be
certified solely to the applicable certification criteria adopted by
the Secretary at subpart C of this part.
(c) Gap certification. An ONC-ACB may provide the option for and
perform gap certification of previously certified Complete EHRs.
(d) Inherited certified status. An ONC-ACB must accept requests for
a newer version of a previously certified Complete EHR to inherit the
certified status of the previously certified Complete EHR without
requiring the newer version to be recertified.
(1) Before granting certified status to a newer version of a
previously certified Complete EHR, an ONC-ACB must review an
attestation submitted by the developer of the Complete EHR to determine
whether any change in the newer version has adversely affected the
Complete EHR's capabilities for which certification criteria have been
adopted.
(2) An ONC-ACB may grant certified status to a newer version of a
previously certified Complete EHR if it determines that the
capabilities for which certification criteria have been adopted have
not been adversely affected.
(e) An ONC-ACB that has been authorized to certify Complete EHRs is
also authorized to certify all EHR Modules under the permanent
certification program.
Sec. 170.550 EHR Module certification.
(a) When certifying EHR Module(s), an ONC-ACB must certify in
accordance with the applicable certification criteria adopted by the
Secretary at subpart C of this part.
(b) An ONC-ACB must provide the option for an EHR Module(s) to be
certified solely to the applicable certification criteria adopted by
the Secretary at subpart C of this part.
(c) Gap certification. An ONC-ACB may provide the option for and
perform gap certification of previously certified EHR Module(s).
(d) An ONC-ACB may provide an updated certification to a previously
certified EHR Module(s).
(e) Privacy and security certification. EHR Module(s) shall be
certified to all privacy and security certification criteria adopted by
the Secretary, unless the EHR Module(s) is presented for certification
in one of the following manners:
(1) The EHR Modules are presented for certification as a pre-
coordinated, integrated bundle of EHR Modules, which would otherwise
meet the definition of and constitute a Complete EHR, and one or more
of the constituent EHR Modules is demonstrably responsible for
providing all of the privacy and security capabilities for the entire
bundle of EHR Modules; or
(2) An EHR Module is presented for certification, and the presenter
can demonstrate and provide documentation to the ONC-ACB that a privacy
and security certification criterion is inapplicable or that it would
be technically infeasible for the EHR Module to be certified in
accordance with such certification criterion.
(f) Inherited certified status. An ONC-ACB must accept requests for
a newer version of a previously certified EHR Module(s) to inherit the
certified status of the previously certified EHR Module(s) without
requiring the newer version to be recertified.
(1) Before granting certified status to a newer version of a
previously certified EHR Module(s), an ONC-ACB must review an
attestation submitted by the developer(s) of the EHR Module(s) to
determine whether any change in the newer version has adversely
affected the EHR Module(s)' capabilities for which certification
criteria have been adopted.
(2) An ONC-ACB may grant certified status to a newer version of a
previously certified EHR Module(s) if it determines that the
capabilities for which certification criteria have been adopted have
not been adversely affected.
Sec. 170.553 Certification of health information technology other
than Complete EHRs and EHR Modules.
An ONC-ACB authorized to certify health information technology
other than Complete EHRs and/or EHR Modules must certify such health
information technology in accordance with the applicable certification
criterion or certification criteria adopted by the Secretary at subpart
C of this part.
Sec. 170.555 Certification to newer versions of certain standards.
(a) ONC-ACBs may certify Complete EHRs and/or EHR Module(s) to a
newer version of certain identified minimum standards specified at
subpart B of this part if the Secretary has accepted a newer version of
an adopted minimum standard.
(b) Applicability of an accepted newer version of an adopted
minimum standard.
[[Page 1330]]
(1) ONC-ACBs are not required to certify Complete EHRs and/or EHR
Module(s) according to newer versions of an adopted minimum standard
accepted by the Secretary until the incorporation by reference
provision of the adopted version is updated in the Federal Register
with a newer version.
(2) Certified EHR Technology may be upgraded to comply with newer
versions of an adopted minimum standard accepted by the Secretary
without adversely affecting the certification status of the Certified
EHR Technology.
Sec. 170.557 Authorized certification methods.
An ONC-ACB must provide remote certification for both development
and deployment sites.
Sec. 170.560 Good standing as an ONC-ACB.
An ONC-ACB must maintain good standing by:
(a) Adhering to the Principles of Proper Conduct for ONC-ACBs;
(b) Refraining from engaging in other types of inappropriate
behavior, including an ONC-ACB misrepresenting the scope of its
authorization, as well as an ONC-ACB certifying Complete EHRs and/or
EHR Module(s) for which it does not have authorization; and
(c) Following all other applicable Federal and State laws.
Sec. 170.565 Revocation of ONC-ACB status.
(a) Type-1 violations. The National Coordinator may revoke an ONC-
ACB's status for committing a Type-1 violation. Type-1 violations
include violations of law or permanent certification program policies
that threaten or significantly undermine the integrity of the permanent
certification program. These violations include, but are not limited
to: False, fraudulent, or abusive activities that affect the permanent
certification program, a program administered by HHS or any program
administered by the Federal government.
(b) Type-2 violations. The National Coordinator may revoke an ONC-
ACB's status for failing to timely or adequately correct a Type-2
violation. Type-2 violations constitute noncompliance with Sec.
170.560.
(1) Noncompliance notification. If the National Coordinator obtains
reliable evidence that an ONC-ACB may no longer be in compliance with
Sec. 170.560, the National Coordinator will issue a noncompliance
notification with reasons for the notification to the ONC-ACB
requesting that the ONC-ACB respond to the alleged violation and
correct the violation, if applicable.
(2) Opportunity to become compliant. After receipt of a
noncompliance notification, an ONC-ACB is permitted up to 30 days to
submit a written response and accompanying documentation that
demonstrates that no violation occurred or that the alleged violation
has been corrected.
(i) If the ONC-ACB submits a response, the National Coordinator is
permitted up to 30 days from the time the response is received to
evaluate the response and reach a decision. The National Coordinator
may, if necessary, request additional information from the ONC-ACB
during this time period.
(ii) If the National Coordinator determines that no violation
occurred or that the violation has been sufficiently corrected, the
National Coordinator will issue a memo to the ONC-ACB confirming this
determination.
(iii) If the National Coordinator determines that the ONC-ACB
failed to demonstrate that no violation occurred or to correct the
area(s) of non-compliance identified under paragraph (b)(1) of this
section within 30 days of receipt of the noncompliance notification,
then the National Coordinator may propose to revoke the ONC-ACB's
status.
(c) Proposed revocation.
(1) The National Coordinator may propose to revoke an ONC-ACB's
status if the National Coordinator has reliable evidence that the ONC-
ACB has committed a Type-1 violation; or
(2) The National Coordinator may propose to revoke an ONC-ACB's
status if, after the ONC-ACB has been notified of a Type-2 violation,
the ONC-ACB fails to:
(i) To rebut the finding of a violation with sufficient evidence
showing that the violation did not occur or that the violation has been
corrected; or
(ii) Submit to the National Coordinator a written response to the
noncompliance notification within the specified timeframe under
paragraph (b)(2) of this section.
(d) Suspension of an ONC-ACB's operations.
(1) The National Coordinator may suspend the operations of an ONC-
ACB under the permanent certification program based on reliable
evidence indicating that:
(i) The ONC-ACB committed a Type-1 or Type-2 violation; and
(ii) The continued certification of Complete EHRs, EHR Module(s),
and/or other types of HIT by the ONC-ACB could have an adverse impact
on the health or safety of patients.
(2) If the National Coordinator determines that the conditions of
paragraph (d)(1) of this section have been met, an ONC-ACB will be
issued a notice of proposed suspension.
(3) Upon receipt of a notice of proposed suspension, an ONC-ACB
will be permitted up to 3 days to submit a written response to the
National Coordinator explaining why its operations should not be
suspended.
(4) The National Coordinator is permitted up to 5 days from receipt
of an ONC-ACB's written response to a notice of proposed suspension to
review the response and make a determination.
(5) The National Coordinator may make one of the following
determinations in response to the ONC-ACB's written response or if the
ONC-ACB fails to submit a written response within the timeframe
specified in paragraph (d)(3) of this section:
(i) Rescind the proposed suspension; or
(ii) Suspend the ONC-ACB's operations until it has adequately
corrected a Type-2 violation; or
(iii) Propose revocation in accordance with Sec. 170.565(c) and
suspend the ONC-ACB's operations for the duration of the revocation
process.
(6) A suspension will become effective upon an ONC-ACB's receipt of
a notice of suspension.
(e) Opportunity to respond to a proposed revocation notice.
(1) An ONC-ACB may respond to a proposed revocation notice, but
must do so within 10 days of receiving the proposed revocation notice
and include appropriate documentation explaining in writing why its
status should not be revoked.
(2) Upon receipt of an ONC-ACB's response to a proposed revocation
notice, the National Coordinator is permitted up to 30 days to review
the information submitted by the ONC-ACB and reach a decision.
(f) Good standing determination. If the National Coordinator
determines that an ONC-ACB's status should not be revoked, the National
Coordinator will notify the ONC-ACB's authorized representative in
writing of this determination.
(g) Revocation.
(1) The National Coordinator may revoke an ONC-ACB's status if:
(i) A determination is made that revocation is appropriate after
considering the information provided by the ONC-ACB in response to the
proposed revocation notice; or
(ii) The ONC-ACB does not respond to a proposed revocation notice
within the specified timeframe in paragraph (e)(1) of this section.
(2) A decision to revoke an ONC-ACB's status is final and not
subject to further review unless the National
[[Page 1331]]
Coordinator chooses to reconsider the revocation.
(h) Extent and duration of revocation.
(1) The revocation of an ONC-ACB is effective as soon as the ONC-
ACB receives the revocation notice.
(2) A certification body that has had its ONC-ACB status revoked is
prohibited from accepting new requests for certification and must cease
its current certification operations under the permanent certification
program.
(3) A certification body that has had its ONC-ACB has its status
revoked for a Type-1 violation, is not permitted to reapply for ONC-ACB
status under the permanent certification program for a period of 1
year.
(4) The failure of a certification body that has had its ONC-ACB
status revoked to promptly refund any and all fees for certifications
of Complete EHRs and EHR Module(s) not completed will be considered a
violation of the Principles of Proper Conduct for ONC-ACBs and will be
taken into account by the National Coordinator if the certification
body reapplies for ONC-ACB status under the permanent certification
program.
Sec. 170.570 Effect of revocation on the certifications issued to
Complete EHRs and EHR Module(s).
(a) The certified status of Complete EHRs and/or EHR Module(s)
certified by an ONC-ACB that had its status revoked will remain intact
unless a Type-1 violation was committed that calls into question the
legitimacy of the certifications issued by the former ONC-ACB.
(b) If the National Coordinator determines that a Type-1 violation
occurred that called into question the legitimacy of certifications
conducted by the former ONC-ACB, then the National Coordinator would:
(1) Review the facts surrounding the revocation of the ONC-ACB's
status; and
(2) Publish a notice on ONC's Web site if the National Coordinator
believes that Complete EHRs and/or EHR Module(s) were improperly
certified by the former ONC-ACB.
(c) If the National Coordinator determines that Complete EHRs and/
or EHR Module(s) were improperly certified, the certification status of
affected Complete EHRs and/or EHR Module(s) would only remain intact
for 120 days after the National Coordinator publishes the notice. The
certification status of affected Complete EHRs and/or EHR Module(s) can
only be maintained thereafter by being re-certified by an ONC-ACB in
good standing.
Sec. 170.599 Incorporation by reference.
(a) Certain material is incorporated by reference into this subpart
with the approval of the Director of the Federal Register under 5
U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that
specified in this section, the Department of Health and Human Services
must publish notice of change in the Federal Register and the material
must be available to the public. All approved material is available for
inspection at the National Archives and Records Administration (NARA).
For information on the availability of this material at NARA, call 202-
741-6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. Also, it is available for
inspection at U.S. Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology, Hubert H.
Humphrey Building, Suite 729D, 200 Independence Ave., SW., Washington,
DC 20201, call ahead to arrange for inspection at 202-690-7151, and is
available from the source listed below.
(b) International Organization for Standardization, Case postale
56, CH[middot]1211, Geneve 20, Switzerland, telephone +41-22-749-01-11,
http://www.iso.org.
(1) ISO/IEC 17011:2004 Conformity Assessment--General Requirements
for Accreditation Bodies Accrediting Conformity Assessment Bodies
(Corrected Version), February 15, 2005, IBR approved for Sec. 170.503.
(2) ISO/IEC GUIDE 65:1996--General Requirements for Bodies
Operating Product Certification Systems (First Edition), 1996, IBR
approved for Sec. 170.503.
(3) [Reserved]
Dated: December 14, 2010.
Kathleen Sebelius,
Secretary.
[FR Doc. 2010-33174 Filed 1-3-11; 4:15 pm]
BILLING CODE 4150-45-P