80 FR 16804 - 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications
DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary
Federal Register Volume 80, Issue 60 (March 30, 2015)
Page Range
16804-16921
FR Document
2015-06612
This notice of proposed rulemaking introduces a new edition of certification criteria (the 2015 Edition health IT certification criteria or ``2015 Edition''), proposes a new 2015 Edition Base EHR definition, and proposes to modify the ONC Health IT Certification Program to make it open and accessible to more types of health IT and health IT that supports various care and practice settings. The 2015 Edition would also establish the capabilities and specify the related standards and implementation specifications that Certified Electronic Health Record (EHR) Technology (CEHRT) would need to include to, at a minimum, support the achievement of meaningful use by eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) under the Medicare and Medicaid EHR Incentive Programs (EHR Incentive Programs) when such edition is required for use under these programs.
Federal Register, Volume 80 Issue 60 (Monday, March 30, 2015)
[Federal Register Volume 80, Number 60 (Monday, March 30, 2015)]
[Proposed Rules]
[Pages 16804-16921]
From the Federal Register Online [www.thefederalregister.org]
[FR Doc No: 2015-06612]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 170
RIN 0991-AB93
2015 Edition Health Information Technology (Health IT)
Certification Criteria, 2015 Edition Base Electronic Health Record
(EHR) Definition, and ONC Health IT Certification Program Modifications
AGENCY: Office of the National Coordinator for Health Information
Technology (ONC), Department of Health and Human Services (HHS).
ACTION: Notice of proposed rulemaking with comment period.
-----------------------------------------------------------------------
SUMMARY: This notice of proposed rulemaking introduces a new edition of
certification criteria (the 2015 Edition health IT certification
criteria or ``2015 Edition''), proposes a new 2015 Edition Base EHR
definition, and proposes to modify the ONC Health IT Certification
Program to make it open and accessible to more types of health IT and
health IT that supports various care and practice settings. The 2015
Edition would also establish the capabilities and specify the related
standards and implementation specifications that Certified Electronic
Health Record (EHR) Technology (CEHRT) would need to include to, at a
minimum, support the achievement of meaningful use by eligible
professionals (EPs), eligible hospitals, and critical access hospitals
(CAHs) under the Medicare and Medicaid EHR Incentive Programs (EHR
Incentive Programs) when such edition is required for use under these
programs.
DATES: To be assured consideration, written or electronic comments must
be received at one of the addresses provided below, no later than 5
p.m. on May 29, 2015.
ADDRESSES: You may submit comments, identified by RIN 0991-AB93, by any
of the following methods (please do not submit duplicate comments).
Because of staff and resource limitations, we cannot accept comments by
facsimile (FAX) transmission.
Federal eRulemaking Portal: Follow the instructions for
submitting comments. Attachments should be in Microsoft Word, Microsoft
Excel, or Adobe PDF; however, we prefer Microsoft Word. http://www.regulations.gov.
Regular, Express, or Overnight Mail: Department of Health
and Human Services, Office of the National Coordinator for Health
Information Technology, Attention: 2015 Edition Health IT Certification
Criteria Proposed Rule, Hubert H. Humphrey Building, Suite 729D, 200
Independence Ave SW., Washington, DC 20201. Please submit one original
and two copies.
Hand Delivery or Courier: Office of the National
Coordinator for Health Information Technology, Attention: 2015 Edition
Health IT Certification Criteria Proposed Rule, Hubert H. Humphrey
Building, Suite 729D, 200 Independence Ave SW., Washington, DC 20201.
Please submit one original and two copies. (Because access to the
interior of the Hubert H. Humphrey Building is not readily available to
persons without federal government identification, commenters are
encouraged to leave their comments in the mail drop slots located in
the main lobby of the building.)
Enhancing the Public Comment Experience: To facilitate public
comment on this proposed rule, a copy will be made available in
Microsoft Word format. We believe this version will make it easier for
commenters to access and copy portions of the proposed rule for use in
their individual comments. Additionally, a separate document will be
made available for the public to use to provide comments on the
proposed rule. This document is meant to provide the public with a
simple and organized way to submit comments on the certification
criteria, associated standards and implementation specifications, and
respond to specific questions posed in the preamble of the proposed
rule. While use of this document is entirely voluntary, we encourage
commenters to consider using the document in lieu of unstructured
comments or to use it as an addendum to narrative cover pages. Roughly
30% of the public comments submitted to our past two editions of
certification criteria proposed rules used the provided template, which
greatly assisted in our ability to rapidly process and more accurately
categorize public comments. Because of the technical nature of this
proposed rule, we believe that use of the document may facilitate our
review and understanding of the comments received. The Microsoft Word
version of the proposed rule and the document that can be used for
providing comments can be found at http://www.regulations.gov as part
of this proposed rule's docket and on ONC's Web site (http://www.healthit.gov).
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. Please do not include
anything in your comment submission that you do not wish to share with
the general public. Such information includes, but is not limited to: a
person's social security number; date of birth; driver's license
number; state identification number or foreign country equivalent;
passport number; financial account number; credit or debit card number;
any personal health information; or any business information that could
be considered proprietary. We will post all comments that are received
before the close of the comment period at http://www.regulations.gov.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov or the Department
of Health and Human Services, Office of the National Coordinator for
Health Information Technology, Hubert H. Humphrey Building, Suite 729D,
200 Independence Ave SW., Washington,
[[Page 16805]]
DC 20201 (call ahead to the contact listed below to arrange for
inspection).
FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy,
Office of the National Coordinator for Health Information Technology,
202-690-7151.
SUPPLEMENTARY INFORMATION:
Commonly Used Acronyms
API Application Programming Interface
CAH Critical Access Hospital
CDA Clinical Document Architecture
CDC Centers for Disease Control and Prevention
CDS Clinical Decision Support
CEHRT Certified Electronic Health Record Technology
CFR Code of Federal Regulations
CHPL Certified Health IT Product List
CLIA Clinical Laboratory Improvement Amendments
CMS Centers for Medicare & Medicaid Services
CQM Clinical Quality Measure
EHR Electronic Health Record
HHS Department of Health and Human Services
HISP Health Information Service Providers
HIT Health Information Technology
HITPC HIT Policy Committee
HITSC HIT Standards Committee
HL7 Health Level Seven
IG Implementation Guide
LOINC[supreg] Logical Observation Identifiers Names and Codes
ONC Office of the National Coordinator for Health Information
Technology
SNOMED CT[supreg] Systematized Nomenclature of Medicine Clinical
Terms
Table of Contents
I. Executive Summary
A. Purpose of Regulatory Action
B. Summary of Major Provisions
1. Overview of the 2015 Edition Health IT Certification Criteria
2. Base EHR Definition and Certified EHR Technology Definition
3. The ONC Health IT Certification Program and Health IT Module
C. Costs and Benefits
II. Background
A. Statutory Basis
1. Standards, Implementation Specifications, and Certification
Criteria
2. HIT Certification Programs
B. Regulatory History
1. Standards, Implementation Specifications, and Certification
Criteria Rules
2. Medicare and Medicaid EHR Incentive Programs Rules
3. ONC Health IT Certification Programs Rules
III. Provisions of the Proposed Rule Affecting Standards,
Implementation Specifications, Certification Criteria, and
Definitions
A. 2015 Edition Health IT Certification Criteria
1. Applicability
2. Standards and Implementation Specifications
3. Certification Criteria
4. 2015 Edition Gap Certification Eligibility Table
5. Pharmacogenomics Data--Request for Comment
B. Definitions
1. Base EHR Definitions
2. Certified EHR Technology Definition
3. Common Clinical Data Set Definition
4. Cross-Referenced FDA Definitions
IV. Provisions of the Proposed Rule Affecting the ONC Health IT
Certification Program
A. Subpart E--ONC Health IT Certification Program
B. Modifications to the ONC Health IT Certification Program
1. Health IT Modules
2. ``Removal'' of Meaningful Use Measurement Certification
Requirements
3. Types of Care and Practice Settings
4. Referencing the ONC Health IT Certification Program
C. Health IT Module Certification Requirements
1. Privacy and Security
2. Design and Performance (Sec. 170.315(g))
D. Principles of Proper Conduct for ONC-ACBs
1. ``In-the-Field'' Surveillance and Maintenance of
Certification
2. Transparency and Disclosure Requirements
3. Open Data Certified Health IT Product List (CHPL)
4. Records Retention
5. Complaints Reporting
6. Adaptations and Updates of Certified Health IT
E. ``Decertification'' of Health IT--Request for Comment
V. Response to Comments
VI. Incorporation by Reference
VII. Collection of Information Requirements
VIII. Regulatory Impact Statement
A. Statement of Need
B. Overall Impact
1. Executive Orders 12866 and 13563--Regulatory Planning and
Review Analysis
2. Regulatory Flexibility Act
3. Executive Order 13132--Federalism
4. Unfunded Mandates Reform Act of 1995
I. Executive Summary
A. Purpose of Regulatory Action
Building on past rulemakings, this proposed rule further identifies
how health IT certification can support the establishment of an
interoperable nationwide health information infrastructure. It reflects
stakeholder feedback received through various outreach initiatives,
including the regulatory process, and is designed to broadly support
the health care continuum through the use of certified health IT. To
achieve this goal, this rule proposes to:
Improve interoperability for specific purposes by adopting
new and updated vocabulary and content standards for the structured
recording and exchange of health information, including a Common
Clinical Data Set composed primarily of data expressed using adopted
standards; and rigorously testing an identified content exchange
standard (Consolidated Clinical Document Architecture (C-CDA));
Facilitate the accessibility and exchange of data by
including enhanced data portability, transitions of care, and
application programming interface (API) capabilities in the 2015
Edition Base EHR definition;
Establish a framework that makes the ONC Health IT
Certification Program open and accessible to more types of health IT,
health IT that supports a variety of care and practice settings,
various HHS programs, and public and private interests;
Support the Medicare and Medicaid EHR Incentive Programs
(EHR Incentive Programs) through the adoption of a set of certification
criteria that align with proposals for Stage 3;
Address health disparities by providing certification: To
standards for the collection of social, psychological, and behavioral
data; for the exchange of sensitive health information (Data
Segmentation for Privacy); and for the accessibility of health IT;
Ensure all health IT presented for certification possess
the relevant privacy and security capabilities;
Improve patient safety by: Applying enhanced user-center
design principles to health IT, enhancing patient matching, requiring
relevant patient information to be exchanged (e.g., Unique Device
Identifiers), improving the surveillance of certified health IT, and
making more information about certified products publicly available and
accessible;
Increase the reliability and transparency of certified
health IT through surveillance and disclosure requirements; and
Provide health IT developers with more flexibility and
opportunities for certification that support both interoperability and
innovation.
B. Summary of Major Provisions
1. Overview of the 2015 Edition Health IT Certification Criteria
The 2015 Edition health IT certification criteria (``2015
Edition'') would facilitate greater interoperability for several
clinical health information purposes and enable health information
exchange through new and enhanced certification criteria, standards,
and implementation specifications. It incorporates changes that are
designed to spur innovation, open new market opportunities, and provide
more choices to providers when it comes to electronic
[[Page 16806]]
health information exchange. To achieve these goals, we propose a new
``Application Access to Common Clinical Data Set'' certification
criterion that would require the demonstration of an API that responds
to data requests for any one of the data referenced in the Common
Clinical Data Set as well as for all of the data referenced in the
Common Clinical Data Set. To further validate the continued
interoperability of certified health IT and the ability to exchange
health information, we propose a new certification criterion that would
rigorously assess a product's C-CDA creation performance (for both C-
CDA version 1.1 and 2.0) when presented for certification for such
capabilities.
2. Definitions
a. Base EHR Definitions
We propose to adopt a Base EHR definition specific to the 2015
Edition (i.e., a 2015 Edition Base EHR definition) at Sec. 170.102 and
rename the current Base EHR definition at Sec. 170.102 as the 2014
Edition Base EHR definition. For the proposed 2015 Edition Base EHR
definition, it would differ from the 2014 Edition Base EHR definition
in the following ways:
It does not include privacy and security capabilities and
certification criteria. We believe privacy and security capabilities
would be more appropriately addressed through our new proposed approach
for the privacy and security certification of Health IT Modules to the
2015 Edition, as discussed under ``Privacy and Security'' in section
IV.C.1 of the preamble. Our new privacy and security approach would
eliminate eligible professionals (EPs)', eligible hospitals', and
critical access hospitals (CAHs)' responsibilities to ensure that they
have technology certified to all the necessary privacy and security
criteria. Rather, as part of certification, health IT developers would
need to meet applicable privacy and security certification criteria.
It only includes the capability to record and export CQM
data (Sec. 170.315(c)(1)). To note, the capabilities to import,
calculate and report CQM data are not included in the proposed 2015
Edition Base EHR definition or any other CQM-related requirements.
Please refer to the ``Clinical Quality Measures'' section (III.A.3)
later in the preamble for a more detailed discussion of the CQM
certification criteria. Please also see the EHR Incentive Programs
Stage 3 proposed rule published elsewhere in this issue of the Federal
Register for proposals related to CQMs, including the CEHRT definition
proposal.
It includes the 2015 Edition ``smoking status,''
``implantable device list,'' and ``application access to Common
Clinical Data Set'' certification criteria. For a detailed discussion
of these certification criteria, please refer to section III.A.3 of the
preamble.
It includes the proposed 2015 Edition certification
criteria that correspond to the remaining 2014 Edition certification
criteria referenced in the ``2014 Edition'' Base EHR definition (i.e.,
Computerized Provider Order Entry (CPOE), demographics, problem list,
medication list, medication allergy list, clinical decision support
(CDS), transitions of care, data portability, and relevant transport
certification criteria). On the inclusion of transport certification
criteria, we propose to include the ``Direct Project'' criterion (Sec.
170.315(h)(1)) as well as the ``Direct Project, Edge Protocol and XDR/
XDM'' \1\ criterion (Sec. 170.315(h)(2)) as equivalent alternative
means for meeting the 2015 Edition Base EHR definition for the reasons
discussed under ``Transport Methods and Other Protocols'' in section
III.A.3 of the preamble.
---------------------------------------------------------------------------
\1\ XDR stands for Cross-Enterprise Document Reliable
Interchange. XDM stands for Cross-Enterprise Document Media
Interchange.
---------------------------------------------------------------------------
We refer readers to section III.B.1 for a more detailed discussion
of the proposed 2015 Edition Base EHR definition.
b. CEHRT Definition
We propose to remove the Certified EHR Technology (CEHRT)
definition from Sec. 170.102 for the following reasons. The CEHRT
definition has always been defined in a manner that supports the EHR
Incentive Programs. As such, the CEHRT definition would more
appropriately reside solely within the EHR Incentive Programs
regulations. This would also be consistent with our approach in this
proposed rule to make the ONC Health IT Certification Program more open
and accessible to other types of health IT beyond EHR technology and
for health IT that supports care and practice settings beyond those
included in the EHR Incentive Programs. Further, this approach should
add administrative simplicity in that regulatory provisions, which EHR
Incentive Programs participants must meet (e.g., the CEHRT definition),
would be defined within the context of rulemakings for those programs.
We understand that the CEHRT definition proposed by CMS would continue
to include the Base EHR definition(s) defined by ONC, including the
2015 Edition Base EHR definition proposed in this proposed rule. We
also refer readers to Table 2 (``2015 Edition Proposed Certification
Criteria Associated with the EHR Incentive Programs Stage 3'') found in
section III.A.3 of this preamble. Table 2 crosswalks proposed 2015
Edition certification criteria with the proposed CEHRT definition and
proposed EHR Incentive Programs Stage 3 objectives.
c. Common Clinical Data Set
We propose to revise the ``Common MU Data Set'' definition in Sec.
170.102. We propose to change the name to ``Common Clinical Data Set,''
which aligns with our approach throughout this proposed rule to make
the ONC Health IT Certification Program more open and accessible to
other types of health IT beyond EHR technology and for health IT that
supports care and practice settings beyond those included in the EHR
Incentive Programs. We also propose to change references to the
``Common MU Data Set'' in the 2014 Edition (Sec. 170.314) to ``Common
Clinical Data Set.''
We propose to revise the definition to account for the new and
updated standards and code sets we propose to adopt in this proposed
rule that would improve and advance interoperability through the
exchange of the Common Clinical Data Set. We also propose to revise the
definition to support patient safety through clearly referenced data
elements and the inclusion of new patient data. These proposed
revisions would not change the standards, codes sets, and data
requirements specified in the Common Clinical Data Set for 2014 Edition
certification. They would only apply to health IT certified to the 2015
Edition Health IT certification criteria that reference the Common
Clinical Data Set.
3. The ONC Health IT Certification Program and Health IT Module
We propose to change the name of the ONC HIT Certification Program
to the ``ONC Health IT Certification Program'' (referred to as the
``ONC Health IT Certification Program'' throughout this proposed rule).
We also propose to modify the ONC Health IT Certification Program in
ways that would further open access to other types of health IT beyond
EHR technology and for health IT that supports care and practice
settings beyond the ambulatory and inpatient settings. These
modifications would also serve to support other public and private
programs that may reference the use of health IT certified under the
ONC Health IT Certification Program. When we established the
certification
[[Page 16807]]
program (76 FR 1294), we stated our initial focus would be on EHR
technology and supporting the EHR Incentive Programs, which focus on
the ambulatory setting and inpatient setting. Our proposals in this
proposed rule would permit other types of health IT (e.g., laboratory
information systems (LISs)), and technology implemented by health
information service providers (HISPs) and health information exchanges
(HIEs)) to receive appropriate attribution and not be referenced by a
certificate with ``EHR'' in it. Our proposals also support health IT
certification for other care and practice settings such as long-term
post-acute care (LTPAC), behavioral health, and pediatrics. Further,
the proposals in this rule would make it simpler for certification
criteria and certified health IT to be referenced by other HHS programs
(e.g., Medicaid and Medicare payment programs and various grant
programs), other public programs, and private entities and
associations.
As part of our approach to evolve the ONC Health IT Certification
Program, we have replaced prior rulemaking use of ``EHR'' and ``EHR
technology'' with ``health IT.'' The term health IT is reflective of
the scope of ONC's authority under the Public Health Service Act (Sec.
3000(5) as ``health information technology'' is so defined), and
represents a broad range of technology, including EHR technology. It
also more properly represents some of the technology, as noted above,
that has been previously certified to editions of certification
criteria under the ONC Health IT Certification Program and may be
certified to the proposed 2015 Edition in the future. Similarly, to
make the ONC Health IT Certification Program more open and accessible,
we propose to rename the EHR Module as ``Health IT Module'' and will
use this term throughout the proposed rule.
We propose not to require ONC-Authorized Certification Bodies
(ACBs) to certify all Health IT Modules to the 2015 Edition
``meaningful use measurement'' certification criteria (Sec.
170.315(g)(1) ``automated numerator recording'' and Sec. 170.315(g)(2)
``automated measure calculation''). We note that CMS has proposed to
include the 2015 Edition ``meaningful use measurement'' certification
criteria in the CEHRT definition as a unique program requirement for
the EHR Incentive Programs.
We propose a new, simpler, straight-forward approach to privacy and
security certification requirements for Health IT Modules certified to
the 2015 Edition. In essence, we identify the privacy and security
certification criteria that would be applicable to a Health IT Module
presented for certification based on the other capabilities included in
the Health IT Module and for which certification is sought. Under the
proposed approach, a health IT developer would know exactly what it
needed to do in order to get its Health IT Module certified and a
purchaser of a Health IT Module would know exactly what privacy and
security functionality against which the Health IT Module had to be
tested in order to be certified.
We propose new and revised principles of proper conduct (PoPC) for
ONC-ACBs. We propose to require ONC-ACBs to report an expanded set of
information to ONC for inclusion in the open data file that would make
up the Certified Health IT Product List (CHPL). We propose to revise
the PoPC in order to provide for more meaningful disclosure of certain
types of costs and limitations that could interfere with the ability of
users to implement certified health IT in a manner consistent with its
certification. We propose that ONC-ACBs retain records longer and
consistent with industry standards. We propose to require that ONC-ACBs
obtain a record of all adaptations and updates, including changes to
user-facing aspects, made to certified health IT, on a monthly basis
each calendar year. We propose to require that ONC-ACBs report to the
National Coordinator complaints received on certified health IT. We
propose to adopt new requirements for ``in-the-field'' surveillance
under the ONC Health IT Certification Program that would build on ONC-
ACBs' existing surveillance responsibilities by specifying requirements
and procedures for in-the-field surveillance. We believe these proposed
new and revised PoPC would promote greater transparency and
accountability for the ONC Health IT Certification Program. We also
include a request for comment on the potential ``decertification'' of
health IT that proactively blocks the sharing of information.
C. Costs and Benefits
Our estimates indicate that this proposed rule is an economically
significant rule as its overall costs for health IT developers may be
greater than $100 million in at least one year. We have, therefore,
projected the costs and benefits of the proposed rule. The estimated
costs expected to be incurred by health IT developers to develop and
prepare health IT to be tested and certified in accordance with the
2015 Edition health IT certification criteria (and the standards and
implementation specifications they include) are represented in monetary
terms in Table 1 below. We note that this proposed rule does not impose
the costs cited as compliance costs, but rather as investments which
health IT developers voluntarily take on and expect to recover with an
appropriate rate of return.
The dollar amounts expressed in Table 1 are expressed in 2013
dollars.
Table 1--Distributed Total Development and Preparation Costs for Health IT Developers (4-Year Period)--Totals
Rounded
----------------------------------------------------------------------------------------------------------------
Total high Total average
Year Ratio (%) Total low cost cost estimate cost estimate
estimate ($M) ($M) ($M)
----------------------------------------------------------------------------------------------------------------
2015............................................ 25 49.36 101.80 75.58
2016............................................ 30 59.23 122.16 90.70
2017............................................ 30 59.23 122.16 90.70
2018............................................ 15 29.61 61.08 45.35
---------------------------------------------------------------
4-Year Totals............................... .............. 197.43 407.20 302.32
----------------------------------------------------------------------------------------------------------------
We believe that there will be several significant benefits that may
arise from this proposed rule for patients, health care providers, and
health IT developers. The 2015 Edition continues to improve health IT
interoperability through the adoption of new and updated standards and
implementation specifications. For example, many
[[Page 16808]]
proposed certification criteria include standards and implementation
specifications for interoperability that directly support the EHR
Incentive Programs, which include objectives and measures for the
interoperable exchange of health information and for providing patients
electronic access to their health information in structured formats. In
addition, proposed certification criteria that support the collection
of patient data that could be used to address health disparities would
not only benefit patients, but the entire health care delivery system
through improved quality of care. The 2015 Edition also supports
usability and patient safety through new and enhanced certification
requirements for health IT.
Our proposals to make the ONC Health IT Certification Program open
and accessible to more types of health IT and for health IT that
supports a variety of care and practice settings should benefit health
IT developers, providers practicing in other care/practice settings,
and consumers through the availability and use of certified health IT
that includes capabilities that promote interoperability and enhanced
functionality.
II. Background
A. Statutory Basis
The Health Information Technology for Economic and Clinical Health
(HITECH) Act, Title XIII of Division A and Title IV of Division B of
the American Recovery and Reinvestment Act of 2009 (the Recovery Act)
(Pub. L. 111-5), was enacted on February 17, 2009. The HITECH Act
amended the Public Health Service Act (PHSA) and created ``Title XXX--
Health Information Technology and Quality'' (Title XXX) to improve
health care quality, safety, and efficiency through the promotion of
HIT and electronic health information exchange.
1. Standards, Implementation Specifications, and Certification Criteria
The HITECH Act established two new federal advisory committees, the
Health IT Policy Committee (HITPC) and the Health IT Standards
Committee (HITSC) (sections 3002 and 3003 of the PHSA, respectively).
Each is responsible for advising the National Coordinator for Health
Information Technology (National Coordinator) on different aspects of
standards, implementation specifications, and certification criteria.
The HITPC is responsible for, among other duties, recommending
priorities for the development, harmonization, and recognition of
standards, implementation specifications, and certification criteria.
Main responsibilities of the HITSC include recommending standards,
implementation specifications, and certification criteria for adoption
by the Secretary under section 3004 of the PHSA, consistent with the
ONC-coordinated Federal Health IT Strategic Plan.
Section 3004 of the PHSA identifies a process for the adoption of
health IT standards, implementation specifications, and certification
criteria and authorizes the Secretary to adopt such standards,
implementation specifications, and certification criteria. As specified
in section 3004(a)(1), the Secretary is required, in consultation with
representatives of other relevant federal agencies, to jointly review
standards, implementation specifications, and certification criteria
endorsed by the National Coordinator under section 3001(c) and
subsequently determine whether to propose the adoption of any grouping
of such standards, implementation specifications, or certification
criteria. The Secretary is required to publish all determinations in
the Federal Register.
Section 3004(b)(3) of the PHSA titled, Subsequent Standards
Activity, provides that the Secretary shall adopt additional standards,
implementation specifications, and certification criteria as necessary
and consistent with the schedule published by the HITSC. We consider
this provision in the broader context of the HITECH Act to grant the
Secretary the authority and discretion to adopt standards,
implementation specifications, and certification criteria that have
been recommended by the HITSC and endorsed by the National Coordinator,
as well as other appropriate and necessary health IT standards,
implementation specifications, and certification criteria. Throughout
this process, the Secretary intends to continue to seek the insights
and recommendations of the HITSC.
2. Health IT Certification Programs
Section 3001(c)(5) of the PHSA provides the National Coordinator
with the authority to establish a certification program or programs for
the voluntary certification of health IT. Specifically, section
3001(c)(5)(A) specifies that the National Coordinator, in consultation
with the Director of the National Institute of Standards and
Technology, shall keep or recognize a program or programs for the
voluntary certification of health information technology as being in
compliance with applicable certification criteria adopted under this
subtitle (i.e., certification criteria adopted by the Secretary under
section 3004 of the PHSA).
The certification program(s) must also include, as appropriate,
testing of the technology in accordance with section 13201(b) of the
[HITECH] Act. Overall, section 13201(b) of the HITECH Act requires that
with respect to the development of standards and implementation
specifications, the Director of the National Institute of Standards and
Technology (NIST), in coordination with the HITSC, shall support the
establishment of a conformance testing infrastructure, including the
development of technical test beds. The HITECH Act also indicates that
the development of this conformance testing infrastructure may include
a program to accredit independent, non-Federal laboratories to perform
testing.
B. Regulatory History
1. Standards, Implementation Specifications, and Certification Criteria
Rules
The Secretary issued an interim final rule with request for
comments titled, ``Health Information Technology: Initial Set of
Standards, Implementation Specifications, and Certification Criteria
for Electronic Health Record Technology'' (75 FR 2014, Jan. 13, 2010)
(the ``S&CC January 2010 interim final rule''), which adopted an
initial set of standards, implementation specifications, and
certification criteria. After consideration of the public comments
received on the S&CC January 2010 interim final rule, a final rule was
issued to complete the adoption of the initial set of standards,
implementation specifications, and certification criteria and realign
them with the final objectives and measures established for the EHR
Incentive Programs Stage 1 (formally titled: Health Information
Technology: Initial Set of Standards, Implementation Specifications,
and Certification Criteria for Electronic Health Record Technology;
Final Rule, (75 FR 44590, July 28, 2010) and referred to as the ``2011
Edition final rule''). The 2011 Edition final rule also established the
first version of the Certified EHR Technology (CEHRT) definition.
Subsequent to the 2011 Edition final rule (October 13, 2010), we issued
an interim final rule with a request for comment to remove certain
implementation specifications related to public health surveillance
that had been previously adopted in the 2011 Edition final rule (75 FR
62686).
The standards, implementation specifications, and certification
criteria
[[Page 16809]]
adopted by the Secretary in the 2011 Edition final rule established the
capabilities that CEHRT must include in order to, at a minimum, support
the achievement of EHR Incentive Programs Stage 1 by EPs, eligible
hospitals, and CAHs under the EHR Incentive Programs Stage 1 final rule
(the ``EHR Incentive Programs Stage 1 final rule'') (see 75 FR 44314
for more information about meaningful use and the Stage 1
requirements).
The Secretary issued a proposed rule with request for comments
titled ``Health Information Technology: Standards, Implementation
Specifications, and Certification Criteria for Electronic Health Record
Technology, 2014 Edition; Revisions to the Permanent Certification
Program for Health Information Technology'' (77 FR 13832, March 7,
2012) (the ``2014 Edition proposed rule''), which proposed new and
revised standards, implementation specifications, and certification
criteria. After consideration of the public comments received on the
2014 Edition proposed rule, a final rule was issued to adopt the 2014
Edition set of standards, implementation specifications, and
certification criteria and realign them with the final objectives and
measures established for the EHR Incentive Programs Stage 2 as well as
Stage 1 revisions (Health Information Technology: Standards,
Implementation Specifications, and Certification Criteria for
Electronic Health Record Technology, 2014 Edition; Revisions to the
Permanent Certification Program for Health Information Technology (77
FR 54163, Sept. 4, 2012) (the ``2014 Edition final rule''). The
standards, implementation specifications, and certification criteria
adopted by the Secretary in the 2014 Edition final rule established the
capabilities that CEHRT must include in order to, at a minimum, support
the achievement of the EHR Incentive Programs Stage 2 by EPs, eligible
hospitals, and CAHs under the EHR Incentive Programs Stage 2 final rule
(the ``EHR Incentive Programs Stage 2 final rule'') (see 77 FR 53968
for more information about the EHR Incentive Programs Stage 2
requirements).
On December 7, 2012, an interim final rule with a request for
comment was jointly issued and published by ONC and CMS to update
certain standards that had been previously adopted in the 2014 Edition
final rule. The interim final rule also revised the EHR Incentive
Programs by adding an alternative measure for the Stage 2 objective for
hospitals to provide structured electronic laboratory results to
ambulatory providers, corrected the regulation text for the measures
associated with the objective for hospitals to provide patients the
ability to view online, download, and transmit information about a
hospital admission, and made the case number threshold exemption policy
for clinical quality measure (CQM) reporting applicable for eligible
hospitals and CAHs beginning with FY 2013. The rule also provided
notice of CMS's intent to issue technical corrections to the electronic
specifications for CQMs released on October 25, 2012 (77 FR 72985). On
September 4, 2014, a final rule (Medicare and Medicaid Programs;
Modifications to the Medicare and Medicaid Electronic Health Record
(EHR) Incentive Program for 2014 and Other Changes to the EHR Incentive
Program; and Health Information Technology: Revisions to the Certified
EHR Technology Definition and EHR Certification Changes Related to
Standards; Final Rule) (79 FR 52910) was published adopting these
proposals.
On November 4, 2013, the Secretary published an interim final rule
with a request for comment, 2014 Edition Electronic Health Record
Certification Criteria: Revision to the Definition of ``Common
Meaningful Use (MU) Data Set'' (78 FR 65884), to make a minor revision
to the Common MU Data Set definition. This revision was intended to
allow more flexibility with respect to the representation of dental
procedures data for EHR technology testing and certification.
On February 26, 2014, the Secretary published a proposed rule
titled ``Voluntary 2015 Edition Electronic Health Record (EHR)
Certification Criteria; Interoperability Updates and Regulatory
Improvements'' (79 FR 10880) (``Voluntary Edition proposed rule''). The
proposed rule proposed a voluntary edition of certification criteria
that was designed to enhance interoperability, promote innovation, and
incorporate ``bug fixes'' to improve upon the 2014 Edition. A
correction notice was published for the Voluntary Edition proposed rule
on March 19, 2014, entitled ``Voluntary 2015 Edition Electronic Health
Record (EHR) Certification Criteria; Interoperability Updates and
Regulatory Improvements; Correction'' (79 FR 15282). This correction
notice corrected the preamble text and gap certification table for four
certification criteria that were omitted from the list of certification
criteria eligible for gap certification for the 2015 Edition EHR
certification criteria. On September 11, 2014, a final rule was
published titled ``2014 Edition Release 2 Electronic Health Record
(EHR) Certification Criteria and the ONC HIT Certification Program;
Regulatory Flexibilities, Improvements, and Enhanced Health Information
Exchange'' (79 FR 54430) (``2014 Edition Release 2 final rule''). The
final rule adopted a small subset of the original proposals in the
Voluntary Edition proposed rule as optional and revised 2014 Edition
EHR certification criteria that provide flexibility, clarity, and
enhance health information exchange. It also finalized administrative
proposals (i.e., removal of regulatory text from the Code of Federal
Regulations (CFR)) and proposals for the ONC HIT Certification Program
that provide improvements.
On May 23, 2014, CMS and ONC jointly published the ``Medicare and
Medicaid Programs; Modifications to the Medicare and Medicaid
Electronic Health Record Incentive Programs for 2014; and Health
Information Technology: Revisions to the Certified EHR Technology
Definition'' proposed rule (79 FR 29732). The rule proposed to update
the EHR Incentive Programs Stage 2 and Stage 3 participation timeline.
It proposed to revise the CEHRT definition to permit the use of EHR
technology certified to the 2011 Edition to meet the CEHRT definition
for FY/CY 2014. It also proposed to allow EPs, eligible hospitals, and
CAHs that could not fully implement EHR technology certified to the
2014 Edition for an EHR reporting period in 2014 due to delays in the
availability of such technology to continue to use EHR technology
certified to the 2011 Edition or a combination of EHR technology
certified to the 2011 Edition and 2014 Edition for the EHR reporting
periods in CY 2014 and FY 2014. On September 4, 2014, a final rule
(``CEHRT Flexibility final rule'') was published (79 FR 52910) adopting
these proposals.
2. Medicare and Medicaid EHR Incentive Programs Rules
On January 13, 2010, CMS published the EHR Incentive Programs Stage
1 proposed rule (75 FR 1844). The rule proposed the criteria for Stage
1 of the EHR Incentive Programs and regulations associated with the
incentive payments made available under Division B, Title IV of the
HITECH Act. Subsequently, CMS published a final rule (75 FR 44314) for
Stage 1 and the EHR Incentive Programs on July 28, 2010, simultaneously
with the publication of the 2011 Edition final rule. The EHR Incentive
Programs Stage 1 final rule established the objectives, associated
measures, and other requirements that EPs, eligible hospitals, and CAHs
must satisfy to meet Stage 1.
On March 7, 2012, CMS published the EHR Incentive Programs Stage 2
[[Page 16810]]
proposed rule (77 FR 13698). Subsequently, CMS published a final rule
(77 FR 53968) for the EHR Incentive Programs on Sept. 4, 2012,
simultaneously with the publication of the 2014 Edition final rule. The
EHR Incentive Programs Stage 2 final rule established the objectives,
associated measures, and other requirements that EPs, eligible
hospitals, and CAHs must satisfy to meet Stage 2 as well as revised
some Stage 1 requirements.
As described above in Section II.B.1, ONC and CMS jointly issued an
interim final rule with a request for comment that was published on
December 7, 2012 and a final rule that published on September 4, 2014.
Also, as described above in Section II.B.1, ONC and CMS jointly issued
proposed and final rules that were published on May 23, 2014 and
September 4, 2014, respectively.
3. ONC Health IT Certification Program Rules
On March 10, 2010, ONC published a proposed rule (75 FR 11328)
titled, ``Proposed Establishment of Certification Programs for Health
Information Technology'' (the ``Certification Programs proposed
rule''). The rule proposed both a temporary and permanent certification
program for the purposes of testing and certifying HIT. It also
specified the processes the National Coordinator would follow to
authorize organizations to perform the certification of HIT. A final
rule establishing the temporary certification program was published on
June 24, 2010 (75 FR 36158) (``Temporary Certification Program final
rule'') and a final rule establishing the permanent certification
program was published on January 7, 2011 (76 FR 1262) (``the Permanent
Certification Program final rule'').
On May 31, 2011, ONC published a proposed rule (76 FR 31272) titled
``Permanent Certification Program for Health Information Technology;
Revisions to ONC-Approved Accreditor Processes.'' The rule proposed a
process for addressing instances where the ONC-Approved Accreditor
(ONC-AA) engaged in improper conduct or did not perform its
responsibilities under the permanent certification program, addressed
the status of ONC-Authorized Certification Bodies in instances where
there may be a change in the accreditation organization serving as the
ONC-AA, and clarified the responsibilities of the new ONC-AA. All these
proposals were finalized in a final rule published on November 25, 2011
(76 FR 72636).
The 2014 Edition final rule made changes to the permanent
certification program. The final rule adopted a proposal to change the
Permanent Certification Program's name to the ``ONC HIT Certification
Program,'' revised the process for permitting the use of newer versions
of ``minimum standard'' code sets, modified the certification processes
ONC-ACBs need to follow for certifying EHR Modules in a manner that
provides clear implementation direction and compliance with the new
certification criteria, and eliminated the certification requirement
that every EHR Module be certified to all the mandatory ``privacy and
security'' certification criteria.
The Voluntary Edition proposed rule included proposals that focused
on improving regulatory clarity, simplifying the certification of EHR
Modules that are designed for purposes other than meeting Meaningful
Use requirements, and discontinuing the use of the Complete EHR
definition. As noted above, we issued the 2014 Edition Release 2 final
rule to complete the rulemaking for the Voluntary Edition proposed
rule. The 2014 Edition Release 2 final rule discontinued the ``Complete
EHR'' certification concept beginning with the proposed 2015 Edition,
adopted an updated standard (ISO/IEC 17065) for the accreditation of
ONC-ACBs, and adopted the ``ONC Certified HIT'' certification and
design mark for required use by ONC-ACBs under the ONC Health IT
Certification Program.
III. Provisions of the Proposed Rule Affecting Standards,
Implementation Specifications, and Certification Criteria
A. 2015 Edition Health IT Certification Criteria
This rule proposes new, revised, and unchanged certification
criteria that would establish the capabilities and related standards
and implementation specifications for the certification of health IT,
including EHR technology. We refer to these new, revised, and unchanged
certification criteria as the ``2015 Edition health IT certification
criteria'' and propose to add this term and its definition to Sec.
170.102. As noted in the Executive Summary, we also refer to these
criteria as the ``2015 Edition'' in this preamble. We propose to codify
the 2015 Edition in Sec. 170.315 to set them apart from other editions
of certification criteria and make it easier for stakeholders to
quickly determine the certification criteria the 2015 Edition includes.
Health IT certified to these proposed certification criteria and
associated standards and implementation specifications could be
implemented as part of an EP's, eligible hospital's, or CAH's CEHRT and
used to demonstrate meaningful use (as identified in Table 2 below). We
note that Table 2 does not identify certification criteria that are
included in conditional certification requirements, such as privacy and
security, safety-enhanced design, and quality management system
certification criteria. We do, however, classify these types of
certification criteria as ``associated'' with the EHR Incentives
Programs Stage 3 for the purposes of the regulatory impact analysis we
performed for this proposed rule (see section VIII.B.1).
Health IT certified to the proposed certification criteria and
associated standards and implementation specifications could also be
used to meet other HHS program requirements (e.g., grant and contract
requirements) or referenced by private sector associations and
entities.
Table 2--2015 Edition Proposed Certification Criteria Associated With the EHR Incentive Programs Stage 3
----------------------------------------------------------------------------------------------------------------
Relationship to the
proposed CEHRT \2\
Proposed CFR citation Certification Proposed inclusion in 2015 definition and
criterion edition base EHR definition proposed stage 3
objectives
----------------------------------------------------------------------------------------------------------------
Sec. 170.315(a)(1)............... Computerized Provider Included \3\............... Objective 4.
Order Entry (CPOE)--
medications.
Sec. 170.315(a)(2)............... CPOE--laboratory...... Included \4\............... Objective 4.
Sec. 170.315(a)(3)............... CPOE--diagnostic Included \5\............... Objective 4.
imaging.
[[Page 16811]]
Sec. 170.315(a)(4)............... Drug-drug, Drug- Not included............... Objective 3.
allergy Interaction
Checks for CPOE.
Sec. 170.315(a)(5)............... Demographics.......... Included................... No additional
relationship beyond
the Base EHR
definition.
Sec. 170.315(a)(7)............... Problem List.......... Included................... No additional
relationship beyond
the Base EHR
definition.
Sec. 170.315(a)(8)............... Medication List....... Included................... No additional
relationship beyond
the Base EHR
definition.
Sec. 170.315(a)(9)............... Medication Allergy Included................... No additional
List. relationship beyond
the Base EHR
definition.
Sec. 170.315(a)(10).............. Clinical Decision Included................... Objective 3.
Support.
Sec. 170.315(a)(11).............. Drug-formulary and Not included............... Objective 2.
Preferred Drug List
Checks.
Sec. 170.315(a)(12).............. Smoking Status........ Included................... No additional
relationship beyond
the Base EHR
definition.
Sec. 170.315(a)(14).............. Family Health History. Not included............... CEHRT \6\.
Sec. 170.315(a)(15).............. Family Health History-- Not included............... CEHRT \7\.
pedigree.
Sec. 170.315(a)(17).............. Patient-specific Not included............... Objective 5.
Education Resources.
Sec. 170.315(a)(19).............. Patient Health Not included............... CEHRT
Information Capture. Objective 6.
Sec. 170.315(a)(20).............. Implantable Device Included................... No additional
List. relationship beyond
the Base EHR
definition.
Sec. 170.315(b)(1)............... Transitions of Care... Included................... Objective 7.
Sec. 170.315(b)(2)............... Clinical Information Not included............... Objective 7.
Reconciliation and
Incorporation.
Sec. 170.315(b)(3)............... Electronic Prescribing Not included............... Objective 2.
Sec. 170.315(b)(6)............... Data Portability...... Included................... No additional
relationship beyond
the Base EHR
definition.
Sec. 170.315(c)(1) \8\........... Clinical Quality Included................... CEHRT.
Measures--record and
export.
Sec. 170.315(e)(1)............... View, Download, and Not included............... Objective 5
Transmit to Third Objective 6.
Party.
Sec. 170.315(e)(2)............... Secure Messaging...... Not included............... Objective 6.
Sec. 170.315(f)(1)............... Transmission to Not included............... Objective 8.\9\
Immunization
Registries.
Sec. 170.315(f)(2)............... Transmission to Public Not included............... Objective 8.
Health Agencies--
syndromic
surveillance.
Sec. 170.315(f)(3)............... Transmission to Public Not included............... Objective 8.
Health Agencies--
reportable laboratory
tests and values/
results.
Sec. 170.315(f)(4)............... Transmission to Cancer Not included............... Objective 8.
Registries.
Sec. 170.315(f)(5)............... Transmission to Public Not included............... Objective 8.
Health Agencies--case
reporting.
Sec. 170.315(f)(6)............... Transmission to Public Not included............... Objective 8.
Health Agencies--
antimicrobial use and
resistance reporting.
Sec. 170.315(f)(7)............... Transmission to Public Not included............... Objective 8.
Health Agencies--
health care surveys.
Sec. 170.315(g)(1)............... Automated Numerator Not included............... CEHRT.
Recording.
Sec. 170.315(g)(2)............... Automated Measure Not included............... CEHRT.
Calculation.
Sec. 170.315(g)(7)............... Application Access to Included................... Objective 5
Common Clinical Data Objective 6.
Set.
Sec. 170.315(h)(1)............... Direct Project........ Included \10\.............. No additional
relationship beyond
the Base EHR
definition.
Sec. 170.315(h)(2)............... Direct Project, Edge Included \11\.............. No additional
Protocol, and XDR/XDM. relationship beyond
the Base EHR
definition.
----------------------------------------------------------------------------------------------------------------
\2\ CMS' CEHRT definition would include the criteria adopted in the Base EHR definition. For more details on the
CEHRT definition, please see the CMS EHR Incentive Programs proposed rule published elsewhere in this issue of
the Federal Register.
\3\ Technology needs to be certified to Sec. 170.315(a)(1), (a)(2), or (a)(3).
\4\ Technology needs to be certified to Sec. 170.315(a)(1), (a)(2), or (a)(3).
\5\ Technology needs to be certified to Sec. 170.315(a)(1), (a)(2), or (a)(3).
\6\ Technology needs to be certified to Sec. 170.315(a)(14) or (a)(15).
\7\ Technology needs to be certified to Sec. 170.315(a)(14) or (a)(15).
\8\ As discussed in the preamble for the ``clinical quality measures--report'' criterion, additional CQM
certification policy may be proposed in or with CMS payment rules in CY15. As such, additional CQM
certification criteria may be proposed for the Base EHR and/or CEHRT definitions.
\9\ For the public health certification criteria in Sec. 170.315(f), technology would only need to be
certified to those criteria that are required to meet the options the provider intends to report in order to
meet the proposed Objective 8: Public Health and Clinical Data Registry Reporting.
\10\ Technology needs to be certified to Sec. 170.315(h)(1) or (h)(2) to meet the proposed Base EHR
definition.
\11\ Technology needs to be certified to Sec. 170.315(h)(1) or (h)(2) to meet the proposed Base EHR
definition.
[[Page 16812]]
1. Applicability
Section 170.300 establishes the applicability of subpart C--
Certification Criteria for Health Information Technology. We propose to
revise paragraph (d) of Sec. 170.300 to add in a reference to Sec.
170.315 and revise the parenthetical in the paragraph to say ``i.e.,
apply to any health care setting'' instead of ``i.e., apply to both
ambulatory and inpatient settings.'' These proposed revisions would
clarify which specific capabilities within a certification criterion
included in Sec. 170.315 have general applicability (i.e., apply to
any health care setting) or apply only to an inpatient setting or an
ambulatory setting. The proposed revision to change the language of the
parenthetical aligns with our proposed approach to make the ONC Health
IT Certification Program more agnostic to health care settings and
accessible to health IT that supports care and practice settings beyond
the ambulatory and inpatient settings. We refer readers to section IV.B
of this preamble for a detailed discussion of our proposals to modify
the ONC Health IT Certification Program.
We note that, with the proposed 2015 Edition, we no longer label
certification criteria as either optional or ambulatory/inpatient (at
the second paragraph level). For example, the proposed 2015 Edition
certification criterion for electronic medication administration record
is simply ``electronic medication administration record'' instead of
``inpatient setting only--electronic medication administration
record.'' Similarly, the proposed 2015 Edition certification criterion
for ``accounting of disclosures'' is simply ``accounting of
disclosures'' instead of ``optional--accounting of disclosures.'' These
simplifications are possible given that, beginning with the 2015
Edition health IT certification criteria, ``Complete EHR''
certifications will no longer be issued (see 79 FR 54443-45).
Therefore, there is no longer a need to designate an entire
certification criterion in this manner. Again, this approach supports
our goal to make the ONC Health IT Certification Program more agnostic
to health care settings and accessible to health IT that supports care
and practice settings beyond the ambulatory and inpatient settings.
We propose to replace the term ``EHR technology'' in paragraphs
(d)(1) and (d)(2) with ``health IT'' to align with our proposed
approach to make the ONC Health IT Certification Program more clearly
open to the certification of all types of health IT. Again, we refer
readers to section IV.B of this preamble for a detail discussion of our
proposals to modify the ONC Health IT Certification Program.
2. Standards and Implementation Specifications
a. National Technology Transfer and Advancement Act
The National Technology Transfer and Advancement Act (NTTAA) of
1995 (15 U.S.C. Sec. 3701 et. seq.) and the Office of Management and
Budget (OMB) Circular A-119 \12\ require the use of, wherever
practical, technical standards that are developed or adopted by
voluntary consensus standards bodies to carry out policy objectives or
activities, with certain exceptions. The NTTAA and OMB Circular A-119
provide exceptions to selecting only standards developed or adopted by
voluntary consensus standards bodies, namely when doing so would be
inconsistent with applicable law or otherwise impractical. In this
proposed rule, we refer to voluntary consensus standards, except for:
---------------------------------------------------------------------------
\12\ http://www.whitehouse.gov/omb/circulars_a119.
---------------------------------------------------------------------------
The standards adopted in Sec. 170.202. (These standards
were developed by groups of industry stakeholders committed to
advancing the Direct Project,\13\ which included initiatives under the
Standards and Interoperability (S&I) Framework.\14\ These groups used
consensus processes similar to those used by other industry
stakeholders and voluntary consensus standards bodies.);
---------------------------------------------------------------------------
\13\ http://www.healthit.gov/policy-researchers-implementers/direct-project.
\14\ http://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-framework.
---------------------------------------------------------------------------
The standards we propose to adopt at Sec.
170.205(a)(5)(iii) and (iv) for electronic submission medical
documentation (esMD) (These standards were developed by groups of
industry stakeholders committed to advancing esMD,\15\ which included
initiatives under the Standards and Interoperability (S&I)
Framework.\16\ These groups used consensus processes similar to those
used by other industry stakeholders and voluntary consensus standards
bodies.);
---------------------------------------------------------------------------
\15\ http://wiki.siframework.org/esMD+-+Author+of+Record and
http://wiki.siframework.org/esMD+-+Provider+Profiles+Authentication.
\16\ http://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-framework.
---------------------------------------------------------------------------
The standards we propose to adopt at Sec. 170.205(d)(4)
and (e)(4) for reporting of syndromic surveillance and immunization
information to public health agencies, respectively (These standards go
through a process similar within the public health community to those
used by other industry stakeholders and voluntary consensus standards
bodies.);
The standard we propose to adopt at Sec. 170.207(f)(2)
for race and ethnicity; and
Certain standards related to the protection of electronic
health information adopted in Sec. 170.210.
We are aware of no voluntary consensus standard that would serve as
an alternative to these standards for the purposes that we have
identified in this proposed rule.
b. Compliance With Adopted Standards and Implementation Specifications
In accordance with Office of the Federal Register regulations
related to ``incorporation by reference,'' 1 CFR part 51, which we
follow when we adopt proposed standards and/or implementation
specifications in any subsequent final rule, the entire standard or
implementation specification document is deemed published in the
Federal Register when incorporated by reference therein with the
approval of the Director of the Federal Register. Once published,
compliance with the standard and implementation specification includes
the entire document unless we specify otherwise. For example, if we
adopted the HL7 Laboratory Orders Interface (LOI) implementation guide
(IG) proposed in this proposed rule, health IT certified to
certification criteria referencing this IG would need to demonstrate
compliance with all mandatory elements and requirements of the IG. If
an element of the IG is optional or permissive in any way, it would
remain that way for testing and certification unless we specified
otherwise in regulation. In such cases, the regulatory text would
preempt the permissiveness of the IG.
c. ``Reasonably Available'' to Interested Parties
The Office of the Federal Register has established new requirements
for materials (e.g., standards and implementation specifications) that
agencies propose to incorporate by reference in the Federal Register
(79 FR 66267; 1 CFR 51.5(a)). To comply with these requirements, in
section VI (``Incorporation by Reference'') of this preamble, we
provide summaries of, and uniform resource locators (URLs) to, the
standards and implementation specifications we propose to adopt and
subsequently incorporate by reference in the Federal Register. To note,
we also provide relevant information about
[[Page 16813]]
these standards and implementation specifications throughout this
section of the preamble (section III), including URLs.
d. ``Minimum Standards'' Code Sets
We propose to adopt newer versions of four previously adopted
minimum standards code sets in this proposed rule for the 2015 Edition.
These code sets are the September 2014 Release of the U.S. Edition of
SNOMED CT[supreg], LOINC[supreg] version 2.50, the February 2, 2015
monthly version of RxNorm, and the February 2, 2015 version of the CVX
code set. We also propose to adopt two new minimum standards code sets
(the National Drug Codes (NDC)--Vaccine Codes, updates through January
15, 2015 and the ``Race & Ethnicity--CDC'' code system in the PHIN
Vocabulary Access and Distribution System (VADS) Release 3.3.9 (June
17, 2011)). As we have previously articulated (77 FR 54170), the
adoption of newer versions improve interoperability and health IT
implementation, while creating little additional burden through the
inclusion of new codes. As many of these minimum standards code sets
are updated frequently throughout the year, we will consider whether it
may be more appropriate to adopt a version of a minimum standards code
set that is issued before we publish a final rule for this proposed
rule. In making such determination, as we have done with these proposed
versions of minimum standards code sets, we will give consideration to
whether it includes any new substantive requirements and its effect on
interoperability. If adopted, a newer version of a minimum standards
code set would serve as the baseline for certification. As with all
adopted minimum standards code sets, health IT can be certified to
newer versions of the adopted baseline version minimum standards code
sets for purposes of certification, unless the Secretary specifically
prohibits the use of a newer version (see Sec. 170.555 and 77 FR
54268).
e. Object Identifiers (OIDs) for Certain Code Systems
We are providing the following table of OIDs for certain code
systems to assist health IT developers in the proper identification and
exchange of health information coded to the vocabulary standards
proposed in this proposed rule.
------------------------------------------------------------------------
Code system OID Code system name
------------------------------------------------------------------------
2.16.840.1.113883.6.96................. IHTSDO SNOMED CT.[supreg]
2.16.840.1.113883.6.1.................. LOINC.[supreg]
2.16.840.1.113883.6.88................. RxNorm.
2.16.840.1.113883.12.292............... HL7 Standard Code Set CVX-
Vaccines Administered.
2.16.840.1.113883.6.69................. National Drug Code Directory.
2.16.840.1.113883.6.8.................. Unified Code of Units of
Measure (UCUM \17\).
2.16.840.1.113883.6.13................. Code on Dental Procedures and
Nomenclature (CDT).
2.16.840.1.113883.6.4.................. International Classification of
Diseases, 10th Revision,
Procedure Coding System (ICD-
10-PCS).
2.16.840.1.113883.6.238................ Race & Ethnicity--Centers for
Disease Control and Prevention
(CDC).
2.16.840.1.113883.6.316................ Tags for Identifying Languages--
Request for Comment (RFC) 5646
(preferred language).
------------------------------------------------------------------------
f. Subpart B--Standards and Implementation Specifications for Health
Information Technology
In Sec. 170.200, we propose to remove term ``EHR Modules'' and add
in its place ``Health IT Modules.'' In Sec. 170.210, we propose to
remove the term ``EHR technology'' and add in its place ``health IT.''
These proposals are consistent with our overall approach to this
rulemaking as discussed in the Executive Summary.
---------------------------------------------------------------------------
\17\ Copyright (copyright) 1998-2013, Regenstrief Institute,
Inc. and the UCUM Organization. All rights reserved.
---------------------------------------------------------------------------
3. Certification Criteria
We discuss the certification criteria that we propose to adopt as
the 2015 Edition below. In a header for each criterion, we specify
where the proposed certification criteria would be included in Sec.
170.315. We discuss each certification criterion in the chronological
order in which it would appear in the CFR. In other words, the preamble
that follows will discuss the proposed certification criteria in Sec.
170.315(a) first, then Sec. 170.315(b), and so on.
We identify the certification criteria as new, revised, or
unchanged in comparison to the 2014 Edition. In the 2014 Edition final
rule we gave meaning to the terms ``new,'' ``revised,'' and
``unchanged'' to both describe the differences between the 2014 Edition
certification criteria and the 2011 Edition certification criteria as
well as establish what certification criteria in the 2014 Edition were
eligible for gap certification (see 77 FR 54171, 54202, and 54248).
Given that beginning with the 2015 Edition ``Complete EHR''
certifications will no longer be issued (see also 79 FR 54443-45) and
that our proposals in this proposed rule to make the ONC Health IT
Certification Program more open and accessible to other health care/
practice settings, we propose to give new meaning to these terms for
the purpose of a gap certification analysis.
``New'' certification criteria are those that as a whole
only include capabilities never referenced in previously adopted
certification criteria editions and to which a Health IT Module
presented for certification to the 2015 Edition could have never
previously been certified. As a counter example, the splitting of a
2014 Edition certification criterion into two criteria as part of the
2015 Edition would not make those certification criteria ``new'' for
the purposes of a gap certification eligibility analysis.
``Revised'' certification criteria are those that include
within them capabilities referenced in a previously adopted edition of
certification criteria as well as changed or additional new
capabilities; and to which a Health IT Module presented for
certification to the 2015 Edition could not have been previously
certified to all of the included capabilities.
``Unchanged'' certification criteria would be
certification criteria that include the same capabilities as compared
to prior certification criteria of adopted editions; and to which a
Health IT Module presented for certification to the 2015 Edition could
have been previously certified to all of the included capabilities.
We explain the proposed certification criteria and provide
accompanying rationale for the proposed certification criteria,
including citing the recommendations of the HITPC and HITSC, where
appropriate. For 2015 Edition health IT certification criteria
[[Page 16814]]
that have been revised in comparison to their 2014 Edition
counterparts, we focus the discussion on any revisions and
clarifications in comparison to the 2014 Edition version of the
criteria. A revised 2015 Edition certification criterion would also
include all the other capabilities that were included in the 2014
Edition version. For example, we propose to adopt a 2015 Edition
``drug-drug, drug-allergy interaction checks for CPOE'' certification
criterion (Sec. 170.315(a)(4)) that is revised in comparison to the
2014 Edition ``drug-drug, drug-allergy interaction checks'' criterion
(Sec. 170.314(a)(2)). We only discuss clarifications (e.g., the
criterion name change) and revisions we propose as part of the 2015
Edition ``drug-drug, drug-allergy interaction checks for CPOE''
certification criterion. However, the 2015 Edition criterion also
includes all the other capabilities of the 2014 Edition ``drug-drug,
drug allergy interaction checks'' criterion. We refer readers to Sec.
170.315 of the proposed regulation text near the end of this document,
which specifies all the capabilities included in each proposed 2015
Edition certification criterion.
We include an appendix (Appendix A) to this proposed rule, which
provides a table with the following data for each proposed 2015 Edition
certification criterion, as applicable: (1) Proposed CFR citation; (2)
estimated development hours; (3) proposed privacy and security
certification requirements (approach 1); \18\ (4) conditional
certification requirements (Sec. 170.550); (5) gap certification
eligibility; (6) proposed inclusion in the 2015 Edition Base EHR
definition; and (7) relationship to proposed Stage 3 of the EHR
Incentive Programs, including the CEHRT definition.
---------------------------------------------------------------------------
\18\ Please see section IV.C.1 (``Privacy and Security'') for a
detailed discussion of approach 1.
---------------------------------------------------------------------------
We propose, and readers should interpret, that the following terms
used in the proposed 2015 Edition have the same meanings we adopted in
the 2014 Edition final rule (77 FR 54168-54169), in response to public
comment: ``user,'' ``record,'' ``change,'' ``access,'' ``incorporate,''
``create,'' and ``transmit,'' but apply to all health IT not just ``EHR
technology.'' For the term ``incorporate,'' we also direct readers to
the additional explanation we provided under the ``transitions of
care'' certification criterion (77 FR 54218) in the 2014 Edition final
rule and in the Voluntary Edition proposed rule (79 FR 10898). We
propose that the scope of a 2015 Edition certification criterion is the
same as the scope previously assigned to a 2014 Edition certification
criterion (for further explanation, see the discussion at 77 FR 54168).
That is, certification to proposed 2015 Edition health IT certification
criteria at Sec. 170.315 would occur at the second paragraph level of
the regulatory section and encompass all paragraph levels below the
second paragraph level. We also propose to continue to use the same
specific descriptions for the different types of ``data summaries''
established in the 2014 Edition final rule (77 FR 54170-54171) for the
proposed 2015 Edition health IT certification criteria (i.e., ``export
summary,'' ``transition of care/referral summary,'' ``ambulatory
summary,'' and ``inpatient summary.'')
As with the adoption of the 2011 and 2014 editions of certification
criteria (see the introductory text to Sec. Sec. 170.302, 170.304,
170.306, and 170.314), all capabilities mentioned in certification
criteria are expected to be performed electronically, unless otherwise
noted. Therefore, we no longer include ``electronically'' in
conjunction with each capability included in a certification criterion
proposed under Sec. 170.315 because the proposed introductory text to
Sec. 170.315 (which covers all the certification criteria included in
the section) clearly states that health IT must be able to
electronically perform the following capabilities in accordance with
all applicable standards and implementation specifications adopted in
the part.
Computerized Provider Order Entry
In the 2014 Edition Release 2 final rule, we adopted separate
computerized provider order entry (CPOE) certification criteria based
on the clinical purpose (i.e., medications, laboratory, and diagnostic
imaging) (79 FR 54435-36). We propose to take the same approach for the
2015 Edition and propose to adopt three certification criteria for
CPOE, as compared to a single criterion that would include combined
functionality for all three clinical purposes (e.g., Sec.
170.314(a)(1)).
We request comment on whether we should specify, for the purposes
of testing and certification to the 2015 Edition CPOE criteria, certain
data elements that a Health IT Module must be able to include in a
transmitted order. In particular, we request comment on whether a
Health IT Module should be able to include any or all of the following
data elements: secondary diagnosis codes; reason for order; and comment
fields entered by the ordering provider, if they are provided to the
ordering provider in their order entry screen. We also request comment
on whether there are any other data elements that a Health IT Module
should be able to include as part of an order for the purposes of
testing and certification. We clarify, however, that any specific data
requirements for a transmitted order that may be adopted in a final
rule would only apply in the absence of a standard for testing and
certification. As discussed below, we propose a laboratory order
standard for the ambulatory setting. If we were to adopt this standard
in a final rule, any potential required data elements for a transmitted
order adopted in response to this proposal would not be made applicable
to the ambulatory setting for the ``CPOE--laboratory'' certification
criterion.
Computerized Provider Order Entry--Medications
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(1) (Computerized provider order entry--medications)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition CPOE certification criterion
specific to medication ordering. This proposed criterion does not
reference any standards or implementation specifications and is
unchanged in comparison to the 2014 Edition CPOE--medications criterion
adopted at Sec. 170.314(a)(18).
Computerized Provider Order Entry--Laboratory
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(2) (Computerized provider order entry--laboratory)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition CPOE certification criterion
specific to laboratory ordering that is revised in comparison to the
CPOE--laboratory criterion adopted at Sec. 170.314(a)(19) as well as
Sec. 170.314(a)(1).
We propose to adopt and include in this criterion, for the
ambulatory setting, the HL7 Version 2.5.1 Implementation Guide: S&I
Framework Laboratory Orders (LOI) from EHR, Draft Standard for Trial
Use, Release 2--US Realm (``Release 2'').\19\ Due to the absence of a
consensus standard for the purpose of sending laboratory orders from
EHRs to laboratories, this standard was developed in conjunction with
laboratories representative of the industry, health IT developers, and
[[Page 16815]]
provider stakeholders through an open consensus-based process under the
Standards and Interoperability Framework (S&I Framework). Release 1 of
the standard was balloted and approved through HL7, a standards
developing organization. Release 2 is currently under ballot
reconciliation with HL7 and should be published in the next few months.
Release 2 would:
---------------------------------------------------------------------------
\19\ http://www.hl7.org/special/committees/projman/searchableprojectindex.cfm?action=edit&ProjectNumber=922 and http://www.hl7.org/participate/onlineballoting.cfm?ref=nav#nonmember.
Access to the current draft of the LOI Release 2 IG is freely
available for review during the public comment period by
establishing an HL7 user account.
---------------------------------------------------------------------------
Implement common formats across US Realm IGs for
consistent reader experience (e.g., sequence of sections, formatting,
layout, and terminology);
Adopt HL7 version 2.8 fields developed to fill gaps
identified in the development of Release 1;
Include harmonized data type ``flavors'' for use across
the US Realm Lab IGs;
Introduce initial requirements for error reporting
conditions and severity (hard/soft errors) and system/application
acknowledgements;
Harmonize data element usage and cardinality requirements
with LOI Release 1, and the electronic Directory of Services (eDOS) IG;
Incorporate US Lab Realm value sets developed for clarity
and consistency across all laboratory IGs; and
Use a new publication method for value sets that allows
for precision usage at point of use and provides ``at a glance''
comprehensive usage at the field and component-level across all
laboratory IGs; and synced with value set activities (HL7, VSAC, etc.).
Overall, we propose to adopt Release 2 of the standard because it
addresses errors and ambiguities found in Release 1 and harmonizes
requirements with other laboratory standards we propose to adopt in
this proposed rule. Release 2 would also make implementation of the LOI
IG clearer and more consistent for health IT developers and
laboratories, as well as improve interoperability. We propose to adopt
Release 2 at Sec. 170.205(l)(1).
Commenters on the Voluntary Edition proposed rule noted that for
optimal interoperability we need to also adopt the most recent version
of the HL7 Version 2.5.1 Implementation Guide: S&I Framework Laboratory
Test Compendium Framework, Release 2, (also referred to as the
``electronic Directory of Services (eDOS) IG''), as it is the companion
IG to the LOI IG. We agree with the commenters' assessment and propose
to include the most recent version of the eDOS IG in this criterion for
certification to all health care settings (i.e., not confining it to
only the ambulatory setting) and adopt it at Sec. 170.205(l)(2). The
most recent version of the eDOS IG will be Release 2, Version 1.2,
which is scheduled to publish in the next few months. Release 2,
Version 1.2 is currently under ballot reconciliation.\20\ In general,
the eDOS IG provides requirements and guidance for the delivery of an
electronic Directory of Services (test compendium) from a laboratory
(compendium producer) to an EHR or other system (compendium consumer)
where it is used to produce electronic orders (LOI-conformant messages)
for laboratory tests. Version 1.2 of the eDOS IG addresses errors and
ambiguities in the prior version as well as harmonizes with Release 2
of the LOI IG.
---------------------------------------------------------------------------
\20\ http://www.hl7.org/participate/onlineballoting.cfm?ref=nav#nonmember. Access to the current draft
of the eDOS IG, Release 2, Version 1.2 is freely available for
review during the public comment period by establishing an HL7 user
account.
---------------------------------------------------------------------------
We also propose, for the purposes of certification, to require a
Health IT Module to be able to use, at a minimum, the version of
Logical Observation Identifiers Names and Codes (LOINC[supreg]) adopted
at Sec. 170.207(c)(3) (version 2.50) as the vocabulary standard for
laboratory orders. This is the most recent version of LOINC[supreg]. We
refer readers to section III.A.2.d (``Minimum Standards'' Code Sets)
for further discussion of our adoption of LOINC[supreg] as a minimum
standards code set and our proposal to adopt version 2.50, or
potentially a newer version if released before a subsequent final rule,
as the baseline for certification to the 2015 Edition.
We note that the LOI Release 2 IG requires the information for a
test requisition as specified in the Clinical Laboratory Improvement
Amendments (CLIA), 42 CFR 493.1241(c)(1) through (c)(8), to be included
in the content message. Therefore, inclusion of this standard for
certification may also facilitate laboratory compliance with CLIA.
Computerized Provider Order Entry--Diagnostic Imaging
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(3) (Computerized provider order entry--diagnostic
imaging)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition CPOE certification criterion
specific to diagnostic imaging. This proposed criterion does not
reference any standards or implementation specifications, and is
unchanged in comparison to the 2014 Edition CPOE--diagnostic imaging
criterion adopted at Sec. 170.314(a)(20). To note, we also propose to
adopt the title of ``diagnostic imaging,'' which is the title we gave
to the 2014 Edition version of this certification criterion in the 2014
Edition Release 2 final rule (79 FR 54436).
Drug-Drug, Drug-Allergy Interaction Checks for CPOE
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(4) (Drug-drug, drug-allergy interaction checks for
CPOE)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``drug-drug, drug-allergy
interaction checks for CPOE'' certification criterion that is revised
in comparison to the 2014 Edition ``drug-drug, drug-allergy interaction
checks'' criterion (Sec. 170.314(a)(2)). We propose to clarify that
the capabilities included in this criterion are focused on CPOE by
including ``for CPOE'' in the title of this criterion.
We also propose to include in this criterion the capabilities to
record user actions for drug-drug, drug-allergy interaction (DD/DAI)
interventions and to enable a user to view the actions taken for DD/DAI
interventions (also referred to as ``checks''). Specifically, we
propose that a Health IT Module must be able to record at least one
action taken and by whom in response to drug-drug or drug-allergy
interaction checks. To be certified to this criterion, a Health IT
Module (at a user's request) must also be able to generate either a
human readable display or human readable report of actions taken and by
whom in response to drug-drug or drug-allergy interaction checks.
We solicited comment in the Voluntary Edition proposed rule on
whether health IT should be able to track (which means ``record'' and
will be referred to as ``record'' throughout this preamble) provider
(referred to as ``user'' for the purposes of this proposed
certification criterion) actions for DD/DAI interventions, including
recording if and when the user viewed, accepted, declined, ignored,
overrode, or otherwise commented on the DD/DAI interventions. We
received comments that supported recording user actions for DD/DAI
interventions (79 FR 54449). We also received comments recommending
that we consider including recording user actions in response to CDS
interventions. We discuss those comments under the CDS certification
criterion in this section (III.A.3) of the preamble.
We believe that recording user actions for DD/DAI interventions
could assist with quality improvement and patient safety. While some
commenters expressed concern that functionality for recording user
actions would be
[[Page 16816]]
burdensome to develop, we believe the potential benefits of improved
care and reduced adverse events that can come from using such
functionality and being able to subsequently analyze user actions for
DD/DAI interventions outweighs the development burden. To provide
health IT developers with flexibility and the opportunity to innovate,
we have explicitly not specified the types of actions a Health IT
Module must be able to record to meet this criterion. Health IT
developers would need to simply demonstrate that their Health IT Module
can record at least one user action for DD/DAI checks. For example, a
Health IT Module could include the capability to record whether the
user viewed, accepted, declined, ignored, overrode, provided a
rationale or explanation for the action taken, took some other type of
action not listed here or otherwise commented on the DD/DAI check. We
solicit comment on whether we should focus this proposed requirement to
record at least one user action taken for DD/DAI interventions on a
subset of DD/DAI interventions, such as those of highest patient safety
concern, and what sources we should consider for defining this subset.
We note, however, that we do not intend with this proposed
requirement to infer a specific workflow or user interface in order to
achieve conformance to this criterion. While appropriate documentation
in accordance with clinical, safety, and system design best practices
for these DD/DAI interventions is beyond the scope of certification for
this criterion, we would encourage health IT developers to consider
these best practices in developing this functionality and attempt to
not interrupt a provider's workflow unnecessarily to meet this
criterion. This criterion also does not propose to establish the uses
for the ``user action'' information, whom should be able to view the
information, or who could adjust the capability. Further, based on
stakeholder feedback, there does not appear to be a consensus method or
standard for characterizing the severity of patient DD/DAI reactions.
Therefore, until the stakeholder community determines if there should
be a set of methods, standards, or clinical guidelines for determining
the severity of a patient DD/DAI reaction, we believe that users should
determine these definitions for their organization and/or setting.
While this proposed certification criterion focuses on DD/DAI
checking at the point when a user enters a computerized order, we
believe that there are instances when a user should be aware of a
patient's DD/DAI when new medications or medication allergies are
entered into the patient record. Therefore, we strongly encourage
health IT developers to build in functionality, including but not
limited to clinical decision support, that would inform a user of new
or updated DD/DAI when the medication or medication allergy lists are
updated. We also seek comment on whether we should include this
functionality in certification and whether this functionality should be
included in an existing certification criterion (e.g., medication list,
medication allergy list, clinical decision support) or a standalone
criterion.
Demographics
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(5) (Demographics)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``demographics'' certification
criterion that is revised as described below in comparison to the 2014
Edition certification criterion (Sec. 170.314(a)(3)).
Sex
We propose that, for certification (and testing) to this criterion,
health IT must be capable of recording sex in accordance with HL7
Version 3 (``AdministrativeGender'') and a nullFlavor value attributed
as follows: male (M); female (F); and unknown (UNK). This proposal
serves as another means of improving interoperability through the use
of consistent standards.
We propose in a later section of this rule that using HL7 Version 3
for recording sex would be required under the ``Common Clinical Data
Set'' definition for certification to the 2015 Edition. Please see
section III.B.3 ``Common Clinical Data Set'' of this preamble for
further discussion of this associated proposal.
Race and Ethnicity
We propose that, for certification (and testing) to this criterion,
a Health IT Module must be capable of recording each one of a patient's
races and ethnicities in accordance with, at a minimum, the ``Race &
Ethnicity--CDC'' code system in the PHIN Vocabulary Access and
Distribution System (VADS), Release 3.3.9.\21\ We also propose that a
Health IT Module must be able to aggregate each one of a patient's
races and ethnicities to the categories in the OMB standard for race
and ethnicity, which we previously adopted for the 2011 Edition and
2014 Edition ``demographics'' certification criteria.
---------------------------------------------------------------------------
\21\ https://phinvads.cdc.gov/vads/ViewCodeSystem.action?id=2.16.840.1.113883.6.238#.
---------------------------------------------------------------------------
As discussed in the 2014 Edition final rule (77 FR 54208), the OMB
standard for the classification of data on race and ethnicity requires
that the option for selecting one or more racial designations be
provided. The standard also permits the use of more than the minimum
standard categories for race and ethnicity, but requires that the data
can be ``rolled up'' or mapped to the minimum standard categories as
well as aggregated. The ``Race & Ethnicity--CDC'' code system in PHIN
VADS (at a minimum, Release 3.3.9) permits a much more granular
structured recording of a patient's race and ethnicity with its
inclusion of over 900 concepts for race and ethnicity. The recording
and exchange of patient race and ethnicity at such a granular level can
facilitate the accurate identification and analysis of health
disparities based on race and ethnicity. Further, the ``Race &
Ethnicity--CDC'' code system has a hierarchy that rolls up to the OMB
minimum categories for race and ethnicity and, thus, supports
aggregation and reporting using the OMB standard. Accordingly, we
propose the adoption and inclusion of both these standards in this
certification criterion as described.
For the purposes of testing and certification to this
``demographics'' criterion, we would test that a Health IT Module can
record each one of a patient's races and ethnicities using any of the
900 plus concepts in the ``Race & Ethnicity--CDC'' code system. We
would not, however, expect the user interface to include a drop-down
menu of all 900 plus ``Race & Ethnicity--CDC'' code system concepts for
race and ethnicity, as we believe doing so could have negative workflow
effects. Rather, we expect that health IT developers and health care
providers would work together to establish the appropriate
implementation given the care setting.
We refer readers to section III.A.2.d (``Minimum Standards'' Code
Sets) for further discussion of our proposal to adopt ``Race &
Ethnicity--CDC'' code system in PHIN VADS as a minimum standards code
set and Release 3.3.9, or potentially a newer version if released
before a subsequent final rule, as the baseline for certification to
the 2015 Edition.
We propose in a later section of this proposed rule that the ``Race
& Ethnicity--CDC'' code system in PHIN VADS (at a minimum, Release
3.3.9) and the OMB standard would become the race and ethnicity
standards under the ``Common Clinical Data Set'' definition for
certification to the 2015
[[Page 16817]]
Edition. Please see section III.B.3 ``Common Clinical Data Set'' of
this preamble for further discussion of this associated proposal.
Preferred Language
Based on specific HITSC recommendations from 2011, we adopted ISO
639-2 constrained by ISO 639-1 for recording preferred language in the
2014 Edition ``demographics'' certification criterion (77 FR
54208).\22\ More specifically, this means that technology is required
to be capable of using the alpha-3 codes of ISO 639-2 to represent the
corresponding alpha-2 code in ISO-639-1. To provide further clarity, we
issued FAQ 27 \23\ in which we stated that where both a bibliographic
code and terminology code are present for a required ISO 639-2
language, technology is expected to be capable of representing the
language in accordance with the (T) terminology codes (ISO 639-2/T) for
the purposes of certification. After we issued FAQ 27, we issued FAQ 43
\24\ in which we acknowledge that our constrained approach to the use
of ISO 639-2 unintentionally excluded multiple languages that are
currently in use, such as sign language and Hmong. Additionally, ISO
639-2 is meant to support written languages, which may not be the
language with which patients instinctively respond when asked for their
preferred language.
---------------------------------------------------------------------------
\22\ http://www.loc.gov/standards/iso639-2/php/code_list.php.
\23\ http://www.healthit.gov/policy-researchers-implementers/27-question-10-12-027.
\24\ http://www.healthit.gov/policy-researchers-implementers/43-question-11-13-043.
---------------------------------------------------------------------------
To improve the situation described above, we propose to adopt the
Internet Engineering Task Force (IETF) Request for Comments (RFC) 5646
\25\ standard for preferred language. RFC 5646 entitled ``Tags for
Identifying Languages, September 2009'' is the coding system that is
commonly used to encode languages on the web and is the most current
RFC for this purpose and listed as a ``best current practice.'' \26\
The first part of the code relies on the shortest ISO-639 code for the
language. That means a 2-character code if the language is specified in
ISO 639-1 or a 3-character code from ISO 639-2 or -3, if the language
is only listed in one of those two ISO standards. We are also aware
that RFC 5646 supports dialects.
---------------------------------------------------------------------------
\25\ http://www.rfc-editor.org/info/rfc5646.
\26\ http://www.rfc-editor.org/info/rfc5646.
---------------------------------------------------------------------------
After consideration of comments we received on the Voluntary
Edition proposed rule (79 FR 54450) and further research, we believe
that RFC 5646 is the most appropriate standard to support preferred
language interoperability. It is our understanding that this standard
is compatible with the C-CDA Release 2.0 and that other preferred
language standards in use today can be efficiently mapped to it, such
as ISO 639-1, 639-2, and 639-3. Therefore, for the purposes of testing
and certification to this ``demographics'' criterion, we would test
that a Health IT Module can record a patient's preferred language using
any of the codes in RFC 5646.
We emphasize that this requirement would apply to a Health IT
Module presented for certification and not health care providers. In
other words, a Health IT Module certified to this criterion would need
to support the recording of preferred language in RFC 5646 and should
in no way be interpreted or imply the way in which health care
providers use the capability to record preferred language or the
preferred language values they are presented with to select a patient's
preferred language. For example, we would not expect the user interface
to include a drop-down menu of all RFC 5646 codes for language, as we
believe doing so could have negative workflow effects. Rather, we
expect that health IT developers and health care providers would work
together to establish the appropriate implementation given the care
setting.
We propose in a later section of this proposed rule that RFC 5646
would also become the preferred language standard under the ``Common
Clinical Data Set'' definition for certification to the 2015 Edition.
Please see section III.B.3 (``Common Clinical Data Set'') of this
preamble for further discussion of this associated proposal.
Preliminary Cause of Death and Date of Death
We propose to include in the 2015 Edition the capability to enable
a user to electronically record, change, and access the ``date of
death'' as a required capability that EHR technology designed for the
inpatient setting must demonstrate. We previously included this
capability as part of the 2011 Edition ``demographics'' certification
criterion and inadvertently omitted it from the 2014 Edition. While we
heard from commenters in response to the Voluntary Edition proposed
rule that they were unaware of any developer removing this capability,
we believe it is appropriate to specifically include this capability in
the 2015 Edition criterion for testing and certification purposes and
to align with the data required by the Meaningful Use criteria of the
EHR Incentive Programs. To note, this functionality would be in
addition to the inclusion in the 2015 Edition ``demographics''
certification criterion of the same capability to enable a user to
electronically record, change, and access ``preliminary cause of
death'' in case of mortality, as is included in the 2014 Edition
``demographics'' certification criterion.
Vital Signs, Body Mass Index (BMI), and Growth Charts
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(6) (Vital signs, body mass index, and growth charts)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``vital signs, BMI, and growth
charts'' certification criterion that is revised in comparison to the
2014 Edition ``vital signs, BMI, and growth charts'' criterion (Sec.
170.314(a)(4)). Specifically, we propose to: 1) Expand the types of
vital signs for recording; 2) require that each type of vital sign have
a specific LOINC[supreg] code attributed to it; 3) that The Unified
Code of Units of Measure, Revision 1.9, October 23, 2013 (``UCUM
Version 1.9'') \27\ be used to record vital sign measurements; and 4)
that certain metadata accompany each vital sign, including date, time,
and measuring- or authoring-type source.
---------------------------------------------------------------------------
\27\ http://unitsofmeasure.org/trac/.
---------------------------------------------------------------------------
Proposed Approach for Vital Signs
In the Voluntary Edition proposed rule (79 FR 10889-10890), we
solicited comment on whether we should require health IT to record
vital signs in standardized vocabularies. We solicited comments on
whether we should require that vital signs be recorded in standardized
vocabularies natively within the health IT system or only during
transmission. We also solicited comment on whether we should require
vital signs be recorded with specific metadata for contextual purposes.
Many commenters recommended that the industry should standardize
how vital signs are represented and collected. To this end, we are
aware that several stakeholder groups are working to define unique,
unambiguous representations/definitions for clinical concepts along
with structured metadata that together provide improved context for the
system to interpret information, including vital signs. This approach
can help increase data standardization at a granular level so that
clinical elements and associated values/findings can be consistently
represented and exchanged. For example, blood pressure is represented
in current systems using a variety of formats, which creates
[[Page 16818]]
significant challenges to aggregate, compare, and exchange data across
systems. This occurs despite the numeric nature of blood pressure,
resulting in costly and time-consuming manual translation to integrate
this data across systems.
Some commenters supported requiring standardized vocabularies for
vital signs during data exchange rather than natively within the health
IT system. While we agree that data should be exchanged in a standard
way, we also believe that the granularity necessary to unambiguously
represent this data should be implemented within health IT systems so
that data is captured with the same level of specificity to enable
consistent and reliable interpretation by other data users and
receivers without requiring mapping. Thus, we propose that health IT
demonstrate it is able to record vital signs data natively as specified
below. Overall, these proposals reflect our interest in ensuring that
the data a user enters into a health IT system is semantically and
syntactically identical to the information coming out of the system and
being exchanged. We believe this would increase the confidence that the
data exchanged is what the provider intended.
The 2014 Edition ``vital signs'' certification criterion requires
health IT to enable a user to electronically record, change, and access
a patient's height/length, weight, and blood pressure. We propose to
include BMI, heart rate, respiratory rate, temperature, oxygen
saturation in arterial blood by pulse oximetry, and mean blood pressure
as we understand that these vital signs are commonly captured or
calculated (i.e., BMI) in the routine course of clinical encounters
across a wide variety of both inpatient and ambulatory settings. We
also propose to further specify that health IT would need to be able to
record diastolic and systolic blood pressure as separate vital signs
rather than ``blood pressure'' (unspecified) as a single vital sign. We
clarify that this list of vital signs is not intended to be
comprehensive. Rather, these listed vital signs indicate our interest
in a more specific approach to recording and exchanging vital signs
data that could promote unambiguous interpretation. These vital sign
concepts derive from the C-CDA standard and the Public Health
Information Network Vocabulary Access and Distribution System value set
for vital sign result types \28\ (2.16.840.1.113883.3.88.12.80.62),
which was developed by the Health IT Standards Panel.\29\ Therefore, we
believe the health care community has experience with collecting these
vital sign concepts because they have been defined for some time as
part of previous collaborative stakeholder work.
---------------------------------------------------------------------------
\28\ https://phinvads.cdc.gov/vads/ViewValueSet.action?oid=2.16.840.1.113883.3.88.12.80.62.
\29\ The Health IT Standards Panel was established in 2005 as a
strategic public-private partnership in contract with the U.S.
Department of Health and Human Services to achieve a widely accepted
and useful set of standards to enable and support widespread
interoperability among healthcare software applications. The Health
IT Standards Panel's contract with HHS concluded on April 30, 2010.
http://www.hitsp.org/.
---------------------------------------------------------------------------
We propose to require that a Health IT Module be able to attribute
a specific LOINC[supreg] code to each type of vital sign using the
following identifiers:
``Systolic blood pressure'' with LOINC[supreg] code 8480-
6;
``Diastolic blood pressure'' with LOINC[supreg] code 8462-
4;
``Body height'' with LOINC[supreg] code 8302-2;
``Body weight measured'' with LOINC[supreg] code 3141-9;
``Heart rate'' with LOINC[supreg] code 8867-4;
``Respiratory rate'' with LOINC[supreg] code 9279-1;
``Body temperature'' with LOINC[supreg] code 8310-5;
``Oxygen saturation in arterial blood by pulse oximetry''
with LOINC[supreg] code 59408-5;
``Body mass index (BMI) [Ratio]'' with LOINC[supreg] code
39156-5; and
``Mean blood pressure'' with LOINC[supreg] code 8478-0.
We understand that the industry is commonly identifying these vital
signs using LOINC[supreg] codes today.
We also propose to require that a Health IT Module enable a user to
record these vital signs with at least the following metadata:
date and time of vital sign measurement or end time of
vital sign measurement with optional certification in accordance with
the clock synchronization standard adopted at Sec. 170.210(g); and
the measuring- or authoring-type source of the vital sign
measurement (such as the user who documented the vital sign or the
medical device that was used to measure the vital sign).
In some cases, the provider documenting the vital sign may record
the date and time of vital sign measurement manually and enter the data
into a health IT system at a later time; therefore, it would not be
necessary to use the clock synchronization standard. However, use of
the clock synchronization standard may be useful for situations where
the vital sign data comes from a device and should be synchronized with
the health IT system.
For ``oxygen saturation in arterial blood by pulse oximetry,'' we
propose that a Health IT Module enable a user to record ``inhaled
oxygen concentration'' with LOINC[supreg] code 3150-0 as metadata
associated with the vital sign. We understand that ``inhaled oxygen
concentration'' is frequently provided to assist with interpretation of
the ``oxygen saturation in arterial blood by pulse oximetry'' value.
For all units of measure associated with a vital sign value, we
propose to require that health IT be able to record an applicable unit
of measure in accordance with UCUM Version 1.9 (e.g., the UCUM unit
``mm[Hg]'' for systolic blood pressure; e.g., the UCUM unit
``[lb_av],'' ``g,'' ``kg,'' or ``[oz_av]'' for body weight). We note
that LOINC provides a translation table \30\ that enumerates the UCUM
syntax for a subset of UCUM codes that are commonly used in health IT
that may be a useful reference for stakeholders.
---------------------------------------------------------------------------
\30\ https://loinc.org/downloads/usage/units.
---------------------------------------------------------------------------
Proposed ``Optional'' Pediatric Vital Signs
We propose to offer optional certification for health IT to be able
to electronically record, change, and access:
Body mass index (BMI) [Percentile] per age and sex (with
LOINC[supreg] code 59576-9) for youth 2-20 years of age; and
Weight for length per age and sex (with LOINC[supreg] code
to be established in a newer version of LOINC[supreg] prior to the
publication of a subsequent final rule) and/or Head occipital-frontal
circumference by tape measure (with LOINC[supreg] code 8287-5) for
infants less than 3 years of age.
We propose to require that a Health IT Module enable each optional
vital sign to be recorded with an applicable unit of measure in
accordance with UCUM Version 1.9. CDC recommends the collection of
these anthropomorphic indices for youth 2-20 years of age and infants
less than 3 years of age, respectively, as part of best care
practices.\31\
---------------------------------------------------------------------------
\31\ http://www.cdc.gov/growthcharts/clinical_charts.htm#Set1
and http://www.cdc.gov/growthcharts/clinical_charts.htm#Set2.
---------------------------------------------------------------------------
A Health IT Module certified to the ``BMI percentile per age and
sex,'' ``weight for length per age and sex,'' or ``head occipital-
frontal circumference by tape measure'' vital signs would also need to
record metadata for the date and time or end time of vital sign
[[Page 16819]]
measurement, the measuring- or authoring-type source of the vital sign
measurement, the patient's date of birth, and the patient's sex in
accordance with the standard we propose to adopt at Sec.
170.207(n)(1). We believe offering optional certification to these
three vital signs can provide value in settings where pediatric and
adolescent patients are provided care.
Request for Comments on Vital Signs Proposal
We intend that the LOINC[supreg] codes proposed for attribution to
the vital signs in the list above are neutral to, and therefore can
encompass, any clinically reasonable method of measurement that is
commonly used in obtaining vital signs in the course of clinical
encounters in a wide variety of contexts, including but not limited to,
primary-care office/clinic visits, emergency department visits, and
routine inpatient admissions processes. For example, this would mean
the system would attribute ``body height'' to LOINC[supreg] code 8302-2
for the measurement of how tall or long the patient is. This
measurement is collected as part of routine vital signs observation
regardless of whether this clinical observation was made by measuring a
standing or supine adult/child, or a supine infant, or by estimating
through clinically reasonable methods the height/length of an adult or
child who cannot be measured in a standing or fully supine position.
Likewise, we propose to attribute a specific LOINC[supreg] code for
body temperature regardless of whether the temperature was measured by
a liquid-filled, digital/electronic, or infrared (non-contact)
thermometer. The choice of UCUM unit code will indicate whether the
measurement was taken in English or metric units. The metadata
describing the source of the measurement would provide the context of
the device that was used to perform the measurement. We reiterate that
the intent behind this ``vital signs'' proposal is to ensure that the
data a user enters into a health IT system is semantically and
syntactically identical to the information coming out of the system and
being exchanged, allowing other users to unambiguously and consistently
interpret the information. We anticipate that stakeholders may want to
expand the list of metadata beyond the date, time, and source of vital
sign measurement. We welcome comment on additional vital sign metadata
that we should consider for inclusion and the best available standards
for representing the metadata (e.g., LOINC[supreg] or a similar
standard).
Health IT users may currently capture vital signs in more granular
LOINC[supreg] codes that specify the method of measurement. We
therefore solicit comment on the feasibility and implementation
considerations for our proposals that rely on less granular
LOINC[supreg] codes for attribution to vital sign measurements and the
inclusion of accompanying metadata. Additionally, we solicit comment on
the following issues:
Support for or against the proposal to require attribution
of vital sign values using specific LOINC[supreg] codes and associated
metadata;
whether our proposal will accomplish the stated goal of
ensuring that the vital signs data a user enters into a health IT
system is semantically and syntactically identical to the information
coming out of the system and being exchanged;
whether the LOINC[supreg] codes proposed above are the
correct ones for representing the vital sign concepts broadly,
including any method of measurement; and
standards for recording the source of the vital sign
measurement.
We also solicit comment on whether we should require a Health IT
Module to be able to record metadata specific to particular vital signs
results/findings. This could provide additional contextual information
(e.g., position for diastolic and systolic blood pressure, whether the
patient is breathing supplemental oxygen, the site of the temperature
such as oral or rectal, pregnancy status for BMI, and whether the vital
sign was measured or self-reported). Because the LOINC[supreg] code
associated with some vital sign concepts we are proposing may include
whether the vital sign was measured or self-reported (e.g., body weight
measured), we also request comment on which specific vital signs should
include metadata on whether it was measured or self-reported. If we
were to require a Health IT Module to be able to record metadata
specific to particular vital signs, we solicit comment on what
additional metadata should be required for certification and what
standards (e.g., LOINC[supreg] or a similar standard) we should
consider for representing that data.
We note, with respect to arterial oxygen saturation, that we are
proposing here the type of measurement that we understand to be
commonly performed as part of vital signs observation across a wide
variety of clinical settings. We are aware that in some clinical
circumstances oxygen saturation in arterial blood by pulse oximetry is
not a sufficiently precise measurement to support sound clinical
decisions. We therefore invite comment as to whether we should consider
defining the arterial blood oxygen saturation vital sign in a more
method-agnostic way, and whether we should also require capture and
exchange of more robust metadata to ensure technology could reliably
identify to clinicians seeking to use the value whether it was measured
by pulse oximetry or a more precise but more invasive and, in most
clinical contexts, less commonly performed arterial blood gas (ABG)
test.
We propose in a later section of this proposed rule that vital
signs be represented in same manner for the ``Common Clinical Data
Set'' definition as it applies to the certification of health IT to the
2015 Edition. Note that the optional portions of the proposed vital
signs criterion would not be required for the ``Common Clinical Data
Set'' (i.e., BMI percentile per age and sex for youth, weight for
length for infants, head occipital-frontal circumference by tape
measure, calculating BMI, and plotting and displaying growth charts.)
Please see section III.B.3 (``Common Clinical Data Set'') of this
preamble for further discussion of this associated proposal.
Problem List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(7) (Problem list)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``problem list'' certification
criterion that is revised in one way as compared to the 2014 Edition
``problem list'' certification criterion (Sec. 170.314(a)(5)). We
propose to include the September 2014 Release of the U.S. Edition of
SNOMED CT[supreg] in the 2015 Edition ``problem list'' certification
criterion as the baseline version permitted for certification to this
criterion. The 2014 Edition ``problem list'' criterion included the
July 2012 Release of SNOMED CT[supreg] (International Release and the
U.S. Extension) as the baseline version permitted for certification. We
also refer readers to section III.A.2.d (``Minimum Standards'' Code
Sets) for further discussion of our adoption of SNOMED CT[supreg] as a
minimum standards code set and our proposal to adopt the September 2014
Release (U.S. Edition), or potentially a newer version if released
before a subsequent final rule, as the baseline for certification to
the 2015 Edition.
Medication List
[[Page 16820]]
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(8) (Medication list)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``medication list''
certification criterion that is unchanged as compared to the 2014
Edition ``medication list'' certification criterion (Sec.
170.314(a)(6)). To note, this proposed criterion does not reference any
standards or implementation specifications.
Medication Allergy List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(9) (Medication allergy list)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``medication allergy list''
certification criterion that is unchanged as compared to the 2014
Edition ``medication allergy list'' certification criterion (Sec.
170.314(a)(7)).
We received comments in response to the Voluntary Edition proposed
rule suggesting that a ``medication allergy list'' criterion should
include also other types of allergies and intolerances, such as food
and environmental allergies (79 FR 54451-52). We are aware of a number
of vocabularies and code sets that could support food and environmental
allergies as well as medications, but believe that the industry is
working on identifying ways that multiple vocabularies and code sets
can be used together in an interoperable way to support coding of
allergies. Therefore, at this time, there is no ready solution for
using multiple vocabularies to code allergies that could be adopted for
the purposes of certification.
Clinical Decision Support
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(10) (Clinical decision support)
------------------------------------------------------------------------
Health IT is key component of advanced health models and delivery
system reform. CDS is a primary means of supporting the implementation
of best evidence and new knowledge at the point of care and in real
time (see our definition of ``CDS intervention'' discussed at 77 FR
13847). When effective decision support is presented in a useful
manner, it enhances usability and helps providers and patients avoid
medical errors. Therefore, we believe that clinical decision support is
a crucial feature of certified health IT.
We propose to adopt a 2015 Edition ``clinical decision support''
certification criterion that is revised in comparison to the 2014
Edition ``CDS'' criterion (Sec. 170.314(a)(8)). We propose to adopt
and include an updated ``Infobutton'' \32\ standard and two updated
associated IGs. We propose to require certification only to the
Infobutton standard (and an associated IG) for identifying diagnostic
or therapeutic reference information. We propose to require that a
Health IT Module presented for certification to this criterion be able
to record users' actions in response to CDS interventions. Last, we
have revised the regulation text in comparison to the 2014 Edition CDS
criterion to provide more clarity for certification to this proposed
criterion as well as guidance for certification to the 2014 Edition CDS
criterion.
---------------------------------------------------------------------------
\32\ Infobutton'' is typically the shorthand name used to refer
to the formal standard's name: HL7 Version 3 Standard: Context-Aware
Retrieval Application (Infobutton)
---------------------------------------------------------------------------
Infobutton Standard and IGs
We propose to adopt and include the updated Infobutton standard
(Release 2, June 2014) \33\ in the proposed 2015 Edition CDS criterion.
Infobutton provides a standard mechanism for health IT systems to
request context-specific clinical or health knowledge from online
resources. We propose to adopt and include the HL7 Implementation
Guide: Service-Oriented Architecture Implementations of the Context-
aware Knowledge Retrieval (Infobutton) Domain, Release 1, August 2013
(``SOA Release 1 IG'') \34\ in the CDS criterion. The SOA Release 1 IG
includes additional conformance criteria, redesigns extensions, revises
possible values, and includes support for an additional format for
representing knowledge responses. We also propose to adopt and include
in the proposed 2015 Edition CDS criterion the updated Infobutton URL-
based IG (HL7 Version 3 Implementation Guide: Context-Aware Knowledge
Retrieval (Infobutton), Release 4, June 2014) (``URL-based Release 4
IG'').\35\ The IG provides a standard mechanism for health IT to submit
knowledge requests to knowledge resources over the HTTP protocol using
a standard URL format.
---------------------------------------------------------------------------
\33\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=208.
\34\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=283.
\35\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=22.
---------------------------------------------------------------------------
We propose to adopt the updated Infobutton standard with the SOA
Release 1 IG at Sec. 170.204(b)(3). We propose to adopt the updated
Infobutton standard with the URL-based Release 4 IG at Sec.
170.204(b)(4). We clarify that as proposed, a Health IT Module
presented for certification would need to demonstrate the ability to
electronically identify for a user diagnostic and therapeutic reference
information in accordance with Sec. 170.204(b)(3) or (b)(4) (i.e.,
Infobutton and the SOA Release 1 IG or Infobutton and the URL-based
Release 4 IG).
For certification to the 2014 Edition CDS criterion, we permit a
health IT to be certified if it can electronically identify for a user
diagnostic and therapeutic reference information using the Infobutton
standard or another method (Sec. 170.314(a)(8)(ii)). For the 2015
Edition CDS criterion, we propose to require that a Health IT Module
must be able to identify linked referential CDS information using the
Infobutton standard only, as we believe this is the best consensus-
based standard available to support this use case. We have taken this
approach because certification focuses on the capabilities health IT
can demonstrate (where applicable, according to specific standards) and
not on how it is subsequently used. Thus, with this focus we believe we
can refrain from continuing a regulatory requirement (i.e., requiring
``another method'' for certification) from the 2014 Edition to the 2015
Edition.
For the proposed 2015 Edition ``patient-specific education
resources'' certification criterion discussed later in this section of
the preamble, we propose, for the purposes of certification, to require
that a Health IT Module be able to request patient-specific education
resources based on a patient's preferred language. We believe this
capability would assist providers in addressing and mitigating certain
health disparities. We solicit comment on whether we should require
this functionality as part of the CDS certification criterion for
reference materials identified using the Infobutton standards,
including examples of use cases for which this functionality would be
appropriate. We note that if should require a Health IT Module to be
able to request patient-specific education resources based on a
patient's preferred language as part of the CDS criterion, the
availability of resources in a patient's preferred language depends on
the material supported by the content provider. Therefore, to clarify,
testing and certification would focus on the ability of the Health IT
Module to make the request using a preferred language and Infobutton.
CDS Intervention Response Documentation
We solicited comment in the Voluntary Edition proposed rule on
whether a Health IT Module should be able to record users' responses to
the DD/DAI checks that are performed,
[[Page 16821]]
including if and when the user viewed, accepted, declined, ignored,
overrode, or otherwise commented on the product of a DD/DAI check. We
also received comments recommending we broaden our consideration to
include functionality for recording user responses for all CDS
interventions. We believe that this functionality could be valuable for
all CDS interventions, not solely DD/DAI checks, because it could
assist with enhancing CDS intervention design and implementation,
quality improvement, and patient safety.
As such, we propose that the CDS criterion include functionality at
Sec. 170.315(a)(10)(vi) that would require a Health IT Module to be
able to record at least one action taken and by whom when a CDS
intervention is provided to a user (e.g., whether the user viewed,
accepted, declined, ignored, overrode, provided a rationale or
explanation for the action taken, took some other type of action not
listed here, or otherwise commented on the CDS intervention). We also
propose that a Health IT Module be able to generate either a human
readable display or human readable report of the responses and actions
taken and by whom when a CDS intervention is provided.
We note that we do not believe that a Health IT Module's ability to
record user responses should increase provider burden in order to just
meet this criterion. For example, we would not encourage
implementations that would unnecessarily (e.g., for a non-clinical or
safety-related reason) interrupt a provider's workflow and require the
provider to document the reason just to meet this criterion. Rather, we
encourage health IT developers to leverage current best practices for
presenting, documenting, and facilitating the safest and most
appropriate clinical options in response to CDS interventions.
Clarifying ``Automatically'' and ``Triggered'' Regulatory Text
CDS can include a broad range of decision support interventions and
are not solely limited to alerts. Our 2014 Edition ``CDS'' criterion
uses the terms ``automatically'' and ``triggered'' when referencing
interventions. The use of ``trigger'' and ``automatic'' can be
associated with CDS rules or alerts, but may not encompass all kinds of
CDS interventions. For example, CDS could be seamlessly presented in
the user interface (e.g., a dashboard display) or selected by the user
within the workflow (e.g., Infobutton or documentation flowsheets). The
use of ``automatically'' and ``trigger'' as related to CDS
interventions in the 2014 Edition ``CDS'' caused confusion as to what
types of CDS interventions were permitted. To clarify, our intent is to
encompass all types of CDS interventions without being prescriptive on
how the interventions are deployed (e.g., automatic, triggered,
selected, seamless, or queried). As such, we are not using the terms
``automatically'' and ``trigger'' as related to CDS interventions in
the regulatory text for this 2015 Edition certification criterion.
However, we do not propose to change the regulatory text language in
the 2014 Edition ``CDS'' certification criterion as current testing and
certification under the ONC Health IT Certification Program permits the
other types of interventions we have described above.
2014 Edition ``Clinical Decision Support'' Certification Criterion--
Corrections
We propose to revise the cross-reference in Sec.
170.314(a)(8)(iii)(B)(2) (CDS configuration) to more specifically
cross-reference the 2014 ToC criterion (Sec. 170.314(b)(1)(iii)(B)).
This more specific cross reference aligns with the our other proposed
revision to this criterion, which is to add a cross-reference to Sec.
170.314(b)(9)(ii)(D). We inadvertently omitted the cross-reference to
Sec. 170.314(b)(9)(ii)(D) in the 2014 Edition Release 2 final rule.
These revised cross-references would more clearly indicate that health
IT certified to the 2014 Edition CDS criterion would need to enable CDS
interventions when a patient's medications, medication allergies, and
problems are incorporated from a transition of care/care referral
summary.
Drug Formulary and Preferred Drug List Checks
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(11) (Drug-formulary and preferred drug list checks)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``drug formulary checks and
preferred drug list'' certification criterion that is revised in
comparison to the 2014 Edition ``drug formulary checks'' certification
criterion (Sec. 170.314(a)(10)). We propose a criterion that is split
based on drug formularies and preferred drug lists. For drug
formularies, we propose that a Health IT Module must (1) automatically
check whether a drug formulary exists for a given patient and
medication and (2) receive and incorporate a formulary and benefit file
according to the NCPDP Formulary and Benefit Standard v3.0 (``v3.0'').
We propose to adopt v3.0 at Sec. 170.205(n)(1), but also solicit
comment on more recent versions of the NCPDP Formulary and Benefit
Standard. For preferred drug lists, we propose that a Health IT Module
must automatically check whether a preferred drug list exists for a
given patient and medication. This situation applies where the health
IT system does not use external drug formularies, such as in a hospital
health IT system. We also propose, for both drug formularies and
preferred drug lists, that a Health IT Module be capable of indicating
the last update of a drug formulary or preferred drug list as part of
certification to this criterion. We believe that health IT should
indicate the last update of the drug formulary or preferred drug list
so the provider knows how recently the information was last updated. We
also solicit comment on the best standard for individual-level, real-
time formulary benefit checking to address the patient co-pay use case,
and whether we should offer health IT certification to the standard for
this use case.
As described in more detail in the Voluntary Edition proposed rule
(79 FR 10892), CMS finalized a proposal to recognize NCPDP Formulary
and Benefit Standard v3.0 as a backwards compatible version of NCPDP
Formulary and Benefit Standard 1.0 for the period of July 1, 2014
through February 28, 2015, and to retire version 1.0 and adopt version
3.0 as the official Part D e-Prescribing standard on March 1, 2015 (78
FR 74787-74789). In response to the Voluntary Edition proposed rule, we
received comments supporting adoption of the NCPDP Formulary and
Benefit Standard v3.0 (``v3.0'') for this edition of certification
criteria. Those commenters in support of adopting v3.0 noted the
potential to reduce file sizes, which is beneficial when checking
thousands of drug formularies on a daily basis. We agree with those
commenters that v3.0 is the best available option for standardizing the
implementation of drug-formulary checks in health IT and for its
potential to reduce file sizes. As noted above, the adoption of v3.0
would also align with CMS' adoption of version 3.0 as the official Part
D e-Prescribing standard beginning March 1, 2015.
We are aware that more recent versions of the NCPDP Formulary and
Benefit Standard. Versions 4.0 (``v4.0'') (January 2013), 4.1
(``v4.1'') (October 2013), and 42 (October 2014) (``v42'') \36\ have
been published and are available for industry use. At the time of this
[[Page 16822]]
proposed rule, we understand that the NCPDP is currently developing and
balloting Version 43 (``v43''). Version 4.0 has minor changes compared
to v3.0, including removal of values from an unused diagnosis code,
typographical corrections, and a change to the standard length of the
name field. Version 4.1 removes files to support electronic prior
authorization (ePA) transactions since these have been added to the
NCPDP SCRIPT Standard Implementation Guide v2013011 (January 2013) and
later versions, makes typographical corrections, adds a new coverage
type for ePA routing, and adds an RxNorm qualifier to some data
elements. V42 includes changes to reduce the file size. Stakeholder
feedback has indicated that v4.0, v4.1, and v42 are backwards
compatible with v3.0 for the elements that are the same as compared to
v3.0.
---------------------------------------------------------------------------
\36\ Please note a change to the naming convention to Version 42
and Version 43, as NCPDP accepted a change request to remove the
period in version numbering.
---------------------------------------------------------------------------
We received mixed comments in response to the Voluntary Edition
proposed rule on whether it is more appropriate to adopt v4.0 instead
of v3.0 (79 FR 54454). Some commenters were concerned about known
problems with v3.0 and indicated v4.0 could fix these known problems.
Conversely, other commenters stated that v4.0 was too unstable and new
for an edition of certification criteria that was anticipated to be
adopted and in use in 2014. With these comments in mind, we solicit
comment on whether we should adopt v4.0, v4.1, or v42 of the NCPDP Drug
and Formulary Benefit Standard instead of v.3.0 for the proposed 2015
Edition ``drug formulary checks and preferred drug list'' criterion and
what unintended impacts this could have on the industry given the Part
D requirements.
We believe there is value in certifying that health IT is able to
receive and incorporate a formulary and benefit file in accordance with
the NCPDP Formulary and Benefit Standard v3.0. Systems would be able to
incorporate more updated or complete formulary and benefit files to
inform providers as they make determinations about which medications to
prescribe their patients. We seek to understand the potential system
burden in incorporating formulary and benefit files and, therefore,
seek comment on this issue.
In the Voluntary Edition proposed rule, we noted that the NCPDP
Formulary and Benefit Standard v3.0 did not address individual-level,
real-time formulary benefit checking. Comments in response to the
Voluntary Edition proposed rule noted that the ASC X12 270/271 Health
Care Eligibility Benefit Inquiry and Response standard could perform
individual-level, real-time formulary benefit checking in addition to
the NCPDP Telecommunication Standard. Commenters also noted that e-
prescribing networks could provide this service to customers within
proprietary networks. We are aware of a recently established NCPDP task
group that is defining potential use cases and business requirements
for real-time benefit checking.
We continue to believe in the value of providers and patients
knowing what the patient's cost sharing responsibilities are at the
point of care for a given medication to inform discussions about a
patient's care. Therefore, for this use case, we ask commenters to
identify the best standard(s) for individual-level, real-time (at the
point of care) formulary benefit checking and describe how the standard
addresses this use case. We also solicit comment on whether we should
offer certification for this use case using the appropriate standard
for individual-level, real-time formulary benefit checking and whether
it should be part of the 2015 Edition ``drug formulary and preferred
drug list checks'' certification criterion or a standalone
certification criterion.
Smoking Status
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(12) (Smoking status)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``smoking status'' certification
criterion that is revised in comparison to the 2014 Edition ``smoking
status'' criterion (Sec. 170.314(a)(11)). We propose that a Health IT
Module must be able to record, change, and access smoking status in any
of the available codes for smoking status in, at a minimum, the
September 2014 Release of the U.S. Edition of SNOMED CT[supreg].\37\ We
have taken this more flexible approach because there is no longer a
proposed meaningful use objective and measure associated with this
requirement and, thus, no specific requirement for certain codes to be
used toward numerator calculation.
---------------------------------------------------------------------------
\37\ We refer readers to section III.A.2.d (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
SNOMED CT[supreg] as a minimum standards code set and our proposal
to adopt the September 2014 Release (U.S. Edition), or potentially a
newer version if released before a subsequent final rule, as the
baseline for certification to the 2015 Edition.
---------------------------------------------------------------------------
We note, however, that the 8 smoking status SNOMED CT[supreg] codes
identified in Sec. 170.207(h) \38\ remain the same codes as identified
for the 2014 Edition. They are also the value set included in the
Common Clinical Data Set for the 2015 Edition and the only codes
permitted for representing smoking status for electronic transmission
in a summary care record for the purposes of certification. Therefore,
a Health IT Module certified to certification criteria that reference
the Common Clinical Data Set (i.e., the ToC, data portability, VDT,
Consolidated CDA creation performance, and application access to the
Common Clinical Data Set certification criteria) would need to be able
to code smoking status in only the 8 smoking status codes, which may
mean mapping other smoking status codes to the 8 codes.
---------------------------------------------------------------------------
\38\ These 8 codes are: Current every day smoker, 449868002;
current some day smoker, 428041000124106; former smoker, 8517006;
never smoker, 266919005; smoker--current status unknown, 77176002;
unknown if ever smoked, 266927001; heavy tobacco smoker,
428071000124103; and light tobacco smoker, 428061000124105.
---------------------------------------------------------------------------
We also note that we would not expect the user interface to include
a drop-down menu of all available SNOMED CT[supreg] smoking status
codes, as we believe doing so could have negative workflow effects.
Rather, we expect that health IT developers and health care providers
would work together to establish the appropriate implementation given
the care setting.
We propose to include the 2015 Edition ``smoking status''
certification criterion in the 2015 Edition Base EHR definition. Please
see section III.B.1 of this preamble for further discussion of this
associated proposal.
Image Results
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(13) (Image results)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``image results'' certification
criterion that is unchanged in comparison to the 2014 Edition ``image
results'' criterion (Sec. 170.314(a)(12)).
Family Health History
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(14) (Family health history)
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(15) (Family health history--pedigree)
------------------------------------------------------------------------
We propose to adopt two 2015 Edition ``family health history''
(FHH) certification criteria. Both proposed criteria are revised in
comparison to the 2014 Edition FHH certification criterion (Sec.
170.314(a)(13)). The proposed 2015 Edition FHH certification criterion
at Sec. 170.315(a)(14) would require
[[Page 16823]]
technology to enable a user to record, change, and access a patient's
FHH electronically according to, at a minimum, the concepts or
expressions for familial conditions included in the September 2014
Release of the U.S. Edition of SNOMED CT[supreg]. We refer readers to
section III.A.2.d (``Minimum Standards'' Code Sets) for further
discussion of our adoption of SNOMED CT[supreg] as a minimum standards
code set and our proposal to adopt the September 2014 Release (U.S.
Edition), or potentially a newer version if released before a
subsequent final rule, as the baseline for certification to the 2015
Edition.
The proposed 2015 Edition FHH--pedigree certification criterion at
Sec. 170.315(a)(15) would require technology to enable a user to
create and incorporate a patient's FHH according to HL7 Pedigree
standard and the HL7 Pedigree IG, HL7 Version 3 Implementation Guide:
Family History/Pedigree Interoperability, Release 1.\39\ We believe
that this approach gives the most flexibility to health IT developers
and providers to develop, adopt, and implement technology that supports
their clinical documentation needs, while still enabling
interoperability. For example, some providers may only need technology
that supports FHH coding in SNOMED CT[supreg]. Other providers may also
want technology that supports genomic coding, which HL7 Pedigree can
support. The adoption of two separate criteria can more effectively
support different use cases and clearly identify the capabilities to
which health IT has been certified.
---------------------------------------------------------------------------
\39\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=301.
---------------------------------------------------------------------------
As part of the 2014 Edition final rule, we incorrectly assigned the
HL7 Pedigree standard to Sec. 170.207 where we adopt ``vocabulary''
standards. Accordingly, for the 2015 Edition, we have placed the HL7
Pedigree standard and its IG in Sec. 170.205(m)(1) to more accurately
place it in the ``content'' exchange standards section of the CFR.
Patient List Creation
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(16) (Patient list creation)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``patient list creation''
certification criterion that is unchanged in comparison to the 2014
Edition ``patient list creation'' criterion (Sec. 170.314(a)(14)). We
propose to incorporate our guidance provided in FAQ 39 \40\ into the
2015 Edition ``patient list creation'' criterion. Specifically, the
text of the 2015 Edition ``patient list creation'' certification
criterion provides that a Health IT Module must demonstrate its
capability to use at least one of the more specific data categories
included in the ``demographics'' certification criterion (Sec.
170.315(a)(5)) (e.g., sex or date of birth).
---------------------------------------------------------------------------
\40\ http://www.healthit.gov/policy-researchers-implementers/39-question-04-13-039.
---------------------------------------------------------------------------
Patient-Specific Education Resources
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(17) (Patient-specific education resources)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``patient-specific education
resources'' certification criterion that is revised in comparison to
the 2014 Edition ``patient-specific education resources'' certification
criterion (Sec. 170.314(a)(15)). We propose that certification would
only focus on the use of Infobutton for this certification criterion
instead of Infobutton and any means other than Infobutton as required
by the 2014 Edition criterion. We have reviewed the regulatory burden
posed by the 2014 Edition criterion and determined that there is
diminished value in continuing to frame the 2015 Edition certification
criterion in this way. We continue to believe, however, that the
Infobutton capability is important to be available to providers to have
and use to identify patient-specific education resources.
We propose to adopt the updated Infobutton standard (Release 2 and
the associated updated IGs (SOA-based IG and URL-based IG)). These are
discussed in more detail under the ``CDS'' certification criterion
earlier in this section of the preamble. We also note that we no longer
include a requirement that health IT be capable of electronically
identifying patient-specific education resources based on ``laboratory
values/results.'' We understand from stakeholder feedback on the 2014
Edition version of this criterion and our own research that the
Infobutton standard cannot fully support this level of data
specificity. For example, Infobutton could likely provide something
useful for results that are a concept like ``E.coli,'' but not
necessarily a numerical laboratory result.
We also propose that a Health IT Module be able to request patient-
specific education resources based on a patient's preferred language as
this would assist providers in addressing and mitigating certain health
disparities. More specifically, we propose that a Health IT Module must
be able to request that patient-specific education resources be
identified (using Infobutton) in accordance with RFC 5646. We are
aware, however, that Infobutton only supports a value set of ISO 639-1
for preferred language and, therefore, testing and certification of
preferred language for this certification criterion would not go beyond
the value set of ISO 639-1. To note, we also understand that the
language of patient education resources returned through Infobutton is
dependent on what the source can support. Thus, we reiterate that
testing and certification would focus on the ability of the Health IT
Module to make the request using a preferred language and Infobutton.
Electronic Medication Administration Record
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(18) (Electronic medication administration record)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition electronic medication
administration record (eMAR) certification criterion that is unchanged
in comparison to the 2014 Edition ``eMAR'' criterion (Sec.
170.314(a)(16)).
Patient Health Information Capture
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(19) (Patient health information capture)
------------------------------------------------------------------------
We propose to adopt a new 2015 Edition ``patient health information
capture'' certification criterion that would ``replace'' the 2014
Edition ``advance directives'' certification criterion (Sec.
170.314(a)(17)) for the purposes of certification to the 2015 Edition.
The HITPC recommended, as part of their EHR Incentive Programs Stage 3
recommendations, that we adopt a certification criterion for ``advance
directives'' that would require a Health IT Module to be capable of
storing an advance directive and/or including more information about
the advance directive, such as a link to the advance directive or
instructions regarding where to find the advance directive or more
information about it.\41\ We agree with this recommendation in that
more functionality should be demonstrated for certification as it
relates to advance directives. Further, we believe that the
functionality described by the HITPC can be more broadly applicable
and, thus, have named this certification criterion to reflect
functionality that can be applied to various patient health information
documents. For example,
[[Page 16824]]
we believe such capabilities could be applicable to birth plans as well
as advance directives.
---------------------------------------------------------------------------
\41\ http://www.healthit.gov/facas/sites/faca/files/HITPC_MUWG_Stage3_Recs_2014-04-01.pdf.
---------------------------------------------------------------------------
For certification to this criterion, we propose that a Health IT
Module would need to properly identify health information documents for
users (e.g., label health information documents as advance directives
and birth plans). A Health IT Module would also need to be able to
demonstrate that it could enable a user to record (capture and store)
and access (ability to examine or review) health information documents.
We further propose that a Health IT Module would need to be able to
reference health information documents, which means providing narrative
information on where to locate a specific health information document.
A Health IT Module would also need to demonstrate that it can link to
patient health information documents. ``Linking'' would require a
Health IT Module to demonstrate it could link to an internet site
storing a health information document. While an intranet link to a
health information document might suffice for provider use, a Health IT
Module would still need to demonstrate the ability to link to an
external site via the internet for the purposes of certification.
We also propose that a Health IT Module would be required to
demonstrate that it could enable a user to record and access
information directly and electronically shared by a patient. This could
come from multiple sources, including patient information provided
directly from a mobile device. To note, we have not proposed any
specific standards for this criterion related to receiving and
accepting information directly and electronically shared by a patient.
We clarify that these capabilities may not be applicable to every
patient health information document, but a Health IT Module would need
to be able to perform all of these capabilities electronically for
certification to this criterion.
Implantable Device List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(20) (Implantable device list)
------------------------------------------------------------------------
We propose to adopt a new 2015 Edition certification criterion
focused on the ability of a Health IT Module to record, change, and
access a list of unique device identifiers (UDIs) \42\ corresponding to
a patient's implantable devices (``implantable device list''), parse
certain data from a UDI, retrieve the ``Device Description'' attribute
associated with a UDI in the Global Unique Device Identification
Database (GUDID), and make accessible to a user both the parsed and
retrieved data. The proposed criterion represents a first step towards
enabling health IT to facilitate the widespread availability and use of
unique device identifiers to prevent device-related adverse events,
enhance clinical decision-making related to devices, improve the
ability of clinicians to respond to device recalls and device-related
safety information, and achieve other important benefits, consistent
with the fundamental aims of the HITECH Act \43\ and the HHS Health IT
Patient Safety Action and Surveillance Plan.\44\
---------------------------------------------------------------------------
\42\ A UDI is a unique numeric or alphanumeric code that
consists of two parts: (1) a device identifier (DI), a mandatory,
fixed portion of a UDI that identifies the labeler and the specific
version or model of a device, and (2) a production identifier (PI),
a conditional, variable portion of a UDI that identifies one or more
of the following when included on the label of a device: the lot or
batch number within which a device was manufactured; the serial
number of a specific device; the expiration date of a specific
device; the date a specific device was manufactured; the distinct
identification code required by 21 CFR 1271.290(c) for a human cell,
tissue, or cellular and tissue-based product (HCT/P) regulated as a
device. http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/UniqueDeviceIdentification/.
\43\ Specifically, the certification criterion supports the
National Coordinator's responsibility under the HITECH Act to ensure
that the nation's health IT infrastructure supports activities that
reduce medical errors, improve health care quality, improve public
health activities, and facilitate the early identification and rapid
response to public health threats and emergencies. 42 U.S.C. 300jj-
11(b)(2) & (7).
\44\ ONC, HHS Health IT Patient Safety Action and Surveillance
Plan (July 2013), http://www.healthit.gov/policy-researchers-implementers/health-it-and-patient-safety (hereinafter ``Health IT
Safety Plan''). The first objective of the Health IT Safety Plan is
to use health IT to make care safer. See id. at 7. The Plan
specifically contemplates that ONC will update its standards and
certification criteria to improve safety-related capabilities and
add new capabilities that enhance patient safety.
---------------------------------------------------------------------------
FDA issued the Unique Device Identification System final rule on
September 24, 2013.\45\ The rule implements a statutory directive to
establish a ``unique device identification system'' for medical devices
that will enable adequate identification of devices through
distribution and use.\46\ It accomplishes this objective by requiring
device labelers (usually the device manufacturer) to include a UDI on
the label and packages of most medical devices subject to FDA
jurisdiction. In addition, for each device with a UDI, the labeler must
submit a standard set of identifying data elements to the FDA-
administered GUDID, which will be publicly accessible.\47\ Full
implementation of the UDI system for devices that are implantable,
life-saving, and life-sustaining is required by September 2015.\48\
---------------------------------------------------------------------------
\45\ 78 FR 58786.
\46\ 21 U.S.C. 360i(f).
\47\ See FDA, Global Unique Device Identification Database
(GUDID) Guidance for Industry and Food and Drug Administration Staff
(June 27, 2014), available at http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM369248.pdf.
\48\ Pursuant to 21 U.S.C. 360i(f), FDA must implement the
Unique Device Identification System Final Rule with respect to
devices that are implantable, life-saving, and life sustaining not
later than 2 years after the rule was finalized. Other
implementation and compliance dates are detailed in the final rule.
Compliance dates for UDI implementation will be phased in based on
the existing risk-based classification of medical devices: September
2014 for devices classified by FDA at the highest risk level (Class
III); September 2015 for implantable, life-supporting or life-
sustaining devices; September 2016 for moderate risk (Class II)
devices; and September 2018 for low risk (Class I) devices.
---------------------------------------------------------------------------
We first proposed to adopt a certification criterion for
implantable devices in the Voluntary Edition proposed rule (79 FR
10894). We received a large volume of comments on our proposal, many of
which supported the adoption of a UDI-related certification criterion
focused on implantable device list functionality. Some supporters of
our proposal suggested that we wait to adopt it in our next rulemaking
cycle in order to allow relevant standards and use cases to mature.
Other commenters, mostly health IT developers, suggested that the
proposed criterion would be applicable only to health IT systems
designed for surgical or specific inpatient settings in which devices
are implanted, and therefore suggested that we reduce the scope of the
criterion to those settings.\49\ For the reasons stated in the 2014
Edition Release 2 final rule,\50\ we finalized only a small subset of
the criteria we had originally proposed in the Voluntary Edition
proposed rule. These criteria focused on adding flexibility and making
improvements to the 2014 Edition. Consistent with this reduced scope,
we did not finalize an implantable device list criterion at that time,
stating instead our intention to propose such a criterion in our next
rulemaking that would provide additional detail and clarity, as well as
respond to concerns raised by commenters.
---------------------------------------------------------------------------
\49\ For a detailed summary of the comments we received on our
earlier implantable device list proposal, see the 2014 Edition,
Release 2, final rule (79 FR 54458).
\50\ 79 FR 54458.
---------------------------------------------------------------------------
We continue to believe that incorporating UDIs in health IT is
important and necessary to realize the significant promise of UDIs and
FDA's
[[Page 16825]]
Unique Device Identification System to protect patient safety and
improve health care quality and efficiency. Crucially, recording and
exchanging UDIs in patients' electronic health records would enable
this information to travel with patients as they move among providers
and throughout the health care system. With access to this information
at the point of care, clinicians can accurately identify a patient's
implantable devices and prevent adverse events resulting from
misidentification or non-identification of the device and its
associated safety characteristics (such as MRI compatibility and latex
content). Health IT could also be leveraged in conjunction with
automated identification and data capture (AIDC) or other technologies
to streamline the capture and exchange of UDIs and associated data for
patients' devices. As UDIs become ubiquitous, UDI capabilities in
health IT could facilitate better post-market surveillance of devices,
better and more accurate reporting of device-related events, and more
effective corrective and preventative action in response to device
recalls and alerts.
Fully implementing UDIs will take time and require addressing a
number of challenges. A key challenge is that UDIs may initially be
captured in any of a variety of clinical, inventory, registry, or other
IT systems. Robust adoption and use of UDIs will require bridging these
different components and changing IT and administrative processes to,
among other things, ensure that UDIs are properly captured and
associated with patients' electronic health records.
In December 2014, the Brookings Institution with collaboration from
FDA published a detailed roadmap for effective UDI implementation.\51\
Significantly, the roadmap's recommendations stated that ``while the
path to full implementation is complex, there are relatively
straightforward steps that can be done now'' to begin realizing the
benefits of UDI implementation across the health care system. The
roadmap's recommendations specifically urged ONC to support the
incorporation of UDIs into certification criteria for health IT.
---------------------------------------------------------------------------
\51\ The Brookings Institution, Unique Device Identifiers
(UDIs): A Roadmap for Effective Implementation (December 2014)
(available at http://www.brookings.http://www.brookings.edu/~/media/
research/files/papers/2014/12/
05%20medical%20device%20tracking%20system/udi%20final%2012052014).
---------------------------------------------------------------------------
We agree that a key initial step towards solving these challenges
is incorporating UDIs in certified health IT. We believe now is the
appropriate time to take that first step. Major efforts have been
underway for some time to harmonize and pilot health IT standards and
specifications in support of a variety of UDI use cases, and
substantial progress has been achieved to standardize the electronic
exchange of UDIs.\52\ In addition, FDA plans to implement the GUDID in
early 2015 and require UDIs for all implantable devices by September
2015.\53\ In light of this progress on technical standards and FDA's
timeline for UDI implementation, we believe it is feasible for health
IT developers to begin implementing the baseline functionality
necessary to use and exchange UDIs, and in particular for UDIs
associated with patient's implantable devices. Once implanted, these
devices cannot be inspected with the naked eye and are therefore more
susceptible to misidentification and resulting patient harm.
---------------------------------------------------------------------------
\52\ For example, the Brookings Institution and FDA convened a
UDI Implementation Work Group comprising device manufacturers,
payers, health IT developers, academics, clinicians, and other
stakeholders to explore opportunities and challenges associated with
capturing UDIs in claims, identifying steps for implementation and
integration of UDIs within EHRs and other health care IT
infrastructure, and utilizing UDIs as a tool for improved patient
and provider connectivity. http://www.brookings.edu/about/centers/health/projects/development-and-use-of-medical-devices/udi. The Work
Group held a series of expert workshops and in December 2014
published a detailed roadmap for effective UDI implementation. The
Brookings Institution, Unique Device Identifiers (UDIs): A Roadmap
for Effective Implementation (December 2014) (available at http://www.brookings.http://www.brookings.edu/~/media/research/files/
papers/2014/12/05%20medical%20device%20tracking%20system/
udi%20final%2012052014). Concurrently, the HL7 Technical Steering
Committee has established a UDI Task Force to ensure that UDI is
implemented in a consistent and interoperable manner across the
suite of HL7 standards. See http://hl7tsc.org/wiki/index.php?title=TSC_Minutes_and_Agendas. And through an S&I
Framework Structured Data Capture Initiative, ONC, AHRQ, FDA, and
NLM are collaborating with industry stakeholders to include UDI data
for devices in health IT adverse event reporting. See http://wiki.siframework.org/Structured+Data+Capture+Initiative. AHRQ has
already incorporated UDI and associated data attributes in its
Common Formats for adverse event reporting. See AHRQ Data
Dictionary, Common Formats Hospital Version 1.2, at 87, available at
https://www.psoppc.org/c/document_library/get_file?p_l_id=375680&folderId=431263&name=DLFE-15061.pdf.
\53\ http://www.fda.gov/MedicalDevices/ResourcesforYou/Industry/ucm427496.htm; see also 21 U.S.C. 360i(f).
---------------------------------------------------------------------------
To meet this criterion, a Health IT Module would have to enable a
user to record, change, and access a patient's implantable device list,
which would consist solely of one or more UDIs associated with a
patient's implantable devices. The Health IT Module would also have to
be able to parse the following data elements from a UDI:
Device Identifier;
Batch/lot number;
Expiration date;
Production date; and
Serial number.
In addition to parsing the UDI, a Health IT Module presented for
certification would have to be able to retrieve the optional ``device
description'' data element associated with the Device Identifier in the
GUDID, if the data element has been populated. This could be
accomplished using the GUDID's web interface, web services,
downloadable module, or any other method of retrieval permitted under
FDA's GUDID guidance.
For each UDI in a patient's implantable device list, a Health IT
Module presented for certification would have to enable a user to
access the UDI and the data elements identified above (including the
``device description,'' if it exists). Also, in addition to enabling a
user to record and access UDIs for a patient's implantable devices and
as noted above, a Health IT Module would be required to provide the
capability to change UDIs from a patient's implantable device list in
order to meet this criterion. This functionality would allow a user to
delete erroneous or duplicative entries from a patient's implantable
device list and update the list in the event that a device were removed
from the patient. We seek comment on whether such functionality is
necessary and whether there is a safer or more effective way to
maintain the accuracy of this information.
We believe that, in addition to capturing UDIs, health IT should
facilitate the exchange of UDIs in order to increase the overall
availability and reliability of information about patients' implantable
and other devices. Therefore, we propose in a later section of this
rule to include the 2015 Edition ``implantable device list''
certification criterion in the 2015 Edition Base EHR definition and
propose to include a patient's unique device identifier(s) as data
within the Common Clinical Data Set definition for certification to the
2015 Edition. Please see section III.B of this preamble for further
discussion of these associated proposals.
We have also proposed to modify Sec. 170.102 to include new
definitions for ``Device Identifier,'' ``Implantable Device,'' ``Global
Unique Device Identification Database (GUDID),'' ``Production
Identifier,'' and ``Unique Device Identifier.'' This will prevent any
ambiguity in interpretation and ensure that each term's specific
meaning reflects the same meaning given to them in the Unique Device
Identification System final rule and in 21 CFR 801.3. Capitalization
was purposefully applied
[[Page 16826]]
to each word in these defined phrases in order to signal to readers
that they have specific meanings. Please see section III.B of this
preamble for further discussion of these associated proposals.
In several respects the scope of this proposed implantable device
list criterion is narrower than the criterion we proposed in the
Voluntary Edition proposed rule. We received comments in response to
the Voluntary Edition proposed rule recommending clear standards and
use cases for an ``implantable device list'' criterion. With
consideration of these comments, unlike in the Voluntary Edition
proposed rule, we do not propose that health IT certified to the 2015
Edition ``implantable device list'' criterion be required to exchange
or display contextual information (such as a procedure note) associated
with a UDI because we believe additional standards and use case
development will be needed to support these capabilities. We request
comment on whether we have overlooked the need for or feasibility of
requiring this functionality.
We also do not propose any requirements on health IT to facilitate
the ``capture'' of UDIs at the point of care. As discussed above, UDIs
may initially be captured in any of a variety of clinical and non-
clinical contexts, many of which are beyond the current scope of health
IT certified under the ONC Health IT Certification Program. Prescribing
a requirement for capturing UDIs in certified health IT would also be
complicated by the range of data capture tools permitted under the UDI
final rule, including several different types of AIDC technology.
Moreover, as several commenters pointed out in response to our proposal
in the Voluntary Edition proposed rule, only a subset of certified
health IT users--generally surgeons or other clinicians who perform or
assist with operations involving implantable devices--would have a need
for such data capture functionality, and presumably health IT
developers who specialize in health IT for these settings can develop
appropriate solutions for these users.
Given the scope of our program and the current state of UDI
adoption, we do not believe that it would be useful to address these
``upstream'' issues at this time through rulemaking. Hence our proposal
focuses on: (1) Ensuring that certified health IT can record and
exchange UDIs for implantable devices as part of a patient's core
electronic health record using appropriate standards for
interoperability and exchange so that regardless of how UDIs are
captured, they can be readily integrated with patients' electronic
health records; (2) providing all users of certified health IT with the
ability to access basic information about patients' implantable
devices, thereby promoting greater awareness of and stimulating
additional demand for UDIs and UDI-related capabilities in health IT;
and (3) encouraging health IT developers to begin implementing GUDID
functionality. We believe that focusing on these three areas of
baseline UDI functionality will provide the greatest value to our
stakeholders and efforts to promote adoption of UDIs and realize the
significant benefits of UDIs and FDA's Unique Device Identification
System described in this proposal.
Social, Psychological, and Behavioral Data
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(21) (Social, psychological, and behavioral data)
------------------------------------------------------------------------
We propose a new 2015 Edition ``social, psychological, and
behavioral data'' certification criterion that would require a Health
IT Module to be capable of enabling a user to record, change, and
access a patient's social, psychological, and behavioral data based on
SNOMED CT[supreg] and LOINC[supreg] codes. This would include the
ability to record a patient's decision not to provide the information.
An individual's health is shaped largely by life circumstances that
fall outside the traditional health care system and include social,
psychological, and behavioral factors. These factors include, but are
not limited to, family support systems, stress, housing, nutrition,
income, and education. This proposed certification criterion to further
the collection and use of such patient data is not intended to be
comprehensive; rather, it reflects efforts to further HHS priorities to
transform health delivery, to reduce health disparities, and to achieve
the overarching goals of the National Quality Strategy. In particular,
the proposed certification criterion supports efforts to reduce
disparities and efforts to collect patient social, psychological, and
behavioral data for improved health care, such as by aligning with
recommendations from HHS and the Institute of Medicine.\54\
---------------------------------------------------------------------------
\54\ U.S. Department of Health and Human Services, Office of
Minority Health, 2011, HHS Action Plan to Reduce Racial and Ethnic
Disparities: A Nation Free of Disparities in Health and Health Care
(available at: http://www.minorityhealth.hhs.gov/npa/files/Plans/HHS/HHS_Plan_complete.pdf); U.S. Department of Health and Human
Services, Office of the Assistant Secretary for Planning and
Evaluation, 2011, Implementation Guidance on Data Collection
Standards for Race, Ethnicity, Sex, Primary Language, and Disability
Status (available at: http://aspe.hhs.gov/datacncl/standards/ACA/4302/index.pdf); and Institute of Medicine (IOM), November 2014,
Washington, DC, The National Academies Press, 2014, Capturing Social
and Behavioral Domains and Measures in Electronic Health Records:
Phase 2 (available at: http://iom.edu/Reports/2014/EHRdomains2.aspx).
---------------------------------------------------------------------------
We believe that offering certification that would require a Health
IT Module to enable a user to record, change, and access a patient's
social, psychological, and behavioral data would assist a wide array of
stakeholders (e.g., providers, consumers, payors, community-based
organizations, and state and local governments) in better understanding
how this data may adversely affect health. Ultimately, this can lead to
better health outcomes for these populations through improved patient
care, quality improvement, health equity, and clinical decision support
based on individual factors.
We also believe the self-reporting of information by individuals in
response to the questions included in these social, psychological, and
behavioral measures (i.e., the question and answer sets below) could be
utilized for the EHR Incentive Programs Stage 3 which proposes an
objective on patient engagement, including patient-generated health
data. For more information, please refer to the EHR Incentive Programs
Stage 3 proposed rule published elsewhere in this issue of the Federal
Register.
We have heard from many stakeholders recommending that we
prioritize the use of available measures and instruments for the
structured recording of social, psychological, and behavioral data, and
have followed those recommendations here. The measures (questions and
answers sets below) will have LOINC[supreg] codes (or in the case of
sexual orientation and gender identity, SNOMED CT[supreg] codes for the
answers--but no specific questions) used to identify them. Therefore,
we propose, for certification to this criterion, that social,
psychological, and behavioral data be coded in accordance with, at a
minimum, version 2.50 of LOINC[supreg] as attributed in the table
below.\55\ Please note that some question-answer sets for specific
domains do not currently have a LOINC[supreg] code in place; in these
instances it is expected that LOINC[supreg] codes will be established
in a newer version of LOINC[supreg] prior to the
[[Page 16827]]
publication of a subsequent final rule. Please further note that we
propose to include sexual orientation and gender identity within this
certification criterion as described after this table.
---------------------------------------------------------------------------
\55\ We refer readers to section III.A.2.d (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
LOINC[supreg] as a minimum standards code set and our proposal to
adopt version 2.50, or potentially a newer version if released
before a subsequent final rule, as the baseline for certification to
the 2015 Edition.
----------------------------------------------------------------------------------------------------------------
LOINC[supreg]
Question(s) Answer(s) Codes for question- LOINC[supreg]
Domain [LOINC[supreg] [LOINC[supreg] answer list Answer list ID
name] answer code] combination
----------------------------------------------------------------------------------------------------------------
Financial Resource Strain How hard is it for For example: Very LOINC[supreg] code LOINC[supreg] code
(Overall financial resource you to pay for hard, Somewhat pending. pending.
strain from CARDIA). the very basics hard, Not hard,
like food, at all.\56\
housing, medical
care, and
heating? Would
you say it is . .
.
Education (Educational What is the [0] Never attended/ 63504-5........... LL1069-5.
attainment). highest level of kindergarten only.
school you have [1] 1st grade.....
completed or the [2] 2nd grade.....
highest degree [3] 3rd grade.....
you have [4] 4th grade.....
received? \57\ [5] 5th grade.....
[6] 6th grade.....
[7] 7th grade.....
[8] 8th grade.....
[9] 9th grade.....
[10] 10th grade...
[11] 11th grade...
[12] 12th grade,
no diploma.
[13] High school
graduate.
[14] GED or
equivalent.
[15] Some college,
no degree.
[16] Associate
degree:
occupational,
technical, or
vocational
program.
[17] Associate
degree; academic
program.
[18] Bachelor's
degree (e.g., BA,
AB, BS).
[19] Master's
degree (e.g., MA,
MS, MEng, MEd,
MSW, MBA).
[20] Professional
school degree
(example: MD,
DDS, DVM, JD).
[21] Doctoral
degree (example:
PhD, EdD).
[77] Refused......
[99] Don't know...
Stress (from Elo et al) \58\.... Stress means a For example: LOINC[supreg] code LOINC[supreg] code
situation in Likert scale pending. pending.
which a person ranging from 1--
feels tense, indicating not at
restless, all, 2--a little
nervous, or bit, 3--somewhat,
anxious, or is 4--quite a bit,
unable to sleep to 5--indicating
at night because very much.
his/her mind is
troubled all the
time. Do you feel
this kind of
stress these
days?
Depression (PHQ-2).............. [Patient Health N/A............... 55757-9........... N/A.
Questionnaire 2
item (PHQ-2)
[Reported]].
Little interest or [0] Not at all, 44250-9........... LL358-3.
pleasure in doing [1] Several days,
things in last 2 [2] More than
weeks half the days,
[Reported.PHQ]. [3] Nearly every
day.
Feeling down, [0] Not at all, 44255-8........... LL358-3.
depressed or [1] Several days,
hopeless in last [2] More than
2 weeks half the days,
[Reported.PHQ]. [3] Nearly every
day.
[Patient Health For example: 0-6.. 5578-7............ Answer is in UCUM
Questionnaire 2 units.\59\
item (PHQ-2)
total score
[Reported]].
Physical Activity (Exercise How many days of For example: 68515-6........... Answer is in UCUM
Vital Signs). moderate to 1,2,3,4,5,6,7, units.\60\
strenuous etc.
exercise, like a
brisk walk, did
you do in the
last 7 days?
[SAMHSA].
On those days that For example: 10, 68516-4........... Answer is in UCUM
you engage in 20, etc. units.
moderate to
strenuous
exercise, how
many minutes, on
average, do you
exercise?
[SAMHSA].
Alcohol Use (AUDIT-C)........... [Alcohol Use N/A............... 72109-2........... N/A.
Disorder
Identification
Test--Consumption
[AUDIT-C].
[[Page 16828]]
How often do you [a] Never......... 68518-0........... LL2179-1.
have a drink [b] Monthly or
containing less.
alcohol? [SAMHSA]. [c] 2-4 times a
month.
[d] 2-3 times a
week.
[e] 4 or more
times a week.
How many standard [a] 1 or 2........ 68519-8........... LL2180-9.
drinks containing [b] 3 or 4........
alcohol do you [c] 5 or 6........
have on a typical [d] 7 to 9........
day? [SAMHSA]. [e] 10 or more....
How often do you [a] Never......... 68520-6........... LL2181-7.
have six or more [b] Less than
drinks on one monthly.
occasion? [c] Monthly.......
[SAMHSA]. [d] Weekly........
[e] Daily or
almost daily.
[Total score N/A \61\.......... .................. N/A.
[AUDIT-C]].
Social Connection and Isolation Are you married or For example, these LOINC[supreg] code LOINC[supreg] code
(NHANES III). living together categories form pending. pending.
with someone in a an ordinal scale
partnership at assessing the
the time of number of types
questioning? of social
In a typical week, relationships on
how many times do which a person is
you talk on the connected and not
telephone with isolated, and has
family, friends, standard scoring.
or neighbors?. Individuals
How often do you receive one point
get together with for each of the
friends or following: Being
relatives?. married or living
How often do you together with
attend church or someone in a
religious partnership at
services?. the time of
How often do you questioning,
attend meetings averaging three
of the clubs or or more social
organizations you interactions per
belong to?. week (assessed
with questions
one and two,
above), reporting
attending church
or other
religious
services more
than four times
per year
(assessed with
question three,
above), and
reporting that
they belong to a
club or
organization
(assess with
question four,
above). A score
of 0 represents
the highest level
of social
isolation and a
score of 4
represents the
lowest level of
social isolation.
\62\
Exposure to violence: Intimate Within the last Pending........... LOINC[supreg] code LOINC[supreg] code
partner violence (HARK 4Q). year, have you pending. pending.
been humiliated
or emotionally
abused in other
ways by your
partner or ex-
partner?
Within the last ..................
year, have you
been afraid of
your partner or
ex-partner?
Within the last ..................
year, have you
been raped or
forced to have
any kind of
sexual activity
by your partner
or ex-partner?
Within the last ..................
year, have you
been kicked, hit,
slapped, or
otherwise
physically hurt
by your partner
or ex-partner?
----------------------------------------------------------------------------------------------------------------
We propose to require that a Health IT Module enable a user to
record, change, and access a patient's sexual orientation and gender
identity as part of this certification criterion. We propose that
sexual orientation be coded in accordance with, at a minimum, the
September 2014 Release of the U.S. Edition of SNOMED CT[supreg] \63\
and HL7 Version 3 attributed as follows:
---------------------------------------------------------------------------
\56\ The answer is then scored from a scale of 1 (very hard) to
3 (not at all), and unknown answers are scored as a negative number.
\57\ LOINC[supreg] Component used for the table.
\58\ Elo, A.-L., A. Lepp[auml]nen, and A. Jahkola. 2003.
Validity of a single-item measure of stress symptoms. Scandanavian
Journal of Work, Environment & Health 29(6):444-451.
\59\ Note that LOINC[supreg] provides a translation table at
https://loinc.org/downloads/usage/units that enumerates the UCUM
syntax for a subset of UCUM codes that are commonly used in health
IT that may be a useful reference for stakeholders.
\60\ Note that LOINC[supreg] provides a translation table at
https://loinc.org/downloads/usage/units that enumerates the UCUM
syntax for a subset of UCUM codes that are commonly used in health
IT that may be a useful reference for stakeholders.
\61\ The Alcohol Use Disorders Identification Test C (AUDIT-C)
is scored on a scale of 0 to 12. Each of the three AUDIT-C questions
has 5 answer choices with points ranging from 0 to 4. A screen is
considered positive for unhealthy alcohol use or hazardous drinking
if the AUDIT-C score is 4 or more points for men or 3 or more points
for women.
\62\ Pantell et al., 2013.
[[Page 16829]]
------------------------------------------------------------------------
Sexual orientation Code
------------------------------------------------------------------------
Homosexual................................ SNOMED CT[supreg] 38628009.
Heterosexual.............................. SNOMED CT[supreg] 20430005.
Bisexual.................................. SNOMED CT[supreg] 42035005.
Other..................................... HL7 V3
nullFlavor OTH.
Asked but unknown......................... HL7 V3
nullFlavor ASKU.
Unknown................................... HL7 V3
nullFlavor UNK.
------------------------------------------------------------------------
We propose that gender identity be coded in accordance with, at a
minimum, the September 2014 Release of the U.S. Edition of SNOMED
CT[supreg] \64\ and HL7 Version 3 attributed as follows:
---------------------------------------------------------------------------
\63\ We refer readers to section III.A.2.d (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
SNOMED CT[supreg] as a minimum standards code set and our proposal
to adopt the September 2014 Release (U.S. Edition), or potentially a
newer version if released before a subsequent final rule, as the
baseline for certification to the 2015 Edition.
\64\ We refer readers to section III.A.2.d (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
SNOMED CT[supreg] as a minimum standards code set and our proposal
to adopt the September 2014 Release (U.S. Edition), or potentially a
newer version if released before a subsequent final rule, as the
baseline for certification to the 2015 Edition.
------------------------------------------------------------------------
Gender identity Code
------------------------------------------------------------------------
Identifies as male gender................. SNOMED CT[supreg]
446151000124109.*
Identifies as female gender............... SNOMED CT[supreg]
446141000124107.*
Female-to-male transsexual................ SNOMED CT[supreg] 407377005.
Male-to-female transsexual................ SNOMED CT[supreg] 407376001.
Identifies as non-conforming gender....... SNOMED CT[supreg]
446131000124102.*
Other..................................... HL7 V3
nullFlavor OTH.
Asked but unknown......................... HL7 V3
nullFlavor ASKU
------------------------------------------------------------------------
* These new concepts will appear in the March 2015 release of the U.S.
Edition of SNOMED CT[supreg] and are now viewable at https://uscrs.nlm.nih.gov/main.xhtml.
We note that the functionality under consideration to record the
data discussed above has no bearing on whether a patient chooses to
provide this information or whether a health care provider chooses to
record the information or would be required to do so through the EHR
Incentive Programs or other programs. However, we believe the
structured recording of these types of data as described is the best
available method for reliably capturing and maintaining accurate
reflections of this information. For this proposed certification
criterion, we seek comment on whether:
The appropriate measures have been included for the listed
social, psychological, and behavioral data;
There should be standardized questions associated with the
collection of sexual orientation and gender identity data (and if so,
what vocabulary standard would be best suited for coded these
standardized questions);
We should set a minimum number of data measures for
certification (e.g., at a minimum: One, 3, or all); and
These measures should be part of one certification
criterion or separate certification criteria. We note that our proposal
for an ``Open Data Certified Health IT Products List,'' as discussed in
section IV.D.3 of this preamble, would result in more granular
identification of certified health IT. Specific to this criterion, the
CHPL would include information regarding each of the data measures
(e.g., education, depression, and sexual orientation) that were
certified as part of a Health IT Module's certification to this
criterion.
Work Information--Industry/Occupation Data
The Institute of Medicine identified patients' work information as
valuable data that could be recorded by health IT and used by both
health care providers and public health agencies.\65\ Similarly, the
2012 HHS Environmental Justice Strategy and Implementation Plan echoed
the potential benefits of having work information in EHR
technology.\66\ The combination of industry and occupation (I/O)
information provides opportunities for health care providers to improve
patient health outcomes--for health issues wholly or partially caused
by work and for health conditions whose management is affected by work.
For example, ``Usual'' (longest-held) I/O information can be key for
health care improvement and population-based health investigations, and
is already a required data element for cancer reporting.\67\ Health
care providers also can use current I/O information to assess symptoms
in the context of work activities and environments, inform patients of
risks, obtain information to assist in return-to-work determinations,
and evaluate the health and informational needs of groups of patients.
---------------------------------------------------------------------------
\65\ IOM (Institute of Medicine). 2011. ``Incorporating
Occupational Information in Electronic Health Records: A Letter
Report''. Available at: http://www.nap.edu/catalog.php?record_id=13207.
\66\ U.S. Department of Health and Human Services. February,
2012. 2012 HHS Environmental Justice Strategy and Implementation
Plan. Available at: http://www.hhs.gov/environmentaljustice/strategy.html.
\67\ CDC (2) (Centers for Disease Control and Prevention). 2012.
Implementation Guide for Ambulatory Healthcare Provider Reporting to
Central Cancer Registries, HL7 Clinical Document Architecture (CDA)
Release 1.0, August 2012. Available at: http://www.cdc.gov/phin/library/guides/Implementation_Guide_for_Ambulatory_Healthcare_Provider_Reporting_to_Central_Cancer_Registries_August_2012.pdf.
---------------------------------------------------------------------------
Since publication of the Voluntary Edition proposed rule (79 FR
10924) in which we requested comment on I/O information for the
purposes of certification, we have considered health IT developer
feedback on the need to adopt consensus standards for capturing I/O
information in health IT and continue to work with the National
Institute for Occupational Health and Safety (NIOSH) to explore avenues
to record I/O data in health IT. NIOSH also continues to work with
various industry stakeholders and health IT developers to assess the
incorporation of patient I/O fields into commercial EHRs, develop
occupationally related CDS, and to investigate practices and systems to
achieve accurate, automated coding of I/O information. Given the value
of I/O information as noted above and the progress being made by NIOSH
and others, we are making a refined request for comments as part of a
future edition of certification criteria. We invite commenters to
consider what additional support might be needed for health IT
developers, implementers, and users to effectively include a
certification criterion that would require health IT to enable a user
to record, change, and access (all electronically) the following data
elements in structured format:
Patients' employment status and primary activities (e.g.,
volunteer work);
Patients' current I/O, linked to one another and with
time-stamp, including start date;
Patients' usual I/O, linked to one another and with time-
stamp, including start year and duration in years; and
Patients' history of occupation with a time and date stamp
for when the history was collected (to note, this is focused on the
capability to record a history, not a requirement that a history must
be recorded or that a patient history be recorded for a certain
historical period of time).
We solicit public comment on the experience health IT developers
and health care providers have had in recording, coding, and using I/O
data. This would include any innovation that is making I/O data more
useful for providers.
To better understand the health care needs associated with work
data, we specifically solicit public comment from health care
providers, provider
[[Page 16830]]
organizations, and patients on the following:
The usefulness for providers to be able to access current
and usual I/O and related data in the EHR, including whether additional
data elements, such as work schedule, are useful.
The usefulness of a history of positions provided as
current I/O, with data from each position time-stamped, linked,
retained, and accessible as part of the longitudinal patient care
(medical) record.
Narrative text (vs. codes) for both current and usual I/O.
CDC_Census codes for both current and usual I/O; available
through PHIN VADS at https://phinvads.cdc.gov/vads/SearchVocab.action.
SNOMED CT[supreg] codes for occupation (current codes or
potentially developed codes).
Other standards and codes that may be in use by the health
IT industry for both current and usual I/O.
U.S. Uniformed/Military Service Data
In the Voluntary Edition proposed rule (79 FR 10924), we outlined
rationale for a potential certification criterion that would assess the
capability of health IT to enable a user to record, change, and access
U.S. military service or all uniformed service (including commissioned
officers of the U.S. Public Health Service (USPHS) and the National
Oceanographic and Atmospheric Administration (NOAA) as they too are
eligible for military health services, veterans benefits, and related
services). We reiterate the rationale here as we continue to believe it
is persuasive for adopting such a certification criterion. In recent
years, U.S. Military service members have been returning from service
in Iraq and Afghanistan and other various combat duty stations. A
portion of these service members are returning with traumatic brain
injuries, major limb injuries, and diagnoses of post-traumatic stress
disorder as reported by the Department of Defense and Department of
Veterans Affairs. We believe recording U.S. uniformed/military service
information can have many benefits. It can help in identifying
epidemiological risks for patients such as those noted above. It can
assist in ensuring that a patient receives all the health care benefits
he or she is entitled to by alerting medical professionals to the
patient's service history, which can facilitate the coordination of
benefits. This information can also increase the ability to assemble a
longitudinal record of care for a U.S. service member, such as by
requesting or merging of a patient's electronic health record stored by
the Department of Defense, Veteran's Health Administration, and/or
another health care provider.
In response to the request for comment on a ``U.S. uniformed/
military service'' certification criterion in the Voluntary Edition
proposed rule, commenters indicated that vocabulary standards for
capturing such history may not be mature enough yet. Specifically,
commenters noted that SNOMED CT [supreg] currently has relevant codes,
such as ``history relating to military service,'' and ``duration of
military service,'' but not codes to cover all potential military
service statuses, capture military service in an unambiguous way (e.g.,
capturing current employed as well as history of military service) and
military service in foreign locales. To improve coding of military and
all uniformed history, we believe a promising path forward would be to
add codes to the U.S. Extension of SNOMED-CT [supreg]. Therefore, we
request comment on the following:
Whether a potential certification criterion should be
focused solely on U.S. military service or all uniformed service
members (e.g., commissioned officers of the USPHS and NOAA);
Whether the U.S. Extension of SNOMED-CT [supreg] is the
most appropriate vocabulary code set or whether other vocabulary code
sets may be appropriate; and
The concepts/values we should use to capture U.S. military
service or all uniformed service status. We ask commenters to consider
the work of NIOSH on I/O information as it relates to capturing
military service.
Other Social, Psychological, and Behavioral Data
We seek comment on whether there are additional social,
psychological, and behavioral data that we should include for
certification as well as the best available standards for representing
such data.
Decision Support--Knowledge Artifact
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(22) (Decision support--knowledge artifact)
------------------------------------------------------------------------
We propose a new ``decision support--knowledge artifact''
certification criterion in the 2015 Edition for technology to
electronically send and receive clinical decision support knowledge
artifacts in accordance with a Health eDecisions (HeD) standard.
A previous ONC-sponsored S&I initiative, HeD, defined two use cases
(UC) with the goals of expressing CDS interventions in a standardized
format for sharing (UC 1) and requesting/receiving knowledge artifacts
from a CDS service provider (UC 2). We discuss UC 2 further in the
proposal for a 2015 Edition ``decision support--service'' certification
criterion in this section of the preamble. HeD UC 1 defined the
functional requirements needed to build a standard schema for the
contents of three ``CDS Knowledge Artifact'' \68\ types: event
condition action (ECA) rules, order sets, and documentation
templates.\69\ UC 1 was based on the scenario of a ``CDS Knowledge
Artifact supplier'' making a computable CDS Knowledge Artifact
available to a ``CDS Artifact integrator.'' For example, in accordance
with the HeD standard, health IT could automatically integrate
medication order sets based on best practice clinical guidelines in a
machine-readable format without the need for human interpretation.
---------------------------------------------------------------------------
\68\ A CDS Knowledge Artifact is the encoding of structured CDS
content as a rule to support clinical decision making in many areas
of the health care system, including quality and utilization
measures, disease outbreaks, comparative effectiveness analysis,
efficacy of drug treatments, and monitoring health trends.
\69\ HL7 Implementation Guide: Clinical Decision Support
Knowledge Artifact Implementation Guide, Release 1 (January 2013)
(``HeD standard'').
---------------------------------------------------------------------------
In the Voluntary Edition proposed rule, we proposed to adopt the
HL7 Implementation Guide: Clinical Decision Support Knowledge Artifact
Implementation Guide, Release 1 (January 2013) (``HeD standard'').\70\
We stated that the HeD standard would greatly assist the industry in
producing and sharing machine-readable files for representations of
clinical guidance. We did not adopt the HeD standard as we agreed with
commenters that more clarity is needed regarding the HeD proposals (79
FR 54453).
---------------------------------------------------------------------------
\70\ http://wiki.siframework.org/file/detail/implementation_guide_working_final_042413_lse_uploaded-1.docx.
---------------------------------------------------------------------------
As the HeD initiative has completed, a new S&I initiative has
launched, the Clinical Quality Framework (CQF), which builds on the HeD
work and expands the scope to harmonize both CDS and electronic
clinical quality measurement (eCQM) standards. The CQF initiative has
created an updated and more modular HeD implementation guide for
sharing CDS artifacts, HL7 Version 3 Standard: Clinical Decision
Support Knowledge Artifact Specification, Release 1.2 DSTU (July
2014).\71\ The modularity allows for portions of the HeD standard
Release 1.2 to be updated without requiring updates
[[Page 16831]]
to the entire standard. As the CQF work continues, this more recent
standard will be leveraged heavily to produce a harmonized clinical
quality expression language for both CDS and eCQMs.
---------------------------------------------------------------------------
\71\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=337.
---------------------------------------------------------------------------
We continue to believe that the HeD standard would greatly assist
the industry in producing and sharing machine readable files for
representations of clinical guidance. We therefore propose to adopt the
HL7 Version 3 Standard: Clinical Decision Support Knowledge Artifact
Specification, Release 1.2 DSTU (July 2014) (``HeD standard Release
1.2'') at Sec. 170.204(d)(1) and offer testing and certification for
health IT demonstrate it can electronically send and receive a CDS
artifact formatted in the HeD standard Release 1.2.
We solicited comment in the Voluntary Edition proposed rule on what
we should test and certify to when it comes to testing and
certification for acceptance and incorporation of CDS Knowledge
Artifacts (79 FR 54453). Commenters suggested that we focus testing on
a few types of CDS Knowledge Artifacts, but not on all possible types
included in the HeD standard. We note that HHS is developing publicly
available CDS interventions in HL7 draft standard formats,\72\
including the HeD standard Release 1.2, that will be available at
www.ushik.org. We welcome comment on specific types of CDS Knowledge
Artifacts on which we should focus testing and certification to the HeD
standard Release 1.2. We also invite comments on versions of standards
we should consider as alternative options, or for future versions of
this certification criterion, given the ongoing work to harmonize CDS
and quality measurement standards as discussed under the ``CQM--record
and export'' certification criterion later in this section of the
preamble.
---------------------------------------------------------------------------
\72\ This site may also include CDS interventions formatted to
the Quality Improvement and Clinical Knowledge Model (QUICK)
standard which we discuss in the preamble for the ``Clinical quality
measures--record and export'' certification criterion.
---------------------------------------------------------------------------
Decision Support--Service
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(23) (Decision support--service)
------------------------------------------------------------------------
We propose a new ``decision support--service'' certification
criterion in the 2015 Edition for technology to electronically make an
information request with patient data and receive in return electronic
clinical guidance in accordance with the standard in accordance with an
HeD standard.
A previous ONC-sponsored S&I initiative, HeD, defined two use cases
(UC) with the goals of expressing CDS interventions in a standardized
format for sharing (HeD UC 1) and requesting/receiving knowledge
artifacts from a CDS service provider (HeD UC 2). We discuss HeD UC 1
further in the proposal for a 2015 Edition ``decision support--
knowledge artifact'' certification criterion above. HeD UC 2 defines
the interface requirements needed to send patient data and receive CDS
guidance based on one scenario: a request for clinical guidance made to
a CDS guidance supplier. The HeD S&I initiative considered the
following interactions with a CDS guidance supplier: Drug dosing
calculation; immunization forecasting; disease management; quality
measure evaluation; transition of care support; test appropriateness
scores (e.g., radiology tests); prediction rule evaluation (e.g.,
APACHE score, AHRQ Pneumonia Severity Index); and severity of illness
assessment (e.g., Charlson Index). The HeD initiative created the HL7
Implementation Guide: Decision Support Service, Release 1--US Realm
DSTU (January 2014) (``Decision Support Service IG''),\73\ which
defines SOAP and REST web service interfaces for CDS guidance services.
---------------------------------------------------------------------------
\73\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=334.
---------------------------------------------------------------------------
We proposed to adopt the Decision Support Service IG in the
Voluntary Edition proposed rule because the implementation of this IG
would promote systems whereby a health care provider can send a query
about a patient to a CDS guidance supplier and receive CDS guidance
back in near real-time. Although we received general support for
adopting the Decision Support Service IG, we did not adopt it because
the 2014 Edition Release 2 final rule focused on the adoption and
revision of a small number of 2014 Edition certification criteria that
add flexibility and make improvements to the existing set of 2014
Edition certification criteria.
We are aware of a more recent release of the Decision Support
Service IG, HL7 Implementation Guide: Decision Support Service, Release
1.1 (March 2014), US Realm DSTU Specification (``Release 1.1'').\74\
Release 1.1 utilizes the latest available version of the HL7 Virtual
Medical Record specification. Given the general support we received in
the Voluntary Edition proposed rule, we propose to adopt the HL7
Implementation Guide: Decision Support Service, Release 1.1 (March
2014), US Realm DSTU Specification at Sec. 170.204(e)(1) and offer
testing and certification for health IT to demonstrate the ability to
send and receive electronic clinical guidance according to the
interface requirements defined in Release 1.1. We also invite comments
on versions of standards we could consider as alternative options, or
for future versions of this certification criterion, given the ongoing
work to harmonize CDS and quality measurement standards as discussed
under the ``CQM--record and export'' certification criterion later in
this section of the preamble.
---------------------------------------------------------------------------
\74\ http://www.hl7.org/documentcenter/public/standards/dstu/HL7_DSS_IG%20_R1_1_2014MAR.zip.
---------------------------------------------------------------------------
Transitions of Care
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(1) (Transitions of care)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition certification criterion for
``transitions of care'' (ToC) that is a continuation and extension of
the ToC certification criterion adopted as part of the 2014 Edition
Release 2 final rule at Sec. 170.314(b)(8). This proposed criterion
also reflects the corresponding structural and clarifying changes that
we adopted in the 2014 Edition Release 2 final rule that correspond to
``clinical information reconciliation and incorporation'' certification
criterion also adopted as part of the 2014 Edition final rule.
Accordingly, the 2015 Edition ToC certification criterion we
propose to adopt would include many of the same capabilities adopted at
Sec. 170.314(b)(8) with the exception of the following revisions and
additions.
Updated C-CDA Standard
As expressed in the 2014 Edition final rule, the C-CDA standard is
now the single standard permitted for certification and the
representation of summary care records. It is also referenced in other
proposed 2015 Edition certification criteria. Industry stakeholders
have continued to work to improve and refine the C-CDA standard since
the 2014 Edition final rule, including publishing additional guidance
for its consistent implementation.\75\ An updated version, HL7
Implementation Guide for CDA[supreg] Release 2: Consolidated CDA
Templates for Clinical Notes (US Realm), Draft
[[Page 16832]]
Standard for Trial Use, Release 2.0,\76\ which was balloted through
2014, includes the following changes, which we believe provide
important clarifications and enhancements:
---------------------------------------------------------------------------
\75\ http://wiki.siframework.org/Companion+Guide+to+Consolidated+CDA+for+MU2.
\76\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=379. Access to the IG is freely
available for review during the public comment period by
establishing an HL7 user account.
---------------------------------------------------------------------------
Addition of new structural elements: new document sections
and data entry templates:
[cir] New Document Templates for: Care Plan; Referral Note;
Transfer Summary.
[cir] New Sections for: Goals; Health Concerns; Health Status
Evaluation/Outcomes; Mental Status; Nutrition; Physical Findings of
Skin.
[cir] New organizers and many new entries (e.g. Wound Observation).
Some sections/entries were deprecated (i.e., should no
longer be used).
Updates to (versioning of) template/section/entry object
identifiers (OIDs).
[cir] This includes a new chapter describing HL7's approach to
template versioning.
Tighter data constraints/requirements.
[cir] For example, some data elements with a ``MAY'' requirement
now have a ``SHOULD'' requirement. Likewise, some with a ``SHOULD''
requirement now have a ``MUST'' requirement.
Updated Vocabulary/Value Set constraints.
[cir] For example: two SNOMED CT [supreg] codes were added to the
Current Smoking Status value set and the Tobacco Use value set to
support the 2014 Edition vocabulary requirements for patient smoking
status.
[cir] NLM's Value Set Authority Center (VSAC) was named as
reference for Value Sets used in C-CDA.
In the Voluntary Edition proposed rule, we proposed to adopt the C-
CDA Release 2.0 standard and reference its use in the other
certification criteria in which this standard would have also been
applicable. At the time of that proposal, the C-CDA Release 2.0 had not
yet completed its balloting cycle within HL7 and stakeholder comments
on the Voluntary Edition proposed rule expressed concern related to the
C-CDA Release 2.0 standard's stability. Given that the C-CDA Release
2.0 has completed balloting and is now published as the next C-CDA
version, we believe that the continued attention it received through
HL7 balloting has resulted in a standard that is the best available for
adoption in this proposed rule and for future implementation in the
coming years. Thus, we propose to adopt C-CDA Release 2.0 at Sec.
170.205(a)(4) as part of this certification criterion. We note that
compliance with the C-CDA Release 2 cannot include the use of the
``unstructured document'' document-level template for certification to
this criterion.
To address a technical implementation challenge sometimes referred
to as ``bilateral asynchronous cutover,'' (which is meant to convey the
complexity of continued interoperability among exchange partners as
each upgrades their health IT at different times and with different
standards capabilities), we propose that the 2015 Edition ToC
certification criterion reference both the C-CDA Release 1.1 and
Release 2.0 standards. In other words, a Health IT Module presented for
certification to this criterion would need to demonstrate its
conformance and capability to create and parse both versions (Release
1.1 and 2.0) of the C-CDA standards. Under this proposal, the sending
Health IT Module would send two documents (one conforming to C-CDA R1.1
and other conforming to C-CDA R2.0) and the receiving Health IT Module
would receive both versions of the documents and choose the appropriate
version for downstream processing.
While we recognize that this proposal is not ideal, we have
proposed this more conservative approach as a way to mitigate the
potential that there would be interoperability challenges for ToC as
different health care providers adopt Health IT Modules certified to
the 2015 Edition criterion at different times that include C-CDA
Release 2.0 capabilities. However, we request public comment,
especially from health IT developers with experience implementing the
C-CDA, on an alternative approach related to the creation of C-CDA-
formatted documents. The alternative approach would be focused on C-CDA
creation and receipt capabilities related to whether the health IT
system could produce one, ``dually compliant,'' C-CDA that addresses
both C-CDA versions at once. We understand that this approach is
possible, may be preferred from an implementation perspective, and
could help prevent potential data duplication errors that could result
if a Health IT Module is required to be able to produce two separate C-
CDA files (one in each version) as part of certification.
Our proposal to adopt C-CDA Release 2.0 is applicable to all of the
other certification criteria in which the C-CDA is referenced.
Similarly, unless C-CDA Release 2.0 is explicitly indicated as the sole
standard in a certification criterion, we propose to reference both C-
CDA versions in each of these criteria for the reasons just discussed.
Valid/Invalid C-CDA System Performance
As we considered stakeholder feedback and reviewed the additional
public dialogue surrounding the variability of CEHRT in recognizing
valid/invalid documents formatted according to the C-CDA 1.1 standard,
including structured content by different health IT developers,\77\ we
recognized that an expanded ToC certification criterion with a specific
capability focused principally on health IT system behavior and
performance related to recognizing valid/invalid C-CDAs would be
beneficial. Thus, we propose to include within the 2015 Edition ToC
certification criterion a specific focus on this technical system
behavior. We believe this type of error checking and resilience is an
important and necessary technical prerequisite in order to ensure that
as data in the system is parsed from a C-CDA for incorporation as part
of the ``clinical information reconciliation and incorporation''
certification criterion the user can be assured that the system has
appropriately interpreted the C-CDA it received. Further, we believe
this level of rigorous testing will better enable Health IT Modules to
properly recognize C-CDA-based documents and prepare the necessary
information for reconciliation and other workflow needs.
---------------------------------------------------------------------------
\77\ D'Amore JD, et al. J Am Med Inform Assoc 2014;21:1060-1068.
---------------------------------------------------------------------------
We propose that this specific aspect of the certification criterion
would focus on and require the following technical outcomes be met. The
Health IT Module would need to demonstrate the ability to detect valid
and invalid C-CDA documents, including document, section, and entry
level templates for data elements specified in 2014 and 2015 edition.
Specifically, this would include:
The ability of the Health IT Module to detect invalid C-
CDA documents. Thus, any data in the submitted C-CDA document that does
not conform to either the C-CDA 1.1 or 2.0 standard (in addition to
data coding requirements specified by this regulation) would be
considered invalid;
The ability to identify valid C-CDA document templates
(e.g., CCD, Discharge Summary, Progress Note) and process the required
data elements, section and entries, specific to the document templates
and this regulation.
The ability to detect invalid vocabularies and codes not
specified in
[[Page 16833]]
either the C-CDA 1.1 or 2.0 standard or required by this regulation
(e.g., using a SNOMED CT [supreg] code where a LOINC [supreg] code is
required or using a code which does not exist in the specified value
set).
The ability to correctly interpret empty sections and
nullFlavor combinations per the C-CDA 1.1 or 2.0 standard. For example,
we anticipate testing could assess a Health IT Module's ability to
continue to process a C-CDA when a nullFlavor is used at the section
template level.
We expect these capabilities would be tested by providing several
C-CDA documents with valid and invalid data. We do not expect Health IT
Modules presented for certification to have a common C-CDA handling
process, however, we do expect that they would have a baseline
capability to identify valid and invalid C-CDA documents and prepare
the necessary data for clinical information reconciliation and
incorporation. Further, we expect that Health IT Modules will have some
mechanism to track errors encountered when assessing received C-CDA's
and we have proposed that health IT be able to track the errors
encountered and allow for a user to be notified of errors or review the
errors produced. The Health IT Module would not need to support both
and how this technical outcome is accomplished is entirely up to the
health IT developer.
We direct readers to the proposed ``Consolidated CDA creation
performance'' certification criterion (Sec. 170.315(g)(6)) under which
we seek comment on a potential requirement for this certification
criterion or the ``Consolidated CDA creation performance''
certification criterion that would evaluate the completeness of the
data included in a C-CDA in order to ensure that the data recorded by
health IT is equivalent to the data included in a created C-CDA.
XDM Package Processing
As indicated in the earlier paragraphs, a Health IT Module
presented for certification to this certification criterion will need
to support one of the edge protocols referenced in the Edge IG version
1.1 (i.e., the ``IHE XDR profile for Limited Metadata Document
Sources'' edge protocol or an SMTP-focused edge protocol (SMTP alone or
SMTP in combination with either IMAP4 or POP3)). However industry
feedback has indicated that the use of XDM packages has grown within
the stakeholder community using Direct, which most often happens when
Edge System A using XDR sends content and metadata to its HISP-A, who
in turn packages that content and metadata into an XDM ZIP and sends it
within a Direct message to HISP-B, which then ultimately sends the
message containing the XDM package to Edge System B using an SMTP-based
edge.
Therefore, if Edge System B does not support XDM package
processing, interoperability could be impacted when HISP-B forwards XDM
packages to Edge System B via the SMTP protocol. To mitigate this
potential incompatibility, we propose to include a specific capability
in this certification criterion that would require a Health IT Module
presented for certification that is also being certified to the SMTP-
based edge to demonstrate its ability to accept and process an XDM
package it receives, which would include extracting relevant metadata
and document(s). That is, this additional requirement only applies to a
Health IT Module presented for certification with an SMTP-based edge
implementation and not an XDR edge implementation). Additionally,
because we expect XDM packaging to be created in accordance with the
specifications included in IHE IT Infrastructure Technical Framework
Volume 2b (ITI TF-2b),\78\ we propose to adopt this as the standard (at
Sec. 170.205(p)(1)) for assessing whether the XDM package was
successfully processed.
---------------------------------------------------------------------------
\78\ http://www.ihe.net/Technical_Framework/upload/IHE_ITI_TF_Rev7-0_Vol2b_FT_2010-08-10.pdf.
---------------------------------------------------------------------------
Common Clinical Data Set
We propose to include an updated Common Clinical Data Set for the
2015 Edition that includes references to new and updated vocabulary
standards code sets. Please also see the Common Clinical Data Set
definition proposal in section III.B.3 of this preamble.
Encounter Diagnoses
For encounter diagnoses, we are carrying over the requirement from
the 2014 Edition ``ToC'' certification criterion that a Health IT
Module must enable a user to create a transition of care/referral
summary that also includes encounter diagnoses using either SNOMED CT
[supreg] (September 2014 Release of the U.S. Edition as a baseline for
the 2015 Edition) or ICD-10 codes.
``Create'' and Patient Matching Data Quality
In 2011, both the HITPC and HITSC made recommendations to ONC on
patient matching. The HITPC made recommendations in the following five
categories: Standardized formats for demographic data fields;
internally evaluating matching accuracy; accountability; developing,
promoting and disseminating best practices; and supporting the role of
the individual/patient.\79\ The HITSC made the following four
recommendations: Detailing patient attributes that could be used for
matching (in order to understand the standards that are needed); data
quality; formats for these data elements; and what data are returned
from a match request.\80\ The standards recommended by the HITSC are as
follows:
---------------------------------------------------------------------------
\79\ http://www.healthit.gov/sites/default/files/hitpc-transmittal-letter-priv-sectigerteam-020211.pdf.
\80\ http://www.healthit.gov/FACAS/sites/default/files/standards-certification/8_17_2011Transmittal_HITSC_Patient_Matching.pdf.
---------------------------------------------------------------------------
Basic Attributes: Given Name; Last Name; Date of Birth;
Administrative Gender.\81\
---------------------------------------------------------------------------
\81\ Despite its inclusion of the word ``gender,''
``Administrative Gender'' is generally used in standards to
represent a patient's ``sex,'' such as male or female. See: http://ushik.ahrq.gov/ViewItemDetails?system=hitsp&itemKey=83680000.
---------------------------------------------------------------------------
Other Attributes: Insurance Policy Number; Medical Record
Number; Social Security Number (or last 4 digits); Street Address;
Telephone Number; Zip Code.
Potential Attributes: Email Address; Voluntary
Identifiers; Facial Images; Other Biometrics.
In July 2013, ONC launched an initiative to reinvigorate public
discussion around patient matching, to perform a more detailed analysis
of patient matching practices, and to identify the standards, services,
and policies that would be needed to implement the HITPC and HITSC's
recommendations. The initiative's first phase focused on a common set
of patient attributes that could be leveraged from current data and
standards referenced in our certification criteria. Given the initial
findings, we proposed to include a limited set of standardized data as
a part of the ``Create'' portion of the ToC criterion in the Voluntary
Edition proposed rule to improve the quality of the data included in
outbound summary care records. Overall, the vast majority of commenters
supported the proposed policy that standardized patient attributes
should be required for use in as part of the transitions of care
certification criterion. Commenters overwhelmingly supported the
inclusion of the proposed constrained specifications for last name/
family name, maiden name, suffix, first/given name, middle/second name,
maiden name, date of birth, current address and historical address,
phone number, and sex in support of patient matching. However, given
our approach in the 2014 Edition Release 2 final rule
[[Page 16834]]
to only adopt a small subset of the proposed certification criteria to
provide flexibility, clarity, and enhance health information exchange,
we decided not adopted this proposal.
We again propose to include a limited set of standardized data as a
part of the ``Create'' portion of the ToC criterion in the 2015 Edition
to improve the quality of the data included in outbound summary care
records. To be clear, this proposal does not require a Health IT Module
to capture the data upon data entry, but rather at the point when the
data is exchanged (an approach commonly used for matching in HL7
transactions, IHE specifications,\82\ C-CDA specification, and the
eHealth Exchange). The proposed standardized data include: first name,
last name, middle name (including middle initial), suffix, date of
birth, place of birth, maiden name, phone number, and sex. In the
bulleted list below, we identify more constrained specifications for
some of the standardized data we propose. Based on our own research, we
do not believe that the proposed constraints to these data conflict
with the C-CDA. That being said, some proposed constraints may further
restrict the variability as permitted by existing specifications and
others may create new restrictions that do not currently exist within
the C-CDA. We propose that:
---------------------------------------------------------------------------
\82\ http://www.ihe.net/Technical_Frameworks/.
---------------------------------------------------------------------------
For ``last name/family name'' the CAQH Phase II Core 258:
Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule
version 2.1.0 \83\ (which addresses whether suffix is included in the
last name field) be followed.
---------------------------------------------------------------------------
\83\ http://www.caqh.org/pdf/CLEAN5010/258-v5010.pdf.
---------------------------------------------------------------------------
For ``suffix,'' that the suffix should follow the CAQH
Phase II Core 258: Eligibility and Benefits 270/271 Normalizing Patient
Last Name Rule version 2.1.0 (JR, SR, I, II, III, IV, V, RN, MD, Ph.D.,
ESQ) \84\ and that if no suffix exists, the field should be marked as
null.
---------------------------------------------------------------------------
\84\ http://www.caqh.org/pdf/CLEAN5010/258-v5010.pdf.
---------------------------------------------------------------------------
For ``date of birth,'' that the year, month and date of
birth should be required fields while hour, minute and second should be
optional fields. If hour, minute and second are provided then either
time zone offset should be included unless place of birth (city,
region, country) is provided; in the latter local time is assumed. If
date of birth is unknown, the field should be marked as null.
For ``phone numbers,'' the ITU format specified in ITU-T
E.123 \85\ and ITU-T E.164 \86\ be followed and that the capture of
home, business, and cell phone numbers be allowed.\87\ Further, that if
multiple phone numbers are present in the patient's record, all should
be included in the C-CDA and transmitted.
---------------------------------------------------------------------------
\85\ http://www.itu.int/rec/T-REC-E.123-200102-I/e.
\86\ http://www.itu.int/rec/T-REC-E.164-201011-I/en.
\87\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=186.
---------------------------------------------------------------------------
For ``sex'' we propose to require developers to follow the
HL7 Version 3 Value Set for Administrative Gender and a nullFlavor
value attributed as follows: M (Male), F (Female), and UNK (Unknown).
While the Patient Matching Initiative's recommendations included
standardizing current and historical address, we have not included a
specific standardized constraint for that data at this time due to a
lack of consensus around the proper standard. In response to the
Voluntary Edition proposed rule, commenters also suggested that we
delay support for international standards for address until future
editions of certification criteria. To reiterate, the data we propose
for patient matching would establish a foundation based on leveraging
current data and standards in certification criteria. We welcome
comments on this approach and encourage health IT developers to
consider and support the use other patient data that would improve
patient matching for clinical care and many types of clinical research.
Direct Best Practices
In the past couple of years we have heard feedback from
stakeholders regarding health IT developers limiting the transmission
or receipt of different file types via Direct. We wish to remind all
stakeholders of the following best practices for the sharing of
information and enabling the broadest participation in information
exchange with Direct: http://wiki.directproject.org/Best+Practices+for+Content+and+Workflow.
Certification Criterion for C-CDA and Common Clinical Data Set
Certification
We note that no proposed 2015 Edition health IT certification
criteria includes just the C-CDA Release 2.0 and/or the Common Clinical
Data Set, particularly with the 2015 Edition not including a proposed
``clinical summary'' certification criterion as discussed later on in
this preamble. Health IT certified to simply the C-CDA Release 2.0 with
or without certification to the Common Clinical Data Set may be
beneficial for other purposes, including participation in HHS payment
programs. We request comment on whether we should adopt a separate 2015
Edition health IT certification criterion for the voluntary testing and
certification of health IT to the capability to create a summary record
formatted to the C-CDA Release 2.0 with or without the ability to meet
the requirements of the Common Clinical Data Set definition.
C-CDA Data Provenance Request for Comment
As the exchange of health data increases, so does the demand to
track the provenance of this data over time and with each exchange
instance. Confidence in the authenticity, trustworthiness, and
reliability of the data being shared is fundamental to robust privacy,
safety, and security enhanced health information exchange. The term
``provenance'' in the context of health IT refers to evidence and
attributes describing the origin of electronic health information as it
is captured in a health system and subsequently persisted in a way that
supports its lifespan. As described in the President's Council of
Advisors on Science and Technology (PCAST) Report ``Realizing the Full
Potential of Health Information Technology to Improve Healthcare for
Americans'' \88\, provenance includes information about the data's
source and the processing that the data has undergone. The report
refers to ``tagged data elements'' as units of data accompanied by a
``metadata tag'' that describes the attributes, provenance, and
required security protections of the data.
---------------------------------------------------------------------------
\88\ PCAST Report to the President: Realizing the Full Potential
of Health Information Technology to Improve Healthcare for
Americans: The Path Forward, http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf.
---------------------------------------------------------------------------
In April 2014, ONC launched the Data Provenance Initiative within
the Standards and Interoperability (S&I) Framework to identify the
standards necessary to capture and exchange provenance data, including
provenance at time of creation, modification, and time of exchange.\89\
The stakeholder community represented a wide variety of organizations
including health IT developers; federal, state, and local agencies;
healthcare professionals; research organizations; payers; labs; and
individuals within academia. In the fall of 2014, the HL7 IG for CDA
Release 2: Data Provenance, Release 1 (US Realm) (DSTU) \90\ was
published. This IG
[[Page 16835]]
clarifies existing content from various standards within HL7 \91\ and
describes how provenance information for a CDA document in a health IT
system should be applied, and what vocabulary should be used for the
metadata. This includes provenance metadata in the CDA at the header,
section and entry levels. We seek comment on the maturity and
appropriateness of this IG for the tagging of health information with
provenance metadata in connection with the C-CDA. Additionally, we seek
comment on the usefulness of this IG in connection with certification
criteria, such as ToC and VDT certification criteria.
---------------------------------------------------------------------------
\89\ http://wiki.siframework.org/Data+Provenance+Initiative.
\90\ http://wiki.hl7.org/index.php?title=HL7_Data_Provenance_Project_Space and http://gforge.hl7.org/gf/project/cbcc/frs/?action=FrsReleaseBrowse&frs_package_id=240.
\91\ Standards including HL7 Clinical Documentation Architecture
Release 2 (CDA R2), HL7 Implementation Guide: Data Segmentation for
Privacy (DS4P), Release 1, and HL7 Version 2 Vocabulary &
Terminology Standards (all are normative standards).
---------------------------------------------------------------------------
Clinical Information Reconciliation and Incorporation
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(2) (Clinical information reconciliation and
incorporation)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``clinical information
reconciliation and incorporation'' certification criterion that is a
revised (but largely similar to the 2014 Edition Release 2) version of
the ``clinical information reconciliation and incorporation'' criterion
adopted at Sec. 170.314(b)(9).
Incorporation System Performance
As we considered public comments made after the 2014 Edition final
rule and reviewed the additional public dialogue surrounding the
variability of certified health IT in incorporating C-CDAs including
structured content by different health IT developers \92\, we
recognized the need to expand the existing ``clinical information
reconciliation and incorporation'' certification criterion to focus on
health IT system behavior and performance related to incorporating C-
CDAs including structured content. We believe that testing a Health IT
Module's capability to reconcile and incorporate, at a minimum:
problems, medications, and medication allergies from multiple C-CDAs
will improve the overall clinical effectiveness.
---------------------------------------------------------------------------
\92\ D'Amore JD, et al. J Am Med Inform Assoc 2014; 21:1060-
1068.
---------------------------------------------------------------------------
We expect that testing for this specific system performance would
include the ability to incorporate valid C-CDAs with variations of data
elements to be reconciled (e.g., documents with no medications,
documents having variations of medication timing data). In addition we
believe we can further strengthen this certification criterion by
proposing to require that a C-CDA be created based on the
reconciliation and incorporation process in order to validate the
incorporation results. We anticipate that the generated C-CDA would be
verified using test tools for conformance and can be checked against
the information that was provided to incorporate.
Accordingly, we propose that the following technical system
behavior and performance also be addressed as part of the clinical
information reconciliation and incorporation certification criterion:
The Health IT Module must demonstrate the ability to reconcile problem,
medication, and medication allergy data from valid C-CDAs (both Release
1.1. and 2.0) with variations of data elements to be reconciled and
then generate a conformant C-CDA document based on the reconciled
information. For example, a test could include assessing a Health IT
Module's capability to reconcile and incorporate medication information
with different timing information.
Electronic Prescribing (e-Prescribing)
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(3) (Electronic prescribing)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition certification criterion for e-
prescribing that is revised in comparison to the 2014 Edition ``e-
prescribing'' criterion (Sec. 170.314(b)(3)). First, for the purposes
of certification, we propose to require a Health IT Module to be able
to receive and respond to additional NCPDP SCRIPT Standard
Implementation Guide Version 10.6 (v10.6) transactions or segments,
namely Change Prescription, Refill Prescription, Cancel Prescription,
Fill Status, and Medication History. Second, for the purposes of
certification, we propose to require that a Health IT Module
demonstrate that directions for medication use transmitted as e-
prescriptions are codified in a structured format. Third, for the
purposes of certification, we propose to require a Health IT Module be
able to limit a user to e-prescribing all medications in the metric
unit standard only, follow NCPDP-recommended conventions for use of
leading zeroes before a decimal, and avoid use of trailing zeroes after
a decimal when e-prescribed.
e-Prescribing Transactions or Segments
For 2014 Edition testing and certification to this criterion, a
Health IT Module presented for certification must demonstrate that it
can create a new prescription according to the NCPDP SCRIPT v10.6 New
Prescription transaction (NEWRX). Stakeholders have recommended we
consider expanding testing to a greater number of NCPDP SCRIPT v10.6
transactions and segments in order to better facilitate prescriber and
pharmacist communications to provide better care for patients.
Stakeholders have indicated that there is variable uptake and
inconsistent implementation of the transactions in the NCPDP SCRIPT
Standard v10.6 despite their added value for patient safety and
improved communication between prescribers and pharmacists. In
consideration of stakeholder input, we propose to include additional
NCPDP SCRIPT v10.6 transactions in addition to the New Prescription
transaction for health IT testing and certification. We propose that
testing and certification would require a Health IT Module to
demonstrate the ability to send and receive end-to-end prescriber-to-
receiver/sender-to-prescriber transactions (bidirectional
transactions). The transactions and reasons for inclusion for testing
and certification are outlined in Table 3 below.
[[Page 16836]]
Table 3--Proposed Additional \93\ NCPDP SCRIPT v10.6 Transactions for Testing and Certification to e-Prescribing
Certification Criterion
----------------------------------------------------------------------------------------------------------------
NCPDP SCRIPT v10.6 transaction or Problem addressed/value in
segment Use case(s) testing for certification
----------------------------------------------------------------------------------------------------------------
Change Prescription (RXCHG, CHGRES).. Allows a pharmacist to request a Facilitates more efficient,
change of a new prescription or a standardized electronic
``fillable'' prescription. communication between
Allows a prescriber to respond to prescribers and pharmacists
pharmacy requests to change a for changing prescriptions.
prescription.
Cancel Prescription (CANRX, CANRES).. Notifies the pharmacist that a Facilitates more efficient,
previously sent prescription should be standardized electronic
canceled and not filled. communication between
prescribers and pharmacists
for cancelling
prescriptions.
Sends the prescriber
the results of a
prescription cancellation
request.
Refill Prescription (REFREQ, REFRES). Allows the pharmacist to request Facilitates more efficient,
approval for additional refills of a standardized electronic
prescription beyond those originally communication between
prescribed. prescribers and pharmacists
for refilling prescriptions.
Allows the prescriber to grant
the pharmacist permission to provide a
patient additional refills or decline to
do so.
Fill Status (RXFILL)................. Allows the pharmacist to notify the Allows the prescriber to know
prescriber about the status of a whether a patient has picked
prescription in three cases: 1) to notify up a prescription, and if
of a dispensed prescription, 2) to notify so, whether in full or in
of a partially dispensed prescription, 3) part. This information can
to notify of a prescription not inform assessments of
dispensed. medication adherence.
Medication History (RXHREQ, RXHRES).. Allows a requesting entity to Allows a requesting entity to
generate a patient-specific medication receive the medication
history request. history of a patient. A
The responding entity can respond prescriber may use this
with a patient's medication history, information to perform
including source, fill number, follow-up medication utilization
contact, date range, as information is review, medication
available. reconciliation, or other
medication management to
promote patient safety.
----------------------------------------------------------------------------------------------------------------
We solicit comment on including the proposed transactions and
segments for testing and certification to this certification criterion
as outlined in Table 3, and on the problems addressed/value in testing
for certification. We also solicit comment on the following issues:
---------------------------------------------------------------------------
\93\ We are proposing to keep the ``New Prescription''
transaction for testing and certification.
---------------------------------------------------------------------------
Other NCPDP SCRIPT v10.6 transactions that should be
considered for testing and certification, and for what use cases/value;
What factors we should consider for end-to-end prescriber-
to-receiver testing.
We also propose to adopt and include the February 2, 2015 monthly
version of RxNorm in this criterion as the baseline version minimum
standards code set for coding medications (see section III.A.2.d
(``Minimum Standards'' Code Sets) of this preamble).
Structured and Codified ``Sig''
Medications can be e-prescribed using a free text format, and
typically the instructions include the medication name, dose, route of
administration, frequency of administration, and other special
instructions. This set of prescribing instructions is referred to as
the ``Sig.'' In a free text format, non-standard or conflicting
language may be used that is not understood by the pharmacist filling
the prescription. Where systems do facilitate creation of the Sig, some
systems may auto-concatenate the field length and thus the tail end of
the Sig is lost. This has implications for communication between
prescribers and pharmacists as well as for patient safety. Prescribers
and pharmacists may have to engage in back-and-forth communication to
clarify what is intended in the Sig instructions. Therefore, there is
an opportunity to streamline prescriber-pharmacist communication, allow
more time for direct activities of patient care, and reduce confusion
during the pharmacy verification and dispensing processes.
We are aware that the NCPDP SCRIPT v10.6 standard includes
structured Sig segments that are used to codify the prescribing
directions in a structured format.\94\ Providing Sig instructions in a
structured format promotes accurate, consistent, and clear
communication of the prescribing information as intended by the
prescriber.
---------------------------------------------------------------------------
\94\ NCPDP's Structured and Codified Sig Format Implementation
Guide v1.2 is adopted within SCRIPT v10.6.
---------------------------------------------------------------------------
In one study of the structured and codified Sig within NCPDP SCRIPT
v10.5, the Sig format fully represented 95% of ambulatory prescriptions
tested.\95\ While we believe that the results of this study give an
indication of the scope of the structured and codified Sig within NCPDP
SCRIPT v10.5, we note that the Sig standard was tested in the lab
environment and not with live end-users. Stakeholders have also
indicated the limitations of the structured and codified Sig within
NCPDP SCRIPT v10.6 to represent all Sig instructions, particularly
complex Sigs requiring multi-step directions. For example, stakeholders
have noted that the Sig segment within the NCPDP SCRIPT v10.6 standard
limits the field length to 140 characters whereas later versions of the
NCPDP SCRIPT standard (from v201311 onward) have expanded the character
length to 1000. Despite these potential limitations, we see
standardizing and codifying the majority of routine prescriptions as a
means to promote patient safety as well as reduce disruptions to
prescriber workflow through a reduction in pharmacy call-backs.
---------------------------------------------------------------------------
\95\ Liu H, Burkhart Q and Bell DS. Evaluation of the NCPDP
Structured and Codified Sig Format for e-prescriptions. J Am Med
Inform Assoc. 2011 Sep-Oct;18(5):645-51.
---------------------------------------------------------------------------
We note the flexibility to create complex unstructured Sigs remains
through use of existing e-prescribing workflow and appropriate use of
the free text field. There is, however, low uptake of structured Sig
according to the NCPDP SCRIPT v10.6 standard, which includes a
combination of mandatory and conditional structured Sig segments.
We believe that medication Sig instructions should be codified in a
[[Page 16837]]
structured format for the benefits outlined above. Therefore, we
propose to require that a Health IT Module enable a user to enter,
receive, and transmit codified Sig instructions in a structured format
in accordance with NCPDP Structured and Codified Sig Format
Implementation Guide v1.2 which is embedded within NCPDP SCRIPT v10.6
for certification to the e-prescribing criterion in the 2015
Edition.\96\ We propose that this requirement apply to the New
Prescription, Change Prescription, Refill Prescription, Cancel
Prescription, Fill Status, and Medication History prescription
transactions or segments as we understand that the NCPDP Structured and
Codified Sig Format can be used for all NCPDP SCRIPT v10.6 prescription
transactions that include the medication field. We also propose to
require that a Health IT Module include all structured Sig segment
components enumerated in NCPDP SCRIPT v10.6 (i.e., Repeating Sig, Code
System, Sig Free Text String, Dose, Dose Calculation, Vehicle, Route of
Administration, Site of Administration, Sig Timing, Duration, Maximum
Dose Restriction, Indication and Stop composites).
---------------------------------------------------------------------------
\96\ NCPDP's Structured and Codified Sig Format Implementation
Guide v1.2 is within the NCPDP SCRIPT v10.6 standard.
---------------------------------------------------------------------------
We are aware that NCPDP has recently published recommendations for
implementation of the structured and Codified Sig format for a subset
of component composites that represent the most common Sig segments in
the NCPDP SCRIPT Implementation Recommendations Version 1.29.\97\ We
therefore welcome comment on this proposal, including whether we should
require testing and certification to a subset of the structured and
codified Sig format component composites that represent the most common
Sig instructions rather than the full NCPDP Structured and Codified Sig
Format Implementation Guide v1.2. As previously noted, prescribers
would still be able to be able to create unstructured Sigs through the
use of the free text field, and our proposal only discusses the
capability of technology to enable a user to enter, receive, and
transmit codified Sig instructions using the NCPDP Structured and
Codified Sig Format.
---------------------------------------------------------------------------
\97\ http://www.ncpdp.org/NCPDP/media/pdf/SCRIPTImplementationRecommendationsV1-29.pdf.
---------------------------------------------------------------------------
Medication Dosing
In the Voluntary Edition proposed rule, we solicited comment on
whether we should propose health IT certification for oral liquid
medication dosing to the metric standard (e.g., mL or milliliters) for
patient safety reasons (79 FR 10926-10927). Use of the metric standard
offers more precision in medication dose than the Imperial standard
(e.g., teaspoons), which can decrease preventable adverse drug events.
A number of health care and standards developing organizations,
including the AAP \98\ and NCPDP,\99\ support the use of the metric
standard for dosing volumetric medications. Additionally, the FDA's
Safe Use Initiative is working with CDC, NCPDP, and other stakeholders
to encourage adoption of the NCPDP's recommendations for standardizing
dosing designations on prescription container labels of oral liquid
medications.\100\ Recent research has demonstrated that parents who
used milliliter-only dosing instruments were less likely to make dosing
errors than parents who used teaspoons or tablespoon units.\101\
---------------------------------------------------------------------------
\98\ AAP Council on Clinical Information Technology Executive
Committee, 2011-2012. Policy Statement--Electronic Prescribing in
Pediatrics: Toward Safer and More Effective Medication Management.
Pediatrics 2013; 131;824.
\99\ http://www.ncpdp.org/NCPDP/media/pdf/wp/DosingDesignations-OralLiquid-MedicationLabels.pdf.
\100\ http://www.fda.gov/Drugs/DrugSafety/SafeUseInitiative/ucm188762.htm#overdoses.
\101\ Unit of Measurement Used and Parent Medication Dosing
Errors. Pediatrics 134:2 August 1, 2014. Pp. e354-e361.
---------------------------------------------------------------------------
We received a number of comments to the comment solicitation. Many
commenters noted that the structured Sig segment of the NCPDP SCRIPT
Standard v10.6 supports use of the metric standard for liquid
medication dosing. One ONC-ACB commented that in their experience,
vendors have struggled to properly codify medication dosing information
within the C-CDA in terms of consistency across all health IT systems.
Many provider organizations and patient advocacy organizations were in
support of requiring use of the metric standard for oral liquid
medication dosing. Additionally, many commenters were in favor of
providing the metric standard as one option to record liquid medication
doses. We also received comments recommending the proper use of leading
and trailing zeroes in dosing designations. NCPDP has recommended that
dose amounts should always use leading zeroes before the decimal point
for amounts less than one, and should not use trailing zeroes after a
decimal point for oral liquid medications.\102\
---------------------------------------------------------------------------
\102\ http://www.ncpdp.org/NCPDP/media/pdf/wp/DosingDesignations-OralLiquid-MedicationLabels.pdf.
---------------------------------------------------------------------------
Our intent is for health IT to be able to more precisely dose
prescriptions in order to reduce dosing errors and improve patient
safety. We also believe that use of the metric standard could improve
patient safety and potentially reduce dosing errors for all medications
in addition to oral liquid medications. We therefore propose, for
certification to this criterion, that a Health IT Module be capable of
limiting a user's ability to electronically prescribe all medications
in only the metric standard. Prescription labels contain the dosing
instructions specified by the prescriber. Thus, if the prescriber doses
using the metric standard, the label will contain dosing instructions
in the metric standard and potentially reduce dosing errors during
administration. We also propose to require that a Health IT Module be
capable of always inserting leading zeroes before the decimal point for
amounts less than one when a user electronically prescribes medications
as well as not allow trailing zeroes after a decimal point. We welcome
comment on these proposals, including the feasibility of implementing
the metric standard for e-prescribing all medications.
Incorporate Laboratory Tests and Values/Results
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(4) (Incorporate laboratory tests and values/results)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``incorporate laboratory tests
and values/results'' certification criterion that is revised in
comparison to the 2014 Edition ``incorporate laboratory tests and
values/results'' criterion (Sec. 170.314(b)(5)). We propose to adopt
and include the HL7 Version 2.5.1 Implementation Guide: S&I Framework
Lab Results Interface, Draft Standard for Trial Use, Release 2, US
Realm (``LRI Release 2'') in the proposed 2015 Edition ``transmission
of laboratory test reports'' criterion for the ambulatory setting. LRI
Release 2 is currently under ballot reconciliation with HL7 and should
be published in the next few months.\103\ LRI Release 2 would:
---------------------------------------------------------------------------
\103\ http://www.hl7.org/participate/onlineballoting.cfm?ref=nav#nonmember. Access to the current draft
of the LRI Release 2 IG is freely available for review during the
public comment period by establishing an HL7 user account.
---------------------------------------------------------------------------
Implement common formats across US Realm IGs for
consistent reader
[[Page 16838]]
experience (e.g., sequence of sections, formatting, layout, and
terminology);
Incorporates all previous errata, LRI Release 1 DSTU
comments and change requests;
Adopt HL7 version 2.8 fields developed to fill gaps
identified in the development of Release 1;
Include harmonized data type ``flavors'' for use across
the US Realm Lab IGs;
Introduce initial requirements for error reporting
conditions and severity (hard/soft errors) and system/application
acknowledgements;
Harmonize data element usage and cardinality requirements
with LOI Release 1, and the electronic Directory of Services (eDOS) IG;
Incorporate US Lab Realm value sets developed for clarity
and consistency across all laboratory IGs; and
Use a new publication method for value sets that allows
for precision usage at point of use and provides ``at a glance''
comprehensive usage at the field and component-level across all
laboratory IGs; and synced with value set activities (HL7, VSAC, etc.).
Overall, we propose to adopt LRI Release 2 because it addresses
errors and ambiguities found in LRI Release 1 and harmonizes
interoperability requirements with other laboratory standards we
propose to adopt in this proposed rule (e.g., the HL7 Version 2.5.1
Implementation Guide: S&I Framework Laboratory Orders from EHR, DSTU
Release 2, US Realm, 2013 \104\).
---------------------------------------------------------------------------
\104\ We have proposed to adopt this implementation guide for
the 2015 Edition ``CPOE for laboratory orders'' certification
criterion.
---------------------------------------------------------------------------
As compared to the 2014 Edition certification criterion, we also
propose more specific requirements for how a Health IT Module must be
capable of electronically displaying the information included in a test
report. This specificity would improve the consistency with how
laboratory tests and values/results are displayed, which would also
assist with laboratory compliance with CLIA. To meet this criterion, a
Health IT Module would be required to display the following information
included in laboratory test reports it receives: (1) the information
for a test report as specified in 42 CFR 493.1291(a)(1) through (a)(3)
and (c)(1) through (c)(7); the information related to reference
intervals or normal values as specified in 42 CFR 493.1291(d); the
information for alerts and delays as specified in 42 CFR 493.1291(g)
and (h); and the information for corrected reports as specified in 42
CFR 493.1291(k)(2).
We also propose, for the purposes of certification, to require a
Health IT Module to be able to use, at a minimum, the version of
Logical Observation Identifiers Names and Codes (LOINC[supreg]) adopted
at Sec. 170.207(c)(3) (version 2.50) as the vocabulary standard for
laboratory orders. This is the most recent version of LOINC[supreg]. We
refer readers to section III.A.2.d (``Minimum Standards'' Code Sets)
for further discussion of our adoption of LOINC[supreg] as a minimum
standards code set and our proposal to adopt version 2.50, or
potentially a newer version if released before a subsequent final rule,
as the baseline for certification to the 2015 Edition.
We propose to adopt the updated LRI Release 2 at Sec.
170.205(j)(2), which requires the modification of the regulatory text
hierarchy in Sec. 170.205(j) to designate the standard referenced by
the 2014 Edition version of this certification criterion at Sec.
170.205(j) to be at Sec. 170.205(j)(1). This regulatory structuring of
the IGs would make the CFR easier for readers to follow.
EHR-S Functional Requirements LRI IG/Testing and Certification
Requirements
We seek comment on the HL7 EHR-S Functional Requirements for the
V2.5.1 Implementation Guide: S&I Framework Lab Results Interface R2,
Release 1, US Realm, Draft Standard for Trial Use, Release 1 (``EHR-S
IG''). The EHR-S IG is currently under ballot reconciliation with
HL7.\105\ The focus of the EHR-S IG is the definition of EHR system
functional requirements related to the receipt of laboratory results
that are compliant with the LRI Release 2. The EHR-S IG also includes
additional requirements as set forth in CLIA as well as clinical best
practices beyond the scope of LRI Release 2.
---------------------------------------------------------------------------
\105\ http://www.hl7.org/participate/onlineballoting.cfm?ref=nav#nonmember. Access to the current draft
of the EHR-S IG is freely available for review during the public
comment period by establishing an HL7 user account.
---------------------------------------------------------------------------
We specifically seek comment on the clarity and completeness of the
EHR-S IG in describing the requirements related to the receipt and
incorporation of laboratory results for measuring conformance of a
Health IT Module to LRI Release 2. In addition, we seek comment on how
a Health IT Module should be tested and certified consistently and
uniformly for the incorporation of laboratory results data. For
example, should testing and certification require the Health IT Module
to demonstration the ability to associate the laboratory result with an
order or patient, to recall the result for display or for submission to
another technology, and/or to use the result for automated clinical
decision support interventions? Further, what, if any, specific
capabilities currently included in the EHR-S IG should be part of
testing and certification for this criterion?
Transmission of Laboratory Test Reports
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(5) (Transmission of laboratory test reports)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``transmission of laboratory
test reports'' certification criterion that is revised in comparison to
the 2014 Edition ``transmission of electronic laboratory tests and
values/results to ambulatory providers'' criterion (Sec.
170.314(b)(6)). We have renamed this criterion to more clearly indicate
its availability for the certification of health IT used by any
laboratory. We propose to adopt and include the HL7 Version 2.5.1
Implementation Guide: S&I Framework Lab Results Interface, Draft
Standard for Trial Use, Release 2, US Realm (``LRI Release 2'') in the
proposed 2015 Edition ``transmission of laboratory test reports''
criterion. LRI Release 2 is currently under ballot reconciliation with
HL7 and should be published in the next few months.\106\ We propose to
adopt this standard for the same reasons discussed in the 2015 Edition
``incorporate laboratory tests and values/results'' above. We refer
readers to the description of the LRI Release 2 IG and our rationale
for its adoption discussed in that criterion.
---------------------------------------------------------------------------
\106\ Access to the current draft of the LRI Release 2 IG is
freely available for review during the public comment period by
establishing an HL7 user account.
---------------------------------------------------------------------------
As also discussed in the 2015 Edition ``incorporate laboratory
tests and values/results'' above, the LRI Release 2 IG requires the
information for a test report as specified at 42 CFR 493.1291(a)(1)
through (3), (c)(1) through (c)(7), (d), (g), (h) and (k)(2) to be
included in the content message. Therefore, inclusion of this standard
for certification should not only facilitate improved interoperability
of electronically sent laboratory test reports (as discussed in more
detail in the 2015 Edition ``incorporate laboratory tests and values/
results'' criterion), but also facilitate laboratory compliance with
CLIA as it relates to the incorporation and display of test results in
a receiving system.
We also propose, for the purposes of certification, to require a
Health IT
[[Page 16839]]
Module to be able to use, at a minimum, the version of Logical
Observation Identifiers Names and Codes (LOINC[supreg]) adopted at
Sec. 170.207(c)(3) (version 2.50) as the vocabulary standard for
laboratory orders. This is the most recent version of LOINC[supreg]. We
refer readers to section III.A.2.d (``Minimum Standards'' Code Sets)
for further discussion of our adoption of LOINC[supreg] as a minimum
standards code set and our proposal to adopt version 2.50, or
potentially a newer version if released before a subsequent final rule,
as the baseline for certification to the 2015 Edition.
We propose to adopt the updated LRI Release 2 at Sec.
170.205(j)(2), which requires the modification of the regulatory text
hierarchy in Sec. 170.205(j) to designate the standard referenced by
the 2014 Edition version of this certification criterion at Sec.
170.205(j) to be at Sec. 170.205(j)(1). This regulatory structuring of
the IGs would make the CFR easier for readers to follow.
Data Portability
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(6) (Data portability)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``data portability''
certification criterion that is revised in comparison to the 2014
Edition ``data portability'' certification criterion (Sec.
170.314(b)(7)). Similar to the 2014 Edition version, we propose to
include the 2015 Edition ``data portability'' criterion in the Base EHR
definition (i.e., the 2015 Base EHR definition).
For the 2014 Edition ``data portability'' criterion, we expressed
that the criterion was intended to enable an EP, eligible hospital, or
CAH to create a set of export summaries for all patients in EHR
technology formatted according to the C-CDA that includes each
patient's most recent clinical information. (77 FR 54193). We also
included this criterion in the Base EHR definition as a way to ensure
that the capability was delivered to EPs, eligible hospitals, or CAHs.
By including the criterion in the Base EHR definition, an EP, eligible
hospital, or CAH must have EHR technology certified to this criterion
in order to possess EHR technology that meets the CEHRT definition.
In the years since the 2014 Edition final rule was issued
(September 2012) and the subsequent implementation and use of this
capability by EPs, eligible hospitals, and CAHs, we have received two
types of feedback. From health IT developers, we have received requests
for clarification about this certification criterion's scope. For
example, requests for clarifications about the data that must be
produced and from how far back in time the data must be produced.
Whereas from providers (and the implementation professionals and third
party developers with which they work), we have generally received more
substantive critiques about the overall usefulness of the capability
and the ways in which health IT developers met the certification
criterion's requirements but did not necessarily deliver on its intent.
Such ``user'' comments conveyed that some health IT developers provided
a capability that was difficult or non-intuitive to use, difficult to
find to even use (e.g., ``hidden''), and in some cases either required
developer personnel to assist the provider in executing the capability
or limited its execution to only being done by the developer at the
provider's request. We have also received feedback that the scope of
testing has not rigorously assessed the ability of health IT to create
large quantities of export summaries. As a result, some providers have
reported challenges and poor performance associated with this
capability.
We believe that this feedback from CEHRT users indicates that the
data portability certification criterion adopted in the 2014 Edition
has not provided the data accessibility to providers we believed would
occur as a result of its adoption. It also indicates that some health
IT developers have (intentionally or unintentionally) obstructed the
certification criterion's true intent--to give providers easy access
and an easy ability to export clinical data about their patients for
use in a different EHR technology or even a third party system for the
purpose of their choosing.
To address provider critiques as well as to provide additional
developer requested clarity, we propose a revised 2015 Edition ``data
portability'' certification criterion as compared to the 2014 Edition
version. The proposed data portability certification criterion at Sec.
170.315(b)(6) approaches data portability from a slightly different
angle than the 2014 Edition version and focuses on the following
specific capabilities.
1. As a general rule, we emphasize that this capability would need
to be user-focused and user driven. A user must be able to set the
configuration options included within the more detailed aspects of the
criterion and a user must be able to execute these capabilities at any
time the user chooses and without subsequent developer assistance to
operate. We expect that testing of a Health IT Module presented for
certification to this criterion would include a demonstration that the
Health IT Module enables a user to independently execute this
capability without assistance from the health IT developer beyond
normal orientation/training.
2. The criterion would require that a user be able to configure the
Health IT Module to create an export summary for a given patient or set
of export summaries for as many patients selected. It would also
require that these export summaries be able to be created according to
any of the following document-template types included in the C-CDA R2.0
(also proposed as the content standard in this criterion): CCD;
Consultation Note; History and Physical; Progress Note; Care Plan;
Transfer Summary; and Referral Note. We also propose that the Discharge
Summary document template be included for a Health IT Module developed
for the inpatient setting.
3. From a data perspective, we propose that the minimum data that a
Health IT Module must be capable of including in an export summary are:
the data represented by the Common Clinical Data Set and:
Encounter diagnoses (according to the standard specified
in Sec. 170.207(i) (ICD-10-CM) or, at a minimum, the version of the
standard at Sec. 170.207(a)(4) (September 2014 Release of the U.S.
Edition of SNOMED CT[supreg]) \107\;
---------------------------------------------------------------------------
\107\ We refer readers to section III.A.2.d (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
SNOMED CT[supreg] as a minimum standards code set and our proposal
to adopt the September 2014 Release (U.S. Edition), or potentially a
newer version if released before a subsequent final rule, as the
baseline for certification to the 2015 Edition.
---------------------------------------------------------------------------
Cognitive status;
Functional status;
For the ambulatory setting only. The reason for referral;
and referring or transitioning provider's name and office contact
information; and
For the inpatient setting only. Discharge instructions.
4. We propose that a user would need to be able to be able to
configure the technology to set the time period within which data would
be used to create the export summary or summaries. And that this must
include the ability to enter in a start and end date range as well as
the ability to set a date at least three years into the past from the
current date.
5. We propose that a user would need to be able to configure the
technology to create an export summary or summaries based on the
following user selected events:
A relative date or time (e.g., the first of every month);
[[Page 16840]]
A specific date or time (e.g., on 10/24/2015); and
When a user signs a note or an order.
6. We propose that a user would need to able to configure and set
the storage location to which the export summary or export summaries
are intended to be saved.
Again, we emphasize that all these capabilities would need to be
able to be configured and executed by a user without the aid of
additional health IT developer personnel and without the need to
request developer action. Further, we also reiterate that we have
expanded the nature and focus of this criterion to more precisely
address provided critiques as well as to expand the anticipated and
potential uses providers can deploy based on this more configuration
focused criterion.
Data Segmentation for Privacy
We propose to adopt two new certification criteria that would focus
on the capability to separately track (``segment'') individually
identifiable health information that is protected by rules that are
more privacy-restrictive than the HIPAA Privacy Rule. This type of
health information is sometimes referred to as sensitive health
information. The HIPAA Privacy Rule serves as the federal baseline for
health information privacy protections. It also generally permits the
use or disclosure of protected health information (PHI) for limited
specific purposes (such as treatment and payment) without a patient's
permission.\108\
---------------------------------------------------------------------------
\108\ http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/.
---------------------------------------------------------------------------
The HIPAA Privacy Rule does not override (or preempt) more privacy-
protective federal and state privacy laws. A number of federal and
state health information privacy laws and regulations are more privacy-
protective than the HIPAA Privacy Rule. Typically, these rules require
a patient's permission (often referred to as ``consent'' in these
rules) in writing in order for the individually identifiable health
information regulated by those laws to be shared. One example is the
Federal Confidentiality of Alcohol and Drug Abuse Patient Records
regulations (42 CFR part 2) (``part 2'') that apply to information
about treatment for substance abuse from federally funded
programs.\109\ There are also federal laws protecting certain types of
health information coming from covered U.S. Department of Veterans
Affairs facilities and programs (38 U.S.C. 7332). These laws and
comparable state laws were established, in part, to address the social
stigma associated with certain medical conditions by encouraging people
to get treatment and providing them a higher degree of control over how
their health information may be shared. These laws place certain
responsibilities on providers to maintain the confidentiality of such
information. More restrictive state laws also protect certain
categories of individually identifiable health information, such as
information regarding minors or teenagers, intimate partner/sexual
violence, genetic information, and HIV-related information.\110\ These
laws and regulations remain in effect and changes to these laws and
regulations are not within the scope of this proposed rule.\111\
However, with these laws in mind, the proposals that follow seek to
encourage the development and use of a technical capability that
permits users to comply with these existing laws and regulations. These
proposals are also in line with the Connecting Health and Care for the
Nation: A Shared Nationwide Interoperability Roadmap Version 1.0.\112\
HHS is committed to encouraging the development and use of policy and
technology to advance patients' rights to access, to amend, and to make
choices for the disclosure of their electronic individually
identifiable health information. HHS also noted support for the
development of standards and technology to facilitate patients' ability
to control the disclosure of specific information that is considered by
many to be sensitive in nature (such as information related to
substance abuse treatment, reproductive health, mental health, or HIV)
in an electronic environment.\113\
---------------------------------------------------------------------------
\109\ http://www.healthit.gov/sites/default/files/privacy-security/gwu-data-segmentation-final-cover-letter.pdf.
\110\ http://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange/health-information-privacy-law-policy.
\111\ For a policy discussion, see Substance Abuse and Mental
Health Services Administration (SAMHSA)'s recent public listening
session pertaining to the federal confidentiality of regulations:
https://www.federalregister.gov/articles/2014/05/12/2014-10913/confidentiality-of-alcohol-and-drug-abuse-patient-records.
\112\ http://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf.
\113\ http://www.healthit.gov/sites/default/files/nationwide-interoperability-roadmap-draft-version-1.0.pdf.
---------------------------------------------------------------------------
Technological advances are creating opportunities to share data and
allow patient preferences to electronically persist in health IT. In
2012, ONC launched the Data Segmentation for Privacy (DS4P) initiative
through ONC's Standards and Interoperability (S&I) Framework.\114\ The
DS4P initiative aimed to provide technical solutions and pilot
implementations to help meet existing legal requirements in an
increasingly electronic environment.\115\ The DS4P initiative worked to
enable the implementation and management of varying disclosure policies
in an electronic health information environment in an interoperable
manner. Overall, the DS4P initiative and its subsequent pilots focused
on the exchange of health information in the context of 42 CFR part 2
and sought to develop technical standards that would enable a provider
to adopt health IT that could segment electronic sensitive health
information regulated by more restrictive laws and make compliance with
laws like Part 2 more efficient. Since the sunset of the DS4P
initiative in April 2014, there have been live implementations and
public testimony regarding the success and practical application of the
DS4P standard. Organizations including the Substance Abuse and Mental
Health Services Administration (SAMHSA), the U.S. Department of
Veterans Affairs (VA), and private companies that participated in the
initiative have moved to production use of DS4P. For example, a
stakeholder who implemented the DS4P part 2 solution noted that the
DS4P technical capability implemented in parts of Florida has saved
some hospitals millions of dollars associated with the cost of care
because the patients they treat with substance use issues or behavioral
health issues were able to send an electronic referral and get a
discharge performed earlier in the process.\116\ Another technology
stakeholder incorporated the DS4P technical functionality into its
behavioral health and general hospital health IT solutions released
this year. Most recently, SAMHSA developed an open source technology
for patient consent management that uses the DS4P standard.\117\ In
September 2014, this technical solution was deployed into a live
environment at a public health department.
---------------------------------------------------------------------------
\114\ http://wiki.siframework.org/Data+Segmentation+for+Privacy+Use+Cases.
\115\ For more information about enabling privacy through data
segmentation technology, see http://www.healthit.gov/providers-professionals/enabling-privacy.
\116\ See Health IT Policy Committee's (HITPC) Privacy and
Security Tiger Team Public Meeting, Transcript, (Apr. 16, 2014), p.
14, http://www.healthit.gov/facas/sites/faca/files/PSTT_Transcript_Final_2014-04-16.pdf.
\117\ http://www.healthit.gov/providers-professionals/ds4p-initiative.
---------------------------------------------------------------------------
The technical specifications are outlined in the HL7 Version 3
Implementation Guide: DS4P, Release 1
[[Page 16841]]
(DS4P IG), Part 1: CDA R2 and Privacy Metadata.\118\ The DS4P IG
describes the technical means of applying security labels (privacy
metadata) which can be used to enact any security or privacy law,
regulation, or policy so that the appropriate access control decisions
will be made regarding downstream use, access or disclosure for
specially protected data so that appropriate metadata tags are applied.
---------------------------------------------------------------------------
\118\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=354. Completed Normative Ballot in
January 2014 and was successfully reconciled in February 2014. HL7
approved the final standard for publication and ANSI approved in May
2014.
---------------------------------------------------------------------------
Conceptually, the DS4P approach utilizes metadata applied in layers
(e.g. metadata applied to the header, section, or entry levels of a C-
CDA document). The DS4P technical approach defaults to privacy metadata
tagging at the document level. If an organization chooses to apply
additional privacy metadata tagging within a document, that optional
technical capability is also described within the IG for CDA. If a
receiving system is unable to process section or entry level privacy
metadata, the default is tagging at the document level. The approach
relies on certain electronic actions being taken by both the sending
system and the receiving system. The sending system must:
1. Identify information that requires enhanced protection or is
subject to further restrictions;
2. Verify that the patient's privacy consent decision allows for
the disclosure of health information; \119\ and
---------------------------------------------------------------------------
\119\ http://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange.
---------------------------------------------------------------------------
3. Add privacy metadata to the health information being disclosed.
In turn, the receiving system must:
1. Be able to process the privacy metadata associated with the
received health information; and
2. Verify the patient's consent before re-disclosure, if the
receiving system has a need to re-disclose the information.
Data segmentation technology emerged to enable health care
providers' use of technology to comply with existing privacy laws,
regulations, and policies. The term ``data segmentation'' is often used
to describe the electronic labeling or tagging of a patient's health
information in a way that allows patients or providers to
electronically share parts,\120\ but not all, of a patient record. For
example, data segmentation technology can be applied to the sharing of
electronic sensitive health information, because that information is
afforded greater protections under various state and federal laws,\121\
as is discussed above. In this proposed rule, we propose to offer two
certification criteria that would allow for health IT to be presented
for testing and certification to the DS4P standard. We view the
proposed offering of certification to these criteria as an initial step
on technical standards towards the ability of an interoperable health
care system to compute and persist the applicable permitted access, use
or disclosure; whether regulated by state or federal laws regarding
sensitive health information or by an individual's documented choices
about downstream access to, or use or disclosure to others of, the
identifiable individual's health information. The application of the
DS4P standard at the document level is an initial step. We understand
and acknowledge additional challenges surrounding the prevalence of
unstructured data, sensitive images, and potential issues around use of
sensitive health information by CDS systems. The adoption of document
level data segmentation for structured documents will not solve these
issues, but will help move technology in the direction where these
issues can be addressed.
---------------------------------------------------------------------------
\120\ The HL7 approved standard does allow for tagging at the
data element level, but this proposed rule is suggesting just
applying the DS4P to the document level.
\121\ http://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange/health-information-privacy-law-policy.
---------------------------------------------------------------------------
For example, today, electronic sensitive health information is not
typically kept in the same repository as non-sensitive data. If
security labels were applied to C-CDA documents at the time they are
created (see ``data segmentation for privacy--send'' certification
criterion), the receiving system would have more choices about how to
store and use that sensitive information. If the receiving system had
the capability to grant access to the tagged documents by using the
security labels as part of the access control decision, then co-
mingling the tagged, sensitive health information with the non-
sensitive data becomes more achievable.
In July 2014, the HITPC provided recommendations on the use of DS4P
technology to enable the electronic implementation and management of
disclosure policies that originate from the patient, the law, or an
organization, in an interoperable manner, so that electronic sensitive
health information may be appropriately shared.\122\ The HITPC noted a
clear need to provide coordinated care for individuals with mental
health and/or behavioral health issues. The HITPC recognized that the
ability of patients to withhold consent to disclose information remains
a concern for providers. In particular, providers want to provide the
best care for patients, but they have concerns about incomplete records
due to both professional obligation and liability considerations. While
the need for providers to act on incomplete information is not
necessarily new, the use of health IT may create an expectation of more
complete information.\123\ In recognition of the consumer, business,
clinical, and technical complexities, the HITPC suggested a framework
of two glide paths for the exchange of 42 CFR part 2-protected data,
based on whether the subject is sending or receiving information.\124\
As a first step in the glide path, the HITPC recommended that we
include Level 1 (document level tagging) send and receive
functionality.\125\ Document level is the most basic level of privacy
metadata tagging described in the DS4P standard. The following two
proposals would implement the HITPC's recommendations.
---------------------------------------------------------------------------
\122\ See Health IT Policy Committee (HITPC) Recommendation
Letter to ONC, July 2014, http://www.healthit.gov/facas/sites/faca/files/PSTT_DS4P_Transmittal%20Letter_2014-07-03.pdf; see also
HITPC's Privacy and Security Tiger Team Public Meeting, Transcript,
May 12, 2014, http://www.healthit.gov/facas/sites/faca/files/PSTT_Transcript_Final_2014-05-12.pdf; Public Meeting, Transcript,
May 27, 2014, http://www.healthit.gov/facas/sites/faca/files/PSTT_Transcript_Final_2014-05-27.pdf.
\123\ Id.
\124\ For more details on the two glide paths for part 2-
protected data, see http://www.healthit.gov/facas/sites/faca/files/PSTT_DS4P_Transmittal%20Letter_2014-07-03.pdf.
\125\ Id. See also, related HITPC recommendations pertaining to
data segmentation submitted to ONC in September 2010: http://www.healthit.gov/sites/faca/files/hitpc_transmittal_p_s_tt_9_1_10_0.pdf.
---------------------------------------------------------------------------
Data Segmentation for Privacy--Send
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(7) (Data segmentation for privacy--send)
------------------------------------------------------------------------
A provider currently cannot send sensitive patient information
electronically without some technical capability to indicate
information is subject to restrictions, such as a prohibition on re-
disclosure without consent, consistent with 42 CFR part 2. The sending
provider also must have confidence that the receiver can properly
handle electronically sent 42 CFR part 2-covered data. Because neither
of these functionalities are currently supported in certification,
sensitive health information such as 42 CFR part 2-covered data is
often only
[[Page 16842]]
shared via paper and fax. We propose, consistent with the HITPC
recommendations, that for certification to this criterion, a Health IT
Module must be able to send documents using document level tagging
(Level 1) in accordance with the DS4P IG. Document level tagging
enables health IT to send the 42 CFR part 2-covered data along with the
appropriate privacy metadata tagging and keep it sequestered from other
data. The DS4P IG, which includes Level 1 functionality, provides
guidance to allow, with proper authorization, a system to send a C-CDA
with tags indicating any restrictions (such as a prohibition on re-
disclosure without consent). While the DS4P IG specifies the technical
means for applying privacy metadata tagging to C-CDA documents, it also
optionally supports use of privacy metadata tagging within the document
(at the section and entry levels). We only propose to require the
document level functionality for sending as part of certification to
this criterion.
Data Segmentation for Privacy--Receive
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(8) (Data segmentation for privacy--receive)
------------------------------------------------------------------------
In general, 42 CFR part 2-covered data is not currently provided
electronically to healthcare providers through electronic exchange.
Instead, the status quo remains to share 42 CFR part 2-covered data via
paper and fax. In line with the HITPC recommendations, we propose a
certification criterion that would require a Health IT Module to be
able to receive 42 CFR part 2-covered data in accordance with the DS4P
IG. DS4P at the document level (Level 1) of the recommendations allows
recipient health IT to receive, recognize, and view documents with
privacy metadata tagging indicating certain restrictions from 42 CFR
part 2 providers with the document sequestered from other health IT
data. A recipient provider could use document level tagging to
sequester the document from other documents received and help prevent
unauthorized re-disclosure, while allowing the sensitive data to flow
more freely to authorized recipients. Thus, consistent with the HITPC
recommendations, we propose that a Health IT Module be able to receive
documents tagged with privacy metadata tagging (Level 1).
Care Plan
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(9) (Care plan)
------------------------------------------------------------------------
We propose to adopt a new 2015 Edition certification criterion that
would reflect a Health IT Module's ability to enable a user to record,
change, access, create and receive care plan information in accordance
with the ``Care Plan document template'' in the C-CDA Release 2.0
standard.
The S&I Framework Longitudinal Coordination of Care (LCC)
Longitudinal Care Plan Sub-Work Group defined a ``care plan'' as ``the
synthesis and reconciliation of the multiple plans of care produced by
each provider to address specific health concerns. It serves as the
blueprint shared by all participants to guide the individual's care. As
such, it provides the structure required to coordinate care across
multiple sites, providers, and episodes of care.'' \126\ The care plan
helps multiple providers and caregivers align and coordinate care,
which is especially valuable for patients living with chronic
conditions and/or disabilities. It also provides a structure to promote
the consideration of a patient's future goals and expectations in
addition to managing their currently active health issues.
---------------------------------------------------------------------------
\126\ http://wiki.siframework.org/file/view/Care%20Plan%20Glossary_v25.doc/404538528/Care%20Plan%20Glossary_v25.doc.
---------------------------------------------------------------------------
The C-CDA Release 2.0 contains a Care Plan document template that
reflects these principles and provides a structured format for
documenting information such as the goals, health concerns, health
status evaluations and outcomes, and interventions. Note that the Care
Plan document template is distinct from the ``Plan of Care Section'' in
previous versions of the C-CDA. The Care Plan document template
represents the synthesis of multiple plans of care (for treatment) for
a patient, whereas the Plan of Care Section represented one provider's
plan of care (for treatment). To make this distinction clear, the C-CDA
Release 2.0 has renamed the previous ``Plan of Care Section'' as the
``Plan of Treatment Section (V2).''
Given the value for improved coordination of care, we propose a new
2015 Edition certification criterion for ``care plan'' that would
require a Health IT Module to enable a user to record, change, access,
create, and receive care plan information in accordance with the ``Care
Plan document template'' in the HL7 Implementation Guide for
CDA[supreg] Release 2: Consolidated CDA Templates for Clinical
Notes.\127\ The IG provides guidance for implementing CDA documents,
including the Care Plan document template. The ``transitions of care''
certification criterion proposed elsewhere in this section of the
preamble would require a Health IT Module enable a user to send and
receive transitions of care/referral summaries according to the C-CDA
Release 2.0, which would include the Care Plan document template.
Therefore, this criterion would focus only on a Health IT Module's
ability to enable a user to record, change, access, create, and receive
care plan information. We welcome comment on our proposal, including
whether we should require certain ``Sections'' that are currently
deemed optional as part of the Care Plan document template for
certification to this criterion. For example, we invite comment on
whether we should require the optional ``Health Status Evaluations and
Outcomes Section'' and ``Interventions Section (V2)'' as part of
certification to this criterion, and if so, for what value/use case.
---------------------------------------------------------------------------
\127\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=379.
---------------------------------------------------------------------------
Clinical Quality Measures--Record and Export
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(c)(1) (Clinical quality measures--record and export)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition certification criterion for
``clinical quality measures (CQM)--record and export'' that is revised
in comparison to the 2014 Edition ``CQM--capture and export''
certification criterion (Sec. 170.314(c)(1)). In order to align with
our use of the term ``record'' used in other 2014 and 2015 Edition
certification criteria, we propose to call this certification criterion
``CQM--record and export.'' We explain the term ``record'' in the 2014
Edition final rule at 77 FR 54168.\128\ We propose to require that a
system user be able to export CQM data at any time the user chooses and
without subsequent developer assistance to operate. We also propose to
require that this certification criterion be part of the set of
criteria necessary to satisfy the ``2015 Edition Base EHR'' definition
(see also section III.B.1 of this preamble for a discussion of the
proposed 2015 Edition Base EHR definition). Last, we solicit comment on
the version of standards we should adopt for this certification
criterion.
---------------------------------------------------------------------------
\128\ ``Record'' is used to mean the ability to capture and
store information in technology.
---------------------------------------------------------------------------
Standards for Clinical Quality Measures
In the 2014 Edition ``CQM--capture and export'' certification
criterion, we require that technology must be able to export a data
file formatted in
[[Page 16843]]
accordance with the HL7 Implementation Guide for CDA Release 2: Quality
Reporting Document Architecture (QRDA), DSTU Release 2 (July 2012)
standard. We understand that the industry is working to harmonize both
clinical quality measurement and CDS standards through initiatives such
as the Clinical Quality Framework (CQF) S&I initiative. CDS guides a
clinician to follow a standard plan of care, while CQMs measure
adherence to a standard plan of care. Thus, these two areas are closely
related and would benefit from standard ways to reference patient data
within health IT as well as common logic to define a sub-population.
The CQF S&I initiative is working to define a shared format,
terminology, and logic between CQMs and CDS for improved efficiency,
cost, and quality of care.
In order to harmonize CQM and CDS standards, the industry is using
pieces of existing CQM standards (e.g., Health Quality Measures Format
(HQMF), QRDA Categories I and III, and the Quality Data Model (QDM))
and CDS standards (e.g., Clinical Decision Support Knowledge Artifact
Specification (also known as HeD Schema) and the Virtual Medical
Record). HL7 issued an errata (September 2014) \129\ that reflects
updates based on an incremental version of the harmonized CQM and CDS
standards (i.e., QDM-based HQMF Release 2.1).\130\ This errata is meant
to be used in conjunction with the July 2012 QRDA IG we adopted in the
2014 Edition. Our understanding is that the fully harmonized CQM and
CDS standards will be based on the Quality Improvement and Clinical
Knowledge (QUICK) data model,\131\ and that the industry expects to
ballot a QUICK FHIR-based DSTU serving the same function as the HQMF
standard at the May 2015 HL7 meeting. Subsequent standards for
electronically processing and reporting CQMs and CDS would then be
expected to be built on the QUICK data model, including a QRDA-like
standard based on the anticipated QUICK FHIR-based DSTU.
---------------------------------------------------------------------------
\129\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=35. Please note that in order to access
the errata, the user should download the ``HL7 Implementation Guide
for CDA Release 2: Quality Reporting Document Architecture--Category
I, DSTU Release 2 (US Realm)'' package.
\130\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=97.
\131\ http://www.hl7.org/special/Committees/projman/searchableProjectIndex.cfm?action=edit&ProjectNumber=1045.
---------------------------------------------------------------------------
Given the timing of this proposed rule and the expected
deliverables for harmonized CQM and CDS standards as described above,
we solicit comment on the version of QRDA or the QRDA-like standards we
should adopt for this certification criterion. Specifically, we solicit
comment on the following three options:
HL7 Implementation Guide for CDA Release 2: Quality
Reporting Document Architecture (QRDA), DSTU Release 2 (July 2012);
HL7 Implementation Guide for CDA Release 2: Quality
Reporting Document Architecture (QRDA), DSTU Release 2 (July 2012) and
the September 2014 Errata; or
A QRDA-like standard based on the anticipated QUICK FHIR-
based DSTU.CQM standards we should adopt for this certification
criterion.
We anticipate that the QUICK data model will not be available to
review during the public comment period of this NPRM, and welcome
stakeholder input on the usefulness of adopting the current (July 2012)
QRDA standard alone or in conjunction with the September 2014 errata
given that we anticipate there will be harmonized CQM and CDS standards
available in mid-2015. We also seek to understand the tradeoffs
stakeholders perceive in adopting each standard provided that the EHR
Incentive Programs Stage 3 proposed rule is proposing that technology
certified to the 2015 Edition would not be required until January 1,
2018, but that technology certified to the 2015 Edition ``CQM--record
and export'' certification criterion would be needed for EPs, eligible
hospitals, and CAHs participating in the EHR Incentive Programs Stage 3
objectives and measures in 2017. Thus, we welcome input on recommended
QRDA standards for the ``CQM--record and export'' certification
criterion factoring in where the industry may be with adoption of CQM
and CDS standards over the next few years.
User Ability To Export CQM Data
We have received stakeholder feedback that some systems certified
to the 2014 Edition ``CQM--capture and export'' certification criterion
do not provide users with the ability to export data ``on demand'' nor
to export batches of multiple patients simultaneously. Rather, some
users of certified health IT must request this functionality from the
health IT developer. Our intent is that users should be able to export
CQM data formatted to the QRDA standard at any time the user chooses
for one or multiple patients and without additional assistance. Thus,
as proposed, when a Health IT Module is presented for certification to
this criterion, we would expect that testing of the Health IT Module
would include demonstration of a user's ability to export CQM data
without subsequent health IT developer assistance beyond normal
orientation/training.
Clinical Quality Measures--Import and Calculate
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criteria
Sec. 170.315(c)(2) (Clinical quality measures--import and calculate)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition certification criterion for
``clinical quality measures (CQM)--import and calculate'' that is
revised in comparison to the 2014 Edition ``CQM--import and calculate''
certification criterion (Sec. 170.314(c)(2)). We propose to require
that a system user be able to import CQM data at any time the user
chooses and without subsequent health IT developer assistance to
operate. We also no longer include an exemption that would allow a
Health IT Module presented for certification to all three CQM
certification criteria (Sec. Sec. 170.315(c)(1), (c)(2), and (c)(3))
to not have to demonstrate the data import capability. Last, we solicit
comment on our intended direction for testing and certifying health IT
and the version of standards we should adopt for this certification
criterion.
User Ability To Import CQM Data
We have received stakeholder feedback that some systems certified
to the 2014 Edition ``CQM--import and calculate'' certification
criterion do not provide users the ability to import data ``on
demand,'' and rather users must request this functionality from the
system developer or vendor. Our intent is that users should be able to
import CQM data formatted to the QRDA standard for one or multiple
patients at any time the user chooses and without additional
assistance. Thus, when a Health IT Module is presented for
certification to this criterion, we would expect that testing of the
Health IT Module would include demonstration of a user's ability to
import CQM data without subsequent health IT developer assistance
beyond normal orientation/training.
Import of CQM Data
For the 2014 Edition, we do not require systems that certify to
Sec. 170.314(c)(1) (CQM--capture and export), Sec. 170.314(c)(2)
(CQM--import and calculate), and Sec. 170.314(c)(3) (CQM--electronic
submission) to have to demonstrate that they can import data files in
accordance with the QRDA
[[Page 16844]]
standard. In 2012, we adopted this policy because we did not believe
that systems that could perform capture, export, and electronic
submission functions would need to import CQM data as they were in
essence ``self-contained'' (77 FR 54231). However, we have received
stakeholder input recommending that all systems should be able to
import CQM data and that there could be instances were a provider using
one technology to record CQM data could not subsequently import such
data into a different technology. We agree with this feedback.
Therefore, this exemption will no longer carry forward as part of the
proposed 2015 Edition version of this certification criterion. This
means that a Health IT Module presented for certification to this
certification criterion (Sec. 170.315(c)(2)) would need to be able to
demonstrate the ability to import data in order to be certified to this
certification criterion even if they also certify to provide ``record
and export'' and ``electronic submission/report'' functions.
Testing of Import and Calculate Functionalities
The testing procedures for the 2014 Edition ``CQM--import and
calculate'' certification criterion only test that technology can
import a small number of test records and use those for calculation of
CQM results. We have received feedback that technology should be able
to import a larger number of test records and that we should test this
ability to reflect real-world needs for technology. With the import of
a large number of records, technology also needs to be able to de-
duplicate records for accurate calculation of CQM results. Therefore
for testing and certification to the proposed 2015 Edition ``CQM--
import and calculate'' certification criterion, we intend for testing
to include that technology can import a larger number of test records
compared to testing for the 2014 Edition and automatically de-duplicate
them for accurate CQM calculation. We welcome comment on our proposed
intentions to test a larger number of test records compared to the 2014
Edition test procedure and that a Health IT Module could eliminate
duplicate records. We also request comment on the number of test
records we should consider testing a Health IT Module for performing
import and calculate functions.
Standards for Clinical Quality Measures
We describe above in the preamble for the proposed 2015 Edition
``CQM--record and export'' certification criterion our understanding of
the industry's timeline and expected deliverables for harmonized CQM
and CDS standards. Given the discussion above, we also solicit comment
on the QRDA standards we should consider adopting for this 2015 Edition
``CQM--import and calculate'' certification criterion.
Clinical Quality Measures--Report
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criteria
Sec. 170.315(c)(3) [Reserved]
------------------------------------------------------------------------
In the 2014 Edition, we adopted a ``CQM--electronic submission''
certification criterion that requires technology to enable a user to
electronically create a data file for transmission of CQM data in
accordance with QRDA Category I and III standards and ``that can be
electronically accepted by CMS'' (Sec. 170.314(c)(3)). We have
received stakeholder feedback recommending we better align our
certification policy and standards for electronically-specified CQM
(eCQM) reporting with other CMS programs that include eCQMs, such as
the Physician Quality Reporting System (PQRS) and Hospital Inpatient
Quality Reporting (IQR) programs. The PQRS and Hospital IQR programs
update their measure specifications on an annual basis through
rulemaking in the Physician Fee Schedule (PFS) and Inpatient
Prospective Payment Systems (IPPS) rules respectively.
To better align with the reporting requirements of other CMS
programs, we intend to propose certification policy for reporting of
CQMs in or with annual PQRS and/or Hospital IQR program rulemaking. We
anticipate we will propose standards for reporting of CQMs that reflect
CMS' requirements for the ``form and manner'' of CQM reporting (e.g.,
CMS program-specific QRDA standards), allowing for annual updates of
these requirements as necessary. Under this approach, the ``CQM--
report'' certification policy and associated standards for the 2015
Edition that support achieving EHR Incentive Program requirements would
be proposed jointly with the calendar year (CY) 2016 PFS and/or IPPS
proposed rules. We anticipate these proposed and final rules will be
published in CY 2015. We clarify that we anticipate removing
``electronic'' from the name of this certification criterion. As
described in the preamble, we expect that all functions proposed in the
2015 Edition certification criteria are performed or demonstrated
electronically. Thus, it is not necessary to specifically include this
requirement in the title of this certification criterion. We also
anticipate naming this certification criterion ``report'' instead of
``submission'' to better align with the language we use in other
certification criteria that also require demonstration of the same
functionality to submit data.
Clinical Quality Measures--Filter
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(c)(4) (Clinical quality measures--filter)
------------------------------------------------------------------------
We propose to adopt a new 2015 Edition certification criterion for
CQM filtering. In the Voluntary Edition proposed rule, we proposed a
new certification criterion that would require health IT to be able to
record structured data for the purposes of being able to filter CQM
results to create different patient population groupings by one or more
of a combination of certain patient characteristics \132\ (79 FR 10903-
04). We proposed this capability to support eCQM reporting where the
reporting entity is not an individual provider but rather a group
practice or an accountable care organization (ACO). We also proposed
certain patient characteristics that would support identification of
health disparities, help providers identify gaps in quality, and
support a provider in delivering more effective care to sub-groups of
their patients. We did not adopt this certification criterion in the
2014 Edition Release 2 final rule as we received comments recommending
we further refine the use cases and perform more analysis of which data
elements are being captured in standardized ways (79 FR 54462).
---------------------------------------------------------------------------
\132\ Practice site and address; Tax Identification Number
(TIN), National Provider Identifier (NPI), and TIN/NPI combination;
diagnosis; primary and secondary health insurance, including
identification of Medicare and Medicaid dual eligible; demographics
including age, sex, preferred language, education level, and
socioeconomic status.
---------------------------------------------------------------------------
CMS offers various options for providers to report quality data as
part of a group instead of individually reporting as individual
providers. For example, the PQRS offers the Group Practice Reporting
Option (GPRO) that allows for assessment and payment (or adjustment)
based on reporting of data on quality measures at the group level.
Similarly, there are group reporting options, including the GRPO under
the PQRS for reporting data used to assess quality for purposes of the
Value Modifier under the Medicare Physician Fee Schedule. Another CMS
group reporting option is the Comprehensive Primary Care (CPC)
initiative. In the CPC initiative, participating primary
[[Page 16845]]
care practices receive care management fees to support enhanced,
coordinated services. In the CPC initiative, each physical site
location is counted as a ``practice.'' A group practice may encompass
several primary care sites, of which some, but not all, are
participating in CPC. Because the unit of analysis in CPC is the
practice site, CMS requires all CPC participants to report CQMs at the
level of the practice rather than at the level of the individual
provider. Each CPC practice's quality results, which include
performance on patient experience and claims measures as well as CQMs,
are tied to the distribution of any Medicare shared savings calculated
and earned at the level of the Medicare population of each region
participating in the initiative.
ACO models and programs, such as the Medicare Shared Savings
Program (MSSP) and CMS Pioneer ACO Model, include groups of doctors,
hospitals, and other health care providers who come together
voluntarily to give coordinated high quality care to their patients. In
ACO models and programs, the providers that participate in the ACO
share responsibility for the care and outcomes of their patients. For
example, MSSP participants are rewarded if the ACO lowers the growth in
its health care costs while meeting performance standards on quality of
care. ACOs are required to internally report on cost and quality
metrics associated with the activities of their practitioners, to
promote the use of evidence-based medicine, and to support the care
coordination activities of their practitioners. Understanding the
practice patterns of individual practitioners for services provided on
behalf of the ACO is therefore important for such organizations.
In some cases, not all providers practicing at a particular
practice site location or in an ACO will be participating in the group
practice or ACO reporting options. The National Provider Identifier
(NPI) is insufficient by itself to attribute a provider's performance
to a particular group practice or ACO, as the provider could practice
in multiple health care organizations. Likewise, a health care
organization may have multiple Tax Identification Numbers (TINs).
Currently, data may be accessed by filtering on either the TIN or the
NPI, but not in combination due, in part, to current CMS reporting
requirements and limitations of health IT being used by providers. The
ability to filter by a combination of NPI/TIN could allow for more
specific and proper attribution of a provider's performance to the
correct organization for aggregating group practice or ACO quality
measure results.
Health IT should support an organization's ability to filter both
individual patient level and aggregate level eCQM results by data that
would support administrative reporting as well as identification of
health disparities and gaps in care for patients being treated at
particular group practice sites or in a given ACO. We, therefore,
propose a new certification criterion for CQM filtering that would
require health IT to be able to record data (according to specified
standards, where applicable) and filter CQM results at both patient and
aggregate levels by each one and any combination of the following data:
TIN;
NPI;
Provider type;
Patient insurance;
Patient age;
Patient sex in accordance with the standard specified in
Sec. 170.207(n)(1) (HL7 Version 3);
Patient race and ethnicity in accordance with the
standards specified in Sec. 170.207(f)(1) (OMB standard) and, at a
minimum, (f)(2) (``Race & Ethnicity--CDC'' code system in the PHIN
VADS);
Patient problem list data in accordance with, at a
minimum, the version of the standard specified in Sec. 170.207(a)(4)
(September 2014 Release of the U.S. Edition of SNOMED CT[supreg]); and
Practice site address.
We clarify that a Health IT Module must be able to filter by any
combination of the proposed data elements (i.e., by any one (e.g.,
provider type) or a combination of any of the data elements (e.g.,
combination of TIN and NPI or combination of all data)). We also note
that this combination requirement is different than other proposed
certification criteria in that it requires all combinations to be
demonstrated for certification and not just one. We anticipate that if
adopted, stakeholders may want to expand the list of data in this
certification criterion and support the reporting needs of additional
programs over time. Our intent with this proposal is to continue to
work with CMS and other stakeholders to ensure that this list of data
represents a common and relatively stable set across program needs in
support of program alignment.
For certain data elements, we have specified vocabulary standards
(as identified above) to maintain consistency in the use of adopted
national standards. As part of the 2014 Edition, technology is
certified to record patient race, ethnicity, and problem lists in
accordance with standards. In this proposed rule, for the
``demographics'' certification criterion and other criteria, we propose
to certify a Health IT Module to record patient sex, race, and
ethnicity in accordance with standards we propose to adopt as part of
the 2015 Edition. We also propose to certify a Health IT Module to the
record patient problem lists in accordance with the latest version of
the SNOMED CT[supreg] standard. Please refer to the proposed
``demographics'' and ``problem list'' certification criteria discussed
earlier in this section of the preamble for a more detailed discussion
about the standards. We are also aware that patient sex, race, and
ethnicity are being collected as supplemental data to the Quality
Reporting Data Architecture (QRDA) Category I and III files for eCQM
reporting to CMS. Collection of patient date of birth is currently
required as part of the 2014 Edition ``demographics'' certification
criterion, and is being proposed for the 2015 Edition ``demographics''
certification criterion. Therefore, we believe there should not be a
large developmental burden to enable a Health IT Module to record these
data because they are already being collected through policy
established in the 2014 Edition and/or are being proposed as part of
2015 Edition certification criteria discussed elsewhere in this
proposed rule.
We are aware that patient insurance can be collected using a payer
value set that denotes whether the patient has Medicare, Medicaid, and/
or another commercial insurance. We solicit comment on other payer
value sets that could be leveraged to support this proposal. We believe
that provider type could also inform quality improvement if there are
differences in quality measure results by different types of providers.
We are aware of the Healthcare Provider Taxonomy Code Set designed to
categorize the type, classification, and/or specialization of health
care providers.\133\ Health care providers applying for an NPI must
select a Healthcare Provider Taxonomy Code or code description during
the application process. We solicit comment on the appropriateness of
this code set for classifying provider types as well as other standards
that could be used classify provider types.
---------------------------------------------------------------------------
\133\ http://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/MedicareProviderSupEnroll/Taxonomy.html
---------------------------------------------------------------------------
In order to support the identification of CQM results for a
particular practice, we propose to include practice site address in the
list of data. We note that
[[Page 16846]]
while this information may not be needed for CQM filtering at the ACO
level, certification would require that health IT enables a user to
record practice site address, but not dictate that a user must include
this information. We believe the industry is aware of the need to
identify a standard way to represent address. While such a standard is
being developed, we believe that to support group or practice
reporting, having the address is one of the key data elements that
would allow a provider using health IT to filter CQM results at the
practice or group level. We solicit comment on standards for collecting
address data that could be leveraged to support this functionality.
We solicit comment on the appropriateness of the proposed data
elements for CQM filtering, including whether they are being captured
in standardized vocabularies. We also solicit comment on additional
data elements that we should consider for inclusion and standardized
vocabularies that might be leveraged for recording this information in
health IT.
Authentication, Access Control, and Authorization
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(1) (Authentication, access control, and authorization)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``authentication, access
control, and authorization'' certification criterion that is unchanged
in comparison to the 2014 Edition ``authentication, access control, and
authorization'' criterion (Sec. 170.314(d)(1)).
Auditable Events and Tamper-Resistance
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(2) (Auditable events and tamper-resistance )
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``auditable events and tamper-
resistance'' certification criterion that is unchanged in comparison to
the 2014 Edition ``auditable events and tamper-resistance'' criterion
(Sec. 170.314(d)(2)). We seek comment, however, on two issues. In
August 2014, the HHS Office of Inspector General (OIG) released a
report entitled ``The Office of the National Coordinator for Health
Information Technology's Oversight of the Testing and Certification of
Electronic Health Records.'' \134\ In that report, the OIG found that
ONC approved test procedures did not address common security issues,
including ``logging emergency access or user privilege changes.'' The
OIG therefore recommended ``. . . that ONC work with NIST to strengthen
EHR test procedure requirements so that the ATCBs [ONC-Authorized
Testing and Certification Bodies] can ensure that EHR vendors
incorporate common security and privacy features into the development
of EHRs.'' \135\
---------------------------------------------------------------------------
\134\ http://oig.hhs.gov/oas/reports/region6/61100063.pdf
\135\ http://oig.hhs.gov/oas/reports/region6/61100063.pdf
---------------------------------------------------------------------------
The standards adopted at Sec. 170.210(e) and referenced by the
2014 Edition ``auditable events and tamper-resistance'' and ``audit
report(s)'' certification criteria require that technology must be able
to record audit log information as specified in sections 7.2 through
7.4, 7.6 and 7.7 of the standard adopted at 45 CFR 170.210(h). The
standard adopted at Sec. 170.210(h) is ASTM E2147.\136\ Section 7.6 of
ASTM E2147 specifies that audit log content needs to include the ``type
of action'' and references six ``actions:'' Additions, deletions,
change, queries, print, and copy. Section 7.7 requires that the audit
log record when patient data is accessed. So while not explicitly
referenced in section 7.6, the action of ``access'' or viewing of a
patient's information is also required to be recorded for
certification. Moreover, we clarify that an ``emergency access'' event
is expected to be recorded (just like any other access) in accordance
with section 7.7.
---------------------------------------------------------------------------
\136\ http://www.astm.org/Standards/E2147.htm. The standard is
also incorporated by reference at 45 CFR 170.299(c)(1) and available
at the Office of the Federal Register.
---------------------------------------------------------------------------
Because it does not appear that the ASTM standard indicates
recording an event when an individual's user privileges are changed, we
seek comment on whether we need to explicitly modify/add to the overall
auditing standard adopted at 170.210(e) to require such information to
be audited or if this type of event is already audited at the point of
authentication (e.g., when a user switches to a role with increased
privileges and authenticates themselves to the system). We also seek
comments on any recommended standards to be used in order to record
those additional data elements.
In a 2013 report entitled ``Not All Recommended Safeguards Have
Been Implemented in Hospital EHR Technology (OEI-01-11-00570),'' \137\
the OIG recommended that ONC should propose a revision to this
certification criterion to require that EHR technology keep the audit
log operational whenever the EHR technology is available for updates or
viewing or, alternatively, CMS could update its meaningful use criteria
to require providers to keep the audit log operational whenever EHR
technology is available for updates or viewing.\138\ As a result of
that report, in the Voluntary Edition proposed rule, we proposed an
``auditable events and tamper resistance'' certification criterion that
would have required technology to prevent all users from being able to
disable an audit log. While several commenters supported the proposal,
an equal share expressed concern, including the HITSC. The HITSC
recommended against implementing this proposal, indicating that the
requirements of the 2014 Edition certification criterion (identifying
only a limited set of users that could disable the audit log and
logging when and by whom an audit log was disabled and enabled)
provided sufficient parameters to determine the accountable party in
the event of a security incident.\139\ Other commenters contended that
including an absolute prohibition would be problematic because there
are valid and important reasons for users to disable the audit log,
including allowing a system administrator to disable the audit log for
performance fixes, stability, disaster recovery, and system updates or
allowing a system administrator to disable it when there is rapid
server space loss which is hindering a provider from accessing needed
clinical information in a timely manner.
---------------------------------------------------------------------------
\137\ https://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf.
\138\ https://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf.
\139\ http://www.healthit.gov/FACAS/sites/faca/files/Baker_PSWG_2015editionnprm_public_comment_V2.pdf.
---------------------------------------------------------------------------
We reiterate our policy first espoused with the adoption of the
2014 Edition ``auditable events and tamper resistance'' certification
criterion in that the ability to disable the audit log must be
restricted to a limited set of users to meet this criterion. The
purpose of this certification criterion is to require health IT to
demonstrate through testing and certification that it has certain
security capabilities built in. As we have evaluated both OIG's input
and that of commenters, we believe our certification criterion is
appropriately framed within the parameters of what our regulation can
reasonably impose as a condition of certification. This regulation
applies to health IT and not to the people who use it. Thus, how an
individual provider or entity chooses to ultimately implement health IT
that has been certified to this or any other certification criterion
does so outside the scope of this regulation.
[[Page 16847]]
We also received feedback to the Voluntary Edition proposed rule
that there may be some events recorded in the audit log that may be
more critical to record than other events. Commenters noted that there
may be a critical subset of events that should remain enabled at all
times, while other events could be turned off during critical times or
for system updates by a subset of users. As noted above, the standards
adopted at Sec. 170.210(e) and referenced by the 2014 Edition
``auditable events and tamper-resistance'' certification criterion
requires that health IT technology must be able to record additions,
deletions, changes, queries, print, copy, access. The 2014 Edition also
required the log to record when the audit log is disabled and by whom
and that such capability must be restricted to a limited set of
identified users. As a result, we again seek comment on whether:
There is any alternative approach that we could or should
consider;
There is a critical subset of those auditable events that
we should require remain enabled at all times, and if so, additional
information regarding which events should be considered critical and
why; and
Any negative consequences may arise from keeping a subset
of audit log functionality enabled at all times.
Audit Report(s)
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(3) (Audit report(s))
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``audit reports(s)''
certification criterion that is unchanged in comparison to the 2014
Edition ``audit reports(s)'' criterion (Sec. 170.314(d)(3)).
Amendments
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(4) (Amendments)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``amendments'' certification
criterion that is unchanged in comparison to the 2014 Edition
``amendments'' criterion (Sec. 170.314(d)(4)). We note that this
certification criterion only partially addresses the amendment of
protected health information (PHI) requirements of 45 CFR 164.526.
Automatic Access Time-Out
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(5) (Automatic access time-out)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``automatic access time-out''
certification criterion that is unchanged (for the purposes of gap
certification) in comparison to the 2014 Edition ``automatic log-off''
criterion (Sec. 170.314(d)(5)). The 2014 Edition ``automatic log-off''
criterion requires a Health IT Module to ``prevent a user from gaining
further access to an electronic session after a predetermined time of
inactivity.'' In June 2014, the Privacy and Security Workgroup (PSWG)
of the HITSC assessed the automatic log-off criterion.\140\ While the
2014 Edition criterion refers to ``sessions,'' the PSWG noted the need
to recognize that many systems are not session-based. Instead, systems
may be stateless, clientless, and/or run on any device. The PSWG
further noted that the risk that this criterion addresses is the
potential that protected health information could be disclosed through
an unattended device. The HITSC recommended that this certification
criterion should not be overly prescriptive so as to inhibit system
architecture flexibility.
---------------------------------------------------------------------------
\140\ http://www.healthit.gov/facas/sites/faca/files/HITSC_PSWG_2015NPRM_Update_2014-06-17.pdf.
---------------------------------------------------------------------------
To clarify this intent and eliminate the reference to ``session,''
the PSWG suggested to the HITSC that this criterion by refined to state
``automatically block access to protected health information after a
predetermined period of inactivity through appropriate means until the
original user re-authenticates or another authorized user
authenticates.'' We agree in substance with the PSWG work and HITSC
recommendations. Accordingly, we propose a 2015 Edition ``automatic
access time-out'' certification criterion that reflects the HITSC
recommendations and the work of the PSWG. Specifically, the criterion
would require a Health IT Module to demonstrate that it can
automatically stop user access to health information after a
predetermined period of inactivity and require user authentication in
order to resume or regain the access that was stopped. We note,
however, that we do not believe this would have any impact on testing
and certification as compared to testing and certification to the 2014
Edition ``automatic log-off'' criterion (i.e., the 2015 ``automatic
access time-out'' criterion would be eligible for gap certification).
We welcome comments on this assessment.
Emergency Access
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(6) (Emergency access)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``emergency access''
certification criterion that is unchanged in comparison to the 2014
Edition ``emergency access'' criterion (Sec. 170.314(d)(6)).
End-User Device Encryption
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(7) (End-user device encryption)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``end-user device encryption''
certification criterion that is unchanged (for the purposes of gap
certification) in comparison to the 2014 Edition ``end-user device
encryption'' criterion (Sec. 170.314(d)(7)). We propose to require
certification to this criterion consistent with the most recent version
of Annex A: Approved Security Functions (Draft, October 8, 2014) for
Federal Information Processing Standards (FIPS) Publication 140-2.\141\
The purpose of this document is to provide a list of the approved
security functions applicable to FIPS PUB 140-2. To maintain and update
our certification requirements to the most recent NIST-approved
security functions, we propose to move to the updated version of Annex
A (Draft, October 8, 2014). We proposed to adopted this updated version
of Annex A at Sec. 170.210(a)(3). We note, however, that we do not
believe that this would have any impact on testing and certification as
compared to testing and certification to the 2014 Edition ``end-user
device encryption'' criterion (i.e., the 2015 ``end-user device
encryption'' criterion would be eligible for gap certification). We
welcome comments on this assessment.
---------------------------------------------------------------------------
\141\ http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf.
---------------------------------------------------------------------------
Integrity
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(8) (Integrity)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``integrity'' certification
criterion that is unchanged in comparison to the 2014 Edition
``integrity'' criterion (Sec. 170.314(d)(8)). However, we propose a
change in how a Health IT Module would be tested and certified to this
criterion. The 2011 and 2014 editions of this criterion have been
available for individual testing and certification. We propose that the
2015 Edition ``integrity'' criterion would be tested and certified to
support the context for which it was adopted--upon receipt of a summary
record in order to ensure the integrity of the information exchanged
[[Page 16848]]
(see Sec. 170.315(d)(8)(ii)). Therefore, we expect that this
certification criterion would most frequently be paired with the ToC
certification criterion for testing and certification.
In the 2014 Edition propose rule, we sought comment on whether we
should leave the standard for the 2014 Edition ``integrity''
certification criterion as SHA-1 \142\ or replace it with SHA-2,\143\
as SHA-2 is a much stronger security requirement. In the 2014 Edition
final rule (77 FR 54251), we determined that the SHA-1 standard should
serve as a floor and technology could be certified to the 2014 Edition
``integrity'' certification criterion if it included hashing algorithms
with security strengths equal to or greater than SHA-1. We also noted
that the Direct Project specification requires that SHA-1 and SHA-256
(one type of SHA-2 hash algorithms) be supported, which still remains
the case today.
---------------------------------------------------------------------------
\142\ http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
\143\ http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
---------------------------------------------------------------------------
It is our understanding that many companies, including Microsoft
and Google, plan to sunset (deprecate) SHA-1 no later than January 1,
2017.\144\ While the SHA-1 standard serves as the baseline standard for
certification to the proposed 2015 Edition ``integrity'' certification
criterion and health IT could be certified to a security strength
greater than SHA-1 (e.g., SHA-2), we seek comments on if, and when, we
should set the baseline for certification to the 2015 Edition
``integrity'' certification criterion at SHA-2. For example, we could
adopt and move to SHA-2 as the baseline certification requirement with
the effective date of a subsequent file rule. This would likely be in
late 2015 (considering the start of testing and certification), and
consistent with the current trajectory of the industry in this area.
Alternatively, we could set an effective date within the criterion for
when the baseline for certification would shift from SHA-1 to SHA-2
(e.g., beginning 2017).
---------------------------------------------------------------------------
\144\ http://www.symantec.com/en/au/page.jsp?id=sha2-transition.
---------------------------------------------------------------------------
Accounting of Disclosures
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(9) (Accounting of disclosures)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``accounting of disclosures''
certification criterion that is unchanged in comparison to the 2014
Edition ``accounting of disclosures'' criterion (Sec. 170.314(d)(9)).
We note that the 2015 Edition criterion is no longer designated
``optional'' because such a designation is no longer necessary given
that we have discontinued the Complete EHR definition and Complete EHR
certification beginning with the 2015 Edition health IT certification
criteria.
View, Download, and Transmit to 3rd Party (VDT)
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(e)(1) (View, download, and transmit to 3rd party)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``VDT'' criterion that is
revised in comparison to the 2014 Edition ``VDT'' criterion (Sec.
170.314(e)(1)).
Clarified Introductory Text for 2015 Edition VDT Certification
Criterion
In the Voluntary Edition proposed rule, we proposed to make
clarifying changes to the introductory text at Sec. 170.315(e)(1) to
make it clear that this health IT capability is patient-facing and for
patients to use. Commenters generally supported clarifying the
introductory text of VDT. Commenters stressed the importance of
allowing authorized representatives the ability to perform the VDT
functionality. However, due to our approach to only finalize a subset
of modifications in the 2014 Edition Release 2 final rule, we chose not
to make that revision in the 2014 Edition Release 2 final rule.
Therefore, we again propose to revise the introductory text to lead
with ``Patients (and their authorized representatives) must be able to
use health IT to . . .'' We also propose to use this same phrase at the
beginning of each specific capability for VDT to reinforce this point.
We note that this proposed requirement included in this criterion does
not override an individual's right to access protected health
information (PHI) in a designated record set under 45 CFR 164.524.
Common Clinical Data Set, Updated C-CDA, and Diagnostic Image Reports
We propose to include an updated Common Clinical Data Set for the
2015 Edition that includes references to new and updated vocabulary
standards code sets. Please also see the Common Clinical Data Set
definition proposal in section III.B.3 of this preamble. For the same
reasons discussed in the proposed 2015 Edition ToC certification
criterion, we also propose to reference the updated version of the C-
CDA (Draft Standard for Trial Use, Release 2.0) for this certification
criterion; and note, for the reasons discussed under the 2015 ToC
certification criterion, compliance with Release 2.0 cannot include the
use of the ``unstructured document'' document-level template for
certification to this criterion.
We also propose that a Health IT Module must demonstrate that it
can make diagnostic image reports available to the patient in order to
be certified. A diagnostic imaging report contains a consulting
specialist's interpretation of image data. It is intended to convey the
interpretation to the referring (ordering) physician, and becomes part
of the patient's medical record. We believe it is important to include
this information in a patient's record to improve care. Therefore, we
propose to include diagnostic imaging reports in the certification
criterion as something a Health IT Module must be able to make
accessible to patients. Again, to prevent any misinterpretation, we
reiterate for stakeholders that this proposed rule and proposed
certification criterion apply to a Health IT Module with regard to what
must be demonstrated for the Health IT Module to be certified and does
not govern its use.
We request comment on whether we should require testing and
certification for the availability of additional patient data through
the view, download, transmit, and API (discussed below) capabilities.
For example, should patient data on encounter diagnoses, cognitive
status, functional status, or other information also be made available
to patients (or their authorized representatives) through these
capabilities? Additionally, similar to our proposals for the data
portability certification criterion, we request comment on including
requirements in this criterion to permit patients (or their authorized
representatives) to select their health information for, as applicable,
viewing, downloading, transmitting, or API based on a specific date or
time (e.g., on 10/24/2015), a period of time (e.g., the last 3 years),
or all the information available.
VDT--Application Access to Common Clinical Data Set
To complement the API capabilities in the proposed ``Application
Access to Common Clinical Data Set'' criterion at Sec. 170.315(g)(7),
which are intended to be used by health IT purchasers in the context of
providing application access to the Common Clinical Data Set, we also
propose to require that the same capabilities be met as part of the
2015 Edition VDT certification criterion. While in some respects it
could be argued that repeating these capabilities in the VDT
certification criterion are duplicative, we believe the contexts under
which the capabilities proposed by this criterion and proposed at
[[Page 16849]]
Sec. 170.315(g)(7) would be used and the contexts under which
certification to this criterion would be sought are distinct enough to
warrant this repetition (i.e., in some cases a health IT developer may
seek certification solely to this criterion). In recognition of the
fact that some health IT developers will choose to build a more tightly
integrated system that could rely on the same underlying capabilities
developed to meet Sec. 170.315(g)(7), we clarify that health IT
developers could provide the information necessary to satisfy the
``documentation'' and ``terms of use'' requirements in Sec.
170.315(e)(1)(iii)(D) and (E) of this criterion and Sec.
170.315(g)(7)(iv) and (v) only once so long as the information
addresses any potential technical differences in the application access
capabilities provided (e.g., a RESTful web service for Sec.
170.315(e)(1) versus a SOAP web service for Sec. 170.315(g)(7)). As
proposed as part of certification in conjunction with Sec.
170.315(g)(7), we similarly propose for this criterion to require ONC-
ACBs to submit a hyperlink (as part of a product certification
submission to the CHPL) that would allow any interested party to access
the API's documentation and terms of use. This hyperlink would first
need to be provided by the health IT developer to the ONC-ACB.
Including these capabilities in the VDT certification criterion
could address several aspects that currently pose challenges to
individuals (and their families) accessing their health information
(e.g., multiple ``portals''). Additionally, we have coordinated with
CMS to have the proposed meaningful use measure for VDT revised to
allow for responses to data requests executed by the API functionality
to count in the measure's numerator (please see the EHR Incentive
Programs Stage 3 proposed rule published elsewhere in this issue of the
Federal Register). This combination of technological capability and
measurement flexibility could enhance an individual's ability to
converge their data in the application of their choice. Furthermore, by
including these capabilities in this criterion, we ensure that health
IT developers who seek certification only to this criterion but not
(g)(7) because of their market focus, will equally be required to
include an API available as part of their technology.
We note that readers should also review the proposed ``API''
certification criterion in this section of the preamble for requests
for comments that may impact the finalization of the API proposal
included in this certification criterion. For example, we request
public comment on what additional requirements might be needed to
ensure the fostering of an open ecosystem around APIs so that patients
can share their information with the tools, applications, and platforms
of their own choosing.
Activity History Log
In the Voluntary Edition proposed rule, we proposed to include two
new data elements for the activity history log: transmission status and
addressee. Due to the approach we took with the 2014 Edition Release 2
final rule, we did not finalize either proposal. However, we received
support for our proposal to include the addressee as a data element in
the history log. Therefore, we propose to include ``addressee'' as a
new data element in the 2015 Edition VDT criterion related to the
activity history log. Although the 2014 Edition VDT criterion requires
that the action of ``transmit'' be recorded, we did not specify that
the intended destination be recorded. We believe this transactional
history is important for patients to be able to access, especially if a
patient actively transmits their health information to a 3rd party or
another health care provider.
Patient Access to Laboratory Test Reports
In February 2014, CMS, the CDC, and the Office for Civil Rights
(OCR) issued a final rule that addressed the interplay between the CLIA
rules, state laws governing direct patient access to their laboratory
test reports, and the HIPAA Privacy Rule.\145\ The final rule permits
laboratories to give a patient, a patient's ``personal
representative,'' or a person designated by the patient, as applicable,
access to the patient's completed test reports upon the patient's or
patient's personal representative's request.\146\ The final rule also
eliminated the exception under the HIPAA Privacy Rule to an
individual's right to access his or her protected health information
when it is held by a CLIA-certified or CLIA-exempt laboratory. While
patients can continue to get access to their laboratory test reports
from their doctors, these changes give patients a new option to obtain
their test reports directly from the laboratory while maintaining
strong protections for patients' privacy.
---------------------------------------------------------------------------
\145\ CMS is generally responsible for regulatory laboratory
oversight under CLIA, while CDC provides scientific and technical
advice to CMS related to CLIA and OCR administers the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy
Rule.
\146\ https://www.federalregister.gov/articles/2014/02/06/2014-02280/clia-program-and-hipaa-privacy-rule-patients-access-to-test-reports.
---------------------------------------------------------------------------
We seek to ensure that the test reports that are delivered by
providers to patients through the VDT capabilities adhere to the CLIA
test reporting requirements and, therefore, propose that a Health IT
Module presented for certification to this criterion must demonstrate
that it can provide patient laboratory test reports that include the
information for a test report specified in 42 CFR 493.1291(c)(1)
through (7); the information related to reference intervals or normal
values as specified in 42 CFR 493.1291(d); and the information for
corrected reports as specified in 42 CFR 493.1291(k)(2).
Web Content Accessibility Guidelines (WCAG)
We reaffirm for stakeholders that the proposed 2015 Edition VDT
criterion includes the WCAG 2.0 Level A (Level A) conformance
requirements for the ``view'' capability. This is the same requirement
we include in the 2014 Edition VDT criterion. We do, however, propose
to modify the regulatory text hierarchy at Sec. 170.204(a) to
designate this standard at Sec. 170.204(a)(1) instead of Sec.
170.204(a). This would also require the 2014 Edition VDT certification
criterion to be revised to correctly reference Sec. 170.204(a)(1). We
also seek comment on whether we should adopt WCAG 2.0 Level AA (Level
AA) conformance requirements for the ``view'' capability included in
the 2015 Edition VDT criterion (instead of Level A).
The most recent set of guidelines (WCAG 2.0) were published in 2008
\147\ and are organized under 4 central principles with testable
success criteria: Perceivable, Operable, Understandable, and Robust.
Each guideline offers 3 levels of conformance: A, AA, and AAA. Level A
conformance corresponds to the most basic requirements for displaying
Web content. Level AA conformance provides for a stronger level of
accessibility by requiring conformance with Level A success criteria as
well as Level AA specific success criteria. WCAG 2.0 Level AAA (Level
AAA) conformance comprises the highest level of accessibility within
the WCAG guidelines and includes all Level A and Level AA success
criteria as well as success criteria unique to Level AAA.
---------------------------------------------------------------------------
\147\ http://www.w3.org/TR/WCAG20/.
---------------------------------------------------------------------------
In the 2014 Edition final rule (77 FR 54179) we considered public
comment and ultimately adopted Level A for accessibility, but indicated
our interest in raising this bar over time. As part of the Voluntary
Edition proposed rule, we again proposed that health IT be compliant
with Level AA for the
[[Page 16850]]
proposed VDT certification criterion. We received a limited and mixed
response to this proposal (79 FR 54465). In particular, some health IT
developers opposed the increased level citing the cost and burden to
reach Level AA, while others supported the move and offered no
concerns. In both cases, health IT developers noted that WCAG
conformance tools are somewhat sparse and that they have had difficulty
finding viable tools.
Level AA provides a stronger level of accessibility and addresses
areas of importance to the disabled community that are not included in
Level A. For example, success criteria unique to Level AA include
specifications of minimum contrast ratios for text and images of text,
and a requirement that text can be resized without assistive technology
up to 200 percent without loss of content or functionality. We
recognize that Level AA is a step up from Level A, but also note that
is has been nearly 3 years since we adopted Level A for the purposes of
certification to the ``view'' capability. Accordingly, we once again
request comment on the appropriateness of moving to Level AA for
certification of the ``view'' capability included in the 2015 Edition
VDT certification criterion.
We understand that there are not separate guidelines for ``mobile
accessibility'' and that mobile is considered by the W3C Web
Accessibility Initiative to be covered by the WCAG 2.0 guidelines.\148\
Further, we would note that in September 2013, the W3C published a
working group note consisting of ``Guidance on Applying WCAG 2.0 to
Non-Web Information and Communications Technologies (WCAG2ICT).'' \149\
We again request public comment (especially from health IT developers
that have sought or considered certification to the 2014 Edition VDT
certification criterion with a ``non-web'' application) on what, if
any, challenges exist or have been encountered when applying the WCAG
2.0 standards.
---------------------------------------------------------------------------
\148\ http://www.w3.org/WAI/mobile/.
\149\ http://www.w3.org/TR/wcag2ict/.
---------------------------------------------------------------------------
``Transmit'' Request for Comment
In the 2014 Edition Release 2 final rule, we modified the
``transmit'' portion of the 2014 Edition VDT certification criterion to
consistently allow for C-CDA ``content'' capabilities to be separately
certified from ``transport'' capabilities using Direct. In so doing, we
modified the transmit portion of the certification criterion to allow
it to be met in one of two ways: (1) Following the Direct Project
specification (for HISPs); or (2) following the Edge Protocol IG. Given
this change to ``transmit'' that we have duplicated in the proposed
2015 Edition VDT certification criterion and our proposal to include an
API capability as part of the proposed 2015 Edition VDT certification
criterion, we request comment on whether stakeholders believe that it
would be beneficial to include the Direct Project's Implementation
Guide for Direct Project Trust Bundle Distribution specification \150\
as part of certification to the first way described above (following
the Direct Project specification (for HISPs)) for the 2015 Edition VDT
certification criterion. This trust bundle specification's focuses on
``guidance on the packaging and distribution of Trust Bundles to
facilitate scalable trust between Security/Trust Agents (STAs).'' As we
understand, including this specification as part of certification could
enable patient-facing technology to be configured to trust externally
hosted bundles of S/MIME certificates. In addition, we have continued
to hear concerns regarding the difficulties related to exchanging
Direct messages across platforms and ``trust communities'' in the
context of patient-directed transmissions. Therefore, we also request
comments on whether any additional requirements are needed to support
scalable trust between STAs as well as ways in which ONC, in
collaboration with other industry stakeholders, could support or help
coordinate a way to bridge any gaps.
---------------------------------------------------------------------------
\150\ http://wiki.directproject.org/file/view/Implementation+Guide+for+Direct+Project+Trust+Bundle+Distribution+v1.0.pdf.
---------------------------------------------------------------------------
C-CDA Creation Capability Request for Comment
We request public comment on a potential means to provide explicit
implementation clarity and consistency as well as to further limit
potential burdens on health IT developers. Specifically, should we
limit the scope of C-CDA creation capability within this certification
criterion to focus solely on the creation of a CCD document template
based on the C-CDA Release 2.0? This approach could also have the
benefit of creating clear expectations and predictability for other
health IT developers who would then know the specific document template
implemented for compliance with this criterion.
C-CDA Data Provenance Request for Comment
We refer readers to the request for comment under the same heading
(``C-CDA Data Provenance Request for Comment'') in the ToC
certification criterion earlier in this section of the preamble
(section III). The request for comment focuses on the maturity of the
HL7 IG for CDA Release 2: Data Provenance, Release 1 (US Realm) (DSTU)
\151\ and its potential use in connection with the C-CDA.
---------------------------------------------------------------------------
\151\ http://wiki.hl7.org/index.php?title=HL7_Data_Provenance_Project_Space and http://gforge.hl7.org/gf/project/cbcc/frs/?action=FrsReleaseBrowse&frs_package_id=240.
---------------------------------------------------------------------------
Clinical Summary
We note that we are not proposing a 2015 Edition ``clinical
summary'' certification criterion because past versions of this
certification criterion were adopted in direct support of the EHR
Incentive Programs. The proposals found in the EHR Incentive Programs
Stage 3 proposed rule published elsewhere in this issue of the Federal
Register rely on patients being provided with the ability to view,
download, and transmit their health information via online access.
Therefore, we believe the capabilities included in the 2015 Edition
``view, download, and transmit to 3rd party'' certification criterion
appropriately and sufficiently support the proposals of the EHR
Incentive Programs.
Secure Messaging
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(e)(2) (Secure messaging)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``secure messaging''
certification criterion that is unchanged in comparison to the 2014
Edition ``secure messaging'' criterion (Sec. 170.314(e)(3)).
Transmission to Immunization Registries
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(1) (Transmission to immunization registries)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``transmission to immunization
registries'' certification criterion that is revised in comparison to
the 2014 Edition ``transmission to immunization registries'' criterion
(Sec. 170.314(f)(2)). We propose to adopt an updated IG, require
National Drug Codes (NDC) for recording administered vaccines, require
CVX codes for historical vaccines, and require a Health IT Module
presented for certification to
[[Page 16851]]
this criterion to be able to display an immunization history and
forecast from an immunization registry. These proposals are described
in more detail below.
Implementation Guide for Transmission to Immunization Registries
The 2014 Edition certification criterion for transmission to
immunization registries at Sec. 170.314(f)(2) references the following
IG for immunization messaging: HL7 Version 2.5.1: Implementation Guide
for Immunization Messaging, Release 1.4. Since the publication of the
2014 Edition final rule, the CDC has issued an updated IG (HL7 Version
2.5.1: Implementation Guide for Immunization Messaging, Release 1.5)
(October 2014) that promotes greater interoperability between
immunization registries and health IT. Release 1.5 focuses on known
issues from the previous release and revises certain HL7 message
elements to reduce differences between states and jurisdictions for
recording specific data elements. Specifically, Release 1.5: \152\
---------------------------------------------------------------------------
\152\ http://www.cdc.gov/vaccines/programs/iis/technical-guidance/downloads/hl7guide-1-5-2014-11.pdf.
---------------------------------------------------------------------------
Is organized into profiles, including separate profiles
for VXU and ACK (acknowledgement) messages;
Clarifies and tightens conformance statements;
Corrects ACK (acknowledgment) messages to support improved
messaging back to the EHR about the success/failure of a message; and
Includes query and response changes such as V2.7.1 MSH
user constraints, minimum requirements for a response message, and
corrected profiles for response to errors and no match situations.
We believe these improvements are important to the IG and will
continue to support our ultimate goal for this certification
criterion--bidirectional immunization data exchange. Given the
improvements included in the updated IG, we propose to adopt it at
Sec. 170.205(e)(4) and include it in the 2015 Edition ``transmission
to immunization registries'' certification criterion.
National Drug Codes for Administered Vaccinations
In the Voluntary Edition proposed rule, we solicited comment for
future editions on whether we should replace CVX codes for representing
vaccines with NDC codes,\153\ and on options for recording historical
immunizations (79 FR 10908-9). NDC codes offer a number of benefits
compared to CVX codes because:
---------------------------------------------------------------------------
\153\ http://www.fda.gov/drugs/informationondrugs/ucm142438.htm.
---------------------------------------------------------------------------
They can support pharmaceutical inventory management
within immunization registries and are built into the provider's
workflow;
Are built into 2D barcodes, which have been successfully
piloted for vaccines, and can improve quality and efficiency of data
entry of information such as vaccine lot and expiration date; and
Can improve patient safety with better specificity of
vaccine formulation.
NDC codes also include packaging information as well as support
linking to the unit of use and sale, whereas CVX codes do not provide
this information as efficiently. These data elements are important for
supporting vaccine inventory management.
Immunization registries are tightly linked to inventory management
functions. This is largely due to the administration of the Vaccines
for Children (VFC) program, a federally funded program that provides
vaccines at no cost to children who might not otherwise be vaccinated
because of inability to pay. CDC purchases vaccines at a discount and
distributes them to grantees, which are state health departments and
local and territorial public health agencies. The grantees distribute
the VFC vaccines at no charge to private providers' offices and public
health clinics registered as VFC providers. Because of the way this
program is administered, immunization registries, which are maintained
by public health agencies, have been developed to include vaccine
inventory functions that help the grantees and providers manage their
VFC vaccine stock. Due to the coupling of inventory functions within
registries, many systems that can transmit immunization information to
registries are also able to support these inventory management
functions. NDC codes are used by many immunization registries to order
vaccines and for inventory purposes.
We believe NDC codes for vaccines may be best suited to support
immunization inventory management, as well as for providing the
benefits stated above for 2D barcoding and patient safety. Both the HL7
Version 2.5.1: Implementation Guide for Immunization Messaging, Release
1.5 and the C-CDA Release 2.0 IG support coding of immunizations using
both CVX and NDC codes. CDC also provides a publicly available mapping
of NDC codes for vaccines to CVX codes.\154\
---------------------------------------------------------------------------
\154\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=ndc. See also: http://www2a.cdc.gov/vaccines/iis/iisstandards/ndc_tableaccess.asp.
---------------------------------------------------------------------------
NDC codes for vaccines include a portion that identifies the
product, and thus cannot be used to code historical vaccinations of
unknown formulation. Historical vaccinations are self-reported
vaccinations given prior to the office visit. Patients can report
historical vaccinations to providers without supporting documentation,
such as a written or electronic vaccination history, and therefore the
provider does not know the manufacturer and/or formulation of the
product. In terms of options for recording historical vaccinations of
unspecified/unknown formulation, we solicited comments on two options
in the Voluntary Edition proposed rule:
Option 1: Continue to use CVX codes for historical
vaccinations only;
Option 2: Use the NDC syntax and create a new value set
for the product portion of the code for vaccines of unspecified formula
(e.g., influenza vaccine of unspecified formula) for historical
vaccinations (resulting in an ``NDC-like'' code).
The majority of commenters were opposed to Option 2 for creating an
``NDC-like'' code. Commenters believed it would add complexity to
coding NDC codes and be burdensome to maintain in the long-term. We
agree with commenters and therefore believe Option 1 is a more viable
solution for recording historical vaccinations. We believe health IT
should be able to record historical vaccinations to provide the most
complete record possible for a provider to use in determining which
vaccines a patient may need.
We received comments that recommended we consider moving to
RxNorm[supreg] codes for immunizations. However, RxNorm[supreg] does
not support inventory management nor does it support recording
historical vaccinations. Therefore, we do not believe RxNorm[supreg] is
the best available option for coding vaccinations at this time.
We also received public comment that, in certain circumstances, NDC
codes can be reused. Commenters expressed concerned about potential
confusion for vaccine products when NDC codes are reused. In
consultation with FDA, we understand that FDA does not intend to allow
reuse of NDC codes for vaccine products going forward. Thus, we do not
believe that reuse of NDC codes will be an issue for vaccine coding.
Given the discussion above on the benefits of NDC codes for coding
vaccinations and in consideration of public comment, we propose to
require for certification that a Health IT Module be able to
electronically create
[[Page 16852]]
immunization information for electronic transmission to immunization
registries using NDC codes for vaccines administered (i.e., the
National Drug Code Directory--Vaccine Codes, updates through January
15, 2015 \155\). For historical vaccines, we propose to continue the
use of CVX codes and propose to adopt the HL7 Standard Code Set CVX--
Vaccines Administered, updates through February 2, 2015,\156\ as the
baseline version for certification to the 2015 Edition. We refer
readers to section III.A.2.d (``Minimum Standards'' Code Sets) for
further discussion of our proposal to adopt the National Drug Code
Directory--Vaccine Codes as a minimum standards code set and the
``January 15, 2015 version,'' or potentially a newer version if
released before a subsequent final rule, as the baseline for
certification to the 2015 Edition. We also refer readers to section
III.A.2.d (``Minimum Standards'' Code Sets) for further discussion of
our adoption of CVX codes as a minimum standards code set and our
proposal to adopt the ``February 2, 2015 version,'' or potentially a
newer version if released before a subsequent final rule, as the
baseline for certification to the 2015 Edition.
---------------------------------------------------------------------------
\155\ http://www2a.cdc.gov/vaccines/iis/iisstandards/ndc_tableaccess.asp.
\156\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=cvx.
---------------------------------------------------------------------------
In addition to soliciting comments on this proposal, we solicit
comment on whether we should allow use of NDC codes for administered
vaccines as an option for certification, but continue to require CVX
codes for administered vaccines for the 2015 Edition. Allowing for
optional use of NDC codes for administered vaccines could provide
health IT developers and health care providers an implementation period
before we would consider requiring NDC codes for administered vaccines.
We also solicit comment on whether we should require CVX plus the HL7
Standard Code Set MVX--Manufacturers of Vaccines Code Set (October 30,
2014 version) \157\ as an alternative to NDC codes for administered
vaccines. MVX codes identify the manufacturer of a vaccine and support
recording the vaccine at the trade name level when paired with the CVX
code. MVX codes do not, however, independently include the trade name,
package, or unit of use/unit of sale. CVX codes plus MVX codes could
provide more information than CVX codes alone, but not as much
information as NDC codes. As part of this comment solicitation, we also
invite comments on the implementation burden for health IT developers
and health care providers of requiring CVX plus MVX codes versus NDC
codes for administered vaccines.
---------------------------------------------------------------------------
\157\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=mvx.
---------------------------------------------------------------------------
Immunization History and Forecast
In the Voluntary Edition proposed rule, we solicited comment on the
maturity of bidirectional immunization data exchange activities and
whether we should propose to include bidirectional immunization
exchange in our certification rules. Commenters supported inclusion of
bidirectional immunization data exchange. We understand that the HL7
Version 2.5.1: Implementation Guide for Immunization Messaging, Release
1.5 we are proposing to adopt for this criterion provides improvements
that support bidirectional exchange between health IT and immunization
registries, including segments for querying a registry, receiving
information, and sending a response to the registry. Additionally, we
received comments specifically recommending that immunization forecast
information and CDS guidance provide results in accordance with the
Advisory Committee on Immunization Practice's (ACIP) \158\
recommendations.
---------------------------------------------------------------------------
\158\ http://www.cdc.gov/vaccines/acip/.
---------------------------------------------------------------------------
We believe that bidirectional exchange between health IT and
immunization registries is important for patient safety and improved
care. Immunization registries can provide information on a patient's
immunization history to complement the data in the EHR. Immunization
registries also provide immunization forecasting recommendations
according to the ACIP's recommendations. This information allows for
the provider to access the most complete and up-to-date information on
a patient's immunization history to inform discussions about what
vaccines a patient may need based on nationally recommended
immunization recommendations.
Provided the discussion above, we propose that, for certification
to this criterion, a Health IT Module would need to enable a user to
request, access, and display a patient's immunization history and
forecast from an immunization registry in accordance with the HL7
Version 2.5.1: Implementation Guide for Immunization Messaging, Release
1.5. We welcome comment on this proposal. We also welcome comments on
whether we should include an immunization history information
reconciliation capability in this criterion and the factors we should
consider regarding the reconciliation of immunization history
information.
Exchange of the Common Clinical Data Set--NDC and CVX Codes
For transmission of immunization information across settings using
the C-CDA standard, NDC codes carry more information than CVX codes,
specifically for inventory management and safety functions (e.g., trade
name, package, and unit of use/unit of sale). For quality reporting of
immunization coverage data using the QRDA Category I standard,
inventory management data may not be needed, and therefore a CVX code
is sufficient for submission of quality reporting data. However, ONC is
supportive of moving towards collection of vaccine administration data
within the EHR with the patient's clinical data regardless of the
requirements in the QRDA Category I standard. We believe it is
appropriate to use mapping from NDC codes to CVX codes and a mapping
table is available.\159\ We understand that the C-CDA Release 2.0 can
support NDC codes as a translational data element, but the CVX code is
required to accompany it. The additional information NDC codes contain
could assist with vaccine tracking for clinical trials and adverse
events. Therefore, we propose in a later section of this rule to
include the representation of immunizations in both CVX codes and NDC
codes as part of the ``Common Clinical Data Set'' definition for
certification to the 2015 Edition. Please see section III.B.3 ``Common
Clinical Data Set'' of this preamble for further discussion of this
associated proposal. We note that this means that a Health IT Module
certified to certification criteria that include the Common Clinical
Data Set (e.g., the ToC criterion) must demonstrate the capability to
represent immunizations in CVX codes and NDC codes. This approach
ensures that health IT would be able to support a provider's attempt to
send immunization information that includes NDC information.
---------------------------------------------------------------------------
\159\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=ndc. See also: http://www2a.cdc.gov/vaccines/iis/iisstandards/ndc_tableaccess.asp.
---------------------------------------------------------------------------
Immunization Information Certification Criterion
In response to the Voluntary Edition proposed rule, we received
comments recommending we discontinue the ``immunization information''
certification criterion for future editions because the necessary data
elements are enumerated in the IG for reporting to immunization
registries required for the
[[Page 16853]]
``transmission to immunization registries'' criterion. These commenters
did not see any additional value in having a standalone certification
criterion for ``immunization information'' as the value lies in being
able to transmit the immunization message. We agree with these
comments. Therefore, we are not proposing an ``immunization
information'' criterion as part of the 2015 Edition. We welcome
comments on this approach.
Transmission to Public Health Agencies--Syndromic
Surveillance
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition EHR Certification Criterion
Sec. 170.315(f)(2) (Transmission to public health agencies--syndromic
surveillance)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition certification criterion for
transmission of syndromic surveillance to public health agencies that
is revised in comparison to the 2014 Edition version (Sec.
170.314(f)(3)) for the inpatient setting. We note, however, that this
proposed certification criterion is unchanged (for the purposes of gap
certification) for the ambulatory setting. As discussed in the 2014
Edition Release 2 final rule, we understand that ambulatory providers
may be using different methods for sending syndromic surveillance
information to public health agencies, including HL7 2.5.1 and query-
based messages (79 FR 54439-54441). It is our understanding that these
methods are still being implemented and refined within the industry and
the public health community. Therefore, given the varied adoption of
methods for transmitting syndromic surveillance information to public
health agencies from ambulatory settings, we propose to continue to
distinguish between ambulatory and emergency department, urgent care,
and inpatient settings.
Emergency Department, Urgent Care, and Inpatient Settings
We propose to adopt the PHIN Messaging Guide for Syndromic
Surveillance: Emergency Department, Urgent, Ambulatory Care, and
Inpatient Settings, Release 2.0, September 2014 (``Release 2.0'').\160\
Release 2.0 provides improvements over previous versions by:
---------------------------------------------------------------------------
\160\ http://www.cdc.gov/phin/library/guides/SyndrSurvMessagGuide2_MessagingGuide_PHN.pdf
---------------------------------------------------------------------------
Re-purposing of the HL7 2.5.1 messaging structure for all
type of messages/trigger events, and combining all specifications in
one profile;
Re-structuring chapters, making them more concise and
placing supporting information into Appendixes;
Adding more implementation comments and better field name
descriptions within segment profile attributes;
Making examples better aligned to the business process;
Adding new conformance statements that simplify testing of
messages;
Making more user-friendly navigation through the document
(adding a more detailed Table of Contents, updating a format of
implementation comments, etc.);
Simplifying collection and management of data by
addressing requests for only using a text format for the ``Chief
Complaint/Reason for Visit'' Data Element; and
Correcting errors that were discovered in Version 1.9.
We believe these improvements are important to the IG and will
continue to support interoperability and data exchange of syndromic
surveillance information. As we adopted Release 1.8 of the IG in 2012
for the 2014 Edition, we believe the industry has had sufficient time
to implement Release 1.8 and could benefit from the updates in Release
2.0. Release 2.0 also updates errors and known issues from Release 1.9
that commenters noted in response to the Voluntary Edition proposed
rule as discussed in the Voluntary Edition final rule (79 FR 54440).
Given the improvements included in Release 2.0 of the IG, we propose to
adopt it at Sec. 170.205(d)(4) and include it in the 2015 Edition
``transmission to public health agencies--syndromic surveillance''
certification criterion for emergency department, urgent care, and
inpatient settings.
Ambulatory Syndromic Surveillance
We propose to permit, for ambulatory setting certification, the use
of any electronic means for sending syndromic surveillance data to
public health agencies as well as optional certification to certain
syndromic surveillance data elements. In the 2014 Edition Release 2
final rule, we adopted a certification criterion for ambulatory
syndromic surveillance at Sec. 170.314(f)(7) that permits use of any
electronic means of sending syndromic surveillance data to public
health agencies for ambulatory settings (79 FR 54440-01). We adopted
this criterion to provide EPs under the EHR Incentive Programs to meet
the Stage 2 syndromic surveillance objective with the use of CEHRT.
Because there were no IGs to support HL7 2.5.1 messaging or query-based
syndromic surveillance for ambulatory settings, we expanded our policy
to provide more flexibility to EPs to meet the syndromic surveillance
objective.
As part of the 2014 Edition criterion, we also provide the option
for technology presented for certification to demonstrate that it can
electronically produce syndromic surveillance information that contains
patient demographics, provider specialty, provider address, problem
list, vital signs, laboratory results, procedures, medications, and
insurance. Public health agencies and stakeholders that piloted query-
based models for transmitting ambulatory syndromic surveillance data
send all of these data elements. We offered this optional list of data
elements for certification to provide clarity and a path forward to
health IT developers on the data elements they should focus on for
creating syndrome-based public health transmissions in support of
query-based models, including any potential certification requirements
introduced through future rulemaking. Due to the continued lack of
mature IGs at this time, we propose to take the same approach for 2015
Edition syndromic surveillance certification for the ambulatory
setting.
Transmission to Public Health Agencies--Reportable
Laboratory Tests and Values/Results
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(3) (Transmission to public health agencies--reportable
laboratory tests and values/results)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition certification criterion that is
revised in comparison to the 2014 Edition ``transmission of reportable
laboratory tests and values/results'' criterion (Sec. 170.314(f)(4)).
We have named this criterion ``transmission to public health agencies--
reportable laboratory tests and values/results'' to clearly convey the
capabilities included in this criterion as they relate to the intended
recipient of the data. We propose to include and adopt an updated IG
for laboratory reporting to public health, an updated version of SNOMED
CT[supreg], and an updated version of LOINC[supreg]. We also propose to
make a technical amendment to the regulation text for the 2014 Edition
criterion in order to have it continue to reference the appropriate
standard and implementation specifications \161\ after we restructure
[[Page 16854]]
the regulatory text hierarchy at Sec. 170.205(g) to accommodate our
2015 Edition proposal.
---------------------------------------------------------------------------
\161\ HL7 2.5.1 and HL7 Version 2.5.1: Implementation Guide:
Electronic Laboratory Reporting to Public Health, Release 1 with
Errata and Clarifications and ELR 2.5.1 Clarification Document for
EHR Technology Certification.
---------------------------------------------------------------------------
CDC worked in conjunction with the HL7 Public Health Emergency
Response Workgroup to develop an updated IG (HL7 Version 2.5.1
Implementation Guide: Electronic Laboratory Reporting to Public Health,
Release 2 (US Realm), DSTU R1.1, 2014 or ``Release 2, DSTU R1.1'') that
address technical corrections and clarifications for interoperability
with laboratory orders and other laboratory domain implementation
guides. Specifically, ``Release 2, DSTU R1.1'': \162\
---------------------------------------------------------------------------
\162\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=329.
---------------------------------------------------------------------------
Corrects errata;
Updates Objective Identifiers;
Applies conformance statements from the LRI DSTU;
Provides technical corrections; and
Updates usage for consistent treatment of modifier fields.
As we adopted Release 1 of the IG in 2012 for the 2014 Edition, we
believe the industry has had sufficient time to implement Release 1 and
could benefit from the updates in ``Release 2, DSTU R1.1.'' Given the
improvements included in the updated IG (Release 2, DSTU R1.1), we
propose to adopt it at Sec. 170.205(g)(2) and include it in the 2015
Edition ``transmission of reportable laboratory tests and values/
results'' certification criterion at Sec. 170.315(f)(3). As noted
above, to properly codify this proposal in regulation, we would have to
modify the regulatory text hierarchy in Sec. 170.205(g) to designate
the standard and implementation specifications referenced by the 2014
Edition ``transmission of reportable laboratory tests and values/
results'' certification criterion at Sec. 170.205(g)(1) instead of its
current designation at Sec. 170.205(g).
We propose to include the September 2014 Release of the U.S.
Edition of SNOMED CT[supreg] and LOINC[supreg] version 2.50 in this
criterion. We refer readers to section III.A.2.d (``Minimum Standards''
Code Sets) for further discussion of our adoption of SNOMED CT[supreg]
and LOINC[supreg] as minimum standards code sets and our proposals to
adopt the versions cited above, or potentially newer versions if
released before a subsequent final rule, as the baselines for
certification to the 2015 Edition.
Transmission to Cancer Registries
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(4) (Transmission to cancer registries)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``transmission to cancer
registries'' certification criterion that is revised in comparison to
the 2014 Edition ``transmission to cancer registries'' certification
criterion (Sec. 170.314(f)(6)). We propose to adopt an HL7 version
cancer reporting IG, adopt an updated version of SNOMED CT[supreg], and
adopt an updated version of LOINC[supreg]. We also propose to make a
technical amendment to the regulation text for the 2014 Edition
certification criterion so that it continues to reference the
appropriate standard \163\ in the regulatory text hierarchy at Sec.
170.205(i), while accommodating our 2015 Edition proposal.
Specifically, we propose to modify the 2014 Edition certification
criterion to reference Sec. 170.205(i)(1) to establish the regulatory
text hierarchy necessary to accommodate the standard and IG referenced
by the proposed 2015 Edition certification criterion.
---------------------------------------------------------------------------
\163\ Standard. HL7 Clinical Document Architecture (CDA),
Release 2.0, Normative Edition (incorporated by reference in Sec.
170.299). Implementation specifications. Implementation Guide for
Ambulatory Healthcare Provider Reporting to Central Cancer
Registries, HL7 Clinical Document Architecture (CDA), Release 1.0
(incorporated by reference in Sec. 170.299).
---------------------------------------------------------------------------
The 2014 Edition ``transmission to cancer registries'' criterion at
Sec. 170.314(f)(6) references the following IG for cancer reporting:
Implementation Guide for Ambulatory Healthcare Provider Reporting to
Central Cancer Registries, HL7 Clinical Document Architecture (CDA),
Release 1.0. Since the publication of the 2014 Edition Final Rule, CDC
worked with HL7 to introduce the IG to the standards developing
organization processes. In doing so, an updated IG has been developed
to address technical corrections and clarifications for
interoperability with EHRs and cancer registries (HL7 Implementation
Guide for CDA(copyright) Release 2: Reporting to Public Health Cancer
Registries from Ambulatory Healthcare Providers Release 1 or ``HL7 IG
Release 1''). Specifically, HL7 IG Release 1: \164\
---------------------------------------------------------------------------
\164\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=383.
---------------------------------------------------------------------------
Aligns with C-CDA Release 2.0 templates, where possible;
Adds new data elements, including grade, pathologic TNM
stage,\165\ family history of illness, height and weight, discrete
radiation oncology items, planned medications, and planned procedures;
---------------------------------------------------------------------------
\165\ The TNM Classification of Malignant Tumours (TNM) is a
cancer staging system that describes the extent of a person's
cancer.
---------------------------------------------------------------------------
Changes optionality for some data elements in response to
cancer community input and to align with C-CDA Release 2.0 templates;
Improves documentation and aligns conformance statements
with table constraints;
Adds some new vocabulary links and a new reportability
list for ICD-10-CM;
Fixes some within-document references;
Fixes some LOINC[supreg] codes;
Fixes some Code System and Value Set Object Identifiers;
Fixes some conformance verbs;
Improves sample XML snippets;
Fixes some conformance verbs and data element names in
Appendix B ``Ambulatory Healthcare Provider Cancer Event Report--Data
Elements''; and
Fixes a value in the value set.
These improvements will continue to promote interoperability
between health IT and cancer registries for improved cancer case
reporting to public health agencies. As we adopted the non-HL7 Release
1 of the IG in 2012 for the 2014 Edition, we believe the industry has
had sufficient time to implement that IG and could benefit from the
updates in HL7 IG Release 1. Therefore, given the improvements that
will be included in HL7 IG Release 1 as described above, we propose to
adopt it at Sec. 170.205(i)(2) and include it in the proposed 2015
Edition ``transmission to cancer registries'' certification criterion.
We propose to include the September 2014 Release of the U.S.
Edition of SNOMED CT[supreg] and LOINC[supreg] version 2.50 in this
criterion. We refer readers to section III.A.2.d (``Minimum Standards''
Code Sets) for further discussion of our adoption of SNOMED CT[supreg]
and LOINC[supreg] as minimum standards code sets and our proposals to
adopt the versions cited above, or potentially newer versions if
released before a subsequent final rule, as the baselines for
certification to the 2015 Edition.
Cancer Case Information
In response to the Voluntary Edition proposed rule, we received
comments recommending we discontinue proposing and adopting a ``cancer
case information'' certification criterion for future editions because
the necessary data elements are enumerated in the IG for reporting to
cancer registries that we include in editions of ``transmission to
cancer registries'' criteria. We agree with this assessment. Therefore,
we are not proposing a 2015 Edition ``cancer case information''
certification criterion
[[Page 16855]]
similar to the one we adopted for the 2014 Edition. We welcome comments
on this approach.
Transmission to Public Health Agencies--Case Reporting
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(5) (Transmission to public health agencies--case
reporting)
------------------------------------------------------------------------
We propose to adopt a new certification criterion in the 2015
Edition for electronic transmission of case reporting information to
public health agencies.
Health IT standards continue to evolve to address new and emerging
use cases for health care. The utility of health IT for supplemental
purposes has been limited due to a lack of uniformity in the
terminology and definitions of data elements across health IT systems.
This limitation is compounded by the fact that provider workflow often
records patient information in unstructured free-text well after
episodes of care. Linking data in EHR systems with other data in a
uniform and structured way could accelerate quality and safety
improvement, population health, and research.
Toward this end, the S&I Structured Data Capture \166\ (SDC)
initiative is a multi-stakeholder group working on standards-based
architecture so that a set of structured data can be accessed from
health IT and stored for merger with comparable data for other relevant
purposes. The SDC initiative is developing a set of standards that will
enable health IT to capture and store structured data. These standards
will build upon and incorporate existing standards, including the IHE
Retrieve Form for Data Capture (RFD) profile. As part of this work, the
SDC initiative has developed a surveillance case report form for public
health reporting of notifiable diseases as part of the IHE Quality,
Research, and Public Health Technical Framework Supplement, Structured
Data Capture, Trial Implementation (September 5, 2014) standard.\167\
The case report form can be further specified and used to
electronically report vital statistics, vaccine adverse event
reporting, school/camp/daycare physical, early hearing detection and
intervention/newborn hearing screening, and cancer registry reporting,
among other public health reporting data.
---------------------------------------------------------------------------
\166\ http://wiki.siframework.org/Structured+Data+Capture+Initiative.
\167\ http://www.ihe.net/uploadedFiles/Documents/QRPH/IHE_QRPH_Suppl_SDC.pdf.
---------------------------------------------------------------------------
We believe that case reporting from health care providers to public
health agencies could be more real-time, structured, and efficient
through the use of the standard case report form that the SDC
initiative has developed. Therefore, we propose to adopt a
certification criterion for electronic transmission of case reporting
information to public health that would require a Health IT Module to
be able to electronically create case reporting information for
electronic transmission in accordance with the IHE Quality, Research,
and Public Health Technical Framework Supplement, Structured Data
Capture, Trial Implementation (September 5, 2014) standard, which we
propose to adopt at Sec. 170.205(q)(1). As mentioned above, this
standard and our proposal include compliance with other existing
standards. One such standard is the CDA Release 2.0, which is a
foundational standard for use in sending and receiving case reporting
information.
To note, for testing to this criterion, a Health IT Module would
need to demonstrate that it can create and send a constrained
transition of care document to a public health agency, accept a URL in
return, be able to direct end users to the URL, and adhere to the
security requirements for the transmission of this information.
We recognize that the Fast Health Interoperability Resource
(FHIR[supreg]) REST API and FHIR-based standard specifications will
likely play a role in an interoperable health IT architecture. FHIR
resources that implement SDC concepts and support the use of case
reporting to public health would likely play a role in that scenario.
The current HL7 FHIR Implementation Guide: Structure Data Capture
(SDC), Release 1 \168\ is a ``draft for comment'' with a DSTU ballot
planned for mid-2015. Given this trajectory, we solicit comment on
whether we should consider adopting the HL7 FHIR Implementation Guide:
SDC DSTU that will be balloted in mid-2015 in place of, or together
with, the IHE Quality, Research, and Public Health Technical Framework
Supplement. We are aware of a proposed HL7 working group known as the
Healthcare Standards Integration Workgroup that will collaborate on
FHIR resources considered co-owned with the IHE-HL7 Joint Workgroup
\169\ within IHE. The implementation guides created from the S&I SDC
Initiative is part of this joint workgroup's area of responsibility.
Therefore, we intend to work with these coordinated efforts to ensure a
complementary and coordinated approach for case reporting using SDC.
---------------------------------------------------------------------------
\168\ http://hl7.org/implement/standards/FHIR-Develop/sdc.html.
\169\ http://wiki.ihe.net/index.php?title=IHE-HL7_Joint_Workgroup.
---------------------------------------------------------------------------
Transmission to Public Health Agencies--Antimicrobial Use
and Resistance Reporting
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(6) (Transmission to public health agencies--
antimicrobial use and resistance reporting)
------------------------------------------------------------------------
We propose to adopt a new 2015 Edition certification criterion for
transmission of antimicrobial use and resistance data to public health
agencies that would require a Health IT Module to be able to
electronically create antimicrobial use and resistance reporting
information for electronic transmission in accordance with specific
sections of the HL7 Implementation Guide for CDA [supreg] Release 2--
Level 3: Healthcare Associated Infection Reports, Release 1, U.S. Realm
(August 2013).
Collection and analysis of data on antimicrobial use and
antimicrobial resistance are important components of antimicrobial
stewardship programs throughout the nation and efforts by health care
organizations and public health agencies aimed at detecting,
preventing, and responding to resistant pathogens. Surveillance
provides vital data for use by health care facilities, local, state,
and federal agencies, research and development teams, policymakers, and
the public. Electronic submission of antimicrobial use and
antimicrobial resistance data to a public health registry can promote
timely, accurate, and complete reporting, particularly if data is
extracted from health IT systems and delivered using well established
data exchange standards to a public health registry. The HL7
Implementation Guide for CDA [supreg] Release 2--Level 3: Healthcare
Associated Infection Reports, Release 1--US Realm--August 2013 \170\
(``HAI IG'') is an ANSI-approved standard for electronic reporting of
antimicrobial use and antimicrobial resistance data to the CDC's
National Healthcare Safety Network (NHSN), the largest health care-
associated infection (HAI) reporting system in the United States with
over 9,000 health care facilities participating. The HAI IG provides
details for reporting from EPs, eligible hospitals, and CAHs.
---------------------------------------------------------------------------
\170\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=20.
---------------------------------------------------------------------------
We propose to test and certify a Health IT Module for conformance
with the following sections of the IG:
[[Page 16856]]
HAI Antimicrobial Use and Resistance (AUR) Antimicrobial
Resistance Option (ARO) Report (Numerator) specific document template
in Section 2.1.2.1 (pages 69-72);
Antimicrobial Resistance Option (ARO) Summary Report
(Denominator) specific document template in Section 2.1.1.1 (pages 54-
56); and
Antimicrobial Use (AUP) Summary Report (Numerator and
Denominator) specific document template in Section 2.1.1.2 (pages 56-
58).
We propose to adopt these specific sections of the IG in Sec.
170.205(r)(1). Note that the specific document templates referenced
above include conformance to named constraints in other parts of the
IG, and we would expect a Health IT Module presented for certification
to this criterion to conform to all named constraints within the
specified document template.
Transmission to Public Health Agencies--Health Care
Surveys
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(7) (Transmission to public health agencies--health
care surveys)
------------------------------------------------------------------------
We propose to adopt a new 2015 Edition certification criterion for
transmission of health care surveys to public health agencies. We
propose to adopt a certification criterion for transmission of health
care survey information to public health agencies that would require a
Health IT Module to be able to create health care survey information
for electronic transmission in accordance with the HL7 Implementation
Guide for CDA [supreg] Release 2: National Health Care Surveys (NHCS),
Release 1--US Realm, Draft Standard for Trial Use (December 2014),\171\
which we propose to adopt at Sec. 170.205(s)(1).
---------------------------------------------------------------------------
\171\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=385.
---------------------------------------------------------------------------
The National Ambulatory Medical Care Survey (NAMCS) is a national
survey designed to meet the need for objective, reliable information
about the provision and use of ambulatory medical care services in the
U.S. Findings are based on a sample of visits to non-federal employed
office-based physicians who are primarily engaged in direct patient
care.
The National Hospital Ambulatory Medical Care Survey (NHAMCS) is
designed to collect data on the utilization and provision of ambulatory
care services in hospital emergency and outpatient departments.
Findings are based on a national sample of visits to the emergency
departments and outpatient departments of general and short-stay
hospitals.
The kinds of data contained in this survey are:
Patient demographics such as date of birth, sex, race and
ethnicity;
Vital signs such as height, weight and blood pressure;
Reason for visit or chief complaint;
Diagnoses associated with the visit;
Chronic conditions that the patient has at the time of the
visit;
Procedures provided or ordered;
Diagnostic tests ordered or provided;
New or continued medications at the time of the visit; and
Other variables such as tobacco use, whether the provider
is the patient's primary care provider, how many times has the patient
been seen in the practice in the past 12 months, which type of
providers were seen at the visit, amount of time spent with the
provider, and visit disposition.
Automating the survey process using the CDA standard streamlines
the collection of data and increases the sample pool by allowing all
providers who want to participate in the surveys to do so. The HL7
Implementation Guide for CDA [supreg] Release 2: National Health Care
Surveys (NHCS), Release 1--US Realm, Draft Standard for Trial Use
(December 2014) defines the electronic submission of the data to the
CDC. We clarify that the IG is intended for the transmission of survey
data for both the NAMCS (e.g., for ambulatory medical care settings)
and NHAMCS (e.g., for hospital ambulatory settings including emergency
departments and outpatient departments). Templates included in this IG
align with the C-CDA standard. Additionally, the templates in this IG
expand on the scope of the original NAMCS and NHAMCS survey data
elements and do not constrain the data collected to the narrow lists on
the survey instruments; rather they allow any service, procedure or
diagnosis that has been recorded.
Automated Numerator Recording
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(1) (Automated numerator recording)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``automated numerator
recording'' certification criterion that is unchanged in comparison to
the 2014 Edition ``automated numerator recording'' criterion. We note,
however, that the test procedure for this criterion would be different
from the 2014 Edition ``automated numerator recording'' certification
criterion in order to remain consistent with the applicable objectives
and measures required under the EHR Incentive Programs.
Automated Measure Calculation
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(2) (Automated measure calculation)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``automated measure
calculation'' certification criterion that is unchanged in comparison
to the 2014 Edition ``automated measure calculation'' criterion. We
propose to apply the guidance provided for the 2014 Edition ``automated
measure calculation'' certification criterion in the 2014 Edition final
rule in that a Health IT Module must be able to support all CMS-
acceptable approaches for measuring a numerator and denominator in
order for the Health IT Module to meet the proposed 2015 Edition
``automated measure calculation'' certification criterion.\172\ We also
propose that the interpretation of the 2014 Edition ``automated measure
calculation'' certification criterion in FAQ 32 \173\ would apply to
the proposed 2015 Edition ``automated measure calculation''
certification criterion.
---------------------------------------------------------------------------
\172\ 77 FR 54244-54245.
\173\ http://www.healthit.gov/policy-researchers-implementers/32-question-11-12-032.
---------------------------------------------------------------------------
We note that the test procedure for this criterion would be
different from the 2014 Edition ``automated measure calculation''
certification criterion in order to remain consistent with the
applicable objectives and measures required under the EHR Incentive
Programs.
Safety-Enhanced Design
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(3) (Safety-enhanced design)
------------------------------------------------------------------------
We propose to adopt a 2015 Edition ``safety-enhanced design'' (SED)
certification criterion that is revised in comparison to the 2014
Edition ``safety-enhanced design'' criterion. We propose to add
certification criteria to this criterion that we believe include
capabilities that pose a risk for patient harm and, therefore, an
opportunity for error prevention. We propose to provide further
compliance clarity for the data elements described in NISTIR 7742 \174\
that are required to be submitted as part of the summative usability
test results and to specifically include these data
[[Page 16857]]
elements as part of the certification criterion.
---------------------------------------------------------------------------
\174\ http://www.nist.gov/manuscript-publication-search.cfm?pub_id=907312. NISTIT 7742 is a valid and reliable
publication for user-centered design processes.
---------------------------------------------------------------------------
Certification Criteria Identified in the SED Criterion for UCD
Processes
We propose to include seventeen (17) certification criteria (seven
are new) in the 2015 Edition SED certification criterion, as listed
below (emphasis added for new criteria). For each of the referenced
certification criteria and their corresponding capabilities presented
for certification, user-centered design (UCD) processes must have been
applied in order satisfy this certification criterion.
Sec. 170.315(a)(1) Computerized provider order entry--
medications
Sec. 170.315(a)(2) Computerized provider order entry--
laboratory
Sec. 170.315(a)(3) Computerized provider order entry--
diagnostic imaging
Sec. 170.315(a)(4) Drug-drug, drug-allergy interaction
checks
Sec. 170.315(a)(5) Demographics
Sec. 170.315(a)(6) Vital signs, BMI, and growth charts
Sec. 170.315(a)(7) Problem list
Sec. 170.315(a)(8) Medication list
Sec. 170.315(a)(9) Medication allergy list
Sec. 170.315(a)(10) Clinical decision support
Sec. 170.315(a)(18) Electronic medication administration
record
Sec. 170.315(a)(20) Implantable device list
Sec. 170.315(a)(22) Decision support--knowledge artifact
Sec. 170.315(a)(23) Decision support--service
Sec. 170.315(b)(2) Clinical information reconciliation
and incorporation
Sec. 170.315(b)(3) Electronic prescribing
Sec. 170.315(b)(4) Incorporate laboratory tests/results
The continued submission of summative usability test results
promotes transparency and can foster health IT developer competition,
spur innovation, and enhance patient safety. With this in mind, we also
seek comment on whether there are other certification criteria that we
omitted from this proposed SED criterion that commenters believe should
be included.
NISTIR 7742 Submission Requirements
In the 2014 Edition final rule, we specified that the information
listed below from the NISTIR 7742 ``Customized Common Industry Format
Template for Electronic Health Record Usability Testing'' (NIST 7742)
\175\ was required to be submitted for each and every one of the
criteria specified in the 2014 Edition SED criterion (77 FR 54188). For
the 2015 Edition SED criterion, we propose to include the information
below in the regulation text of the 2015 Edition SED criterion to
provide more clarity and specificity for the information requested to
be provided to demonstrate compliance with this certification
criterion. The findings that would be required to be submitted for each
and every one of the criteria specified in the 2015 Edition SED
criterion (and become part of the test results publicly available on
the Certified Health IT Product List (CHPL)) are:
---------------------------------------------------------------------------
\175\