80 FR 62601 - 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications
DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary
Federal Register Volume 80, Issue 200 (October 16, 2015)
Page Range
62601-62759
FR Document
2015-25597
This final rule finalizes a new edition of certification criteria (the 2015 Edition health IT certification criteria or ``2015 Edition'') and a new 2015 Edition Base Electronic Health Record (EHR) definition, while also modifying the ONC Health IT Certification Program to make it open and accessible to more types of health IT and health IT that supports various care and practice settings. The 2015 Edition establishes the capabilities and specifies the related standards and implementation specifications that Certified Electronic Health Record Technology (CEHRT) would need to include to, at a minimum, support the achievement of meaningful use by eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) under the Medicare and Medicaid EHR Incentive Programs (EHR Incentive Programs) when such edition is required for use under these programs.
Federal Register, Volume 80 Issue 200 (Friday, October 16, 2015)
[Federal Register Volume 80, Number 200 (Friday, October 16, 2015)]
[Rules and Regulations]
[Pages 62601-62759]
From the Federal Register Online [www.thefederalregister.org]
[FR Doc No: 2015-25597]
[[Page 62601]]
Vol. 80
Friday,
No. 200
October 16, 2015
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Part 170
2015 Edition Health Information Technology (Health IT) Certification
Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition,
and ONC Health IT Certification Program Modifications; Final Rule
��Federal Register / Vol. 80 , No. 200 / Friday, October 16, 2015 /
Rules and Regulations��
[[Page 62602]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 170
RIN 0991-AB93
2015 Edition Health Information Technology (Health IT)
Certification Criteria, 2015 Edition Base Electronic Health Record
(EHR) Definition, and ONC Health IT Certification Program Modifications
AGENCY: Office of the National Coordinator for Health Information
Technology (ONC), Department of Health and Human Services (HHS).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule finalizes a new edition of certification
criteria (the 2015 Edition health IT certification criteria or ``2015
Edition'') and a new 2015 Edition Base Electronic Health Record (EHR)
definition, while also modifying the ONC Health IT Certification
Program to make it open and accessible to more types of health IT and
health IT that supports various care and practice settings. The 2015
Edition establishes the capabilities and specifies the related
standards and implementation specifications that Certified Electronic
Health Record Technology (CEHRT) would need to include to, at a
minimum, support the achievement of meaningful use by eligible
professionals (EPs), eligible hospitals, and critical access hospitals
(CAHs) under the Medicare and Medicaid EHR Incentive Programs (EHR
Incentive Programs) when such edition is required for use under these
programs.
DATES: These regulations are effective January 14, 2016, except for
Sec. 170.523(m) and (n), which are effective on April 1, 2016.
The incorporation by reference of certain publications listed in
the rule is approved by the Director of the Federal Register as of
January 14, 2016.
FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy,
Office of the National Coordinator for Health Information Technology,
202-690-7151.
SUPPLEMENTARY INFORMATION:
Commonly Used Acronyms
API Application Programming Interface
CAH Critical Access Hospital
CDA Clinical Document Architecture
CDC Centers for Disease Control and Prevention
CDS Clinical Decision Support
CEHRT Certified Electronic Health Record Technology
CFR Code of Federal Regulations
CHPL Certified Health IT Product List
CLIA Clinical Laboratory Improvement Amendments
CMS Centers for Medicare & Medicaid Services
CQM Clinical Quality Measure
EHR Electronic Health Record
FDA Food and Drug Administration
HHS Department of Health and Human Services
HISP Health Information Service Providers
HIT Health Information Technology
HITPC HIT Policy Committee
HITSC HIT Standards Committee
HL7 Health Level Seven
IG Implementation Guide
LOINC[supreg] Logical Observation Identifiers Names and Codes
NIST National Institute of Standards and Technology
ONC Office of the National Coordinator for Health Information
Technology
SDO Standards Developing Organization
SNOMED CT[supreg] Systematized Nomenclature of Medicine Clinical
Terms
Table of Contents
I. Executive Summary
A. Purpose of Regulatory Action
B. Summary of Major Provisions
1. Overview of the 2015 Edition Health IT Certification Criteria
2. Health IT Definitions
3. The ONC Health IT Certification Program and Health IT Module
C. Costs and Benefits
II. Background
A. Statutory Basis
1. Standards, Implementation Specifications, and Certification
Criteria
2. HIT Certification Programs
B. Regulatory History
1. Standards, Implementation Specifications, and Certification
Criteria Rules
2. Medicare and Medicaid EHR Incentive Programs Rules
3. ONC Health IT Certification Programs Rules
III. Provisions of the Proposed Rule Affecting Standards,
Implementation Specifications, Certification Criteria, and
Definitions
A. 2015 Edition Health IT Certification Criteria
1. Applicability
2. Standards and Implementation Specifications
3. Adopted Certification Criteria
4. 2015 Edition Gap Certification Eligibility Table
5. Not Adopted Certification Criteria
B. Health IT Definitions
1. Base EHR Definitions
2. Certified EHR Technology Definition
3. Common Clinical Data Set Definition
4. Cross-Referenced FDA Definitions
IV. Provisions of the Proposed Rule Affecting the ONC Health IT
Certification Program
A. Subpart E--ONC Health IT Certification Program
B. Modifications to the ONC Health IT Certification Program
1. Health IT Modules
2. ``Removal'' of Meaningful Use Measurement Certification
Requirements
3. Types of Care and Practice Settings
4. Referencing the ONC Health IT Certification Program
C. Health IT Module Certification Requirements
1. Privacy and Security
2. Design and Performance (Sec. 170.315(g))
D. Principles of Proper Conduct for ONC-ACBs
1. ``In-the-Field'' Surveillance and Maintenance of
Certification
2. Transparency and Disclosure Requirements
3. Open Data Certified Health IT Product List (CHPL)
4. Records Retention
5. Complaints Reporting
6. Adaptations and Updates of Certified Health IT
E. ``Decertification'' of Health IT--Request for Comments
V. Incorporation by Reference
VI. Collection of Information Requirements
VII. Regulatory Impact Statement
A. Statement of Need
B. Overall Impact
1. Executive Orders 12866 and 13563--Regulatory Planning and
Review Analysis
2. Regulatory Flexibility Act
3. Executive Order 13132--Federalism
4. Unfunded Mandates Reform Act of 1995
Regulation Text
I. Executive Summary
A. Purpose of Regulatory Action
Building on past rulemakings, we issued a proposed rule (``Proposed
Rule'') (80 FR 16804) that identified how health IT certification to
the proposed 2015 Edition health IT certification criteria could
support the establishment of an interoperable nationwide health
information infrastructure. The Proposed Rule reflected stakeholder
feedback received through various outreach initiatives, including the
regulatory process, and was designed to broadly support the health care
continuum through the use of certified health IT. This final rule,
taking into account public comments received on the Proposed Rule,
continues to focus on the establishment of an interoperable nationwide
health information infrastructure, through the same means identified in
the Proposed Rule and recited below, but with an additional focus on
reducing health IT developer and provider burden as compared to the
Proposed Rule. To this end, this final rule will:
Improve interoperability for specific purposes by adopting
new and updated vocabulary and content standards for the structured
recording and exchange of health information, including a Common
Clinical Data Set composed primarily of data expressed using adopted
standards; and rigorously testing an identified content exchange
[[Page 62603]]
standard (Consolidated Clinical Document Architecture (C-CDA));
Facilitate the accessibility and exchange of data by
including enhanced data export, transitions of care, and application
programming interface (API) capabilities in the 2015 Edition Base
Electronic Health Record (EHR) definition;
Establish a framework that makes the Office of the
National Coordinator for Health Information Technology (ONC) Health IT
Certification Program open and accessible to more types of health IT,
health IT that supports a variety of care and practice settings,
various HHS programs, and public and private interests;
Support the Centers for Medicare & Medicaid Services (CMS)
Medicare and Medicaid EHR Incentive Programs (EHR Incentive Programs)
through the adoption of a set of certification criteria that align with
proposals for Stage 3;
Address health disparities by providing certification: to
standards for more granular capture of race and ethnicity; the
collection of sexual orientation, gender identity, social,
psychological, and behavioral data; for the exchange of sensitive
health information (Data Segmentation for Privacy); and for the
accessibility of health IT;
Ensure all health IT presented for certification possess
the relevant privacy and security capabilities;
Improve patient safety by: applying enhanced user-centered
design principles to health IT, enhancing patient matching, requiring
health IT to be capable of exchanging relevant patient information
(e.g., Unique Device Identifiers), improving the surveillance of
certified health IT, and making more information about certified
products publicly available and accessible;
Increase the reliability and transparency of certified
health IT through surveillance and disclosure requirements; and
Provide health IT developers with more flexibility,
opportunities, and time for development and certification of health IT
that supports interoperability, usability, and innovation.
B. Summary of Major Provisions
1. Overview of the 2015 Edition Health IT Certification Criteria
The 2015 Edition health IT certification criteria (``2015 Edition''
or ``2015 Edition certification criteria'') facilitates greater
interoperability for several clinical health information purposes and
enables health information exchange through new and enhanced
certification criteria, standards, and implementation specifications.
It incorporates changes that are designed to spur innovation, open new
market opportunities, and provide more choices to providers when it
comes to electronic health information exchange. To achieve these
goals, new ``application access'' (also known as ``API'') certification
criteria have been adopted that will require the demonstration of an
API that responds to data requests for any one category of the data
referenced in the Common Clinical Data Set as well as for all of the
data referenced in the Common Clinical Data Set. We note that in
response to comments, we have separated this criterion into 3 criteria
to provide health IT developers and providers more flexibility. To
further validate the continued interoperability of certified health IT
and the ability to exchange electronic health information with health
IT certified to the 2014 Edition, 2015 Edition, and potentially future
editions, a new ``transitions of care'' certification criterion will
rigorously assess a product's ability to create and receive an
interoperable C-CDA. We have also adopted certification criteria that
both support interoperability and other settings and use cases, such as
the ``Common Clinical Data Set summary record,'' ``data segmentation
for privacy,'' and ``care plan'' certification criteria.
We refer readers to section III.A for an overview table (Table 2)
of certification criteria adopted in this final rule as compared to the
certification criteria proposed in the Proposed Rule and the adopted
2014 Edition. We also refer readers to sections III.A.3 and III.A.5 of
this preamble for full discussions of certification criteria adopted as
part of the 2015 Edition in this final rule (III.A.3) and the proposed
certification criteria not adopted in this final rule (III.A.5).
2. Health IT Definitions
a. Base EHR Definitions
This final rule adopts a Base EHR definition specific to the 2015
Edition (i.e., a 2015 Edition Base EHR definition) at Sec. 170.102 and
renames the current Base EHR definition at Sec. 170.102 as the 2014
Edition Base EHR definition. The 2015 Edition Base EHR definition
differs from the 2014 Edition Base EHR definition in the following
ways:
It does not include privacy and security capabilities and
certification criteria.
It only includes capabilities to record and export
clinical quality measure (CQM) data (Sec. 170.315(c)(1)) and not other
CQM capabilities such as import, calculate, and ``report to CMS.''
It includes the 2015 Edition ``smoking status''
certification criterion as patient demographic and clinical health
information data consistent with statutory requirements.\1\
---------------------------------------------------------------------------
\1\ A Base EHR is the regulatory term we have given to what the
HITECH Act defines as a ``qualified EHR.'' Our Base EHR
definition(s) include all capabilities found in the ``qualified
EHR.'' Please see the 2014 Edition final rule (77 FR 54262) for
further explanation.
---------------------------------------------------------------------------
It includes the 2015 Edition ``implantable device list''
certification criterion as patient demographic and clinical health
information data consistent with statutory requirements.\2\
---------------------------------------------------------------------------
\2\ A capability included in the Base EHR definition, which
originates from the ``qualified EHR'' definition found in the HITECH
Act.
---------------------------------------------------------------------------
It includes the 2015 Edition ``API'' certification
criteria as capabilities that support both the capture and query of
information relevant to health care quality and exchange electronic
health information with, and integrate such information from other
sources.\3\
---------------------------------------------------------------------------
\3\ These are capabilities included in the Base EHR definition,
which originate from the ``qualified EHR'' definition found in the
HITECH Act.
---------------------------------------------------------------------------
It includes the proposed 2015 Edition certification
criteria that correspond to the remaining 2014 Edition certification
criteria referenced in the ``2014 Edition'' Base EHR definition (i.e.,
CPOE, demographics, problem list, medication list, medication allergy
list, CDS, transitions of care, data portability, and relevant
transport certification criteria). For the transport certification
criteria, we include the ``Direct Project'' criterion (Sec.
170.315(h)(1)) as well as the ``Direct Project, Edge Protocol and XDR/
XDM'' criterion (Sec. 170.315(h)(2)) as equivalent alternative means
for meeting the 2015 Edition Base EHR definition.
We refer readers to section III.B.1 of this preamble for a more
detailed discussion of the 2015 Edition Base EHR definition and to
section III.A.3 of this preamble for a full discussion of the criteria
that have been included in the Base EHR definition. Of note, the
``demographics'' certification criterion (Sec. 170.315(a)(5)) now
includes sexual orientation and gender identity as data elements, the
``smoking status'' certification criterion (Sec. 170.315(a)(11)) is
now only a functional requirement, the ``API'' criterion has been
separated into 3 distinct criteria as mentioned above, and the Direct-
related criteria have been updated from ``unchanged'' to ``revised'' to
incorporate updated and necessary interoperability standards.
As discussed in more detail under the ``privacy and security''
heading in section IV.C.1 of this preamble, Health
[[Page 62604]]
IT Modules presented for certification to criteria listed in the 2015
Base EHR definition and other 2015 Edition certification criteria will
be subject to the applicable privacy and security criteria for the
purposes of certification.
The CQM capabilities noted above as not included in the 2015
Edition Base EHR definition have, however, been included the Certified
EHR Technology (CEHRT) definition under the EHR Incentive Programs. We
refer readers to the next section (``b. CEHRT definition'') for further
information and guidance on the relationship of the 2015 Edition Base
EHR definition and the 2015 Edition certification criteria with the
CEHRT definition. We also refer readers to the CEHRT definition
finalized in the EHR Incentive Programs Stage 3 and Modifications final
rule published elsewhere in this issue of the Federal Register as the
authoritative source for the requirements to meet the CEHRT definition.
b. CEHRT Definition
This final rule removes the CEHRT definition from Sec. 170.102 for
the following reasons. The CEHRT definition has always been defined in
a manner that supports the EHR Incentive Programs. As such, the CEHRT
definition more appropriately resides solely within the EHR Incentive
Programs regulations. This is also consistent with our approach in this
final rule to make the ONC Health IT Certification Program more open
and accessible to other types of health IT beyond EHR technology and
for health IT that supports care and practice settings beyond those
included in the EHR Incentive Programs. Further, this adds
administrative simplicity in that regulatory provisions, which EHR
Incentive Programs participants must meet (e.g., the CEHRT definition),
are defined within the context of rulemakings for those programs.
We note that the CEHRT definition finalized by CMS continues to
include the Base EHR definition(s) defined by ONC, including the 2015
Edition Base EHR definition adopted in this final rule. We also refer
readers to Table 4 (``2015 Edition Health IT Certification Criteria
Associated with the EHR Incentive Programs Stage 3'') found in section
III.A.3 of this preamble. Table 4 crosswalks 2015 Edition certification
criteria with the finalized CEHRT definition and EHR Incentive Programs
Stage 3 objectives. It also identifies mandatory and conditional
certification requirements (i.e., the application of certain
certification criteria to Health IT Modules) that Health IT Modules
presented for certification must meet regardless of the setting or
program the Health IT Module is designed to support.
For the full requirements to meet the CEHRT definition under the
EHR Incentive Programs, including for years before 2018 and for 2018
and subsequent years, we refer readers to the EHR Incentive Programs
Stage 3 and Modifications final rule published elsewhere in this issue
of the Federal Register.
c. Common Clinical Data Set
We revised the ``Common MU Data Set'' definition in Sec. 170.102.
We changed the name to ``Common Clinical Data Set,'' which aligns with
our approach throughout this final rule to make the ONC Health IT
Certification Program more open and accessible to other types of health
IT beyond EHR technology and for health IT that supports care and
practice settings beyond those included in the EHR Incentive Programs.
We also changed references to the ``Common MU Data Set'' in the 2014
Edition (Sec. 170.314) to ``Common Clinical Data Set.''
We revised the definition to account for the new and updated
standards and code sets we have adopted in this final rule for the 2015
Edition that will improve and advance interoperability through the
exchange of the Common Clinical Data Set. We also revised the
definition to support patient safety and improve care through clearly
referenced data elements (``care plan data'') and the inclusion of new
patient data (e.g., Unique Device Identifiers (UDIs) and immunizations
(with standards)). These revisions will not change the standards, codes
sets, and data requirements specified in the Common Clinical Data Set
for 2014 Edition certification, which remain unchanged. They only apply
to health IT certified to the 2015 Edition certification criteria that
reference the Common Clinical Data Set.
We refer readers to section III.B.3 of this preamble for a detailed
discussion of the Common Clinical Data Set and a table listing the data
and standards included in the Common Clinical Data Set for both the
2014 and 2015 Editions.
3. The ONC Health IT Certification Program and Health IT Module
We have changed the name of the ONC HIT Certification Program to
the ``ONC Health IT Certification Program.'' We have also modified the
ONC Health IT Certification Program in ways that will make it more
accessible to other types of health IT beyond EHR technology and for
health IT that supports care and practice settings beyond the
ambulatory and inpatient settings. These modifications will also serve
to support other public and private programs that may reference the use
of health IT certified under the ONC Health IT Certification Program.
When we established the certification program (76 FR 1262),\4\ we
stated our initial focus would be on EHR technology and supporting the
EHR Incentive Programs, which at the time, focused on the ambulatory
setting and inpatient setting (76 FR 1294).
---------------------------------------------------------------------------
\4\ Please see section II.B.3 of this preamble for a regulatory
history of the ONC Health IT Certification Program, including
changes to the program's name.
---------------------------------------------------------------------------
This final rule permits other types of health IT, such as
technology implemented by health information service providers (HISPs)
and health information exchanges (HIEs), to receive appropriate
attribution and not be referenced by a certificate with ``EHR''
included in it. This final rule also supports health IT certification
for other care and practice settings, such as long-term post-acute care
(LTPAC), behavioral health, and pediatrics. Further, this final rule
will make it simpler for certification criteria and certified health IT
to be referenced by other HHS programs (e.g., Medicare and Medicaid
payment programs and various grant programs), other public programs,
and private entities and associations.
a. Program Alignment Changes
As part of our approach to evolve the ONC Health IT Certification
Program, we have replaced prior rulemaking use of ``EHR'' and ``EHR
technology'' with ``health IT.'' The term health IT is reflective of
the scope of ONC's authority under the Public Health Service Act (Sec.
3000(5) as ``health information technology'' is so defined), and
represents a broad range of technology, including EHR technology. It
also more properly represents some of the technology, as noted above,
that has been previously certified to editions of certification
criteria under the ONC Health IT Certification Program and may be
certified to the 2015 Edition. Similarly, to make the ONC Health IT
Certification Program more open and accessible, we have renamed the EHR
Module as ``Health IT Module.''
b. ``Meaningful Use Measurement''
We have adopted our proposed approach in that we will not require
ONC-Authorized Certification Bodies (ONC-ACBs) to certify Health IT
Modules to the 2015 Edition ``meaningful use measurement''
certification criteria. We note, however, that CMS has included the
2015 Edition
[[Page 62605]]
``meaningful use measurement'' certification criteria in the CEHRT
definition as a program requirement for the EHR Incentive Programs.
Accordingly, we encourage health IT developers supporting providers
participating in the EHR Incentive Programs or providers' quality
improvement needs to seek certification to these criteria as
appropriate for their Health IT Modules (e.g., a Health IT Module is
presented for certification to a criterion that supports a Stage 3
objective with a percentage-based measure and the Health IT Module can
meet the ``automated numerator recording'' criterion or ``automated
measure calculation'' criterion).
c. Privacy and Security Certification Framework
We have adopted a new, simpler, straight-forward approach to
privacy and security certification requirements for Health IT Modules
certified to the 2015 Edition. In sum, the privacy and security
certification criteria applicable to a Health IT Module presented for
certification is based on the other capabilities included in the Health
IT Module and for which certification is sought. Under the 2015 Edition
privacy and security certification framework, a health IT developer
will know exactly what it needs to do in order to get its Health IT
Module certified and a purchaser of a Health IT Module will know
exactly what privacy and security functionality against which the
Health IT Module had to be tested in order to be certified.
d. Principles of Proper Conduct (PoPC) for ONC-ACBs
We have adopted new and revised PoPC for ONC-ACBs. ONC-ACBs are now
required to report an expanded set of information to ONC for inclusion
in the open data file that would make up the Certified Health IT
Product List (CHPL). ONC-ACBs must ensure that health IT developers
provide more meaningful disclosure of certain types of costs and
limitations that could interfere with the ability of users to implement
certified health IT in a manner consistent with its certification. ONC-
ACBs must retain records for a period of time that will support HHS
program needs. ONC-ACBs must also obtain a record of all adaptations
and updates affecting ``safety-enhanced design'' criteria on a
quarterly basis each calendar year. ONC-ACBs must also report to the
National Coordinator complaints received on certified health IT. We
have also adopted new requirements for ``in-the-field'' surveillance
under the ONC Health IT Certification Program that clarify and expand
ONC-ACBs' existing surveillance responsibilities by specifying
requirements and procedures for in-the-field surveillance. We believe
these new and revised PoPC promote greater transparency and
accountability for the ONC Health IT Certification Program.
C. Costs and Benefits
Our estimates indicate that this final rule is an economically
significant rule as its overall costs for health IT developers may be
greater than $100 million in at least one year. We have, therefore,
projected the costs and benefits of the final rule. The estimated costs
expected to be incurred by health IT developers to develop and prepare
health IT to be tested and certified in accordance with the 2015
Edition certification criteria (and the standards and implementation
specifications they include) are represented in monetary terms in Table
1 below. We note that this final rule does not impose the costs cited
as compliance costs, but rather as investments which health IT
developers voluntarily take on and may expect to recover with an
appropriate rate of return. We further note that, based on the
estimates provided by a health IT developer association in response to
the Proposed Rule, we have reduced the estimated burden of the 2015
Edition by over 40,000 burden hours per health IT developer by not
adopting certain proposed certification criteria, functionality and
standards.
The dollar amounts expressed in Table 1 are expressed in 2014
dollars.
Table 1--Distributed Total 2015 Edition Development and Preparation Costs for Health IT Developers (4-year
period)--Totals Rounded
----------------------------------------------------------------------------------------------------------------
Total high Total average
Year Ratio (%) Total low cost cost estimate cost estimate
estimate ($M) ($M) ($M)
----------------------------------------------------------------------------------------------------------------
2015............................................ 15 39.07 60.48 49.77
2016............................................ 35 91.15 141.12 116.14
2017............................................ 35 91.15 141.12 116.14
2018............................................ 15 39.07 60.48 49.77
---------------------------------------------------------------
4-Year Totals............................... .............. 260.44 403.19 331.82
----------------------------------------------------------------------------------------------------------------
As noted above, we expect that health IT developers will recover an
appropriate rate of return for their investments in developing and
preparing their health IT for certification to the 2015 Edition
certification criteria adopted in this final rule. However, we do not
have data available to quantify these benefits or other benefits that
will likely arise from health IT developers certifying their health IT
to the 2015 Edition.
We believe that there will be several significant benefits that may
arise from this final rule for patients, health care providers, and
health IT developers. The 2015 Edition continues to improve health IT
interoperability through the adoption of new and updated standards and
implementation specifications. For example, many proposed certification
criteria include standards and implementation specifications for
interoperability that directly support the EHR Incentive Programs,
which include objectives and measures for the interoperable exchange of
health information and for providing patients electronic access to
their health information in structured formats. In addition, the
adopted certification criteria that support the collection of patient
data that could be used to address health disparities would not only
benefit patients, but the entire health care delivery system through
improved quality of care. The 2015 Edition also supports usability and
patient safety through new and enhanced certification requirements for
health IT.
This final rule also makes the ONC Health IT Certification Program
open and accessible to more types of health IT and for health IT that
supports a variety of care and practice settings. This should benefit
health IT developers, providers practicing in
[[Page 62606]]
other care/practice settings, and consumers through the availability
and use of certified health IT that includes capabilities that promote
interoperability and enhanced functionality.
II. Background
A. Statutory Basis
The Health Information Technology for Economic and Clinical Health
(HITECH) Act, Title XIII of Division A and Title IV of Division B of
the American Recovery and Reinvestment Act of 2009 (the Recovery Act)
(Pub. L. 111-5), was enacted on February 17, 2009. The HITECH Act
amended the Public Health Service Act (PHSA) and created ``Title XXX--
Health Information Technology and Quality'' (Title XXX) to improve
health care quality, safety, and efficiency through the promotion of
HIT and electronic health information exchange.
1. Standards, Implementation Specifications, and Certification Criteria
The HITECH Act established two new federal advisory committees, the
Health IT Policy Committee (HITPC) and the Health IT Standards
Committee (HITSC) (sections 3002 and 3003 of the PHSA, respectively).
Each is responsible for advising the National Coordinator for Health
Information Technology (National Coordinator) on different aspects of
standards, implementation specifications, and certification criteria.
The HITPC is responsible for, among other duties, recommending
priorities for the development, harmonization, and recognition of
standards, implementation specifications, and certification criteria.
Main responsibilities of the HITSC include recommending standards,
implementation specifications, and certification criteria for adoption
by the Secretary under section 3004 of the PHSA, consistent with the
ONC-coordinated Federal Health IT Strategic Plan.
Section 3004 of the PHSA identifies a process for the adoption of
health IT standards, implementation specifications, and certification
criteria and authorizes the Secretary to adopt such standards,
implementation specifications, and certification criteria. As specified
in section 3004(a)(1), the Secretary is required, in consultation with
representatives of other relevant federal agencies, to jointly review
standards, implementation specifications, and certification criteria
endorsed by the National Coordinator under section 3001(c) and
subsequently determine whether to propose the adoption of any grouping
of such standards, implementation specifications, or certification
criteria. The Secretary is required to publish all determinations in
the Federal Register.
Section 3004(b)(3) of the PHSA titled, Subsequent Standards
Activity, provides that the Secretary shall adopt additional standards,
implementation specifications, and certification criteria as necessary
and consistent with the schedule published by the HITSC. We consider
this provision in the broader context of the HITECH Act to grant the
Secretary the authority and discretion to adopt standards,
implementation specifications, and certification criteria that have
been recommended by the HITSC and endorsed by the National Coordinator,
as well as other appropriate and necessary health IT standards,
implementation specifications, and certification criteria.
2. Health IT Certification Programs
Section 3001(c)(5) of the PHSA provides the National Coordinator
with the authority to establish a certification program or programs for
the voluntary certification of health IT. Specifically, section
3001(c)(5)(A) specifies that the National Coordinator, in consultation
with the Director of the National Institute of Standards and Technology
(NIST), shall keep or recognize a program or programs for the voluntary
certification of health information technology as being in compliance
with applicable certification criteria adopted under this subtitle
(i.e., certification criteria adopted by the Secretary under section
3004 of the PHSA).
The certification program(s) must also include, as appropriate,
testing of the technology in accordance with section 13201(b) of the
[HITECH] Act. Overall, section 13201(b) of the HITECH Act requires that
with respect to the development of standards and implementation
specifications, the Director of the NIST, in coordination with the
HITSC, shall support the establishment of a conformance testing
infrastructure, including the development of technical test beds. The
HITECH Act also indicates that the development of this conformance
testing infrastructure may include a program to accredit independent,
non-Federal laboratories to perform testing.
B. Regulatory History
1. Standards, Implementation Specifications, and Certification Criteria
Rules
The Secretary issued an interim final rule with request for
comments titled, ``Health Information Technology: Initial Set of
Standards, Implementation Specifications, and Certification Criteria
for Electronic Health Record Technology'' (75 FR 2014, Jan. 13, 2010)
(the ``S&CC January 2010 interim final rule''), which adopted an
initial set of standards, implementation specifications, and
certification criteria. After consideration of the comments received on
the S&CC January 2010 interim final rule, a final rule was issued to
complete the adoption of the initial set of standards, implementation
specifications, and certification criteria and realign them with the
final objectives and measures established for the EHR Incentive
Programs Stage 1 (formally titled: Health Information Technology:
Initial Set of Standards, Implementation Specifications, and
Certification Criteria for Electronic Health Record Technology; Final
Rule, (75 FR 44590, July 28, 2010) and referred to as the ``2011
Edition final rule''). The 2011 Edition final rule also established the
first version of the CEHRT definition. Subsequent to the 2011 Edition
final rule (October 13, 2010), we issued an interim final rule with a
request for comment to remove certain implementation specifications
related to public health surveillance that had been previously adopted
in the 2011 Edition final rule (75 FR 62686).
The standards, implementation specifications, and certification
criteria adopted by the Secretary in the 2011 Edition final rule
established the capabilities that CEHRT must include in order to, at a
minimum, support the achievement of EHR Incentive Programs Stage 1 by
eligible professionals (EPs), eligible hospitals, and critical access
hospitals (CAHs) under the Medicare and Medicaid Programs; Electronic
Health Record Incentive Program; Final Rule (75 FR 44314) (the ``EHR
Incentive Programs Stage 1 final rule'').
The Secretary issued a proposed rule with request for comments
titled ``Health Information Technology: Standards, Implementation
Specifications, and Certification Criteria for Electronic Health Record
Technology, 2014 Edition; Revisions to the Permanent Certification
Program for Health Information Technology'' (77 FR 13832, March 7,
2012) (the ``2014 Edition proposed rule''), which proposed new and
revised standards, implementation specifications, and certification
criteria. After consideration of the comments received on the 2014
Edition proposed rule, a final rule was issued to adopt the 2014
Edition set of standards, implementation specifications, and
certification criteria and realign them with the final objectives and
measures established for
[[Page 62607]]
the EHR Incentive Programs Stage 2, as well as Stage 1 revisions
(Health Information Technology: Standards, Implementation
Specifications, and Certification Criteria for Electronic Health Record
Technology, 2014 Edition; Revisions to the Permanent Certification
Program for Health Information Technology (77 FR 54163, Sept. 4, 2012)
(the ``2014 Edition final rule''). The standards, implementation
specifications, and certification criteria adopted by the Secretary in
the 2014 Edition final rule established the capabilities that CEHRT
must include in order to, at a minimum, support the achievement of the
EHR Incentive Programs Stage 2 by EPs, eligible hospitals, and CAHs
under the Medicare and Medicaid Programs; Electronic Health Record
Incentive Program--Stage 2 final rule ( 77 FR 53968) (the ``EHR
Incentive Programs Stage 2 final rule'').
On December 7, 2012, an interim final rule with a request for
comment was jointly issued and published by ONC and CMS to update
certain standards that had been previously adopted in the 2014 Edition
final rule. The interim final rule also revised the EHR Incentive
Programs by adding an alternative measure for the Stage 2 objective for
hospitals to provide structured electronic laboratory results to
ambulatory providers, corrected the regulation text for the measures
associated with the objective for hospitals to provide patients the
ability to view online, download, and transmit information about a
hospital admission, and made the case number threshold exemption policy
for clinical quality measure (CQM) reporting applicable for eligible
hospitals and CAHs beginning with FY 2013. In addition, the interim
final rule provided notice of CMS's intent to issue technical
corrections to the electronic specifications for CQMs released on
October 25, 2012 (77 FR 72985). On September 4, 2014, a final rule
(Medicare and Medicaid Programs; Modifications to the Medicare and
Medicaid Electronic Health Record (EHR) Incentive Program for 2014 and
Other Changes to the EHR Incentive Program; and Health Information
Technology: Revisions to the Certified EHR Technology Definition and
EHR Certification Changes Related to Standards; Final Rule) (79 FR
52910) was published adopting these proposals.
On November 4, 2013, the Secretary published an interim final rule
with a request for comment, 2014 Edition Electronic Health Record
Certification Criteria: Revision to the Definition of ``Common
Meaningful Use (MU) Data Set'' (78 FR 65884), to make a minor revision
to the Common MU Data Set definition. This revision was intended to
allow more flexibility with respect to the representation of dental
procedures data for EHR technology testing and certification.
On February 26, 2014, the Secretary published a proposed rule
titled ``Voluntary 2015 Edition Electronic Health Record (EHR)
Certification Criteria; Interoperability Updates and Regulatory
Improvements'' (79 FR 10880) (``Voluntary Edition proposed rule''). The
proposed rule proposed a voluntary edition of certification criteria
that was designed to enhance interoperability, promote innovation, and
incorporate ``bug fixes'' to improve upon the 2014 Edition. A
correction notice was published for the Voluntary Edition proposed rule
on March 19, 2014, entitled ``Voluntary 2015 Edition Electronic Health
Record (EHR) Certification Criteria; Interoperability Updates and
Regulatory Improvements; Correction'' (79 FR 15282). This correction
notice corrected the preamble text and gap certification table for four
certification criteria that were omitted from the list of certification
criteria eligible for gap certification for the 2015 Edition EHR
certification criteria. On September 11, 2014, a final rule was
published titled ``2014 Edition Release 2 Electronic Health Record
(EHR) Certification Criteria and the ONC HIT Certification Program;
Regulatory Flexibilities, Improvements, and Enhanced Health Information
Exchange'' (79 FR 54430) (``2014 Edition Release 2 final rule''). The
final rule adopted a small subset of the original proposals in the
Voluntary Edition proposed rule as optional and revised 2014 Edition
EHR certification criteria that provide flexibility, clarity, and
enhance health information exchange. It also finalized administrative
proposals (i.e., removal of regulatory text from the Code of Federal
Regulations (CFR)) and proposals for the ONC HIT Certification Program
that provide improvements.
On May 23, 2014, CMS and ONC jointly published the ``Medicare and
Medicaid Programs; Modifications to the Medicare and Medicaid
Electronic Health Record Incentive Programs for 2014; and Health
Information Technology: Revisions to the Certified EHR Technology
Definition'' proposed rule (79 FR 29732). The rule proposed to update
the EHR Incentive Programs Stage 2 and Stage 3 participation timeline.
It proposed to revise the CEHRT definition to permit the use of EHR
technology certified to the 2011 Edition to meet the CEHRT definition
for FY/CY 2014. It also proposed to allow EPs, eligible hospitals, and
CAHs that could not fully implement EHR technology certified to the
2014 Edition for an EHR reporting period in 2014 due to delays in the
availability of such technology to continue to use EHR technology
certified to the 2011 Edition or a combination of EHR technology
certified to the 2011 Edition and 2014 Edition for the EHR reporting
periods in CY 2014 and FY 2014. On September 4, 2014, a final rule
(``CEHRT Flexibility final rule'') was published (79 FR 52910) adopting
these proposals.
On March 30, 2015, the Secretary published a proposed rule titled
``2015 Edition Health Information Technology (Health IT) Certification
Criteria; 2015 Edition Base Electronic Health Record (EHR) Definition,
and ONC Health IT Certification Program Modifications'' (80 FR 16804)
(``2015 Edition Proposed Rule'' or ``Proposed Rule''). The Proposed
Rule proposed an edition of certification criteria that was designed to
enhance interoperability and is the subject of this final rule.
2. Medicare and Medicaid EHR Incentive Programs Rules
On January 13, 2010, CMS published the Medicare and Medicaid
Programs; Electronic Health Record Incentive Program; Proposed Rule (75
FR 1844). The rule proposed the criteria for Stage 1 of the EHR
Incentive Programs and regulations associated with the incentive
payments made available under Division B, Title IV of the HITECH Act.
Subsequently, CMS published a final rule (75 FR 44314) for Stage 1 of
the EHR Incentive Programs on July 28, 2010, simultaneously with the
publication of the 2011 Edition final rule. The EHR Incentive Programs
Stage 1 final rule established the objectives, associated measures, and
other requirements that EPs, eligible hospitals, and CAHs must satisfy
to meet Stage 1.
On March 7, 2012, CMS published the Medicare and Medicaid Programs;
Electronic Health Record Incentive Program--Stage 2; Proposed Rule (77
FR 13698). Subsequently, CMS published a final rule (77 FR 53968) for
the EHR Incentive Programs on September 4, 2012, simultaneously with
the publication of the 2014 Edition final rule. The EHR Incentive
Programs Stage 2 final rule established the objectives, associated
measures, and other requirements that EPs, eligible hospitals, and CAHs
must satisfy to meet Stage 2. It also revised some Stage 1
requirements.
As described above in Section II.B.1, ONC and CMS jointly issued an
interim final rule with a request for comment that was published on
December 7, 2012 and a final rule that was published on
[[Page 62608]]
September 4, 2014. Also, as described above in Section II.B.1, ONC and
CMS jointly issued proposed and final rules that were published on May
23, 2014 and September 4, 2014, respectively.
On March 30, 2015, CMS published the Medicare and Medicaid
Programs; Electronic Health Record Incentive Program--Stage 3; Proposed
Rule (80 FR 16732) (``EHR Incentive Programs Stage 3 proposed rule'')
outlining objectives, associated measures, and other requirements that
EPs, eligible hospitals, and CAHs would need to meet to participate in
Stage 3 of the EHR Incentives Programs.
On April 15, 2015, CMS published the Medicare and Medicaid
Programs; Electronic Health Record Incentive Program--Modifications to
Meaningful Use in 2015 Through 2017; Proposed Rule (80 FR 20346) (``EHR
Incentive Programs Modifications proposed rule'') proposing
modifications to the EHR Incentive Programs for the EHR reporting
periods and meaningful use measures in 2015 through 2017.
3. ONC Health IT Certification Program Rules
On March 10, 2010, ONC published a proposed rule (75 FR 11328)
titled, ``Proposed Establishment of Certification Programs for Health
Information Technology'' (the ``Certification Programs proposed
rule''). The rule proposed both a temporary and permanent certification
program for the purposes of testing and certifying HIT. It also
specified the processes the National Coordinator would follow to
authorize organizations to perform the certification of HIT. A final
rule establishing the temporary certification program was published on
June 24, 2010 (75 FR 36158) (``Temporary Certification Program final
rule'') and a final rule establishing the permanent certification
program was published on January 7, 2011 (76 FR 1262) (``the Permanent
Certification Program final rule'').
On May 31, 2011, ONC published a proposed rule (76 FR 31272) titled
``Permanent Certification Program for Health Information Technology;
Revisions to ONC-Approved Accreditor Processes.'' The rule proposed a
process for addressing instances where the ONC-Approved Accreditor
(ONC-AA) engaged in improper conduct or did not perform its
responsibilities under the permanent certification program, addressed
the status of ONC-Authorized Certification Bodies in instances where
there may be a change in the accreditation organization serving as the
ONC-AA, and clarified the responsibilities of the new ONC-AA. All these
proposals were finalized in a final rule published on November 25, 2011
(76 FR 72636).
The 2014 Edition final rule made changes to the permanent
certification program. The final rule adopted a proposal to change the
Permanent Certification Program's name to the ``ONC HIT Certification
Program,'' revised the process for permitting the use of newer versions
of ``minimum standard'' code sets, modified the certification processes
ONC-ACBs need to follow for certifying EHR Modules in a manner that
provides clear implementation direction and compliance with the new
certification criteria, and eliminated the certification requirement
that every EHR Module be certified to the ``privacy and security''
certification criteria.
The Voluntary Edition proposed rule included proposals that focused
on improving regulatory clarity, simplifying the certification of EHR
Modules that are designed for purposes other than meeting requirements
of the EHR Incentive Programs, and discontinuing the use of the
Complete EHR definition. As noted above, we issued the 2014 Edition
Release 2 final rule to complete the rulemaking for the Voluntary
Edition proposed rule. The 2014 Edition Release 2 final rule
discontinued the ``Complete EHR'' certification concept beginning with
the proposed 2015 Edition, adopted an updated standard (ISO/IEC 17065)
for the accreditation of ONC-ACBs, and adopted the ``ONC Certified
HIT'' certification and design mark for required use by ONC-ACBs under
the ONC Health IT Certification Program.
As noted above, on March 30, 2015, the Secretary published the
Proposed Rule which, in addition to proposing the 2015 Edition,
proposed revisions to the ONC Health IT Certification Program.
III. Provisions of the Proposed Rule Affecting Standards,
Implementation Specifications, and Certification Criteria
A. 2015 Edition Health IT Certification Criteria
This rule finalizes new, revised, and unchanged certification
criteria that establish the capabilities and related standards and
implementation specifications for the certification of health IT,
including EHR technology. We refer to these new, revised, and unchanged
certification criteria as the ``2015 Edition health IT certification
criteria'' and have added this term and its definition to Sec.
170.102. As noted in the Executive Summary, we also refer to these
criteria as the ``2015 Edition'' in this preamble. We codified the 2015
Edition in Sec. 170.315 to set them apart from other editions of
certification criteria and make it easier for stakeholders to quickly
determine the certification criteria included in the 2015 Edition.
In the Proposed Rule, we identified the 2015 Edition certification
criteria as new, revised, or unchanged in comparison to the 2014
Edition. In the 2014 Edition final rule we gave meaning to the terms
``new,'' ``revised,'' and ``unchanged'' to both describe the
differences between the 2014 Edition certification criteria and the
2011 Edition certification criteria, as well as establish what
certification criteria in the 2014 Edition were eligible for gap
certification (see 77 FR 54171, 54202, and 54248). Given that beginning
with the 2015 Edition, ``Complete EHR'' certifications will no longer
be issued (see also 79 FR 54443-45) and that we proposed to make the
ONC Health IT Certification Program more open and accessible to other
health care/practice settings, we also proposed to give new meaning to
these terms for the purpose of a gap certification analysis as so
specified:
``New'' certification criteria are those that as a whole
only include capabilities never referenced in previously adopted
certification criteria editions and to which a Health IT Module
presented for certification to the 2015 Edition could have never
previously been certified. As a counter example, the splitting of a
2014 Edition certification criterion into two criteria as part of the
2015 Edition would not make those certification criteria ``new'' for
the purposes of a gap certification eligibility analysis.
``Revised'' certification criteria are those that include
within them capabilities referenced in a previously adopted edition of
certification criteria as well as changed or additional new
capabilities; and to which a Health IT Module presented for
certification to the 2015 Edition could not have been previously
certified to all of the included capabilities.
``Unchanged'' certification criteria are those that
include the same capabilities as compared to prior certification
criteria of adopted editions; and to which a Health IT Module presented
for certification to the 2015 Edition could have been previously
certified to all of the included capabilities.
Comments. While we received no specific comments on these terms, we
received comments both supporting and opposing the adoption of
certification
[[Page 62609]]
criteria that go beyond specifically supporting an objective and
measure under the EHR Incentive Programs.
Response. We continue to maintain the same meanings for the terms
``new,'' ``revised,'' and ``unchanged'' as described in the Proposed
Rule with a slight modification to the meaning of ``unchanged'' to
state that ``unchanged'' certification criteria are certification
criteria that include the same or less of the same capabilities as
compared to prior certification criteria of adopted editions. We refer
readers to section III.A.4 (``2015 Edition Gap Certification
Eligibility Table'') of this preamble for a complete description of gap
certification and the identification of 2015 Edition certification
criteria eligible for gap certification. In sum, ``unchanged'' criteria
are eligible for gap certification. For health IT previously certified
to the 2011 or 2014 Edition certification criteria, this permits, where
applicable, the use of prior test results for certification to the 2015
certification criteria. This creates efficiencies and substantially
reduces burden.
As described in the Proposed Rule and Executive Summary of this
final rule as well as discussed in more detail in section IV.B of this
preamble, we believe the availability and use of certified health IT
for other use cases and health care settings beyond the EHR Incentive
Programs has significant value. Therefore, we have adopted
certification criteria that support those purposes. Table 2 below
provides an overview of certification criteria adopted in this final
rule as compared to the certification criteria proposed in the Proposed
Rule and the adopted 2014 Edition.
Table 2--2015 Edition Health IT Certification Criteria
------------------------------------------------------------------------
------------------------------------------------------------------------
Not Adopted Proposed Criteria (14)
------------------------------------------------------------------------
Vital Signs
Image Results
Family Health History--Pedigree
Patient List Creation
Electronic Medication Administration
Record
Decision Support--Knowledge Artifact
Decision Support--Service
Incorporate Laboratory Tests and Values/
Results
Transmission of Laboratory Test Reports
Accessibility Technology
SOAP Transport and Security
Specification and XDR/XDM for Direct
Messaging
Healthcare Provider Directory--Query
Request
Healthcare Provider Directory--Query
Response
Electronic Submission of Medical
Documentation
------------------------------------------------------------------------
Unchanged Criteria as Compared to the 2014 Edition (Gap Certification
Eligible) (16)
------------------------------------------------------------------------
Computerized Provider Order Entry
(CPOE)--Medications
CPOE--Laboratory
CPOE--Diagnostic Imaging
Drug-Drug, Drug-Allergy Interaction
Checks for CPOE
Medication List
Medication Allergy List
Drug-Formulary and Preferred Drug List
Checks
Smoking Status
Authentication, Access Control,
Authorization
Audit Report(s)
Amendments
Automatic Access Time-Out
Emergency Access
End-User Device Encryption
Accounting of Disclosures
Transmission to Public Health Agencies--
Reportable Laboratory Tests and Values/
Results
------------------------------------------------------------------------
Revised Criteria as Compared to the 2014 Edition (25)
------------------------------------------------------------------------
Demographics
Problem List
Clinical Decision Support
Family Health History
Patient-Specific Education Resources
Transitions of Care
Clinical Information Reconciliation and Incorporation
Electronic Prescribing
Data Export
Clinical Quality Measures--Record and Export
Clinical Quality Measures--Import and Calculate
Clinical Quality Measures--Report
View, Download, and Transmit to \3rd\ Party
Transmission to Immunization Registries
Transmission to Public Health Agencies--Syndromic Surveillance
Transmission to Cancer Registries
Automated Numerator Recording
Automated Measure Calculation
[[Page 62610]]
Safety-enhanced Design
Quality Management System
Auditable Events and Tamper-Resistance*
Integrity*
Secure Messaging*
Direct Project*
Direct Project, Edge Protocol, and XDR/XDM*
------------------------------------------------------------------------
New Criteria as Compared to the 2014 Edition (19)
------------------------------------------------------------------------
Implantable Device List
Social, Psychological, and Behavioral Data
Data Segmentation for Privacy--Send
Data Segmentation for Privacy--Receive
Care Plan
Common Clinical Data Set Summary Record-- New criteria based on request
Create. for comment in the Proposed
Rule.
Common Clinical Data Set Summary Record--
Receive
Clinical Quality Measures--Filter
Trusted Connection...................... New for privacy and security
certification framework and
API approach.
Auditing Actions on Health Information.. New for privacy and security
certification framework and
API approach.
Patient Health Information Capture.
Transmission to Public Health Agencies--
Electronic Case Reporting.
Transmission to Public Health Agencies--
Antimicrobial Use and Resistance
Reporting.
Transmission to Public Health Agencies--
Health Care Surveys.
Consolidated CDA Creation Performance.
Application Access--Patient Selection... Split the proposed API
criterion into three criteria
based on public comments.
Application Access--Data
Category Request.
Application Access--All Data Request
Accessibility--centered Design.
------------------------------------------------------------------------
* The criterion was proposed as unchanged, but has been adopted as
revised in this final rule.
We proposed that readers should interpret the following terms used
in the 2015 Edition with the same meanings we adopted in the 2014
Edition final rule (77 FR 54168-54169), in response to comment:
``User,'' ``record,'' ``change,'' ``access,'' ``incorporate,''
``create,'' and ``transmit,'' but apply to all health IT, not just
``EHR technology.'' For the term ``incorporate,'' we also proposed that
readers should interpret the term as we further explained it under the
``transitions of care'' certification criterion (77 FR 54218) in the
2014 Edition final rule and in the Voluntary Edition proposed rule (79
FR 10898). We proposed that the scope of a 2015 Edition certification
criterion was the same as the scope previously assigned to a 2014
Edition certification criterion (for further explanation, see the
discussion at 77 FR 54168). That is, certification to the 2015 Edition
certification criteria at Sec. 170.315 would occur at the second
paragraph level of the regulatory section and encompass all paragraph
levels below the second paragraph level. We also proposed to continue
to use the same specific descriptions for the different types of ``data
summaries'' established in the 2014 Edition final rule (77 FR 54170-
54171) for the 2015 Edition certification criteria (i.e., ``export
summary,'' ``transition of care/referral summary,'' ``ambulatory
summary,'' and ``inpatient summary.'')
We received no specific comments on these proposals and have
adopted these meanings and approaches for certification to the 2015
Edition.
As with the adoption of the 2011 and 2014 editions of certification
criteria (see the introductory text to Sec. Sec. 170.302, 170.304,
170.306, and 170.314), all capabilities mentioned in certification
criteria are expected to be performed electronically, unless otherwise
noted. Therefore, we no longer include ``electronically'' in
conjunction with each capability included in a certification criterion
under Sec. 170.315 because the introductory text to Sec. 170.315
(which covers all the certification criteria included in the section)
clearly states that health IT must be able to electronically perform
the following capabilities in accordance with all applicable standards
and implementation specifications adopted in the part.
Health IT certified to the 2015 Edition certification criteria and
associated standards and implementation specifications can be
implemented as part of an EP's, eligible hospital's, or CAH's CEHRT and
used to demonstrate meaningful use (as identified in Table 4 of section
III.A.3 below). We note that Table 4 also identifies certification
criteria that are mandatory and conditional certification requirements
for Health IT Modules, such as safety-enhanced design (conditional),
and quality management system (mandatory), accessibility-centered
design (mandatory), and privacy and security certification criteria
(conditional). To note, we use the term mandatory to mean that all
Health IT Modules must be certified to the certification criterion (see
also Sec. 170.550(g)(2) and (3)). Conditional means that certification
to the certification criterion (e.g., the ``Consolidated CDA creation
performance,'' ``safety-enhanced design,'' ``automatic access
timeout,'' or ``integrity'' certification criterion) depends on what
other certification criteria a Health IT Module is presented for
certification to (see Sec. 170.550(g)(1) and (4) and Sec.
170.550(f)). For more information on ``conditional'' certification
related to privacy and security, we also refer readers to section
IV.C.1 (``Privacy and Security'') of this preamble.
[[Page 62611]]
Health IT certified to the 2015 Edition certification criteria and
associated standards and implementation specifications can also be used
to meet other HHS program requirements (e.g., Medicare chronic care
management services) or private sector requirements (e.g., The Joint
Commission performance measurement initiative (``ORYX'' vendor)). We
refer readers to section IV.B.4 of this preamble for further programs
that reference the use of certified health IT.
1. Applicability
Section 170.300 establishes the applicability of subpart C--
Certification Criteria for Health Information Technology. We proposed
to revise paragraph (d) of Sec. 170.300 to add in a reference to Sec.
170.315 and revise the parenthetical in the paragraph to say ``i.e.,
apply to any health care setting'' instead of ``i.e., apply to both
ambulatory and inpatient settings.''
We received no comments on these specific proposed revisions and
have adopted the proposed revisions. As noted in the Proposed Rule,
these revisions clarify which specific capabilities within a
certification criterion included in Sec. 170.315 have general
applicability (i.e., apply to any health care setting) or apply only to
an inpatient setting or an ambulatory setting. The revision to change
the language of the parenthetical aligns with our approach to make the
ONC Health IT Certification Program more agnostic to health care
settings and accessible to health IT that supports care and practice
settings beyond the ambulatory and inpatient settings. We refer readers
to section IV.B of this preamble for a detailed discussion of
modifications to the ONC Health IT Certification Program responses to
public comments received on the proposed modifications.
We note that, with the 2015 Edition, we no longer label an entire
certification criterion as either optional or ambulatory/inpatient (at
the second paragraph level of Sec. 170.315). For example, the 2015
Edition certification criterion for transmission to cancer registries
is simply ``transmission to cancer registries'' instead of ``optional--
ambulatory setting only--transmission to cancer registries.''
Similarly, the 2015 Edition certification criterion for ``accounting of
disclosures'' is simply ``accounting of disclosures'' instead of
``optional--accounting of disclosures.'' These simplifications are
possible given that, beginning with the 2015 Edition certification
criteria, ``Complete EHR'' certifications will no longer be issued (see
79 FR 54443-45). Therefore, there is no longer a need to designate an
entire certification criterion in this manner. Again, this approach
also supports our goal to make the ONC Health IT Certification Program
more agnostic to health care settings and accessible to health IT that
supports care and practice settings beyond the ambulatory and inpatient
settings. We note that we still use ``optional,'' ``inpatient setting
only,'' and ``ambulatory setting only'' designations within
certification criteria to provide flexibility and reduce burden where
feasible and appropriate.
We proposed to replace the term ``EHR technology'' in paragraphs
(d)(1) and (d)(2) of Sec. 170.300 with ``health IT'' to align with our
approach to make the ONC Health IT Certification Program more clearly
open to the certification of all types of health IT. We received no
comments on this specific proposal and have replaced ``EHR technology''
with ``health IT'' in the referenced paragraphs. Again, we refer
readers to section IV.B of this preamble for a detailed discussion of
modifications to the ONC Health IT Certification Program and responses
to public comments received on the proposed modifications.
2. Standards and Implementation Specifications
a. National Technology Transfer and Advancement Act
The National Technology Transfer and Advancement Act (NTTAA) of
1995 (15 U.S.C. 3701 et. seq.) and the Office of Management and Budget
(OMB) Circular A-119 \5\ require the use of, wherever practical,
technical standards that are developed or adopted by voluntary
consensus standards bodies to carry out policy objectives or
activities, with certain exceptions. The NTTAA and OMB Circular A-119
provide exceptions to selecting only standards developed or adopted by
voluntary consensus standards bodies, namely when doing so would be
inconsistent with applicable law or otherwise impractical. In this
final rule, we refer to voluntary consensus standards, except for:
---------------------------------------------------------------------------
\5\ http://www.whitehouse.gov/omb/circulars_a119.
---------------------------------------------------------------------------
The standards adopted in Sec. 170.202. (These industry
standards were developed by groups of industry stakeholders committed
to advancing the Direct Project,\6\ which included initiatives under
the Standards and Interoperability (S&I) Framework.\7\ These groups
used consensus processes similar to those used by voluntary consensus
standards bodies.);
The standards adopted at Sec. 170.205(d)(4) and (e)(4)
for reporting of syndromic surveillance and immunization information to
public health agencies, respectively (These standards go through a
process similar within the public health community to those used by
other industry stakeholders and voluntary consensus standards bodies.);
The standard adopted at Sec. 170.207(f)(2) for race and
ethnicity; and
Certain standards related to the protection of electronic
health information adopted in Sec. 170.210.
---------------------------------------------------------------------------
\6\ http://www.healthit.gov/policy-researchers-implementers/direct-project.
\7\ http://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-framework.
---------------------------------------------------------------------------
We are aware of no voluntary consensus standard that would serve as
an alternative to these standards for the purposes that we have
identified in this final rule.
b. Compliance With Adopted Standards and Implementation Specifications
In accordance with Office of the Federal Register regulations
related to ``incorporation by reference,'' 1 CFR part 51, which we
follow when we adopt proposed standards and/or implementation
specifications in a final rule, the entire standard or implementation
specification document is deemed published in the Federal Register when
incorporated by reference therein with the approval of the Director of
the Federal Register. Once published, compliance with the standard and
implementation specification includes the entire document unless we
specify otherwise. For example, for the Health Level Seven (HL7)
Implementation Guide (IG) for CDA Release 2: National Health Care
Surveys (NHCS), Release 1 adopted in this final rule, health IT
certified to the certification criterion referencing this IG will need
to demonstrate compliance with all mandatory elements and requirements
of the IG. If an element of the IG is optional or permissive in any
way, it will remain that way for testing and certification unless we
specified otherwise in regulation. In such cases, the regulatory text
preempts the permissiveness of the IG.
c. ``Reasonably Available'' to Interested Parties
The Office of the Federal Register has established new requirements
for materials (e.g., standards and implementation specifications) that
agencies incorporate by reference in the Federal Register (79 FR 66267;
1 CFR 51.5(b)). To comply with these requirements, in section V
(``Incorporation by Reference'') of this
[[Page 62612]]
preamble, we provide summaries of, and uniform resource locators (URLs)
to, the standards and implementation specifications we have adopted and
incorporated by reference in the Federal Register. To note, we also
provide relevant information about these standards and implementation
specifications throughout this section of the preamble (section III),
including URLs.
``Minimum Standards'' Code Sets
In the Proposed Rule, we proposed to adopt newer versions of four
previously adopted minimum standards code sets for the 2015 Edition.
The code sets proposed were: The September 2014 Release of the U.S.
Edition of SNOMED CT[supreg], LOINC[supreg] version 2.50, the February
2, 2015 monthly version of RxNorm, and the February 2, 2015 version of
the CVX code set. We also proposed to adopt two new minimum standards
code sets (the National Drug Codes (NDC)--Vaccine Codes, updates
through January 15, 2015 and the ``Race & Ethnicity--CDC'' code system
in the PHIN Vocabulary Access and Distribution System (VADS) Release
3.3.9 (June 17, 2011)). We reiterated, as we have previously
articulated (77 FR 54170), the adoption of newer versions improve
interoperability and health IT implementation, while creating little
additional burden through the inclusion of new codes. We further stated
that, as many of these minimum standards code sets are updated
frequently throughout the year, we would consider whether it may be
more appropriate to adopt a version of a minimum standards code set
that is issued before we publish a final rule for the Proposed Rule.
Comments. A number of commenters were supportive of the proposal to
adopt more recent versions of the U.S. Edition of SNOMED CT[supreg],
LOINC[supreg], RxNorm, and the CVX code set. Commenters supported
adoption of NDC codes for vaccines, but also recommended we adopt the
MVX codes for vaccine manufacturer as part of this list. One commenter
requested identification of the steward for the PHIN VADS ``Race &
Ethnicity--CDC'' code system, noting that it did not appear to have
been updated since 2007. This commenter also requested verification
that the code set has been reviewed on a regular basis.
A few commenters suggested that we do not specify an exact version
and release of a standard (e.g., allow for adoption of version/release
1.x of the HL7 Implementation Guide for CDA Release 2: National Health
Care Surveys (NHCS) where ``x'' could be any version/release within the
version/release 1 family). Another commenter suggested that we consider
adopting a ``rolling'' upgrade cycle for all standardized code systems
and value sets. Specifically, the commenter recommended that a
certified Health IT Module should not be more than two versions behind
the most currently released version of the code system or value set.
Commenters also suggested that the vocabulary code set versions in the
Proposed Rule are now outdated and have since been updated per a
regular update cycle. Commenters suggested we adopt these more recent
versions of these vocabulary code sets as they provide the most up-to-
date clinical information for clinical relevance and interoperability.
Response. As many of the proposed minimum standards code sets are
updated frequently throughout the year, we considered whether it was
more appropriate to adopt versions of minimum standards code sets that
were issued after the Proposed Rule and before we published this final
rule. In making such determination, as we have done with prior
finalized versions of minimum standards code sets, we gave
consideration to whether these newer versions included any new
substantive requirements and their effects on interoperability. We have
found no negative effects on interoperability with the newer versions
we have adopted as compared to the proposed versions. Rather, these
newer versions will further support and improve the structured
recording of data. To note, the adopted newer version of a minimum
standards code set will serve as the baseline for certification. As
with all adopted minimum standards code sets, health IT can be
certified to newer versions of the adopted baseline version minimum
standards code sets for purposes of certification, unless the Secretary
specifically prohibits the use of a newer version (see Sec. 170.555
and 77 FR 54268).
We have adopted newer versions of four 2014 Edition minimum
standards code sets in this final rule for the 2015 Edition. These code
sets are the September 2015 Release of the U.S. Edition of SNOMED
CT[supreg], LOINC[supreg] version 2.52, the September 8, 2015 monthly
version of RxNorm, and the August 17, 2015 version of the CVX code set.
We have also adopted three new minimum standards code sets. These code
sets are the National Drug Codes (NDC)--Vaccine NDC Linker, updates
through August 17, 2015; the CDC Race and Ethnicity Code Set Version
1.0 (March 2000); \8\ and the Crosswalk: Medicare Provider/Supplier to
Healthcare Provider Taxonomy, April 2, 2015.
---------------------------------------------------------------------------
\8\ We have more specifically identified the CDC Race and
Ethnicity code set as compared to the identification in the Proposed
Rule. We note this code set remains part of the PHIN Vocabulary
Access and Distribution System (VADS) Release 3.3.9. http://www.cdc.gov/phin/resources/vocabulary/index.html.
---------------------------------------------------------------------------
We have not adopted MVX codes for vaccine manufacturers as detailed
further in the discussion on the ``transmission to immunization
registries'' certification criterion in section III.A.3 of the
preamble. Therefore, we do not see a need to include MVX codes in this
list of code sets.
We confirm that CDC continues to steward the CDC Race and Ethnicity
Code Set, Version 1.0 (March 2000). We also confirm that we have
reviewed this version and believe it is appropriate to adopt it as the
minimum standard code set for race and ethnicity. Any updates to the
code set, including the issuance of newer versions, are within the
oversight of the CDC.
As we stated in the 2014 Edition final rule (77 FR 54169-54170),
the Office of the Federal Register regulations related to
``incorporation by reference'' are limited to a specific version that
is approved rather than future versions or revisions of a given
publication. Thus, we do not include regulation language that refers to
a version/release as, for example ``Version/Release 1.X'' when ``X''
remains variable. Further, to remain in compliance with the
Administrative Procedure Act and address any potential interoperability
concerns, we would need to issue regulations to adopt a newer version
minimum standards code set as a ``baseline'' standard and cannot
require health IT developers to upgrade on a rolling basis.
e. Object Identifiers (OIDs) for Certain Code Systems
We are providing the following table (Table 3) of OIDs for certain
code systems to assist health IT developers in the proper
identification and exchange of health information coded to the
vocabulary standards referenced in this final rule.
[[Page 62613]]
Table 3--Code System Object Identifiers (OIDs)
------------------------------------------------------------------------
Code system OID Code system name
------------------------------------------------------------------------
2.16.840.1.113883.6.96...... IHTSDO SNOMED CT[supreg].
2.16.840.1.113883.6.1....... LOINC[supreg].
2.16.840.1.113883.6.88...... RxNorm.
2.16.840.1.113883.12.292.... HL7 Standard Code Set CVX-Vaccines
Administered.
2.16.840.1.113883.6.69...... National Drug Code Directory.
2.16.840.1.113883.6.8....... Unified Code of Units of Measure (UCUM
\9\).
2.16.840.1.113883.6.13...... Code on Dental Procedures and Nomenclature
(CDT).
2.16.840.1.113883.6.4....... International Classification of Diseases,
10th Revision, Procedure Coding System
(ICD-10-PCS).
2.16.840.1.113883.6.238..... CDC Race and Ethnicity Code Set Version
1.0 (March 2000).
2.16.840.1.113883.6.316..... Tags for Identifying Languages--Request
for Comment (RFC) 5646 (preferred
language).
2.16.840.1.113883.6.101..... Healthcare Provider Taxonomy.
------------------------------------------------------------------------
f. Subpart B--Standards and Implementation Specifications for Health
Information Technology
---------------------------------------------------------------------------
\9\ Copyright(copyright) 1998-2013, Regenstrief
Institute, Inc. and the UCUM Organization. All rights reserved.
---------------------------------------------------------------------------
We proposed to remove the term ``EHR Modules'' from Sec. 170.200
and add in its place ``Health IT Modules'' We proposed to remove the
term ``EHR technology'' from Sec. 170.210 and add in its place
``health IT.'' We noted that these proposals were consistent with our
overall approach to this rulemaking as discussed in the Proposed Rule
Executive Summary and recited in this final rule's Executive Summary.
We received no comments on these specific proposals and have adopted
these proposals. We refer readers to section IV.B of this preamble for
a detailed discussion of modifications to the ONC Health IT
Certification Program and responses to public comments received on the
proposed modifications.
3. Adopted Certification Criteria
We discuss the certification criteria that we have adopted as part
of the 2015 Edition in this section. We discuss each certification
criterion in the chronological order in which it would appear in the
CFR. In other words, the preamble that follows discusses the adopted
certification criteria in Sec. 170.315(a) first, then Sec.
170.315(b), and so on through section (h). Due to certain proposed
certification criteria not being adopted as well as further
consideration of proper categorization of criteria, the designation of
some criteria within Sec. 170.315 has changed in comparison to the
Proposed Rule (e.g., the 2015 Edition ``smoking status'' criterion has
been codified in Sec. 170.315(a)(11) instead of proposed (a)(12) and
the 2015 Edition ``patient health information capture'' criterion has
been codified in Sec. 170.315(e)(3) instead of proposed (a)(19)).
We note that we have restructured the regulatory text of
certification criteria to remove the use of ``or'' in many places where
it was proposed to indicate certification optionality. We have replaced
it with language that we believe will better convey that same
optionality. This restructuring of the regulatory text will provide
further clarity regarding when a health IT developer has flexibility to
select one of two or more options for certifying its Health IT Module
as compared to when it is expected that the Health IT Module
demonstrate all listed methods for certification. This restructuring,
by itself, did not alter any of the proposed certification criteria
requirements.
Table 4 below identifies the 2015 Edition certification criteria
associated with the EHR Incentive Programs Stage 3 as finalized in EHR
Incentive Programs Stage 3 and Modifications final rule published
elsewhere in this issue of the Federal Register. While these
certification criteria can be used to support other use cases and
health care settings beyond the EHR Incentive Programs, we have also
adopted additional 2015 health IT certification criteria that support
other specific use cases and health care settings. These criteria were
listed in Table 2 and are discussed in this section of the preamble.
[[Page 62614]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.000
[[Page 62615]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.001
[[Page 62616]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.002
Computerized Provider Order Entry
We proposed to adopt three separate 2015 computerized provider
order entry (CPOE) certification criteria based on the clinical purpose
(i.e., medications, laboratory, and diagnostic imaging), which was
consistent with the 2014 Edition CPOE certification criteria we adopted
in the 2014 Edition Release 2 final rule (79 FR 54435-36).
Comments. We received only a few comments on this proposed
approach, all which expressed support for separating the functionality
based on clinical purpose.
Response. We have adopted separate CPOE certification criteria
based on clinical purposes that are described in more detail below.
We requested comment on whether we should specify, for the purposes
of testing and certification to the 2015 Edition CPOE criteria, certain
data elements that a Health IT Module must be able to include in a
transmitted order. In particular, we requested comment on whether a
Health IT Module should be able to include any or all of the following
data elements: secondary diagnosis codes; reason for order; and comment
fields entered by the ordering provider, if they are provided to the
ordering provider in their order entry screen. We also requested
comment on whether there are any other data elements that a Health IT
Module should be able to include as part of an order for the purposes
of testing and certification.
Comments. Most commenters opposed the inclusion of specific data
elements for certification. These commenters most often cited burden on
health IT developers and concern that new data elements might lead to
inefficient workflow for the order entry process as reasons for not
including additional data elements. Some commenters expressed support
for the inclusion of additional data elements mentioned in the Proposed
Rule, but varied in their support for the specific data elements that
should we included. These commenters did, however, agree that the
``reason for order'' data element was a data element that should be
included with an order.
Response. We acknowledge the lack of agreement as to what data
elements
[[Page 62617]]
should be required for certification, but also the support for the
``reason for order'' data elements. With consideration of commenters
concerns about burden and workflow inefficiencies, we have adopted the
``reason for order'' data element as an optional certification
provision in each of the three CPOE certification criteria. We agree
with commenters that the reason for an order data element has value.
The designation of this provision as optional in all three criteria
gives flexibility to health IT developers as they consider
certification of their health IT and providers as they consider what
certified health IT to purchase.
Computerized Provider Order Entry--Medications
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(1) (Computerized provider order entry--medications)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition CPOE certification criterion
specific to medication ordering that was unchanged in comparison to the
2014 Edition CPOE--medications criterion adopted at Sec.
170.314(a)(18) as well as Sec. 170.314(a)(1)(i). The proposed
criterion does not reference any standards or implementation
specifications.
Comments. Commenters overwhelmingly recommended that this criterion
remain unchanged. A few commenters requested clarifications regarding
the designation of authorized CPOE users and the proper counting of
CPOE orders for the purposes of meeting the associated meaningful use
objective and measure.
Response. We thank commenters for their support and have adopted
this criterion as unchanged. As noted above, we have, however, adopted
the ``reason for order'' data element as an optional provision within
this criterion. For questions related to the EHR Incentive Programs
(i.e., the designation of authorized CPOE users and the proper counting
of CPOE order for the purposes of meeting the associated meaningful use
objective and measure), we refer readers to CMS and the EHR Incentive
Programs Stage 3 and Modifications final rule published elsewhere in
this issue of the Federal Register.
Computerized Provider Order Entry--Laboratory
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(2) (Computerized provider order entry--laboratory)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition CPOE certification criterion
specific to laboratory ordering that was revised in comparison to the
CPOE--laboratory criterion adopted at Sec. 170.314(a)(19) as well as
Sec. 170.314(a)(1)(ii). For the ambulatory setting, we proposed that
this criterion would include the HL7 Version 2.5.1 Implementation
Guide: S&I Framework Laboratory Orders (LOI) from EHR, Draft Standard
for Trial Use, Release 2--US Realm (``Release 2''). We proposed to
adopt the most recent version of the HL7 Version 2.5.1 Implementation
Guide: S&I Framework Laboratory Test Compendium Framework, Release 2,
(also referred to as the ``electronic Directory of Services (eDOS)
IG'') for certification to all health care settings. We also proposed
to require that a Health IT Module use, at a minimum, version 2.50 of
Logical Observation Identifiers Names and Codes (LOINC[supreg]) as the
vocabulary standard for laboratory orders.
Comments. Commenters stated that the LOIs and eDOS IGs were not
ready for implementations, but acknowledged the significant progress
being made in developing standards for laboratory ordering and the
harmonizing of laboratory-related IGs.
Response. With consideration of comments, we have determined not to
adopt any standards for this certification criterion. We have, however,
adopted the ``reason for order'' data element as an optional provision
within this criterion. We have made the determination to keep this
criterion ``functional'' at this time based on a number of factors,
including (among other aspects) that the best versions of the IGs that
could be associated with this criterion were not sufficiently ready.
That being said, we believe that the LOI and eDOS IGs show great
promise in improving laboratory interoperability and could potentially
result in significant cost savings to the industry at large.
Accordingly, we remain committed to continued collaboration with
stakeholders to support the widespread adoption of these IGs, including
the development of testing tools and pilots where necessary and
feasible.
Computerized Provider Order Entry--Diagnostic Imaging
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(3) (Computerized provider order entry--diagnostic
imaging)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition CPOE certification criterion
specific to diagnostic imaging ordering that was unchanged in
comparison to the 2014 Edition CPOE--diagnostic imaging criterion
adopted at Sec. 170.314(a)(20) as well as Sec. 170.314(a)(1)(iii).
The proposed criterion does not reference any standards or
implementation specifications. We also proposed to adopt the title of
``diagnostic imaging,'' which is the title we gave to the 2014 Edition
version of this certification criterion in the 2014 Edition Release 2
final rule (79 FR 54436).
Comments. Commenters overwhelmingly recommended that this criterion
remain unchanged. A few commenters recommended we add functionality to
this criterion, including the required use of a standard such as
Digital Imaging and Communications in Medicine (DICOM) to support
radiology.
Response. We thank commenters for their support and have adopted
this criterion as unchanged. As noted above, we have, however, adopted
the ``reason for order'' data element as an optional provision within
this criterion. While we appreciate comments suggesting the inclusion
of additional functionality, the recommended functionality is outside
the scope of the proposed criterion. Therefore, we have not adopted the
recommended functionality in this criterion. We also refer readers to
our previous discussion of DICOM (77 FR 54173).
Drug-Drug, Drug-Allergy Interaction Checks for CPOE
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(4) (Drug-drug, drug-allergy interaction checks for
CPOE)
------------------------------------------------------------------------
We proposed to adopt a revised 2014 Edition ``drug-drug, drug-
allergy interaction checks'' criterion (Sec. 170.314(a)(2)) to clarify
that the capabilities included in this criterion are focused on CPOE.
We proposed that a Health IT Module must record at least one action
taken and by whom, and must generate either a human readable display or
human readable report of actions taken and by whom in response to drug-
drug or drug-allergy interaction checks (DD/DAI). We explained that the
benefits of recording user actions for DD/DAI interventions that assist
with quality improvement and patient safety outweigh the development
burden associated with this functionality. However, to address
development concerns, we proposed that a Health IT Module must only
record, at a minimum, one user action for DD/DAI checks; and asked for
comment on focusing the requirement to record at least one user action
taken for DD/DAI interventions on a subset of DD/DAI interventions and
what sources we
[[Page 62618]]
should consider for defining this subset. We further noted that the
proposed criterion does not establish the uses for the ``user action''
information, who should be able to view the information, or who could
adjust the capability. We also sought comment on requiring
functionality that would inform a user of new or updated DD/DAI when
the medication or medication allergy lists are updated.
Comments. We received a few comments supporting our proposed
clarification that this criterion focused on CPOE, but also suggestions
that this functionality could support other use cases, such as when
medications are reviewed or medication or medication allergy lists are
updated. We received mixed comments in response to the proposed
additional ``recording user response'' functionality for this
criterion. While many commenters supported the overall goal of
interaction checking for quality improvement and patient safety,
including functionality that would inform a user of new or updated DD/
DAI, many commenters stated that current systems already provide a wide
range of functionality to enable providers to document decisions
concerning interaction warnings. These commenters stated that the
proposed ``recording user response'' is not necessary for certification
or for providers to satisfy objectives of the EHR Incentive Programs.
Commenters requested the criterion remain eligible for gap
certification. A few expressed overall agreement with the other
functionality specified in this criterion, including the ability to
adjust the severity level of interventions (e.g., alerts) for drug-drug
interaction checks.
Response. We have determined, based on public comments, to focus
this certification criterion on CPOE and to not adopt the ``recording
user response'' functionality. This approach is responsive to comments
and will permit health IT developers to focus their efforts on
functionality and requirements that support the goals outlined in the
Executive Summary, including supporting the interoperability of health
IT. To note, this criterion is eligible for gap certification.
Demographics
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(5) (Demographics)
------------------------------------------------------------------------
We proposed to adopt a revised 2015 Edition ``demographics''
certification criterion in comparison to the 2014 Edition certification
criterion (Sec. 170.314(a)(3)). We received comments that focused on
each of the specific data elements in the certification criterion. We
have categorized and responded to these comments in a similar manner.
Sex
We proposed the requirement to record sex in accordance with HL7
Version 3 (``AdministrativeGender'') and a nullFlavor value attributed
as follows: male (M); female (F); and unknown (UNK), and noted that HL7
Version 3 for recording sex would be required under the ``Common
Clinical Data Set'' definition for certification to the 2015 Edition.
In the Proposed Rule's section III.B.3 (``Common Clinical Data Set''),
we stated that this approach would become the method for capturing sex
under the ``Common Clinical Data Set'' definition for certification to
the 2015 Edition.
Comments. Commenters were generally supportive of recording sex in
a structured manner. A few commenters suggested that we used other
values, such as U or UN for undifferentiated. A few commenters also
requested clarification on the proposed use of two different value sets
(HL7 AdministrativeGender and NullFlavor).
Response. We appreciate the support for our proposal. We have
adopted the requirement for recording sex as proposed. We clarify that
this coding is intended to present birth sex. Therefore, we believe the
use of the specified values and value sets is the most appropriate
approach. It is also an approach that we believe poses the least burden
and most health IT developers are using these values and value sets.
Race and Ethnicity
We proposed the requirement to record each one of a patient's races
and ethnicities in accordance with, at a minimum, the ``Race &
Ethnicity--CDC'' code system in the PHIN Vocabulary Access and
Distribution System (VADS), Release 3.3.9 \18\ and aggregate each one
of a patient's races and ethnicities to the categories in the OMB
standard for race and ethnicity. We explained that a Health IT Module
must be able to record each one of a patient's races and ethnicities
using any of the 900 plus concepts in the ``Race & Ethnicity--CDC''
code system, and noted that health IT developers and health care
providers could determine the appropriate user interface implementation
in a given setting. The Proposed Rule section III.A.2.d (``Minimum
Standards'' Code Sets) discussed the adoption of the ``Race &
Ethnicity--CDC'' code system in PHIN VADS as a minimum standards code
set and Release 3.3.9, or potentially a newer version if released
before this final rule, as the baseline for certification to the 2015
Edition. To note, the Proposed Rule section III.B.3 ``Common Clinical
Data Set'' also discussed adopting the Race & Ethnicity--CDC'' code
system in PHIN VADS (at a minimum, Release 3.3.9) and the OMB standard
as the race and ethnicity standards under the ``Common Clinical Data
Set'' definition for certification to the 2015 Edition.
---------------------------------------------------------------------------
\18\ https://phinvads.cdc.gov/vads/ViewCodeSystem.action?id=2.16.840.1.113883.6.238#.
---------------------------------------------------------------------------
Comments. A majority of commenters supported our proposal to
require a Health IT Module to be able to capture granular patient race
and ethnicity data. Some commenters questioned the necessity for such
granular race and ethnicity capture because it was not required for the
EHR Incentive Programs or another identified purpose, with one
commenter recommending that this be a future certification requirement.
Commenters expressed concerns about user interfaces in relation to the
over 900 concepts for race and ethnicity in PHIN VADS, including
concern over how many concepts should be displayed for users.
Similarly, commenters suggested that testing and certification should
not be to all 900 concepts. A few commenters requested clarification on
whether a health IT Module must be able to capture multiple races or
ethnicities for a patient and the appropriate method for capturing when
a patient declines to provide race or ethnicity information.
Response. We thank commenters for their support. We have adopted
the race and ethnicity requirements as proposed, including the use of
both the OMB and the CDC Race and Ethnicity standards. We believe that
the structured granular recording of race and ethnicity can both
improve patient care and support the elimination of health disparities
whether or not currently required by the EHR Incentives Programs or
another HHS program. By adopting these requirements, we ensure
certified health IT has these capabilities and can make them available
to providers. We clarify four points in response to comments. First, as
mentioned in the Proposed Rule, a health IT developer and provider can
best determine how the user interface is designed, including how many
race and ethnicity values are displayed. Second, as mentioned above and
in the Proposed Rule, a Health IT Module must be able to record each
one of a patient's races and ethnicities using any of the 900 plus
concepts. For testing and certification, a Health IT Module would be
tested to any of the 900 plus concepts at the discretion of the testing
[[Page 62619]]
body. Third, a Health IT Module would need to be capable of recording
multiple races and/or ethnicities for a patient. This approach is
consistent with the OMB standard. Fourth, a Health IT Module must be
able to demonstrate that it can record whether a patient declined to
provide information for all data specified in this certification
criterion. We do not, however, specify for the purposes of
certification how that data is specifically captured.
Preferred Language
In the Proposed Rule, we proposed to require the use of the
Internet Engineering Task Force (IETF) Request for Comments (RFC) 5646
\19\ standard for preferred language. We stated that RFC 5646 entitled
``Tags for Identifying Languages, September 2009'' is the coding system
that is commonly used to encode languages on the web. We also noted
that this standard is compatible with the C-CDA Release 2.0 (and C-CDA
Release 2.1) and that other preferred language standards in use today
can be efficiently mapped to it, such as ISO 639-1, 639-2, and 639-3.
The Proposed Rule explained that the standard does not determine the
way in which health care providers use the capability to record
preferred language or the preferred language values they are presented
with to select a patient's preferred language. In the Proposed Rule's
section III.B.3 (``Common Clinical Data Set''), we stated that RFC 5646
would also become the preferred language standard under the ``Common
Clinical Data Set'' definition for certification to the 2015 Edition.
---------------------------------------------------------------------------
\19\ http://www.rfc-editor.org/info/rfc5646.
---------------------------------------------------------------------------
Comments. Commenters were generally supportive of the adoption of
the RFC 5646 standard. Some commenters (health IT developers) expressed
opposition to the recording of preferred language in RFC 5646 due to
the new burden it would create versus the perceived minimal value. One
commenter suggested adopting ISO 639-3 instead of RFC 5646.
Response. We have adopted RFC 5646 as the preferred language
standard for this criterion. As extensively discussed in the Proposed
Rule (80 FR 16817), we believe this is the most appropriate standard
for capturing a patient's preferred language. It is compatible with the
C-CDA Release 2.1 and other preferred language standards can be
efficiently mapped to it, including IS0 639-1, 639-2, and 639-3. As
mentioned in the Proposed Rule and clarified for other demographics
data, a health IT developer and provider can best determine how the
user interface is designed, including how many preferred languages are
displayed.
Preliminary Cause of Death and Date of Death
In the Proposed Rule, we proposed that, for the inpatient setting,
a Health IT Module must include the functionality to record, change,
and access the ``date of death.'' We stated that this functionality
would be in addition to the requirement to enable a user to
electronically record, change, and access ``preliminary cause of
death'' in case of mortality, as is included in the 2014 Edition
``demographics'' certification criterion.
Comments. The majority of commenters supported this requirement. A
few commenters requested clarification as to whether the preliminary
cause of death was to be recorded consistent with either the SNOMED
CT[supreg] or ICD-10-CM standards.
Response. We thank commenters for their support and have adopted
this requirement as proposed. We clarify that the preliminary cause of
death is not required to be recorded in accordance with a standard for
the purposes of certification to this criterion as we did not propose
such a requirement nor have we adopted one.
Sexual Orientation and Gender Identity (SO/GI)
We did not propose to include a requirement to capture a patient's
sexual orientation or gender identity as part of this criterion.
Rather, we proposed the capture of SO/GI data as part of the proposed
``social, psychological, and behavioral data'' certification criterion.
Comments. We received a significant number of comments from
providers, consumers/individuals, and health care coalitions strongly
recommending that we consider including sexual orientation and gender
identify as a component of the Base EHR definition (e.g., in the
demographics certification criterion) or Common Clinical Data Set
definition. These commenters suggested that there are mature vocabulary
standards for representing SO/GI and there is strong clinical value in
having this data to inform decisions about health care and treatment.
Commenters indicated that by including SO/GI in the Base EHR or Common
Clinical Data Set definitions, providers would be required to possess
this functionality for participation in the EHR Incentive Programs,
which could have a large impact for evaluating the quality of care
provided to lesbian, gay, bisexual, and transgender (LGBT) communities.
Response. We thank commenters for their feedback. Given this
feedback, the clinical relevance of capturing SO/GI, and the readiness
of the values and vocabulary codes for representing this information in
a structured way, we require that Health IT Modules enable a user to
record, change, and access SO/GI to be certified to the 2015 Edition
``demographics'' certification criterion. By doing so, SO/GI is now
included in the 2015 Edition Base EHR definition. The 2015 Edition Base
EHR definition is part of the CEHRT definition under the EHR Incentive
Programs. Therefore, providers participating in the EHR Incentive
Programs will need to have certified health IT with the capability to
capture SO/GI to meet the CEHRT definition in 2018 and subsequent
years.
We note that like all information in the ``demographics''
criterion, certification does not require that a provider collect this
information, only that certified Health IT Modules enable a user to do
so. We believe including SO/GI in the ``demographics'' criterion
represents a crucial first step forward to improving care for LGBT
communities.
We have not included it in the Common Clinical Data Set at this
time. We refer readers to section III.B.3 of this preamble for further
discussion of the Common Clinical Data Set.
Comments. We received comments from a health care coalition that
has partnered with and coordinated industry-development of the
appropriate terminology to capture SO/GI for health care settings. The
commenters suggested that we revise the proposed terminology for
collecting SO/GI to use more appropriate language that reflects up-to-
date, non-offensive terminology that will facilitate the goal of
providing welcoming and affirming health care to LGBT individuals. As
such, the commenters recommended that we retain the proposed SNOMED
CT[supreg] and HL7 V3 codes but revise the description of some codes to
use synonyms which reflect more appropriate language. The commenters
noted that they have already submitted revisions to SNOMED CT[supreg]
to include the synonyms for these terms. The commenters also noted that
the core concepts of the codes remain the same.
Response. We thank the commenters for the suggestion and are
proceeding with the recommendation to include use the revised
terminology for collecting SO/GI. We refer readers to Sec.
170.207(o)(1) and Sec. 170.207(o)(2) for a full list of the code
descriptors and codes for SO/GI, respectively.
Comments. One commenter recommended we consider including
structured and coded questions for
[[Page 62620]]
soliciting SO/GI information as part of certification.
Response. While we thank the commenter for providing this
recommendation, we do not believe that the suggested questions have not
yet been scientifically validated for use in health care settings and,
thus, have not adopted them. We do, however, believe that these
questions are being used today in health care settings as ``best
practices,'' and would suggest that health care providers and
institutions decide whether to include these questions in the
collection of SO/GI information. These ``best practice'' questions and
the answers we have adopted are:
Do you think of yourself as:
[cir] Straight or heterosexual;
[cir] Lesbian, gay, or homosexual;
[cir] Bisexual;
[cir] Something else, please describe.
[cir] Don't know.
What is your current gender identity? (Check all that
apply.)
[cir] Male;
[cir] Female;
[cir] Transgender male/Trans man/Female-to-male;
[cir] Transgender female/Trans woman/Male-to-female;
[cir] Genderqueer, neither exclusively male nor female;
[cir] Additional gender category/(or other), please specify.
[cir] Decline to answer.
Comments. One commenter recommended that we add another question
and set of answers to collect assigned birth sex.
Response. We have not adopted this recommendation to collect
assigned birth sex as suggested because we already require the
capturing of birth sex as described under the ``sex'' section above.
Problem List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(6) (Problem list)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``problem list'' certification
criterion that was revised as compared to the 2014 Edition ``problem
list'' certification criterion (Sec. 170.314(a)(5)) by requiring the
September 2014 Release of the U.S. Edition of SNOMED CT[supreg] as the
baseline version permitted for certification to this criterion. The
Proposed Rule's section III.A.2.d (``Minimum Standards'' Code Sets)
discussed our adoption of SNOMED CT[supreg] as a minimum standards code
set and the adoption of the September 2014 Release (U.S. Edition), or
potentially a newer version if released before this final rule, as the
baseline for certification to the 2015 Edition.
Comments. The majority of commenters supported the proposed
certification criterion. A commenter suggested that instead of the full
SNOMED CT[supreg] code system, the reference should be explicit to a
concept and its value set relevant to this criterion, such as the
``core'' problem list. A commenter recommended requiring certification
to the most current version of SNOMED CT[supreg]. Some commenters
recommended that we require the use of the ICD-10-CM code set. These
commenters noted that the code set is used for billing purposes and the
required use of SNOMED CT[supreg] adds burden on providers and their
staff due to the required use of two different systems.
A couple of commenters stated that the problem list should not be
limited to the duration of a hospitalization because it may be needed
when the patient is out of the hospital, suggesting ``for the duration
of an entire hospitalization'' be struck from the criterion. Another
commenter suggested that the distinction between inpatient and
ambulatory records should be dropped in favor of a ``patient'' record
stating that several major healthcare systems have dropped the
distinction and are focusing on a patient problem list where one or
more problems on the problem list are addressed in a particular
encounter (outpatient visit or inpatient stay).
Commenters suggested that if this criterion was adopted as proposed
that health IT developers should have the ability to attest that their
health IT previously certified to the 2014 Edition ``problem list''
criterion meets the newer baseline version of SNOMED CT[supreg] for the
purposes of testing and certification to this criterion.
Response. We have adopted this certification criterion as proposed,
except that we have adopted a newer baseline version SNOMED CT[supreg]
(September 2015 Release of the U.S. Edition) for the purposes of
certification. We refer readers to section III.A.2.c (``Minimum
Standards'' Code Sets) for a more detailed discussion of our adoption
of the September 2015 Release of the U.S. Edition of SNOMED CT[supreg]
and for our reasons why we always adopt a baseline version of a
vocabulary code set for certification instead of specifying
certification must be to the ``most current'' version. As with the 2014
Edition, testing and certification will focus on a Health IT Module's
ability to enable a user to record, change, and access a patient's
problem list in accordance with SNOMED CT[supreg]. This will enable a
provider to choose any available and appropriate code in SNOMED
CT[supreg] for a patient's problems.
We did not propose as part of this criterion to test and certify a
Health IT Module's ability to enable a user to record, change, and
access a patient's active problem list and problem history across
health care settings as this criterion is focused on the ambulatory and
inpatient settings in support of the EHR Incentive Programs. We believe
the use of ``for the duration of an entire hospitalization'' is
appropriate for this criterion and refer readers to our detailed
discussed of this determination in the 2014 Edition final rule (77 FR
54211-54212).
We agree with commenters that efficient testing and certification
processes should be available to Health IT Modules previously certified
to the 2014 Edition ``problem list'' criterion for certification to
this criterion. Accordingly, we will consider such options, such as
attestation, in developing the test procedure for this criterion and in
issuing guidance to the ONC-AA and ONC-ACBs.
Medication List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(7) (Medication list)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``medication list''
certification criterion that was unchanged as compared to the 2014
Edition ``medication list'' certification criterion (Sec.
170.314(a)(6)). To note, the proposed criterion does not reference any
standards or implementation specifications.
Comments. The majority of commenters expressed support for this
certification criterion as proposed. A few commenters suggested
additional functionalities for this criterion. These suggestions
included functionality to designate or mark medications as confidential
or sensitive and include patient-generated data. One commenter
recommended requiring that medications be recorded in accordance with
RxNorm. A couple of commenters requested clarification and expansion of
the medication list to include over-the-counter medications, herbal
supplements, medical cannabis, and oxygen. In general, a few commenters
suggested that the medication list should be available across
encounters and there should not be a distinction between inpatient and
ambulatory records. One of these commenters noted that healthcare
systems have dropped the distinction and are focusing on a patient
medication list. Another commenter stated that the Food and
[[Page 62621]]
Drug Administration (FDA) is currently working to implement
requirements from the Drug Supply Chain Security Act (DSCSA) regarding
standards for the interoperable exchange of information for tracing
human, finished and/or prescription drugs. The commenter recommended
that we be aware of these efforts and align current and future
certification requirements with any future FDA requirements for
standards-based identification of prescription drugs.
Response. We thank commenters for their support and have adopted
this criterion as proposed. The other comments summarized above are
outside the scope of the proposed criterion. We did not propose
additional functionality for this criterion, including structured
capture in accordance with RxNorm. We also did not propose as part of
this criterion to test and certify a Health IT Module's ability to
enable a user to record, change, and access a patient's active
medication list and medication history across health care settings as
this criterion is focused on the ambulatory and inpatient settings in
support of the EHR Incentive Programs (please also see our response to
comments for the ``problem list'' certification criterion above).
Further, we do not define ``medications'' for the purpose of testing
and certifying a Health IT Module's ability to enable a user to record,
change, and access a patient's active medication list and medication
history. We thank the commenter for the information related to FDA's
work and will take steps to ensure our work aligns with the relevant
work of the FDA.
Medication Allergy List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(8) (Medication allergy list)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``medication allergy list''
certification criterion that was unchanged as compared to the 2014
Edition ``medication allergy list'' certification criterion (Sec.
170.314(a)(7)).
Comments. The majority of commenters supported this criterion as
proposed. Multiple commenters recommended adding functionality to
support food and environmental allergies as well as other types of
allergens, noting that most providers are already recording this
information and that such functionality would support patient safety.
Some of these same commenters recommended the structured capture of
this information in various standards, including RxNorm, UNII, SNOMED
CT[supreg], and LOINC[supreg]. A couple of commenters recommended
additional functionalities such as including time and date for
medication allergies entered, edited, and deleted. In general, a few
commenters suggested that the medication allergy list should be
available across encounters and there should not be a distinction
between inpatient and ambulatory records. One of these commenters noted
that healthcare systems have dropped the distinction and are focusing
on a patient medication allergy list. Another commenter stated that the
FDA is currently working to implement requirements from the Drug Supply
Chain Security Act (DSCSA) regarding standards for the interoperable
exchange of information for tracing human, finished and/or prescription
drugs. The commenter recommended that we be aware of these efforts and
align current and future certification requirements with any future FDA
requirements for standards-based identification of prescription drugs.
Response. We thank commenters for their support and have adopted
this criterion as proposed. The other comments summarized above are
outside the scope of the proposed criterion. We did not propose
additional functionality for this criterion, including additional
allergens and the structured capture of medication allergies. As we
noted in the Proposed Rule (80 FR 16820), there are a number of
vocabularies and code sets that could support food and environmental
allergies as well as medications, but our view is that there is no
ready solution for using multiple vocabularies to code allergies that
could be adopted for the purposes of certification at this time. We
also did not propose as part of this criterion to test and certify a
Health IT Module's ability to enable a user to record, change, and
access a patient's active medication allergy list and medication
allergy history across health care settings as this criterion is
focused on the ambulatory and inpatient settings in support of the EHR
Incentive Programs (please also see our response to comments for the
``problem list'' certification criterion above). As noted in our
response under the ``medication list'' certification criterion, we will
take steps to ensure our work aligns with the relevant work of the FDA.
Clinical Decision Support
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(9) (Clinical decision support)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``clinical decision support''
(CDS) certification criterion that was revised in comparison to the
2014 Edition ``CDS'' criterion (Sec. 170.314(a)(8)). We proposed to
require a Health IT Module to follow the updated Infobutton standard
(Release 2, June 2014) \20\ and one of two updated associated IGs: HL7
Implementation Guide: Service-Oriented Architecture Implementations of
the Context-aware Knowledge Retrieval (Infobutton) Domain, Release 1,
August 2013 (``SOA Release 1 IG''),\21\ the updated Infobutton URL-
based IG (HL7 Version 3 Implementation Guide: Context-Aware Knowledge
Retrieval (Infobutton), Release 4, June 2014) (``URL-based Release 4
IG''). \22\ We proposed to require certification only to the Infobutton
standard (and an associated IG) for identifying diagnostic or
therapeutic reference information, as we stated this is the best
consensus-based standard available to support the use case. We
requested comment on requiring that a Health IT Module be able to
request patient-specific education resources identified using
Infobutton standards based on a patient's preferred language. We
proposed to require that a Health IT Module presented for certification
to this criterion be able to record at least one action taken and by
whom when a CDS intervention is provided to a user, and that a Health
IT Module must generate either a human readable display or human
readable report of the responses and actions taken and by whom when a
CDS intervention is provided. We clarified that the 2015 Edition CDS
certification criterion does not use the terms ``automatically'' and
``trigger'' as related to CDS interventions so as to reiterate the
intent to encompass all types of CDS interventions without being
prescriptive on how the interventions are deployed. We proposed cross-
reference corrections to the 2014 Edition CDS criterion.
---------------------------------------------------------------------------
\20\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=208.
\21\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=283.
\22\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=22.
---------------------------------------------------------------------------
Infobutton Standard and Related IGs
Comments. A majority of commenters supported the inclusion of the
updated Infobutton standard and related IGs. Multiple commenters
recommended that there should be more options besides Infobutton for
identifying diagnostic or therapeutic reference information. A
commenter recommended a requirement for Infobutton to be connected to a
reference resource at the end user's choice in cases of inability to
use the Infobutton functionality due to
[[Page 62622]]
contractual relationships to reference resources. Multiple commenters
voiced a need for materials to be tested and vetted to ensure the
accuracy and appropriate literacy level of material, in addition to
providers being able to provide educational resources from other
sources in case the most appropriate material deemed by the physician
cannot be identified or is limited by the health IT.
Response. We thank commenters for their support and have adopted
the proposed Infobutton standard and supporting IGs. We clarify for
commenters that our certification approach only focuses on capabilities
that must be certified to meet this criterion. A health IT developer's
product could include other means for identifying diagnostic or
therapeutic reference information. Our approach actually reduces burden
on health IT developers in that they do not have to have any other
means tested and certified. In regard to comments suggesting the
certification of the connection to a reference resource and diagnostic
or therapeutic reference information obtained, these comments are
beyond the scope of our proposal and we have not adopted them.
Preferred Language Request for Comment
Comments. Commenters expressed support for the capability to
identify for a user diagnostic and therapeutic reference information
based on a patient's preferred language with the use of Infobutton.
Commenters stated that this would support reducing racial and ethnic
health disparities by improving literacy and addressing language
barriers. Some commenters contended that including such as requirement
would increase burden for limited value because resources are often not
available in other languages with the exception of three or four of the
most commonly spoken languages.
Response. We appreciate the comments received in response to this
request for comment, including those supporting the inclusion of
preferred language. We have, however, not included preferred language
functionality in this criterion. While this functionality many support
reducing health disparities, we believe that when weighing all proposed
policies and the accumulated burden they present, this functionality
would not provide as much impact in relation to other proposals such as
the structured recording of a patient's preferred language and specific
race and ethnicity information under the ``demographics'' criterion. By
not adopting this functionality, health IT developers will be able to
focus more of their efforts on other adopted functionality and
requirements, including those that support the interoperability of
health IT.
CDS Intervention Response Documentation
Comments. We received mixed comments in response to the proposed
additional ``recording user response'' functionality for this
criterion. While many commenters supported the overall goal of
interaction checking for quality improvement and patient safety, many
commenters stated that current systems already provide a wide range of
functionality to enable providers to document decisions concerning CDS
interventions. These commenters stated that the proposed ``recording
user response'' is not necessary for certification or for providers to
satisfy objectives of the EHR Incentive Programs.
Response. We have not adopted the ``recording user response''
functionality. This approach is responsive to comments suggesting that
this functionality is already included in health IT and is unnecessary
to support providers participating in the EHR Incentive Programs.
Further, by not adopting this functionality, health IT developers will
be able to focus more of their efforts on other adopted functionality
and requirements, including those that support the interoperability of
health IT.
Clarifying ``Automatically'' and ``Triggered'' Regulatory Text
Comments. Commenters expressed agreement with our proposal to not
use the terms ``automatically'' and ``trigger'' in the 2015 Edition CDS
criterion and that CDS interventions should be limited by how they are
deployed.
Response. We thank commenters for their support. We have not
included these terms in the certification criterion to clarify our
intent to encompass all types of CDS interventions without being
prescriptive on how the interventions are deployed.
Clinical Decision Support Configuration--Laboratory Tests and Values/
Results
Comments. We received a comment seeking clarification on the
criterion's reference to laboratory tests and values/results for CDS
configuration capabilities related to the incorporation of a transition
of care/referral summary. The commenter stated that we should remove
reference to laboratory tests and values/results for CDS configuration
in relation to the incorporation of a transition of care/referral
summary because the proposed 2015 Edition ``clinical information
reconciliation and incorporation'' criterion does not include
reconciling laboratory tests and values/results.
Response. We have removed the references to laboratory tests and
values/results from the criterion. The commenter is correct in that the
2015 Edition ``clinical information reconciliation and incorporation''
criterion does not include reconciling laboratory tests and values/
results. Therefore, this data would not necessarily be available for
CDS when a patient record is incorporated.
Reordering of Provisions/Regulation Text
We have reordered the provisions of the criterion/regulation text
to better align with testing procedures. We have moved the CDS
intervention interaction provision to the beginning, followed by the
CDS configuration, evidence-based decision support interventions,
linked referential CDS, and source attributes. This reordering does not
alter the requirements of the criterion in any way.
2014 Edition ``Clinical Decision Support'' Certification Criterion--
Corrections
We received no comments on our proposal to revise the cross-
reference in Sec. 170.314(a)(8)(iii)(B)(2) (CDS configuration) to more
specifically cross-reference the 2014 ``transitions of care'' (``ToC'')
criterion (Sec. 170.314(b)(1)(iii)(B)). Accordingly, we have adopted
this proposed revision.
Drug-Formulary and Preferred Drug List Checks
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(10) (Drug-formulary and preferred drug list checks)
------------------------------------------------------------------------
In the Proposed Rule, we proposed to adopt a 2015 Edition ``drug
formulary checks and preferred drug list'' certification criterion that
was split based on drug formularies and preferred drug lists. We
proposed that a Health IT Module must (1) automatically check whether a
drug formulary exists for a given patient and medication and (2)
receive and incorporate a formulary and benefit file according to the
National Council for Prescription Drug Programs (NCPDP) Formulary and
Benefit Standard v3.0 (``v3.0''). We proposed that a Health IT Module
must automatically check whether a preferred drug list exists for a
given patient and medication. For drug formularies and
[[Page 62623]]
preferred drug lists, we proposed that a Health IT Module be capable of
indicating the last update of a drug formulary or preferred drug list
as part of certification to this criterion. We requested comment on
more recent versions of the NCPDP Formulary and Benefit Standard to
support functionality for receiving and incorporating a formulary and
benefit file and sought to understand associated potential development
burdens. In addition, we sought comment on a standard for individual-
level, real-time formulary benefit checking to address the patient co-
pay use case, whether we should offer health IT certification to the
standard for this use case, and if this functionality should be a
separate criterion from the 2015 Edition ``drug formulary and preferred
drug list checks'' certification criterion.
Comments. Commenters were supportive of splitting the drug-
formulary checks functionality from the preferred drug list
functionality. A number of commenters stated that the NCPDP Formulary
and Benefit Standard provides static, group-level formulary pricing
information that does not indicate individual-level, real-time
prescription pricing information. A few commenters stated that these
static, group-level formularies are not useful for informing
discussions with patients about what medications to prescribe because
they do not provide information about the patient's co-pay for a
particular drug. Many commenters also suggested that it was not
necessary for ONC to offer certification to this functionality because
most health IT systems already support NCPDP's Formulary and Benefit
Standard v3.0 due to the Medicare Part D e-prescribing requirements
under the Medicare Prescription Drug, Improvement, and Modernization
Act of 2003 (MMA). Some of these commenters even indicated that they
test and certify through Surescripts' certification program to the
standard. In terms of a version of the NCPDP Formulary and Benefit
Standard, stakeholders preferred ONC adopt v3.0 rather than any
subsequent version to align with the Medicare Part D requirements.
Commenters also contended that the industry has widely adopted v3.0 and
that newer versions are less stable.
Many commenters stated that there is not an industry-wide accepted
standard for real-time individual patient-level formulary checking, but
recommended ONC adopt certification to a standard once the industry
moves to an agreed-upon standard. A few commenters noted that an NCPDP
task group is analyzing use cases to support a real-time prescription
benefit inquiry and is planning to make recommendations to the NCPDP
membership on the creation of a new transaction and/or standard or
modification of existing transactions or standards.
Response. We appreciate the detailed feedback commenters provided.
We have determined that it is most appropriate to not adopt a specific
standard for this criterion. We agree with commenters that the NCPDP
Formulary and Benefit Standard v3.0 is widely implemented today in
support of Medicare Part D requirements and that certification to this
standard would add unnecessary burden to health IT developers and
providers who are already adhering to the standard.
We believe that certification for individual-level, real-time
prescription pricing information will provide the most value to inform
provider prescribing decisions and discussions between providers and
patients on the most appropriate medication options for the patient.
However, at this time, there is no real-time patient-level standard
with consensus stakeholder support that would be appropriate for
certification. Based on the comments received, we strongly urge the
industry to accelerate its work on identifying the need to create a new
transaction and/or standard or modify existing transactions or
standards for real-time prescription benefit inquiries. We intend to
continue our participation in this area and will consider proposing
certification functionalities for real-time prescription benefit
inquiries in future rulemaking.
With consideration of comments supporting our proposed split of
functionality between drug formularies and preferred drug lists, we
have adopted a 2015 Edition ``drug-formulary and preferred drug list
checks'' criterion that simply separates drug formulary and preferred
drug list functionality, but does not require any standards or
functionality beyond that included in the 2014 Edition ``drug-formulary
checks'' criterion. As such, this certification criterion is eligible
for gap certification.
Smoking Status
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(11) (Smoking status)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``smoking status''
certification criterion that was revised in comparison to the 2014
Edition ``smoking status'' criterion (Sec. 170.314(a)(11)) and to
include the 2015 Edition certification criterion in the 2015 Edition
Base EHR definition. To be certified, we proposed that a Health IT
Module must record, change, and access smoking status to any of the
September 2014 Release of the U.S. Edition of SNOMED CT[supreg]
available codes for smoking status, at a minimum. We noted that a
Health IT Module certified to certification criteria that reference the
Common Clinical Data Set (i.e., the ``transitions of care'' (``ToC''),
``data export'' (previously ``data portability''), ``view, download,
and transmit to 3rd party'' (VDT), ``Consolidated CDA creation
performance,'' and ``application access to the Common Clinical Data
Set'' certification criteria) would need to be able to code smoking
status in only the 8 smoking status codes,\23\ which may mean mapping
other smoking status codes to the 8 codes. We explained that we expect
Health IT developers to work with health care providers to include the
appropriate implementation of smoking status codes in a user interface.
---------------------------------------------------------------------------
\23\ These 8 codes are: current every day smoker, 449868002;
current some day smoker, 428041000124106; former smoker, 8517006;
never smoker, 266919005; smoker--current status unknown, 77176002;
unknown if ever smoked, 266927001; heavy tobacco smoker,
428071000124103; and light tobacco smoker, 428061000124105.
---------------------------------------------------------------------------
Comments. Some commenters stated that health IT should not be
required to support the full set of smoking status codes within SNOMED
CT[supreg] as it would cause unnecessary development burden and
potential workflow issues for providers. Multiple commenters also
expressed concern with the proper mapping all of the available smoking
status codes within SNOMED CT[supreg] to the specified 8 SNOMED
CT[supreg] smoking codes in the Common Clinical Data Set and used for
exchange of patient health information. We also received comments
requesting the inclusion of other substances and routes of
administration, including the use of chewing tobacco.
Response. We have adopted a ``smoking status'' certification
criterion that does not reference a standard. As stated in the Proposed
Rule (80 FR 16870), the capture of a patient's smoking status has
significant value in assisting providers with addressing the number one
cause of preventable death and disease in the United States. We have
also included this criterion in the Base EHR definition so that this
functionality is available to all providers participating in the EHR
Incentive Programs. In consideration of the concerns expressed by
commenters regarding development burden and the proper mapping of all
available smoking status codes within SNOMED CT[supreg] to the
specified 8 SNOMED CT[supreg] for
[[Page 62624]]
exchange, we believe that the best path forward is the adoption of a
``smoking status'' criterion that would simply require a Health IT
Module to demonstrate that it can enable a user to record, change, and
access a patient's smoking status. In regard to comments suggesting the
inclusion of other substances and routes of administration, these
comments are beyond the scope of our proposal and we have not adopted
them. In sum, this certification criterion is ``unchanged'' as compared
to the 2014 Edition ``smoking status'' criterion and is eligible for
gap certification.
As discussed in more detail under section III.B.3 of this preamble,
we have adopted the 8 specified SNOMED CT[supreg] smoking codes as part
of the Common Clinical Data Set (and for purposes of exchange). This is
a continuation of our approach first adopted with the 2014 Edition.
Family Health History
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(12) (Family health history)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``family health history'' (FHH)
certification criterion that was revised in comparison to the 2014
Edition FHH certification criterion adopted at Sec. 170.314(a)(13). In
particular, we proposed to require a Health IT Module to enable a user
to record, change, and access a patient's FHH electronically according
to, at a minimum, the concepts or expressions for familial conditions
included in the September 2014 Release of the U.S. Edition of SNOMED
CT[supreg], which would be a newer baseline version of SNOMED
CT[supreg] than adopted for the 2014 Edition FHH criterion. The
proposed rule's section III.A.2.d (``Minimum Standards'' Code Sets)
discussed our adoption of SNOMED CT[supreg] as a minimum standards code
set and the adoption of the September 2014 Release (U.S. Edition), or
potentially a newer version if released before a this final rule, as
the baseline for certification to the 2015 Edition.
Comments. Commenters generally supported this certification
criterion. Some commenters suggested not adopting this criterion
because it does not support a specific meaningful use objective of the
proposed EHR Incentive Programs Stage 3. A couple of commenters
suggested the recording of FHH is more valuable when it is actually
exchanged, with one commenter recommending that we require FFH data be
sent using the C-CDA FHH Section with Entries or, minimally, the C-CDA
FHH Organizer Entry. Another commenter suggested that the FHH be stored
in a question/answer format (LOINC[supreg] for ``questions''
(observations) and SNOMED CT[supreg] for ``answers'' (observation
values)), which would also better support electronic exchange of the
information. Some commenters suggested that if this criterion was
adopted as proposed that health IT developers should have the ability
to attest that their Health IT previously certified to the 2014 Edition
FHH criterion meets the newer baseline version of SNOMED CT[supreg] for
the purposes of testing and certification to this criterion.
Response. We have adopted this certification criterion as proposed,
except that we have adopted a newer baseline version SNOMED CT[supreg]
(September 2015 Release of the U.S. Edition) for the purposes of
certification. We refer readers to section III.A.2.c (``Minimum
Standards'' Code Sets) for a more detailed discussion of our adoption
of the September 2015 Release of the U.S. Edition of SNOMED CT[supreg].
While not supporting a specific meaningful use objective of Stage 3 of
the EHR Incentive Programs, this functionality is included in the CEHRT
definition. Furthermore, we believe that the FHH functionality is a
functionality that should be available to providers for more
comprehensive patient care.
We note that our intent is not to limit the use of LOINC[supreg]
for associated FHH ``questions'' or the specific SNOMED CT[supreg] code
that is used to label FHH. Rather, the intent is to capture this
information in SNOMED CT[supreg] instead of billing terminologies like
ICD-10-CM. We also do not intend to prohibit the exchange of this
information using the C-CDA 2.1. As we have noted in this and prior
rulemakings, certification serves as a baseline. This baseline can be
built upon through future regulation or simply through a decision by a
health IT developer and/or its customer to include functionality that
goes beyond the baseline. As present, we have set the certification
baseline for FHH information at recording it in SNOMED CT[supreg].
We agree with commenters that efficient testing and certification
processes should be available to Health IT Modules previously certified
to the 2014 Edition FHH criterion for certification to this criterion.
Accordingly, we will consider such options, such as attestation, in
developing the test procedure for this criterion and in issuing
guidance to the ONC-AA and ONC-ACBs.
Patient-Specific Education Resources
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(13) (Patient-specific education resources)
------------------------------------------------------------------------
In the Proposed Rule, we proposed to adopt a 2015 Edition
``patient-specific education resources'' certification criterion that
was revised in comparison to the 2014 Edition ``patient-specific
education resources'' certification criterion (Sec. 170.314(a)(15)).
We proposed that certification would only focus on the use of
Infobutton for this certification criterion instead of Infobutton and
any means other than Infobutton as required by the 2014 Edition
criterion. We stated that there is diminished value in continuing to
frame the 2015 Edition certification criterion similarly to the 2014
Edition criterion.
We proposed to adopt the updated Infobutton standard (Release 2 and
the associated updated IGs (SOA-based IG and URL-based IG)). We also
noted that we would not include a requirement that health IT be capable
of electronically identifying patient-specific education resources
based on ``laboratory values/results'' because the Infobutton standard
cannot fully support this level of data specificity.
We proposed that a Health IT Module be able to request patient-
specific education resources based on a patient's preferred language as
this would assist providers in addressing and mitigating certain health
disparities. More specifically, we proposed that a Health IT Module
must be able to request that patient-specific education resources be
identified (using Infobutton) in accordance with RFC 5646. We noted
that Infobutton only supports a value set of ISO 639-1 for preferred
language and, therefore, stated that testing and certification of
preferred language for this certification criterion would not go beyond
the value set of ISO 639-1. We further noted testing and certification
would focus only on the ability of a Health IT Module to make a request
using a preferred language and Infobutton because the language of
patient education resources returned through Infobutton is dependent on
what the source can support.
Comments. Multiple commenters supported the inclusion of the
updated Infobutton standard and supporting IGs. A few commenters
expressed concern about limiting certification to only Infobutton and
suggested there are other viable options for requesting patient-
specific education resources. A commenter requested clarification as to
whether providers must only use certified health IT for requesting
patient-specific education resources for
[[Page 62625]]
the purposes of participating in the EHR Incentive Programs.
Response. We thank commenters for their support and have adopted
the proposed Infobutton standard and supporting IGs. We continue to
believe that the Infobutton capability is important to be available to
providers to have and use to identify patient-specific education
resources. We clarify for commenters that our certification approach
only focuses on capabilities that must be certified to meet this
criterion. A health IT developer's product could include other means
for requesting patient-specific education resources. Our approach
actually reduces burden on health IT developers in that they do not
have to have any other means tested and certified. For questions
related to the EHR Incentive Programs, we refer readers to CMS and the
EHR Incentive Programs Stage 3 and Modifications final rule published
elsewhere in this issue of the Federal Register.
Comments. We received a few comments supporting our approach for
``laboratory values/results.''
Response. We have not included ``laboratory values/results'' as
patient data that must be used to identify patient-specific education
resources.
Comments. Commenters expressed strong support for the capability to
request patient-specific education materials based on a patient's
preferred language with the use of Infobutton. Commenters stated that
this would support reducing racial and ethnic health disparities by
improving literacy and addressing language barriers. Commenters also
expressed a need for materials to be tested and vetted to ensure the
accuracy and appropriate literacy level of the materials. Some
commenters contended that this requirement would increase burden for
limited value because educational resources are often not available in
other languages with the exception of three or four of the most
commonly spoken languages.
Response. We thank commenters for their support and feedback. With
consideration of the mixed feedback, we have determined to designate
the use of preferred language as an optional provision within this
criterion. As optional, health IT developers have flexibility to pursue
certification if they deem it advantages. With our new open data CHPL
(see section IV.D.3 of this preamble), information on whether a Health
IT Module was certified to this functionality would be readily
available for consumers.
Implantable Device List
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(14) (Implantable device list)
------------------------------------------------------------------------
In the Proposed Rule, we proposed to adopt a new 2015 Edition
certification criterion focused on the ability of health IT to
exchange, record, and allow a user to access a list of Unique Device
Identifiers (UDIs) \24\ associated with a patient's implantable
devices. Health IT certified to the proposed criterion would be able to
``parse'' a UDI into its constituent components (or ``identifiers'')
and make those accessible to the user. Separately, the health IT would
be able to retrieve and provide a user with access to, if available,
the optional ``Device Description'' attribute associated with a UDI in
the FDA's Global Unique Device Identification Database (GUDID).
Further, to facilitate the exchange of UDIs and increase their
availability and reliability in certified health IT, we proposed to
include the proposed 2015 Edition implantable device list certification
criterion in the 2015 Edition Base EHR definition and to include a
patient's UDIs as data within the CCDS definition for certification to
the 2015 Edition. We also proposed to modify Sec. 170.102 to include
new definitions for ``Device Identifier,'' ``Implantable Device,''
``Global Unique Device Identification Database (GUDID),'' ``Production
Identifier,'' and ``Unique Device Identifier.''
---------------------------------------------------------------------------
\24\ A UDI is a unique numeric or alphanumeric code that
consists of two parts: (1) A device identifier (DI), a mandatory,
fixed portion of a UDI that identifies the labeler and the specific
version or model of a device, and (2) a production identifier (PI),
a conditional, variable portion of a UDI that identifies one or more
of the following when included on the label of a device: The lot or
batch number within which a device was manufactured; the serial
number of a specific device; the expiration date of a specific
device; the date a specific device was manufactured; the distinct
identification code required by 21 CFR 1271.290(c) for a human cell,
tissue, or cellular and tissue-based product (HCT/P) regulated as a
device. 21 CFR 801.3. See also http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/UniqueDeviceIdentification/.
---------------------------------------------------------------------------
We explained that the purpose of the proposed implantable device
list certification criterion was to enable the baseline functionality
necessary to support the exchange and use of UDIs in certified health
IT. The need to exchange and have access to this information wherever
patients seek care is broadly relevant to all clinical users of health
IT, regardless of setting or specialty, so that they may know what
devices their patients are using (or have used) and thereby prevent
device-related adverse events and deliver safe and effective care.\25\
This need is most acute for implantable devices, which by their nature
are difficult to detect and identify in the absence of reliable
clinical documentation.
---------------------------------------------------------------------------
\25\ In addition, as UDIs become ubiquitous, UDI capabilities in
health IT will support other important benefits, including better
surveillance and evaluation of device performance and more effective
preventative and corrective action in response to device recalls.
---------------------------------------------------------------------------
We acknowledged in the Proposed Rule that fully implementing UDIs
in health IT will take time and require addressing a number of
challenges. Nevertheless, we noted that substantial progress has been
made. In particular, we summarized the FDA's regulatory activities and
timeline for implementing the Unique Device Identification System and
extensive work by public and private sector stakeholders to advance
standards and specifications in support of UDI use cases. On the basis
of these developments and our own ongoing consideration of these and
other issues,\26\ we recognized that while ``the path to full
implementation is complex, there are relatively straightforward steps''
that we could take now to support the electronic exchange and use of
UDIs, beginning with UDIs for implantable devices. Our proposed
certification criterion focused narrowly on implementing these first
steps.
---------------------------------------------------------------------------
\26\ As further context for our proposal, we described our
previous consideration of these and other issues related to UDI
adoption in a previous rulemaking. 79 FR 10894.
---------------------------------------------------------------------------
In light of the foregoing and with the revisions discussed below in
our analysis of the comments on this proposal, we have finalized a 2015
Edition ``implantable device list'' certification criterion. We have
also finalized our proposals to include this certification criterion in
the 2015 Base EHR definition and to include a patient's UDIs as data
within the 2015 Common Clinical Data Set definition. Discussion of
those proposals can be found elsewhere in this final rule.
Comments. Most commenters agreed with the central premise of our
proposal, that enabling the exchange and use of UDIs in certified
health IT is a key initial step towards realizing the substantial
patient safety, public health, and other benefits of UDIs and the
Unique Device Identification System. Many commenters strongly supported
the proposed criterion, including its focus on implantable devices.
Commenters stated that the ability to exchange and access identifying
information about patients' implantable devices wherever patients seek
care would enable clinicians to prevent device-related medical errors
and improve the quality of care provided to patients. Commenters also
stated that the need to access accurate information
[[Page 62626]]
about patients' implantable devices is broadly applicable to primary
care physicians, specialists, and other providers to support care
coordination and ensure that providers have a complete medical history
of their patients.
Many commenters supported the proposed criterion in full and
recommended that we finalize it without any substantial revision. A
significant number of commenters also urged to expand the scope of this
criterion to include additional UDI-related capabilities. In contrast,
a significant number of commenters stated that we should not finalize
this criterion or should make all or part of it an optional
certification criterion for the 2015 Edition. Commenters also offered a
variety of suggested revisions and refinements with respect to the
capabilities we proposed.
Response. We have adopted this certification criterion
substantially as proposed, subject to certain revisions and
clarifications discussed further below in response to the comments we
received. We thank commenters for their detailed and thoughtful
feedback on our proposal. We reiterate that this certification
criterion represents a first step towards enabling the widespread
exchange and use of UDIs and related capabilities in certified health
IT, beginning with implantable devices. Because we recognize that fully
implementing UDIs in health IT will take time and require addressing a
number of challenges, the certification criterion focuses narrowly on
baseline health IT capabilities that developers can feasibly implement
today. These capabilities will provide the foundation for broader
adoption and more advanced capabilities and use cases. We believe that
this approach minimizes the potential burden while maximizing the
impact of this criterion for all stakeholders.
Comments. A significant number of commenters who supported our
proposed implantable device list certification criterion also
recommended that we adopt additional UDI-related capabilities, either
as part of this criterion (which we proposed to reference in the 2015
Edition Base EHR definition) or as a separate, optional certification
criterion. Many commenters urged us to include requirements for
Automatic Identification and Data Capture (AIDC) of UDIs. Commenters
stated that such a requirement would facilitate the accurate and
efficient capture of UDIs and align this criterion with the UDI final
rule, which requires UDIs to support one or more forms of AIDC. Some
commenters also stated that if we did not require--or at least provide
the option for--AIDC, users may be forced to manually enter UDIs. They
stated that this could discourage them from capturing UDIs, which could
lead to incomplete or inaccurate information about patients'
implantable devices. Separate from AIDC, several commenters suggested
that we adopt other UDI-related capabilities, such as the ability to
generate lists of patients with a particular device; to generate
notifications to patients in the event of a device recall; and to
record and track information about non-implantable devices and medical
and surgical supplies that are not regulated as a device.
Response. We have not adopted any AIDC requirements for UDIs as
part of this final rule. While we unequivocally agree with commenters
that UDIs should be captured using AIDC and should rarely if ever be
manually entered; and while for this reason we strongly urge health IT
developers and heath care organizations to implement AIDC capabilities
in all settings and systems in which UDIs may be captured; yet for the
reasons elaborated below, we believe at this time that certification is
neither an effective nor appropriate means to further these policies.
As we explained in the Proposed Rule, this criterion is not intended to
provide the capability to enter or ``capture'' UDIs for implantable
device, such as during the course of a procedure. The reason for this
is that the capture of UDIs currently occurs in a wide variety of
``upstream'' IT systems and settings that are beyond the scope of the
current ONC Health IT Certification Program. Rather than ineffectually
trying to address these ``upstream'' use cases, we have chosen to focus
this certification criterion on the baseline functionality necessary to
ensure that, once recorded in a patient's electronic health record,
UDIs can be exchanged among ``downstream'' health IT systems (the
overwhelming majority of which we do certify) and accessed by
clinicians wherever patients seek care.
Some commenters understood our rationale for not requiring AIDC
capabilities for all certified health IT and instead recommended we
adopt a separate optional AIDC certification criterion that could be
leveraged by certified health IT designed for operating rooms and other
surgical settings in which devices are implanted or removed. While we
appreciate the suggestion, such a certification criterion would be
applicable to only a small subset of certified health IT, which in turn
represents only a small subset of IT systems used to capture UDIs for
implantable devices. Moreover, prescribing specific AIDC requirements
for certified health IT may also be unnecessary. Given the obvious
convenience, accuracy, and other advantages of AIDC, we anticipate that
users of certified health IT designed for surgical settings will expect
developers to include AIDC capabilities as a necessary complement to
the baseline implantable device list functionality required by this
criterion. Allowing developers and their customers to design and
implement the most appropriate AIDC solutions for their individual
needs is consistent with FDA's policy of permitting flexibility in the
use of these technologies and avoids imposing unnecessary requirements
and costs on developers, providers, and our testing and certification
bodies.
Contrary to the suggestions of some commenters, our decision not to
adopt a particular AIDC requirement for implantable devices does not
mean that users of certified health IT systems will be forced to
manually record UDIs. Again, for the reasons we have stated, this
criterion has no bearing on how UDIs are entered or captured in
upstream IT systems during a procedure or operation. It is tailored
solely to bringing and providing capabilities for UDIs to downstream
EHR and health IT systems used in physicians' offices, hospitals, and
other places where patients with implantable devices seek care.
Similarly, at this time we believe that it would be premature to
include other capabilities suggested by commenters. Some of those
capabilities--such as the ability to record information about non-
implantable devices--are beyond the scope of the proposal. For other
capabilities, greater adoption and use of UDIs in certified health IT
is needed before the capabilities will be useful to most health IT
users. For example, we recognize that being able to generate a list of
patients with a particular device will be necessary to respond to
device recalls and analyze device performance and other
characteristics. But those benefits cannot materialize until UDIs are
more broadly and more readily accessible through interoperable health
IT and health information exchange. Likewise, achieving these benefits
will first require implementing other baseline functionality included
in this criterion, such as the ability to retrieve key device
attributes from the GUDID. We think that focusing the requirements of
this criterion--and thus the efforts of developers and users of
certified health IT--on these essential baseline functionalities is the
quickest path to
[[Page 62627]]
the adoption of UDIs in health IT and thus to creating demand and
opportunities for the more advanced capabilities commenters envision.
Comments. Some commenters requested clarification as to what
constitutes an ``implantable device'' for purposes of this
certification criterion.
Response. We have adopted new definitions in Sec. 172.102 for
``Implantable Device'' and several other terms by cross-referencing the
definitions for those terms already provided at 21 CFR 801.3. We
believe adopting these definitions in our final rule will prevent any
interpretative ambiguity and ensure that each phrase's specific meaning
reflects the same meaning given to it in the Unique Device
Identification System final rule. For further discussion of these new
definitions, we refer readers to section III.B.4 of this preamble.
Comment. A commenter recommended that we use the term
``identifier'' instead of the term ``data element'' to refer to the
following identifying information that composes the Production
Identifier portion of a UDI:
The lot or batch within which a device was manufactured;
the serial number of a specific device;
the expiration date of a specific device;
the date a specific device was manufactured; and
for an HCT/P regulated as a device, the distinct
identification code required by 21 CFR 1271.290(c).
To avoid confusion and align our terminology with the UDI final
rule, the commenter recommended we refer to these ``data elements'' as
``identifiers'' or ``production identifiers.''
Response. We agree that our use of the term ``data elements'' was
imprecise and could lead to unnecessary confusion. Accordingly, we have
revised our terminology as follows to align more closely with the UDI
final rule.
In our proposal, we used the term ``data elements'' to describe two
distinct types of information associated with UDIs. First, we said that
a Health IT Module certified to our proposed criterion would have to be
able to parse certain ``data elements from a UDI'' and make these
accessible to a user. 80 FR 16825. In that context, we were referring
to what the UDI final rule describes as the ``production identifiers
that appear on the label of the device.'' 21 CFR 830.310(b)(1). These
are the identifiers listed above that compose and are required to be
included in the Production Identifier when required to be included on
the label of a device. 21 CFR 801.3. Because these identifiers are part
of the UDI, health IT should be able to parse these identifiers from
the UDI using the issuing agency's specifications. There is no need to
query an external database or source, such as the GUDID.
Second, we also used the same term, ``data element,'' to refer to
certain information not included in the UDI itself but that is
associated with the UDI and can be retrieved using the GUDID.
Specifically, we proposed that health IT be able to retrieve and make
accessible the optional ``Device Description'' attribute associated
with the Device Identifier portion of the UDI (assuming the attribute
has been populated in the GUDID).
To distinguish these separate concepts and for consistency with the
UDI final rule, this preamble and the corresponding regulation at Sec.
170.315(a)(14) use the terms ``identifier'' and ``attribute'' to refer
to the two distinct types of information described above.
Comments. Many commenters, including some health IT developers,
supported the requirement to parse a UDI and allow a user to access the
identifiers that compose the UDI. Other commenters stated that
requiring this functionality would be burdensome because UDIs may be
issued by different issuing agencies and in different formats. Some
commenters suggested we withdraw this proposed requirement until a
canonical format is established to harmonize and streamline the process
of parsing UDIs issued by different FDA-accredited issuing agencies and
in different formats.
A number of commenters pointed out that we had omitted from this
requirement the Distinct Identification Code required by 21 CFR
1271.290(c), which is one of the five identifiers that make up the
Production Identifier and applies to human cells, tissues, or cellular
and tissue-based products (HCT/P) regulated as a device, including
certain kinds of implantable devices (e.g., skin grafts and bone
matrixes). To ensure the exchange of UDIs for all implantable devices
and to avoid misalignment with the UDI final rule, we were urged to
include the Distinct Identification Code among the identifiers that
technology must be able to parse and make accessible to a user under
this criterion.
Response. The requirement to parse a UDI is reasonable despite the
existence of multiple issuing agencies and formats. We disagree that
this requirement is burdensome and note that it was supported by
several health IT developers. This criterion would require health IT to
be able to parse UDIs issued by FDA-accredited issuing agencies. There
are currently three FDA-accredited issuing agencies (GS1, HIBCC, and
ICCBBA) \27\ and each issuing agency has only one approved UDI format.
All three formats are unique and can thus be readily distinguished by
health IT and parsed according to the correct format. The formats
themselves are described in detail in a single five-page reference
document available on the FDA Web site.\28\ Each format has been
approved by the FDA, and no changes can be made unless the FDA
similarly approves of the changes prior to implementation.
---------------------------------------------------------------------------
\27\ http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/UniqueDeviceIdentification/UDIIssuingAgencies/default.htm.
\28\ FDA, UDI Formats by FDA-Accredited Issuing Agency (May 7,
2014), http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/UniqueDeviceIdentification/GlobalUDIDatabaseGUDID/UCM396595.doc. The reference document is one
of two technical documents made available by the FDA to assist
labelers and other persons to comply with the GUDID Guidance. See
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/UniqueDeviceIdentification/GlobalUDIDatabaseGUDID/ucm416106.htm.
---------------------------------------------------------------------------
We disagree that the requirement to parse a UDI should be postponed
until the emergence of a single canonical UDI format. It is unclear at
this time when or if such a canonical format will be developed and
whether it would support the functionality we are requiring. It is also
unclear whether implementing a canonical format would reduce or
increase the overall technical complexity and burden of implementing
these capabilities for multiple UDI formats. Meanwhile, postponing
these capabilities would frustrate the purpose of this certification
criterion. Without the ability to parse a UDI, health IT would be
unable to provide users with useful information identifying and safety-
related information about a device, such as the device's expiration
date (which will be parsed from the Production Identifier) or a
description of the device (which will be retrieved by parsing and
looking up the Device Identifier in the GUDID).
The omission of ``Distinct Identification Code required by 21 CFR
1271.290(c)'' among the identifiers that health IT must be able to
parse was an oversight, and we thank commenters for bringing it to our
attention. We agree that to avoid misalignment with the UDI final rule,
health IT should be required to parse this identifier and make it
accessible in the same manner required for the other identifiers that
compose the Production Identifier, as referenced in the Proposed Rule.
We therefore
[[Page 62628]]
include it with those identifiers at Sec. 170.315(a)(14)(ii). For
similar alignment and consistency, we also include the Production
Identifier itself in the list of identifiers at Sec.
170.315(a)(14)(ii).
Comments. Several commenters objected to the proposed requirement
that health IT be able to query a UDI against the GUDID and retrieve
the associated ``Device Description'' attribute (when that attribute
has been populated and is available). Some commenters stated that it
was unreasonable to expect developers to implement GUDID capabilities
before all of the planned GUDID functionality is available. At the time
of the Proposed Rule, the GUDID was available as a downloadable file,
which was and continues to be updated daily. A web interface and web
services were also planned but had not yet been implemented. Although
we explained that the daily downloadable version of GUDID could be used
to satisfy the proposed criterion, some commenters insisted that we
should not require any GUDID retrieval capabilities until web services
are in place to enable GUDID attributes to be easily retrieved ``on
demand.'' Several commenters requested that we clarify FDA's timeline
for implementing web services.
Response. FDA has partnered with the National Library of Medicine
(NLM) to implement the GUDID. The GUDID is now available via a web
interface called AccessGUDID.\29\ In addition, FDA has confirmed that
web services will be available via the AccessGUDID website by October
31, 2015. These web services are being implemented to support health IT
developers to meet this implantable device list certification
criterion. For any valid UDI, the web services will return the
following GUDID attributes:
---------------------------------------------------------------------------
\29\ See http://accessgudid.nlm.nih.gov/. A list of APIs
currently in development is available at http://accessgudid.nlm.nih.gov/docs.
---------------------------------------------------------------------------
``GMDN PT Name'';
``Brand Name'';
``Version or Model'';
``Company Name'';
``What MRI safety information does the labeling
contain?''; and
``Device required to be labeled as containing natural
rubber latex or dry natural rubber (21 CFR 801.437).''
In addition to these GUDID attributes, and for the convenience of
health IT developers, the web services will also return the ``SNOMED
CT[supreg] Identifier'' and the ``SNOMED CT[supreg] Description''
mapped to the GMDN code set.\30\
---------------------------------------------------------------------------
\30\ Under a Cooperative Agreement between the Global Medical
Device Nomenclature Agency and the International Health Terminology
Standards Development Organization (IHTSDO), GMDN will be used as
the basis for the medical device component of SNOMED CT[supreg]. See
http://www.ihtsdo.org/resource/resource/84.
---------------------------------------------------------------------------
As commenters acknowledged, including many who objected to this
requirement, the availability of dedicated web services for retrieving
the attributes associated with a UDI from the GUDID will significantly
streamline and reduce the costs of including this functionality in
certified health IT. We take the commenters at their word and believe
that the availability of these dedicated web services--which will be
specifically designed for health IT developers and aligned with this
certification criterion--will substantially mitigate the concerns
raised by developers and other commenters regarding the potential
burden or technical challenges of implementing GUDID functionality.
Comments. Several commenters were puzzled by our proposal to
require retrieval only of the ``Device Description'' attribute. They
pointed out that submission of this attribute to the GUDID is optional
and is not standardized. The proposed requirement would therefore be
unlikely to serve our goal of providing clinicians and patients with
accurate and accessible information about implantable devices. Some
commenters suggested that the ``Global Medical Device Nomenclature
(GMDN) PT Name'' attribute would better suit our purpose and noted that
this attribute, unlike ``Device Description,'' is a required attribute
and a recognized international standard for medical device
nomenclature.
Several commenters also urged us to require retrieval of additional
GUDID attributes. Several commenters noted that certain safety-related
attributes--specifically ``What MRI safety information does the
labeling contain?'' and ``Device required to be labeled as containing
natural rubber latex or dry natural rubber (21 CFR 801.437)''--are
required to be submitted to the GUDID, are already available, and would
significantly further the patient safety aims outlined in our proposal.
Along the same lines, other commenters identified additional GUDID
attributes that would enable identification of the manufacturer or
labeler (i.e., company name), brand, and specific version or model of a
device.
Response. We believed that retrieving the ``Device Description''
attribute would be a good starting point for GUDID functionality under
this criterion and would make the implantable device list more useful
to clinicians by displaying the familiar name of each device in the
list next to the device's UDI. Based on the comments, we accept that
the ``GMDN PT Name'' attribute is more suitable for our purposes
because it is a recognized international standard for medical devices
and, unlike the ``Device Description'' attribute, is required and
therefore much more likely to in fact be populated in the GUDID. We are
therefore revising Sec. 170.315(a)(14)(iii) to require the ``GMDN PT
Name'' attribute instead of ``Device Description.'' Relatedly, we have
also revised Sec. 170.315(a)(14)(iii) to permit health IT developers
who meet this requirement using the GUDID web services to do so in
either of two ways. They may either retrieve the ``GMDN PT Name''
attribute or, alternatively, the ``SNOMED CT[supreg] Description''
associated with a UDI. Pursuant to a cooperative agreement between the
relevant standards developing organizations, the SNOMED CT[supreg] code
set is being mapped to GMDN PT and thus the description of a device
will be identical under both terminologies. However, we expect that
many developers will prefer to use the SNOMED CT[supreg] code set
because they already do so and because they can retrieve the computable
``SNOMED CT[supreg] Identifier,'' which will also be available via the
web services and will enable developers to more easily deploy CDS and
other functionality for implantable devices. Thus allowing developers
the flexibility to retrieve the ``SNOMED CT[supreg] Description'' in
lieu of the identical mapped ``GMDN PT Name'' attribute will avoid
requiring them to support multiple and duplicative code sets for
medical devices and may also encourage them to incorporate more
advanced capabilities for implantable devices, consistent with the
goals of this criterion.
As discussed above, the GUDID web interface is now available via
the NLM AccessGUDID website, which will soon be augmented with
dedicated web services designed to support health IT certified to this
criterion. With this increased readiness of the GUDID, health IT should
be able to retrieve additional GUDID attributes with little additional
effort. Therefore, we are also including the following attributes among
those that must be retrieved and made accessible to users of health IT
certified to this criterion:
``Brand Name'';
``Version or Model'';
``Company Name'';
``What MRI safety information does the labeling
contain?''; and
[[Page 62629]]
``Device required to be labeled as containing natural
rubber latex or dry natural rubber (21 CFR 801.437).'' \31\
---------------------------------------------------------------------------
\31\ Current GUDID attributes are derived from the UDI final
rule and are specified in the FDA GUDID Data Elements Reference
Table (May 1, 2015), http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/UniqueDeviceIdentification/GlobalUDIDatabaseGUDID/UCM396592.xls.
---------------------------------------------------------------------------
For the reasons that commenters identified, these particular
attributes will further the core goals of this criterion by
significantly enhancing the ability of clinicians to identify and
access important safety-related information about their patients'
implantable devices.
Comment. A commenter noted that this criterion would require health
IT to retrieve UDI attributes exclusively from the GUDID. The commenter
recommended we consult with FDA to ensure that the GUDID will be able
to support the potentially large volume of requests that could result
from this requirement.
Response. As discussed above, FDA and NLM are implementing web
services specifically to support health IT developers to meet this
implantable device list certification criterion. FDA has signed an
interagency agreement with NLM to provide public access to AccessGUDID,
including web services. NLM has experience with large volume requests
and will be able to meet any demands generated by developers and users
as a result of this criterion.
Comments. Some commenters noted that UDI attributes are not
exclusive to the GUDID and are commonly stored in providers' enterprise
resource planning systems (ERPS), materials management information
systems (MMIS), and other ``systems of record.'' Thus, instead of
requiring health IT to always retrieve the UDI attributes from the
GUDID, it was suggested that we permit attributes to be retrieved from
these and other appropriate sources, thereby giving providers and
developers (who may have different database and technical
infrastructures) the flexibility to select the most appropriate source
of this information.
Response. As we stated in the Proposed Rule, the requirement to
retrieve attributes from the GUDID can be accomplished using the
GUDID's web interface, web services, downloadable module, or any other
method of retrieval permitted under FDA's GUDID guidance. Thus GUDID
attributes could be retrieved from a local system, provided the
information in that system is up to date and is based upon the data
downloaded from the GUDID. That said, we encourage the use of the
AccessGUDID web services, which as discussed above are being designed
specifically to support health IT developers to meet this implantable
device list certification criterion.
Comments. Commenters overwhelmingly supported our proposal to
require that health IT enable a user to change a UDI in a patient's
implantable device list and, in appropriate circumstances, ``delete''
erroneous, duplicative, or outdated information about a patient's
implantable devices. However, several commenters took issue with our
use of the term ``delete,'' which could imply that a user should be
able to completely remove a UDI and associated information from a
patient's implantable device list and from the patient's electronic
health record altogether. Commenters stated that information about a
patient's implantable devices should be retained for historical
accuracy and context. One commenter noted that allowing users to delete
this information could violate record retention laws. Several
commenters suggested that we clarify that a user should be able to
``flag'' or otherwise annotate a UDI as no longer active while still
retaining the UDI and associated information.
The comments on this aspect of our proposal suggest some confusion
surrounding the concept of an ``implantable device list'' contemplated
in the Proposed Rule. Different commenters used the term ``implantable
device list'' to refer to at least three distinct constructs: (1) The
list of UDIs that would be recorded and exchanged as structured data;
(2) the presumably more detailed list of information about a patient's
implantable devices that would subsist separately and locally in EHR
systems; and (3) the list of UDIs and other information that would be
formatted and presented to users of an EHR system. Some commenters
recognized this ambiguity and asked us to be more precise. But several
commenters oscillated between these different constructs and imputed
them to different parts of our proposal, depending on the context. As a
result, some of these commenters perceived in our proposal elements
that had not been proposed, such as the ability to enable a user to
manually record a UDI or to exchange certain kinds of information about
implantable devices.
Response. We appreciate commenters' feedback on this aspect of our
proposal. We agree that a user should not be able to permanently
``delete'' UDIs recorded for a patient. Therefore, we are adopting the
approach suggested by most commenters that would allow a user to change
the status of a UDI but would require that UDI itself not be deleted
and still be accessible to a user. Specifically, health IT certified to
this criterion must enable a user to change the status of a UDI
recorded for a patient to indicate that the UDI is inactive. We also
expect that developers will implement this functionality in a manner
that allows users to indicate the reason that the UDI's status was
changed to inactive. Consistent with the policy that UDIs should not be
deleted from the implantable device list or from a patient's electronic
health record, a UDI that has been designated inactive must still be
accessible to the user so that users can access information about the
device, even if it was explanted or recorded in error. We expect that
both the status and other appropriate metadata will be recorded in a
manner consistent with the C-CDA, where applicable, and will be
exchanged with the UDI according to that standard.
As noted above, the comments on this aspect of our proposal suggest
the need for greater precision regarding the concept of an
``implantable device list.'' In this final rule, we use the term
``implantable device list'' to refer to the visible list that is
displayed to the user of health IT certified to this criterion and that
must show, at a minimum: (1) A patient's active UDIs, meaning all UDIs
recorded for the patient that have not been designated inactive; (2)
the corresponding description of each UDI in the list (which, as
discussed above, may be either the GUDID attribute ``GMDN PT Name'' or
the ``SNOMED CT[supreg] Description'' mapped to that attribute); and
(3) if one or more inactive UDIs are not included in the list, a method
of accessing those UDIs and their associated information from within
the list. The implantable device list may but need not also include the
identifiers and attributes associated with each UDI that the health IT
must be able to retrieve and make accessible to a user. If the
implantable device list does not contain these identifiers and
attributes, then the health IT would need to enable a user to access
them (for example, by presenting them when a user clicks on an item in
the implantable device list). Similarly, the implantable device list
may but need not include inactive UDIs, so long as these UDIs are
accessible from within the list. For example, the implantable device
list could display only active UDIs so long as it also contained a link
or other obvious way for a user to access all other UDIs recorded for
the patient.
The discussion above should make clear that we are using the term
``implantable device list'' to refer to the
[[Page 62630]]
UDIs and other information that must be presented and made accessible
to a user in the manner described above. This information is distinct
from the information not visible to a user that must be recorded and
exchanged by health IT certified to this criterion. That information is
not an ``implantable device list'' but rather a list of UDIs recorded
for a patient and the associated metadata that must be recorded and
exchanged in accordance with the requirements of the CCDS definition,
the 2015 Base EHR definition, and the C-CDA standard. We discuss this
data separately below in response to comments regarding the exchange of
contextual information about a patient's implantable devices. To avoid
any ambiguity or misinterpretation, we have structured Sec.
170.315(a)(14) to more precisely codify the concepts explained above.
Comments. In the Proposed Rule, we stated that this certification
criterion would not require health IT to be able to exchange or use
contextual information about a device (such as a procedure note). We
requested comment on whether we had overlooked the need for or
feasibility of requiring this functionality. Many of the comments we
received emphasized the importance of recording and exchanging
contextual information about implantable devices. Some commenters
expressed concerns that exchanging UDIs without their proper context
could lead to interoperability, patient safety, or other implementation
challenges. Some commenters also urged us to specify precisely how
contextual information associated with an implantable device should be
recorded and exchanged among health IT certified to this criterion.
These commenters did not identify any specific standards or
implementation specifications. Several other commenters explained that
current standards and implementation guides do not specify a consistent
approach to documenting this information.
Response. We recognize the importance of contextual information
about patients' implantable devices. As described elsewhere in this
rule, we have included the Unique Device Identifier in the CCDS
definition with the intent of capturing and sharing UDIs associated
with implantable devices in both internal EHR records as well as
exchangeable documents. We clarify that, where the UDI is present and
represents an Implantable Device, the UDI should be sent in accordance
with the C-CDA, which specifies its inclusion in the Procedure Activity
section of exchangeable documents. We also expected that appropriate
associated metadata, such as the date and site of the implant, will be
included with the UDI where available as specified in the standard.\32\
---------------------------------------------------------------------------
\32\ The UDI for implantable devices is encoded and exchanged in
the Procedure Activity Procedure (V2) section of C-CDA, which
contains a Product Instance template that can accommodate the UDI
the implantable device, the implant date, and the target site.
Although not required by the standard, this information should be
sent if available, as with all of the CCDS content.
---------------------------------------------------------------------------
Beyond these basic parameters, we believe it is premature to
prescribe the exact content and form of contextual information
associated with UDIs. The comments confirm our observation in the
Proposed Rule that additional standards and use cases will be needed to
support this functionality.
Comments. Some commenters insisted that the proposed criterion
lacked relevance to the majority of providers who do not practice in
surgical or certain kinds of inpatient settings. For this reason, they
suggested that we remove some or all of the criterion from the 2015
Base EHR definition or from the final rule.
Some commenters who otherwise supported our proposal felt that we
should not include this certification criterion in the Base EHR or
should make some of the proposed requirements optional in the 2015
Edition. Similarly, some commenters objected to the inclusion of a
patient's Unique Device Identifiers in the CCDS definition. Some of
these commenters objected in principle to including any requirements
that are not correlated with a meaningful use objective or measure,
while others objected on the basis that this certification criterion
would be unduly costly and burdensome for developers and could place
significant and unnecessary burdens on providers.
Several commenters claimed that this criterion was not ripe and
there were a lack of available standards for certain aspects of our
proposal. Commenters also cited potential implementation challenges,
especially the fact that UDIs and other information about implantable
devices are often captured in IT systems that are not part of certified
health IT. Because bridging these systems will be challenging without
more mature standards or customized interfaces, the information in
these systems may not be recorded in certified health IT.
Response. Again, we reiterate that this criterion is not aimed at
surgical specialties, settings, or systems. It is aimed at delivering
information to all clinicians so that they can know what devices their
patients have and use that information to deliver safer and more
effective care. We take seriously the concerns raised by some
commenters regarding the potential costs and burdens of the proposed
criterion. We have addressed those concerns above in our responses to
comments on the specific aspects of our proposal to which those
concerns pertain. We note that for many of these aspects, health IT
developers often contradicted one another as to the relative costs and
difficulty of implementing the UDI-related capabilities we proposed. As
just one illustration, several EHR developers stated that the
requirement that health IT be able to parse a UDI was infeasible or
would be unduly burdensome. In contradistinction, a different EHR
developer objected to other aspects of the proposal but specifically
endorsed the capability to parse UDIs; and yet another EHR developer
supported all of the capabilities we proposed. In short, health IT
developers' comments regarding cost and burden often pointed in
different directions, which suggests that many of their concerns are
idiosyncratic to particular developers, not generalizable to all
developers or the health IT industry. We submit that competition in the
marketplace is the more appropriate vehicle for mediating such
differences, not our regulations.\33\
---------------------------------------------------------------------------
\33\ In this connection we refer readers to the discussion of
the new transparency and disclosure requirements for health IT
developers finalized elsewhere in this rule.
---------------------------------------------------------------------------
Because all providers should have access to information about their
patients' implantable devices, we are including a patient's Unique
Device Identifiers in the CCDS definition. To ensure that all certified
health IT has the basic ability to exchange, record, and make this
information available, we are including this certification criterion in
the 2015 Base EHR definition. These definitions are not limited to the
EHR Incentive Programs and must support other programs as well as the
broader needs of health IT users throughout the health care system. We
refer commenters to our discussion of these definitions elsewhere in
this final rule. We decline to postpone this criterion until the Unique
Device Identification System is fully implemented for all devices and
across the entire medical device industry, or until additional
standards are fully developed and harmonized for additional use cases.
While this work is ongoing, UDIs are required to be available for all
implantable devices by September 2015. Similarly, standards already
exist for recording and exchanging UDIs for
[[Page 62631]]
implantable devices as structured data in patients' electronic health
records. These standards have been refined since the last time we
proposed to adopt a certification criterion for implantable devices.
And, as noted above, the GUDID is now available via the NLM's
AccessGUDID website and will support web services for this
certification criterion. While full implementation of the Unique Device
Identification System will take several years, and while the
development of standards is an ongoing process, UDIs for implantable
devices can begin to be incorporated in health IT and will support and
help accelerate these other efforts.
Commenters concerns regarding potential ``upstream'' implementation
challenges are valid, but we have addressed those concerns by focusing
this certification criterion only on the baseline functionality
necessary to ensure that, once recorded in a patient's electronic
health record, UDIs can be exchanged among certified health IT and
accessed by users of certified health IT wherever the patient seeks
care.
Social, Psychological, and Behavioral Data
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(a)(15) (Social, psychological, and behavioral data)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition ``social, psychological,
and behavioral data'' certification criterion that would require a
Health IT Module to be capable of enabling a user to record, change,
and access a patient's social, psychological, and behavioral data based
on SNOMED CT[supreg] and LOINC[supreg] codes, including sexual
orientation and gender identity and the ability to record a patient's
decision not to provide information. As the Proposed Rule explained,
the proposed certification criterion is designed to advance the
collection and use of such patient data, to transform health delivery,
to reduce health disparities, and to achieve the overarching goals of
the National Quality Strategy. We proposed that social, psychological,
and behavioral data be coded in accordance with, at a minimum, version
2.50 of LOINC[supreg], and we explained that LOINC[supreg] codes will
be established in a newer version of LOINC[supreg] for the question-
answer sets that do not currently have a LOINC[supreg] code in place,
prior to the publication of the final rule. We proposed that sexual
orientation be coded in accordance with, at a minimum, the September
2014 Release of the U.S. Edition of SNOMED CT[supreg] and HL7 Version 3
that gender identity be coded in accordance with, at a minimum, the
September 2014 Release of the U.S. Edition of SNOMED CT[supreg] and HL7
Version 3, as enumerated in tables in the Proposed Rule. We sought
comment on inclusion of the appropriate social, psychological, and
behavioral data measures, on standardized questions for collection of
sexual orientation and gender identity data, on a minimum number of
data measures for certification, on combining and separating the
measures in certification criteria, and on inclusion of additional data
and available standards.
Comments. Many commenters were in support of our proposal to
include a new certification criterion for the capture of social,
psychological, and behavioral data. Commenters recommended that we
consider including security and privacy safeguards for this information
and additional measures relevant to other settings (e.g., oral health
measures, behavioral health diagnosis history, expansion of violence
measures, and expansion of measure applicability to parents of
pediatric patients). Commenters also recommended that we verify
proposed LOINC[supreg] codes that were listed as pending in the
Proposed Rule.
Some commenters were against certification for this data. These
commenters cited lack of uses cases for the data, overburdening
providers with data collection, and lack of maturity of data standards.
A few commenters were not supportive of additional certification for
criteria that are not proposed to specifically support Stage 3 of the
EHR Incentive Programs.
Response. We thank commenters for their feedback. We have adopted a
2015 Edition ``social, psychological, and behavioral data''
certification criterion that is described in more detail below. As
stated in Proposed Rule (80 FR 16826), we continue to believe that
offering certification to enable a user to record, change, and access a
patient's social, psychological, and behavioral data will assist a wide
array of stakeholders in better understanding how this data may
adversely affect health and ultimately lead to better outcomes for
patients. We also believe that this data has use cases beyond the EHR
Incentive Programs, including supporting the Precision Medicine
Initiative \34\ and delivery system reform. In addition, the Federal
Health IT Strategic Plan aims to enhance routine medical care through
the incorporation of more information into the health care process for
care coordination and a more complete view of health, including social
supports and community resources.\35\ We believe the collection of the
information in certified Health IT Modules through this criterion can
better inform links to social supports and community resources.
---------------------------------------------------------------------------
\34\ http://www.nih.gov/precisionmedicine/.
\35\ http://www.healthit.gov/sites/default/files/9-5-federalhealthitstratplanfinal_0.pdf.
---------------------------------------------------------------------------
In regard to comments expressing privacy and security concerns, we
first note that the functionality in this criterion is focused on
capture and not privacy and security. Second, we have established a
privacy and security certification framework for all Health IT Modules
that are certified to the 2015 Edition (please see section IV.C.1 of
this preamble). Third, we recommend that institutions develop and
maintain policies for the collection and dissemination of this data
that is consistent with applicable federal and state laws.
We appreciate comments on additional data to consider for inclusion
in this criterion. We have, however, determined that the proposed list
presents an appropriate first step for the standardized collection of
social, behavioral, and psychological data. We note, based on feedback
from commenters, we have included the capture of sexual orientation and
gender identity (SO/GI) data in the 2015 Edition ``demographics''
certification criterion. We will continue to consider whether this list
should be expanded through future rulemaking.
We have verified the LOINC[supreg] codes that were proposed and
obtained the codes for those listed as pending in the Proposed Rule,
and have provided the proper codes and answer list IDs for all eight
domains we are adopting in this criterion (please refer to Sec.
170.207(p)) for the full list of LOINC[supreg] codes).
Comments. There were mixed comments on whether we should adopt all
proposed domains in one criterion or adopt a separate criterion for
each proposed domain. We also received mixed feedback on whether
certification would be to all domains, a select number, or at least
one. Commenters in favor of one criterion with all domains stated that
the proposed domains are interrelated and together provide a total
health system perspective that can facilitate care management and
coordination.
Response. We thank commenters and agree that these eight domains
can together provide a more comprehensive picture of the patient that
can facilitate care management and coordination. We also believe that
there will not be a significant increase in development
[[Page 62632]]
burden to meet all the proposed domains because there will be
developmental synergies in meeting all domains using the required
LOINC[supreg] code set. Accordingly, we have adopted one criterion that
requires certification to all eight proposed domains (not including SO/
GI).
Transitions of Care
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(1) (Transitions of care)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition certification criterion for
``transitions of care'' (``ToC'') that is a continuation and extension
of the ``ToC'' certification criterion adopted as part of the 2014
Edition Release 2 final rule at Sec. 170.314(b)(8). We proposed the
following revisions and additions.
Updated C-CDA Standard
We proposed to adopt C-CDA Release 2.0 at Sec. 170.205(a)(4) and
noted that compliance with the C-CDA Release 2.0 cannot include the use
of the ``unstructured document'' document-level template for
certification to this criterion. To address ``bilateral asynchronous
cutover,'' we proposed that the 2015 Edition ``ToC'' certification
criterion reference both the C-CDA Release 1.1 and Release 2.0
standards and that a Health IT Module presented for certification to
this criterion would need to demonstrate its conformance and capability
to create and parse both versions (Release 1.1 and 2.0) of the C-CDA
standards. While we recognized that this proposal was not ideal, we
proposed this more conservative approach as a way to mitigate the
potential that there would be interoperability challenges for
transitions of care as different health care providers adopted Health
IT Modules certified to the 2015 Edition criterion (including CCDA
Release 2.0 capabilities) at different times. We requested comment on
an alternative approach related to the creation of C-CDA-formatted
documents. We noted that the adoption of C-CDA Release 2.0 would be
applicable to all of the other certification criteria in which the C-
CDA is referenced and that, unless C-CDA Release 2.0 is explicitly
indicated as the sole standard in a certification criterion, we would
reference both C-CDA versions in each of these criteria.
Comments. Commenters agreed that C-CDA Release 2.0 offered
improvements compared to Release 1.1 for unifying summary care record
requirements and better enabling exchange of structured data between
providers across disparate settings than previous versions. Commenters
did not support requiring that Health IT Modules presented for
certification would need to demonstrate its conformance and capability
to send, receive, and parse both versions Release 1.1 and 2.0 of the C-
CDA standards. Commenters stated that this proposed requirement would
be too resource intensive, expressed concerns about the storage needed
to store two versions of the C-CDA document, and would require systems
to establish complex rules about handling content that is present in
one version but not in the other. The majority of commenters instead
recommended that we adopt a single version of the C-CDA standard that
would ensure systems can correctly process both Releases 1.1 and 2.0,
with many commenters specifically recommending Release 2.1 of C-CDA
(HL7 Implementation Guide for CDA[supreg] Release 2: Consolidated CDA
Templates for Clinical Notes (US Realm), Draft Standard for Trial Use
Release 2.1, August 2015) \36\ which the industry has developed,
balloted, and published. Release 2.1 provides compatibility between
Releases 2.0 and 1.1 by applying industry agreed-upon compatibility
principles.\37\ Release 2.1 also contains all the new document
templates included in Release 2.0. Commenters also recommended an
alternate pathway if we did not adopt Release 2.1 that would require:
---------------------------------------------------------------------------
\36\ http://www.hl7.org/documentcenter/public/standards/dstu/CDAR2_IG_CCDA_CLINNOTES_R1_DSTUR2.1_2015AUG.zip.
\37\ http://wiki.hl7.org/index.php?title=Consolidated_CDA_R2.1_DSTU_Update.
---------------------------------------------------------------------------
A 2015 Edition certified Health IT Module to be able to
send documents conformant to C-CDA Release 2.0;
A 2015 Edition certified Health IT Module to be able to
parse both a C-CDA Release 1.1 and 2.0 document;
A 2014 Edition certified Health IT Module to be able to
parse a C-CDA Release 1.1 document, and display but not parse a
document conformant to C-CDA Release 2.0.
A few commenters requested clarification on the different kinds of
null values and guidance on what constitutes an ``indication of none''
since blank values will not meet the requirements of the corresponding
measure for transitions of care for Stage 3 of the EHR Incentive
Programs.
Response. We thank commenters for their suggestions to adopt
Release 2.1 rather than require adherence to both versions Release 1.1
and Release 2.0. We agree that Release 2.1 largely provides
compatibility with Release 1.1 while maintaining many of the
improvements and new templates in Release 2.0. While we thank
commenters for the alternate suggested pathway regarding 2014 Edition
certified health IT, this would require a revision to the existing 2014
Edition ``ToC'' certification criteria (Sec. 170.314(b)(1), Sec.
170.314(b)(2), and Sec. 170.314(b)(8)) that would require technology
to be able to display a C-CDA document conformant with C-CDA Release
2.0. We did not propose this approach for public comment. Further, it
would also be impractical and burdensome to implement as it would
require forcing all health IT developers to bring back health IT
certified to the 2014 Edition to update each product's certification.
We believe that adopting Release 2.1 largely achieves the goal to
ensure systems can send, receive, and parse both C-CDA documents
formatted according to Release 1.1 or 2.0 and minimizes the burden
raised by commenters. However, we are aware that a system developed
strictly to Release 2.1 might not automatically support receiving
Release 1.1 C-CDAs without additional development (e.g., additional
generation and import effort since different vocabulary requirements
apply in several places when comparing the two versions of the C-CDA).
Therefore, we have adopted C-CDA Release 2.1 (both Volumes 1 and 2) as
a requirement for the 2015 Edition ``ToC'' criterion at Sec.
170.314(b)(1), and have also adopted the requirement that a Health IT
Module must demonstrate its ability to receive, validate, parse,
display, and identify errors to C-CDA Release 1.1 documents to ensure
compatibility and interoperability. Note that for consistency, all 2015
Edition certification criteria that reference C-CDA creation (e.g.,
clinical information reconciliation and incorporation; view, download,
and transmit to 3rd party) require conformance to Release 2.1. 2015
Edition certification criteria that include a ``receipt'' of C-CDA
documents function (e.g., clinical information reconciliation and
incorporation) will also require testing to correctly process C-CDA
Release 1.1 documents for the reasons described above. This pathway
ensures maximum interoperability while balancing the development
burden.
Regarding the questions of clarification on the use of null values
and what constitutes an ``indication of none'' for the purposes of
meeting the EHR Incentive Program Stage 3 measure, this issue concerns
the information needed to fulfill the ``automated numerator recording''
and ``automated
[[Page 62633]]
measure calculation'' functions proposed at Sec. Sec. 170.315(g)(1)
and (g)(2), respectively. This issue concerns the draft test procedure
for Sec. Sec. 170.315(g)(1) and (g)(2) as related to transitions of
care, and we intend to update the test procedures to include guidance
on how C-CDA R2.1 null values (including ``indication of none'') are
appropriately expressed by applying guidance from the HL7 Examples Task
Force.
We also highly recommend that health IT developers and providers
follow the guidance provided in the HL7 Implementation Guide: S&I
Framework Transitions of Care Companion Guide to Consolidated-CDA for
Meaningful Use Stage 2, Release 1--US Realm \38\ that includes industry
``best practices'' guidance for consistent implementation of the C-CDA
Release 1.1 standard, including for mapping Common MU Data Set elements
into the C-CDA standard. It is our understanding that the industry is
developing an update to this ``companion guide'' to provide guidance on
implementing the C-CDA Release 2.1 standard. We encourage health IT
developers to use the update to develop their products to the 2015
Edition criteria that reference C-CDA Release 2.1 when it becomes
available.
---------------------------------------------------------------------------
\38\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=374.
---------------------------------------------------------------------------
C-CDA Document Template Types
We proposed to require that all certified Health IT Modules be able
to parse C-CDA Release 2.0 documents formatted according to the
following document templates:
Continuity of Care Document (CCD);
Consultation Note;
History and Physical;
Progress Note;
Care Plan;
Transfer Summary;
Referral Note; and
Discharge Summary.
These document templates include clarifications and enhancements
relative to Release 1.1, as well as new document templates (i.e., Care
Plan, Referral Note, and Transfer Summary). We also proposed to
prohibit the use of the unstructured document template.
Comments. Commenters were supportive of the new and clarified
document templates for more specific use cases where a CCD may contain
more information than is necessary. However, a number of commenters
were concerned about the burden to certify all document templates, and
noted that not all document templates were applicable to all settings.
As such, commenters suggested we require only the CCD, Referral Note,
and (for inpatient settings only) Discharge Summary and allow health IT
developers to determine which additional templates would be appropriate
to offer for the settings and providers intended to be served by the
product. A few commenters suggested that we not prohibit the use of the
unstructured document template as it could be a stepping stone to help
providers begin using the C-CDA standard and can be used to provide
reports with images or scanned forms.
Response. We thank commenters for the comments, and acknowledge
that some of the proposed C-CDA document templates may not be
applicable to all settings. Therefore, we have required that certified
Health IT Modules be able to parse C-CDA Release 1.1 and C-CDA Release
2.1 CCD, Referral Note, and (for inpatient settings only) Discharge
Summary document templates for certification to this criterion. We
encourage health IT developers and providers to work together to
determine if additional C-CDA templates would be better suited for
certain settings. For example, the CCD may contain more information
than is necessary for some care transitions and other C-CDA document
templates may provide a more succinct and/or targeted summary of a
patient's clinical information for certain settings. We note that C-CDA
Release 2.1 includes the same document templates included in Release
2.0.
Regarding the use of the unstructured document template, we believe
that it limits interoperability as data is not exchanged in a
structured and standardized (e.g., to certain vocabulary standards)
manner. For the purposes of certification to this certification
criterion, Health IT Modules cannot include the use of the unstructured
document template.
Valid/Invalid C-CDA System Performance and Display
We proposed that Health IT Modules would need to demonstrate the
ability to detect valid and invalid C-CDA documents, including
document, section, and entry level templates for data elements
specified in 2014 and 2015 Editions. Specifically, that this would
include the ability to detect invalid C-CDA documents, to identify
valid C-CDA document templates, to detect invalid vocabularies and
codes not specified in either the C-CDA 1.1 or 2.0 standards or
required by this regulation, and to correctly interpret empty sections
and nullFlavor combinations per the C-CDA 1.1 or 2.0 standards. Last,
we proposed that technology must be able to display in human readable
format the data included in a transition of care/referral summary
document. We explained that we expected that Health IT Modules to have
some mechanism to track errors encountered when assessing received C-
CDA documents and we proposed that health IT be able to track the
errors encountered and allow for a user to be notified of errors or
review the errors produced. We stated these functionalities are an
important and necessary technical prerequisite in order to ensure that
as data in the system is parsed from a C-CDA for incorporation as part
of the ``clinical information reconciliation and incorporation''
certification criterion the user can be assured that the system has
appropriately interpreted the C-CDA it received.
Comments. There was overall support from commenters on the proposal
to require Health IT Modules detect valid and invalid C-CDA documents.
However, similar to the comments above, commenters did not support the
proposal to require validation of both C-CDA Releases 1.1 and 2.0
because of the burden and complexity of processing two versions of the
same standard. A few commenters were concerned with the proposed
requirement for the receiving system to manage an incorrectly formatted
C-CDA document, and requested that this burden should be on the sending
system. A few commenters also requested clarification on whether the
receiver is required to notify the sender of the C-CDA document of
errors. Commenters also requested clarification on how validation and
display would be tested as it would be unrealistic for health IT to
accept every single code in a system. Last, some commenters were
concerned about the ``alert fatigue'' a user could encounter if
notified of every C-CDA error detected by the certified system.
Response. We thank commenters for their support of the proposal. As
noted above, systems would be required to support validation and
display for both Releases 1.1 and Release 2.1 to ensure compatibility
and interoperability. We reiterate as noted above that systems will be
tested to perform the validation and display functions for only the
CCD, Referral Note, and (inpatient settings only) Discharge Summary
templates.
Regarding the burden to the receiving system to process incorrectly
formatted C-CDA errors, we note that all Health IT Modules certified to
a 2015 Edition criterion that includes the functionality to create a C-
CDA are also required to be certified to the ``C-CDA Creation
[[Page 62634]]
Performance'' certification criterion at Sec. 170.315(g)(6). This
certification criterion requires that systems are able to create C-CDA
documents in accordance with a gold standard that we provide, thereby
reducing the potential for errors in a C-CDA sent by an outgoing system
(please refer to the ``C-CDA creation performance'' criterion in the
preamble for further details).
However, we recognize that there may still be errors in created C-
CDA documents from a sending system and therefore continue to believe
in the value of the receiving system to process and validate C-CDA
documents, including notifying the user of errors. We clarify that the
error notification should be available to the receiving user. Regarding
error notification, systems would be required to demonstrate its
ability to notify the user of errors or allow the user to review the
errors for the purposes of certification. Per commenters' concerns
about ``alert fatigue,'' we note there is no explicit requirement that
the user be interrupted regarding the availability of errors. Rather,
that the user needed to be able to access such errors. We anticipate
that validation and display would be tested through visual inspection
that test data in the form of C-CDA documents with and without errors
can be correctly parsed and errors correctly identified.
We have finalized the requirement as part of this criterion that
Health IT Modules must be able to detect valid and invalid transition
of care/referral summaries received and formatted in accordance with C-
CDA Release 1.1 and Release 2.1 for the CCD, Referral Note, and
(inpatient settings only) Discharge Summary document templates,
including detection of invalid vocabulary standards and codes, correct
interpretation of empty sections and null combinations, recording of
errors/notification of errors to the user, and the ability to display a
human readable formatted C-CDA (for both Releases 1.1 and 2.1). We
discuss additional clarifications regarding the display of C-CDA
sections below.
Clinical Relevance of Summary Care Record Information
We have received feedback from providers expressing difficulty
finding or locating the pertinent and relevant clinical information on
a patient from a transition of care/referral summary received as a C-
CDA document. Commenters have indicated that data included in a
transition of care/referral summary document may be rendered and
displayed as a long, multi-page document, which makes it challenging
for a provider to quickly find the clinical information they seek to
make a care decision.
We note that CMS has finalized in the EHR Incentive Programs Stage
3 and Modifications final rule guidance that permits a provider and
organization (i.e., the ``sender'') to define the ``clinical
relevance'' of information sent in a summary care record depending on
the circumstances, as best fits the organizational needs, and as
relevant for the patient population.\39\ CMS notes, however, that the
sending provider has to have the ability to send all clinical notes or
laboratory results in a summary care document if that level of detail
is requested by the receiving provider.
---------------------------------------------------------------------------
\39\ Please see the EHR Incentive Programs Stage 3 and
Modifications final rule published elsewhere in this issue of the
Federal Register.
---------------------------------------------------------------------------
While the guidance in the EHR Incentive Programs Stage 3 and
Modifications final rule does address ``clinical relevance'' from the
sending side and could result in a reduction in the quantity of data
potentially viewed by a recipient as ``unnecessary'' or not useful, we
recognize that certain patients, such as those with complex and/or
chronic conditions may have a transition of care/referral summary sent
to receiving providers with large quantities of data included. In that
respect, we included as part of the 2014 Edition Final Rule a specific
``section views'' capability in the ``transitions of care''
certification criterion (adopted at 45 CFR 170.314(b)(1)(iii)(C)),
which we described as having been added to the certification criterion
in order to make sure that health IT would be able to extract and allow
for individual display each additional section or sections (and the
accompanying document header information (i.e., metadata)) that were
included in a transition of care/referral summary received and
formatted in accordance with the Consolidated CDA (77 FR 54219).
We indicated that this functionality would be useful in situations
when a user wanted to be able to review other sections of the
transition of care/referral summary that were not incorporated (as
required by this certification criterion at 45 CFR 170.314(b)(1)), such
as a patient's procedures and smoking status, and that the technology
would need to provide the user with a mechanism to select and just view
those sections without having to navigate through what could be a
lengthy document.
The section views capability remains as part of the 2015 Edition
version of this criterion. Additionally, to address comments that
raised concerns and requested that we act to address a C-CDA's
``length'' and users' ability to more easily navigate to particular
data within the C-CDA, we have included more precise requirements in
this portion of the certification criterion. Specifically, the 2015
Edition version includes that a user must be able to: (1) Directly
display only the data within a particular section, (2) set a preference
for the display order of specific sections, and (3) set the initial
quantity of sections to be displayed. We also clarify that the sole use
of the CDA.xsl style sheet provided by HL7 to illustrate how to
generate an HTML document from a CDA document will not be acceptable to
meet these requirements. We believe these clarifications will help
address stakeholder concerns regarding the difficulty finding or
locating the pertinent and relevant clinical information on a patient
from a ToC/referral summary received as a C-CDA document. We intend to
ensure that the test procedure for this criterion thoroughly tests
these aspects consistent with the certification criterion's
requirements. We also strongly urge the health IT industry to dedicate
additional focus toward improving the rendering of data when it is
received. Putting such data to use in ways that enable providers to
quickly view and locate the information they deem necessary can help
improve patient care and prevent important information from being
inadvertently missed. We further note that standards experts are aware
of the stakeholder concerns discussed above, and that the HL7
Structured Documents Work Group is working on contributing positive
momentum to this issue.\40\ The HL7 Structured Documents Work Group's
work involves developing guidance on the ``relevant'' data that should
be sent by the sender. We encourage health IT developers to participate
in this process and implement the industry principles arising out of
this project.
---------------------------------------------------------------------------
\40\ http://www.hl7.org/special/Committees/projman/searchableProjectIndex.cfm?action=edit&ProjectNumber=1183.
---------------------------------------------------------------------------
Edge Protocols
We proposed to ``carry-over'' a requirement from the 2014 Edition
Release 2 ``transitions of care'' criterion at Sec. 170.314(b)(8) that
would require a certified Health IT Module be able to send and receive
transition of care/referral summaries through a method that conforms to
the ONC Implementation Guide for Direct Edge Protocols, Version 1.1 at
Sec. 170.202(d).
Comments. Commenters were generally in support of requiring one of
[[Page 62635]]
the four Edge Protocols designated in the ONC IG for Direct Edge
Protocols. One commenter was concerned that the edge protocols offer no
additional value for those that have already implemented Direct.
Response. As stated in the 2014 Edition Release 2 final rule, we
believe that adoption of the ONC IG for Direct Edge Protocols can
improve the market availability of electronic health information
exchange services for transitions of care by separating content from
transport related to transitions of care. We believe that certification
to the Direct Edge Protocols IG can also enable greater certainty and
assurance to health IT developers that products certified to this IG
have implemented the IG's edge protocols in a consistent manner (79 FR
54437). As such, we have finalized the requirement that a certified
Health IT Module be able to send and receive transition of care/
referral summaries through a method that conforms to the ONC
Implementation Guide for Direct Edge Protocols, Version 1.1.
We note that we inadvertently left out a provision of the proposed
regulation text related to Edge Protocol requirements. As noted above
and in the Proposed Rule, we intended to ``carry over'' the Edge
Protocol requirements included in Sec. 170.314(b)(8) for this
criterion. Therefore, we have added to the provision in Sec.
170.315(b)(1)(i)(A) about sending transition of care/referral summaries
through a method that conforms with the Edge Protocol and a requirement
that it must also lead to the summaries being processed by a service
that has implemented Direct. This addition parallels the Direct Edge
Protocol ``receiving'' requirements we proposed and have finalized. It
also clarifies a consistent set of technical capabilities for sending
the Edge Protocol and technologies interacting with services that have
implemented Direct, which again are the exact same requirements
included in Sec. 170.314 (b)(8) that we intended to duplicate in this
2015 Edition criterion.
XDM Package Processing
We proposed to include a specific capability in this certification
criterion that would require a Health IT Module presented for
certification that is also being certified to the SMTP-based edge to
demonstrate its ability to accept and process an XDM package it
receives, which would include extracting relevant metadata and
document(s). We explained that this additional requirement only applies
to a Health IT Module presented for certification with an SMTP-based
edge implementation and not an XDR edge implementation. Because we
expect XDM packaging to be created in accordance with the
specifications included in IHE IT Infrastructure Technical Framework
Volume 2b, Transactions Part B--Sections 3.29--2.43, Revision 7.0,
August 10, 2010 (ITI TF-2b),\41\ we proposed to adopt this as the
standard at Sec. 170.205(p)(1) for assessing whether the XDM package
was successfully processed.
---------------------------------------------------------------------------
\41\ http://www.ihe.net/Technical_Framework/upload/IHE_ITI_TF_Rev7-0_Vol2b_FT_2010-08-10.pdf.
---------------------------------------------------------------------------
Comments. Commenters were supportive of the proposal to demonstrate
XDM package processing. Many commenters recommended that processing on
receipt depends on metadata in the XDM package that should be aligned
with the general metadata in Appendix B of the IHE Data Access
Framework Document Metadata Based Access Implementation Guide that was
published for public comment on June 1, 2015.\42\ One commenter
recommended that the certification criterion point specifically to
section 3.32.4.1.4 of ITI TF-2b.
---------------------------------------------------------------------------
\42\ http://ihe.net/uploadedFiles/Documents/PCC/IHE_PCC_IG_DAF_National%20Extension_Rev1.0_PC_2015-06-01.pdf.
---------------------------------------------------------------------------
Response. We thank commenters for their support of the proposal and
have finalized this requirement that Health IT Modules certified to an
SMTP-based edge protocol be able to receive and make available the
contents of an XDM package formatted in accordance with ITI TF-2b,
which we have adopted at Sec. 170.205(p)(1). We note that the ONC
Implementation Guide for Direct Edge Protocols adopted at Sec.
170.202(d) and required for this criterion as discussed above
references the guidance in the ONC XDR and XDM for Direct Messaging
Specification for proper use of metadata that is aligned with the IHE
Data Access Framework Document Metadata Based Access IG. Therefore, we
do not believe it is necessary to reference the IHE IG as these
metadata requirements are already referenced and required for this
criterion. Similarly, our requirement to adhere to the ITI TF-2b would
include any specific section required in the standard, and thus we do
not need to reference a specific section.
SMTP-based transport systems use standard Multi-Purpose Internet
Mail Extension (MIME) to identify email attachments and to enable
receiving computer systems to process attachments seamlessly. For
example, a MIME type of ``text/html'' identifies text styled in HTML
format. C-CDA documents are commonly identified using ``text/xml'' and
``application/xml'' MIME types. In addition, XDM packages are commonly
identified with ``application/zip'' and ``application/octet-stream''
MIME types. However, these MIME types have not been standardized by the
community for transporting C-CDA and XDM files. Systems could
potentially use other valid MIME types to send the documents. While
these standard MIME types provide sufficient information for receiving
systems to render content, they do not provide a way to distinguish the
C-CDA and XDM documents from all the other documents that could be sent
using the same MIME types. Until an appropriate set of MIME types are
developed that can uniquely identify C-CDA and XDM, there is widespread
acknowledgement that the receiving systems should accept all common
MIME types, and use the information within the actual documents, to
process C-CDA and XDM accordingly. Hence, in order to facilitate
interoperability, we expect Health IT Modules to be able to support all
commonly used MIME types when receiving C-CDA and XDM packages. We
intend to update the test procedure to include guidance on specific
MIME types that we expect Health IT Modules to support, at a minimum.
Common Clinical Data Set
We proposed to require Health IT Modules to enable a user to create
a transition of care/referral summary that includes, at a minimum, the
Common Clinical Data Set for the 2015 Edition that includes references
to new and updated vocabulary standards code sets.
Comments. Commenters were supportive of this proposal overall. A
few commenters were concerned about specific data elements in the
proposed 2015 Edition Common Clinical Data Set definition.
Response. We thank commenters for their support and have adopted
the requirement that Health IT Modules enable a user to create a
transition of care/referral summary that includes the 2015 Edition
Common Clinical Data Set at a minimum. We address the specific data
elements in the 2015 Edition Common Clinical Data Set definition in
under section III.B.3 of this final rule.
Encounter Diagnoses
We proposed to continue the requirement from the 2014 Edition
``ToC'' certification criterion that a Health IT Module must enable a
user to create a transition of care/referral summary that also includes
encounter diagnoses using either SNOMED CT[supreg] (September 2014
Release of the U.S.
[[Page 62636]]
Edition as a baseline for the 2015 Edition) or ICD-10-CM codes.
Comments. One commenter recommended solely the use of ICD-10-CM for
encounter diagnoses and certification. Another commenter requested
clarification on whether the encounter diagnoses are meant to be
``billing diagnoses'' and whether the health IT would need to include
all billing diagnoses for encounters or just the primary encounter, and
how primary would be determined.
Response. As stated in our 2014 Edition final rule (77 FR 54178 and
54220), we believe that SNOMED CT[supreg] is the more appropriate
vocabulary for clinical purposes and provides greater clinical
accuracy. However, it may be beneficial for inpatient Health IT Modules
to be certified to and support the use of ICD-10-CM to represent
diagnoses, and finalized the 2014 Edition ``transitions of care--create
and transmit'' criterion at Sec. 170.314(b)(1) to allow for either
ICD-10-CM or SNOMED CT[supreg]. We continue this policy and have
finalized the requirement for this 2015 Edition ``ToC'' certification
criterion that a Health IT Module enable a user to create a transition
of care/referral summary that includes encounter diagnoses using either
SNOMED CT[supreg] (September 2015 Release of the U.S. Edition as a
baseline for the 2015 Edition \43\) or ICD-10-CM codes.
---------------------------------------------------------------------------
\43\ We refer readers to section III.A.2.c (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
SNOMED CT[supreg] as a minimum standards code set and our decision
to adopt this version.
---------------------------------------------------------------------------
We note that our certification requirement does not dictate what
encounter diagnoses providers would include in a transitions of care
document, only that certified Health IT Modules can enable a provider
to include encounter diagnoses using SNOMED CT[supreg] or ICD-10-CM.
``Create'' and Patient Matching Data Quality
As a part of the ``Create'' portion of the ``ToC'' criterion in the
2015 Edition, we proposed to require a Health IT Module to be able to
create a transition of care/referral summary that included a limited
set of standardized data in order to improve the quality of the data
that could potential be used for patient matching by a receiving
system. The proposed standardized data included: First name, last name,
maiden name, middle name (including middle initial), suffix, date of
birth, place of birth, current address, historical address, phone
number, and sex, with constrained specifications for some of the
proposed standardized data.
Comments. There was general support for requiring the proposed data
elements to be exchanged in order to improve patient matching. Some
commenters were concerned with conflicts between the proposed approach
and existing systems' algorithms and patient matching protocols. A few
commenters recommended that we wait until there is a consensus-based
patient matching standard before adopting requirements for
certification. A few commenters also noted that the proposal does not
address data quality.
Response. We note that systems can continue to use their existing
algorithms and patient matching protocols and that our proposed
approach was not intended to conflict with any existing practice. We
reiterate that the proposed data elements stem from the HITPC's and
HITSC's recommendations and findings from the 2013 ONC initiative on
patient matching as described in the Proposed Rule (80 FR 16833-16834).
We continue to believe these recommendations represent a first step
forward that is consensus-based. We agree that the proposal did not
address data quality in the sense that it would improve the
``source's'' practices and procedures to collect highly accurate and
precise data. However, we believe that including standards for the
exchange of certain data elements could improve interoperability and
provides an overall level of consistency around how the data are
represented. We encourage ongoing stakeholder efforts focused on
improving patient matching through better data quality processes and
will continue to monitor and participate in these activities.
Comments. Commenters recommended that we ensure alignment between
the proposed data elements and corresponding standards with those in
the C-CDA standard.
Response. We have performed an analysis of the proposed data
elements and standards with those in C-CDA Release 2.1 and have made
some revisions as described below. In some cases, the ONC method may be
more constrained than what is in C-CDA Release 2.1 and we believe there
will be no conflict. Rather the additional constraint is intended to
promote patient matching and interoperability. We also address
standards for specific elements below.
Comments. Commenters suggested that we should not reference the
CAQH Phase II Core 258: Eligibility and Benefits 270/271 Normalizing
Patient Last Name Rule version 2.1.0 for suffix as it puts JR, SR, I,
II, III, IV, and V in the same field as RN, MD, PHD, and ESQ.
Commenters felt that these suffixes should be kept separate as it could
be confusing if a patient has more than one suffix (e.g., JR and MD).
Individuals may also not use both suffixes in all circumstances, so it
may be difficult to match records using both.
Response. We agree with the comments and have not adopted the
constraint for suffix to adhere to the CAQH standard. We recommend that
health IT developers and providers follow the guidance for suffix in C-
CDA Release 2.1 for exchange, which allows for an additional qualifier
for any suffix provided with the last name field.
Comments. One commenter noted that the CAQH Phase II Core 258:
Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule
version 2.1.0 is intended for normalization of information upon receipt
rather than at the point of sending. Pre-normalization can lead to data
loss and detract from patient matching. Therefore the commenter
recommended ONC not require the CAQH Phase II Core 258: Eligibility and
Benefits 270/271 Normalizing Patient Last Name Rule version 2.1.0 for
normalizing last name in the sending of transition of care/referral
summary documents and rather point to it as guidance for receiving
systems.
Response. We agree with the commenter, and have not adopted the
constraint for last name normalization in accordance with the CAQH
standard. We recommend that health IT developers and providers follow
the guidance for last name in C-CDA Release 2.1 for exchange of
transition of care/referral summary documents.
Comments. A few commenters suggested that the concept of ``maiden
name'' is not used in all cultures and is also gender-specific. Some
commenters noted that some nationalities, cultures, or ethnic groups do
not use this term and, in other cases, an individual may adopt more
than one family name during marriage. There are other cases where the
last name or family name has been legally changed for other situations.
Most commenters recommended we instead use another term that broadly
captures these situations and allows for aliases that a patient may use
in these circumstances.
Response. We thank commenters for the feedback and have revised
``maiden name'' to ``previous name'' to accommodate for any other
aliases including the situations described above by the commenters. We
note that the C-CDA Release 2.1 contains a field for ``birth name''
that can accommodate this information.
Comments. A number of commenters were concerned about including
place
[[Page 62637]]
of birth in the list of data elements as there is a lack of standards
on representing the place of birth. Some systems include city, county,
state, and country, while other systems may only include some of these
elements. Therefore, these commenters stated that it would be difficult
to standardize on place of birth as proposed and it would offer no
additional value for improving patient matching.
Response. We agree with commenters that the lack of standards for
representing place of birth would not improve patient matching at this
time and, therefore, have not finalized this data element requirement.
Comments. A few commenters noted concerns about including the hour,
minute, and second of the date of birth, and suggested that the time
zone is needed to correctly match records.
Response. We note that as proposed in the 2015 Edition, the hour,
minute, and second of the date of birth were optional or conditional
fields based on whether they were included. Since we have not finalized
the proposed requirement to include place of birth, we have revised the
requirement as follows. We clarify that for the purposes of
certification that the hour, minute, and second for a date of birth are
optional for certification. If a product is presented for certification
to this optional provision, the technology must demonstrate that the
correct time zone offset is included.
Comments. One commenter supported the proposal to include phone
number in the list of patient match elements. Another commenter
recommended we specify a standard for representing phone number.
Response. We clarify that we proposed that the phone number must be
represented in the ITU format specified in the International
Telecommunication Union (ITU)'s ITU-T E.123 \44\ and ITU-T E.164
standards.\45\ These are the best available industry standards for
representing phone number and we have adopted them for representing
phone number in this certification criterion.
---------------------------------------------------------------------------
\44\ http://www.itu.int/rec/T-REC-E.123-200102-I/e.
\45\ http://www.itu.int/rec/T-REC-E.164-201011-I/en I/en.
---------------------------------------------------------------------------
Comments. As stated above, commenters suggested we perform an
analysis of the standards required by the C-CDA standard and resolve
any inconsistencies with our proposal.
Response. In our analysis of the proposed data elements with the C-
CDA Release 2.1 standard as suggested by commenters, we found that the
C-CDA Release 2.1 standard is not able to distinguish between
historical and current address as proposed. Because of the discrepancy
between our proposal and what the C-CDA Release 2.1 can accommodate, we
have revised the requirement to ``address'' (not specified as
historical or current). We note that C-CDA Release 2.1 can accommodate
more than one address. It is our understanding that the underlying
parent C-CDA standard (i.e., CDA) included the ability to send a
useable period with the address to specify different addresses for
different times of the year or to refer to historical addresses.
However, this useable period was removed from C-CDA as it did not have
enough use. We intend to work with stakeholders going forward in
assessing whether the useable period should be included in future
versions of the C-CDA standard or whether there are other methods for
distinguishing historical or current address for consideration in
future rulemaking.
Comments. A number of commenters recommended ONC adopt the US
Postal Service (USPS) standard for representing address. Commenters
noted that the standard is widely supported by health care
organizations today, and that it is recommended by the American Health
Information Management Association.\46\ Another commenter recommended
we consider adoption of the GS1 Global Location Number standard.
---------------------------------------------------------------------------
\46\ http://perspectives.ahima.org/wp-content/uploads/2014/12/PatientMatchingAppendixA.pdf.
---------------------------------------------------------------------------
Response. We thank commenters for the input. At this point in time
and since this patient matching requirement focuses on the use and
representation of address in the C-CDA standard, we believe that use of
the C-CDA standard's built-in requirements is the best, most
incremental path forward. We note the C-CDA Release 2.1 standard
references the HL7 postal format. Additionally, testing and validation
to the HL7 postal format in the C-CDA standard is already available as
part of 2014 Edition ``transitions of care'' testing to C-CDA Release
1.1. We see a need for continued industry work to determine the
appropriateness of existing standards and tools for normalizing postal
address for health care use cases such as matching of electronic
patient health records, and intend to work with stakeholders in this
space. Thus, we look forward to continuing to work with stakeholders to
analyze the USPS address standard \47\ and other industry standards
with respect to any future updates to the C-CDA to bring about
industry-wide consistency. We anticipate the C-CDA validation tool for
2015 Edition ``transitions of care'' testing will carry over the 2014
Edition testing and suggest that health IT developers and implementers
adhere to the guidance in C-CDA Release 2.1 on the use of the HL7
postal format.
---------------------------------------------------------------------------
\47\ http://pe.usps.gov/cpim/ftp/pubs/Pub28/pub28.pdf.
---------------------------------------------------------------------------
Comments. A few commenters suggested we consider the addition of
data elements to the proposed list, such as a social security number or
the last four digits of a social security number.
Response. We thank commenters for the suggestions but do not agree
and have not accepted these suggestions. We have evaluated the list
proposed in the Proposed Rule \48\ and continue to believe that it
represents a good first step toward improving patient matching in line
with the HITSC, HITPC, and ONC 2013 patient matching initiative
recommendations. We intend to continue our work in developing patient
matching best practices and standards, including evaluating the
feasibility, efficacy, and, in some cases, the legality of specifying
other data elements for patient matching. We may propose to expand this
list or adopt a more sophisticated patient match policy in future
rulemaking as standards mature.
---------------------------------------------------------------------------
\48\ First name, last name, maiden name, middle name (including
middle initial), suffix, date of birth, place of birth, current
address, historical address, phone number, and sex, with constrained
specifications for some of the proposed standardized data.
---------------------------------------------------------------------------
Comments. A few commenters noted that a 100% patient match is
impossible to achieve in every instance.
Response. We note that our proposal only concerns the ability of a
certified Health IT Module to create a transition of care/referral
summary document that contains the proposed data elements in accordance
with the specified standards/constraints. The proposal would not
require a system to demonstrate how it performs patient matching with
these data for certification. As noted above, we believe the algorithms
and patient matching protocols are best left to health IT systems and
providers to determine at this point in time. While the HITPC
recommended \49\ that we should develop, promote, and disseminate best
practices, there is not an industry-wide standard for patient matching
protocols that is ready to require as a condition of certification. We
intend to continue working with the industry to develop these best
practices, and will evaluate at a later point if certification would
[[Page 62638]]
confer additional benefit for improving patient matching. Until such
protocols are established and mature, our requirement addresses the
HITPC's first recommendation, which is to provide standardized formats
for demographic data fields.
---------------------------------------------------------------------------
\49\ http://www.healthit.gov/FACAS/sites/default/files/standards-certification/8_17_2011Transmittal_HITSC_Patient_Matching.pdf.
---------------------------------------------------------------------------
In consideration of public comments, we have finalized the
requirement that Health IT Modules must be able of creating a
transition of care/referral summary in accordance with just C-CDA
Release 2.1 as part of this certification criterion that includes the
following data formatted to the associated standards/constraints where
applicable:
First name;
Last name;
Previous name;
Middle name (including middle initial);
Suffix;
Date of birth--The year, month, and day of birth are
required fields. Hour, minute, and second are optional fields; however,
if hour, minute, and second are provided then the time zone offset must
be included. If date of birth is unknown, the field should be marked as
null;
Address;
Phone number--Represent phone number (home, business,
cell) in the ITU format specified in ITU-T E.123 \50\ and ITU-T E.164
\51\ which we are adopting at Sec. 170.207(q)(1). If multiple phone
numbers are present, all should be included; and
---------------------------------------------------------------------------
\50\ http://www.itu.int/rec/T-REC-E.123-200102-I/e.
\51\ http://www.itu.int/rec/T-REC-E.164-201011-I/en I/en.
---------------------------------------------------------------------------
Sex in accordance with the standard we are adopting at
Sec. 170.207(n)(1).
We note that we corrected the date of birth requirements to specify
the year, month, and day of birth as the required fields. We previously
inadvertently listed ``date'' instead of ``day.''
Direct Best Practices
Given feedback from stakeholders regarding health IT developers
limiting the transmission or receipt of different file types via
Direct, we reminded all stakeholders in the Proposed Rule of the
following best practices for the sharing of information and enabling
the broadest participation in information exchange with Direct: http://wiki.directproject.org/Best+Practices+for+Content+and+Workflow. We did
not include a proposal or request for comment related to this guidance.
Comments. One commenter recommended we review the challenges and
solutions recommended by the DirectTrust in Chapter 2, Chapter 7 and
Chapter 8 of the white paper, ``A Report on Direct Trust
Interoperability Testing and Recommendations to Improve Direct
Exchange.\52\
---------------------------------------------------------------------------
\52\ http://static1.1.sqspcdn.com/static/f/1340919/26054983/1426686689687/Report+on+DirectTrust+Interoperability+Testing.pdf?token=A0DNBiAqjJ2YzuhUTn4vnBMrtVI%3D.
---------------------------------------------------------------------------
Response. As we did not include a proposal or request for comment,
we thank the commenter for the recommendation and will review the
recommended material.
Certification Criterion for C-CDA and Common Clinical Data Set
Certification
We noted that no proposed 2015 Edition certification criterion
includes just the C-CDA Release 2.0 and/or the Common Clinical Data
Set, particularly with the 2015 Edition not including a proposed
``clinical summary'' certification criterion as discussed in the 2015
Edition Proposed Rule (80 FR 16850). We requested comment on whether we
should adopt a separate 2015 Edition certification criterion for the
voluntary testing and certification of health IT to the capability to
create a summary record formatted to the C-CDA Release 2.0 with or
without the ability to meet the requirements of the Common Clinical
Data Set definition.
Comments. We received comments in favor of adopting a new 2015
Edition criterion that includes just the ability of a Health IT Module
to enable a user to create a transition of care/summary care record in
accordance with C-CDA Release 2.0 and with the ability to meet the
requirements of the Common Clinical Data Set.
Response. We have adopted two new 2015 Edition certification
criteria (with no relation to the EHR Incentive Programs) that include
just the ability of a Health IT Module to enable a user to create (one
criterion) and receive (one criterion) a transition of care/referral
summary in accordance with C-CDA Release 2.1 (create) and both C-CDA
Releases 1.1 and 2.1 (receive) and with the ability to meet the
requirements of the Common Clinical Data Set at Sec. 170.315(b)(4) and
Sec. 170.315(b)(5), respectively. For the certification criterion
adopted to ``create'' a transition of care/referral summary at Sec.
170.315(b)(4), we have also, for consistency, include the same patient
matching data as referenced by the ``ToC'' certification criterion. We
refer readers to the ``Common Clinical Data Set summary record--
create'' and ``Common Clinical Data Set summary record--receive''
certification criteria in this section of the preamble for a more
detailed description of the rationale and specific requirements of the
new certification criteria.
C-CDA Data Provenance Request for Comment
We requested comment on the maturity and appropriateness of the HL7
IG for CDA Release 2: Data Provenance, Release 1 (US Realm) (DSTU) \53\
for the tagging of health information with provenance metadata in
connection with the C-CDA, as well as the usefulness of this IG in
connection with certification criteria, such as ``ToC'' and ``VDT''
certification criteria.
---------------------------------------------------------------------------
\53\ http://wiki.hl7.org/index.php?title=HL7_Data_Provenance_Project_Space and http://gforge.hl7.org/gf/project/cbcc/frs/?action=FrsReleaseBrowse&frs_package_id=240.
---------------------------------------------------------------------------
Comments. Although commenters were supportive of the usefulness of
data provenance, the majority of commenters did not think the HL7 Data
Provenance standard was mature for adoption at this point in time.
Response. We thank commenters for their input and will continue to
monitor the industry uptake and maturity of the HL7 Data Provenance
standard in consideration of future rulemaking.
Clinical Information Reconciliation and Incorporation
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(2) (Clinical information reconciliation and
incorporation)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``clinical information
reconciliation and incorporation'' certification criterion that is a
revised (but largely similar to the 2014 Edition Release 2) version of
the ``clinical information reconciliation and incorporation'' criterion
adopted at Sec. 170.314(b)(9). First, we proposed that Health IT
Modules must be able to incorporate and reconcile information upon
receipt of C-CDA's formatted to both Release 1.1 and Release 2.0 for
similar reasons (e.g., for compatibility with Release 1.1) as proposed
for the ``ToC'' criterion described above.
Comments. Commenters were generally supportive of the proposal to
adopt a criterion for ``clinical information reconciliation and
incorporation'' for interoperability.
Response. We thank commenters for their support and have adopted a
2015 Edition criterion for ``clinical information reconciliation and
incorporation'' with the following changes and clarifications as
discussed below.
Comments. Similar to the comments we received for the ``ToC''
criterion, commenters were not in favor of the proposed requirement to
support both
[[Page 62639]]
versions of C-CDA Release 1.1 and 2.0 because of the burden to receive
and process two versions of the same standard.
Response. As discussed in the preamble of the ``ToC'' criterion
above, we have adopted a requirement that systems must be able to
receive and correctly process documents formatted to both C-CDA
Releases 1.1 and 2.1. While C-CDA Release 2.1 largely addresses
compatibility issues with Release 1.1 and reduces the burden for
systems receiving both versions, we are aware that a system developed
strictly to Release 2.1 might not automatically support receiving
Release 1.1 C-CDAs without additional development. Therefore, this
criterion will focus on functionalities to receive, incorporate, and
reconcile information from a C-CDA formatted to Releases 1.1 and 2.1.
C-CDA Document Templates and Reconciliation
We proposed that a certified Health IT Module be able to receive,
reconcile, and incorporate information from the C-CDA Release 2.0 CCD,
Discharge Summary, and Referral Note document templates at a minimum.
Note that we incorrectly referenced the ``Referral Summary'' document
template. There is no ``Referral Summary'' document template and we
intended the ``Referral Note'' document template.
Comments. We did not receive specific comments regarding the C-CDA
document templates proposed for this criterion.
Response. Although we did not receive comments regarding the C-CDA
document templates for this certification criterion, we maintain the
consistency decision discussed in the ``ToC'' criterion to require
incorporation and reconciliation of information from the C-CDA Releases
1.1 and 2.1 CCD, Referral Note, and (for inpatient settings only)
Discharge Summary document templates. We believe this will provide
consistency between the minimum certification requirements for systems
creating and sending C-CDA documents for transitions of care and this
criterion for the receipt, incorporation, and reconciliation of C-CDA
information.
Data for Reconciliation
We proposed that a Health IT Module must be able to reconcile and
incorporate, at a minimum: problems, medications, and medication
allergies from multiple C-CDAs, with testing for this specific system
performance to verify the ability to incorporate valid C-CDAs with
variations of data elements to be reconciled (e.g., documents with no
medications, documents having variations of medication timing data). We
also proposed that problems be incorporated in accordance with the
September 2014 Release of the U.S. Edition of SNOMED CT[supreg] and
that medications and medication allergies be incorporated in accordance
with the February 2, 2015 monthly version of RxNorm as a baseline and
in accordance with our ``minimum standards code sets'' policy.
Comments. A few commenters suggested we include additional data for
incorporation and reconciliation, such as food allergies and
intolerances, labs, and immunizations.
Response. As stated in the 2014 Edition final rule, we continue to
believe that problems, medications, and medication allergies are the
minimum data that should be reconciled and incorporated from a C-CDA
(77 FR 54223). We note that this minimum requirement for certification
would not prohibit health IT developers from including functionality to
reconcile and incorporate a broader set of information from a C-CDA,
which is something we encourage developers to pursue.
Comments. One commenter suggested that a provider may use different
functionality for the reconciliation of medications distinct from the
medication allergies and/or problems, and recommended that that
certification criterion should allow for distinct or combined
reconciliation approaches.
Response. We clarify that the certification criterion would allow
for distinct (individual) or combined reconciliation functions for
medications, medication allergies, and problems to be implemented so
long as all the functions can be demonstrated.
Comments. Commenters were supportive of testing for this criterion
to verify a Health IT Module's ability to incorporate valid C-CDAs with
variations in the data elements to be reconciled. Commenters believed
this would reasonably test the real-world variation that may be found
in C-CDA documents.
Response. We thank commenters for their support and intend for
testing to verify a certified Health IT Module's ability to incorporate
valid C-CDAs with variations in the data elements.
C-CDA Creation for Validation of Accurate Reconciliation
We proposed to require that a C-CDA be created based on the
reconciliation and incorporation process in order to validate the
incorporation results. We expected that the generated C-CDA would be
verified using test tools for conformance and can be checked against
the information that was provided to incorporate.
Comments. We received mixed feedback on this proposal. Some
commenters were concerned that this requirement would not provide added
benefit for Health IT Module users or patients. Other commenters noted
that this requirement would be adding in a ``create'' function to this
criterion, which they thought contradicted the modularity we previously
introduced in the 2014 Edition Release 2 final rule when we made
modifications to the 2014 Edition ``transitions of care'' and
``clinical information reconciliation'' criteria.
Response. We believe that the creation of a C-CDA based on the
reconciliation and incorporation process will improve and automate the
testing and verification process. While there are other methods of
verifying reconciliation, such as queries and list displays, an
automated verification through the use of test tools provides the most
assurance that the information was reconciled and incorporated
correctly. We do not believe this requirement will add unnecessary
burden as it is our understanding that systems that receive,
incorporate, and reconcile C-CDA information can also create a C-CDA.
Furthermore, the purpose of this additional portion of the
certification criterion is to increase provider assurance that the
incorporation performed by a system post-reconciliation is accurate and
complete.
With respect to the comments that mentioned an apparent
contradiction with the requirement for ``creating'' a C-CDA as part of
this certification criterion, we disagree, and remind commenters that
the changes we made in the 2014 Edition Release 2 final rule were to
better position the ``incorporation'' functionality in the right
certification criterion (79 FR 54438-54439). Therefore, we have adopted
the requirement that Health IT Modules be able to create a C-CDA
Release 2.1 based on the reconciliation and incorporation process that
will be verified during testing and certification. Note that this
requirement applies to the ability to create a C-CDA formatted to the
C-CDA Release 2.1 CCD document template only.
Comments. One commenter asked for clarification on whether the
proposed regulation text ``technology must be able to demonstrate that
the transition of care/referral summary received is or can be properly
matched to the correct patient'' means that Health IT Modules must be
able to auto-match to the correct patient. Commenters noted that
[[Page 62640]]
many systems allow for manual match, and that an auto-match may not be
the most appropriate method to match patient records.
Response. We clarify that it was not our intention to prescribe how
patient match is performed for this criterion. We have revised the
regulation text to reflect that the technology must demonstrate that
the received transition of care/referral summary document can be
properly matched to the correct patient. We leave the flexibility to
the health IT developer and provider to determine the best method for
patient match.
Comments. A few commenters were concerned with the proposed
requirement that for each list type (i.e., medications, medication
allergies, or problems) the Health IT Module must simultaneously
display the data from at least two sources. Commenters noted that there
would not be two sources if the patient is new to the receiving system.
Response. We reiterate that for the purposes of testing and
certification, Health IT Modules must demonstrate the ability to
simultaneously display the data from at least two sources. While the
commenters' point is fair it is not within scope for the purposes of
testing and certification, which focuses on when there is data to
reconcile. In other words, the purpose of this certification criterion
is, in part, to assess technology's capability to reconcile data from
two sources. Testing and certification is focused on ensuring that that
functionality exists and performs correctly. Additionally, the
criterion does not address the totality of capabilities that may be
present in the technology. In cases where a new patient presents this
specific functionality may not be applicable or used at all.
Electronic Prescribing
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(3) (Electronic prescribing)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition certification criterion for e-
prescribing that is revised in comparison to the 2014 Edition ``e-
prescribing'' criterion (Sec. 170.314(b)(3)).
First, we proposed to require a Health IT Module certified to this
criterion be able to receive and respond to additional National Council
for Prescription Drug Programs (NCPDP) SCRIPT Standard Implementation
Guide Version 10.6 (v10.6) transactions or segments in addition to the
New Prescription transaction, namely Change Prescription, Refill
Prescription, Cancel Prescription, Fill Status, and Medication History.
We proposed to require that a Health IT Module be able to send and
receive end-to-end prescriber-to-receiver/sender-to-prescriber
transactions (bidirectional transactions). The proposed transactions
and reasons for inclusion for testing and certification are outlined in
Table 5 below.
Table 5--Proposed Additional \54\ NCPDP SCRIPT v10.6 Transactions for Testing and Certification to e-Prescribing
Certification Criterion
----------------------------------------------------------------------------------------------------------------
NCPDP SCRIPT v10.6 transaction or Problem addressed/value in
segment Use case(s) testing for certification
----------------------------------------------------------------------------------------------------------------
Change Prescription (RXCHG, CHGRES).. Allows a pharmacist to request a Facilitates more efficient,
change of a new prescription or a standardized electronic
``fillable'' prescription. communication between
Allows a prescriber to respond to prescribers and pharmacists
pharmacy requests to change a for changing prescriptions.
prescription.
Cancel Prescription (CANRX, CANRES).. Notifies the pharmacist that a Facilitates more efficient,
previously sent prescription should be standardized electronic
canceled and not filled. communication between
Sends the prescriber the results prescribers and pharmacists
of a prescription cancellation request. for cancelling
prescriptions.
Refill Prescription (REFREQ, REFRES). Allows the pharmacist to request Facilitates more efficient,
approval for additional refills of a standardized electronic
prescription beyond those originally communication between
prescribed. prescribers and pharmacists
Allows the prescriber to grant for refilling prescriptions.
the pharmacist permission to provide a
patient with additional refills or
decline to do so.
Fill Status (RXFILL)................. Allows the pharmacist to notify the Allows the prescriber to know
prescriber about the status of a whether a patient has picked
prescription in three cases: (1) To up a prescription, and if
notify the prescriber of a dispensed so, whether in full or in
prescription, (2) to notify the part. This information can
prescriber of a partially dispensed inform assessments of
prescription, and (3) to notify a medication adherence.
prescriber of a prescription not
dispensed.
Medication History (RXHREQ, RXHRES).. Allows a requesting entity to Allows a requesting entity to
generate a patient-specific medication receive the medication
history request. history of a patient. A
The responding entity can prescriber may use this
respond, as information is available, information to perform
with a patient's medication history, medication utilization
including source, fill number, follow-up review, medication
contact, date range. reconciliation, or other
medication management to
promote patient safety.
----------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------
\54\ We proposed to keep the ``New Prescription'' transaction
for testing and certification.
---------------------------------------------------------------------------
We solicited comment on other NCPDP SCRIPT v10.6 transactions that
should be considered for testing and certification, and for what use
cases/value, and the factors to consider for end-to-end prescriber-to-
receiver testing.
Second, we proposed to require that a Health IT Module certified to
this criterion enable a user to enter, receive, and transmit codified
Sig instructions in a structured format in accordance with NCPDP
Structured and Codified Sig Format Implementation Guide v1.2 which is
embedded within NCPDP SCRIPT v10.6 for certification to the e-
prescribing criterion in the 2015 Edition.\55\ We proposed this because
we
[[Page 62641]]
believe standardizing and codifying the majority of routinely
prescribed directions for use can promote patient safety, as well as
reduce disruptions to prescriber workflow by reducing the number of
necessary pharmacy call-backs. We proposed that this requirement apply
to the New Prescription, Change Prescription, Refill Prescription,
Cancel Prescription, Fill Status, and Medication History prescription
transactions or segments as we understood that the NCPDP Structured and
Codified Sig Format can be used for all NCPDP SCRIPT v10.6 prescription
transactions that include directions for medication use. We also
proposed to require that a Health IT Module include all structured Sig
segment components enumerated in NCPDP SCRIPT v10.6 (i.e., Repeating
Sig, Code System, Sig Free Text String, Dose, Dose Calculation,
Vehicle, Route of Administration, Site of Administration, Sig Timing,
Duration, Maximum Dose Restriction, Indication and Stop composites).
---------------------------------------------------------------------------
\55\ NCPDP's Structured and Codified Sig Format Implementation
Guide v1.2 is within the NCPDP SCRIPT v10.6 standard. https://www.ncpdp.org/NCPDP/media/pdf/StandardsMatrix.pdf.
---------------------------------------------------------------------------
We solicited comment on whether we should require testing and
certification to a subset of the structured and codified Sig format
component composites that represent the most common Sig instructions
rather than the full NCPDP Structured and Codified Sig Format
Implementation Guide v1.2. NCPDP published recommendations for
implementation of the structured and Codified Sig format for a subset
of component composites that represent the most common Sig segments in
the NCPDP SCRIPT Implementation Recommendations Version 1.29.\56\
---------------------------------------------------------------------------
\56\ http://www.ncpdp.org/NCPDP/media/pdf/SCRIPTImplementationRecommendationsV1-29.pdf.
---------------------------------------------------------------------------
Third, we proposed that a Health IT Module certified to this
criterion be capable of limiting a user's ability to electronically
prescribe all medications only in the metric standard, and be capable
of always inserting leading zeroes before the decimal point for amounts
less than one when a user electronically prescribes medications. We
also proposed that the Health IT Module not allow trailing zeroes after
a decimal point. We stated our intent for proposing these requirements
was to support more precise prescription doses in order to reduce
dosing errors and improve patient safety.
Last, we proposed to adopt and include the February 2, 2015 monthly
version of RxNorm in this criterion as the baseline version minimum
standards code set for coding medications.
Comments. Many commenters suggested reducing the scope of this
proposed criterion to either divide out the requirements into separate
certification criteria or to only require the minimum functionalities
needed to achieve the corresponding proposed e-prescribing objective
for Stage 3 of the EHR Incentive Programs (80 FR 16747).
Response. In finalizing the e-prescribing criterion, we considered
whether the proposed functionality would help achieve interoperability
between health IT systems and would align with the goals and objectives
described in the ``Federal Health IT Strategic Plan.'' \57\ The reasons
for the finalized e-prescribing criterion and its included
functionality are described below in response to comments.
---------------------------------------------------------------------------
\57\ http://www.healthit.gov/sites/default/files/9-5-federalhealthitstratplanfinal_0.pdf.
---------------------------------------------------------------------------
Comments. A number of commenters supported the additional NCPDP
SCRIPT v10.6 transactions we proposed to require for testing and
certification to this criterion, and believed the additional
requirement would facilitate bidirectional prescriber-pharmacist
communications and comprehensive medication management. A number of
commenters were concerned about the variable adoption and use of the
additional NDPCP SCRIPT v10.6 transactions that were proposed. A few
commenters were concerned with the interruptive nature of real-time
messaging alerts and suggested that they be batch-processed to a team
rather than a single provider for viewing. One commenter suggested that
we verify the correct official names of the proposed NCPDP SCRIPT v10.6
transactions. Regarding the medication history transactions, a few
commenters noted that many EHRs support additional means of retrieving
medication history that can offer advantages to the NCPDP medication
history transactions (e.g., HL7, proprietary third party integration,
direct connection with third party payers).
Response. We thank commenters for their support of the proposal.
Providers that prescribe or dispense Medicare Part D drugs using
electronic transmission of prescriptions are required to comply with
the standards that CMS has adopted under the Medicare Prescription
Drug, Improvement, and Modernization Act (MMA) of 2003. CMS adopted
NCPDP SCRIPT v10.6 for Part D e-prescribing in the 2013 Physician Fee
Schedule final rule (77 FR 69330-69331) effective November 1, 2013,
including the following transactions which we also proposed to require
for 2015 Edition testing and certification:
New prescription transaction;
Prescription change request transaction;
Prescription change response transaction;
Refill prescription request transaction;
Refill prescription response transaction;
Cancel prescription request transaction;
Cancel prescription response transaction; and
Fill status notification.
We believe that providers that are e-prescribing under Part D
should have already adopted NCPDP SCRIPT v10.6 for these transactions
as required effective November 1, 2013. Further, by requiring these
transactions as part of certification, we are supporting the use of
additional NDPCP SCRIPT v10.6 transactions in a standardized way.
Comments. Some commenters also noted support for the medication
history transaction request and response transactions, and other
commenters noted that both pharmacy and EHR systems have widely adopted
the medication history transactions.
Response. As stated in the Proposed Rule, we believe that all the
above proposed transactions can facilitate prescriber and pharmacist
communications that advance better care for patients and improve
patient safety. Therefore, in support of these goals and to harmonize
with CMS' Part D requirements, we have finalized our proposal to
require that certified health IT systems enable a user to prescribe,
send, and respond to the following NCPDP SCRIPT v10.6 transactions for
certification to the 2015 Edition e-prescribing criterion:
New prescription transaction (NEWRX);
Prescription change request transaction (RXCHG);
Prescription change response transaction (CHGRES);
Refill prescription request transaction (REFREQ);
Refill prescription response transaction (REFRES);
Cancel prescription request transaction (CANRX);
Cancel prescription response transaction (CANRES);
Fill status notification (RXFILL);
Medication history request transaction (RXHREQ); and
Medication history response transaction (RXHRES).
We have confirmed the official name of these transactions with
NCPDP. We note that the requirements we have
[[Page 62642]]
finalized outline the capabilities that certified health IT must be
able to support, and do not require providers to use these
functionalities when e-prescribing. The requirements of providers and
prescribers for e-prescribing are specified by other programs, such as
the implementation of the Medicare Modernization Act and the EHR
Incentive Programs. We also note that there are other standards and
services available for requesting and receiving medication history
information. Our adoption of the NCPDP SCRIPT v10.6 medication history
request and response transactions is consistent with a standard that
commenters agreed is widely used and--as above stated--has been adopted
by the health care industry. Our adoption of these requirements does
not preclude developers from incorporating and using technology
standards or services not required by our regulation in their health IT
products.
Regarding how message notifications are presented to health IT
users, we believe this is a design feature that should be left to
providers and health IT developers to determine, including whether
batch notification is preferable to real-time messaging alerts.
Comments. Some commenters suggested that it was premature to
require end-to-end bidirectional testing because they believed pharmacy
systems may not support the transactions. Commenters also asked for
clarification on how certified health IT would be tested to demonstrate
end-to-end bidirectional messaging. A number of commenters suggested
ONC consider deeming Surescripts certification to count towards meeting
the requirements of ONC's Health IT Certification Program. A few
commenters also were concerned about the differences between
Surescripts and testing and certification requirements under the ONC
Health IT Certification Program.
Response. ONC published a notice in the Federal Register (80 FR
32477) that restated our commitment to work with the health IT industry
towards a more streamlined health IT testing and certification system.
This notice addressed a flexibility included in the ONC Health IT
Certification Program that allows the National Coordinator to approve
test procedures, test tools, and test data developed by non-
governmental entities for testing efficiencies in the ONC Health IT
Certification Program. A person or entity may submit a test procedure
or test tool (which includes test data) to the National Coordinator for
Health IT to be considered for approval and use by NVLAP accredited
testing laboratories. We strongly encourage persons or entities to
submit such test procedures, test tools, and test data to us if they
believe such procedures, tools, and data could be used to meet
certification criteria and testing approval requirements, including
those for e-prescribing functionalities. Given our policy that permits
any person or entity to submit test procedures, test tools, and test
data for approval and use under the ONC Health IT Certification
Program, we encourage stakeholders to review the Federal Register
notice and submit test procedures, test tools, and test data for
approval by the National Coordinator in accordance with the
instructions outlined in the notice.\58\
---------------------------------------------------------------------------
\58\ https://www.federalregister.gov/articles/2015/06/09/2015-13510/acceptance-and-approval-of-non-governmental-developed-test-procedures-test-tools-and-test-data-for.
---------------------------------------------------------------------------
We look forward to testing tools that allow pharmacy communications
to either be simulated or sent by a pharmacy system that has agreed to
participate in the ONC Health IT Certification Program as a pilot test
system that is able to emulate real-life e-prescribing scenarios. We
note that we intend to analyze any differences between our requirements
for testing and certification to this certification criterion and other
industry certification programs for e-prescribing to determine
opportunities for alignment. However, we note that industry
certification programs may address a different use case and potentially
test more functionality than required by this certification criterion.
Comments. A number of commenters were concerned with the limitation
of the NCPDP Structured and Codified Sig Format Implementation Guide
v1.2 that limits the structured and codified Sig text element to 140
characters, and noted that it could hinder the ability to transmit
complex dosing instructions (e.g. tapers). Commenters noted that a
later version of the NCPDP SCRIPT Standard Implementation Guide expands
this text element length to 1,000 characters, but recommended that we
not adopt this version until CMS has adopted a later version as a
requirement for part of Part D e-prescribing. Commenters were also
concerned that the NCPDP Structured and Codified Sig Format v1.2 is not
widely implemented and needs more testing. A number of commenters noted
NCPDP is in the process of updating the NCPDP SCRIPT Implementation
Recommendations to reflect updates in guidance on implementation of the
most common Sig instructions. Some commenters also noted that there are
newer versions to the NCPDP SCRIPT Implementation Recommendations than
v1.29. These commenters were concerned that guidance on implementing
the most common Sig instructions is still evolving and suggested that
we wait until there is more implementation experience with using the
NCPDP Structured and Codified Sig Format v1.2 and later versions before
considering inclusion in a certification criterion. A number of
commenters supported the Sig segment for the indication for the
medication to be documented in SNOMED CT[supreg] to assist the
pharmacist with medication counseling and care coordination, whether or
not ONC were to adopt the full NCPDP Structured and Codified Sig Format
v1.2.
Response. We thank commenters for their detailed comments and
recommendations. We acknowledge the limitations of the 140 character
structured and codified Sig, and the concerns with low implementation
of the NCPDP SCRIPT Structured and Codified Sig Format v1.2 and later
versions. In light of our decision to focus on interoperability and
considerations about the maturity of standards, we have not finalized
the proposal to require a Health IT Module certified to this criterion
to enable a user to enter, receive, and transmit codified Sig
instructions in a structured format. While we continue to believe that
e-prescribed medication instructions should be transmitted in a
structured format for improved patient safety and for clearer
communication of the prescribing information as intended by the
prescriber, we do not believe a standard is ready for adoption at this
point in time. We will continue to monitor CMS's requirements for Part
D e-prescribing, and may reconsider this stance for future rulemaking
based on newer versions of the NCPDP SCRIPT Standard Implementation
Guide that may provide implementation improvements.
While we are not adopting the NCPDP SCRIPT Structured and Codified
Sig Format v1.2 in its entirety, we agree with commenters on the
potential benefits of a field that captures the reason for the
prescription. This information has value for care coordination between
prescribers, pharmacists, and care team members. NCPDP SCRIPT v10.6
supports the exchange of the reason for the prescription in a few ways,
including (1) medication-associated diagnosis using diagnosis elements
in the DRU (Drug Segment) and (2) medication indication using the
indication elements in the SIG (Structured Sig Segment).
[[Page 62643]]
For the first method, NCPDP SCRIPT v10.6 supports use of ICD-9-CM
codes or ICD- 10-CM codes with an additional qualifier. However, the
standard does not permit the medication-associated diagnosis to be
exchanged using SNOMED CT[supreg] codes until version 2013011 and
later. We continue to support SNOMED CT[supreg] as the vocabulary code
set for clinical diagnoses. Despite the limitation of NCPDP SCRIPT
v10.6 regarding exchange of SNOMED CT[supreg] codes for medication-
associated diagnoses, e-prescribing transactions that include the
reason for the prescription support patient safety and align with
initiatives underway at HHS.\59\ While the use of ICD-10-CM for
medication-associated diagnoses is not ideal, the value of requiring a
field for medication-associated diagnoses in accordance with NCPDP
SCRIPT v10.6 outweighs the limitations of that version of the standard.
We will consider requiring certification for the medication-associated
diagnosis using SNOMED CT[supreg] codes in a future version of this
certification criterion if we adopt a version of NCPDP SCRIPT that can
support medication-associated diagnoses using SNOMED CT[supreg] codes.
---------------------------------------------------------------------------
\59\ http://chainonline.org/research-tools/improving-hit-prescribing-safety/.
---------------------------------------------------------------------------
The second method described above (medication indication using
indication elements in the SIG) does support the use of SNOMED
CT[supreg] vocabulary. In order to implement the indication elements in
the SIG, developers would need to implement at least a subset of the
structured and codified Sig format component composites that represent
the most common Sig instructions as described in the SCRIPT
Implementation Recommendations Version 1.29 \60\ and later. As we have
not adopted the proposal to require a Health IT Module certified to
this criterion to enable a user to enter, receive, and transmit
codified Sig instructions in a structured format, implementation of
this second method would depend on whether the developer voluntarily
chooses to implement Structured and Codified Sig Format v1.2.
---------------------------------------------------------------------------
\60\ http://www.ncpdp.org/NCPDP/media/pdf/SCRIPTImplementationRecommendationsV1-29.pdf.
---------------------------------------------------------------------------
Given the options discussed above, we have finalized a requirement
that requires a Health IT Module to enable a user to receive and
transmit the reason for the prescription using the diagnosis elements
in the DRU Segment. This requirement would apply to the new, change
request and response, cancel request and response, refill request and
response, fill status, and medication history request and response
NCPDP SCRIPT v10.6 transactions that we have required in this criterion
(see discussion above). Again, we note that this requirement would only
apply to the capability that a certified Health IT Module certified to
this criterion has to demonstrate, not that a provider is required to
populate the field for reason for the prescription when e-prescribing.
For the first method described above, we note that with compliance
deadline of October 1, 2015, for use of ICD-10-CM and the effective
date of this final rule, we intend to test compliance with ICD-10-CM
for the purposes of testing and certification under the ONC Health IT
Certification Program.
We are also including an optional provision that would test a
Health IT Module's ability to enable a user to receive and transmit the
reason for the prescription using the indication elements in the SIG
Segment for those developers that may have voluntarily chosen to
implement the Structured and Codified Sig Format v1.2.
Comments. Commenters were generally supportive of improving patient
safety through use of the metric standard for dosing, but recommended
that this requirement only apply to oral liquid medications. A number
of commenters noted that the dose quantity for non-oral, non-liquid
medications may not be representable using metric units (e.g., number
of puffs for inhalers, number of drops for ear and eye drops, ``thin
film'' for topic creams and ointments). There was some concern that
pharmacies may translate metric prescribing instructions into more
``patient friendly'' instructions (such as translating from mL to
``spoonfuls'') that could lead to patient dosing concerns. Commenters
were also supportive of the proposal to require the use of standard
conventions for leading zeroes and decimals (i.e., a leading zero is
always inserted before the decimal point for amounts less than one, as
well as not allowing trailing zeroes after a decimal point).
Response. We thank commenters for their support of the proposal,
and for clarifying the issue about non-metric dose quantities. Given
this input and support, we have finalized the requirement that a Health
IT Module be capable of limiting a user's ability to electronically
prescribe oral, liquid medications in only metric standard units of mL
(i.e., cc units will not be allowed for certification). A Health IT
Module certified to this criterion would also be required to always
insert leading zeroes before the decimal point for amounts less than
one when a user electronically prescribes all medications, as well as
not allow trailing zeroes after a decimal point. Stakeholder feedback
has indicated that medication labels will contain dosing instructions
in the metric standard if the prescriber doses in the metric standard.
Along with federal partners (including the FDA and CDC),\61\ we
encourage pharmacies to ensure the labels maintain the metric standard
for dosing instructions. Guidance already exists encouraging this as a
best practice for medication labeling.\62\ We understand that industry
best practices also promote the provision of a metric dosing device
along with oral liquid medications.\63\ Last, for purposes of patient
safety, we would also encourage health IT developers to implement
industry recommendations around the use of ``tall man lettering'' to
differentiate between drug names that are similar and commonly
confused.\64\
---------------------------------------------------------------------------
\61\ http://www.cdc.gov/MedicationSafety/protect/protect_Initiative.html#MedicationErrors.
\62\ http://www.ncpdp.org/NCPDP/media/pdf/wp/DosingDesignations-OralLiquid-MedicationLabels.pdf.
\63\ http://www.ncpdp.org/NCPDP/media/pdf/wp/DosingDesignations-OralLiquid-MedicationLabels.pdf.
\64\ http://www.ismp.org/Tools/tallmanletters.pdf.
---------------------------------------------------------------------------
Comments. Commenters were supportive of the proposal to adopt the
February 2, 2015, monthly version of RxNorm. A few commenters suggested
that we adopt this version at a minimum, but allow implementation of
later versions.
Response. We thank commenters for their support and have adopted
the September 8, 2015 monthly version of RxNorm.\65\ As we finalized in
the 2014 Edition final rule (77 FR 54170), we remind stakeholders that
our policy for ``minimum standards'' code sets permits the adoption of
newer versions of the adopted baseline version minimum standards code
sets for purposes of certification unless the Secretary specifically
prohibits the use of a newer version (see Sec. 170.555 and 77 FR
54268). We agree with stakeholders that the adoption of newer versions
of RxNorm can improve interoperability and health IT implementation.
---------------------------------------------------------------------------
\65\ We refer readers to section III.A.2.c (``Minimum
Standards'' Code Sets) for a more detailed discussion of our
adoption of the September 8, 2015 monthly version of RxNorm.
---------------------------------------------------------------------------
Comments. A few commenters noted there is a need for standards for
e-prescribing of controlled substances (EPCS). One commenter suggested
that a standard for prior authorization (ePA) prescribing transactions
is needed.
Response. We thank commenters for these suggestions, but note that
these
[[Page 62644]]
comments are outside the scope of this criterion as proposed.
Common Clinical Data Set Summary Record--Create; and
Common Clinical Data Set Summary Record--Receive
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(4) (Common Clinical Data Set summary record--create)
------------------------------------------------------------------------
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(5) (Common Clinical Data Set summary record--receive)
------------------------------------------------------------------------
In the Proposed Rule under the proposed 2015 Edition ``transitions
of care'' certification criterion, we solicited comment on whether we
should adopt and make available for testing and certification a
separate certification criterion focused on the capability to create a
summary record formatted to the C-CDA Release 2.0 with or without the
ability to meet the requirements of the Common Clinical Data Set
definition.
Comments. Comments generally supported the proposal to adopt a
separate certification criterion for the ability of a Health IT Module
to create a summary care recorded formatted to the C-CDA standard. A
few commenters suggested that this certification criterion would only
be valuable if the Common Clinical Data Set was included as well.
Similar to the comments received for the ``ToC'' criterion summarized
previously in this section of the preamble, commenters were concerned
that C-CDA documents formatted to Release 2.0 would not provide
compatibility with C-CDA Release 1.1. These commenters recommended that
this certification criterion should require creation of C-CDAs
consistent with C-CDA Release 2.1.
Response. We agree with commenters that this criterion will be
valuable if it includes the capability to create a C-CDA with the
Common Clinical Data Set. This criterion may also be valuable and less
burdensome for health IT developers that design technology for other
programs and settings outside of the EHR Incentive Programs that would
like to require or offer functionality for the creation of C-CDA
documents without the other requirements of the 2015 Edition
``transitions of care'' criterion (e.g., transport requirements). These
programs and settings may find value for providers to create a summary
care record or transition of care document in accordance with the C-CDA
standard and with the Common Clinical Data Set. For example, existing
CMS programs point to the use of technology certified to create C-CDA
documents with the Common Clinical Data Set, including for chronic care
management services in the CY 2016 Physician Fee Schedule final rule
(80 FR 41796). CMS programs also encourage the use of certified health
IT for various settings and purposes.\66\ Accordingly, we have adopted
a new 2015 Edition ``Common Clinical Data Set summary record--create''
certification criterion to support this and other use cases. We have
also adopted a similar criterion that would support receipt of health
information exchanged in accordance with this functionality (Common
Clinical Data Set summary record--receive'' certification criterion).
---------------------------------------------------------------------------
\66\ We refer readers to section IV.B.4 (``Referencing the ONC
Health IT Certification Program'') of this preamble for discussion
of these programs and associated rulemakings.
---------------------------------------------------------------------------
Common Clinical Data Set Summary Record--Create
This new criterion would require a Health IT Module enable a user
to create a transition of care/referral summary formatted in accordance
with C-CDA Release 2.1 and that includes, at a minimum, the Common
Clinical Data Set and patient matching data. For the same reasons
described in the ``ToC'' certification criterion above, the patient
match data represent a first step forward to improving the quality of
data included in an outbound summary care record to improve patient
matching. Please refer to our decision to adopt C-CDA Release 2.1 for
all certification criteria that reference C-CDA standard creation in
the 2015 Edition as described further in the preamble for the ``ToC''
certification criterion. Consistent with our decision for the ``ToC,''
``clinical information reconciliation and incorporation,'' and ``C-CDA
creation performance'' criteria described elsewhere in this section of
the preamble, this certification criterion references the C-CDA Release
2.1 CCD, Referral Note, and (for inpatient settings only) Discharge
Summary document templates for this certification criterion.
We have also included the encounter diagnoses (with either the
September 2015 Release of the US Edition of SNOMED CT[supreg] or ICD-10
codes), cognitive status, functional status, reason for referral
(ambulatory only), referring or transitioning provider's name and
office contact information (ambulatory only), and discharge
instructions (inpatient only) which are contained in the ``transitions
of care'' criterion. This data has value for providing additional
context and information for providers to make care decisions when
receiving and sending transition of care/referral summary documents. As
noted above, certain CMS programs have required or encouraged that this
data be transmitted between care settings. Inclusion of this data will
promote consistency for transitions of care across care settings and
highlight ongoing efforts to develop standards for representing this
data electronically.
Common Clinical Data Set Summary Record--Receive
In addition to adopting a new certification criterion for ``Common
Clinical Data Set summary record--create,'' we have also adopted a
complementary certification criterion focused on the receipt and proper
processing of a transition of care/referral summary formatted to C-CDA
and with the Common Clinical Data Set. Our goal is to ensure that when
a C-CDA document is created consistent with the ``Common Clinical Data
Set summary record--create'' certification criterion that the receiving
system can properly process the information for informing care
coordination. This has value for stakeholders such as providers who may
be participating in other programs that require the use of the ``Common
Clinical Data Set summary record--create'' functionality as well as
registries that may be recipients of this information. As stated in the
Federal Health IT Strategic Plan, core technical standards form the
foundation for interoperability, and systems that send and receive
information in these common standards will help ensure the meaning of
information is consistently understood.\67\
---------------------------------------------------------------------------
\67\ http://www.healthit.gov/sites/default/files/9-5-federalhealthitstratplanfinal_0.pdf.
---------------------------------------------------------------------------
In order to ensure the receiving system correctly processes the C-
CDA document, we will test that a system can properly validate the
information in accordance with the same requirements of the ``ToC''
criterion (e.g., parse, detect and notify users of errors, identify
valid document templates and process data elements, and correctly
interpret empty sections and null combinations and be able to display a
human readable format that contains the information in the received C-
CDA document in accordance with the C-CDA standard). These methods
mirror those in the ``ToC'' criterion and will provide baseline
assurance that a receiving system can properly process the C-CDA
document as together they verify that the Health IT Module is correctly
[[Page 62645]]
interpreting the received C-CDA document information.
Consistent with our decision for the ``ToC'' and ``clinical
information reconciliation and incorporation'' certification criteria
described above, we have required certification to the C-CDA Releases
1.1 and 2.1 CCD, Referral Note, and (for inpatient settings only)
Discharge Summary document templates for this certification criterion.
As previously discussed, while C-CDA Release 2.1 largely promotes
compatibility with C-CDA Release 1.1, receiving systems may have to
perform additional processing to ensure Release 1.1 conformance with
Release 2.0. We have included a requirement that Health IT Modules be
able to receive C-CDA documents with the encounter diagnoses (with
either the September 2015 Release of the U.S. Edition of SNOMED
CT[supreg] or ICD-10-CM codes), cognitive status, functional status,
reason for referral (ambulatory only), referring or transitioning
provider's name and office contact information (ambulatory only), and
discharge instructions (inpatient only) for the same reasons we have
included these data in the ``Common Clinical Data Set summary record--
create'' criterion described above.
We have also included the ``section views'' capability from the
``ToC'' certification criterion to ensure that Health IT Modules
certified to this certification criterion will be able to extract and
allow for individual display each section (and the accompanying
document header information (i.e., metadata)) that was included in a
transition of care/referral summary received and formatted in
accordance with C-CDA Releases 1.1 and 2.1. This will allow a user to
select and just view the relevant sections without having to navigate a
potentially length C-CDA document.
Data Export
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(6) (Data export)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``data portability''
certification criterion that was revised in comparison to the 2014
Edition ``data portability'' certification criterion (Sec.
170.314(b)(7)). Similar to the 2014 Edition version, we proposed to
include the 2015 Edition ``data portability'' criterion in the Base EHR
definition (i.e., the 2015 Base EHR definition). To address feedback
from health IT developers and providers on the 2014 Edition
certification criterion, the proposed ``data portability''
certification criterion at Sec. 170.315(b)(6) focused on specific
capabilities that would give providers easy access and an easy ability
to export clinical data about their patients for use in a different
health information technology or a third party system for the purpose
of their choosing. We emphasized that this capability would need to be
user-focused and user-driven. We proposed to require that a user be
able to configure a Health IT Module to create an export summary for a
given patient or set of export summaries for as many patients selected
and that these export summaries be able to be created according to
certain document-template types included in the C-CDA Release 2.0. We
proposed to require the Common Clinical Data Set as the minimum data
that a Health IT Module must be capable of including in an export
summary, in addition to encounter diagnoses (according to the standard
specified in Sec. 170.207(i) (ICD-10-CM) or, at a minimum, the version
of the standard at Sec. 170.207(a)(4) (September 2014 Release of the
U.S. Edition of SNOMED CT[supreg]), cognitive status, functional
status, reason for referral and the referring or transitioning
provider's name and office contact information, and discharge
instructions for the inpatient setting. We proposed to require that a
user would need to be able to be able to configure the technology to
set the time period within which data would be used to create the
export summary or summaries, and that this must include the ability to
enter in a start and end date range as well as the ability to set a
date at least three years into the past from the current date. We
proposed to require that a user would need to be able to configure the
technology to create an export summary or summaries based on specific
user selected events listed in the Proposed Rule. We proposed to
require that a user would need to able to configure and set the storage
location to which the export summary or export summaries were intended
to be saved.
Comments. Many commenters expressed support of the concept of
``data portability.'' Many commenters also requested that we clarify
the purpose of data portability and provide related use cases to
distinguish ``data portability'' from the transition of care
certification criterion. Some commenters also suggested renaming the
criterion to better describe its intended use. One commenter noted the
``ambulatory only'' requirement included in the criterion seemed to be
confusing data portability with transition of care.
Response. We appreciate commenters' support of the concept of data
portability and the proposed certification criterion. To provide
additional clarity, we have decided to simply name the adopted
certification criterion in this final rule ``data export.''
This certification criterion's purpose is to enable a user to
export clinical data from health IT for one patient, a set of patients,
or a subset of that set of patients. The functionality included in the
criterion is intended to support a range of uses determined by a user
and it was not our intention to prescribe or imply particular uses for
this functionality. We also note that this functionality is not
intended to and may not be sufficient to accomplish a full migration
from one product to another without additional intervention because of
the scope of this criterion. Specifically, the data and document
templates specified in this criterion would not likely support a full
migration, which could include administrative data such as billing
information. The criterion's functionality could, however, support the
migration of clinical data between health IT systems and can play a
role in expediting such an activity if so determined by the user.
The ``inpatient only'' and ``ambulatory only'' portions of the
criterion that require referral and discharge information,
respectively, were part of the scope of 2014 Edition ``data
portability'' certification criterion, are part of the transition of
care criterion, and are also referenced in by the ``VDT'' criterion. As
such, we see no compelling reason to change this criterion's scope and
have adopted the criterion with these distinctions and data.
Comments. Some commenters supported requiring all of the proposed
C-CDA document templates. Other commenters stated that the number of
document templates should be limited. Some commenters had
recommendations on alternative vocabularies to include in the C-CDA.
Response. Consistent with other responses provided in this final
rule, this certification criterion requires conformance to the C-CDA
R2.1. In consideration of comments received on the Proposed Rule, we
have limited the C-CDA document template scope for this criterion to
the CCD document template. We note that the vocabularies used by the C-
CDA R2.1 are defined through the Standards Developing Organization
(SDO) process and we do not seek to change that approach via this
rulemaking (i.e., we adopt the C-CDA R2.1 as published). We note that
we have adopted this criterion with the proposed inclusion of the
Common
[[Page 62646]]
Clinical Data Set and other specified data, including the updated
minimum standards code sets we discuss in section III.A.2.c (``Minimum
Standards'' Code Sets) of this preamble.
Comments. One commenter stated that when a note is signed or an
order is placed does not necessarily indicate that all relevant
documentation is ready for export as the provider may enter more
information in the record or a result could come back from a laboratory
order. The commenter stated that this could result in incomplete data
being exported. Another commenter stated that there should be an
affirmative action by the user clearly indicating the intent to
initiate a data export. A commenter suggested removal of the
requirements related to event configuration, stating there was no clear
use case. Commenters also stated that the dates in the ``timeframe
configuration'' were unclear and sought clarification on whether it was
an admission date, an encounter date, the date the data was entered in
the system or some other date. One commenter recommended that providers
should have access to the full set of data included in the certified
health IT for the entire period covered by a provider's contract. The
HITSC stated in written advice to the National Coordinator that the
``trigger conditions'' were not appropriate and went beyond what it
believed the policy goals for this criterion.\68\
---------------------------------------------------------------------------
\68\ https://www.healthit.gov/FACAS/sites/faca/files/HITSC_Certification_NPRM_TSSWG_Comments_2015-05-20.pdf.
---------------------------------------------------------------------------
Response. In consideration of comments, we have not finalized the
requirement to permit a user to configure a data export based on
signing a note or placing an order. We believe that a time-based
approach as the baseline scope for this certification criterion is the
most appropriate, consistent with our policy goals, and helps balance
user functionality required for the purposes of certification with
developer burden. In that regard, by finalizing a time-based approach,
we have determined that this final certification criterion can be more
simply described by combining the proposed ``timeframe'' and ``event''
configurations into one provision.
We have also not adopted the proposed time requirement that
technology would need to include the ability to set a date at least
three years into the past from the current date. We have determined
that we could not properly test and certify to such a requirement. We
acknowledge that some Health IT Modules presented for certification,
particularly in 2016, will not have access to three or even one year's
worth of patient health information that is conformant to the standards
requirements of this criterion. A health IT developer's and Health IT
Module's access to such health information, and the quality of such
health information, will also likely vary considerably based on the
customers (providers) it serves. This would further complicate testing
and certification, and potentially place certain health IT developers
and products at a disadvantage. Therefore, we have not adopted this
proposed requirement.
We have finalized as part of this criterion a specific capability
that expresses time-based configuration requirements. This first
portion of this part of the criterion expresses that a user must be
able to configure a time period within which data would be used to
create export summaries, which must include the ability to express a
start and end date range. The second portion of this part of the
criterion expresses three time-based actions/configurations a user must
be able to complete based on the date range they have specified. A user
would need to be able to: (1) Create export summaries in real-time
(i.e., on demand); (2) configure technology to create such summaries
based on a relative date and time (e.g., generate a set of export
summaries from the prior month on the first of every month); and (3)
configure technology to create such summaries based on a specific date
and time (e.g., generate a set of export summaries with a date range
between January 1, 2015 and March 31, 2015 on April 1, 2015 at 1:00AM
EDT). We reiterate that a Health IT Module will need to support the
user's ability to select and configure those dates and times.
Comments. One commenter requested that the ``file location'' be a
Direct address or an external location in an HIE or some other system.
Response. For the purposes of certification, we clarify that a
Health IT Module must, at a minimum, permit a user to select a local or
network storage location. We have intentionally left the specific
transport method (e.g., sending to a Direct email address) or further
product integration (e.g., routing the export to a web service, web
service or integration engine) to the discretion of the health IT
developer and its customers.
Comments. Commenters expressed concern that privacy and security
issues may arise when data is exported. Some commenters suggested that
the criterion should require an ability to limit the users that would
be permitted to execute the data export functionality, contending that
limiting the users could address potential performance issues that may
result when executing this functionality as well as issues related to
use access or misuse.
Response. We thank commenters for raising these issues and have
modified this criterion in response. We agree that this certification
criterion could benefit from requiring health IT to include a way to
limit the (type of) users that would be able to access and initiate
data export functions. Thus, consistent with other certification
criteria that include functionality to place restrictions on the (type
of) users that may execute this functionality, we have adopted
corresponding language in this final criterion. However, we emphasize
for stakeholders this additional ``limiting'' functionality on the type
of users that may execute the data export functionality is intended to
be used by and at the discretion of the provider organization
implementing the technology. In other words, this functionality cannot
be used by health IT developers as an implicit way to thwart or moot
the overarching user-driven aspect of this certification criterion.
Data Segmentation for Privacy
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(7) (Data segmentation for privacy--send)
------------------------------------------------------------------------
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(8) (Data segmentation for privacy--receive)
------------------------------------------------------------------------
We proposed to adopt two new 2015 Edition certification criteria
referred to as ``data segmentation for privacy (DS4P)-send'' and data
segmentation for privacy (DS4P)-receive.'' These criteria were not
proposed to be in scope for the EHR Incentive Programs. Rather, they
were proposed to be available for health IT developers and other
programs. The proposed certification criteria focused on technical
capabilities to apply and recognize security labels (i.e., privacy
metadata tags) to a patient's health record. We noted in the Proposed
Rule that the technical capabilities to do so would enable a sending
provider's technology to tag a patient's record such that recipient of
such a record (if such recipient had also implemented the technology)
would be able to recognize that the patient's record was ``sensitive''
and needed special protection under federal or state privacy law. For
example, DS4P was piloted to support the exchange of health information
[[Page 62647]]
covered by 42 CFR part 2 (``Part 2''), which are federal regulations
implementing the law protecting confidentiality of, and restricting
access, to substance abuse related patient records.
We proposed to adopt the DS4P standard as outlined in the HL7
Version 3 Implementation Guide: DS4P, Release 1 (DS4P IG), Part 1: CDA
R2 and Privacy Metadata.\69\ The standard describes the technical means
to apply security labels to a health record and data may be tagged at
the document-level, the section-level, or individual data element-
level. The DS4P standard also provides a means to express obligations
and disclosure restrictions that may exist for the data. The DS4P
standard does not enforce privacy laws or alter privacy laws. A
healthcare provider is still responsible for ensuring that use, access,
or disclosure of the sensitive health information complies with
relevant state and federal law. DS4P supports that compliance in an
electronic health environment and is a means for providers to
electronically flag certain pieces of data that may be subject to those
laws. Importantly, the DS4P standard is ``law-agnostic'' and not
restricted to Part 2 data. It may be implemented to support other data
exchange environments in which compliance with state or federal legal
frameworks require sensitive health information to be tagged and
segmented.
---------------------------------------------------------------------------
\69\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=354 Completed Normative Ballot in
January 2014 and was successfully reconciled in February 2014. HL7
approved the final standard for publication and ANSI approved in May
2014.
---------------------------------------------------------------------------
Comments. In general, most commenters recognized the value in
complying with laws that require protecting sensitive health
information. However, we received comments both expressing support and
opposition to adopting the proposed certification criteria at this
time. Commenters in support of the DS4P certification criteria and
proposed standard pointed out the standard was the best currently
available option for protecting sensitive health information and allows
behavioral health, substance abuse, and other data to be available at
the point of care. Commenters cited teenagers, victims of intimate
partner violence, and patients with behavioral health or substance
abuse conditions as particularly vulnerable populations that would
benefit from the ability to exchange sensitive health information
electronically. Several commentators pointed out that, while we limited
segmentation to document-level tagging in the Proposed Rule preamble,
we did not do so in the proposed regulation text.
Commenters that expressed opposition to the DS4P certification
criteria and proposed standard stated that the standard was immature
and not widely adopted. The commenters expressed concern that
segmentation can lead to incomplete records and that receiving systems
may not know how to handle the DS4P tagged data, which could lead to
incomplete records that may subsequently contribute to patient safety
issues. Several comments stated that DS4P has only been piloted with
Part 2 data. One commenter requested clarification on how a sending
system will know if a receiving system supports DS4P. Commenters also
requested guidance on how to visualize in the system that data may be
incomplete or what workflows should be used when segmented data is
received. Several commentators requested that we consider the
Integrating the Healthcare Enterprise (IHE) IT Infrastructure Technical
Framework Volume 4--National Extensions--Section 3.1 Data Segmentation
for Privacy (DS4P) \70\ as an alternative to the DS4P IG.
---------------------------------------------------------------------------
\70\ http://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_TF_Vol4.pdf.
---------------------------------------------------------------------------
Response. We appreciate the thoughtful comments submitted on the
proposed criteria. Notably, with respect to the comments we received
that expressed opposition to the DS4P standard our analysis of the
comments indicates that commenters were more concerned with the
complexity of the privacy law landscape than they were about the
technology itself. In this regard, the vast majority of comments
focused on policy-related questions such as the likelihood that
specialized privacy laws might create ``holes'' in the data.
Additionally, we received no comments that provided substantive
technical criticisms of the DS4P standard.
In reference to the DS4P standard's maturity, we note that it is
considered a ``normative'' standard from the HL7 perspective--a status
which requires substantially higher HL7 membership participation
compared to a Draft Standard for Trial Use (DSTU) status. While we
recognize that to date the standard has not been widely adopted, it has
been used with Part 2 data and other sensitive health information by
the Substance Abuse and Mental Health Services Administration (SAMHSA),
the U.S. Department of Veterans Affairs (VA), and private companies.
In consideration of the comments we received and several of HHS'
overarching policy goals (enabling interoperability, supporting
delivery system reform, reducing health disparities, and supporting
privacy compliance), we have adopted the proposed DS4P criteria. We
note that these criteria are not part of the 2015 Edition Base EHR
definition, are not required in the certification program policies for
health IT developers to seek certification to, and are not required for
providers to participate in the EHR Incentive Programs. As we have
stated, DS4P enables sensitive health information to be exchanged
electronically and we strongly encourage health IT developers to
include DS4P functionality and pursue certification of their products
to these criteria in order to help support their users' compliance with
relevant state and federal privacy laws that protect sensitive health
information.
We agree with commenters that we should explicitly state that
document-level tagging is the scope required for certification and have
made this modification to criteria. We have also clearly indicated in
the DS4P-receive criterion that the ability to receive a summary record
in accordance with the C-CDA R2.1 is required. This was inadvertently
omitted from the criterion's proposed regulation text, but was
referenced in the DS4P-send criterion.
In response to the broader comments that were critical of the
notion of DS4P, we reiterate that DS4P is a technical standard that
helps healthcare providers comply the laws applicable to them. As such,
healthcare providers should already have processes and workflows to
address their existing compliance obligations. The DS4P standard does
not itself create incomplete records. Under existing law patients
already have the right to prevent re-disclosure of certain types of
data by withholding consent to its disclosure or to place restrictions
on its re-disclosure. DS4P allows providers to tag data as sensitive
and express re-disclosure restrictions and other obligations in an
electronic form. DS4P does not determine whether a segmentation
obligation exists legally or what that legal obligation means to the
recipient. Instead, DS4P allows for tagging and exchange of health
information that has already been determined to be sensitive and in
need of special protections. In the absence of DS4P, this specially
protected data may still be exchanged, if consent is given for
disclosure, by fax or mail, but these methods may make the data
unavailable in electronic form in the receiving provider's EHR.
We recognize that the current privacy law landscape is complex.
Despite the
[[Page 62648]]
complexities of the privacy law landscape, we believe now is the time
to support a standard that allows for increased protection for
individuals with sensitive health conditions and enables sensitive
health information to flow more freely to authorized recipients. Over
43 million Americans ages 18 and up have some form of mental
illness.\71\ As stated before, providers already have workflows to care
for individuals with these and other sensitive health conditions. DS4P
allows providers the ability to move away from fax-and-paper
information exchange into interoperable exchange of sensitive health
information. Oftentimes, individuals with sensitive health conditions
require coordinated care that is not possible if sensitive health data
cannot be exchanged. Additionally, the technical ability to segment
data supports the Precision Medicine Initiative \72\ and delivery
system reform \73\ where those initiatives depend on making computable
individual's choices about disclosure of their data.
---------------------------------------------------------------------------
\71\ http://www.samhsa.gov/disorders.
\72\ https://www.whitehouse.gov/sites/default/files/docs/pmi_privacy_and_trust_principles_july_2015.pdf; see also https://www.whitehouse.gov/the-press-office/2015/01/30/fact-sheet-president-obama-s-precision-medicine-initiative.
\73\ http://www.hhs.gov/healthcare/facts/blog/2014/09/improving-health-care-delivery.html.
---------------------------------------------------------------------------
The current DS4P standard does not have a service discovery
mechanism to determine if a potential recipient is able to receive a
tagged document. We expect that providers will have to determine the
receiving capabilities of their exchange partners, similar to how they
have to work with their exchange partners today when they are manually
exchanging sensitive health information via fax. Additionally, the DS4P
standard contains a human-readable text block that will render in the
recipients system--putting the human healthcare user on notice that
they are viewing sensitive health information, allowing them to take
appropriate actions in their system manually.
We are not aware of implementations that have used the IHE National
Extensions for Data Segmentation for Privacy and do not agree with
permitting it as an alternative approach to DS4P for the purposes of
certification at this time.
Care Plan
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(b)(9) (Care plan)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition certification criterion
that would require a Health IT Module to enable a user to record,
change, access, create and receive care plan information in accordance
with the Care Plan document template in the HL7 Implementation Guide
for CDA[supreg] Release 2: Consolidated CDA Templates for Clinical
Notes.\74\ We explained that the C-CDA Release 2.0 contains a Care Plan
document template that provides a structured format for documenting
information such as the goals, health concerns, health status
evaluations and outcomes, and interventions. We emphasized that the
Care Plan document template is distinct from the ``Plan of Care
Section'' in previous versions of the C-CDA, stating that the Care Plan
document template represents the synthesis of multiple plans of care
(for treatment) for a patient, whereas the Plan of Care Section
represented one provider's plan of care (for treatment). The Proposed
Rule noted that the C-CDA Release 2.0 had renamed the previous ``Plan
of Care Section'' as the ``Plan of Treatment Section (V2)'' for
clarity. We sought comment on whether we should require for
certification to this criterion certain ``Sections'' that are currently
deemed optional as part of the Care Plan document template for
certification to this criterion, namely the ``Health Status Evaluations
and Outcomes Section'' and ``Interventions Section (V2).''
---------------------------------------------------------------------------
\74\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=379.
---------------------------------------------------------------------------
Comments. Commenters were supportive of the proposal to adopt a new
voluntary ``care plan'' criterion. The commenters stated that the Care
Plan document template supports broader information about the patient,
including education, physical therapy/range of motion, and social
interventions not commonly found in other parts of the C-CDA standard.
A few commenters stated that the C-CDA Release 2.0 Care Plan document
template only represents a ``snapshot in time,'' rather than a dynamic,
longitudinal shared care plan. Some commenters expressed concern that
this document template is new to C-CDA Release 2.0 and suggested that
there was no implementation experience. Other commenters stated that
clinician input was factored into the development of the Care Plan
document template and that there have been pilots through the S&I
Framework Longitudinal Coordination of Care Initiative.\75\ Commenters
suggested that the inclusion of the Care Plan document template in
certification would provide a glide path for adoption of EHRs by home
health care and hospice providers.
---------------------------------------------------------------------------
\75\ http://wiki.siframework.org/LCC+Pilots+WG.
---------------------------------------------------------------------------
Response. We thank commenters for their feedback. As stated in the
Proposed Rule (80 FR 16842), we believe the Care Plan document template
has value for improving coordination of care and provides a structured
format for documenting information such as goals, health concerns,
health status evaluations, and interventions. It represents a
consensus-based approach and is the best standard available today for
capturing and sharing care plan information. The document template has
also been demonstrated through pilots in the S&I Framework. As such, we
have adopted this criterion. To note, we have adopted the C-CDA Release
2.1 standard for this certification criterion for consistency with our
approach to the C-CDA in this final rule and for the same substantive
reasons discussed earlier in this preamble under the ``ToC''
certification criterion.
Comments. A few commenters suggested that it was not necessary to
adopt this certification criterion because other proposed criteria also
reference the C-CDA standard and Care Plan template.
Response. As described in more detail in this preamble for the
other certification criteria we have adopted that reference the C-CDA
standard (e.g., ``ToC,'' ``data export,'' and ``Consolidated CDA
creation performance''), we have adopted reduced requirements for C-CDA
Release 2.1 document template conformance per the use case(s) served by
each certification criterion. As such, the ``ToC,'' ``data export,''
``clinical information reconciliation,'' and ``Consolidated CDA
creation performance'' criteria do not require the C-CDA Release 2.1
Care Plan document template. Therefore, we have adopted this criterion
to support the care planning use cases recited above and in the
Proposed Rule.
Comments. A commenter recommended that we be more specific about
which optional (e.g., ``MAY'') items in the Health Concerns section of
the C-CDA Care Plan document template should be required.
Response. As we stated in section III.A.2.b of this preamble
regarding referenced standards for certification, if an element of a
standard or IG is optional or permissive in any way, it will remain
that way for testing and certification unless we specified otherwise in
regulation. To the commenter's question, we have not specified
otherwise in regulation. We note, however, that we would expect
[[Page 62649]]
that health IT developers and providers would work together to
determine whether the optional items are relevant and useful for the
provider and patients intended to be served by the Health IT Module.
Comments. Most commenters expressed support for requiring a Health
IT Module to be certified to the optionally designated sections in the
C-CDA Release 2.0 Care Plan document template to meet this criterion.
Commenters noted the Health Status Evaluations and Outcomes Section
incorporates patient-reported outcomes to improve care and assist with
the long-term goal of a truly integrated care plan. Commenters also
suggested the Interventions Section (V2) would be useful for patients
and family caregivers.
Response. We thank commenters for their feedback. We agree with
commenters that the Health Status Evaluations and Outcomes Section and
Interventions Section (V2) of the C-CDA provide important information
for incorporating the patient's perspective in an effort to improve
outcomes and the long-term goal of a longitudinal, dynamic, shared care
plan. Accordingly, we have specifically identified these sections as
required to be met for certification to this criterion.
Comments. A few commenters suggested that this criterion should
also include a requirement for the receiving system of a C-CDA Care
Plan to be able to reconcile the care plan information with the
patient's record in the receiving system.
Response. While reconciliation is important and may be appropriate
for any future iteration of this certification criterion, this
functionality is outside the scope of our proposal. Therefore, we have
not included in this criterion. We note that the industry continues to
improve and develop advanced care planning standards and tools, which
may address the incorporation of care planning information. As such, we
will continue to monitor these developments for consideration in future
rulemaking.
Comments. A few commenters suggested that we are conflating certain
sections of the C-CDA Care Plan document template (e.g., Health
Concerns and Goals) with items proposed in the Common Clinical Data
Set.
Response. We refer readers to our response to this comment under
the Common Clinical Data Set definition in section III.B.3 of this
preamble.
Clinical Quality Measures--Record and Export
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(c)(1) (Clinical quality measures--record and export)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``clinical quality measures
(CQM)--record and export'' certification criterion that was revised in
comparison to the 2014 Edition ``CQM--capture and export''
certification criterion (Sec. 170.314(c)(1)). In the Proposed Rule, we
explained that we would align our use of the term ``record'' used in
other 2014 and 2015 Edition certification criteria and proposed to call
this certification criterion ``CQM--record and export.'' We proposed to
require that a system user be able to export CQM data formatted to the
Quality Reporting Document Architecture (QRDA) Category I standard at
any time the user chooses for one or multiple patients and without
subsequent developer assistance to operate. We also proposed to require
that this certification criterion be part of the set of criteria
necessary to satisfy the ``2015 Edition Base EHR'' definition (see also
section III.B.1 of this preamble for a discussion of the 2015 Edition
Base EHR definition). We solicited comment on the standard, including
versions of QRDA Category I, we should adopt for this certification
criterion with consideration given to where the industry may be with
adoption of CQM and CDS standards over the next few years. In
particular, we identified industry efforts to harmonize CQM and CDS
standards. We asked for comment on the following version of QRDA or
QRDA-like standards:
HL7 Implementation Guide for CDA Release 2: Quality
Reporting Document Architecture (QRDA), DSTU Release 2 (July 2012);
HL7 Implementation Guide for CDA Release 2: Quality
Reporting Document Architecture (QRDA), DSTU Release 2 (July 2012) and
the September 2014 Errata; or
A QRDA-like standard based on the anticipated Quality
Improvement and Clinical Knowledge (QUICK) Fast Healthcare
Interoperability Resources (FHIR)-based DSTU.
In asking for comment, we sought to understand the tradeoffs
stakeholders perceive in adopting each standard considering that the
EHR Incentive Programs Stage 3 proposed rule proposed that health IT
certified to the 2015 Edition would not be required until January 1,
2018, but that EPs, eligible hospitals, and CAHs participating in the
EHR Incentive Programs Stage 3 objectives and measures could upgrade to
health IT certified to the 2015 Edition ``CQM--record and export''
certification criterion in 2017.
Comments. The majority of commenters recommended adopting the HL7
CDA[supreg] R2 Implementation Guide: Quality Reporting Document
Architecture--Category I (QRDA I); Release 1, DSTU Release 3, US Realm
(``QRDA Category I Release 3 IG'' or ``Release 3'').\76\ Commenters
noted that CMS is using the QRDA Category I Release 3 IG for the 2015
update eCQM measures and the 2016 reporting period and recommended that
we adopt this version for program alignment.\77\ Commenters indicated
Release 3 addresses known issues, fixes errors, and adds missing
content compared to earlier versions of the QRDA Category I standard.
Commenters also noted that Release 3 uses an incremental version of the
underlying data model (the Quality Data Model 4.1.1) that is a step-
wise approach toward harmonized CQM and CDS standards that stakeholders
are developing.
---------------------------------------------------------------------------
\76\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=35.
\77\ http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/eCQM_Library.html.
---------------------------------------------------------------------------
While commenters were supportive of the work and direction on
harmonized CQM and CDS standards to produce an anticipated QUICK FHIR-
based DSTU, all commenters noted that no such standard is currently
available and that it is premature to require any such standard for the
2015 Edition. Many commenters stated that stakeholders are still in the
process of implementing QRDA and that we should adopt an incremental
version of QRDA rather than pivot to the QUICK standard at this time.
Response. With consideration of commenters' feedback, we have
adopted this criterion and the QRDA Category I Release 3 IG (both
Volumes 1 and 2) for this criterion. In order to accommodate Release 3,
we are amending the paragraph level at Sec. 170.205(h) to move the
standard that is required for the 2014 Edition ``CQM--capture and
export'' criterion to Sec. 170.205(h)(1), and adopting Release 3 at
Sec. 170.205(h)(2).
We agree with commenters that it is too early to adopt the QUICK
CQM standards, but will continue to support the development and
piloting of these harmonized CQM and CDS standards and reassess their
appropriateness for certification at the time of a relevant future
rulemaking.
Comments. Commenters expressed support for the proposal to permit
users to export CQM data formatted to the
[[Page 62650]]
QRDA Category I standard for one or multiple patients at any time the
user chooses and without subsequent developer assistance to operate.
Some commenters requested clarification on what constitutes ``without
subsequent developer assistance to operate'' and noted that batch
export could be disruptive to overall EHR functionality. A few
commenters asked for clarification of the use cases for export. Some
commenters also requested clarification regarding who constitutes a
``user,'' with a few commenters suggesting that the ``user'' should
only be those individuals with specific administrative privileges.
Response. We thank commenters for their support of the proposal. We
have included in this criterion a requirement that a user be able to
export a data file formatted in accordance with Release 3 for one or
multiple patients that includes all of the data captured for each CQM
to which the health IT was certified. We believe that the ability to
export CQM data would serve two purposes. First, this functionality
will allow a provider or health system to view and verify their CQM
results for quality improvement on a near real-time basis. Second, the
export functionality gives providers the ability to export their
results to multiple programs, such as those run by CMS, states, and
private payers.
As we discussed in the 2015 Edition proposed rule (80 FR 16843),
our intent is for users of certified health IT to be able to export CQM
data formatted to the QRDA Category I standard for one or more patients
without needing to request support from a developer. Stakeholders have
noted that some health IT certified to the 2014 Edition ``CQMs--capture
and export'' criterion do not provide users the ability to export QRDA
Category I files ``on demand'' and that users must submit requests for
the health IT developer to assist or perform the export function on
their behalf. For testing and certification to the 2015 Edition ``CQM--
record and export'' criterion, we would expect demonstration that the
Health IT Module enables the user to export CQM data formatted to the
QRDA Category I standard for one or more patients without needing
additional developer support. We believe that providers and health
systems should determine the protocols around when and how providers
export CQM data, and we do not address this issue as part of
certification as it is outside the scope of the ONC Health IT
Certification Program.
We previously described a ``user'' in the 2014 Edition final rule
(77 FR 54168) and continue to use the same description for the 2015
Edition. We expect the functionalities of this criterion to be
available to any user, but the specification or limitation of types of
users for this functionality is outside the scope of certification to
this criterion. Providers have the discretion to determine the
protocols for when and which users should use this functionality.
Clinical Quality Measures--Import and Calculate
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(c)(2) (Clinical quality measures--import and calculate)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``clinical quality measures
(CQM)--import and calculate'' certification criterion that was revised
in comparison to the 2014 Edition ``CQM--import and calculate''
certification criterion (Sec. 170.314(c)(2)). We proposed to require
that a system user be able to import CQM data formatted to the QRDA
standard for one or multiple patients at any time the user chooses and
without additional assistance to operate. We proposed to no longer
include an exemption that would allow a Health IT Module presented for
certification to Sec. 170.315(c)(1), (c)(2), and (c)(3) to not
demonstrate the data import capability. Rather, we proposed that a
Health IT Module would be required to demonstrate that it could import
data in order to be certified to this certification criterion even if
it is also certified to provide ``record and export'' and ``electronic
submission/report'' functions. We solicited comment on the version of
QRDA or QRDA-like standards for individual patient-level CQM reports we
should adopt for this certification criterion.
We stated that we intend testing to the 2015 Edition ``CQM--import
and calculate'' certification criterion to include the import of a
larger number of test records compared to testing for the 2014 Edition
and to automatically de-duplicate records for accurate CQM calculation.
We requested comment on this intent and the number of test records we
should consider testing a Health IT Module for performing import and
calculate functions.
Comments. The majority of commenters recommended adopting the HL7
CDA[supreg] R2 Implementation Guide: Quality Reporting Document
Architecture--Category I (QRDA I); Release 1, DSTU Release 3, US Realm
(``QRDA Category I Release 3 IG'' or ``Release 3''). These commenters
cited the same reasons for adopting Release 3 as recited under the 2015
Edition ``CQM--record and export'' criterion summarized above, and to
which we refer readers. A few commenters recommended that QRDA Category
III (aggregate level CQM reports) should not be required for this
criterion.
Response. With consideration of commenters' feedback, we have
adopted this criterion and the QRDA Category I Release 3 IG (both
Volumes 1 and 2) for this criterion. We note that we did not propose to
require import of QRDA Category III files for this criterion and thus
QRDA Category III is outside the scope of this criterion.
Comments. Commenters expressed support for the proposal to permit
users to import CQM data formatted to the QRDA Category I standard for
one or multiple patients at any time the user chooses and without
subsequent developer assistance to operate. A few commenters asked for
clarification of the use cases for import, and the justification for
why all systems (even those previously considered ``self-contained'')
must demonstrate import. These commenters noted that some systems
export CQM data to a third-party data aggregator or warehouse for
calculation, whereas other EHR systems perform the calculation function
itself. In the latter case, some commenters suggested it was not
necessary for the system to be able to import CQM data. A few
commenters were not supportive of requiring import using the QRDA
Category I standard. Rather, they suggested import should be allowed
using whatever standard or data structure is already being used by the
system for import.
Response. We thank commenters for their support of the proposal and
requests for additional clarifications. We have included in this
criterion a requirement that a user be able to import a data file
formatted in accordance with Release 3 for one or multiple patients
that includes all of the data captured for each CQM to which the health
IT was certified. We believe that the ability to import CQM data would
serve two purposes. First, this functionality could streamline the
testing and certification process by importing QRDA Category I files
rather than systems needing to manually enter test patient data.
Second, the import functionality can promote quality improvement and
data sharing between systems by providing systems the ability to import
CQM data from other systems in a standardized format. We note that ONC
held a HITPC hearing on certification in 2014 and the HITPC recommended
CQM certification as a top priority for providing value for
[[Page 62651]]
quality improvement and delivery system reform.\78\ While we are not
prescribing how data is imported into a system (e.g., mapped to a
backend database or viewable to a provider as part of the patient
record), we believe that requiring the import functionality can
facilitate these use cases.
---------------------------------------------------------------------------
\78\ http://www.healthit.gov/facas/calendar/2014/05/07/policy-certification-hearing.
---------------------------------------------------------------------------
As we discussed in the 2015 Edition proposed rule (80 FR 16843),
our intent is for users of certified health IT to be able to import CQM
data formatted to the QRDA Category I standard for one or more patients
without needing to request support from a developer. Stakeholders have
noted that some health IT certified to the 2014 Edition ``CQMs--import
and calculate'' criterion do not provide users to import QRDA Category
I files ``on demand'' and that users must submit requests for the
developer to assist or perform the import function on their behalf. For
testing and certification to the 2015 Edition ``CQM--import and
calculate'' criterion, we would expect demonstration that the Health IT
Module enables the user to import CQM data formatted to the QRDA
Category I standard for one or more patients without needing additional
developer support. We believe that providers and health systems should
determine the protocols around when and how providers import CQM data,
and we do not address this issue as part of certification as it is
outside the scope of the ONC Health IT Certification Program.
Comments. Commenters supported our intent to increase the number of
test records used during the testing and certification process for this
criterion. Most commenters recommended that rather than test to a
certain number of records, testing should ensure that every pathway by
which a patient can enter the numerator or denominator of the given
measure is tested. Commenters were supportive of requiring health IT to
demonstrate auto de-duplication of imported records during the testing
process, but some commenters were concerned about how systems would be
required to incorporate and reconcile imported data. Commenters
requested clarification on whether duplicate records would be
determined by a duplicate record ID number or by requiring the system
to compare the data in two records and determine whether it is a
duplicate. Commenters were concerned about the amount of work to
reconcile data using the latter method.
Response. We thank commenters for supporting use of an increased
number of test records during the testing and certification process and
we agree that testing should more robustly test the pathways by which a
patient can enter the numerator or denominator of a measure, including
exclusions and exceptions. In regard to auto de-duplication, while we
have adopted the requirement, we have not prescribed how systems would
demonstrate de-duplication or what systems must do with the imported
data. We are providing flexibility in allowing health IT developers and
providers to determine the most suitable methods for de-duplication and
import of data for the given situation.
Clinical Quality Measures--Report
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(c)(3) (Clinical quality measures--report)
------------------------------------------------------------------------
In the Proposed Rule, we stated that we intend to better align with
the reporting requirements of other CMS programs, and thus, would
propose certification policy for reporting of CQMs in or with annual
PQRS and/or Hospital IQR program rulemaking anticipated in CY 2015. We
explained that we anticipated proposing standards for reporting of CQMs
that reflect CMS' requirements for the ``form and manner'' of CQM
reporting (e.g., CMS program-specific QRDA standards), allowing for
annual updates of these requirements as necessary. Under this approach,
we noted that the ``CQMs--report'' certification policy and associated
standards for the 2015 Edition that support achieving EHR Incentive
Programs requirements would be proposed jointly with the calendar year
(CY) 2016 PFS and/or IPPS proposed rules. We clarified that we
anticipated removing ``electronic'' from the name of this certification
criterion because we expected that all functions proposed in the 2015
Edition health IT certification criteria to be performed or
demonstrated electronically, unless specified otherwise. We also
explained that we anticipated naming this certification criterion
``report'' instead of ``submission'' to better align with the language
we use in other certification criteria that also require demonstration
of a ``reporting'' functionality (i.e., to submit data).
We subsequently proposed a 2015 Edition ``CQMs--report''
certification criterion in the 2016 IPPS/LTCH PPS proposed rule that
would require a Health IT Module to enable a user to electronically
create a data file for transmission of clinical quality measurement
data using the ``base'' (i.e., industry-wide, non-program-specific) HL7
QRDA Category I and Category III standards, at a minimum (80 FR 24613-
24614). We also proposed, as part of this proposed criterion, to permit
optional certification for health IT in accordance with the CMS ``form
and manner'' requirements defined in the CMS QRDA Implementation
Guide.\79\ CMS specified that health IT certified to this proposed
certification criterion would be required to meet the proposed CEHRT
definition for the EHR Incentive Programs.
---------------------------------------------------------------------------
\79\ The CMS QRDA Implementation Guide can be accessed at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/eCQM_Library.html.
---------------------------------------------------------------------------
As detailed in the FY 2016 IPPS/LTCH PPS proposed rule, we
solicited comment on the appropriate versions of the Quality Reporting
Document Architecture--Category I (individual patient level quality
reports) and Category III (aggregate level quality reports) standards
that should be adopted. In order to give full consideration to the
comments received on the appropriate versions of the standards we
should adopt, we did not adopt a ``CQMs-report'' certification
criterion in the 2016 IPPS/LTCH PPS final rule (80 FR 49760). We stated
that we anticipate adopting both the certification criterion and the
appropriate versions of the standards in a subsequent final rule later
this year. We also noted we intended to address comments received on
both the proposed ``CQMs-report'' certification criterion and the
versions of the standards in that same rule. We have used this final
rule to address the comments and adopt the criterion and standards as
specified below.
Comments. Commenters were supportive of the proposal to adopt a
2015 Edition certification criterion for CQM reporting. There was mixed
feedback on whether a 2015 Edition ``CQMs--report'' criterion should
require adherence to the HL7 QRDA Category I and Category III
standards, or solely to the CMS QRDA Implementation Guide. The majority
of commenters recommended that we not move to the Quality Improvement
and Clinical Knowledge (QUICK) CQM \80\ standards as they are
unpublished and have not yet been balloted. Rather, commenters
suggested we adopt incremental versions the QRDA standards because
health IT developers and providers have focused efforts on fully
supporting QRDA reporting. To this end, some commenters
[[Page 62652]]
recommended that we adopt Release 3 of the QRDA Category I standard,
and the November 2012 version of the QRDA Category III standard with
the September 2014 Errata. Other commenters did not support Release 3
of the QRDA Category I standard, stating it was too immature for
adoption. One commenter suggested that while Release 3 of QRDA Category
I may be a new standard and require more work compared to Release 2 of
QRDA Category I with the 2014 Errata, it offers more efficiencies and
reduces errors that would ultimately improve eCQM processing.
---------------------------------------------------------------------------
\80\ http://wiki.siframework.org/Clinical+Quality+Framework+Initiative.
---------------------------------------------------------------------------
Response. We thank commenters for their support for proposal and
comments regarding the versions of standards. We believe that
certification to the HL7 QRDA Category I and III standards provides a
baseline for interoperability of CQM data as these standards are
consensus-based and industry developed. Additionally, the HL7 QRDA
standards are program-agnostic and can support a number of use cases
for exchanging CQM data. Providers participating in CMS payment
programs such as the EHR Incentive Programs, IPPS, or Hospital IQR may
need to adhere to additional CMS QRDA reporting requirements as
detailed in the CMS QRDA IG. However, we do not believe that all
certified health IT is intended to be used for CMS reporting, and
therefore have only included requirements for reporting to CMS (e.g.,
use of the CMS QRDA IG) as an optional provision within the criterion.
We note that the CMS QRDA IG has been aligned with the HL7 QRDA
Category I and III standards, but the CMS QRDA IG includes additional
requirements beyond the HL7 IGs specific to CMS program reporting.
Our adoption of an optional provision to certify CQM reporting in
the form and manner of CMS submission allows CMS to determine as part
of its program requirements whether this optional provision of the CQM
reporting criterion is required for participation in certain CMS
programs. For example, CMS has proposed to revise the CEHRT definition
to require health IT be certified to the provision of the ``CQMs--
report'' criterion we have deemed optional (80 FR 41880-41881), which
would affect, at a minimum, providers participating in the EHR
Incentive Programs.
We agree with the comments supporting the adoption of Release 3 of
the QRDA Category I IG as the IG will improve eCQM processing and
reduce errors. The IG will also better align with the C-CDA Release 2.1
for purposes of interoperability as compared to QRDA Category I Release
2 with the 2014 Errata. Further, Release 3 of the QRDA Category I IG
also aligns with the CMS 2015 update to eCQM measures for 2016 e-
reporting (https://ecqi.healthit.gov/ecqm).
We agree with commenters that it is too early to adopt the QUICK
CQM standards, but will continue to support the development and
piloting of these harmonized CQM and CDS standards and reassess their
appropriateness for certification at the time of a relevant future
rulemaking.
In sum, after consideration of public comments, we have adopted a
2015 Edition ``CQMs--report'' criterion that requires a Health IT
Module to enable a user to (electronically) create a data file for
transmission of CQM data in accordance with:
HL7 CDA[supreg] R2 Implementation Guide: Quality Reporting
Document Architecture--Category I (QRDA I); Release 1, DSTU Release 3
(US Realm) (both Volumes 1 and 2); and
HL7 Implementation Guide for CDA[supreg] Release 2:
Quality Reporting Document Architecture--Category III, DSTU Release 1
(US Realm) with September 2014 Errata.
All Health IT Modules must certify to the above standards to meet
the criterion. As noted above, the criterion also includes an optional
provision that requires the electronic creation of a data file for
transmission of CQM data that can be electronically accepted by CMS
(i.e., the form and manner of submission as specified in the CMS QRDA
IG \81\).
---------------------------------------------------------------------------
\81\ Available at: https://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms/ecqm_library.html.
---------------------------------------------------------------------------
In order to accommodate the new QRDA standards in the regulation
text, we have revised the paragraph levels at Sec. 170.205(h) and (k)
to move the QRDA standards adopted in the 2014 Edition to Sec.
170.205(h)(1) and (k)(1) respectively. We have also made a technical
amendment to the regulation text for the 2014 Edition certification
criteria for capturing, calculating, and reporting CQMs (at 45 CFR
170.314(c)(1), (c)(2), and (c)(3), respectively) to continue to
reference the appropriate implementation specifications.
Comments. Commenters requested clarification on whether our
proposal to adopt a 2015 Edition ``CQMs--report'' certification
criterion through the 2016 IPPS/LTCH PPS proposed rule implies that
annual recertification to the proposed criterion would be required as
CMS updates the measure specifications and the CMS QRDA IG annually.
Response. We clarify that the proposal for a 2015 Edition ``CQMs--
report'' certification criterion would not require Health IT Modules to
be recertified annually as part of the ONC Health IT Certification
Program. However, in conjunction with our CMS colleagues, we also
clarify that CMS requires that health IT be certified to the CMS QRDA
IG and be updated to the latest annual measure specifications if
providers intend to use the health IT to report CQMs electronically to
CMS. This does not mean recertification is required each time the
health IT system is updated to a more recent version of the CQMs. As
CMS stated in the 2016 IPPS/LTCH PPS proposed rule, CMS intends to
publish a request for information (RFI) on the establishment of an
ongoing cycle for the introduction and certification of new measures,
the testing of updated measures, and the testing and certification of
submission capabilities (80 FR 24614-24615). We and CMS encourage
readers to submit their comments and recommendations for consideration
upon publication of the RFI.
Clinical Quality Measures--Filter
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(c)(4) (Clinical quality measures--filter)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition certification criterion
that would require health IT to be able to record data (according to
specified standards, where applicable) and filter CQM results at both
patient and aggregate levels. We listed proposed data elements and
vocabulary standards for some data elements to maintain consistency in
the use of adopted national standards, and we clarified that a Health
IT Module must be able to filter by any combination of the proposed
data elements (i.e., by any one (e.g., provider type) or a combination
of any of the data elements). We noted that the combination requirement
is different than other certification criteria in the Proposed Rule in
that it requires all combinations to be demonstrated for certification
and not just one. We requested comment on the appropriateness of the
proposed data elements for CQM filtering, including whether they are
being captured in standardized vocabularies, and additional data
elements that we should consider for inclusion and standardized
vocabularies that might be leveraged for recording this information in
health IT.
Comments. Many commenters were in support of adopting a new
criterion for CQM filtering. Commenters noted the benefit for
supporting the identification and reduction of disparities by filtering
[[Page 62653]]
by patient demographics and problem list. A number of commenters also
supported the list of proposed data elements as a good starting point
with mature standards.
Response. We thank commenters for the feedback. Our overall goal
for this functionality is to allow a provider to make a query for CQM
results using one or a combination of data captured in the certified
Health IT Module for quality improvement and quality reporting
purposes. We agree with commenters on the value of this functionality
for identification of health disparities, helping providers identify
gaps in quality, and supporting a provider in delivering more effective
care to sub-groups of their patients. As such, we have adopted this
certification criterion with the following modifications described
below.
Comments. Some commenters noted it would be valuable to filter both
QRDA Category I and Category III quality reports for this criterion to
assist with individual patient quality improvement and for population
health. One commenter noted that providing a filtered view to the
provider would allow for easy spot-checking of health disparity trends
to inform quality improvement projects.
Response. We thank commenters for the feedback and agree with the
value of being able to filter QRDA I and Category III files as well as
for providing a filtered view of the quality results for supporting the
quality improvement and quality reporting use cases. QRDA Category I
enables an individual patient-level quality report that contains
quality data for one patient for one or more quality measures.\82\ The
QRDA Category III standard enables an aggregate quality report
containing calculated summary data for one or more measures for a
specified population of patients within a particular health system over
a specific period of time.\83\ We have, therefore, required that a
Health IT Module certified to this criterion must be able to filter CQM
results at the patient and aggregate levels and be able to create a
data file of the filtered data in accordance with the QRDA Category I
and Category III standards, as well as be able to display the filtered
data results in human readable format. To align with the versions of
the QRDA standards we are adopting for the 2015 Edition ``CQMs--record
and export,'' ``CQMs--import and calculate,'' and ``CQMs--report''
criteria, we have adopted the following standards for this criterion:
---------------------------------------------------------------------------
\82\ Available at: http://www.hl7.org/implement/standards/product_brief.cfm?product_id=35.
\83\ Available at: http://www.hl7.org/implement/standards/product_brief.cfm?product_id=286.
---------------------------------------------------------------------------
HL7 CDA[supreg] R2 Implementation Guide: Quality Reporting
Document Architecture--Category I (QRDA I); Release 1, DSTU Release 3
(US Realm) (both Volumes 1 and 2); and
HL7 Implementation Guide for CDA[supreg] Release 2:
Quality Reporting Document Architecture--Category III, DSTU Release 1
(US Realm) with September 2014 Errata.
Comments. One commenter expressed concern that the proposed
criterion aims to achieve attribution of eCQM results to particular
providers or groups of providers for participation in certain quality
reporting programs, but that the proposed functionality to filter does
not actually achieve attribution. The commenter noted that attribution
requires a more complex approach than is currently proposed with the
filtering of CQM results using different combinations of data, and
suggested that it was appropriate for the industry to develop
attribution standards in upcoming quality standards work.
Response. We thank the commenter for the feedback. We agree that
proper attribution of eCQM results to a particular provider or group of
providers will require a set of defined processes. We believe that the
functionality in this criterion is a good step forward toward
establishing such a process while the industry continues to improve
eCQM standards as described further in the Proposed Rule (80 FR 16842-
16843). We intend to continue working with stakeholders to establish
standards and processes for proper attribution of quality measure
results for consideration in future rulemaking.
Comments. A few commenters requested clarification of the language
in the preamble and suggested that testing should not require that all
possible combinations of data be demonstrated as it would be time-
consuming and a very large number.
Response. We clarify that for testing Health IT Modules will not be
tested to every possible combination of data, but that any combination
could be tested at the discretion of the tester. We also note that we
have not prescribed a workflow that must be demonstrated for
certification in order to provide flexibility as long as the desired
outcome can be achieved.
Comments. A few commenters indicated concern over the lack of
alignment between the data and associated standards proposed for this
criterion compared with our proposed 2015 Edition Common Clinical Data
Set definition (80 FR 16871-16872), the data proposed in the 2015
Edition ``demographics'' criterion (80 FR 16816-16817), and the request
for comment for ``future considerations for electronically specified
measures using Core Clinical Data Elements'' in the CMS 2016 Inpatient
Prospective Payment System (IPPS) proposed rule (80 FR 24583-24584).
Commenters suggested we work to ensure alignment of the data proposed
in this criterion with those in the Common Clinical Data Set definition
and proposed for the demographics criterion. Commenters also suggested
we work with CMS on the Core Clinical Data Elements definition.
Response. We thank commenters for the recommendation to ensure data
definitions are aligned. This criterion proposes a filter by ``patient
age'' whereas the Common Clinical Data Set and demographics
certification criterion specify ``date of birth.'' For this
certification criterion, we intend that ``patient age'' is derived from
the patient's date of birth, but specify ``patient age'' because we
believe that providers should be able to filter/query CQM results by
the patient's age rather than their date of birth. For example, the
provider may query for patients older than a certain age, younger than
a certain age, or between a range of ages. Therefore, we have adopted
patient age as a data element for this certification criterion. We
believe that all the other data in this criterion are aligned with the
2015 Edition Common Clinical Data Set and ``demographics'' criterion.
We note that the ``Core Clinical Data Elements'' in CMS' 2016 IPPS
proposed rule is not being proposed for the 2016 program year and is a
comment solicitation for future rulemaking. We intend to continue to
work with CMS on alignment of data elements being required for capture
across programs.
Comments. Commenters indicated some concern that providers may use
multiple Tax Identification Numbers (TINs) and different levels of TIN/
National Provider Identifier (TIN/NPI) combinations. There was general
support for the use of the NPI as a data element for this criterion.
Response. We believe that including TIN and NPI in this criterion
offers a baseline for filtering by these data for certification. We
would expect that any programs that may require CQM reporting using TIN
and/or NPI would provide additional guidance on the level to use for
participation in its programs. Therefore, we have adopted TIN and NPI
as data elements for this criterion.
Comments. There was general support for use of the Healthcare
Provider
[[Page 62654]]
Taxonomy Code Set \84\ for classifying provider types. Commenters
indicated they were not aware of additional existing standards for
provider types. A few commenters indicated concern that providers can
select multiple codes in the NPI system that reflects their overall
practice rather than their individual specialty, and that the code may
have low reliability.
---------------------------------------------------------------------------
\84\ http://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/MedicareProviderSupEnroll/Taxonomy.html.
---------------------------------------------------------------------------
Response. We thank commenters for the feedback. We agree that the
Healthcare Provider Taxonomy Code Set (the ``Code Set'') is the best
available standard for classifying provider type at this point in time,
and have therefore adopted the CMS Crosswalk: Medicare Provider/
Supplier to Healthcare Provider Taxonomy, April 2, 2015 as the standard
for provider type for this criterion (to the version updated April 2,
2015 as a minimum version for certification).\85\ This crosswalk maps
the Medicare Provider/Supplier type to the relevant healthcare provider
taxonomy codes. It is our understanding that when a provider registers
for an NPI number, they are required to select at least one provider
type code from the Code Set, but may select more than one code.
However, the provider is required to select one code as the primary
code. It is also our understanding that the NPI record for a given
provider contains all codes a provider selected, and so we would expect
that CQM results could be filtered by any one of the provider's
selected codes (e.g., primary, secondary, tertiary, etc.). In order to
ensure the NPI record is up-to-date, we would recommend that health
care providers update and/or verify their registration annually in the
CMS National Plan and Provider Enumeration System (NPPES) \86\ to
reflect the most accurate codes for the type of care the provider is
currently providing. There are three methods by which an individual can
access the NPI files: (1) Through a downloadable file, (2) through a
display/query on the NPPES website, and (3) through an interface to the
NPPES API. While health systems may keep their own internal records of
NPI information for the providers practicing in their system, we
recommend that any of the three above methods provides the most up-to-
date information and would encourage systems to verify and use this
information for their internal records.
---------------------------------------------------------------------------
\85\ https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/MedicareProviderSupEnroll/Downloads/TaxonomyCrosswalk.pdf.
\86\ https://nppes.cms.hhs.gov/NPPES/Welcome.do.
---------------------------------------------------------------------------
Comments. As discussed in the ``transitions of care'' criterion, a
number of commenters suggested adoption of the U.S. Postal Service
postal address standard for address as concerns patient matching.
Commenters noted that the standard is widely supported by health care
organizations today and is recommended by the American Health
Information Management Association.\87\ Some commenters were concerned
about complexity in systems being able to choose the correct practice
site that a patient was seen at as a patient may visit more than one
practice site for a given provider. Another commenter suggested we
consider the GS1 Global Location Number (GLN) standard \88\ for
practice site address as it is based on the USPS standard and could be
filtered to provide a specific practice site address through the level
of ``party'' and ``location'' using the GS1 GLN standard.
---------------------------------------------------------------------------
\87\ http://perspectives.ahima.org/wp-content/uploads/2014/12/PatientMatchingAppendixA.pdf.
\88\ http://www.gs1.org/gln.
---------------------------------------------------------------------------
Response. We thank commenters for the input. At this point in time,
we believe that use of the QRDA Category I and III standards which
reference the HL7 postal format is an incremental step toward an
industry standard. This is the same HL7 postal format standard
referenced in C-CDA Release 2.1; and QRDA is based on the same
underlying standard as C-CDA (i.e., the CDA). While we continue to
analyze the USPS address standard \89\ and other industry standards, we
believe these standards were developed for other use cases (such as the
shipping and delivery of mail or tracking medical products) than for
querying for health information in the health care industry. We see a
need for continued industry work to determine the appropriateness of
existing standards and tools for normalizing postal address for health
care uses cases, and intend to work with stakeholders in this space.
---------------------------------------------------------------------------
\89\ http://pe.usps.gov/cpim/ftp/pubs/Pub28/pub28.pdf.
---------------------------------------------------------------------------
Testing and validation to the HL7 postal format in the QRDA
standard is already available as part of Cypress testing \90\ to QRDA
for the 2014 Edition CQM certification criteria. We anticipate the
Cypress testing tool for 2015 Edition CQMs criteria, including for CQM
filtering, will carry over this testing and suggest that health IT
developers and implementers adhere to the guidance in the QRDA Category
I and III standards adopted for this criterion for the HL7 postal
format. We believe it is best left to health IT developers and
providers to work together to determine how to provide results for
queries for patient seen at a particular practice site address at this
point in time, and note that testing and certification will only test
that a Health IT Module is able to filter CQM results by practice site
address. Other programs that may require the use of this certification
criterion may provide additional guidance on the definition of practice
site address and guidance on attribution.
---------------------------------------------------------------------------
\90\ http://projectcypress.org/. Cypress is the testing tool
used to test and certify products for CQMs in the ONC Health IT
Certification Program.
---------------------------------------------------------------------------
Comments. Commenters supported the Public Health Data Standards
Consortium Source of Payment Typology Code Set \91\ for representing
patient insurance. SDOs such as ANSI X12 and HL7 recognize the Source
of Payment Typology Code Set for representing patient insurance in
their standards.\92\
---------------------------------------------------------------------------
\91\ http://www.phdsc.org/standards/pdfs/SourceofPaymentTypologyVersion5.0.pdf.
\92\ http://www.phdsc.org/standards/payer-typology.asp.
---------------------------------------------------------------------------
Response. We have adopted the Public Health Data Standards
Consortium Source of Payment Typology Code Set Version 5.0 (October
2011) to represent patient insurance for this criterion.
Comments. Commenters expressed concern over the value set proposed
to represent patient sex.
Response. We address the value set for patient sex in the
``demographics'' certification criterion discussed in section III.A.3
of this preamble, to which we refer readers. As noted above and
recommended by commenters, we have adopted the same standard for this
criterion as for the ``demographics'' certification criterion, which
supports alignment and consistency.
Comments. Commenters expressed concern about the proposed
requirement to filter all 900+ race and ethnicity codes in the ``Race &
Ethnicity--CDC'' code system in PHIN VADS.
Response. We addressed the comments about the CDC Race and
Ethnicity code set in the ``demographics'' certification criterion
discussed elsewhere in this section of the preamble, to which we refer
readers. We continue to believe in the value of querying by granular
patient race and ethnicity for identification of health disparities and
supporting a provider in delivering more effective care to sub-groups
of their patients. As noted above and recommended by commenters, we
have adopted the same standard for this criterion as for the
``demographics'' certification criterion, which supports alignment and
consistency.
Comments. Commenters expressed concern on the level of complexity
for
[[Page 62655]]
filtering by SNOMED CT[supreg] codes for patient problem list.
Response. We acknowledge commenters' concerns about the level of
complexity of filtering by SNOMED CT[supreg] codes for this
certification criterion. To lessen the burden while continuing to
provide value for quality improvement, we clarify that for testing and
certification, a Health IT Module would only need to demonstrate it can
filter by the parent level code in SNOMED CT[supreg] as the code system
is designed in a hierarchical manner with more specific codes grouped
under more general parent codes.
Comments. One commenter suggested we consider adding the CMS
Certification Number (CCN) as an additional data element for this
criterion as it is used by hospitals to report their CQM data to CMS.
Response. We thank the commenter for the suggestion. At this
current point in time, we believe there are complexities with using the
CCN as a filter for CQMs. For example, a certified Health IT Module may
be certified partway through a reporting year. The CCN also represents
a unique combination of certified Health IT Modules a provider is using
to meet the CEHRT definition requirements. Thus, we are not clear on
the use case that would be served in requiring a Health IT Module
certified to this criterion to be able to filter CQM results by CCN. We
will consider the use cases and implementation of using CCN for CQM
filtering for the potential expansion of this criterion through future
rulemaking.
Authentication, Access Control, and Authorization
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(1) (Authentication, access control, and authorization)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``authentication, access
control, and authorization'' certification criterion that was unchanged
in comparison to the 2014 Edition ``authentication, access control, and
authorization'' criterion (Sec. 170.314(d)(1)).
Comments. Commenters were generally supportive of this criterion as
proposed. One commenter suggested that we track the National Strategy
for Trusted Identities in Cyberspace (NSTIC) initiative and the NSTIC
Trustmark Framework pilot. One commenter was supportive of us adopting
standards for multi-factor authentication for remote authentication to
EHR systems, whereas another commenter pointed out that current
approaches to multi-factor authentication are costly and burdensome to
implement. One commenter discussed digital signatures as they relate to
the authenticity of medical documentation.
Response. We have adopted this certification criterion largely as
proposed. We have made one minor revision by replacing the term
``person'' in the criterion with ``user.'' This revision is consistent
with our use of the term ``user'' in the 2015 Edition. We note that,
notwithstanding this revision, this criterion remains eligible for gap
certification.
In response to comments on multi-factor authentication, we have not
adopted multi-factor authentication as part of this criterion or in
another criterion or requirement as we did not propose such
functionality. We will, however, continue to track NSTIC. We will also
monitor industry progress with multi-factor authentication and may
consider multi-factor authentication certification for a future
rulemaking as noted in our discussion of the HITSC recommendations
below.
Digital signatures were proposed as part of the ``electronic
submission of medical documentation'' criterion, but were not proposed
as part of this criterion. Accordingly, we have not adopted such a
requirement as part of this criterion. We may, however, consider
digital signatures as part of a future rulemaking.
HITSC Recommendations
We received recommendations from the HITSC after the close of the
public comment period for the Proposed Rule. The HITSC recommended the
adoption of a certification criterion that would include capabilities
to ``continuously protect the integrity and confidentiality of
information used to authenticate users.'' The HITSC stated that the
adoption of such a criterion would strengthen the authentication
capabilities in currently certified health IT. The HITSC also
recommended the adoption of a certification criterion for multi-factor
authentication. These recommendations for the adoption of certification
criteria must proceed through the processes outlined in sections 3001
and 3004 of the Public Health Service Act (HITECH Act), which may lead
to a future rulemaking proposing the adoption of criteria that include
capabilities recommended by the HITSC.
Auditable Events and Tamper-Resistance
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(2) (Auditable events and tamper-resistance)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``auditable events and tamper-
resistance'' certification criterion that was unchanged in comparison
to the 2014 Edition ``auditable events and tamper-resistance''
criterion (Sec. 170.314(d)(2)) and sought comment on two issues.
First, given that it does not appear that the ASTM standard indicates
recording an event when an individual's user privileges are changed, we
asked for comment on whether we need to explicitly modify/add to the
overall auditing standard adopted in 170.210(e) to require such
information to be audited or if this type of event is already audited
at the point of authentication (e.g., when a user switches to a role
with increased privileges and authenticates themselves to the system).
We also sought comments on any recommended standards to be used in
order to record those additional data elements. We reiterated our
policy in the 2014 Edition ``auditable events and tamper resistance''
certification criterion in that the ability to disable the audit log
must be restricted to a limited set of users to meet this criterion,
and we stated that we believe our certification criterion is
appropriately framed within the parameters of what our regulation can
reasonably impose as a condition of certification. With regard to
feedback to the Voluntary Edition proposed rule that there may be some
events recorded in the audit log that may be more critical to record
than other events, we again sought comment on whether: There is any
alternative approach that we could or should consider; there is a
critical subset of those auditable events that we should require remain
enabled at all times, and if so, additional information regarding which
events should be considered critical and why; and any negative
consequences may arise from keeping a subset of audit log functionality
enabled at all times.
Comments. The majority of commenters requested that this criterion
remain as proposed and be eligible for gap certification. Commenters
overwhelming agreed that emergency access was being audited and is
already covered under the ASTM E2147 standard. Some commenters
expressed support for specifically auditing user privilege changes with
the HITSC TSSWG recommending that this
[[Page 62656]]
criterion require events to be audited in accordance with NIST SP 800-
92.\93\
---------------------------------------------------------------------------
\93\ http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf.
---------------------------------------------------------------------------
Most commenters, including the HITSC TSSWG, recommended that there
should be no change in the requirements related to disabling and
enabling the audit log. A commenter noted that determining when the
audit log should or should not be enabled is best defined by end-users
of Health IT Modules and not the health IT developers. Commenters
representing consumer organizations suggested that the audit log should
not be able to be disabled, which they argued would enhance consumer
trust. Another commenter stated that any allowance for disabling the
audit logs, for any reason, compromises the integrity of the auditing.
Commenters did not identify a critical subset of those auditable
events that we should require remain enabled at all times. However, one
commenter suggested that as an alternative to requiring the audit log
to always be enabled, we should provide regulatory guidance on the
specific information to be included in the audit log, such as is
stipulated in the ASTM E2147 standard. The commenter also recommended
that we provide clarity on the scope of the applicability of the ASTM
standard as a part of that guidance when it comes to whether the intent
is to include only natural person/end user accesses or other access
such as ``machine to machine.''
Response. We have adopted this criterion as proposed, except that
we have revised the auditing standard referenced by this criterion and
adopted in Sec. 170.210(e)(1)(i) \94\ to include a requirement to
audit changes in user privileges. With consideration of public
comments, we believe that this is an event that should be audited for
the purposes of certification. We do not, however, believe that at this
time certification should expand to an extensive list of auditable
events as recommended by the HITSC TSSWG. Rather, we believe that
certification should remain a baseline and health IT developers and
providers can expand their auditing practices as appropriate.
---------------------------------------------------------------------------
\94\ We note that the ASTM E2147 standard has been reapproved
(in 2013) with no changes. We have, therefore, revised the
regulation text to reflect the reapproval. http://www.astm.org/Standards/E2147.htm.
---------------------------------------------------------------------------
We did not receive an overwhelming response or rationale from
commenters that convinced us to change our approach to require that a
Health IT Module not permit an audit log to be disabled. In fact,
comments remained mixed and the HITSC continued to support our current
approach. As recited in the Proposed Rule, there are valid reasons for
disabling the audit log. We continue to believe that it is appropriate
to restrict the ability to disable the audit log to a limited set of
users, which permits the end user to determine if, when, and by whom
the audit log may be disabled. As to the alternative approach to always
enabling the audit log, we note that we have chosen to maintain the
current approach, but will consider as part of the finalizing of the
2015 Edition test procedure for this criterion what additional guidance
we can provide related to auditable actions consistent with the ASTM
E2147 standard.
Audit Report(s)
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(3) (Audit reports)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``audit reports(s)''
certification criterion that was unchanged in comparison to the 2014
Edition ``audit reports(s)'' criterion (Sec. 170.314(d)(3)).
Comments. Commenters recommended that we adopt this criterion as
proposed. A couple of commenters requested that we include additional
functionality in this criterion, such as a filtering functionality
(beyond sorting) and automated reporting without manual searches/
sorting.
Response. We have adopted this criterion as proposed. We appreciate
commenters' suggested additional functionalities, but these
functionalities are beyond the scope of our proposal. To note,
certification serves as a baseline for health IT. We would expect
health IT developers to incorporate such functionalities to possibly
differentiate their products in the market or if specifically desired
by their customers (e.g., providers).
Amendments
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(4) (Amendments)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``amendments'' certification
criterion that was unchanged in comparison to the 2014 Edition
``amendments'' criterion (Sec. 170.314(d)(4)). We noted that this
certification criterion only partially addresses the amendment of
protected health information (PHI) requirements of 45 CFR 164.526.
Comments. Commenters supported this criterion as proposed. A
commenter requested clarification as to whether amendment steps such as
request, approval/denial, and updating are to be tracked as separate
unique events or as a single event with a single timestamp. A couple of
commenters suggested this criterion include the capability to maintain
the provenance of amendments made by patients and other patient
generated health data to reduce the numbers of errors.
Response. We have adopted this certification criterion as proposed.
The ``tracking'' or auditing of events mentioned by the commenter is
outside the scope of this criterion. Rather, we would expect such
actions to be subject of an entity's auditing technology and practices.
We appreciate the suggestion to maintain provenance of amendments made
by patients and other patient generated health data, but this is
outside the scope of the functionality proposed for this criterion.
Automatic Access Time-Out
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(5) (Automatic access time-out)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``automatic access time-out''
certification criterion that was unchanged in comparison to the 2014
Edition ``automatic log-off'' criterion (Sec. 170.314(d)(5)). In terms
of the functionality within the criterion, we proposed to restate the
language to require a Health IT Module to demonstrate that it can
automatically stop user access to health information after a
predetermined period of inactivity and require user authentication in
order to resume or regain the access that was stopped. This proposal
was based on feedback previously received from the HITSC Privacy and
Security Workgroup (PSWG).\95\ The PSWG noted in June 2014 that many
systems are not session-based. Instead, systems may be stateless,
clientless, and/or run on any device. The HITSC recommended that this
certification criterion should not be overly prescriptive so as to
inhibit system architecture flexibility. We agreed with the substance
of the PSWG and HITSC recommendations and proposed to state the
functionality required as specified above, noting that we do not
believe this would have any impact on testing and certification as
compared to testing and certification to the 2014 Edition ``automatic
log-off'' criterion (i.e., the 2015 ``automatic
[[Page 62657]]
access time-out'' criterion would be eligible for gap certification).
---------------------------------------------------------------------------
\95\ http://www.healthit.gov/facas/sites/faca/files/HITSC_PSWG_2015NPRM_Update_2014-06-17.pdf. The HITSC Privacy &
Security Work Group changed names and became the HITSC Transport &
Security Standards Work Group in July 2014.
---------------------------------------------------------------------------
Comments. Commenters expressed support for this criterion as
proposed. The HITSC Transport and Security Standards Workgroup (TSSWG)
again recommended that we change the language of the criterion to read
``automatically terminate access to protected health information after
a system- and/or administrator-defined period of inactivity, and
reinitiate the session upon re-authentication of the user.''
Response. We thank commenters for their support. We continue to
believe that the language offered by the TSSWG prescribes a particular
session-based design and is not the most appropriate language for this
criterion. As mentioned above, not all systems are session-based.
Therefore, we have adopted this criterion as proposed.
Emergency Access
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(6) (Emergency access)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``emergency access''
certification criterion that was unchanged in comparison to the 2014
Edition ``emergency access'' criterion (Sec. 170.314(d)(6)).
Comments. Commenters supported this criterion as proposed.
Response. We have adopted this criterion as proposed.
End-User Device Encryption
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(7) (End-user device encryption)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``end-user device encryption''
certification criterion that was unchanged in comparison to the 2014
Edition ``end-user device encryption'' criterion (Sec. 170.314(d)(7)).
We proposed to require certification to this criterion consistent with
the most recent version of Annex A: Approved Security Functions (Draft,
October 8, 2014) for Federal Information Processing Standards (FIPS)
Publication 140-2.\96\ We noted, however, that we do not believe that
this would have any impact on testing and certification as compared to
testing and certification to the 2014 Edition ``end-user device
encryption'' criterion (i.e., the 2015 ``end-user device encryption''
criterion would be eligible for gap certification).
---------------------------------------------------------------------------
\96\ http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf.
---------------------------------------------------------------------------
Comments. Many commenters expressed support for leaving the
certification criterion unchanged in comparison to the 2014 Edition
``end-user device encryption'' criterion. Many commenters also
supported our proposal for using the most recent version of Annex A as
cited in the Proposed Rule.
Response. We appreciate the support expressed by many commenters.
We have adopted this certification criterion as proposed, including the
updated version of Annex A.
Comments. Some commenters suggested that we expanded the
functionality of this criterion to include server-side encryption or
encryption of data in-motion. One commenter said that data should be
encrypted when using cloud storage technologies. Another commenter
requested clarification if this criterion applied to data at-rest or
in-motion.
Response. As described in the 2014 Edition final rule (77 FR 54236-
54238), the functionality included in the 2014 Edition certification
criterion (and this 2015 Edition unchanged criterion) does not focus on
server-side or data center hosted technology. We recognize that these
implementations could employ a variety of different administrative,
physical, and technical safeguards, including hardware-enabled security
protections that would be significantly more secure than software
oriented encryption capabilities. Rather, this criterion focuses on
data locally stored on end-user devices after the use of the technology
is stopped.
Comments. Some commenters stated that we should address encryption
key management and key storage in this certification criterion.
Response. We agree with commenters that encryption controls depend
on the encryption key remaining secure. However, this functionality is
outside the scope of the proposed criterion. We also note that
encryption key management often occurs outside of certified health IT
and depends on the environment in which the certified health IT is
deployed, and, as such, depends on organizational policy and security
risk assessments. We encourage stakeholders to follow applicable
guidance from the Office for Civil Rights (OCR \97\ and the National
Institutes of Standards and Technology \98\ for securing encryption
keys.
---------------------------------------------------------------------------
\97\ http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
\98\ http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf.
---------------------------------------------------------------------------
Integrity
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(8) (Integrity)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``integrity'' certification
criterion that was unchanged in comparison to the 2014 Edition
``integrity'' criterion (Sec. 170.314(d)(8)). We did, however, propose
a change in how a Health IT Module would be tested and certified to
this criterion. We explained that the 2015 Edition ``integrity''
criterion would be tested and certified to support the context for
which it was adopted--upon receipt of a summary record in order to
ensure the integrity of the information exchanged (see Sec.
170.315(d)(8)(ii)). Therefore, we stated that we expect that this
certification criterion would most frequently be paired with the
``ToC'' certification criterion for testing and certification.
We sought comment on if, and when, we should set the baseline for
certification to the 2015 Edition ``integrity'' certification criterion
at SHA-2.\99\ In support of this potential change, we noted that SHA-2
has much more security strength compared to the SHA-1 standard. We also
pointed out that many companies, including Microsoft and Google, plan
to deprecate SHA-1 no later than January 1, 2017.
---------------------------------------------------------------------------
\99\ http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
---------------------------------------------------------------------------
Comments. Several commenters and the HITSC expressed support for
increasing the integrity standard to SHA-2. One commenter pointed out
that NIST has deprecated the use of SHA-1, whereas another commenter
claimed that health IT would have to eventually get recertified to SHA-
2 if we moved to SHA-2 at a later date (beyond the effective date of
this final rule) or in a future edition. A few commenters requested
that we wait until 2017 or 2018 to increase the standard to SHA-1.
Response. In 2012, NIST Special Publication 800-57 \100\
recommended that federal systems not be permitted to create new hashes
using SHA-1 starting in 2014. Given that NIST, technology companies,
and health IT developers are moving away from SHA-1, we believe now is
the appropriate time to move towards the more secure SHA-2 standard.
Therefore, we will make this new requirement effective with the
effective date of this final rule. We note that there is no requirement
obligating health IT developers to get their products certified to this
requirement immediately, and we would expect
[[Page 62658]]
health IT developers to not begin seeking certification to this
criterion until later in 2016 for implementation in 2017 and 2018. We
further note that certification only ensures that a Health IT Module
can create hashes using SHA-2, it does not require the use of SHA-2.
For example, users of certified health IT may find it appropriate to
continue to use SHA-1 for backwards compatibility if their security
risk analysis justifies the risk.
---------------------------------------------------------------------------
\100\ http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf.
---------------------------------------------------------------------------
Consistent with this decision, we have also updated this criterion
and standard to reference the most recent version of FIPS PUB 180-4,
Secure Hash Standard, 180-4 (August 2015).\101\
---------------------------------------------------------------------------
\101\ http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf.
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(9) (Trusted connection)
------------------------------------------------------------------------
Please see the discussion under the ``Application Access To Common
Clinical Data Set'' certification criteria later in this section of the
preamble.
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(10) (Auditing actions on health information)
------------------------------------------------------------------------
Please see the discussion under the ``Application Access To Common
Clinical Data Set'' certification criteria later in this section of the
preamble.
Accounting of Disclosures
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(d)(10) (Accounting of disclosures)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``accounting of disclosures''
certification criterion that was unchanged in comparison to the 2014
Edition ``accounting of disclosures'' criterion (Sec. 170.314(d)(9)).
We noted that the 2015 Edition criterion is no longer designated
``optional'' because such a designation is no longer necessary given
that we have discontinued the Complete EHR definition and Complete EHR
certification beginning with the 2015 Edition certification criteria.
Comments. Commenters expressed support for this certification
criterion as proposed. A commenter recommended removing the criterion
until the HHS Office for Civil Rights (OCR) issues a final rule for its
previously published proposed rule regarding accounting of disclosures
(76 FR 31426).\102\ Other commenters recommended strengthening this
criterion and specifications to enhance the ability to identify
inappropriate access inside an entity or organized health care
arrangement and to provide reports with sufficiently relevant data.
---------------------------------------------------------------------------
\102\ http://www.thefederalregister.org/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf.
---------------------------------------------------------------------------
Response. We have adopted this certification criterion as proposed.
We initially adopted an ``accounting of disclosures'' certification
criterion to supplement HITECH Act requirements and rulemaking by OCR
(75 FR 2016-17 and 75 FR 44623-24) and believe there is value in its
continue adoption as proposed. We appreciate the suggested revisions
offered by commenters, but believe that alignment with an ``account of
disclosures'' final rule will provide the most certainty and useful
functionality for providers, while also mitigating any health IT
development and implementation burdens that may accrue through
compliance with potential multiple adopted versions of this
certification criterion. We believe it is most appropriate to wait and
consider the provisions of an ``accounting of disclosures'' final rule
to be issued by OCR before making any revisions to this certification
criterion. As currently adopted, health IT developers have the option
of pursuing certification to this criterion if they deem it
advantageous.
View, Download, and Transmit to 3rd Party
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(e)(1) (View, download, and transmit to 3rd party)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``view, download, and transmit
to 3rd party'' (VDT) criterion that was revised in comparison to the
2014 Edition ``VDT'' criterion (Sec. 170.314(e)(1)).
Clarified Introductory Text for 2015 Edition VDT Certification
Criterion
We proposed to revise the introductory text to lead with ``Patients
(and their authorized representatives) must be able to use health IT to
. . .'' We also proposed to use this same phrase at the beginning of
each specific capability for VDT to reinforce this point. We noted that
this does not override or substitute for an individual's right to
access protected health information (PHI) in a designated record set
under 45 CFR 164.524.
Comments. Many commenters voiced support for the inclusion of
``authorized representative'' in the introductory text of VDT, noting
that specifically granting the patient's authorized representative the
ability to view/download/transmit patient health information reinforces
the importance of the caregiver role on the care team and supports a
vision of patient-centered care. One commenter urged us to adopt the
``personal representative'' term used in HIPAA.
Response. We have adopted the proposed introductory language as it
clarifies that these capabilities must enable patients and their
authorized representatives. We decline to use the HIPAA term ``personal
representative.'' Rather, we have adopted our proposal of ``patients
(and their authorized representatives)'' to be consistent with the
approach we have used in previous rulemakings that aligns with the use
of the term under the EHR Incentive Programs. A ``patient-authorized
representative'' is defined as any individual to whom the patient has
granted access to their health information (see also 77 FR 13720).
Examples would include family members, an advocate for the patient, or
other individual identified by the patient. A patient would have to
affirmatively grant access to these representatives with the exception
of minors for whom existing local, state, or federal law grants their
parents or guardians access without the need for the minor to consent
and individuals who are unable to provide consent and where the state
appoints a guardian (see also 77 FR 13720).
Additionally, consistent with our certification program approach
to apply particular privacy and security certification criteria to a
product's certification based on the scope of capabilities presented,
we have determined that this certification criterion would be clearer
and more focused if we were to remove the secure access language
included in (e)(1)(i) in favor of having a specific privacy and
security certification criterion that would be applicable to this
criterion. In transitioning this text, we have also made a conforming
revision to note that the ``technology'' used would need to be
``internet-based'' which we believe is a more generally applicable and
innovation supportive term compared to the user of the word ``online,''
which was part of the sentence that included the security specific
language that we have removed.
Updated C-CDA and Common Clinical Data Set
We proposed to reference the updated version of the C-CDA (Draft
Standard for Trial Use, Release 2.0) for the ``VDT'' criterion and
noted that compliance with Release 2.0 cannot include the use of the
``unstructured document'' document-level template for certification to
this criterion. We also solicited comment on whether we should limit
the scope of the C-CDA
[[Page 62659]]
document created for the purposes of this criterion to just the CCD
document template. We also solicited comment on whether we should
require in this criterion to permit patients and their authorized
representatives to select their health information for, as applicable,
viewing, downloading, transmitting, or API based on a specific date or
time, a period of time, or all the information available.
Comments. Multiple commenters supported the reference to C-CDA
Release 2.0 document template. Some commenters voiced concern about
adoption C-CDA Release 2.0 if backwards compatibility is not fully
addressed. Other commenters suggested additional information that
patients may need outside of the C-CDA, including referral summaries,
discharge instructions, documents listed in the Patient Health
Information Capture criterion, and nutrition and diet orders. Multiple
commenters supported the focus on the creation of a CCD document
template based on the C-CDA Release 2 for the ``VDT'' criterion,
stating that it would be less confusing for consumers who may not be
able to distinguish between different document types. In regard to our
solicitation on time and date range functionality, multiple commenters
were in support of adding such capabilities, while a few commenters did
not agree with including this functionality.
Response. Consistent with our decision for the ``ToC'' criterion,
we will reference C-CDA Release 2.1 in the ``VDT'' criterion. In
response to public comment, we have narrowed the scope of the C-CDA
document templates to only the CCD for this criterion. We emphasize
that this requirement serves as a ``floor'' rather than a ``ceiling''
and that Health IT Modules and their purchasers may choose to add
additional document types as appropriate for different practice and
care settings.
We have included an updated Common Clinical Data Set for the 2015
Edition that includes references to new and updated vocabulary
standards code sets. Please also see the Common Clinical Data Set
definition in section III.B.3 of this preamble.
In consideration of public comments that focused on our comment
solicitation around the addition of date and time filtering
capabilities, we have decided to adopt such requirements as part of
this criterion. We believe that adding this explicit functionality to
the certification criterion provides specific clarity that patients
should have certain baseline capabilities available to them when it
comes to selecting the data (or range of data) they wish to view,
download, or transmit. Specifically, we have adopted within this
criterion two timeframe filters that patients must be able to select
and configure on their own. The first would ensure that a patient can
select data associated with a specific date (to be viewed, downloaded,
or transmitted) and the second would ensure that the patient could
select data within an identified date range (to be viewed, downloaded,
or transmitted), which must be able to accommodate the patient
selecting a range that includes all data available to them. We also
clarify that we are not including the ability to select a specific data
element category as part of this requirement, but reiterate that these
requirements represent a floor rather than a ceiling, and health IT
developers may choose to add other functionalities as appropriate. The
technology specifications should be designed and implemented in such a
way as to provide maximum clarity to a patient (and their authorized
representative) about what data exists in the system and how to
interpret it, and we expect that health IT developers will make choices
following design and usability best practices that will make it easier
and clearer for patients to find and use their records.
Diagnostic Image Reports
We proposed to require that a Health IT Module would need to
demonstrate that it can make diagnostic image reports available to the
patient in order to be certified. We explained that a diagnostic image
report contains a consulting specialist's interpretation of image data,
that it is intended to convey the interpretation to the referring
(ordering) physician, and that it becomes part of the patient's medical
record.
Comments. Commenters were generally supportive of including
diagnostic image reports and associated context in the ``VDT''
criterion. Some commenters requested clarification on where this data
would be accessible within the C-CDA.
Response. We have adopted this proposal to include the diagnostic
imaging report (including the consulting specialist's interpretation)
as a requirement in the ``VDT'' criterion. Health IT Modules may
include this information in the ``Results'' section of the CCD. We
clarify that unstructured data for the interpretation text is
acceptable.
VDT--Application Access to Common Clinical Data Set
We have addressed all comments on this proposed provision under the
``Application Access to Common Clinical Data Set'' in this section of
the preamble.
Activity History Log
We proposed to include ``addressee'' as a new data element in the
2015 Edition ``VDT'' criterion related to the activity history log. In
the Proposed Rule, we noted that this transactional history is
important for patients to be able to access, especially if a patient
actively transmits his or her health information to a 3rd party or
another health care provider.
Comments. Commenters were generally supportive of this new data
element. One commenter suggested that we not include transmission
status in the final rule because few patients actually transmit.
Response. We have adopted the new data element of ``addressee'' as
part of the VDT criterion. While fewer patients may currently use
``transmit'' than ``view'' or ``download,'' we anticipate that more
patients will use this functionality in the future and that this
information will be helpful for transaction history.
Patient Access to Laboratory Test Reports
In the Proposed Rule, we noted recent regulatory changes addressing
the intersection of the CLIA rules, state laws governing direct patient
access to their laboratory test reports, and the HIPAA Privacy Rule.
These regulatory changes converged in a final rule that permits a
patient, or his or her ``personal representative,'' as applicable, to
request a copy of the patient's completed test reports directly from
the laboratory or to request that the test results be transmitted to a
designated person. To ensure fidelity of such reports regardless of the
system delivering laboratory results to a patient, we proposed that a
Health IT Module presented for certification to this criterion must
demonstrate that it can provide laboratory test reports that include
the information for a test report specified in 42 CFR 493.1291(c)(1)
through (7); the information related to reference intervals or normal
values as specified in 42 CFR 493.1291(d); and the information for
corrected reports as specified in 42 CFR 493.1291(k)(2).
Comments. One commenter suggested that this requirement be removed
until the C-CDA specification supports the requisite CLIA data
referenced in the
[[Page 62660]]
Proposed Rule. Another commenter noted that some laboratory results
require provider annotation and/or follow up testing before they can be
released to the patient to avoid harm, particularly with certain
sensitive tests such as HIV tests. Thus, a laboratory result awaiting
provider annotation may not be fully ``available'' until the annotation
is complete.
Response. We have adopted the proposed laboratory test reports
requirement for the VDT criterion. We note that the C-CDA can support
this information in a structured way using the ``Result Observation
Template'' in the ``Results'' section. We recommend that health IT
developers follow the best practices for use of these C-CDA templates
as outlined by HL7 (see, e.g., HL7 Task Force Examples: http://wiki.hl7.org/index.php?title=CDA_Example_Task_Force). Further, we
strongly recommend an approach favoring coded data where possible and
appropriate, and anticipate that future certification editions will
require more extensively coded data.
Web Content Accessibility Guidelines (WCAG)
We proposed to modify the regulatory text hierarchy at Sec.
170.204(a) to designate the WCAG 2.0 Level A (Level A) conformance at
Sec. 170.204(a)(1) instead of Sec. 170.204(a). This would also
require the 2014 Edition ``VDT'' certification criterion to be revised
to correctly reference Sec. 170.204(a)(1). We also sought comment on
whether we should adopt WCAG 2.0 Level AA (Level AA) conformance
requirements for the ``view'' capability included in the 2015 Edition
VDT criterion, instead of the current Level A.
Comments. Many commenters representing the patient advocate
community supported the increase to Level AA; additionally, the U.S.
Access Board noted that other federal agencies and programs are moving
toward Level AA. Other commenters said that Level A conformance was
sufficient and that level AA is not needed and overly burdensome.
Response. We have adopted and retained the Level A requirement for
this criterion. However, we have included Level AA as an optional
component of this certification criterion via an ``or'' in the
certification criterion so that if a developer so chooses it can
demonstrate that a Health IT Module can meet Level AA. We reiterate
that the ``or'' does not mean that a technology would need to meet both
levels. At a minimum it would need to meet Level A. We note that such
information would be listed with the product as part of its Certified
Health IT Product List (CHPL) listing. We believe this option adds
transparency to what capabilities products include and can better
inform purchasers. We have adopted Level AA as a standard at Sec.
170.204(a)(2). Additionally, we have determined that the certification
criterion's requirements for the application of WCAG would be clearer
if it were expressed in the general requirement at the paragraph
170.315(e)(1)(i) since WCAG needs to apply to all user viewable
functionality and would equally apply to and include the user
experience aspects of download and transmit.
``Transmit'' Request for Comment
We requested comment on (1) whether we should include the Direct
Project's Implementation Guide for Direct Project Trust Bundle
Distribution specification as part of certification for the ``VDT''
certification criterion; and (2) whether any additional requirements
are needed to support scalable trust between Security/Trust Agents
(STAs) as well as ways in which we, in collaboration with other
industry stakeholders, could support or help coordinate a way to bridge
any gaps.
Comments. One commenter noted that the proposed inclusion of the
Direct Project's Implementation Guide for Trust Bundle Distribution
will be confusing because most of the Direct Project IG for the trust
bundle focuses on creating a trust bundle, not consuming it. The
commenter recommended pointing developers to Section 3.0 Trust Bundle
Requestors for additional guidance, and that we support participation
in existing trust communities such as the National Association for
Trusted Exchange (NATE). Another commenter recommended that we require
EHR and HISP vendors to preload all Blue Button Patient Trust Bundles
into their systems so providers using these systems can transmit
records using the Direct protocol.
Response. Our intent is to ensure that an individual who wants to
transmit his or her health information to a third party has options to
be able to do so, and those options should be easy and convenient.
Individuals who are more concerned about sharing their data in transit
can choose a more secure, simple option for transmitting this
information. To provide greater flexibility for patients to effectively
use the ``transmit'' capability and to ensure that patients have an
easy and near universal ability to send their health information to a
destination they select, we have adopted a more flexible approach for
testing and certifying ``transmit'' as part of this certification
criterion. In order to satisfy this portion of the certification
criterion a Health IT Module must demonstrate two forms of
transmission:
(1) Email transmission (of a CCD) to any email address; \103\ and
---------------------------------------------------------------------------
\103\ Please see the OCR frequently asked questions for best
practices regarding the use of email for transmitting health
information: http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html.
---------------------------------------------------------------------------
(2) An encrypted method of electronic transmission.
This approach will provide patients with a readily understood and
convenient option to simply send their health information via email.
Patients, under current HIPAA regulations,\104\ may presently ask that
data be disclosed to them via unencrypted email. Therefore, including
email as an option for transmission capabilities is consistent with
HIPAA as well as with common communications for other purposes. We also
provide and encourage an encrypted option for transmitting their health
information if they prefer or need to transmit their data with added
security. There is a heightened interest in security of information in
transit and at rest across all industries. As such, we encourage
developers to provide innovative options for individuals to easily and
efficiently protect their health information based on generally
available mechanisms for security and new advances in this area. In
either case--whether by email or an encrypted method--the goal is to
support patients in transmitting their health information on demand to
a third party of their own choice. We note that, for certification, the
encrypted method would be subject to the 2015 Edition privacy and
security certification framework, particularly the ``trusted
connection'' certification criterion. We refer readers to section
IV.C.1 (``Privacy and Security'') of this preamble for further
discussion of the 2015 Edition P&S certification framework and to the
``application access to Common Clinical Data Set'' section of this
preamble for more information of the ``trusted connection''
certification criterion.
---------------------------------------------------------------------------
\104\ 45 CFR 164.524 and related guidance.
---------------------------------------------------------------------------
In adding flexibility to this portion of the certification
criterion, the other proposals and topics on which we sought comment
are moot. However, we wish to reiterate that for the purposes of
meeting the second form of transmission, the Direct protocol is an
encouraged and viable method, especially since health IT developers
have already been certified to this functionality for the purposes of
2014 Edition certification, and will also be
[[Page 62661]]
certified to this functionality as part of 2015 Edition certification
to support transitions of care requirements through the 2015 Edition
``ToC'' criterion. Additionally, we clarify that with respect to the
second method, health IT developers have the flexibility to either
establish an encrypted connection between two end points or,
alternatively, secure the payload via encryption. In other words, we
make no presumption and do not imply through the language in the second
method that only one approach will satisfy testing and certification.
C-CDA Data Provenance Request for Comment
We refer readers to our response to this request for comment under
the ``ToC'' criterion.
Secure Messaging
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(e)(2) (Secure messaging)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``secure messaging''
certification criterion that was unchanged in comparison to the 2014
Edition ``secure messaging'' criterion (Sec. 170.314(e)(3)).
Comments. The majority of commenters supported this criterion as
proposed. Some commenters suggested additional functionality for this
criterion, including the ability to track responses to patient-
generated messages, support languages other than English, and other
forms of communication including audio, video, or images. A few
commenters questioned whether patients' devices would need to be secure
and encrypted, and whether the encryption criteria would only apply to
the message content. A commenter recommended that health IT developers
should have to preload trust bundles. Another commenter suggested that
health IT developers should be prohibited from charging significant
add-on fees for secure messaging. Another commenter recommended that
in-the-field surveillance is needed to ensure that health IT developers
and providers were enabling this functionality. A commenter listed
several issues associated with the EHR Incentive Programs Stage 3
objective and measure related to secure messaging, including the lack
of a routine secure messaging use case for eligible hospitals and CAHs,
that only certain types of secure messages would count, that the API
alternative might drive down secure messaging using certified health
IT, and that measurement should be based on those patients who ``opt
in.'' This same commenter also suggests that if the CMS proposal is
adopted, the criterion should clearly define exclusion criteria.
Response. We have adopted this criterion with modification. We have
removed the specific security requirements out of the criterion because
the appropriate privacy and security (P&S) requirements will be applied
through the 2015 Edition P&S certification framework finalized in this
final rule. To clarify, a Health IT Module certified to this criterion
will still need to demonstrate the same security requirements as
included in the proposed criterion (patient/user authentication and
encryption and integrity-protection), but there will be more
flexibility in that a health IT developer can choose between message-
level or transport level certification in accordance with Sec.
170.315(d)(9). Certification to this criterion will also require
certification to other privacy and security criteria under the P&S
certification framework, including automatic log-off (Sec.
170.315(d)(5)) and the auditing criteria (Sec. 170.315(d)(2) and (3)).
Our revisions to the criterion and approach are consistent with our
overall approach to applying the appropriate privacy and security
certification requirements to each 2015 Edition certification
criterion. We refer readers to section IV.C.1 (``Privacy and
Security'') of this preamble for further discussion of the 2015 Edition
P&S certification framework, including specific application of the P&S
certification framework to a Health IT Module presented for
certification to the ``secure messaging'' criterion in conjunction with
other certification criteria.
This criterion is no longer eligible for gap certification as the
new hashing standard (a hashing algorithm with a security strength
equal to or greater than SHA-2) applies to this criterion.
We appreciate the suggested additional functionalities for
inclusion in this criterion (tracking responses, use of languages
beyond English, and other forms of communication, and preloaded trust
bundles), but the functionalities are beyond the scope of our proposal.
We will consider these additional functionalities for a future edition
of this criterion. We clarify in this final rule that the encryption
requirements only apply to the message content and not to patients'
devices.
We cannot prescribe the fees health IT developers charge for their
certified health IT, but note that our transparency provisions (Sec.
170.523(k)) require ONC-ACBs to ensure that health IT developers make
public the types of costs they charge to enable certified health IT.
ONC-ACBs also conduct surveillance of certified health IT under the ONC
Health IT Certification Program to ensure that health IT continues to
function as initially certified. Surveillance can be initiated randomly
or in response to complaints.
For concerns and questions related to the EHR Incentive Programs,
we refer readers to CMS and the EHR Incentive Programs Stage 3 and
Modifications final rule published elsewhere in this issue of the
Federal Register. We note that health IT certified to certification
criteria that support percentage-based measures under the EHR Incentive
Programs (i.e., this criterion) must also be able to record, at a
minimum, the numerator for that measure per the CEHRT definition
requirements and the ``meaningful use measurement calculation''
certification criteria (Sec. 170.315(g)(1) and (g)(2)).
Patient Health Information Capture
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(e)(3) (Patient health information capture)
------------------------------------------------------------------------
In following the HITSC recommendation for Health IT Module
functionality to store an advance directive and/or include more
information about the advance directive, we proposed a 2015 Edition
``patient health information capture'' certification criterion that
would ``replace'' the 2014 Edition ``advance directives'' certification
criterion (Sec. 170.314(a)(17)) and apply to various patient health
information documents. We stated that a Health IT Module would need to
enable a user to: (1) Identify (e.g., label health information
documents as advance directives and birth plans), record (capture and
store) and access (ability to examine or review) patient health
information documents; (2) reference and link to patient health
information documents; and (3) record and access information directly
and electronically shared by a patient.
We received general comments and comments on each of the
capabilities included in the proposed criterion. We have divided and
responded to the comments in a similar manner.
Comments. Commenters expressed general agreement with this
criterion, with broad support across health IT developers, providers,
consumers, and various advocacy groups. Commenters stated that this
functionality could support addressing health disparities in
populations that are less likely to execute healthcare planning
documents
[[Page 62662]]
or provide health information to providers.
Response. We thank commenters for their feedback. We have adopted
this criterion as proposed with the revisions and clarifications
specified below. As adopted, we anticipate health IT developers will
develop innovative and efficient ways to meet this criterion and
simultaneously support providers accepting health information from
patient.
Identify, Record, and Access Information Documents
Comments. Commenters universally supported this proposed provision.
Response. We thank commenters for their support. We have adopted
the capabilities of this provision (identify, record, and access
information documents) by combining them with the proposed provision of
this criterion that included capabilities to record and access
information directly and electronically shared by a patient. The
capabilities to identify, record, and access patient health information
documents are essentially a subset of the capabilities to record and
access information directly and electronically shared by a patient,
except for the proposed ``identification'' capability. Therefore, we
have specifically retained the ``identification'' capability, while
merging the other capabilities to finalize a provision that requires
health IT to enable a user to identify, record, and access information
directly and electronically shared by a patient (or authorized
representative).
Reference and Link Documents
Comments. Most commenters supported this requirement, while some
commenters did not agree that there was value in linking documents and
others expressed security concerns. A commenter stated that a link
could require additional log in credentials. A few commenters also
expressed concerns regarding a system's need to capture information
from any external internet site, stating that a patient (intentionally
or unintentionally) could provide a URL to the provider that contained
a virus.
Response. The criterion focuses solely on the ability of the Health
IT Module to be able reference (providing narrative information on
where to locate a specific health information document) and link to
patient health information. ``Linking,'' as described in the Proposed
Rule, requires a Health IT Module to demonstrate it could link to an
internet site storing a health information document. While an intranet
link to a health information document might suffice for provider use, a
Health IT Module will still need to demonstrate the ability to link to
an external site via the internet for the purposes of certification.
The requirement of this provision does not go beyond this specified
functionality.
This criterion is subject to the 2015 Edition privacy and security
(P&S) certification framework adopted in this final rule. In this
regard, a Health IT Module certified to this criterion would also need
to be certified to the P&S certification criteria in Sec.
170.315(d)(1) (authentication, access control, and authorization),
(d)(2) (auditable events and tamper resistance), (d)(3) (audit
reports), (d)(4) (amendments), (d)(5) (automatic log-off), and (d)(9)
(trusted connection).\105\ We believe these certification criteria and
included capabilities will assist a provider in protecting its health
IT system against potential security concerns. However, we note that
certification is a baseline. Health IT developers and providers have
the discretion to both determine what types of security features should
be implemented (e.g., multi-factor authentication) with the
functionality included in this criterion and whether to accept specific
electronic information from a patient, such as a URL.
---------------------------------------------------------------------------
\105\ We refer readers to section IV.C.1 (``Privacy and
Security'') of this preamble for further discussion of the 2015
Edition P&S certification framework.
---------------------------------------------------------------------------
Record and Access Information Directly Shared by a Patient
Comments. Many commenters expressed support for this provision,
including not specifying standards for compliance. A few commenters
requested we identify standards or ensure compatibility with other
standards such as the C-CDA or Direct messaging protocol. Most
commenters sought clarification of this requirement. A couple of
commenters suggested we drop this provision. A few commenters requested
to know if this criterion was intended to directly support the proposed
EHR Incentive Programs Stage 3 objective and measure regarding patient-
generated health data and what types of patient health information was
contemplated by this criterion. A commenter suggested making this
functionality a separate criterion.
Response. The intent of this provision is to establish at least one
means for accepting patient health information directly and
electronically from patients in the most flexible manner possible. This
approach means focusing on functionality and not standards. Further, we
do not believe there are appropriate standards that we could adopt that
cover all the conceivable use cases.
This criterion was specifically included in the CEHRT definition to
ensure, at a minimum, providers participating in the EHR Incentive
Programs had this capability. While it could potentially be used to
support the Stage 3 objective and measure regarding patient-generated
health data, it was not proposed with the intention of it being the
only means available for meeting the Stage 3 objective and measure.
Rather, the goal was to set a foundation for accepting information
directly from patients.
We do not seek to define the types of health information that could
be accepted as we believe this should be as broad as possible. The
types of health information could be documents as described in the
Proposed Rule (e.g., advance directive or birth plans) or health
information from devices or applications. The devices and applications
could include home health or personal health monitoring devices,
fitness and nutrition applications, or a variety of other devices and
applications. In addition, patient health information could be accepted
directly and electronically through a patient portal, an API, or even
email.
We have determined that it is most appropriate to keep all the
functionality in one criterion and combine capabilities as noted above.
We emphasize that it is always possible to have multiple technologies
certified together as a one ``Health IT Module'' to meet this
criterion.
We note that we intend for ``patient'' to be interpreted broadly to
include an authorized representative. For clarity, we have specified
this intent in regulation.
Transmission To Immunization Registries
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(1) (Transmission to immunization registries)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``transmission to immunization
registries'' certification criterion that was revised in comparison to
the 2014 Edition ``transmission to immunization registries'' criterion
(Sec. 170.314(f)(2)). To note, we have structured the comments we
received and our responses based on the specific proposed provisions of
this criterion.
Comments. Most commenters supported the proposed criterion. Many
commenters noted the value of the proposed criterion to bi-directional
data
[[Page 62663]]
exchange of immunization data, which was not supported by the
functionality included in the 2014 Edition ``transmission to
immunization registries'' criterion. Commenters also noted the
importance of NDC and CVX codes, but expressed concern regarding issues
with NDC codes as discussed in more detail below. One commenter
suggested that intermediaries should be able to play a role, such as
transformation of the data, in the transmission of immunization data
and that only one system in the process of moving the immunization
information from sender to public health agency should be required to
be certified. Another commenter requested clarification if the criteria
would be part of the Base EHR definition.
Response. We appreciate the support for the proposed certification
criterion. We have adopted this certification criterion as proposed,
but with an update to the proposed IG and the clarifications in
response to comments discussed in detail below. We clarify for
commenters that any health IT can be certified to this criterion if it
can meet all the requirements of the criterion, which include context
exchange and vocabulary standards but do not specify a transport
standard or mechanism. We further clarify that this criterion is not
included in the 2015 Edition Base EHR definition, but would support
meeting one of measures under the public health objective of the EHR
Incentive Programs Stage 3.
Implementation Guide for Transmission to Immunization Registries
We proposed to adopt the CDC's updated implementation guide for
immunization messaging, HL7 Version 2.5.1: Implementation Guide for
Immunization Messaging, Release 1.5 (October 2014) (``Release 1.5'').
We explained that the updated IG promotes greater interoperability
between immunization registries and health IT systems, addresses issues
from the previous release, and revises certain HL7 message elements to
reduce data element recording differences between states and public
health jurisdictions.
Comments. The majority of commenters supported adoption of Release
1.5, acknowledging that it resolves known issues in the previous
release and offers improved support for standard data transmission.
Some commenters noted that Release 1.5 includes references to the CDC
Race and Ethnicity code set for purposes of the exchange of race and
ethnicity data--which is more granular regarding race and ethnicity
options for reporting when compared to the OMB standards. These
commenters asked for clarification of the required use of aggregated
OMB standard values.
Response. We appreciate the support for Release 1.5. We note that
the CDC has issued an addendum to Release 1.5.\106\ The addendum
consolidates the IG information that clarifies the conformance
requirements, but does not specify additional substantive requirements.
The addendum also provides value set requirements, general
clarifications, and errata. The errata provides corrections to the
length, data type, data type descriptions, usage, cardinality and/or
value sets for various message elements, as well as corrections to, and
addition of, conformance statements where they were mistakenly omitted.
The addendum also includes clarifications to use of coding systems and
value sets, additional examples of sending multiple forecast
recommendations in a single message, usage of particular message
elements (including those in the ORC and RXA segments), and updates to
the value sets for patient eligibility status and vaccine funding
source. We believe that Release 1.5 and the addendum are important
components to advancing public health reporting and interoperability.
We, therefore, have adopted HL7 Version 2.5.1: Implementation Guide for
Immunization Messaging, Release 1.5 (October 1, 2014) and HL7 Version
2.5.1: Implementation Guide for Immunization Messaging, Release 1.5,
Addendum (July 2015) for the transmission to immunization requirement.
We clarify that to meet this criterion, health IT must comply with all
mandatory requirements of Release 1.5 and its addendum, which would
include the coding for race and ethnicity. The 2015 Edition
``demographics'' criterion and Common Clinical Data Set requirements
related to race and ethnicity are not implicated by this criterion.
---------------------------------------------------------------------------
\106\ http://www.cdc.gov/vaccines/programs/iis/technical-guidance/hl7.html.
---------------------------------------------------------------------------
National Drug Codes for Administered Vaccinations
We proposed to require for certification that a Health IT Module be
able to electronically create immunization information for electronic
transmission to immunization registries using NDC codes for vaccines
administered (i.e., the National Drug Code Directory--Vaccine Codes,
updates through January 15, 2015 \107\). For historical vaccines, we
proposed to continue the use of CVX codes and proposed to adopt the HL7
Standard Code Set CVX--Vaccines Administered, updates through February
2, 2015 \108\ as the baseline version for certification to the 2015
Edition.
---------------------------------------------------------------------------
\107\ http://www2a.cdc.gov/vaccines/iis/iisstandards/ndc_tableaccess.asp.
\108\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=cvx.
---------------------------------------------------------------------------
We solicited comment on whether we should allow use of NDC codes
for administered vaccines as an option for certification, but continue
to require CVX codes for administered vaccines for the 2015 Edition. We
also solicited comment on whether we should require CVX plus the HL7
Standard Code Set MVX--Manufacturers of Vaccines Code Set (October 30,
2014 version) \109\ as an alternative to NDC codes for administered
vaccines, and we sought feedback on the implementation burden for
health IT developers and health care providers related to requiring CVX
plus MVX codes versus NDC codes for administered vaccines.
---------------------------------------------------------------------------
\109\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=mvx.
---------------------------------------------------------------------------
Comments. The majority of commenters supported the use of NDC codes
for administered vaccines and CVX codes for historical vaccines.
Commenters stated that using NDC codes for administered vaccines is
valuable because NDC codes provide more granular data than CVX codes,
which can improve patient safety. Comments also stated that adopting
NDC for administered vaccines aligns with on-going industry efforts
related to vaccine data capture.
Some commenters suggested that mapping NDC codes to CVX could be
burdensome for health IT developers and immunization registries,
especially for a multiple component vaccine. Commenters noted that NDC
codes are subject to change and codes are added and changed more
frequently than CVX and MVX codes. Commenters further noted that the
reuse of NDC codes by FDA can present difficulties regarding the
transmission of immunization data using such codes. One commenter
requested clarification on when NDC and CVX codes are required and
noted the importance of clear requirements by states when NDC, CVX, or
both codes would be needed.
Response. We appreciate commenters support for the use of NDC codes
for administered vaccines and CVX codes for historical vaccines. For
the purposes of administered vaccines, when an immunization is reported
at the time it is administered and the actual product is known, the NDC
code must be sent. We clarify that for when sending historical vaccines
and the actual NDC code is not available, CVX codes can be
[[Page 62664]]
sent as this method would be supported by health IT certified to this
criterion. We understand the concerns regarding ensuring that the
appropriate amount of information is available for immunizations and
the concern regarding mapping between NDC and CVX for purposes of
reporting. Therefore, we finalize a criterion that supports one set of
codes to be used for administered vaccines at all times and another set
of codes to be used for historical vaccines at other times. Therefore,
we have adopted the August 17, 2015 version of the CVX code set as the
minimum standards code set for historical vaccines. For purposes of
administered vaccines, we have adopted the National Drug Codes (NDC)--
Vaccine NDC Linker, updates through August 17, 2015 as the minimum
standards code set. We refer readers to section III.A.2.c (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
minimum standards code sets and our decision to adopt these versions.
Immunization History and Forecast
We proposed that a Health IT Module would need to enable a user to
request, access, and display a patient's immunization history and
forecast from an immunization registry in accordance with Release 1.5.
We requested comment on whether we should include an immunization
history information reconciliation capability in this criterion and the
factors we should consider regarding the reconciliation of immunization
history information. We explained that we believe that bidirectional
exchange between health IT and immunization registries is important for
patient safety and improved care. Immunization registries can provide
information on a patient's immunization history to complement the data
in the health IT system. We noted that immunization registries also
provide immunization forecasting recommendations according to the
Advisory Committee on Immunization Practices (ACIP)'s recommendations.
This information allows for the provider to access the most complete
and up-to-date information on a patient's immunization history to
inform discussions about what vaccines a patient may need based on
nationally recommended immunization recommendations.
Comments. Many commenters recognized the benefit of bi-directional
data exchange to patient safety and population health, but some
commenters expressed concern. Commenters primarily expressed concern
that immunization registries were not ready for bi-directional data
exchange. Other commenters, however, noted that 28 Immunization
Information Systems (IIS) (which, according to the commenter,
represents about 52% of reporting systems) have notified the CDC of
their query capabilities in production today using HL7 2.5.1. The
commenter noted that the proportion would likely rise to near 100% by
2018. A few commenters questioned the utility of the ability to query a
state registry.
Many commenters also expressed concern regarding reconciliation of
forecasting data. One commenter noted that we should permit innovation
to occur by not prescribing the workflows related to reconciliation.
Another commenter noted that where bi-directional exchange is already
in production, several different workflows exist within health IT
products for reconciliation of immunization history.
Commenters expressed support for vaccine forecasting, but many
commenters also stated that incorporating a forecast from an
immunization registry into a health IT system could be difficult. Other
commenters noted that some products already have forecasting functions,
such as CDS functions for forecasting immunizations and, by association
with forecasting, more complete data for allergies and
contraindications.
Response. We have adopted the requirement for a Health IT Module to
enable a user to request, access, and display a patient's immunization
history and forecast from an immunization registry in accordance with
the Release 1.5 IG. We note that this criterion and its included
capabilities are designed and focused on health IT, such as EHRs. In
this regard, the goal is that health IT is certified to the criterion
and its included capabilities (e.g., the Release 1.5 IG). Providers who
adopt health IT certified to this criterion would then have the
capabilities to meet requirements under the EHR Incentive Programs or
query an IIS.
While we agree with commenters that some health IT (e.g., EHR
products) may sometimes have a version of the immunization history or a
version of the forecast that may differ from the immunization registry,
we still believe that it is important for an EHR to receive the history
and forecast from the registry. Based on compliance with the Release
1.5 IG, a user would be able to see and compare the forecast from the
certified health IT (e.g., EHR products) with the forecast from the
immunization registry. However, we note that this criterion does not
prescribe a particular workflow or reconciliation requirements.
Providers and health IT developers may reconcile forecast and history
information in a manner that best meets their needs for workflow and
patient safety.
Transmission to Public Health Agencies--Syndromic
Surveillance
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(2) (Transmission to public health agencies--syndromic
surveillance)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition certification criterion for
transmission of syndromic surveillance to public health agencies that
was revised in comparison to the 2014 Edition version (Sec.
170.314(f)(3)) for the inpatient setting. We noted, however, that this
proposed certification criterion is unchanged (for the purposes of gap
certification) for the ambulatory setting. Given the varied adoption of
methods for transmitting syndromic surveillance information to public
health agencies from ambulatory settings, we proposed to continue to
distinguish between ambulatory and emergency department, urgent care,
and inpatient settings.
Comments. Commenters expressed support for distinguishing
ambulatory settings from emergency department, urgent care and
inpatient settings, especially given the variations in data
requirements and readiness for data acceptance among the states. A
commenter also noted that the distinction was appropriate because
ambulatory systems are still evolving. Some commenters requested
clarification of exclusions, active engagement, and other requirements
to meet the syndromic surveillance measure under the EHR Incentive
Programs.
Response. We appreciate the support offered by commenters and agree
that it is appropriate to distinguish between settings. For questions
related to the EHR Incentive Programs, we refer readers to CMS and the
EHR Incentive Programs Stage 3 and Modifications final rule published
elsewhere in this issue of the Federal Register.
Emergency Department, Urgent Care, and Inpatient Settings
We proposed to adopt the PHIN Messaging Guide for Syndromic
Surveillance: Emergency Department, Urgent Care, Inpatient and
Ambulatory Care Settings, Release 2.0, September 2014 (``Release
2.0''), due to its improvements over previous versions.
Comments. The majority of commenters supported the proposed IG. One
commenter suggested that, due to state variability, a standard should
not
[[Page 62665]]
be referenced until at least 75% of states are committed to the use of
a common standard. Other comments noted that Release 2.0 is the
standard used by all states accepting hospital-based syndromic
surveillance data. A commenter suggested that laboratory information be
removed as required from the IG as states already collect this
information under electronic laboratory reporting. One commenter
suggested that there was a potential discrepancy between OMB value sets
for race and ethnicity and the CDC Race and Ethnicity referenced code
set in the IG. Another commenter asked for clarification of the
``message frequency requirement of syndromic messages,'' noting that
the requirements within Release 2.0 may be burdensome for health IT
developers. A commenter requested that certification include optional
data elements within the IG.
Response. We appreciate the overall support for this criterion and
the Release 2.0 IG. The CDC has recently published an updated version
of the IG (April 21, 2015) \110\ that reflects work to correct errors
and clarify ambiguities that were present in the proposed version
(dating back to Release 1.0) as well as provide missing information.
The CDC also recently published an addendum to the IG, titled ``Erratum
to the CDC PHIN 2.0 Implementation Guide, August 2015; Erratum to the
CDC PHIN 2.0 Messaging Guide, April 2015 Release for Syndromic
Surveillance: Emergency Department, Urgent Care, Inpatient and
Ambulatory Care Settings'' (``Erratum'').\111\ The Erratum consolidates
Release 2.0 information and clarifies existing conformance requirements
of the IG. For example, it specifies conformance statements and
conditional predicates that clarify message requirements. It also
specifies value set requirements, provides general clarifications, and
PHIN MG corrections. Overall, the April 21, 2015, updated version and
the addendum do not create additional substantive requirements in
comparison to Release 2.0. Rather, through the corrections,
clarifications, and additional information the IG will improve testing,
certification, implementation, and interoperability. Therefore, we have
adopted this criterion with both the April 21, 2015, updated version
and addendum.
---------------------------------------------------------------------------
\110\ http://www.cdc.gov/nssp/documents/guides/syndrsurvmessagguide2_messagingguide_phn.pdf.
\111\ http://www.cdc.gov/nssp/documents/guides/erratum-to-the-cdc-phin-2.0-implementation-guide-august-2015.pdf.
---------------------------------------------------------------------------
We believe that the additional IG requirements for laboratory
information are critical for public health as not all laboratory
information is reportable to public health through electronic
laboratory reporting. These additional data elements enable public
health jurisdictions to monitor the nation's public health. We also
clarify that the aggregated OMB value sets for race and ethnicity are
acceptable within Release 2.0. We decline to make the optional elements
of the IG required for certification as we believe that certification
to the IG as published appropriately supports the use case. We also
note that any IG instructions regarding the frequency of submission are
outside the scope of certification as certification focuses on the
technical capabilities of the Health IT Module presented for
certification.
Ambulatory Syndromic Surveillance
We proposed to permit, for ambulatory setting certification, the
use of any electronic means for sending syndromic surveillance data to
public health agencies as well as optional certification to certain
syndromic surveillance data elements. Due to the continued lack of
mature IGs, we proposed to provide the option for health IT to
electronically produce syndromic surveillance information that contains
patient demographics, provider specialty, provider address, problem
list, vital signs, laboratory results, procedures, medications, and
insurance.
Comments. Most commenters stated that the majority of public health
jurisdictions do not accept ambulatory syndromic surveillance data and
that the standards for ambulatory syndromic surveillance are not
mature. In particular, one commenter noted that syndromic surveillance
standards for ambulatory encounters remain ill-defined and derivative
of the inpatient standards. A few commenters stated that the
``flexibility'' in certification created burden on both providers and
health IT developers to develop and implement health IT to meet the
specified data elements without an established use case across public
health jurisdictions.
Response. With consideration of public comments, comments received
on a prior rulemaking (79 FR 54439-54441), and stakeholder feedback
through public health outreach, we have determined to not adopt
certification requirements for the ambulatory setting. Without mature
standards and the widespread acceptance of ambulatory syndromic
surveillance data across public health jurisdictions, sufficient reason
does not exist to justify certification to the proposed functionality.
To clarify, the PHIN 2.0 IG does support the urgent care ambulatory
setting and would be appropriate for use in that particular setting.
Transmission To Public Health Agencies--Reportable
Laboratory Tests and Values/Results
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(3) (Transmission to public health agencies--reportable
laboratory tests and values/results)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition certification criterion that
was revised in comparison to the 2014 Edition ``transmission of
reportable laboratory tests and values/results'' criterion (Sec.
170.314(f)(4)). We proposed to name this criterion ``transmission to
public health agencies--reportable laboratory tests and values/
results'' to clearly convey the capabilities included in this criterion
as they relate to the intended recipient of the data. We proposed to
include and adopt an updated IG, the HL7 Version 2.5.1 Implementation
Guide: Electronic Laboratory Reporting to Public Health, Release 2 (US
Realm), DSTU R1.1, 2014 or ``Release 2, DSTU R1.1'') that addresses
technical corrections and clarifications for interoperability with
laboratory orders and other laboratory domain implementation guides.
Given the improvements included in the updated IG (Release 2, DSTU
R1.1), we proposed to adopt it at Sec. 170.205(g)(2) and include it in
the 2015 Edition ``transmission of reportable laboratory tests and
values/results'' certification criterion at Sec. 170.315(f)(3). We
also proposed the September 2014 Release of the U.S. Edition of SNOMED
CT[supreg] and LOINC[supreg] version 2.50. We also proposed to make a
technical amendment to the regulation text for the 2014 Edition
criterion in order to have it continue to reference the appropriate
standard and implementation specifications \112\ after we restructured
the regulatory text hierarchy at Sec. 170.205(g) to accommodate our
2015 Edition proposal.
---------------------------------------------------------------------------
\112\ HL7 2.5.1 and HL7 Version 2.5.1: Implementation Guide:
Electronic Laboratory Reporting to Public Health, Release 1 with
Errata and Clarifications and ELR 2.5.1 Clarification Document for
EHR Technology Certification.
---------------------------------------------------------------------------
Comments. Most commenters supported the proposed criterion and
standards. A few commenters expressed concern with the proposed IG
related to use of OIDs, SPM-22 and SPM-24.
Response. We appreciate the expression of support for this
criterion and the proposed standards. We note, however, that the HL7
Public Health and Emergency Response Workgroup is currently working on
a newer version of
[[Page 62666]]
the proposed IG that harmonizes with the HL7 Laboratory Results
Interface (LRI) profiles. Harmonization with LRI will address the noted
concerns as well as ensure alignment across laboratory IGs, including
the LRI IG and the Laboratory Orders Interface (LOI) IG. This updated
IG is not yet complete and cannot be adopted at this time. With these
considerations, we do not believe it would be appropriate to adopt the
proposed IG as health IT developer and provider efforts to meet and
implement the requirements of the proposed IG would shortly be
superseded by the updated IG. Therefore, we have not adopted the
proposed IG. We have also not adopted the updated vocabulary standards
because without a newer IG, there is little benefit from having health
IT developers be tested and certified to updated vocabulary standards
for this particular use case.
We have adopted a 2015 Edition ``transmission to public health
agencies--reportable laboratory tests and values/results''
certification criterion that requires adherence to the same standards
as we referenced in the 2014 Edition ``transmission of reportable
laboratory tests and values/results'' criterion. Data from CDC and CMS
indicates that over 80% of hospitals are already in the process of
submitting electronic laboratory results using the previously adopted
standards (HL7 Version 2.5.1 Implementation Guide: Electronic
Laboratory Reporting to Public Health, Release 1 with Errata and
Clarifications, ELR 2.5.1 Clarification Document for EHR Technology
Certification, and versions of SNOMED CT[supreg] and LOINC[supreg]).
Our decision to adopt these same standards for the 2015 Edition
criterion will ensure continuity in reporting and reduce burden for
providers as well as health IT developers as this criterion is eligible
for gap certification. We will continue to monitor the development of
the updated IG and may consider proposing it for adoption through a
future rulemaking to give health IT developers and providers another
option to meet EHR Incentive Programs requirements for use of certified
health IT to meet public health objectives and measures.
Transmission To Cancer Registries
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(4) (Transmission to cancer registries)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``transmission to cancer
registries'' certification criterion that was revised in comparison to
the 2014 Edition ``transmission to cancer registries'' certification
criterion (Sec. 170.314(f)(6)). We proposed to adopt the HL7
Implementation Guide for CDA(copyright) Release 2: Reporting
to Public Health Cancer Registries from Ambulatory Healthcare Providers
Release 1 or ``HL7 Release 1 IG'') to address technical corrections and
clarifications for interoperability with EHRs and cancer registries, at
Sec. 170.205(i)(2). We proposed to include the September 2014 Release
of the U.S. Edition of SNOMED CT[supreg] and LOINC[supreg] version 2.50
in this criterion. We proposed to modify the 2014 Edition certification
criterion to reference Sec. 170.205(i)(1) to establish the regulatory
text hierarchy necessary to accommodate the standard and IG referenced
by the proposed 2015 Edition certification criterion.
Comments. The majority of commenters expressed support for this
criterion as proposed, including the HL7 Release 1 IG. Commenters
stated that the proposed IG would provide substantial improvements in
cancer reporting. Commenters also expressed support for incorporating
updated versions of SNOMED CT[supreg] and LOINC[supreg] in this
criterion as the vocabulary standards align with the IG requirements.
Some commenters suggested mapping the IG to the currently used North
American Association of Central Cancer Registries (NAACCR) format for
any new cited standards. A commenter contended there was contradictory
use of null values within the proposed IG. A few commenters expressed
general concern regarding a lack of standardization across public
health jurisdictions and registries to accept data according to
proposed public health standards.
Response. We appreciate the overall support for this criterion and
the HL7 Release 1 IG. The CDC recently published and updated version of
the IG (HL7 CDA[supreg] Release 2 Implementation Guide: Reporting to
Public Health Cancer Registries from Ambulatory Healthcare Providers,
Release 1; DSTU Release 1.1, U.S. Realm) \113\ (``Release 1.1.'').
Release 1.1 involves technical corrections to Release 1. No new content
has been included. The templates in the IG were versioned due to the
versioning of included templates (see the detailed section ``Changes
from Previous Version'' in Volume 2 of this guide for a detailed view
of these changes). The TNM Clinical Stage Observation was separated
into a nested series of smaller, easier to implement templates. To
note, the TNM Clinical Stage Observation template had grown into a
large, multi-level template that was difficult to implement and test.
Similar changes were made to the TNM Pathologic Stage Observation
template. Release 1.1 also addresses the contradictory use of
nullFlavor attributes. A final notable revision is a constraint in the
Cancer Diagnosis Observation that provided a choice between the TNM
Pathologic Stage Observation and a No Known TNM Pathologic Stage
Observation was replaced by a choice of standard constraints on the
same two templates. This revision results in both an easier to
understand specification and a simplified schematron file used for
validation.
---------------------------------------------------------------------------
\113\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=398.
---------------------------------------------------------------------------
We have adopted this criterion with the updated IG, Release 1.1
(both Volumes 1 and 2). Commenters were supportive of our overall
proposed approach and the proposed IG. As detailed above, Release 1.1
addresses errors, ambiguities, implementation issues, and commenters'
concerns. Therefore, the adoption of Release 1.1 will lead to improved
implementation and interoperability.
Mapping to the NAACCR format is not included in the IG because the
mapping rules are complex, and can change over time based on continued
input and refinement by the cancer registry community. It is our
understanding that the CDC will work closely with the cancer registry
community to develop mapping rules for the IG and will incorporate the
rules into the software tools CDC provides state cancer registries. In
regard to concerns expressed about jurisdictional variations, all
public health jurisdictions have all adopted the HL7 IG Release 1 for
cancer reporting and will be moving to the updated version published by
the CDC.
We have adopted a newer baseline versions of SNOMED CT[supreg]
(September 2015 Release of the U.S. Edition) and LOINC[supreg] (version
2.52) for the purposes of certification. We refer readers to section
III.A.2.c (``Minimum Standards'' Code Sets) for further discussion of
our adoption of minimum standards code sets and our decision to adopt
these versions.
Cancer Case Information
We did not propose a ``cancer case information'' criterion as part
of the 2015 Edition (80 FR 16854-855), but welcomed comments on this
approach.
Comments. Commenters expressed agreement with discontinuing the
``cancer case information'' certification criterion, with a commenter
noting the relevant data elements are already contained in the IG
referenced in the
[[Page 62667]]
2015 Edition ``transmission to cancer registries'' certification
criterion. A commenter asked for clarification as to whether the
discontinuation of this criterion affects the requirements of the
``transmission to cancer registries'' certification criterion and the
requirements of the IG.
Response. We thank commenters for their feedback and have not
adopted a ``cancer case information'' certification criterion. This
decision has no impact on the requirements of the 2015 Edition
``transmission to cancer registries'' certification criterion or the
requirements of the IG. Certification to the 2015 Edition
``transmission to cancer registries'' criterion requires a Health IT
Module to demonstrate that it can create a file with the necessary
cancer case information in accordance with the IG.
Transmission To Public Health Agencies--Electronic Case
Reporting
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(5) (Transmission to public health agencies--electronic
case reporting)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition ``transmission to public
health agencies--case reporting'' certification criterion, which would
support the electronic transmission of case reporting information to
public health agencies. We proposed to require a Health IT Module to be
able to electronically create case reporting information for electronic
transmission in accordance with the IHE Quality, Research, and Public
Health Technical Framework Supplement, Structured Data Capture, Trial
Implementation (September 5, 2014) standard. We noted that a Health IT
Module would need to demonstrate that it can create and send a
constrained transition of care document to a public health agency,
accept a URL in return, be able to direct end users to the URL, and
adhere to the security requirements for the transmission of this
information.
In addition, we requested comment on whether we should consider
adopting the HL7 FHIR Implementation Guide: SDC DSTU that would be
balloted in mid-2015 in place of, or together with, the IHE Quality,
Research, and Public Health Technical Framework Supplement.
Comments. Commenters expressed agreement on the importance of case
reporting for public health. Some commenters expressed no concerns with
the IHE profile, while others were unsure whether public health
agencies had been sufficiently involved in the creation of the IG to
warrant adoption in the 2015 Edition. The latter commenters stated that
the IG is primarily driven by clinical research requirements and has
not been adopted by the public health community. Some commenters
expressed concern with the potential use of the FHIR standard, stating
it is immature and requires piloting and initial deployments before it
can be adopted as a national standard. A commenter recommended that
case reporting remain as a public health reporting option for the EHR
Incentive Programs, but not be constrained by a requirement to use a
specific standard.
Response. We understand commenters' concerns with the current state
of standards available and the continual evolution of standards. We
also agree with commenters' suggestions that an appropriate approach
for this criterion would be to permit flexibility for case reporting by
not referencing a specific content exchange standard for certification
at this time.
We understand the industry is moving towards RESTful approaches and
considering FHIR for different exchange patterns, including case
reporting. To accommodate this evolution, we have not adopted the
proposed IHE profile as part of this certification criterion or another
exchange standard. We understand that there are certain functional
requirements that a Health IT Module would need to support to enable
electronic case reporting. Specifically, a Health IT Module would need
to support the ability to electronically: (1) Consume and maintain a
table of trigger codes to determine which encounters should initiate an
initial case report being sent to public health; (2) when a trigger is
matched, create and send an initial case report to public health; (3)
receive and display additional information, such as a ``notice of
reportability'' and data fields to be completed; and (4) submit a
completed form.
Public health agencies have, however, prioritized receiving the
initial electronic case report form, while building the infrastructure
to request supplemental data over time. Given the priority to receive
the initial case report form, we have adopted the following
functionality that supports the first two identified steps above. To
meet this certification criterion, a Health IT Module must be able to
(1) consume and maintain a table of trigger codes to determine which
encounters should initiate an initial case report being sent to public
health to determine reportability; and (2) when a trigger is matched,
create an initial case report that includes specific data (Common
Clinical Data Set; encounter diagnoses; provider name, office contact
information, and reason for visit, and an identifier representing the
row and version of the trigger table that triggered the case report).
The CCD template of the C-CDA Release 2.1 is currently the most
viable approach for achieving step (2) above. We note, however, that
the CDC and CSTE, with the HL7 Public Health and Emergency Response
Working Group, are currently developing C-CDA and FHIR IGs to specify
the data needed in the initial case report form and the data that would
be provided in the information returned to the provider. As standards
evolve, additional/supplemental data would likely be requested
electronically about cases for which public health has received an
initial case report that is deemed reportable. To support this
additional data reporting, the future might include a FHIR-based
approach that could utilize the FHIR Structured Data Capture (SDC) IG.
Therefore, we believe this overall initial certification approach
establishes necessary flexibility within the ONC Health IT
Certification Program related to electronic case reporting in that as
technical approaches evolve to accomplish electronic case reporting
they can be certified. In the future, we may be able to consider a
specific standard for certification through rulemaking.
We note that we have inserted ``electronic'' in the criterion name
to emphasize the evolution of case reporting and the importance of
electronic case reporting.
Comments. Many commenters expressed concern around the burden of
connecting to multiple jurisdictions. One commenter noted a typical
practice may be required to report in three different states using
entirely different technologies, standards, and processes. The
commenter recommended that the public health community develop a single
reporting hub where all reports are submitted using the same
technologies, standards, and processes. A couple of commenter suggested
the use of a centralized platform or intermediary, which could
streamline connectivity and reduce jurisdictional variability.
Response. We agree with commenters that a common public health
interface or intermediary would reduce the burden on health IT
developers and state and local public health agencies. The CDC and the
public health community have made an investment in a centralized
approach for receipt of electronic case reports. The CDC will identify
a test harness and tool for all the functional requirements described
[[Page 62668]]
above. Additionally, as the CDC and public health approach matures to
include other interfaces, the CDC will continue to monitor the
development of standards to support these functional requirements. As
noted above, this may lead to future rulemaking for the certification
of electronic case reporting.
Comments. Many commenters identified a difference in the
description of case reporting between the Proposed Rule and the EHR
Incentive Programs Stage 3 proposed rule. In particular, a commenter
compared the examples given for the Structured Data Capture standard
proposed for case reporting in the Proposed Rule with the description
of case reporting provided in the EHR Incentive Programs Stage 3
proposed rule, which focused on submitting information about reportable
conditions to monitor disease outbreaks.
Response. The examples in the Proposed Rule of birth reports and
other public health reporting were not examples of electronic case
reporting. The examples were meant to illustrate how other public
health domains have accomplished public health reporting through the
use of the IHE RFD profile, upon which the IHE SDC profile proposed for
adoption is based.
Transmission To Public Health Agencies--Antimicrobial Use
And Resistance Reporting
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(6) (Transmission to public health agencies--
antimicrobial use and resistance reporting)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition certification criterion
that would require a Health IT Module to be able to electronically
create antimicrobial use and resistance reporting information for
electronic transmission in accordance with specific sections of the HL7
Implementation Guide for CDA[supreg] Release 2--Level 3: Healthcare
Associated Infection Reports, Release 1, U.S. Realm (August 2013)
(``HAI IG''). We explained that collection and analysis of data on
antimicrobial use and antimicrobial resistance are important components
of antimicrobial stewardship programs throughout the nation and
electronic submission of antimicrobial use and antimicrobial resistance
data to a public health registry can promote timely, accurate, and
complete reporting, particularly if data is extracted from health IT
systems and delivered using well established data exchange standards to
a public health registry.
We proposed to test and certify a Health IT Module for conformance
with the following sections of the IG in Sec. 170.205(r)(1): HAI
Antimicrobial Use and Resistance (AUR) Antimicrobial Resistance Option
(ARO) Report (Numerator) specific document template in Section 2.1.2.1
(pages 69-72); Antimicrobial Resistance Option (ARO) Summary Report
(Denominator) specific document template in Section 2.1.1.1 (pages 54-
56); and Antimicrobial Use (AUP) Summary Report (Numerator and
Denominator) specific document template in Section 2.1.1.2 (pages 56-
58). We explained that we would expect a Health IT Module presented for
certification to this criterion to conform to all named constraints
within the specified document template.
Comments. Most commenters expressed support for the adoption the
proposed certification criterion and the included standard. A commenter
stated that data on antimicrobial use and antimicrobial resistance are
essential components of antimicrobial stewardship programs throughout
the nation and is a highlight of the National Action Plan for Combating
Antibiotic Resistant Bacteria. Another commenter stated that the data
elements for antimicrobial use and resistance reporting are positive
steps to help guide public health activities. Commenters also stated
that the proposed criterion and standard would bolster the CDC's
National Healthcare Safety Network (NHSN) effort to develop coherent
policies to fight antibiotic resistance through the reporting of
standardized data about antibiotic use and resistance.
A commenter expressed concern about the pace and volume of changes
between versions of the standard, the burden on health IT developers
related to the timing of deployments, and that NHSN does not accept
data submitted using prior versions. Another commenter expressed
concern about state variations that are not addressed by this
criterion, suggesting that the criterion and standard not be adopted
until at least 75% of public health agencies are committed to adopting
this standard.
A commenter stated that there were inconsistences in the EHR
Incentive Programs Stage 3 proposed rule related to this criterion
regarding the standards available as well as a reference to meeting the
measure four times. Another commenter suggested that the associated
proposed measure under Stage 3 should be limited to eligible hospitals
and CAHs (not EPs).
Response. We appreciate the overall support for this criterion and
the IG. We have adopted this criterion as proposed (with both Volumes 1
and 2 of the HAI IG). We intend to work with federal partners, such as
the CDC, to eliminate or reduce any negative impacts on health IT
developers resulting from the frequency of reporting changes or the
manner in which changes are implemented in the associated program. We
note that certification to the adopted version of the standard is what
is necessary to meet the CEHRT definition under the EHR Incentive
Programs. In regard to the concern about state variations, this data
will only be collected by the CDC at the national level. The CDC is the
only public health agency that needs to be able to receive these
surveys electronically, which it is capable of doing. The use of a
national interface for receipt avoids the problems associated with
jurisdictional variation.
For concerns and questions related to the EHR Incentive Programs,
we refer readers to CMS and the EHR Incentive Programs Stage 3 and
Modifications final rule published elsewhere in this issue of the
Federal Register.
Transmission To Public Health Agencies--Health Care
Surveys
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(f)(7) (Transmission to public health agencies--health
care surveys)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition certification criterion for
transmission of health care surveys to public health agencies that
would require a Health IT Module to be able to create health care
survey information for electronic transmission in accordance with the
HL7 Implementation Guide for CDA[supreg] Release 2: National Health
Care Surveys (NHCS), Release 1--US Realm, Draft Standard for Trial Use
(December 2014). \114\ We explained that the National Ambulatory
Medical Care Survey (NAMCS) is a national survey designed to meet the
need for objective, reliable information about the provision and use of
ambulatory medical care services in the U.S. We also explained that the
National Hospital Ambulatory Medical Care Survey (NHAMCS) is designed
to collect data on the utilization and provision of ambulatory care
services in hospital emergency and outpatient departments. We clarified
that the proposed IG is intended for the transmission of survey data
for both the NAMCS (e.g., for ambulatory medical care settings) and
NHAMCS (e.g., for hospital ambulatory settings including
[[Page 62669]]
emergency departments and outpatient departments). We noted that
templates included in the IG align with the C-CDA standard.
Additionally, we noted that the templates in the IG expand on the scope
of the original NAMCS and NHAMCS survey data elements. The templates do
not constrain the data collected to the narrow lists on the survey
instruments; rather they allow any service, procedure or diagnosis that
has been recorded.
---------------------------------------------------------------------------
\114\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=385 .
---------------------------------------------------------------------------
Commenters. Commenters overwhelmingly supported the certification
criterion and the use of the NHCS IG. Commenters expressed support for
the continued effort to advance use of health care surveys as a means
of improving patient outcomes. Commenters also expressed support for
the specified data elements in the IG. One commenter, however,
questioned the maturity of the standard and its adoption for
certification at this time. Commenters requested clarification (and
confirmation) on the surveys that must be supported for the purposes of
certification. In particular, a commenter noted that it was not unclear
whether the NAMCS and NHAMCS are the only surveys covered for
certification.
A commenter requested information on the number of public health
agencies that can electronically accept data in accordance with the IG.
Response. We appreciate the overall support for this criterion and
the IG. We have adopted this criterion as proposed. While we understand
the concerns that this standard may not be fully mature, the IG has
gone through the HL7 balloting process and is currently a Draft
Standard for Trial Use, which is no different than other standards in
use today and adopted as part of the 2015 Edition. Further, the CDC has
been working with providers to submit this data electronically using
these surveys prior to this rulemaking. As such, we believe that the IG
is mature enough for widespread adoption.
We clarify that, as proposed, certification would cover the entire
NHCS IG. The NHCS IG consists of the National Hospital Care Survey,
NHAMCS, and NAMCS. In the Proposed Rule, we focused on clarifying that
the NHAMCS and NAMCS were included in the IG and the changes in the
surveys as compared to past versions. However, all three surveys are
covered by the NHCS IG and will be covered as part of testing and
certification.
All public health agencies may not be able to receive this data
electronically and that variability across jurisdictions could be
problematic. However, this data will only be collected by the CDC at
the national level. The CDC is the only public health agency that needs
to be able to receive these surveys electronically, which it is capable
of doing. The use of a national interface for receipt avoids the
problems associated with jurisdictional variation.
Automated Numerator Recording
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(1) (Automated numerator recording)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``automated numerator
recording'' certification criterion that was unchanged in comparison to
the 2014 Edition ``automated numerator recording'' criterion. We noted
that the test procedure for this criterion would be different from the
2014 Edition ``automated numerator recording'' certification criterion
in order to remain consistent with the applicable objectives and
measures required under the EHR Incentive Programs.
Comments. We received mixed comments in response to the proposal. A
number of commenters supported this criterion as proposed. A few
commenters stated that this criterion has been burdensome and
complicated as its implementation has led to interruptions in provider
workflows solely for the purposes of reporting on measures under the
EHR Incentive Programs. These commenters further contended that such
data collection was unrelated to improving patient care. A commenter
suggested that we ensure that the terminology used in the test
procedures aligns with that used for the measures under the EHR
Incentive Programs. Another commenter suggested that this criterion
should be gap certification eligible if the associated EHR Incentive
Programs measure has not changed from Stage 2.
Response. We have adopted this criterion as proposed. This
criterion is included in the CEHRT definition under the EHR Incentive
Programs. This certification criterion could ease the burden of
reporting particularly for small providers and hospitals (77 FR 54184).
We will work to ensure consistency with the test procedure and the
measures under the EHR Incentive Programs. As stated in the 2015
Edition proposed rule (FR 80 16868), this certification criterion's gap
certification eligibility is ``fact-specific'' and depends on any
modifications made to the specific certification criteria to which this
criterion applies. As mentioned above and in the Proposed Rule, it
would also depend on changes to the test procedure that are made to
align with applicable objectives and measures under the EHR Incentive
Programs.
We have changed the term ``meaningful use'' to ``EHR Incentive
Programs'' and removed ``objective with a'' in the first sentence of
the criterion to more clearly align with the terminology and framework
used under the EHR Incentive Programs.
Automated Measure Calculation
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(2) (Automated measure calculation)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``automated measure
calculation'' certification criterion that was unchanged in comparison
to the 2014 Edition ``automated measure calculation'' criterion. We
proposed to apply the guidance provided for the 2014 Edition
``automated measure calculation'' certification criterion in the 2014
Edition final rule that a Health IT Module must be able to support all
CMS-acceptable approaches for measuring a numerator and denominator in
order for the Health IT Module to meet the proposed 2015 Edition
``automated measure calculation'' certification criterion.\115\ We also
proposed that the interpretation of the 2014 Edition ``automated
measure calculation'' certification criterion in FAQ 32 \116\ would
apply to the 2015 Edition ``automated measure calculation''
certification criterion. We also noted that the test procedure for this
criterion would be different from the 2014 Edition ``automated measure
calculation'' certification criterion in order to remain consistent
with the applicable objectives and measures required under the EHR
Incentive Programs.
---------------------------------------------------------------------------
\115\ 77 FR 54244-54245.
\116\ http://www.healthit.gov/policy-researchers-implementers/32-question-11-12-032.
---------------------------------------------------------------------------
Comments. We received mixed comments in response to our proposal.
One commenter noted that this criterion and included functionality has
value for helping providers understand their quality outcomes and
performance on certain EHR Incentive Programs measures. A few
commenters stated that this criterion has been burdensome and
complicated as its implementation has led to interruptions in provider
workflows solely for the purposes of reporting on measures under the
EHR Incentive Programs. These commenters further contended that such
data collection was unrelated to improving patient care.
[[Page 62670]]
Commenters were generally supportive of applying the guidance
provided in the 2014 Edition final rule (77 FR 54244-54245) and the
guidance in FAQ 32 to the 2015 Edition criterion. One commenter
suggested that this criterion should be gap certification eligible if
the associated EHR Incentive Programs measure has not changed from
Stage 2. This commenter recommended that ONC provide revised draft test
procedures for this criterion for public comment prior to the release
of the final rule.
Response. We have adopted this criterion as proposed. This
criterion is included in the CEHRT definition under the EHR Incentive
Programs. This certification criterion could improve the accuracy of
measure calculations to reduce reporting burdens for EPs, eligible
hospitals, and CAHs (77 FR 54244). We will apply the guidance in the
2014 Edition final rule and FAQ 32 to this criterion.
As stated in the 2015 Edition proposed rule (FR 80 16868), this
certification criterion's gap certification eligibility is ``fact-
specific'' and depends on any modifications made to the specific
certification criteria to which this criterion applies. As mentioned
above and in the Proposed Rule, it would also depend on changes to the
test procedure that are made to align with applicable objectives and
measures under the EHR Incentive Programs. We note that draft test
procedures for the 2015 Edition were released with the publication of
the Proposed Rule \117\ and were open for public comment from March 20,
2015, to June 30, 2015. Revised draft final test procedures will be
made available after publication of this final rule for public review
and comment.
---------------------------------------------------------------------------
\117\ http://healthit.gov/policy-researchers-implementers/2015-edition-draft-test-procedures.
---------------------------------------------------------------------------
We have changed the first use of the term ``meaningful use'' to
``EHR Incentive Programs'' and removed its second use in the criterion.
We have also removed the phrase ``objective with a.'' We have made
these revisions to more clearly align with the terminology and
framework used under the EHR Incentive Programs.
Safety-Enhanced Design
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(3) (Safety-enhanced design)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``safety-enhanced design''
(SED) certification criterion that was revised in comparison to the
2014 Edition ``safety-enhanced design'' criterion. We proposed to
include seventeen (17) certification criteria (seven new) in the 2015
Edition SED certification criterion (80 FR 16857), and for each of the
referenced certification criteria and their corresponding capabilities
presented for certification, we proposed to require that user-centered
design (UCD) processes must have been applied in order satisfy this
certification criterion. We stated we intend to continue submission of
summative usability test results to promote transparency and foster
health IT developer competition, spur innovation, and enhance patient
safety. With this in mind, we sought comment on whether there are other
certification criteria that we omitted from the proposed SED criterion
that commenters believe should be included.
Comments. Comments generally supported the proposed SED criterion,
but questioned the number of certification criteria included. Some
commenters questioned rationale for adding the new criteria and the
carryover inclusion of the ``drug-drug, drug-allergy interaction checks
for CPOE'' criterion, while other commenters generally questioned
whether this criterion has contributed to improving usability or
patient safety. A few commenters suggested that this criterion only
apply to criteria that involve tasks performed by clinical users. A
couple of commenters expressed concern about the additional burden the
new criteria presented.
Response. We thank commenters for their feedback. We have adopted
the proposed SED with revisions and clarifications. We note that 5
criteria proposed for inclusion in the SED criterion have not been
adopted as part of the 2015 Edition. These criteria are: ``vital
signs,'' ``eMAR,'' ``incorporate laboratory tests/results,'' and both
``decision support'' criteria. Consequently, these criteria cannot be
included in the SED criterion and, therefore, there is only a net
increase of two criteria subject to the SED criterion. We do not
believe this will create a significant burden for health IT developers
and note that many developers have had their products certified to the
2014 Edition versions of the criteria included in the 2015 SED
criterion and the 2014 Edition SED criterion. The criteria included in
the 2015 Edition SED criterion are as follows (emphasis added for the
new criteria):
Section 170.315(a)(1) Computerized provider order entry--
medications
Section 170.315(a)(2) Computerized provider order entry--
laboratory
Section 170.315(a)(3) Computerized provider order entry--
diagnostic imaging
Section 170.315(a)(4) Drug-drug, drug-allergy interaction
checks
Section 170.315(a)(5) Demographics
Section 170.315(a)(6) Problem list
Section 170.315(a)(7) Medication list
Section 170.315(a)(8) Medication allergy list
Section 170.315(a)(9) Clinical decision support
Section 170.315(a)(14) Implantable device list
Section 170.315(b)(2) Clinical information reconciliation and
incorporation
Section 170.315(b)(3) Electronic prescribing
We believe the inclusion of criteria such as ``demographics,''
``implantable device list,'' ``drug-drug, drug-allergy interaction
checks for CPOE,'' and ``CDS'' are appropriate because data entry
errors and poor user interfaces for responding to alerts and
interventions can compromise patient safety. While we do not have
empirical data related to the ``effectiveness'' of the SED criterion,
we believe that our approach contributes to improving usability and
patient safety through both the application of the SED criterion's
requirements to a significant number of health technologies being used
in the market today and in the future as well as through the SED
information being available on the CHPL for stakeholder review and
evaluation.
NISTIR 7742 Submission Requirements, New Requirements and Compliance
Guidance
We proposed to include the specific information from the NISTIR
7742 ``Customized Common Industry Format Template for Electronic Health
Record Usability Testing'' (NIST 7742) \118\ in the regulation text of
the 2015 Edition SED criterion to provide more clarity and specificity
on the information requested in order to demonstrate compliance with
this certification criterion. We reiterated that the information must
be submitted for each and every one of the criteria specified in the
2015 Edition SED criterion to become part of the test results publicly
available on the Certified Health IT Product List (CHPL). We specified
that all of the data elements and sections must be completed, including
``major findings'' and ``areas for improvement.''
---------------------------------------------------------------------------
\118\ http://www.nist.gov/manuscript-publication-search.cfm?pub_id=907312.
---------------------------------------------------------------------------
We identified the table on page 11 of NISTIR 7742 for the
submission of demographic characteristics of the test
[[Page 62671]]
participants because it is important that the test participant
characteristics reflect the audience of current and future users. In
accordance with NISTIR 7804 (page 8),\119\ we recommended that the test
scenarios be based upon an analysis of critical use risks for patient
safety, which can be mitigated or eliminated by improvements to the
user interface design.
---------------------------------------------------------------------------
\119\ http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909701.
---------------------------------------------------------------------------
We strongly advised health IT developers to select an industry
standard process because compliance with this certification criterion
requires submission of the name, description, and citation (URL and/or
publication citation) of the process that was selected, and we provided
examples of method(s) that could be employed for UCD, including ISO
9241-11, ISO 13407, ISO 16982, ISO/IEC 62366, ISO 9241-210 and NISTIR
7741. We explained that, in the event that a health IT developer
selects a UCD process that was not an industry standard (i.e., not
developed by a voluntary consensus standards organization), but is
based on one or more industry standard processes, the developer may
name the process(es) and provide an outline of the process in addition
to a short description as well as an explanation of the reason(s) why
use of any of the existing UCD standards was impractical. We also noted
that health IT developers can perform many iterations of the usability
testing, but the submission that is ultimately provided for summative
usability testing and certification must be an expression of a final
iteration, and the test scenarios used would need to be submitted as
part of the test results. We noted that we do not expect developers to
include trade secrets or proprietary information in the test results.
Comments. Commenters expressed appreciation for the clarity the
proposed 2015 Edition SED criterion provided in terms of requirements.
Some commenters agreed with including major findings and areas for
improvement sections in the summative testing documentation, while
other commenters did not support the public reporting of major findings
and areas for improvement because they argued that the information is
usually meant to inform the developer.
Many commenters expressed concern on the proposed limitation for
measuring user satisfaction. Commenters mentioned that user
satisfaction ratings are often now based on non-standard surveying
processes. Commenters suggested that we not solely rely on task-based
satisfaction measures and consider post-session satisfaction measures.
Commenters suggested that we use industry standard, literature-
recognized satisfaction measures such as the Single Ease-of-use
Question, System Usability Scale, or Software Usability Measurement
Inventory.
Response. We thank commenters for their feedback. We have finalized
our proposed requirements with one revision. In response to comments,
we now also permit the submission of an alternative acceptable user
satisfaction measure to meet the requirements of this criterion. Stated
another way, a health IT developer could meet the proposed NIST 7742
based approach for user satisfaction or provide documentation of an
alternative acceptable user satisfaction measure. We will take into
consideration the other user satisfaction measures identified by
commenters in the development and finalization of the 2015 SED test
procedures and related guidance for complying with this criterion and
particularly the user satisfaction measure.
Number of Test Participants
We recommended following NISTIR 7804 \120\ ``Technical Evaluation,
Testing, and Validation of the Usability of Electronic Health Records''
for human factors validation testing of the final product to be
certified, and recommended a minimum of 15 representative test
participants for each category of anticipated clinical end users who
conduct critical tasks where the user interface design could impact
patient safety (e.g., physicians, nurse practitioners, physician
assistants, nurses, etc.) and who are not include employees of the
developer company. We additionally requested comment on whether we
should establish a minimum number(s) and user cohort(s) for test
participants for the purposes of testing and certification to the 2015
Edition under the ONC Health IT Certification Program.
---------------------------------------------------------------------------
\120\ http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909701.
---------------------------------------------------------------------------
Comments. We received a large number of comments in response to
this request for comment with the majority of commenters advocating for
a required minimum number of test participants and some commenters
advocating for established user cohorts per capability. Commenters
strongly stated that establishing a minimum number of participants
would allow for proper validation of testing results. Many commenters
advocated for a minimum of 12 or 15 participants. Another large
contingent of commenters advocated for 10 participants. A few
commenters suggested that the number of test participants should remain
as guidance. A few commenters also stated that a high participant
threshold could be burdensome to small developers.
Commenters generally recommended that cohorts should be consistent
with the capability under testing. Some commenters stated, for example,
that clinicians would not be appropriate for a more administrative
capability such as recording demographics. Commenters gave mixed
responses on whether this described approach should be required or
simply guidance.
Response. As a general matter, the more users tested, the more
likely developers will be able to identify and remedy design flaws. To
this point, research suggests that ``with ten participants, 80 percent
of the problems are found whereas 95 percent of the problems are found
with twenty participants.'' \121\ For the purposes of this final rule,
we have adopted a provision as part of this criterion that requires 10
participants per criterion/capability as a mandatory minimum for the
purposes of testing and certification. We believe this minimum is
responsive to commenters and will ensure more reliable summative
testing results. We also believe this number will balance any potential
burden for health IT developers, including small developers. However,
we strongly encourage health IT developers to exceed the mandatory
minimum in an effort to identify and resolve more problems.
---------------------------------------------------------------------------
\121\ Pg. 42. NISTIR 7804 Technical Evaluation, Testing, and
Validation of the Usability of Electronic Health Records http://www.nist.gov/healthcare/usability/upload/EUP_WERB_Version_2_23_12-Final-2.pdf
---------------------------------------------------------------------------
We agree with commenters that cohorts should not be limited to
clinicians but instead consist of test participants with the occupation
and experience that aligns with the capability under testing. We
believe, however, that it would be too restrictive and complicated to
establish cohort requirements per criterion. Instead, we continue to
recommend that health IT developers follow NISTIR 7804 for human
factors validation testing of the final product to be certified. We
will also work with NIST to provide further guidance as needed.
Request for Comment on Summative and Formative Testing
We requested comment regarding options that we might consider in
addition to--or as alternatives to--summative testing. We asked whether
a standardized report of formative testing
[[Page 62672]]
could be submitted for one or more of the 17 proposed certification
criteria for which summative testing would be required, if formative
testing reflected a thorough process that has tested and improved the
usability of a product. Additionally, we asked for feedback on the
requirements for such a formative testing report and on how purchasers
would evaluate these reports.
Comments. Commenters acknowledged the benefits of formative
testing, with some noting that it can act as a risk management process
before getting to summative testing. The majority of the commenters,
however, were against formative testing as an alternative to summative
testing. One commenter stated that one of the main objectives for the
SED criterion is to allow purchasers and consumers to compare competing
products on the quality of human interaction and usability. The
commenter contended that test results are therefore publicly available
for this purpose on the Certified Health IT Product List (CHPL). The
commenter maintained that this essential function cannot be fulfilled,
however, with the results of formative testing as they cannot be
compared across products but only between the iterations of a single
product. The commenter noted, as other commenters did, that formative
tests are intended to identify problems rather than produce measures. A
few commenters suggested that we require both summative and formative
testing, while a few other commenters suggested formative testing was
not reliable or useful.
Response. We thank commenters for their insightful feedback. We
agree with the commenters that see value in formative testing, but we
also agree with the commenters that contend it should not be a
substitute for summative testing for the purposes of this criterion.
With this in mind and consideration of the potential burden imposed by
requiring both summative and formative testing, we have decided to
retain summative testing requirements and not adopt formative testing
requirements.
Retesting and Certification
We stated that we believe that ONC-ACB determinations related to
the ongoing applicability of the SED certification criterion to
certified health IT for the purposes of inherited certified status
(Sec. 170.550(h)), adaptations and other updates would be based on the
extent of changes to user-interface aspects of one or more capabilities
to which UCD had previously been applied. We specified that ONC-ACBs
should be notified when applicable changes to user-interface aspects
occur, and we included these types of changes in our proposal to
address adaptations and updates under the ONC-ACB Principles of Proper
Conduct (Sec. 170.523).
We discuss the comments received on this proposal and our response
under section IV.D.6 of this preamble.
Quality Management System
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(4) (Quality management system)
------------------------------------------------------------------------
We proposed to adopt a 2015 Edition ``quality management system''
certification criterion that was revised in comparison to the 2014
Edition and proposed that all Health IT Modules certified to the 2015
Edition would need to be certified to the 2015 Edition QMS criterion
``quality management system'' criterion. We proposed to require the
identification of the Quality Management System (QMS) used in the
development, testing, implementation, and maintenance of capabilities
certified under the ONC Health IT Certification Program. We specified
that the identified QMS must be compliant with a quality management
system established by the federal government or a standards developing
organization; or mapped to one or more quality management systems
established by the federal government or standards developing
organization(s). We stated that we will not permit health IT to be
certified that has not been subject to a QMS and that we will require
health IT developers to either use a recognized QMS or illustrate how
the QMS they used maps to one or more QMS established by the federal
government or a standards developing organization(s) (SDOs). We
explained that we encourage health IT developers to choose an
established QMS, however, developers may also use either a modified
version of an established QMS, or an entirely ``home grown'' QMS. In
cases where a health IT developer does not use a QMS established by the
federal government or an SDO, we proposed to require the health IT
developers illustrate how their QMS maps to one or more QMS established
by the federal government or SDO through documentation and explanation
that links the components of their QMS to an established QMS and
identifies any gaps in their QMS as compared to an established QMS. We
added that documentation of the current status of QMS in a health IT
development organization would be sufficient. We also provided a list
of QMS standards established by the federal government and SDOs (80 FR
16858).
Comments. The majority of commenters supported the proposed
criterion and its approach, with broad support across health IT
developers, providers, and consumers. A commenter questioned whether we
provided the appropriate example standards, citing ISO 14971 as a risk-
management standard for medical devices and not a QMS standard. Other
commenters stated that the identified standards were too focused on
medical devices. A few commenters indicated that other standards and
processes should be considered as acceptable means for meeting this
criterion. These commenters specifically mentioned ISO 12207, IEEE 730,
IEEE 1012, ISO 14764, ISO 80001, the health IT QMS standards under
development through the Association for the Advancement of Medical
Instrumentation (AAMI), and the accreditation process software quality
systems run by the Capability Maturity Model Integration Institute
(CMMI). A few commenters expressed concern that it would be burdensome
to map an internal QMS to one or more QMS established by the federal
government or SDO, including more burdensome on small health IT
developers.
A few commenters requested clarifications. A commenter noted that
health IT developers use agile software development practices and
requested clarification if these processes would be sufficient for
certification. A commenter asked how this criterion would apply to a
self-developer or open source software. A couple of commenters asked
how Health IT Modules would be evaluated against this criterion,
including what type of documentation would be required for mapping and
whether a documented combined QMS approach for the entire Health IT
Module would be sufficient in lieu of a capability by capability
identification.
Response. We thank commenters for their feedback and support. We
have adopted this criterion as proposed with further clarification in
response to comments. We note that this criterion applies to any health
IT presented for certification to the 2015 Edition, including self-
developed and open source software that is part of the Health IT Module
because one of the goals of this criterion is to improve patient safety
through QMS.
We expect that ONC-ACBs will certify health IT to this criterion in
the same manner as they certify health IT to the 2014 Edition QMS
criterion, but accounting for any differences that are finalized
through the 2015 Edition ACD
[[Page 62673]]
test procedure. To this point, we have removed the term ``compliant''
from the provision requiring identification of a QMS compliant with a
quality management system established by the federal government or a
standards developing organization. Similar to the mapping provision,
the focus and intent of the provision (and the criterion as a whole) is
the identification of the QMS, not a determination of compliance by the
ONC-ACB. We note that the identification of a single QMS is permitted
for a Health IT Module, which is consistent with testing and
certification to the 2014 Edition QMS certification criterion.
As noted in the 2014 Edition final rule (77 FR 54191), we agree
that existing standards may not explicitly state support for agile
development methodologies and that such methods may be part of an
optimal QMS. As such, documented agile development methodologies may be
used in meeting the mapping provision of this criterion. We will issue
further compliance guidance as necessary, including through the 2015
Edition QMS test procedure. This guidance will include updated
identification of QMS standards and more specification of documentation
requirements necessary to meet this criterion. Overall, we do not
believe this criterion presents a significant burden as many health IT
products have been previously certified to the 2014 Edition QMS
criterion and most, if not all, developers (with previously certified
products or not) should have QMS documentation readily available for
their health IT products as a standard practice.
Accessibility-Centered Design
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(5) (Accessibility-centered design)
------------------------------------------------------------------------
We proposed to adopt a new 2015 Edition ``accessibility-centered
design'' certification criterion that would apply to all Health IT
Modules certified to the 2015 Edition and require the identification of
user-centered design standard(s) or laws for accessibility that were
applied, or complied with, in the development of specific capabilities
included in a Health IT Module or, alternatively, the lack of such
application or compliance.
We proposed to require that for each capability that a Health IT
Module includes and for which that capability's certification is
sought, the use of a health IT accessibility-centered design standard
or compliance with a health IT accessibility law in the development,
testing, implementation, and maintenance of that capability must be
identified. Further, we proposed to permit that a health IT developer
could document that no health IT accessibility-centered design standard
or law was applied to the health IT's applicable capabilities as an
acceptable means of satisfying this proposed certification criterion.
We added that the method(s) used to meet this proposed criterion would
be reported through the open data CHPL. We solicited comment on whether
the standards and laws identified in the Proposed Rule were appropriate
examples and whether we should limit the certification criteria to
which this criterion would apply.
We explained that the proposed certification criterion would serve
to increase transparency around the application of user-centered design
standards for accessibility to health IT and the compliance of health
IT with accessibility laws. We stated that this transparency would
benefit health care providers, consumers, governments, and other
stakeholders, and would encourage health IT developers to pursue the
application of more accessibility standards and laws in product
development that could lead to improved usability for health care
providers with disabilities and health care outcomes for patients with
disabilities.
We also proposed to revise Sec. 170.550 to require ONC-ACBs follow
this proposed approach and referred readers to section IV.C.2 of the
Proposed Rule's preamble for this proposal.
Comments. The vast majority of commenters supported the proposed
criterion and its approach, with broad support across health IT
developers, providers, and consumers. One commenter suggested that we
narrow the list of example standards to those that have the widest
applicability to EHRs. Another commenter suggested that the focus
should be on more accessibility-centered standards such as ISO 9241-20
(2008) ``Ergonomics of Human-System Interaction--Part 20: Accessibility
guidelines for information/communication technology (ICT) equipment and
services,'' ISO 9241-171 (2008) ``Ergonomics of Human-System
Interaction--Part 171: Guidance on software accessibility,'' Section
508 of the Rehabilitation Act, and Section 504 of the Rehabilitation
Act. A few commenters suggested that this criterion would have a
significant development burden for health IT developers. One commenter
requested clarification on how testing and certification will be
conducted.
Response. We thank commenters for their feedback. We have adopted
this criterion as proposed. We will work with our federal partners
(e.g., NIST, Administration for Community Living and Aging Policy, and
the HHS Office for Civil Rights) and consider comments on the final
test procedure for this criterion in providing more precise
identification and guidance on accessibility-centered standards and
laws. We believe this criterion poses minimal burden on health IT
developers as it only requires health IT developers to identify
relevant standards or laws; and, alternatively, permits a health IT
developer to state that its health IT product presented for
certification does not meet any accessibility-centered design standards
or any accessibility laws. That said, as noted above, we remind health
IT developers and providers that the existence of an option to certify
that health IT products do not meet any accessibility design standards
or comply with any accessibility laws does not exempt them from their
independent obligations under applicable federal civil rights laws,
including Section 504 of the Rehabilitation Act, Section 1557 of the
Affordable Care Act, and the Americans with Disabilities Act that
require covered entities to provide individuals with disabilities equal
access to information and appropriate auxiliary aids and services as
provided in the applicable statutes and regulations.
We expect that ONC-ACBs will certify health IT to this criterion in
the same manner as they certify health IT to the 2014 Edition QMS
criterion, but accounting for any differences that are finalized
through the 2015 Edition ACD test procedure. We will issue further
compliance guidance as necessary.
Consolidated CDA Creation Performance
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(6) (Consolidated CDA creation performance)
------------------------------------------------------------------------
We proposed to adopt a new certification criterion at Sec.
170.315(g)(6) that would rigorously assess a product's C-CDA creation
performance (for both C-CDA Release 1.1 and 2.0) when it is presented
for a Health IT Module certification that includes within its scope any
of the proposed certification criteria that require C-CDA creation
(e.g., ``transitions of care'' at Sec. 170.315(b)(1)). We explained
that to implement this proposal, we would amend Sec. 170.550 to add a
requirement that ONC-ACBs shall not issue a Health IT Module
certification to a product that
[[Page 62674]]
includes C-CDA creation capabilities within its scope, unless the
product was also tested and satisfied the certification criteria
requirements proposed at Sec. 170.315(g)(6). If the scope of
certification included multiple certification criteria that require C-
CDA creation, we noted that Sec. 170.315(g)(6) need only be tested in
association with one of those certification criteria and would not be
expected or required to be tested for each. Specifically, we proposed
that three technical outcomes be met: reference C-CDA match, document
template conformance, and vocabulary conformance.
We noted that we coordinated with our colleagues at NIST and
understand that NVLAP-Accredited Testing Laboratories would retain the
C-CDA files created under test and contribute them to an ONC-maintained
repository.
Comments. A number of commenters expressed support for the proposal
for this certification criterion that would test a Health IT Module's
C-CDA creation performance as proposed. Some commenters suggested that
the gold standard needs to be specific on what to do with optionality
permitted in the C-CDA standard. A few commenters requested
clarifications on how the gold standard would be structured, whether it
would be one or multiple documents, and whether the testing would be
done through an automated tool or by visual inspection.
Response. We thank commenters for their support and have adopted a
C-CDA creation performance certification criterion with the following
changes described below. As discussed in the 2014 Edition Release 2
proposed rule (79 FR 10899), we continue to believe in the value of
this capability to promote the ability of providers to exchange C-CDA
documents and subsequently be able to parse and use the C-CDA received.
This is especially important for interoperability when the C-CDA
standard allows for optionality and variations.
We intend to publish sample gold standard C-CDA documents on
www.healthit.gov or another ONC-maintained repository for the public to
review and provide comment. We also anticipate that there will be
multiple gold standard documents for each C-CDA document template we
require for this criterion with variations in each to test optionality
for which the C-CDA standard allows. With respect to testing, we
anticipate that testing will be performed, at a minimum, through a
conformance testing tool and could also include visual inspection as
necessary to verify reference C-CDA match, document template
conformance, and vocabulary conformance.
Comments. Similar to comments received to other certification
criteria such as ``transitions of care,'' commenters did not support
the proposal to be able to create C-CDA documents in accordance with
both C-CDA Releases 1.1 and 2.0.
Response. We have adopted C-CDA Release 2.1 for this certification
criterion for the same reasons as noted in the preamble for the
``transitions of care'' criterion.
C-CDA Document Templates
We proposed that Health IT Modules would have to demonstrate
compliance with the C-CDA creation performance functions of this
criterion for the following C-CDA Release 2.0 document templates:
Continuity of Care;
Consultation Note;
History and Physical;
Progress Note;
Care Plan;
Transfer Summary;
Referral Note; and
Discharge Summary (for inpatient settings only).
Comments. A few commenters suggested that ONC not require
certification to all proposed document templates and indicated that not
all document templates are applicable to every setting. They also cited
potential development burdens with the proposed scope.
Response. As discussed in the preamble for other certification
criteria that include C-CDA creation within its scope, we have limited
the C-CDA Release 2.1 document template requirements based on the use
case for each certification criterion. Therefore, some criteria (e.g.,
ToC) require three C-CDA templates whereas others (e.g., care plan)
only require one C-CDA template. As such, we have required that C-CDA
creation performance be demonstrated for the C-CDA Release 2.1 document
templates required by the 2015 Edition certification criteria presented
for certification. For example, if a Health IT Module only included
Sec. 170.315(e)(1) within its certificate's scope, then only the
Continuity of Care Document (CCD) document template would be applicable
within this criterion. Conversely, if a Health IT Module designed for
the inpatient setting included Sec. 170.315(b)(1) within its
certificate's scope, then all three document templates referenced by
that criterion would need to evaluated as part of this certification
criterion.
If the scope of certification includes more than one certification
criterion with C-CDA creation required, C-CDA creation performance only
has to be demonstrated once for each C-CDA document template (e.g., C-
CDA creation performance to the CCD template would not have to
demonstrated twice if the Health IT Module presents for certification
to both ``ToC'' and the ``data export'' criteria).
Comments. One commenter was concerned that the proposed regulation
text language ``upon the entry of clinical data consistent with the
Common Clinical Data Set'' implies the incorrect workflow, and would
only allow creation to be done while the user finishes creating or
composing the C-CDA document. The commenter noted that there is an
additional step between creation and sending where additional
vocabulary mapping steps need to be applied.
Response. We thank the commenter for the input. We clarify that the
purpose of the phrase was to provide a clear scope to the certification
criterion for health IT developers. Given that the C-CDA includes many
section templates to represent data outside of the data specified by
the Common Clinical Data Set definition, we sought to indicate that
testing would be limited to only the data within scope for the Common
Clinical Data Set definition. We have modified the language in the
certification criterion to more clearly reflect this scope limitation.
C-CDA Completeness
Due to past feedback from providers that indicated the variability
associated with different functionalities and workflows within
certified health IT can ultimately affect the completeness of the data
included in a created C-CDA, we requested comment on a proposal that
would result in a certification requirement to evaluate the
completeness of the data included in a C-CDA. This additional
requirement would ensure that the data recorded by a user in health IT
is equivalent to the data included in a created C-CDA.
Comments. We received mixed comments in response to this request
for comment. One commenter was supportive of the proposal. Another
commenter requested clarification on whether the request for comment
intended to specify how the user interface captures specific data using
specific vocabulary, and was not supportive of imposing data capture
requirements for this criterion. One commenter was concerned that ONC
was being too prescriptive by soliciting comment on this potential
requirement to test C-CDA completeness and suggested ONC test this in a
sub-
[[Page 62675]]
regulatory manner and/or through improved conformance test tools. One
commenter suggested that some C-CDA document templates do not include
all information entered into an EHR for certain use cases, as some
document templates are meant to include targeted and specific
information for a particular setting to which a patient is being
transitioned.
Response. We thank commenters for the input and, in consideration
of the comments, have adopted this proposal as part of this
certification criterion. As we stated in the Proposed Rule, the intent
and focus of this proposal was to ensure that however data is entered
into health IT--via whatever workflow and functionality--that the C-CDA
output would reflect the data input and not be missing data a user
otherwise recorded. We also clarify that the scope of the data for this
certification criterion is limited to the Common Clinical Data Set
definition. We did not intend imply and note that that this criterion
does not prescribe how the user interface captures data.
Repository of C-CDA Documents
We did not receive any comments regarding our understanding that
NVLAP-Accredited Testing Laboratories would retain the C-CDA files
created under test and contribute them to an ONC-maintained repository.
We note that we intend to implement this repository as noted in the
Proposed Rule.
Application Access To Common Clinical Data Set
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(7) (Application access--patient selection)
------------------------------------------------------------------------
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(8) (Application access--data category request)
------------------------------------------------------------------------
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(g)(9) (Application access--all data request)
------------------------------------------------------------------------
We proposed a new 2015 Edition criterion at Sec. 170.315(g)(7)
that would require health IT to demonstrate it could provide
application access to the Common Clinical Data Set via an application
programming interface (API), and requiring that those same capabilities
be met as part of the ``VDT'' criterion. We noted that providing API
functionality could help to address many of the challenges currently
faced by individuals and caregivers accessing their health data,
including the ``multiple portal'' problem, by potentially allowing
individuals to aggregate data from multiple sources in a web or mobile
application of their choice. We emphasized that the proposed approach
was intended to provide flexibility to health IT developers to
implement an API that would be most appropriate for its customers and
allow developers to leverage existing standards that most health IT
developers would already need in order to seek certification for other
criteria.
Because many commenters provided feedback on the ``API'' criterion
within the context of the ``VDT'' criterion and in the order of this
final rule the VDT discussion comes first, we address all comments to
proposed Sec. 170.315(g)(7) here.
Comments. The HITSC recommended that we permit Health IT Modules to
certify towards each of the three API scenarios (get patient
identifier, get document, get discrete data) individually, while
stating the expectation that Health IT developers and provider
organizations should ensure that the APIs work together functionally.
The HITSC also recommended providing a ``sub-regulatory flexibility''
certification testing approach to allow developers to achieve
certification by participating in ``a public-private effort that
provides adequate testing and other governance sufficient to achieve
functional interoperability.''
Response. We agree with the approach suggested by the HITSC to
split our original proposed certification criterion into three separate
certification criteria with each individual criterion focused on
specific functionality. Based on prior experience with certification
criteria that ``lump'' functionality together that can otherwise be
separately performed, we believe that this additional flexibility will
allow for health IT developers to be more innovative. This will enable
additional modularity as part of the ONC Health IT Certification
Program in the event that a health IT developer seeks to change and
recertify one of the three API functionalities and leave the other two
capabilities unchanged. The three certification criteria will be
adopted at Sec. 170.315(g)(7), (g)(8), and (g)(9). Each will include
the documentation and terms of use requirement that was part of the
single proposed criterion. Additionally, in consideration of this
change and because CMS has required as part of the EHR Incentive
Program Stage 3 and Modifications final rule that providers will need
to have health IT certified to both the VDT certification criterion and
these three ``API'' criteria to meet Stage 3 Objectives 5 and 6, we
have removed the API functionality embedded within the VDT
certification criterion and adopted these three criteria to simplify
our rule and reduce redundancy.
For the purposes of testing for each of the ``API'' certification
criteria, a health IT developer will need to demonstrate the response
(i.e., output) for each of the data category requests and for the
``all'' request, the output according to the C-CDA in the CCD document
template. For all other aspects of these certification criteria, we
expect the testing would include, but not be limited to, attestation,
documentation, functional demonstration, and visual inspection.
We appreciate suggestions as to a ``sub-regulatory approach'' and
will consider whether such approaches could fit within our regulatory
structure as well as lead to consistent and efficient testing and
certification.
Comments. Multiple commenters voiced concern that we did not name a
standard for API functionality in the Proposed Rule. Of these
commenters, some suggested that we specifically name FHIR as the
standard for this criterion, while others expressed concern that FHIR
is not yet mature enough for inclusion in regulation, and suggested
that ONC eliminate or make optional API functionality until a time when
API standards have undergone more testing in the market. However, many
commenters strongly supported the inclusion of API functionality for
patient access, discussing the criterion's provision of more
flexibility and choice for the consumer, better facilitation of
communication and education for individuals, fostering of more
efficient and modern information exchange, and encouraging innovation
by app developers and entrepreneurs to create better online experiences
for users. Several commenters also voiced support for the approach of
encouraging movement towards APIs, without locking in any specific
standard, and urged ONC to maintain an open, transparent process with
public input as it works with industry to identify and develop emerging
standards in this space.
Response. We have adopted three new criteria as a new component of
the 2015 Base EHR definition in Sec. 170.102. We appreciate the number
of detailed and thoughtful comments on this criterion, and the concerns
regarding standardization. We agree with the many comments supportive
of the
[[Page 62676]]
inclusion of API functionality for Health IT Modules, and note that in
addition to enhanced flexibility for consumers and increased
innovation, we believe that the ``API'' criteria will enable easier
access to health data for patients via mobile devices, which may
particularly benefit low income populations where smartphone and tablet
use may be more prevalent than computer access. Regarding comments on
standardization, we believe that the criterion is at an appropriate
level of specificity given the ongoing development of API standards for
health care, and continue to support our initial proposal to allow for
a flexible approach without naming a specific standard. However, we
emphasize that we intend to adopt a standards-based approach for
certification in the next appropriate rulemaking and we note the
existence and ongoing piloting of promising work such as the Fast
Healthcare Interoperability Resources (FHIR) specification. We agree
with commenters' suggestions that ONC continue to monitor and actively
participate in industry efforts to support testing of these and other
emerging standards. We understand that many Health IT Modules have APIs
today and providing for flexibility in the final rule will allow them
to certify their existing APIs.
Security
We proposed that the API include a means for the establishment of a
trusted connection with the application that requests patient data. We
stated that this would need to include a means for the requesting
application to register with the data source, be authorized to request
data, and log all interactions between the application and the data
source.
Comments. Multiple commenters cited a need to provide security
standards for this criterion while also noting that current and
emerging standards, such as OAuth, are not yet tested and fully mature
for inclusion in regulation. Other commenters suggested that ONC
specifically name OAuth and/or some combination of OAuth, Open ID
Connect, and User Managed Access (UMA) as the standards for
authentication and authorization within this criterion. A few
commenters cited other standards, such as HTTPS and SSL/TLS. Multiple
commenters noted that the consumers of the API--the web and mobile
applications--were ultimately the entities responsible for security,
rather than the Health IT Module itself, and that the market for third
party applications is currently unregulated.
Response. We have adopted a final criterion without the proposed
requirement for registration of third party applications. Our intention
is to encourage dynamic registration and strongly believe that
registration should not be used as a means to block information sharing
via APIs. That is, applications should not be required to pre-register
(or be approved in advance) with the provider or their Health IT Module
developer before being allowed to access the API. Under the 2015
Edition privacy and security (P&S) certification framework, health IT
certified to the API criteria must support an application connecting to
the API. The P&S certification framework for the API criteria requires
that a Health IT Module certified to this criterion be capable of
ensuring that: valid user credentials such as a username and password
are presented (that match the credentials on file at the provider for
that user); the provider can authorize the user to view the patient's
data; the application connects through a trusted connection; and the
access is audited (Sec. 170.515(d)(1); (d)(9); and (d)(2) or (d)(10);
respectively). These certification requirements should be sufficient to
allow access without requiring further application pre-registration.
The applicable P&S certification criteria are discussed in more detail
below.
We intend to pursue a standards-based approach for this criterion
in the future, but believe that providing flexibility currently is more
appropriate as emerging standards continue to mature and gain traction
in industry, and consistent with our overall ``functional'' approach to
the API certification criteria at Sec. 170.315(g)(7), (g)(8), (g)(9).
We recognize and encourage the work being done to develop emerging
standards in this space, including OAuth, OpenID Connect, UMA, and the
Open ID Foundation's HEART profile. Accordingly, we emphasize that the
security controls mentioned in the Proposed Rule establish a floor, not
a ceiling. We encourage organizations to follow security best practices
and implement security controls, such as penetration testing,
encryption, audits, and monitoring as appropriate, without adversely
impacting a patient's access to data, following their security risk
assessment. We expect health IT developers to include documentation on
how to securely deploy their APIs in the public documentation required
by the certification criteria and to follow industry best practices. We
also seek to clarify that a ``trusted connection'' means the link is
encrypted/integrity protected according to Sec. 170.210(a)(2) or
(c)(2). As such, we do not believe it is necessary to specifically name
HTTPS and/or SSL/TLS as this standard already covers encryption and
integrity protection for data in motion.
While we appreciate the concerns of commenters regarding privacy
and security of third party applications, we note that the regulation
of third party applications is outside the scope of certification,
unless those applications are seeking certification as Health IT
Modules. As consumer applications, third-party applications may fall
under the authority of the Federal Trade Commission (FTC). In addition,
if third-party applications are offered on behalf of a HIPAA covered
entity or business associate, they would be governed by the HIPAA
Privacy and Security Rules as applicable to those entities. We also
note that the Federal Trade Commission and the National Institute of
Standards and Technology (NIST) have issued guidance regarding third-
party applications; we encourage third-party application developers to
take advantage of these resources.\122\
---------------------------------------------------------------------------
\122\ See, e.g., NIST Technical Considerations for Vetting 3rd
Party Mobile Applications, available at http://csrc.nist.gov/publications/drafts/800-163/sp800_163_draft.pdf; FTC, Careful
Connections: Building Security in the Internet of Things (Jan.
2015), available at https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things; FTC,
Mobile App Developers: Start with Security (Feb. 2013), available at
https://www.ftc.gov/tips-advice/business-center/guidance/mobile-app-developers-start-security.
---------------------------------------------------------------------------
Comments. Commenters pointed out that the proposed process for
certifying security & privacy requirements for the ``Application Access
to Common Clinical Data Set'' criterion was inconsistent with the
proposed privacy and security certification approach listed in Appendix
A of the Proposed Rule's preamble. The HITSC recommended that we
include encryption and integrity protection as a security requirement
for the ``API'' criterion.
Response. We agree with commentators that the approach from our
prior rules and our most recent Proposed Rule were inconsistent. We
have finalized an approach that standardizes the way Health IT Modules
certify for privacy and security (P&S). For consistency, we have moved
the trusted connection security requirements included proposed Sec.
170.315(g)(7)(i) into two new certification criteria under Sec.
170.315(d) and have applied them back to the three adopted ``API''
certification criteria as part of the 2015 Edition P&S certification
framework
[[Page 62677]]
(Sec. 170.550(h)).\123\ To be certified for the ``API'' criteria, a
Health IT Module must certify to either Approach 1 (technically
demonstrate) or Approach 2 (system documentation) for the following
security criteria:
---------------------------------------------------------------------------
\123\ We refer readers to section IV.C.1 (``Privacy and
Security'') of this preamble for further discussion of the 2015
Edition P&S certification framework.
---------------------------------------------------------------------------
Section 170.315(d)(1) ``authentication, access control,
and authorization;''
Section 170.315(d)(9) ``trusted connection;'' and
Section 170.315(d)(10) ``auditing actions on health
information'' or Sec. 170.315(d)(2) ``auditable events and tamper
resistance.''
We intended the trusted connection requirement to encompass
encryption and integrity. The ``trusted connection'' criterion at Sec.
170.315(d)(9) requires health IT to establish a trusted connection in
accordance with the standards specified in Sec. 170.210(a)(2) and
(c)(2). We have adopted Sec. 170.315(d)(10) ``auditing actions on
health information'' as an abridged version of Sec. 170.315(d)(2)
``auditable events and tamper resistance'' as some of the capabilities
included in Sec. 170.315(d)(2) would likely not apply to a Health IT
Module certified only to the ``API'' criteria, such as recording the
audit log status or encryption status of electronic health information
locally stored on end-user devices by the technology. A Health IT
Module presented for certification to the ``API'' criteria, depending
on the capabilities it included for certification, could be certified
to either Sec. 170.315(d)(2) or (d)(10) as part of the 2015 Edition
P&S certification framework.
We have removed the requirement that the API must include a means
for the requesting application to register with the data source. Our
intention was that APIs should support dynamic registration that does
not require pre-approval before an application requests data from the
API. However, from the comments received it was clear that our
intention was not understood. Further, open source standards for
dynamic registration are still under active development, there is
currently no consensus-based standard to apply, and we do not want
registration to become a barrier for use of Health IT Modules' APIs. We
are removing this requirement at this time for the purposes of
certification and will consider verifying this technical capability for
a potential future rulemaking.
Comments. Several commenters expressed concern that APIs may
increase security risks. In particular, these commenters called for
security standards to specify the manner in which the API is
authorized, authenticated, and how data must be secured in transit.
Response. Entities must follow federal and state requirements for
security. APIs, like all technology used in a HIPAA-regulated
environment, must be implemented consistent with the HIPAA Security
Rule. Namely, covered entities and their business associates must
perform a security risk assessment and must meet the HIPAA Security
Rule standards, consistent with their risks to the administrative,
technical, and physical security of the ePHI they maintain. The
security safeguards required by certification establish a floor of
security controls that all APIs must meet; an organization's security
risk assessment may reveal additional risks that must be addressed in
the design or implementation their EHR's particular API or they may
have additional regulatory requirements for security. Therefore, users
of health information technology should include APIs in their security
risk analysis and implement appropriate security safeguards. We also
strongly encourage health IT developers to build security into their
APIs and applications following best practice guidance, such as the
Department of Homeland Security's Build Security In initiative.\124\ We
also reiterate that at this time, we are requiring a read-only
capability--read-only capabilities may have fewer security risks
because the EHR does not consume external data.
---------------------------------------------------------------------------
\124\ https://buildsecurityin.us-cert.gov/.
---------------------------------------------------------------------------
Provider organizations already transmit information outside their
networks such as electronic claims submission, lab orders, and VDT
messages. These transmissions may be occurring using APIs today.
Therefore, provider organizations could already be implementing
safeguards needed to secure APIs. We encourage providers to employ
resources released by OCR and ONC, such as the Security Risk Assessment
Tool \125\ and the Guide to Privacy and Security of Electronic Health
Information,\126\ as well as the Office for Civil Rights' website \127\
to make risk-based decisions regarding their implementation of APIs and
the selection of appropriate and reasonable security safeguards.
---------------------------------------------------------------------------
\125\ ONC Security Risk Assessment Tool: http://www.healthit.gov/providers-professionals/security-risk-assessment.
\126\ ONC Guide to Privacy and Security of Electronic Health
Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.
\127\ HHS Office for Civil Rights: http://www.hhs.gov/ocr/office/index.html.
---------------------------------------------------------------------------
It is important to recognize that an API may be used to enable a
patient to access data in the Designated Record Set for that
individual, pursuant to 45 CFR 164.524(a)(1).\128\ Additionally, the
electronic tools an individual uses to handle or transport data in the
individual's custody are not required to meet the HIPAA Security Rule.
Those tools cannot pose an unreasonable threat to the covered entity's
system, but the tools used by the individual themselves are not
regulated by HIPAA. For example, a patient may insist that in providing
an electronic copy of data about them, the email that delivers the ePHI
to the patient is not encrypted.\129\ A patient may also select a third
party product that will receive their data through the API that is not
subject to HIPAA Security Rule requirements.
---------------------------------------------------------------------------
\128\ 45 CFR 164.524(a)(1): http://www.thefederalregister.org/fdsys/pkg/CFR-2013-title45-vol1/xml/CFR-2013-title45-vol1-sec164-501.xml.
\129\ HHS Office for Civil Rights FAQs on HIPAA: http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html.
---------------------------------------------------------------------------
Comments. Several commenters stated that APIs should align with
patient privacy expectations.
Response. We appreciate the commenters' concerns about patient
privacy expectations and agree that use of APIs must align with all
federal and state privacy laws and regulations. We expect APIs to be
used in circumstances when consent or authorization by an individual is
required, as well as in circumstances when consent or authorization by
an individual is not legally required for access, use or disclosure of
PHI. In other words, APIs, like faxes before them, will be used in
light of the existing legal framework that already supports the
transmission of protected health information, sensitive health
information, and applicable consent requirements.
In circumstances where there is a requirement to document a
patient's request or particular preferences, APIs can enable compliance
with such documentation requirements. The HIPAA Privacy Rule \130\
permits the use of electronic documents to qualify as writings for the
purpose of proving signature, e.g., electronic signatures. Electronic
signatures can be captured by a patient portal or an API, absent the
application of a more privacy-protective state law.
---------------------------------------------------------------------------
\130\ 45 CFR part 160 and Part 164, Subparts A and E.
---------------------------------------------------------------------------
The existing legal framework would support the use of APIs to
facilitate patient access to electronic health information or patient
access requests
[[Page 62678]]
made pursuant to 45 CFR 164.524 to transmit their information to a
designated third party. For example, an individual may request a copy
of their data from their provider's API using software tools of the
individual's choosing. Assuming the individual has been properly
authenticated and identity-proofed, the provider's obligation under
HIPAA is to fulfill the ``access'' request through the API if that
functionality is available, because that is the medium so chosen by the
patient. The addition of APIs to the technical landscape of health IT
does not alter HIPAA requirements, which support reliance on the
established and prevailing standards for electronic proof of
identity.\131\ This policy supports the availability of health
information for treatment, payment, and health care operations (45 CFR
164.506) and leverages the progress already made to operationalize
privacy laws in an electronic environment, while facilitating
interoperability.
---------------------------------------------------------------------------
\131\ NIST SP 800-63-2.
---------------------------------------------------------------------------
Patient Selection
We proposed that the API would need to include a means for the
application to query for an identification (ID) or other token of a
patient's record in order to subsequently execute data requests for
that record.
Comments. Commenters noted that standardization of this requirement
should include industry-accepted standards such as IHE PDQ or PIX
query.
Response. Consistent with our approach throughout the ``API''
criteria, we decline to require a specific standard at this time,
although we intend to do so in a future rulemaking. We note that the
standards suggested by commenters have been adopted in industry and we
encourage Health IT Modules to identify and implement any existing
standards that best support the needs of their users. We have adopted
these final requirements in the certification criterion adopted in
Sec. 170.315(g)(7). It includes the proposed requirement with specific
conforming adjustments to be its own certification criterion. The
criterion specifies that technology will need to be able to receive a
request with sufficient information to uniquely identify a patient and
return an ID or other token that can be used by an application to
subsequently execute requests for that patient's data. We do not
presume or prescribe a particular method or amount of data by which
technology developer implements its approach to uniquely identify a
patient. However, we note that such information must be included in the
technical documentation also required to be made available as part of
certification. Once the specific ID or other token is returned in a
response, we expect and intend for the other ``API'' criteria discussed
below to be able to use the ID or other token to then perform the data
requests.
Data Requests, Response Scope, and Return Format
We proposed that the API would need to support two types of data
requests and responses: ``by data category'' and ``all.'' In both
cases, the proposed scope for certification was limited to the data
specified in the Common Clinical Data Set. For ``by data category,''
the API would need to respond to requests for each of the data
categories specified in the Common Clinical Data Set and return the
full set of data for that data category. We also proposed that as the
return format for the ``by data category,'' that either XML or JSON
would need to be produced. ``All'' requests for a specific patient
would return a patient's fully populated summary record formatted in
accordance with the C-CDA version 2.0.
Comments. Commenters suggested several specific changes to this
criterion, including: We should clarify that access is for a specific
patient; we should include a requirement that applications be able to
request specific date ranges, ability to request patient lists or other
identified populations; and we should remove the return format of
either XML or JSON, because some APIs could return data in HL7 v2
format. For the ``data category'' request requirement, commenters asked
that ONC clarify whether ``each'' means a query limited to one category
at a time, or whether combinations of categories can be requested at
one time. For ``all'' requests, some commenters suggested that this
functionality should support the ability to view or download based on
specific data, time, or period of time; other commenters urged us to
focus first on the narrow set of capabilities initially proposed to
gain experience, and add additional capabilities in future
certification. Most commenters supported focusing on the CCD document
to create clear expectations and enhance interoperability. Two
commenters were opposed to restricting the use of C-CDA 2 to CCD
document type because other document types (i.e. Transfer Summary,
Referral Note and Care Plan) are very commonly used documents in the
real world, and would not be available through this functionality.
Response. We expect that all three API capabilities would function
together; thus applications connecting to the API would be able to
request data on a specific patient, as described in the ``API--patient
selection'' criterion, using an obtained ID or other token. At this
time, we have decided not to include an additional patient list
creation requirement. However, we emphasize that this initial set of
APIs represents a floor rather than a ceiling, and we expect developers
to build enhanced APIs to support innovation and easier, more efficient
access to data in the future.
In response to concerns regarding the return format for the data-
category request, we have decided to make that requirement more
flexible and have removed the specific proposed language of XML or JSON
to say in the final criterion that the returned data must be in a
computable (i.e., machine readable) format.
In response to comments concerning the ``all-request,'' we clarify
that the API functionality must be able to respond to requests for all
of the data included in the CCDS on which there is data for patient,
and that the return format for this functionality would be limited to
the C-CDA's CCD document template. We believe that focusing on the CCD
document template will reduce the implementation burden for health IT
developers to meet this certification criterion and will help
application developers connecting to Health IT Modules' APIs because
they will know with specificity what document template they are going
to receive.
With regard to requests for each ``data category,'' for the
purposes of certification, the technology must demonstrate that it can
respond to requests for each individual data category one at a time.
However, this is a baseline for the purposes of testing and
certification and health IT developers are free to enable the return of
multiple categories at once if they choose to build out that
functionality.
Similar to our response for ``VDT'' criterion, we clarify that
patients should be provided access to any data included in the Common
Clinical Data Set.
As with the VDT requirement, we have adopted date and time
filtering requirements as part of this criterion. We agree with
commenters that adding this functionality to these criteria will
provide clarity that patients should have certain baseline capabilities
available to them when it comes to selecting the data (or range of
data) they wish to access using an application that interacts with the
Health IT Module's APIs. Specifically, we have adopted two timeframe
requirements: First, to ensure that an application can request data
[[Page 62679]]
associated with a specific date, and the second, to ensure that an
application can request data within an identified date range, which
must be able to accommodate the application requesting a range that
includes all data available for a particular patient. The technology
specifications should be designed and implemented in such a way as to
return meaningful responses to queries, particularly with regard to
exceptions and exception handling, and should make it easy for
applications to discover what data exists for the patient.
Documentation and Terms of Use
We proposed that the required technical documentation would need to
include, at a minimum: API syntax, function names, required and
optional parameters and their data types, return variables and their
types/structures, exceptions and exception handling methods and their
returns. We also stated that the terms of use must include the API's
developer policies and required developer agreements so that third-
party developers could assess these additional requirements before
engaging in any development against the API. We also proposed that
health IT developers would need to submit a hyperlink to ONC-ACBs,
which the ONC-ACB would then submit as part of its product
certification submission to the Certified Health IT Product List (CHPL)
that would allow any interested party to view the API's documentation
and terms of use.
Comments. One commenter suggested that ONC should clarify whether
our intent is that terms of use would replace, include, or overlap with
HIPAA privacy policies that health care providers are required to
provide their patients. Another commenter voiced concern that the API-
consuming application should be the party responsible for assuring
effective use of the API in terms of safety, security, privacy, and
accessibility. Multiple commenters suggested that ONC place certain
restrictions on terms of use, including limits on any fees, copyright,
or licensing requirements on APIs.
Response. We emphasize that nothing in this criterion is intended
to replace federal or state privacy laws and regulations, nor the
contractual arrangements between covered entities and business
associates. Placing requirements or limitations on the specific content
of the terms of use is beyond the scope of certification. However, we
reiterate that our policy intent is to allow patients to access their
data through APIs using the applications of their own choosing, and
limit the creation of ``walled gardens'' of applications that only
interact with certain Health IT Modules. As stated previously in this
preamble, we intend to require a standards-based approach to this
criterion in the next appropriate rulemaking and we encourage vendors
to start piloting the use of existing and emerging API standards. By
requiring that documentation and terms of use be open and transparent
to the public by requiring a hyperlink to such documentation to be
published with the product on the ONC Certified Health IT Product List,
we hope to encourage an open ecosystem of diverse and innovative
applications that can successfully and easily interact with different
Health IT Modules' APIs.
Transport Methods and Other Protocols
We proposed two ways for providers to meet the 2015 Edition Base
EHR definition using health IT certified to transport methods. The
first proposed way to meet the proposed 2015 Edition Base EHR
definition requirement would be for a provider to have health IT
certified to Sec. 170.315(b)(1) and (h)(1) (Direct Project
specification). This would account for situation where a provider uses
a health IT developer's product that acts as the ``edge'' and the HISP.
The second proposed way would be for a provider to have health IT
certified to Sec. 170.315(b)(1) (``ToC'' criterion) and (h)(2)
(``Direct Project, Edge Protocol, and XDR/XDM''). This would account
for situations where a provider is using one health IT developer's
product that serves as the ``edge'' and another health IT developer's
product that serves as a HISP.\132\ To fully implement this approach,
we proposed to revise Sec. 170.550 to require an ONC-ACB to ensure
that a Health IT Module includes the certification criterion adopted in
Sec. 170.315(b)(1) in its certification's scope in order to be
certified to the certification criterion proposed for adoption at Sec.
170.315(h)(1). We lastly proposed to revise the heading of Sec.
170.202 from ``transport standards'' to ``transport standards and other
protocols.''
---------------------------------------------------------------------------
\132\ See the 2014 Edition Release 2 final rule for more
discussion on such situations (79 FR 54436-38).
---------------------------------------------------------------------------
We received minimal comments on these proposals and discussed what
comments we received under the ``Direct Project, Edge Protocol, and
XDR/XDM'' certification criterion below.
Direct Project
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(h)(1) (Direct Project)
------------------------------------------------------------------------
We proposed to adopt a certification criterion that includes the
capability to send and receive according to the Applicability Statement
for Secure Health Transport (the primary Direct Project specification).
We noted that we previously adopted this capability for the 2014
Edition at Sec. 170.314(b)(1), (b)(2) and (h)(1). We proposed to
include as an optional capability for certification the capability to
send and receive according to the Implementation Guide for Delivery
Notification in Direct, Version 1.0, June 29, 2012 (``Delivery
Notification IG''). We explained that the primary Direct Project lacked
certain specificity and consistency guidance such that deviations from
normal message flow could result if Security/Trust Agents (STAs)
implemented only requirements denoted as ``must'' in Section 3 of the
primary Direct Project. As a result, STAs may not be able to provide a
high level of assurance that a message has arrived at its destination.
We further stated that the Delivery Notification IG provides
implementation guidance enabling STAs to provide a high level of
assurance that a message has arrived at its destination and outlines
the various exception flows that result in compromised message delivery
and the mitigation actions that should be taken by STAs to provide
success and failure notifications to the sending system.
Comments. Commenters overwhelmingly supported the adoption of this
criterion as proposed. Many commenters also expressed strong support
for the optional delivery notification provision as a means to support
specific business practices. Some commenters stated that delivery
notification will only work when both receiving and sending parties
support the functionality and, thus, delivery notification must be
required of both sending and receiving entities in order for it to
work. Commenters also requested clarification regarding ``ownership''
and maintenance of the Direct Project, including some that recommended
that ``ownership'' should belong to a SDO.
Response. We have adopted a revised criterion in comparison to our
proposal and the related 2014 Edition certification criteria. After
careful consideration of comments, we believe it is appropriate to
adopt the Applicability Statement for Secure Health Transport, Version
1.2 (August 3,
[[Page 62680]]
2015).\133\ This new version of the specification includes updates that
improve interoperability through the clarification of requirements that
have been subject to varying interpretations, particularly requirements
around message delivery notifications. This version also clarifies
pertinent requirements in the standards underlying the Applicability
Statement for Secure Health Transport. Migration to this newer version
will provide improvements for exchange of health information and should
have minor development impacts on health IT developers. Further, we
expect that many developers and technology organizations that serve as
STAs will quickly migrate to version 1.2 due to its improvements. We
note, for certification to this criterion, we have made it a
requirement to send and receive messages in only ``wrapped'' format
even though the specification (IG) allows use of ``unwrapped''
messages. This requirement will further improve interoperability among
STAs, while having minor development impact on health IT developers.
---------------------------------------------------------------------------
\133\ http://wiki.directproject.org/file/view/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.2.pdf/556133893/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.2.pdf.
---------------------------------------------------------------------------
We have also adopted as a requirement for this criterion the
Implementation Guide for Delivery Notification in Direct, Version 1.0,
June 29, 2012. While we proposed this IG as an optional provision, we
agree with commenters that this functionality must be required to best
support interoperability and exchange, particularly for both sending
and receiving parties. As we stated in the 2014 Edition Release 2
proposed rule (79 FR 10914-915), the capabilities in this IG provide
implementation guidance enabling HISPs to provide a high level of
assurance to senders that a message has arrived at its destination, a
necessary component to interoperability.
We appreciate the recommendations and questions regarding
``ownership'' of the Direct specifications. We clarify that although
ONC played a significant role in the creation and coordination of the
Direct specifications that ONC does not ``own'' them. Rather, the
specifications are publicly available and we view them as maintained by
the community of stakeholders who have and continue to support the
Direct specifications. To that end, as a participant in this community,
we have been working with other stakeholders to locate an appropriate
SDO who can maintain and mature these specifications over the long
term. We believe this step is both necessary and critical for Direct
specifications to be well maintained and industry supported over time.
Direct Project, Edge Protocol, and XDR/XDM
------------------------------------------------------------------------
-------------------------------------------------------------------------
2015 Edition Health IT Certification Criterion
Sec. 170.315(h)(2) (Direct Project, Edge Protocol, and XDR/XDM)
------------------------------------------------------------------------
We proposed a 2015 Edition ``Direct, Edge Protocol, and XDR/XDM''
certification criterion that included three distinct capabilities. The
first proposed capability focused on technology's ability to send and
receive according to the Applicability Statement for Secure Health
Transport (the primary Direct Project specification). The second
proposed capability focused on technology's ability to send and receive
according to both Edge Protocol methods specified by the standard
adopted in Sec. 170.202(d). The third proposed capability focused on
technology's ability to send and receive according to the XDR and XDM
for Direct Messaging Specification. We noted that these three
capabilities were previously adopted as part the 2014 Edition,
including through the 2014 Edition and 2014 Edition Release 2 final
rules, and we reminded health IT developers that best practices exist
for the sharing of information and enabling the broadest participation
in information exchange with Direct.\134\
---------------------------------------------------------------------------
\134\ http://wiki.directproject.org/Best+Practices+for+Content+and+Workflow.
---------------------------------------------------------------------------
Comments. Commenters overwhelmingly supported the adoption of this
criterion as proposed. A commenter suggested that the primary Direct
Project specification should only be included in the Direct Project
certification criterion (Sec. 170.315(h)(1)). A commenter requested
clarification on the anticipated advantage(s) of certifying with XDR/
XDM. A commenter stated some systems are still using SMTP and IMAP.
Another commenter stated that while certified Health IT Modules may
implement Direct Edge protocols there is no requirement for HISPs to
adopt the protocol. Commenters also requested clarification regarding
``ownership'' and maintenance of the Direct project, with some
recommending that ``ownership'' should belong to a SDO.
Response. We have adopted this as a revised criterion in comparison
to our proposal and the related 2014 Edition certification criteria.
After careful consideration of comments, we believe it is appropriate
to adopt the Applicability Statement for Secure Health Transport,
Version 1.2 (August 3, 2015).\135\ This new version of the
specification includes updates that improve interoperability through
the clarification of requirements that have been subject to varying
interpretations, particularly requirements around message delivery
notifications. This version also clarifies pertinent requirements in
the standards underlying the Applicability Statement for Secure Health
Transport. Migration to this newer version will provide improvements
for exchange of health information and should have minor development
impacts on health IT developers. Further, we expect that many
developers and technology organizations that serve as STAs will quickly
migrate to version 1.2 due to its improvements. For certification to
this criterion, we have made it a requirement to send and receive
messages in only ``wrapped'' format even though the specification (IG)
allows use of ``unwrapped'' messages. This requirement will further
improve interoperability among STAs while having minor development
impact on health IT developers.
---------------------------------------------------------------------------
\135\ http://wiki.directproject.org/file/view/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.2.pdf/556133893/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.2.pdf.
---------------------------------------------------------------------------
We have also adopted as a requirement for this criterion the
Implementation Guide for Delivery Notification in Direct, Version 1.0,
June 29, 2012. While we proposed this IG as an optional provision, we
agree with commenters that this functionality must be required to best
support interoperability and exchange, particularly for both a sending
and receiving HISP. As we stated in the 2014 Edition Release 2 proposed
rule (79 FR 10914-915), the capabilities in this IG provide
implementation guidance enabling HISPs to provide a high level of
assurance to senders that a message has arrived at its destination, a
necessary component to interoperability.
We require the use of XDR/XDM to support interoperability and
ensure that certain messages packaged using XDR/XDM can be received and
processed. This is the same approach we required with the 2014 Edition.
We also refer readers to the ``ToC'' certification criterion discussed
earlier in this preamble for further explanation of the
interoperability concerns related to the use of XDR/XDM. We clarify for
commenters that for health IT to be certified to this criterion it must
be able to support both of the Edge Protocols
[[Page 62681]]
methods referenced in the Edge IG version 1.1 (i.e., the ``IHE XDR
profile for Limited Metadata Document Sources'' edge protocol or an
SMTP-focused edge protocol (SMTP alone or SMTP in combination with
either IMAP4 or POP3)).
We note that even though the Edge Protocol requires support for XDS
limited metadata, XDR/XDM supports capability to transform messages
using full metadata wherever appropriate. Therefore, we require that a
Health IT Module must support both the XDS Metadata profiles (Limited
and Full), as specified in the underlying IHE specifications, to ensure
that the transformation between messages packaged using XDR/XDM are
done with as much appropriate metadata as possible.
This criterion requires the three capabilities specified (Direct
Project specification, Edge Protocol compliance, and XDR/XDM
processing) because it must support interoperability and all potential
certified exchange options as well as support a provider in meeting the
Base EHR definition. As we discussed above, a provider could use an
``independent'' HISP to meet the Base EHR definition. In such a case,
the HISP would need to be certified to this criterion in order for the
provider to use it to meet the Base EHR definition, which is part of
the CEHRT definition under the EHR Incentive Programs. Therefore, there
is incentive for a HISP to be certified to this criterion.
Please see our prior response regarding the ``ownership'' of the
Direct specifications under the ``Direct Project'' certification
criterion.
4. Gap Certification Eligibility Table for 2015 Edition Health IT
Certification Criteria
We have previously defined gap certification at 45 CFR 170.502 as
the certification of a previously certified Complete EHR or EHR
Module(s) to: (1) all applicable new and/or revised certification
criteria adopted by the Secretary at subpart C of part 170 based on the
test results of a NVLAP-accredited testing laboratory; and (2) all
other applicable certification criteria adopted by the Secretary at
subpart C of part 170 based on the test results used to previously
certify the Complete EHR or EHR Module(s) (for further explanation, see
76 FR 1307-1308). Our gap certification policy focuses on the
differences between certification criteria that are adopted through
rulemaking at different points in time. This allows health IT to be
certified to only the differences between certification criteria
editions rather than requiring health IT to be fully retested and
recertified to certification criteria (or capabilities) that remain
``unchanged'' from one edition to the next and for which previously
acquired test results are sufficient. Under our gap certification
policy, ``unchanged'' criteria are eligible for gap certification, and
each ONC-ACB has discretion over whether it will provide the option of
gap certification.
For the purposes of gap certification, we included a table in the
Proposed Rule to provide a crosswalk of the proposed ``unchanged'' 2015
Edition certification criteria to the corresponding 2014 Edition
certification criteria (80 FR 16868). We noted that with respect to the
2015 Edition certification criteria at Sec. 170.315(g)(1) through
(g)(3) that gap certification eligibility for these criteria would be
fact-specific and would depend on any modifications made to the
specific certification criteria to which these ``paragraph (g)''
certification criteria apply.
Comments. We did not receive specific comments on the gap
certification eligibility table or our described gap certification
policy.
Response. We have revised the proposed ``gap certification
eligibility'' table to reflect the adopted 2015 Edition certification
criteria discussed in section III.A.3 of this preamble. Table 6 below
provides a crosswalk of ``unchanged'' 2015 Edition certification
criteria to the corresponding 2014 Edition certification criteria.
These 2015 Edition certification criteria have been identified as
eligible for gap certification. We note that with respect to the 2015
Edition certification criteria at Sec. 170.315(g)(1) (``automated
numerator recording'') and (g)(2) (``automated measure calculation''),
a gap certification eligibility determination would be fact-specific
and depend on any modifications to the certification criteria to which
these criteria apply and relevant Stage 3 meaningful use objectives and
measures.
Table 6--Gap Certification Eligibility for 2015 Edition Health IT Certification Criteria
----------------------------------------------------------------------------------------------------------------
2015 Edition 2014 Edition
----------------------------------------------------------------------------------------------------------------
Title of regulation Title of regulation
Regulation section 170.315 paragraph Regulation section 170.314 paragraph
----------------------------------------------------------------------------------------------------------------
(a)(1)........................ Computerized provider (a)(1)....................... Computerized provider
order entry-- (a)(18)...................... order entry
medications. Computerized provider
order entry--
medications
(a)(2)........................ Computerized provider (a)(1)....................... Computerized provider
order entry--laboratory. (a)(19)...................... order entry
Computerized provider
order entry--
laboratory
(a)(3)........................ Computerized provider (a)(1)....................... Computerized provider
order entry--diagnostic (a)(20)...................... order entry
imaging. Computerized provider
order entry--
diagnostic imaging
(a)(4)........................ Drug-drug, drug-allergy (a)(2)....................... Drug-drug, drug-allergy
interaction checks for interaction checks
CPOE.
(a)(7)........................ Medication list......... (a)(6)....................... Medication list
(a)(8)........................ Medication allergy list. (a)(7)....................... Medication allergy list
(a)(10)....................... Drug-formulary and (a)(10)...................... Drug-formulary checks
preferred drug list
checks.
(a)(11)....................... Smoking status.......... (a)(11)...................... Smoking status
(d)(1)........................ Authentication, access (d)(1)....................... Authentication, access
control, and control, and
authorization. authorization
(d)(3)........................ Audit report(s)......... (d)(3)....................... Audit report(s)
(d)(4)........................ Amendments.............. (d)(4)....................... Amendments
(d)(5)........................ Automatic access time- (d)(5)....................... Automatic log-off
out.
(d)(6)........................ Emergency access........ (d)(6)....................... Emergency access
(d)(7)........................ End-user device (d)(7)....................... End-user device
encryption. encryption
(d)(11)....................... Accounting of (d)(9)....................... Accounting of
disclosures. disclosures
[[Page 62682]]
(f)(3)........................ Transmission to public (f)(4)....................... Inpatient setting only--
health agencies-- transmission of
reportable laboratory reportable laboratory
tests and values/ tests and values/
results. results
----------------------------------------------------------------------------------------------------------------
5. Not Adopted Certification Criteria
This section of the preamble discusses proposed certification
criteria included in the Proposed Rule that we have not adopted and
requests for comments on potential certification criteria included in
the Proposed Rule. We summarize the comments received on these proposed
criteria and requests for comments and provide our response to those
comments.
Vital Signs, Body Mass Index, and Growth Charts
We proposed to adopt a 2015 Edition ``vital signs, BMI, and growth
charts'' certification criterion that was revised in comparison to the
2014 Edition ``vital signs, BMI, and growth charts'' criterion (Sec.
170.314(a)(4)). Specifically, we proposed to: (1) Expand the types of
vital signs for recording; \136\ (2) require that each type of vital
sign have a specific LOINC[supreg] code attributed to it; (3) that The
Unified Code of Units of Measure, Revision 1.9, October 23, 2013
(``UCUM Version 1.9'') \137\ be used to record vital sign measurements;
and (4) that certain metadata accompany each vital sign, including
date, time, and measuring- or authoring-type source. In providing this
proposal, we stated awareness that several stakeholder groups are
working to define unique, unambiguous representations/definitions for
vital signs along with structured metadata to increase data
standardization for consistent representation and exchange. To ensure
consistent and reliable interpretation when information is exchanged,
we stated that vital signs should be captured natively. In addition, we
proposed ``optional'' pediatric vital signs for health IT to
electronically record, change, and access. With regard to the proposed
metadata, we requested comment on additional information that we should
consider for inclusion and the best available standards for
representing the metadata consistently and unambiguously. We also
requested comment on the on the feasibility and implementation
considerations for proposals that rely on less granular LOINC[supreg]
codes for attribution to vital sign measurements and the inclusion of
accompanying metadata. In the Proposed Rule's section III.B.3 (``Common
Clinical Data Set''), we stated that vital signs would be represented
in same manner for the ``Common Clinical Data Set'' definition as it
applies to the certification of health IT to the 2015 Edition, with the
exception of the proposed optional vital signs.
---------------------------------------------------------------------------
\136\ Per 80 FR 16818: Systolic blood pressure, diastolic blood
pressure, body height, body weight measured, heart rate, respiratory
rate, body temperature, oxygen saturation in arterial blood by pulse
oximetry, body mass index (BMI) [ratio], and mean blood pressure.
\137\ http://unitsofmeasure.org/trac/.
---------------------------------------------------------------------------
Comments. We received mixed feedback to the overall proposal, with
many commenters suggesting that (1) ONC should not be mandating how
vital signs are recorded natively within certified Health IT Modules,
and (2) the proposed approach to require recording of vital signs using
a less granular LOINC[supreg] code with associated metadata was not a
mature or the right approach for ensuring semantic interoperability.
Many commenters suggested that ONC should only specify how vital signs
are exchanged for the Common Clinical Data Set.
Concerning the proposal to specify how vital signs are recorded
natively in a health IT system, commenters noted that there would be
workflow and usability issues, such as requiring the user to enter in
metadata every time a vital sign is taken. As vital signs are routinely
taken as a part of every patient visit in many provider settings, this
could be burdensome and time-consuming.
Regarding the proposed approach to record vital signs using a less
granular LOINC[supreg] code with associated metadata, commenters had a
number of concerns. Some commenters were concerned that LOINC[supreg]
was designed as a pre-coordinated code system (e.g., some LOINC[supreg]
codes for vital signs are pre-specified to the site of vital sign
measurement, method of vital sign measurement, and/or device used to
take vital sign), but that our proposal to use a less granular code
with associated metadata to assist with interpretation would treat
LOINC[supreg] as a post-coordinated code system. Since LOINC[supreg]
does not include specific syntax rules, our proposed method could lead
to data integrity issues and patient safety concerns. Commenters
suggested that the industry is working to define a methodology for
structured data capture through initiatives like the S&I Framework
Structured Data Capture Initiative,\138\ and that ONC should not adopt
requirements for structured data capture as part of certification until
there is a consensus-based way forward. A few commenters were concerned
that the metadata could be lost or hidden from the user's view when
exchanged, resulting in the receiving user's inability to accurately
and safety interpret the vital sign measurement.
---------------------------------------------------------------------------
\138\ https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCUQFjAA&url=http%3A%2F%2Fwiki.siframework.org%2FStructured%2BData%2BCapture%2BInitiative&ei=l3KiVYW-MIKU-AH0kbjwCg&usg=AFQjCNFOieJjmvmMPbgBjd2zJ3igsdJVbw&sig2=GESy7uftrinE-ohpXqMQjw.
---------------------------------------------------------------------------
Some commenters noted that SNOMED CT[supreg] is the international
standard used for vital signs. One commenter noted that IHE is working
with the Department of Veterans Affairs and other stakeholders to
create a utility that would allow conversion from SNOMED CT[supreg] to
LOINC[supreg] or to make data accessible from other countries that use
SNOMED CT[supreg] for vital signs.
Many commenters suggested that the complexity of the proposed
approach for recording vital signs with metadata would require
extensive rework and mapping of existing systems resulting in little
additional benefit for workflow, usability, and semantic
interoperability. As such, commenters stated there was little incentive
to certify to the proposed criterion for vital signs as it was not
proposed as a requirement for participation in the EHR Incentive
Programs. Commenters also noted that most 2014 Edition certified health
IT capture vital signs data in different methods based on the product
and provider setting, but all of them still support the exchange of
vital signs as specified by the industry-accepted C-CDA standard. Thus,
most health IT already supports mapping to accepted industry standards
for exchange today.
Response. We thank commenters for the thoughtful and detailed
feedback. We agree with commenters' concerns
[[Page 62683]]
regarding the proposed approach to record vital signs natively within a
the certified Health IT Module using less specific LOINC[supreg] codes
and associated metadata. Our long-term goal is for a vital sign
measurement to be semantically interoperable during exchange and
thereby retain its meaning and be correctly interpretable by a
receiving system user. As vital signs data relates to clinical decision
support (CDS) and other quality reporting improvement tools, we
continue to believe that vital signs should be consistently and
uniformly captured in order to apply industry-developed CDS and CQM
standards. However, as noted by commenters, the proposed approach does
not fully achieve these goals and does not offer an added benefit to
the current 2014 Edition approach of requiring vital signs exchange
using industry standards and capture in a standards-agnostic manner. We
expect the industry to develop a consensus-based approach for
structured data capture, including for vital signs, and we will
continue to support these processes in consideration of a future
rulemaking. Given these considerations, we have not adopted a 2015
Edition ``vital signs, BMI, and growth charts'' certification criterion
at this time, as we believe there is no added certification value for
capturing vital signs in either the proposed manner or in a simply
standards-agnostic manner.
Image Results
We proposed to adopt a 2015 Edition ``image results'' certification
criterion that was unchanged in comparison to the 2014 Edition ``image
results'' criterion (Sec. 170.314(a)(12)).
Comments. The majority of commenters supported this criterion as
proposed, but some commenters questioned why health IT developers would
seek certification to this criterion and why providers would adopt
health IT certified to this criterion because it did not support an
objective or measure of the proposed EHR Incentive Programs Stage 3 or
another program requirement. Some commenters also questioned the value
of this criterion without a required standard, with a few commenters
recommending the adoption of the Digital Imaging and Communication in
Medicine (DICOM) standard.
Response. We have not adopted this certification criterion as part
of the 2015 Edition at this time. We have considered public comments
and no longer believe there is sufficient value in making this
criterion available for certification as proposed. The criterion was
proposed with functional requirements that do not advance functionality
beyond the 2014 Edition ``image results'' criterion, support
interoperability, nor serve an identified HHS or other program
requiring the use of health IT certified to this functionality. In the
response to the commenters recommending DICOM as the standard we should
adopt, we will further assess whether there is an appropriate use case
for the adoption of a certification criterion that requires the use of
the DICOM standard as part of any future rulemaking. However, for the
particular criterion we proposed, we refer readers to our prior
thoughts on the appropriateness of adopting DICOM (77 FR 54173).
Family Health History--Pedigree
In the Proposed Rule, we proposed a 2015 Edition ``family health
history--pedigree'' certification criterion that required health IT to
enable a user to create and incorporate a patient's FHH according to
HL7 Pedigree standard and the HL7 Pedigree IG, HL7 Version 3
Implementation Guide: Family History/Pedigree Interoperability, Release
1.\139\
---------------------------------------------------------------------------
\139\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=301.
---------------------------------------------------------------------------
Comments. While some commenters supported adoption of this
functionality and criterion, many commenters expressed concerns about
the standard and IG. Commenters stated that there has been very little
adoption of the Pedigree standard and IG. Commenters also expressed
specific concerns about the standard and IG. Commenters noted that the
standard is out of date (not been updated since 2009) and not in sync
with HL7 V3-based standards. Commenters also stated that the IG was
immature and had not been updated since 2013. In particular, commenters
noted that the W3C XML schema language cannot represent all constraints
expressed in the base specifications referenced in the IG and that
there was a lack of clear guidance on interactions and appropriate
implementations, which would likely lead to inconsistent
implementations. Overall, commenters suggested that a criterion not be
adopted with the Pedigree standard and associated IG until the standard
and IG have been appropriately updated, including addressing the
interoperability interactions that need to be supported, matured, and
widely adopted.
Response. We thank commenters for their detailed feedback. We have
not adopted this criterion as part of the 2015 Edition at this time. We
agree with commenters that further effort is necessary to address their
concerns before adoption of this criterion and associated standards. We
intend to follow up with relevant stakeholders to address these
concerns and will consider whether it is appropriate to include such a
criterion and associated standards in a future rulemaking as HHS' work
to support the Precision Medicine Initiative matures.\140\
---------------------------------------------------------------------------
\140\ http://www.nih.gov/precisionmedicine/.
---------------------------------------------------------------------------
Patient List Creation
We proposed to adopt a 2015 Edition ``patient list creation''
certification criterion that was unchanged in comparison to the 2014
Edition ``patient list creation'' criterion (Sec. 170.314(a)(14)) and
explained the expectation that a Health IT Module must demonstrate its
capability to use at least one of the more specific data categories
included in the ``demographics'' certification criterion (Sec.
170.315(a)(5)) (e.g., sex or date of birth).
Comments. The majority of commenters supported this criterion as
proposed, but some commenters questioned why health IT developers would
seek certification to this criterion and why providers would adopt
health IT certified to this criterion because it did not support an
objective or measure of the proposed EHR Incentive Programs Stage 3 or
another program requirement. Conversely, some commenters suggested that
we adopt a ``patient list creation'' criterion that had more
functionality that would be valuable to providers. These commenters
suggested that the criterion included required functionality to select,
sort, and create patient lists on, for example: on all patient
demographics, vital signs, orders, and referrals, and allergies beyond
medication allergies. Commenters stated that such enhanced
functionality would improve patient tracking and the monitoring of
health disparities.
Response. We have not adopted this certification criterion as part
of the 2015 Edition at this time. We have considered public comments
and no longer believe there is sufficient value in making this
criterion available for certification as proposed. The criterion was
proposed with limited functionality that did not go beyond the 2014
Edition ``patient list creation'' criterion. Further, as proposed, it
does not serve an identified HHS or other program. We will, however,
consider the comments recommending more enhanced functionality as we
consider certification criteria for future rulemaking.
Electronic Medication Administration Record
We proposed to adopt a 2015 Edition electronic medication
administration record (eMAR) certification criterion that was unchanged
in comparison to
[[Page 62684]]
the 2014 Edition ``eMAR'' criterion (Sec. 170.314(a)(16)).
Comments. The majority of commenters supported this criterion as
proposed, but some commenters questioned why health IT developers would
seek certification to this criterion and why providers would adopt
health IT certified to this criterion because it did not support an
objective or measure of the proposed EHR Incentive Programs Stage 3 or
another identified program requirement. A few commenters requested
clarification as to whether bar-code scanning is required to meet this
criterion, with a couple of commenters recommending that bar-code
scanning be part of this criterion to improve patient safety.
Response. We have not adopted this certification criterion as part
of the 2015 Edition at this time. We have considered public comments
and no longer believe there is sufficient value in making this
criterion available for certification as proposed. The criterion was
proposed with functional requirements that do not advance functionality
beyond the 2014 Edition ``eMAR'' criterion, support interoperability,
nor serve an identified program requiring the use of health IT
certified to this functionality. We will consider whether we should
propose the same or a more enhanced eMAR certification criterion in
future rulemaking, including giving consideration to the value of
identifying or requiring specific assistive technologies (e.g., bar-
code scanning) for demonstrating compliance with the functional
requirements of the criterion.
Decision Support--Knowledge Artifact; and Decision
Support--Service
Decision Support--Knowledge Artifact
In the Proposed Rule, we proposed to adopt a new 2015 Edition
``decision support--knowledge artifact'' certification criterion that,
for the purposes of certification, would require health IT to
demonstrate that it could electronically send and receive clinical
decision support (CDS) knowledge artifacts in accordance with a Health
eDecisions (HeD) standard. To assist the industry in producing and
sharing machine readable files for representations of clinical
guidance, we proposed to adopt the HL7 Version 3 Standard: Clinical
Decision Support Knowledge Artifact Specification, Release 1.2 DSTU
(July 2014) (``HeD standard Release 1.2'') \141\ and to require health
IT to demonstrate it can electronically send and receive a CDS artifact
formatted in the HeD standard Release 1.2. We requested comment on
specific types of CDS Knowledge Artifacts for testing and certification
to the HeD standard Release 1.2, and on standards' versions to consider
as alternative options, or for future versions of this certification
criterion, given the ongoing work to harmonize CDS and quality
measurement standards.
---------------------------------------------------------------------------
\141\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=337.
---------------------------------------------------------------------------
Decision Support--Service
In the Proposed Rule, we proposed to adopt a new 2015 Edition
``decision support--service'' certification criterion that, for the
purposes of certification, would require health IT to demonstrate that
it could electronically make an information request with patient data
and receive in return electronic clinical guidance in accordance with
an HeD standard and the associated HL7 Implementation Guide: Decision
Support Service, Release 1.1 (March 2014), US Realm DSTU
Specification.\142\ We specified that health IT would need to
demonstrate the ability to send and receive electronic clinical
guidance according to the interface requirements defined in Release
1.1. We requested comment on alternative versions of standards and on
future versions of this certification criterion to advance the work to
harmonize CDS and quality measurement standards.
---------------------------------------------------------------------------
\142\ http://www.hl7.org/documentcenter/public/standards/dstu/HL7_DSS_IG%20_R1_1_2014MAR.zip.
---------------------------------------------------------------------------
We have summarized and responded to comments on these ``decision
support'' criteria together as the referenced HeD standards were
developed by one S&I initiative to address two use cases, we received
similar comments on both proposals, and have determined to not adopt
both criteria.
Comments. Many commenters supported the overall goals of the HeD
standards to provide standardized ways to exchange decision support
artifacts and request decision support information. However, these same
commenters recommended ONC not adopt these criteria because of the
ongoing work to develop harmonized CDS and clinical quality measure
(CQM) standards through the Clinical Quality Framework Standards &
Interoperability (S&I) Framework Initiative.\143\ Commenters noted that
the harmonized standards are expected to offer clinical and operational
improvements for quality improvement over existing standards. These
commenters also stated that they expect health IT developers and
providers to dedicate resources to adopting the harmonized standards
upon their completion. Therefore, these commenters stated that they do
not intend to adopt the HeD standards because the standards are based
on a different data model (the Virtual Medical Record or vMR) than the
anticipated harmonized CDS and CQM standards. A few commenters noted
that they did not support any proposal to offer certification for
functionalities or standards that did not directly support a
requirement of the proposed the EHR Incentive Programs Stage 3.
---------------------------------------------------------------------------
\143\ http://wiki.siframework.org/Clinical+Quality+Framework+Initiative.
---------------------------------------------------------------------------
Response. We thank commenters for their thoughtful feedback. We
acknowledge that the overall direction of health IT developers and
providers is to continue to support and eventually adopt the harmonized
CDS and CQM standards. Therefore, we agree with commenters that meeting
the proposed ``decision support '' criteria and HeD standards would
likely be inconsistent with this overall direction and require
inefficient use of resources. As such, we also agree with comments that
few, if any, health IT developers would get certified to the proposed
criteria and very few providers would demand CDS functionality using
the HeD standards. Accordingly, we have not adopted these certification
criteria. We will continue to monitor the development and
implementation of the harmonized CDS and CQM standards; and will
consider whether to propose certification criteria that include these
standards in a future rulemaking.
Incorporate Laboratory Tests and Values/Results
We proposed to adopt a 2015 Edition ``incorporate laboratory tests
and values/results'' certification criterion that was revised in
comparison to the 2014 Edition ``incorporate laboratory tests and
values/results'' criterion (Sec. 170.314(b)(5)). We proposed to adopt
and include the HL7 Version 2.5.1 Implementation Guide: S&I Framework
Lab Results Interface, Draft Standard for Trial Use, Release 2, US
Realm (``LRI Release 2'') in the final 2015 Edition ``transmission of
laboratory test reports'' criterion for the ambulatory setting. We
explained that the LRI Release 2 addresses errors and ambiguities found
in LRI Release 1 and harmonizes interoperability requirements with
other laboratory standards we proposed to adopt in this final rule
(e.g., the HL7 Version 2.5.1 Implementation Guide: S&I Framework
Laboratory Orders from EHR, DSTU Release 2, US Realm, 2013).
We proposed that a Health IT Module would be required to display
the following information included in laboratory test reports it
receives: (1)
[[Page 62685]]
The information for a test report as specified in 42 CFR 493.1291(a)(1)
through (a)(3) and (c)(1) through (c)(7); the information related to
reference intervals or normal values as specified in 42 CFR
493.1291(d); the information for alerts and delays as specified in 42
CFR 493.1291(g) and (h); and the information for corrected reports as
specified in 42 CFR 493.1291(k)(2). We also proposed to require a
Health IT Module to be able to use, at a minimum, LOINC[supreg] version
2.50 as the vocabulary standard for laboratory orders.
Comments. We received mixed comments on this proposed certification
criterion. Some commenters generally supported adopting the LRI Release
2 IG. Other commenters also expressed support for inclusion of
LOINC(copyright). One commenter pointed out potential issues
with the use of LOINC(copyright) as its use may conflict
with CLIA reporting requirements for the test description and that in
some cases a textual description from the laboratory must be displayed
for CLIA reporting. This commenter encouraged the harmonization of
requirements with CMS and CDC for CLIA reporting to eliminate potential
conflicts. Some commenters expressed concerns that the proposed LRI
Release 2 IG was immature and noted additional pilots and potential
refinements should be pursued before requiring adoption of the IG for
certification.
Response. We have not adopted this certification criterion as part
of the 2015 Edition at this time. We have made this determination based
on a number of factors, including (among other aspects) that this
criterion is no longer referenced by the EHR Incentive Programs and
that the best versions of the IGs (LRI and EHR-S Functional
Requirements for LRI) that could be associated with this criterion are
not sufficiently ready. We agree with commenters regarding the LRI
Release 2 IG lack of readiness for widespread adoption. We believe,
however, that there is great promise and value in the LRI Release 2 IG
for improving the interoperability of laboratory test results/values,
the electronic exchange of laboratory test results/values, and
compliance with CLIA for laboratories. To that end, we emphasize that
we remain committed to continued collaboration with stakeholders to
take the necessary steps to support widespread adoption of this IG,
including the availability of test tools for industry use. As necessary
and feasible, we also remain interested in supporting appropriate
pilots for the IG.
EHR-S Functional Requirements LRI IG/Testing and Certification
Requirements--Request for Comment
We sought comment on the HL7 EHR-S Functional Requirements for the
V2.5.1 Implementation Guide: S&I Framework Lab Results Interface R2,
Release 1, US Realm, Draft Standard for Trial Use, Release 1 (``EHR-S
IG''), under ballot reconciliation with HL7 \144\ in describing the
requirements related to the receipt and incorporation of laboratory
results for measuring conformance of a Health IT Module to LRI Release
2. We also requested comment on uniform testing and certification
approaches, specifically for the EHR-S IG.
---------------------------------------------------------------------------
\144\ http://www.hl7.org/participate/onlineballoting.cfm?ref=nav#nonmember. Access to the current draft
of the EHR-S IG is freely available for review during the public
comment period by establishing an HL7 user account.
---------------------------------------------------------------------------
Comments. Commenters stated that while progress has been made with
the EHR-S IG, the standard has not yet been finalized and remains
unproven. One commenter requested that we consider this IG for
inclusion in a later edition of certification. Some commenters noted
that the functional requirements would only govern a Health IT Module's
ability to receive specific laboratory result content, and there is no
corresponding guarantee that a laboratory system will send well-
formatted results using the EHR-S IG. Another commenter recommended
that additional State variation and certification needs be accounted
for in the IG. A commenter stated that the HL7 Allergies and
Intolerances Workgroup \145\ will produce standards on allergies and
intolerances and that these standards should be utilized in expanding a
future or revised version of the EHR-S IG to addresses genotype-based
drug metabolizer rate information appropriately.
---------------------------------------------------------------------------
\145\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=308.
---------------------------------------------------------------------------
Response. We thank commenters for their feedback. We have not
adopted the EHR-S IG primarily because we have not adopted this
certification criterion. We also agree with commenters that the IG is
not yet ready for adoption. The comments we received will be used to
inform any future rulemaking related to LRI Release 2 and EHR-S IG.
Transmission of Laboratory Test Reports
We proposed to adopt a 2015 Edition ``transmission of laboratory
test reports'' certification criterion that was revised in comparison
to the 2014 Edition ``transmission of electronic laboratory tests and
values/results to ambulatory providers'' criterion (Sec.
170.314(b)(6)). We stated that we renamed the criterion to more clearly
indicate its availability for the certification of health IT used by
any laboratory. We proposed to adopt and include the HL7 Version 2.5.1
Implementation Guide: S&I Framework Lab Results Interface, Draft
Standard for Trial Use, Release 2, US Realm (``LRI Release 2'') in the
criterion and discussed our rationale for its inclusion in the 2015
Edition ``incorporate laboratory tests and values/results.'' We further
explained that inclusion of this standard for certification should not
only facilitate improved interoperability of electronically sent
laboratory test reports, but also facilitate laboratory compliance with
CLIA as it relates to the incorporation and display of test results in
a receiving system. We also proposed to require a Health IT Module to
be able to use, at a minimum, LOINC[supreg] version 2.50 as the
vocabulary standard.
Comments. We received similar comments to those received for the
proposed ``incorporate laboratory tests and values/results''
certification criterion described above (i.e., some general support for
adoption and other commenters expressed concern). In regard to
expressed concerns, as recited under ``incorporate laboratory tests and
values/results'' certification criterion, commenters stated that the
proposed LRI Release 2 IG was immature and noted additional pilots and
potential refinements should be pursued before requiring adoption of
the IG for certification. Commenters also expressed concern with the
use of LOINC(copyright) in relation to CLIA requirements.
One commenter requested that data provenance requirements be included
in the standard and/or the criterion.
Response. We have not adopted this certification criterion as part
of the 2015 Edition at this time. We have made this determination based
on the same factors recited for the proposed 2015 Edition ``incorporate
laboratory tests and values/results'' certification criterion as this
criterion is similarly situated as discussed below. This criterion is
no longer referenced by the EHR Incentive Programs and the best version
of the LRI IG that could be associated with this criterion is not
sufficiently ready. We agree with commenters regarding the LRI Release
2 IG lack of readiness for widespread adoption. We believe, however, as
stated under the ``incorporate laboratory tests and values/results''
certification criterion response to comments, that there is great
promise and value in the LRI Release 2 IG for improving the
[[Page 62686]]
interoperability of laboratory test results/values, the electronic
exchange of laboratory test results/values, and compliance with CLIA
for laboratories. To that end, we emphasize that we remain committed to
continued collaboration with stakeholders to take the necessary steps
to support widespread adoption of this IG, including the availability
of test tools for industry use. As necessary and feasible, we also
remain interested in supporting appropriate pilots for the IG.
Accessibility Technology Compatibility
We proposed to adopt a new 2015 Edition ``accessibility technology
compatibility'' certification criterion that would offer health IT
developers that present a Health IT Module for certification to one or
more of the clinical, care coordination, and patient engagement
certification criteria listed in proposed Sec. 170.315(a), (b), or (e)
the opportunity to have their health IT demonstrate compatibility with
at least one accessibility technology for the user-facing capabilities
included in the referenced criteria. By ``opportunity,'' we noted that
we meant that the proposed criterion would be available for
certification but not required (i.e., by the ONC Certification Program
or the EHR Incentive Programs). We explained that to meet this proposed
certification criterion, a Health IT Module would need to demonstrate
that the capability is compatible with at least one accessibility
technology that provides text-to-speech functionality to meet this
criterion. We noted that an accessibility technology used to meet this
criterion would also not be ``relied upon'' for purposes of Sec.
170.523(f). However, we stated that it would need to be identified in
the issued test report and would ultimately be made publicly available
as part of the information ONC-ACBs are required to report to ONC for
inclusion on the CHPL so that users would be able to identify the
accessibility technology with which the certified Health IT Module
demonstrated its compatibility.
We sought comment on the extent to which certification to this
criterion would assist in complying with Section 504 of the
Rehabilitation Act of 1973 (29 U.S.C. 794) and other applicable federal
(e.g., Section 508 of the Rehabilitation Act of 1973) and state
disability laws. We also sought comment on whether certification to
this criterion as proposed would serve as a valuable market distinction
for health IT developers and consumers (e.g., ``Health IT Module with
certified accessibility features'').
Comments. Some commenters supported the concept of health IT being
compatible with accessibility technology. Conversely, other commenters
stated that complying with the criterion would be burdensome and would
effectuate policy that should not be part of certification. A few
commenters contended that text-to-speech capabilities would be costly
to implement organization-wide and are not frequently appropriate for
many health care workflows, particularly when considering privacy
issues. A few commenters suggested that this criterion should include
other assistive technology beyond screen readers. One commenter stated
that many operation systems are already equipped with accessibility
features.
Response. We thank commenters for their feedback. We have not
adopted this certification criterion as part of the 2015 Edition at
this time. We believe additional research is necessary into the
appropriate accessibility technologies that should be referenced by
such a criterion and could be supported by a testing infrastructure.
We also believe further research or evidence is needed to determine
whether customers would make purchasing decisions based on whether a
health IT product was certified as being compatible with a text-to-
speech technology or simply based on whether a health IT product is
compatible with the desired accessibility technology (e.g., Braille
capability). In this regard, we did not propose that health IT must
have certain accessibility capabilities beyond text-to-speech and, more
importantly, that it must be certified to this criterion. Therefore, we
have not adopted the proposed criterion.
We do, however, believe that certification can currently support
the accessibility of health IT through other means. As such, we have
adopted the proposed ``accessibility-centered design'' certification
criterion. We refer readers to section III.A.3 of this preamble for
further discussion of this criterion. Independent of this certification
requirement, we remind health IT developers seeking certification and
providers using certified health IT of their independent obligations
under applicable federal civil rights laws, including Section 504 of
the Rehabilitation Act, Section 1557 of the Affordable Care Act, and
the Americans with Disabilities Act that require covered entities to
provide individuals with disabilities equal access to information and
appropriate auxiliary aids and services as provided in the applicable
statutes and regulations.
SOAP Transport and Security Specification and XDR/XDM for
Direct Messaging
We proposed to adopt a 2015 Edition ``SOAP Transport and Security
Specification and XDR/XDM for Direct Messaging'' certification
criterion that included the capability to send and receive according to
the Transport and Security Specification (also referred to as the SOAP-
Based Secure Transport RTM) and its companion specification XDR and XDM
for Direct Messaging Specification. We noted that we previously adopted
these capabilities for the 2014 Edition at Sec. 170.314(b)(1), (b)(2)
and (h)(3).
Comments. We received comments in support of the proposed
certification criterion. One commenter suggested that support of XDM
should be eliminated and replaced with a translation solution. We
received also received a number of comments from the Immunization
Information System (IIS) community noting their reliance on SOAP as the
recommended transport mechanism for exchange of immunization
information in many jurisdictions.
Response. We thank commenters for their feedback. We have not
adopted this certification criterion as part of the 2015 Edition at
this time. The SOAP specification was originally adopted as an
alternative to, or for use in conjunction with, the Direct Project
specification. The goal was to offer more certified ways to support the
EHR Incentive Program Stage 2 meaningful use transition of care/
exchange measure, which required the use of certified technologies in
the transmission of health information. There is no longer an explicit
need for certification to SOAP because the corresponding health
information exchange objectives in the EHR Incentive Programs Stage 3
and Modifications final rule published elsewhere in this issue of the
Federal Register permit any transport mechanism (i.e., not necessarily
the use of a certified transport method). In addition, as part of SOAP
testing under the ONC Health IT Certification Program, only base SOAP
standards, such as the web services standards (WS-*) are tested. For
implementation, health IT systems have to layer in additional profiles
(IHE based such as XDS) and IGs (e.g., NwHIN specs for patient
discovery, query for documents, and retrieve documents) that utilize
SOAP. The current testing for SOAP does not test for these additional
standards since there has not been a convergence in the industry for a
concise set of IGs. Thus, the current testing of SOAP does not provide
the rigor or assurance to health IT users that
[[Page 62687]]
systems using SOAP will ultimately enable them to exchange seamlessly.
We expect the convergence on standards will be accomplished through
SDOs.
In response to the XDM comment, we had paired the ``XDR/XDM for
Direct'' with SOAP to enable the testing of SOAP with XDR using XDM
packaging. While the comments from the IIS community are beyond the
scope of this proposal, we note for clarity that consistent with the
approach under the EHR Incentive Programs Stage 2 final rule (77 FR
53979), in the EHR Incentive Programs Stage 3 and Modifications final
rule published elsewhere in this edition of the Federal Register, CMS
adopts flexibility with respect to the public health and clinical data
registry reporting objectives at Sec. 495.316(d)(2)(iii). This policy
allows states to specify the means of transmission of public health
data, and otherwise change the public health agency reporting
objective, so long as the state does not require functionality greater
than what is required under the Medicare EHR Incentive Program CEHRT
definition and the 2015 Edition certification criteria adopted in this
final rule.
Healthcare Provider Directory--Query Request
We proposed a new 2015 Edition ``healthcare provider directory--
query request'' certification criterion that would require a Health IT
Module to be capable of querying a directory using the Integrating the
Healthcare Enterprise (IHE) \146\ Healthcare Provider Directory
(HPD).\147\ In addition, we proposed including an optional capability
within this certification criterion that addresses federated
requirements. This optional capability would require a Health IT Module
to follow the approved federation option of IHE HPD \148\ to accomplish
querying in federated environments. The proposed certification
criterion sought to establish a minimum set of queries that a Health IT
Module could support. We specified that the capabilities required by a
Health IT Module would include: (1) Querying for an individual
provider; (2) querying for an organizational provider; (3) querying for
both individual and organizational provider in a single query; (4)
querying for relationships between individual and organizational
providers; and (5) electronically processing responses according to the
IHE HPD Profile.
---------------------------------------------------------------------------
\146\ http://wiki.ihe.net/index.php?title=Healthcare_Provider_Directory.
\147\ http://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_Suppl_HPD.pdr.
\148\ http://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_Suppl_HPD.pdf.
---------------------------------------------------------------------------
Comments. Many commenters confirmed the value of provider
directories and the ability for EHRs to query a provider directory.
Most commenters stated that the proposed IHE HPD standard was immature
and had few current implementations beyond pilot projects, with some
commenters expressing concern about the costs associated with potential
changes as the standard matures. Other commenters expressed concern
with potential performance issues related to federated queries as well
as the potential to proliferate redundant data. Commenters also noted,
to ensure quality data, there needs to be: Centralized directories; a
governance model for a centralized approach; and uniform directory
sharing strategies among providers, organizations, and intermediaries.
A commenter recommended the S&I Framework revisit consider expanding
the scope of the use cases for provider directories and any solutions
beyond query and response to include the maintenance of provider
directories.
Some commenters stated a preference for an approach that utilized a
RESTful architecture, such as FHIR, noting that a service stack
utilizing SOAP protocols (as used by the IHE HPD protocol) is more
difficult to implement and maintain.
Response. We thank commenters for their feedback and appreciate
their comments in supporting the use of provider directories. We have
not adopted this criterion as part of the 2015 Edition at this time. As
noted in the draft ONC 2015 Interoperability Standards Advisory (draft
ISA), the IHE HPD Profile is a provider directory standard and was
listed as the best available standard in the draft ISA.\149\ However,
we agree with commenters that the IHE HPD standard requires further
implementation to ensure stability and support widespread adoption and
the same is true for the federated concepts. We also agree with
commenters that RESTful solutions are being defined and may be a viable
alternative in the near future. We note that HHS remains committed to
advancing policies related to provider directories as a means of
furthering health information exchange and interoperability. We believe
that continued work in this space can inform the development and
implementation of provider directory standards for consideration in
future rulemaking.
---------------------------------------------------------------------------
\149\ http://www.healthit.gov/standards-advisory.
---------------------------------------------------------------------------
Healthcare Provider Directory--Query Response
We proposed to adopt a new certification criterion that would focus
on the ``query response'' and include the corresponding set of
capabilities to respond to a provider directory query. This proposed
criterion was intended to complement the certification criterion we
proposed for adoption related to health IT issuing a healthcare
provider directory ``query request,'' and we explained that the
proposed separation would provide developers with the flexibility to
test and certify for provider directory ``query'' independent of the
provider directory ``response.'' We stated that a health IT system
would be able to be presented for testing and certification to both
proposed certification criteria if applicable or just to one or the
other as appropriate based on the product's capabilities.
We proposed that directory sources must demonstrate the capability
to respond to provider directory queries according to the IHE HPD
profile and must respond to the following provider directory queries:
Query for an individual provider; query for an organizational provider;
and query for relationships between individual providers and
organizational providers.
In addition we proposed including an optional capability within
this certification criterion to address federated requirements that
would require a Health IT Module to follow the approved federation
option of for IHE HPD to accomplish querying in federated environments.
The federation change proposal was approved in September, 2014 and was
incorporated into the IHE HPD Profile.
Comments. Commenters submitted the same or equivalent comments as
those submitted on the proposed ``healthcare provider directory--query
request'' certification criterion, which are described above.
Response. We have not adopted this criterion for reasons specified
in our response above for the proposed healthcare provider directory--
query request'' certification criterion.
Electronic Submission of Medical Documentation
We proposed to adopt a new 2015 Edition ``electronic submission of
medical documentation'' (esMD) certification criterion that focused on
the electronic submission of medical documentation through four
specific capabilities.
We proposed Capability 1 would require a Health IT Module be able
to support the creation of a document in accordance with the HL7
Implementation Guide for CDA Release
[[Page 62688]]
2: Additional CDA R2 Templates--Clinical Documents for Payers--Set 1,
Release 1--US Realm in combination with the C-CDA Release 2.0 standard.
We proposed to adopt the most recent version of the CDP1 IG, which is
designed to be used in conjunction with C-CDA Release 2.0 templates and
makes it possible for providers to exchange a more comprehensive set of
clinical information. We explained that a Health IT Module must be able
to create a document that conforms to the CDP1 IG's requirements along
with appropriate use of nullFlavors to indicate when information is not
available in the medical record for section or entry level template
required in the CDP1 IG. In addition, we proposed that a conformant
Health IT Module must also demonstrate the ability to generate the
document level templates as defined in the C-CDA Release 2.0, including
the unstructured document. We proposed a list of the applicable
document templates within the C-CDA Release 2.0 and CDP1 IG that would
need to be tested and certified for specific settings for which a
Health IT Module is designed: (regardless of setting) Diagnostic
Imaging Report; Unstructured Document; Enhanced Operative Note
Document; Enhanced Procedure Note Document; Interval Document;
(ambulatory setting only) Enhanced Encounter Document; and (inpatient
setting only) Enhanced Hospitalization Document.
We proposed Capability 2 would require a Health IT Module be able
to support the use of digital signatures embedded in C-CDA Release 2.0
and CDP1 IG documents templates by adopting the HL7 Implementation
Guide for CDA Release 2: Digital Signatures and Delegation of Rights,
Release 1 (DSDR IG).\150\ This DSDR IG defines a method to embed
digital signatures in a CDA document and provides an optional method to
specify delegation of right assertions that may be included with the
digital signatures. We proposed that for the purposes of certification,
the optional method must be demonstrated to meet this certification
criterion. The Proposed Rule listed the requirements that a system used
to digitally sign C-CDA Release 2.0 or CDP1 IG documents must meet to
create a valid digital signature that meets Federal Information
Processing Standards (FIPS),\151\ Federal Information Security
Management Act of 2002 (FISMA),\152\ and Federal Bridge Certification
Authority (FBCA) requirements.\153\ For the purposes of testing and
certification, we proposed that cryptographic module requirements must
be met through compliance documentation, and the remaining capabilities
listed in the Proposed Rule would be met through testing and
certification assessment. We also proposed that a Health IT Module must
demonstrate the ability to validate a digital signature embedded in a
C-CDA Release 2.0 document that was conformant with the DSDR IG. The
requirements proposed to perform this action are included in the DSDR
IG.
---------------------------------------------------------------------------
\150\ http://www.hl7.org/implement/standards/product_brief.cfm?product_id=375.
\151\ http://www.nist.gov/itl/fips.cfm.
\152\ http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.
\153\ http://www.idmanagement.gov/sites/default/files/documents/FBCA%20Certificate%20Policy%20v2.27.pdf.
---------------------------------------------------------------------------
We proposed Capability 3 would require a Health IT Module be able
to support the creation and transmission of ``external digital
signatures'' for documents that may be used to sign any document for
the purpose of both data integrity and non-repudiation. The esMD
Initiative defines the requirements in the Author of Record Level 1:
Implementation Guide; \154\ and we proposed to adopt the IG. We
explained that this ``signing'' capability is intended for use when the
sender of one or more documents needs to ensure that the transmitted
documents include the non-repudiation identity of the sender and ensure
that the recipient can validate that the documents have not been
altered from the time of signing, and it is not intended to replace the
ability to embed multiple digital signatures in a C-CDA Release 2.0 and
CDP1 IG document.
---------------------------------------------------------------------------
\154\ http://wiki.siframework.org/file/view/esMD%20AoR%20Level%201%20Implementation%20Guide%20v5%20FINAL.docx/539084894/esMD%20AoR%20Level%201%20Implementation%20Guide%20v5%20FINAL.docx.
---------------------------------------------------------------------------
We proposed Capability 4 would require a Health IT Module to
support the creation and transmission of digital signatures for
electronic transactions for the purpose of both data integrity and non-
repudiation authenticity. The esMD Initiative defines the requirements
in the Provider Profiles Authentication: Registration Implementation
Guide; \155\ and we proposed to adopt the IG. We explained that this
``signing'' capability is intended for use when the sender or recipient
of a transaction needs to ensure that the transmitted information
include the non-repudiation identity of the sender and ensure that the
recipient can validate that the authenticity and integrity of the
transaction information, and it is not intended to replace the digital
signature requirements defined in either Capability 2 or 3 above.
---------------------------------------------------------------------------
\155\ http://wiki.siframework.org/file/view/esMD%20Use%20Case%201%20Implementation%20Guide%20v24%20FINAL.docx/539084920/esMD%20Use%20Case%201%20Implementation%20Guide%20V24%20FINAL.docx.
---------------------------------------------------------------------------
Comments. A few commenters expressed support for this criterion.
However, many more commenters expressed concerns. Commenters stated
that the IG was immature, there had been few pilots, and it was not
proposed as required for Stage 3 of the EHR Incentive Programs. A few
commenters also expressed concern about advancing a digital signature
standard that may conflict with the existing Drug Enforcement
Administration (DEA) standard for electronic prescribing of controlled
substances. Other commenters expressed concerns that the changes to
existing administrative and clinical workflows would be required to
integrate esMD at a significant cost and resource burden.
Response. We have not adopted this criterion as part of the 2015
Edition at this time. We acknowledge and agree with commenters' stated
concerns about the relative immaturity of the proposed standards and
recommendations for further industry piloting and implementation to
determine the usefulness of the standards for meeting the stated use
cases. We will continue to monitor the development and implementation
of esMD and will consider whether proposing a certification criterion
or criteria to support esMD is appropriate for a future rulemaking.
Work Information--Industry/Occupation (I/O) Data--Request
for Comment
In the Proposed Rule, we requested that commenters consider what
additional support might be needed for health IT developers,
implementers, and users to effectively include a certification
criterion that would require health IT to enable a user to record,
change, and access (all electronically) the following data elements in
structured format:
Patients' employment status and primary activities (e.g.,
volunteer work);
Patients' current I/O, linked to one another and with
time-stamp, including start date;
Patients' usual I/O, linked to one another and with time-
stamp, including start year and duration in years; and
Patients' history of occupation with a time and date stamp
for when the history was collected (to note, this is focused on the
capability to record a history, not a requirement that a history must
be recorded or that a patient
[[Page 62689]]
history be recorded for a certain historical period of time).
We also solicited public comment on the experience health IT
developers and health care providers have had in recording, coding, and
using I/O data, which included any innovation that is making I/O data
more useful for providers.
To better understand the health care needs associated with work
data, we specifically solicited public comment from health care
providers, provider organizations, and patients on the following:
The usefulness for providers to be able to access current
and usual I/O and related data in the EHR, including whether additional
data elements, such as work schedule, are useful.
The usefulness of a history of positions provided as
current I/O, with data from each position time-stamped, linked,
retained, and accessible as part of the longitudinal patient care
(medical) record.
Narrative text (vs. codes) for both current and usual I/O.
CDC_Census codes for both current and usual I/O; available
through PHIN VADS at https://phinvads.cdc.gov/vads/SearchVocab.action.
SNOMED CT[supreg] codes for occupation (current codes or
potentially developed codes).
Other standards and codes that may be in use by the health
IT industry for both current and usual I/O.
Comments. Many commenters supported the capture of structured
industry/occupation (I/O) data in EHRs and other health IT systems to
improve patient health outcomes for health issues wholly or partially
caused by work and for health conditions whose management is affected
by work. These commenters stated that the structured capture of I/O
information would also improve interoperability as the information
being collected today is largely unstructured. Commenters did, however,
express a number of concerns relating to maturity of available
standards for representing the information and the time needed for a
provider to collect structured I/O information. In regard to standards,
a number of commenters suggested that the codes currently available in
SNOMED CT[supreg] are not specific enough to capture the level of I/O
detail that would be of clinical value. Instead, commenters stated that
the industry is working through a NIOSH-led effort to develop an
interface between health IT and an I/O coding knowledge engine that
would guide users through choosing CDC Census I/O titles based on the
North American Industry Coding System (NAICS) and the Bureau of Labor
Statistics Standard Occupational Codes (SOC). Commenters mentioned that
this work is still underway and suggested we wait until this standard
is available for use before adopting requirements for capture of I/O
information through certification. Commenters stated that the NAICS/SOC
code set is considered the most authoritative and mature code set.
These comments further stated that the adoption of SNOMED CT[supreg]
would not align with the NAICS/SOC code set or the NIOSH tool and,
therefore, could potentially create unnecessary burden.
Response. We thank commenters for the thoughtful feedback. As
stated in the 2015 Edition proposed rule (80 FR 16829), we continue to
believe in the value of I/O information to provide opportunities for
health care providers to improve patient health outcomes for health
issues wholly or partially caused by work and for health conditions
whose management is affected by work. Our long-term goal is for health
care providers to use I/O information to assess symptoms in the context
of work activities and environments, inform patients of risks, obtain
information to assist in return-to-work determinations and evaluate the
health and information needs of groups of patients.
Given the feedback about the immaturity of the standards currently
available for supporting these goals, we have not adopted a 2015
Edition certification criterion for the collection of I/O information.
We are, however, optimistic about the NIOSH-led effort to develop a
tool based on the NAICS/SOC code set and believe that it can provide a
much-needed authoritative standard that can enable the detailed
recording of I/O titles. We intend to monitor the development of such a
tool and will consider it and the additional comments we received
regarding structured capture of I/O information for future rulemaking.
U.S. Uniformed/Military Service Data--Request for Comment
To improve coding of military and all uniformed history, we stated
in the Proposed Rule that a promising path forward would be to add
codes to the U.S. Extension of SNOMED-CT[supreg]. Therefore, we
requested comment on the following:
Whether a potential certification criterion should be
focused solely on U.S. military service or all uniformed service
members (e.g., commissioned officers of the USPHS and NOAA);
Whether the U.S. Extension of SNOMED-CT[supreg] is the
most appropriate vocabulary code set or whether other vocabulary code
sets may be appropriate; and
The concepts/values we should use to capture U.S. military
service or all uniformed service status. We ask commenters to consider
the work of NIOSH on I/O information as it relates to capturing
military service.
Comments. A large number of commenters suggested that we adopt
certification to capture military service. Commenters stated that
capturing information on military service could identify significant
occupational exposure risks unique to military service, including
overseas deployment and combat environments. Commenters stated that
capturing a patient's military service could also ensure that a patient
receives all the applicable health care benefits (e.g., military and
veteran's benefits), s/he is entitled to by alerting medical
professionals to the patient's service history. Commenters stated that
capturing military service information could also enable the assembly
of a complete longitudinal record of care for a U.S. service member,
including merging of health care data from different sources.
Some commenters supported and opposed the collection of non-
military service uniformed service status (e.g., service data for U.S.
Public Health Service and National Oceanic and Atmospheric
Administration uniformed officers) as part of military/uniformed
service data or collected separately.
In regard to vocabulary standards for collecting military service
information, commenters submitted mixed comments on whether SNOMED
CT[supreg] codes were sufficiently detailed and captured the right
types of military service information. Commenters pointed out that
SNOMED CT[supreg] contains some concepts to capture high-level military
history, including current or past active military service and combat
zone service. However, other commenters expressed concern that current
SNOMED CT[supreg] codes for military history are not detailed enough to
be of clinical value. As an example, commenters noted that while SNOMED
CT[supreg] can document general information about whether the person
served in the military, it does not allow for the capture of the
individual's specific occupation.
Commenters stated that the NIOSH work on developing a tool for
industry and occupation codes as described in the ``Work Information--
Industry/Occupation Data--Request for Comment'' section above would
include detailed codes for military service branch; service status;
commissioned, warrant officer, non-commissioned and
[[Page 62690]]
enlisted service; and many occupational areas. Commenters noted,
however, that the NIOSH tool is not expected to be able to capture
Military Occupational Specialty (MOS) codes maintained by the Armed
Forces or areas of service (such as ships, stations, and combat
theaters).
Response. We thank commenters for the thoughtful feedback. As
stated in the 2015 Edition proposed rule (80 FR 16830), we continue to
believe in the value of capturing patient military service and other
uniformed service information. We believe recording U.S. uniformed/
military service information can have many benefits. It can help in
identifying epidemiological risks for patients such as those noted
above. It can assist in ensuring that a patient receives all the health
care benefits he or she is entitled to by alerting medical
professionals to the patient's service history, which can facilitate
the coordination of benefits. This information can also increase the
ability to assemble a longitudinal record of care for a U.S. service
member, such as by requesting or merging of a patient's electronic
health record stored by the Department of Defense, Veteran's Health
Administration, and/or another health care provider.
Our long-term goal is for health care providers to use military
service information to provide better care for our nation's veterans.
However, given the feedback about SNOMED CT and the NIOSH tool under
development, we have not adopted a 2015 Edition certification criterion
for military service. We plan to continue to work with the appropriate
stakeholders to develop the appropriate values and code sets that would
enable consideration of a relevant certification criterion in a future
rulemaking.
Pharmacogenomics Request for Comment
Pharmacogenomics data identifies genetic variants in individuals
that alter their metabolism or other interactions with medications and
can lead to serious adverse events. This information is being included
in an increasing number of FDA-approved drug labels. Health IT that can
capture pharmacogenomics information could be used to improve patient
safety and enhance patient outcomes. In the Proposed Rule, we stated
that to our knowledge, in general, health IT has not yet captured
genomic and genetic patient information--the presence of clinically
significant genomic variants--in a structured manner such as exists for
other categorical clinical findings or laboratory-derived data.\156\
---------------------------------------------------------------------------
\156\ http://www.genomebc.ca/education/articles/genomics-vs-genetics/; and http://www.who.int/genomics/geneticsVSgenomics/en/.
---------------------------------------------------------------------------
In collaboration with the National Institutes of Health, we
solicited comment on whether:
The 2015 Edition ``medication allergy list'' certification
criterion should include the capability to integrate genotype-based
drug metabolizer rate information;
the 2015 Edition ``drug-drug, drug-allergy interactions
checks for CPOE'' certification criterion or as a separate
certification criterion should include pharmacogenomic CDS for ``drug-
genome interactions;''
we should offer 2015 Edition certification for CDS that
incorporate a patient's pharmacogenomic genotype data into the CPOE
prescribing process with the goal of avoiding adverse prescribing
outcomes for known drug-genotype interactions;
there are certification approaches that could enhance the
end-user's (provider's) adoption and continued use of health IT
implementations that guide prescribing through CDS using
pharmacogenomic data; and
there are existing or developing standards applicable to
the capture, storage, display, and exchange of potentially clinically
relevant genomic data, including the pharmacogenomic subset.
Comments. Most commenters agreed on the value of pharmacogenomics
data as an integral part of medicine in the future, but indicated that
the standards were currently not mature enough to support this
functionality and that it was premature to attempt to include it in
certification. Commenters noted that the inclusion of pharmacogenomics
data can link variants to changes in drug metabolism or response,
especially when clinical guidelines exist about dosing for variant
carriers and how it can enable pharmacogenomic-based therapeutic
recommendations integrated into computerized systems for drug
prescription, automated medication surveillance, and EHRs.
In certain instances, commenters supported inclusion of the
pharmacogenomic variant causing the allergy if such information is
known for the patient. However, other commenters suggested that studies
are needed to prove effectiveness and support inclusion of such data.
Some commenters cited drug-drug and drug-allergy interaction alerts
without an appropriate filter as the largest source of alert fatigue in
relation to the value. Many other commenters also cited concerns over
other CDS alert fatigue, poor return on investment, high costs of
testing, and the staff resources needed to maintain the CDS in a
rapidly evolving area with little evidence to show that it improves
overall outcomes or reduces costs. A few commenters noted the existence
of third-party web services that provide drug-genome interaction
checking functionality that are easily integrated with EHRs.
Response. While we believe in the value of CDS including drug-drug/
drug-allergy interaction checks for improving patient safety, we agree
that standards are not mature to support incorporating pharmacogenomics
data into health IT certification at this point in time. We encourage
the industry to continue its work on developing standards for
incorporating this information into health IT. We note that we view the
use of pharmacogenomics data in health IT as one of the early tangible
products of the Precision Medicine Initiative,\157\ and intend to
monitor and consider developments in this field for future rulemaking.
---------------------------------------------------------------------------
\157\ http://www.nih.gov/precisionmedicine/.
---------------------------------------------------------------------------
Privacy and Security Considerations for Pharmacogenomics
We solicited comment on whether:
We should offer certification for health IT functionality
that could facilitate HIPAA-compliant sharing of discrete elements of a
patient's genomic information from their record to the family history
section of a relative's record;
the proposed ``data segmentation for privacy'' criteria
would provide needed health IT functions with respect to the storage,
use, transmission, and disclosure of genetic, genomic, and
pharmacogenomics information that is subject to protections under HIPAA
and additional state and federal privacy and protection laws such as
the Genetic Information Nondiscrimination Act (GINA); \158\
---------------------------------------------------------------------------
\158\ http://ghr.nlm.nih.gov/spotlight=thegeneticinformationnondiscriminationatgina.
---------------------------------------------------------------------------
the proposed ``data segmentation for privacy'' criteria
adequately balance complex genetic privacy issues, such as those
related to behavioral health, with the clinical value of context-
appropriate availability of a patient's actionable genetic and genomic
information;
health IT should be required to apply different rules for
the use and exchange of genetic, genome, and pharmacogenomics data
based on different groupings of diseases or conditions based on the
sensitivity of
[[Page 62691]]
the information, such as those related to behavioral health; and
there are other factors we should consider for health IT
that allows the user to use or disclose genetic information in a manner
compliant with federal and state privacy laws.
Comments. Many commenters noted privacy concerns stating it is
essential to understand and implement proper privacy and security
requirements associated with certified functionalities. Commenters
indicated certified functionalities must not lead to discrimination
against individuals or their families who may be at risk of developing
future health issues. These commenters were concerned that there is not
sufficient technical maturity to support privacy protections for
genetic data, segmented to the genetic data atom. In particular,
commenters were concerned about behavioral health implications, the
risk of revealing latent conditions and providing information on close
relatives, and the effect on insurance coverage. In addition to privacy
concerns, select comments noted ethical and legal implications of any
gene-related functionality. Some commenters suggested that the features
of the ``data segmentation for privacy'' criteria should be
incorporated into any inclusion of pharmacogenomic data.
Response. We thank commenters for sharing their concerns and
feedback. As noted above, standards are not mature to support
incorporating pharmacogenomics data into health IT certification at
this point in time. We will continue to consider privacy and security
implications and stakeholder concerns as they relate to any potential
future rulemaking for pharmacogenomics data. To note, we have adopted
the proposed ``data segmentation for privacy'' criteria (see section
III.3 of this preamble) and will further assess and consider its value
in the segmentation of individually identifiable genetic information
that is protected by federal and state privacy laws as part of any
future rulemaking related to pharmacogenomics data.
B. Definitions
1. Base EHR Definitions
We proposed to adopt a Base EHR definition specific to the 2015
Edition (i.e., a 2015 Edition Base EHR definition) at Sec. 170.102 and
rename the current Base EHR definition at Sec. 170.102 as the 2014
Edition Base EHR definition. We proposed a 2015 Edition Base EHR
definition that would differ from the 2014 Edition Base EHR definition
in the following ways:
It would not include privacy and security capabilities and
certification criteria.
It would only include capabilities to record and export
CQM data (Sec. 170.315(c)(1)) and not the other CQM capabilities such
as import, calculate, and ``report to CMS.''
It would include the 2015 Edition ``smoking status''
certification criterion as patient demographic and clinical health
information data consistent with statutory requirements.\159\
---------------------------------------------------------------------------
\159\ A Base EHR is the regulatory term we have given to what
the HITECH Act defines as a ``qualified EHR.'' Our Base EHR
definition(s) include all capabilities found in the ``qualified
EHR.'' Please see the 2014 Edition final rule (77 FR 54262) for
further explanation.
---------------------------------------------------------------------------
It would include the 2015 Edition ``implantable device
list'' certification criterion as patient demographic and clinical
health information data consistent with statutory requirements.\160\
---------------------------------------------------------------------------
\160\ A capability included in the Base EHR definition, which
originates from the ``qualified EHR'' definition found in the HITECH
Act.
---------------------------------------------------------------------------
It would include the 2015 Edition ``application access to
Common Clinical Data Set'' certification criterion as a capability to
both capture and query information relevant to health care quality and
exchange electronic health information with, and integrate such
information from other sources.\161\
---------------------------------------------------------------------------
\161\ These are capabilities inlcuded in the Base EHR
definition, which originate from the ``qualified EHR'' definition
found in the HITECH Act.
---------------------------------------------------------------------------
It would include the proposed 2015 Edition certification
criteria that correspond to the remaining 2014 Edition certification
criteria referenced in the ``2014 Edition'' Base EHR definition (i.e.,
CPOE, demographics, problem list, medication list, medication allergy
list, CDS, transitions of care, data portability, and relevant
transport certification criteria). On the inclusion of transport
certification criteria, we proposed to include the ``Direct Project''
criterion (Sec. 170.315(h)(1)) as well as the ``Direct Project, Edge
Protocol and XDR/XDM'' criterion (Sec. 170.315(h)(2)) as equivalent
alternative means for meeting the 2015 Edition Base EHR definition.
Comments. A commenter recommended removing the Base EHR definition
from the 2015 Edition rulemaking and including it in the EHR Incentive
Programs rulemaking. Several commenters suggested that we modify the
Base EHR definition to accommodate use of health IT that is certified
to the 2014 Edition and the 2015 Edition, stating that this will give
providers flexibility as they upgrade to 2015 Edition and begin to
achieve Stage 3.
Commenters provided varying recommendations for the criteria that
should be included in the Base EHR definition. Some commenters stated
that separating privacy and security certification criteria from the
Base EHR definition is overly burdensome or confusing, or may create
security gaps. A commenter recommended that the ``data export'' and
``application access to Common Clinical Data Set'' criteria are more
appropriate as ``modular'' certification, rather than as part of the
Base EHR definition. A commenter suggested that ``drug-drug, drug-
allergy interaction checks for CPOE'' criterion be included in the Base
EHR definition as it is specifically for CPOE, which is part of the
Base EHR definition. Some commenters rejected the idea of including the
``implantable device list'' criterion in the Base EHR definition, while
other commenters supported inclusion of this criterion and noted that
this capability would improve care coordination. A few commenters
voiced support for the inclusion of the Direct Edge Protocol as an
alternative to Direct Project. Some commenters recommended that sexual
orientation and gender identity data be included in the Base EHR
definition.
Response. We have renamed the current Base EHR definition at Sec.
170.102 as the 2014 Edition Base EHR definition and adopted the 2015
Base EHR definition largely as proposed. In Table 7 below, we list the
2015 Edition certification criteria included in the 2015 Edition Base
EHR definition. Many of the proposed criteria have been revised in
response to comments and we refer readers to section III.A.1 of this
preamble for a detailed discussion of those criteria and revisions.
Since the establishment of the 2014 Edition Base EHR definition (77
FR 54263-64), we have tried to limit the criteria included in the Base
EHR definition to those necessary to meet the HITECH Act requirements
and our policy goals. In this regard, we have not included ``drug-drug,
drug-allergy interaction checks for CPOE'' criterion in the 2015
Edition Base EHR definition just as we did not for the 2014 Edition
Base EHR definition (see 77 FR 54264). We have, however, included the
``implantable device list'' criterion in this 2015 Edition Base EHR
definition for the reasons stated in the Proposed Rule (80 FR 16825)
and discussed under the ``implantable device list'' criterion in
section III.A.1 of this preamble. We have also included the Direct
transport alternatives for the reasons discussed in the Proposed Rule
(80 FR 16862) and under ``transport methods and other protocols'' in
section III.A.1 of this
[[Page 62692]]
preamble. In response to comments and other considerations, the
``demographics'' certification criterion (Sec. 170.315(a)(5)) now
includes sexual orientation and gender identity as data elements, thus
including this data in the 2015 Edition Base EHR definition. We discuss
this further under the ``demographics'' certification criterion in
section III.A.1 of this preamble. We also note that given our decision
to split the ``application access to Common Clinical Data Set''
criterion into three separate criteria, we have accordingly modified
the 2015 Edition Base EHR definition to include these three criteria.
In regard to the lack of inclusion of privacy and security criteria
in the 2015 Edition Base EHR definition, we believe commenters are
confused by our approach. As discussed in more detail under the
``privacy and security'' heading in section IV.C.1 of this preamble,
Health IT Modules presented for certification to criteria listed in the
2015 Base EHR definition and other 2015 Edition certification criteria
will be subject to the applicable privacy and security criteria for the
purposes of certification. Our new privacy and security certification
approach places responsibility more clearly on the health IT developer
presenting its product for certification to ensure that its health IT
has the applicable privacy and security capabilities in order to be
certified. This is counter to the approach under the 2014 Edition Base
EHR definition, which puts the onus on the provider to ensure he/she
has health IT certified to the privacy and security criteria included
in the Base EHR definition.
The CQM capabilities noted above as not included in the 2015
Edition Base EHR definition have, however, been included the Certified
EHR Technology (CEHRT) definition under the EHR Incentive Programs. We
refer readers to the next section (``2. Certified EHR Technology
Definition'') and Table 4 found in section III.A.3 (``2015 Edition
Health IT Certification Criteria Associated with the EHR Incentive
Programs Stage 3'') of this preamble for further information and
guidance on the relationship of the 2015 Edition Base EHR definition
and the 2015 Edition certification criteria with the CEHRT definition.
We also refer readers to the CEHRT definition finalized in the EHR
Incentive Programs Stage 3 and Modifications final rule published
elsewhere in this issue of the Federal Register as the authoritative
source for the requirements to meet the CEHRT definition.
We seek to clarify the 2015 Base EHR definition in response to
comments. First, the Base EHR definition is just a definition not a
single certified product. As noted in 2014 Edition final rule (77 FR
54263), the Base EHR definition may be met using multiple Health IT
Modules. Therefore, to the commenter's point, Health IT Modules
separately certified to the ``data export,'' ``application access''
criteria, and other criteria included in the 2015 Edition Base EHR
definition can be combined to meet the definition. Second, we believe
the defining of the Base EHR definition should remain in the rulemaking
as the Base EHR definition is only one part of the CEHRT definition and
may serve other purposes beyond its inclusion in the CEHRT definition
and supporting the EHR Incentive Programs. Third, with the 2014 and
2015 Base EHR definitions' inclusion in the CEHRT definition and the
CEHRT definition's included flexibility to use both health IT certified
to the 2014 and 2015 Editions for the specified EHR reporting periods,
we do not believe there would be a benefit to developing a single Base
EHR definition that referenced both the 2014 and 2015 Editions. Rather,
we believe this would cause confusion, particularly in relationship to
the CEHRT definition.
Table 7--Certification Criteria Required To Satisfy the 2015 Edition
Base EHR Definition
------------------------------------------------------------------------
Base EHR capabilities Certification criteria
------------------------------------------------------------------------
Includes patient demographic and Demographics Sec.
clinical health information, such as 170.315(a)(5).
medical history and problem lists. Problem List Sec.
170.315(a)(6).
Medication List Sec.
170.315(a)(7).
Medication Allergy List Sec.
170.315(a)(8).
Smoking Status Sec.
170.315(a)(11).
Implantable Device List Sec.
170.315(a)(14).
Capacity to provide clinical decision Clinical Decision Support Sec.
support. 170.315(a)(9).
Capacity to support physician order Computerized Provider Order
entry. Entry Sec. 170.315(a)(1),
(2) or (3).
Capacity to capture and query Clinical Quality Measures--
information relevant to health care Record and Export Sec.
quality. 170.315(c)(1).
Capacity to exchange electronic health Transitions of Care Sec.
information with, and integrate such 170.315(b)(1).
information from other sources. Data Export Sec.
170.315(b)(6).
Application Access--Patient
Selection Sec.
170.315(g)(7).
Application Access--Data
Category Request Sec.
170.315(g)(8).
Application Access--All Data
Request Sec. 170.315(g)(9).
Direct Project Sec.
170.315(h)(1) or
Direct Project, Edge Protocol,
and XDR/XDM Sec.
170.315(h)(2).
------------------------------------------------------------------------
Marketing
In the Proposed Rule, we noted that we would continue the same
marketing policy that we adopted for the 2014 Edition as it relates to
the 2015 Edition Base EHR definition (i.e., health IT developers would
have the ability to market their technology as meeting the 2015 Edition
Base EHR definition when their Health IT Module(s) is/are certified to
all the 2015 Edition certification criteria included in the 2015
Edition Base EHR definition) (see also 77 FR 54273).
Comments. A commenter requested clarification regarding how we
anticipate ONC-ACBs will monitor the use of the term ``Base EHR
definition.''
Response. We will maintain this policy with the 2015 Edition. We
anticipate that ONC-ACBs will continue to monitor health IT developers
and their certified health IT as they do now with regard to the 2014
Edition Base EHR definition. ONC-ACBs have various oversight
responsibilities for certified health IT, including ensuring the public
disclosure of certain information for certified health IT (see Sec.
170.523(k)); the proper use of the Certified HIT certification mark
(see Sec. 170.523(l)); and responsibilities under ISO/IEC 17065 (2012)
(ISO 17065),\162\ to which they are accredited. In regard to ISO 17065,
section 4.1.3.2 states ``incorrect references to the certification
scheme or misleading use of licenses,
[[Page 62693]]
certificates, marks, or any other mechanism for indicating a product is
certified, found in documentation or other publicity, shall be dealt
with by suitable action.'' Consistent with the performance of these
responsibilities, we anticipate ONC-ACBs will be able to identify any
improper marketing association of certified health IT with the ``Base
EHR definition.'' We also note that any purchaser or other stakeholder
may inform us of any alleged improper marketing association of
certified health IT with the ``Base EHR definition.''
---------------------------------------------------------------------------
\162\ This standard is incorporated by reference in 45 CFR
170.599.
---------------------------------------------------------------------------
2. Certified EHR Technology Definition
We proposed to remove the Certified EHR Technology (CEHRT)
definition from Sec. 170.102, effective with this final rule. We
explained that the CEHRT definition has always been defined in a manner
that supports the EHR Incentive Programs and would more appropriately
reside solely within the EHR Incentive Programs regulations to be
consistent with our approach in this final rule to make the ONC Health
IT Certification Program more open and accessible to other types of
health IT beyond EHR technology and for health IT that supports care
and practice settings beyond those included in the EHR Incentive
Programs. We noted that this removal of the definition should add
administrative simplicity in that regulatory provisions, which EHR
Incentive Programs participants must meet (e.g., the CEHRT definition),
would be defined within the context of rulemakings for those programs.
We further noted that, as proposed in the EHR Incentive Programs Stage
3 proposed rule (80 FR 16767), CMS would adopt a CEHRT definition in 42
CFR 495.4 that would cover all relevant compliance timelines (i.e.,
specify the CEHRT definition applicable for each year/EHR reporting
period) and EHR Incentive Programs requirements. We explained that the
CEHRT definition proposed by CMS would also continue to point to the
relevant Base EHR definitions \163\ adopted or proposed by ONC and to
other ONC-adopted and proposed certification criteria relevant to the
EHR Incentive Programs.
---------------------------------------------------------------------------
\163\ This is required by the HITECH Act under the term
``Qualified EHR'' and references a foundational set of certified
capabilities all EPs, eligible hospitals, and CAHs need to adopt.
---------------------------------------------------------------------------
Comments. The overwhelming majority of commenters were supportive
of moving the CEHRT definition into the EHR Incentive Programs. One
commenter requested that we and CMS identify which certification
criteria are required for to meet the CEHRT definition and be a
meaningful user. Many commenters suggested that the CEHRT definition
should accommodate use of health IT certified to the 2014 Edition and
health IT certified to the 2015 Edition as this approach would give
providers flexibility as they upgrade to 2015 Edition. Many commenters
also requested that we work closely with CMS and other organizations to
align any changes to the CEHRT definition or adoption of proposed
criteria for inclusion in programs beyond the EHR Incentive Programs.
Response. We have finalized our proposal to remove the CEHRT
definition for 2015 certification. As proposed in the EHR Incentive
Programs Stage 3 proposed rule, a combination of health IT certified to
the 2014 Edition and 2015 Edition may be used during EHR reporting
periods through calendar year 2017. Table 4 found in section III.A.3
(``2015 Edition Health IT Certification Criteria Associated with the
EHR Incentive Programs Stage 3'') provides guidance on the relationship
of the 2015 Edition certification criteria with the CEHRT definition
and Stage 3 of the EHR Incentive Programs. We also refer readers to the
EHR Incentive Programs Stage 3 and Modifications final rule published
elsewhere in this issue of the Federal Register as the authoritative
source for the requirements to meet the CEHRT definition (and
meaningful use objectives and measures). We note that supplemental
guidance documents we intend to issue with this final rule will also
identify the 2015 Edition certification criteria necessary to meet the
CEHRT definition and are associated with meaningful use objectives and
measures. We further note that we intend to work closely with CMS and
other stakeholders to ensure alignment of the 2015 Edition and CEHRT
definition to support settings, use cases, and programs beyond the EHR
Incentive Programs.
3. Common Clinical Data Set Definition
We received general comments on our overall proposal and comments
on the data and vocabulary standards included in the proposed
definition. We have divided and responded to the comments in a similar
manner.
Name Change
We proposed to revise the ``Common MU Data Set'' definition in
Sec. 170.102 and change the name to ``Common Clinical Data Set,''
which aligned with our proposed approach to make the ONC Health IT
Certification Program more open and accessible to other types of health
IT beyond EHR technology and for health IT that supports care and
practice settings beyond those included in the EHR Incentive Programs.
We explained the procedural requirement to remove the previous name
from the CFR and add the new name. We also proposed to change
references to the ``Common MU Data Set'' in the 2014 Edition (Sec.
170.314) to ``Common Clinical Data Set.''
Comments. The majority of commenters expressed support for the name
change. One commenter did not support the name change stating it would
add confusion and lack of continuity. One commenter stated the term
``clinical'' may be too restrictive.
Response. We thank commenters for the support for the name change
and have finalized this proposal and related changes to the CFR. The
term ``Common Clinical Data Set'' aligns with our approach to make the
ONC Health IT Certification Program more open and accessible to other
types of health IT beyond EHR technology and for health IT that
supports care and practice settings beyond those included in the EHR
Incentive Programs. We believe ``clinical'' is a suitable descriptor
for the purpose and context within which the Common Clinical Data Set
has been defined (i.e., for the certification of health IT under the
ONC Health IT Certification Program).
We refer readers to Table 8 below for a complete listing of the
data included in the Common Clinical Data Set and the associated
standards.
Vocabulary Standards
We proposed to revise the definition to include new and updated
standards and code sets (HL7 Version 3 for sex; ``Race & Ethnicity--
CDC'' code system in PHIN VADS and the OMB standard for race and
ethnicity; RFC 5646 for preferred language, the September 2014 Release
of the U.S. Edition of SNOMED CT[supreg] for problems and procedures;
the February 2, 2015 monthly version of RxNorm for medications and
medication allergies; and LOINC[supreg] version 2.50 for laboratory
tests). We noted that for race and ethnicity a Health IT Module must be
able to express both detailed races and ethnicities according to the
``Race & Ethnicity--CDC'' code system and the aggregate OMB code for
each race and ethnicity identified by the patient.
We emphasized that the proposed revisions would not change the
standards, codes sets, and data requirements specified in the Common
Clinical Data Set for 2014 Edition certification and would only apply
to a Health IT Module certified to the 2015
[[Page 62694]]
Edition certification criteria that reference the Common Clinical Data
Set.
Comments. The majority of commenters expressed support updating the
definition to reflect new and updated standards and code sets. Some
commenters stated that specific versions of vocabulary standards may
become obsolete or superseded and systems should be permitted to use
later versions.
Response. We thank commenters for their support. We have adopted
the proposed data elements and referenced standards for the Common
Clinical Data Set definition. We note that we have adopted newer
versions of SNOMED CT[supreg], RxNorm, and LOINC[supreg] than we
proposed as the baseline versions for certification. We have also more
specifically identified the CDC Race and Ethnicity code set (CDC Race
and Ethnicity Code Set Version 1.0 (March 2000)) as compared to the
identification in the Proposed Rule. We note this code set remains part
of the PHIN Vocabulary Access and Distribution System (VADS) Release
3.3.9. We refer readers to section III.A.2.c (``Minimum Standards''
Code Sets) for further discussion of our adoption of minimum standards
code sets and our decision to adopt these newer versions. We also
remind readers that health IT developers may seek certification to
newer versions than the adopted baseline versions of minimum standards
code sets, unless the Secretary specifically prohibits it.
Comments. One commenter requested clarification regarding which
codes for race and ethnicities are included in the Common Clinical Data
Set.
Response. Both the CDC Race and Ethnicity code set in PHIN VADS and
the OMB standard for race and ethnicity are included for certification
to the 2015 Edition, but only the OMB standard for certification to the
2014 Edition.
Comments. One commenter requested clarification if the C-CDA
Release 1.1 will be applicable for certification to the ``Common MU
Data Set'' or the Common Clinical Data Set.
Response. For the 2014 Edition certification criteria that
reference the Common Clinical Data Set (formerly the ``Common MU Data
Set''), the C-CDA Release 1.1 is the referenced standard.
Immunizations
We proposed to include immunizations in the Common Clinical Data
Set for 2015 Edition certification. We noted that the C-CDA Release 2.0
could support NDC codes as a translational data element, but the CVX
code is required to accompany it. We stated that it would not be a
heavy burden to map from an NDC code to a CVX code because a mapping
from NDC codes to CVX codes is publicly available. Therefore, for the
purposes of including immunizations in the Common Clinical Data Set for
2015 Edition certification, immunizations would be required to be coded
according to the CVX code set (HL7 Standard Code Set CVX--Vaccines
Administered, updates through February 2, 2015) and the NDC code set
(NDC--Vaccine NDC Linker, updates through January 15, 2015).
Comments. Multiple commenters expressed concerns with mapping
burden. One commenter stated that the inclusion of immunizations mapped
to NDC codes may be problematic as most providers may not include NDC
codes when documenting immunizations particularly for historical
immunizations and immunizations received outside the practice setting.
Some commenters commented that IIS transmission doesn't seem to align
since IIS transmission is based on HL7 V2 and not C-CDA R2.
Response. We have included immunizations in the definition
according to the standards proposed. We note that we have adopted newer
versions of NDC and CVX than we proposed as the baseline versions for
certification. We refer readers to section III.A.2.c (``Minimum
Standards'' Code Sets) for further discussion of our adoption of
minimum standards code sets and our decision to adopt these newer
versions. We do not believe this creates an undue mapping burden as CDC
provides a publicly available mapping of NDC codes for vaccines to CVX
codes.\164\ We also note that these requirements are to test and
certify a Health IT Module's capabilities; and they do not require a
provider to send an immunization using a certain code. IIS transmission
based on HL7 V2 serves a different use case than the Common Clinical
Data Set and the C-CDA, which support transitions of care, data export,
API access, and a patient's ability to view, download, and transmit
their health information.
---------------------------------------------------------------------------
\164\ http://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=ndc. See also: http://www2a.cdc.gov/vaccines/iis/iisstandards/ndc_tableaccess.asp.
---------------------------------------------------------------------------
Vital Signs
We proposed to include vital signs in the Common Clinical Data Set
according to specific LOINC[supreg] codes, metadata, and relevant UCUM
unit of measures. We also proposed to offer optional certification to
pediatric vital signs as part of the Common Clinical Data Set.
We have not adopted the proposed vital signs criterion as discussed
in section III.A.5 above.
Comments. Commenters generally supported the expanded list of
proposed vital signs for the Common Clinical Data Set with concerns on
a few items. For systolic and diastolic blood pressure, a few
commenters did not support the separating out of these from blood
pressure generally as their systems allow both to be collected in one
field with a delineator (e.g., a comma or forwards-slash) that can be
used to parse the two fields. A few commenters suggested that ``body
weight measured'' specifies the method of measurement and noted that
there are other ways that body weight is collected, such as self-
reporting. There was a lot of concern over the choice of ``oxygen
saturation in arterial blood by pulse oximetry'' and a few commenters
suggested there are multiple ways of collecting pulse oximetry.
Commenters noted that BMI is typically a calculated value from height
and weight, and were concerned that users should not be allowed to
manually enter in a BMI as it could be incorrectly calculated. Last,
commenters were concerned that mean blood pressure is not a vital sign
typically collected in all provider settings, and is more specific to
surgery, ED, and ICU settings.
Response. We thank commenters for their feedback. While we have not
adopted the proposed 2015 Edition ``vital signs'' criterion as
discussed in section III.A.5 above, we have included vital signs in the
Common Clinical Data Set for certification to the 2015 Edition
consistent with the same vocabulary standards as specified by the C-CDA
Release 2.1 standard (i.e., vital signs are exchanged using a
LOINC[supreg] code, and with a Unified Code of Units of Measure (UCUM)
code for the unit of measure associated with the vital sign
measurement). We discuss the list of vital signs that must be exchanged
in this manner below, including changes made in comparison to our
proposals.
We continue to differentiate between systolic and diastolic blood
pressure as two distinct vital signs, but note that Health IT Modules
may store and display the two values in one field as long as they are
exchanged as two separate fields. We have revised ``body weight
measured'' to ``body weight.'' We have revised ``oxygen saturation in
arterial blood by pulse oximetry'' to ``pulse oximetry'' and will allow
implementers, for the purposes of testing and certification, to choose
the LOINC[supreg] code with ``pulse oximetry'' in its name that best
represents the method of measurement for exchange. We note that we
believe that inhaled oxygen
[[Page 62695]]
concentration is a necessary measurement in order to correctly
interpret the pulse oximetry measurement, and are including it in the
list of vital signs for exchange. This does not mean that providers are
required to capture this measurement every time, only that certified
Health IT Modules are able to exchange the value if present. Last, we
have removed BMI and mean blood pressure from the list of vital signs.
In summary, we require that the following vital signs must be
exchanged as part of the Common Clinical Data Set using a LOINC[supreg]
code and with a UCUM code for the unit of measure associated with the
vital sign measurement:
Systolic blood pressure;
Diastolic blood pressure;
Body height;
Body weight;
Heart rate;
Respiratory rate;
Body temperature;
Pulse oximetry; and
Inhaled oxygen concentration.
We believe this list represents vital signs commonly collected
across provider settings today and is a start at defining a minimum set
of vital signs, but note that we will continue to work with
stakeholders to determine and consider if this list should be revised
through a future rulemaking.
Comments. A number of commenters were concerned that UCUM does not
allow for mixing of units, and were therefore concerned that a height
of 5 feet and 6 inches (5'6'') could not be represented with an
associated UCUM code for the unit of measure.
Response. We note that systems have the flexibility to choose how
to display the vital sign measurement. Our requirement only specifies
that the vital sign measurement must be exchanged using an applicable
unit of measurement with a UCUM code. Therefore, systems could exchange
a height of 5'6'' as 66 inches or 5.5 feet or 167.64 centimeters using
the appropriate UCUM code to represent the unit of measure for the
measurement. Note that we provide this as an example only, and leave
the decision on the appropriate unit of measure to the developers and
providers. As noted in the 2015 Edition proposed rule (80 FR16818),
LOINC provides a translation table \165\ that enumerates UCUM syntax
for a subset of UCUM codes that are commonly used in health IT that may
be a useful reference for stakeholders. We would also suggest that
health IT developers and providers follow the guidance provided in C-
CDA Release 2.1 for exchanging vital signs.
---------------------------------------------------------------------------
\165\ https://loinc.org/downloads/usage/units.
---------------------------------------------------------------------------
Comments. Commenters were generally supportive of the proposed
optional pediatric vital signs.
Response. We have adopted the pediatric vital signs as proposed for
inclusion in the Common Clinical Data Set definition as optional for
exchange. We note that as discussed in the 2015 Edition proposed rule,
CDC recommends the use of these pediatric vital signs for settings of
care in which pediatric and adolescent patients are seen (80 FR 16818-
16819) as part of best practices. The availability of a reference
range/scale or growth curve can help with proper interpretation of the
measurements for the BMI percentile per age and sex and weight for age
per length and sex. Thus, we are including the reference range/scale or
growth curve for each of these two pediatric vital signs as part of the
Common Clinical Data Set definition for certification, and would
suggest that providers include this information as appropriate. We note
that the C-CDA Release 2.1 standard does allow for including additional
clinically relevant information with vital signs.
Unique Device Identifier(s)
We proposed to include the Unique Device Identifier(s) of a
patient's Implantable Device(s) for certification to the 2015 Edition.
Comments. Some commenters were in agreement with including UDIs,
while other commenters suggested removing UDIs until more progress has
been made with medical device identifier manufacturers and utilization
among providers.
Response. We have included UDIs in the definition and require it be
recorded in accordance with the ``Product Instance'' in the ``Procedure
Activity Procedure Section'' of the C-CDA 2.1. This specificity within
the C-CDA will make this information more easily retrievable. As
discussed in more detail under the ``implantable device list''
certification criterion in section III.A.3 of this preamble, this
information leads to improved patient safety when available to
providers. By including this information in the Common Clinical Data
Set, a Health IT Module certified to criteria referencing the Common
Clinical Data Set would be capable of exchanging this information and
further facilitating improvements in patient safety.
Assessment and Plan of Treatment, Goals, and Health Concerns
We proposed to include the ``assessment and plan of treatment,''
``goals,'' and ``health concerns'' in the ``Common Clinical Data Set''
for certification to the 2015 Edition to replace the concept of the
``care plan field(s), including goals and instructions'' which is part
of the ``Common MU Data Set'' in the 2014 Edition. We clarified that we
intend ``care plan field(s), including goals and instructions'' to be a
single provider's documentation of their assessment, plan of treatment,
goals, and health concerns for the patient, and we stated that this
clarification applies for 2014 Edition certification. We proposed this
clarification to better align with the terms used in the C-CDA Release
2.0, which includes the ``Assessment and Plan Section (V2),''
``Assessment Section (V2),'' ``Plan of Treatment Section (V2),''
``Goals Section,'' and ``Health Concerns Section.'' In previous
iterations of the C-CDA, we explained that the ``Plan of Treatment
Section'' was called the ``Plan of Care Section,'' which resulted in
confusion on whether the information was intended to represent a single
encounter or the synthesis of multiple encounters. For that reason, the
``Plan of Care Section'' was proposed to be called the ``Plan of
Treatment Section'' to indicate that it is intended to represent a
single encounter and not to be confused with the ``Care Plan document
template.''
For certification to the 2015 Edition, we proposed to include in
the Common Clinical Data Set ``assessment and plan of treatment,''
``goals,'' and ``health concerns'' data in accordance with the C-CDA
Release 2.0 ``Assessment and Plan Section (V2)'' or both the
``Assessment Section (V2)'' and ``Plan of Treatment Section (V2);'' the
``Goals Section;'' and the ``Health Concerns Section.'' We encouraged
health IT developers to allow for structured documentation or tagging
that would allow a provider to choose relevant pieces of assessment,
plan of treatment, goals, and health concerns data that could be
synthesized into a comprehensive care plan. We noted that all proposed
2015 Edition certification criteria that reference the ``Common
Clinical Data Set'' (e.g., the ``ToC'' criterion) would therefore also
require a Health IT Module to be able to capture ``assessment and plan
of treatment,'' ``goals,'' and ``health concerns'' data.
Comments. A couple of commenters expressed concern regarding
whether this proposal aligned with the C-CDA standard. One commenter
found this inclusion to be duplicative since it is captured under
``Care Plan Field(s)'' and ``Problems.'' A few commenters noted that we
should clarify the intent of the ``Goals Section'' and ``Health
Concerns
[[Page 62696]]
Section.'' These commenters noted that the ``Goals Section'' and
``Health Concerns Section'' of the C-CDA Care Plan document template
provide more structure and were originally designed to be used with the
Care Plan document template. However, other C-CDA document templates,
like CCD, allow for health concerns and goals to be included as a
narrative within the ``Assessment Section (V2),'' ``Plan of Treatment
Section (V2),'' or ``Assessment and Plan Section (V2).''
Response. We have reviewed the C-CDA 2.1 standard and believe there
is no misalignment with our proposal and that it provides the requisite
specificity we described in the Proposed Rule (80 FR 16872). Therefore,
we have adopted the specific data elements as proposed (i.e.,
``Assessment Section (V2)'' and ``Plan of Treatment Section (V2)'' or
``Assessment and Plan Section (V2);'' ``Goals Section;'' and ``Health
Concerns Section''). We clarify that we will certify Health IT Modules
to the ``Goals Section'' and the ``Health Concerns Section'' from the
Care Plan document template for the purposes of meeting the Common
Clinical Data Set definition. Thus, other C-CDA document templates such
as CCD, Referral Note, and Discharge Summary would need to be able to
exchange the structured ``Goals Section'' and ``Health Concerns
Section'' in order to meet the Common Clinical Data Set definition.
Sexual Orientation, Gender Identity, and Other Data
We received recommendations for the inclusion of data in Common
Clinical Data Set that we did not propose.
Comments. Commenters recommended that we include sexual orientation
and gender identity (SO/GI), military history, and nutritional data in
the Common Clinical Data Set definition.
Response. We have not included any of this data in the definition
as this was outside the scope of our proposal and, more importantly,
inclusion at this time would not give full consideration to the
maturity of related standards, the readiness of health IT developers to
exchange this data, the clinical relevance of the data, and other
considerations for some of the data such as any potential privacy and
security concerns. We note, however, that we have taken the
intermediate step of including SO/GI data in the 2015 Edition
``demographics'' criterion, which is a criterion included in the 2015
Edition Base EHR definition. We refer readers to section III.A.3 of
this preamble for more information on the 2015 Edition ``demographics''
criterion and SO/GI data.
[[Page 62697]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.003
[[Page 62698]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.004
[[Page 62699]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.005
[[Page 62700]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.006
[[Page 62701]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.007
[[Page 62702]]
[GRAPHIC] [TIFF OMITTED] TR16OC15.008
Alignment With Clinical Practice
We requested comment in the Proposed Rule on ways in which we can
engage the public to keep the Common Clinical Data Set relevant to
clinical practice as the data included in the Common Clinical Data Set
may change over time.
Comments. A commenter suggested we limit the use of highly
prescriptive criteria, permitting innovation and clinical
appropriateness to exist within ``guardrails.'' Another commenter
encouraged us to seek input from provider specialty societies and
organizations to ensure the interests of clinicians are properly
represented, including concerns about clinical workflows.
Response. We thank commenters for their feedback. We will take
these comments under consideration for further development and uses of
the Common Clinical Data Set to support interoperability, program
alignment, and patient care.
4. Cross-Referenced FDA Definitions
We proposed to adopt in Sec. 170.102 new definitions for
``Implantable Device,'' ``Unique Device Identifier,'' ``Device
Identifier,'' and ``Production Identifier'' as discussed in the
Proposed Rule's sections for the ``implantable device list''
certification criterion. We proposed to adopt the same definitions
already provided to these phrases at 21 CFR 801.3 and emphasized that
capitalization was purposefully applied to each word in these defined
phrases in order to signal to readers that they have specific meanings.
Comments. Commenters expressed unanimous support for our proposed
approach to cross-reference relevant FDA definitions. One commenter
recommended that we use the term ``identifiers'' when referring to
Device Identifier and Product Identifier instead of the term ``UDI
data.'' The commenter contended that this would align better with FDA
terminology.
Response. We thank commenters for their support. We are adopting
the cross-referenced FDA definitions as proposed. In regard to the
recommendation to use the term ``identifiers,'' we agree that our
terminology related to UDIs should more closely align with FDA
terminology and the UDI final rule to prevent any unnecessary
confusion. Therefore, we have revised our terminology use within this
final rule and refer readers to the ``implantable device list''
certification criterion discussed earlier in this preamble for further
details.
IV. Provisions of the Proposed Rule Affecting the ONC Health IT
Certification Program
A. Subpart E--ONC Health IT Certification Program
We proposed to replace the term ``HIT'' with the term ``health IT''
and to change the name of the ``ONC HIT Certification Program'' to the
``ONC Health IT Certification Program'' wherever these references occur
in subpart E. In referring to the certification program, we noted that
the term ``health'' is capitalized. We also proposed to remove Sec.
170.553 ``Certification of health information technology other than
Complete EHRs and EHR Modules'' as no longer relevant due to proposals
in the Proposed Rule for the ONC Health IT Certification Program that
would make the program more open and accessible to health IT beyond EHR
technology.
Comments. Commenters were broadly supportive of these proposals.
Response. We have adopted these proposals as proposed.
B. Modifications to the ONC Health IT Certification Program
In the Voluntary Edition proposed rule (79 FR 10929-30) we recited
our authority and the history of the ONC Health IT Certification
Program. The history includes multiple requests for comment and
significant stakeholder feedback on making the certification program
more accessible to health IT beyond EHR technology and health care
settings and practices not directly tied to the EHR Incentive Programs.
With consideration of stakeholder feedback and our policy goals, we
attempted to make the ONC Health IT Certification Program more open and
accessible through a proposal in the Voluntary Edition proposed rule
(79 FR 10918-20) to create ``meaningful use'' (MU) and non-MU EHR
Modules. We determined that our proposal was not the best approach in a
subsequent final rule (79 FR 54472-73). Since that rulemaking, the
HITPC issued recommendations supporting certification for care/practice
settings beyond the ambulatory and inpatient settings.\166\ In
response, we reconsidered how best to structure the program and make it
open and accessible to more types of health IT, health IT that supports
a variety of care and practice settings, and programs that may
reference the ONC Health IT Certification Program, including Medicaid
and Medicare payment programs and various grant programs. In the
Proposed Rule, we proposed revisions to the ONC Health IT Certification
Program to achieve these goals, including new certification criteria
for use cases and health care
[[Page 62703]]
settings beyond the EHR Incentive Programs.
---------------------------------------------------------------------------
\166\ http://www.healthit.gov/facas/sites/faca/files/TransmittalLetter_LTPAC_BH_Certification.pdf and http://www.healthit.gov/facas/sites/faca/files/HITPC_LTPAC_BH_Certification_Recommendations_FINAL.pdf.
---------------------------------------------------------------------------
Comments. Most commenters supported the increase in scope of
technologies and health care settings to include lab information
systems, HISPs, HIEs, LTPAC, behavioral health, and pediatrics.
Commenters supported opening the certification program to greater
accessibility to more health IT, allowing for greater flexibility and
use of a variety of health IT products and services, and advancing
interoperability beyond narrowly defined EHR technology. Some
commenters, however, opposed a more open ONC Health IT Certification
Program and the use of certified health IT beyond the EHR Incentive
Programs, including linking forms of Medicare and Medicaid
reimbursement to the use of certified health IT.
Response. We disagree with the commenters that do not support a
more open ONC Health IT Certification Program and the use of certified
health IT beyond the EHR Incentive Programs. We believe the ONC Health
IT Certification Program should be open and accessible to more types of
health IT, health IT that supports a variety of care and practice
settings, and programs beyond the EHR Incentive Programs. We have
finalized provisions and adopted 2015 Edition certification criteria to
support these goals. As discussed in more detail below in regard to
referencing the use of certified health IT, ONC and HHS continue to
encourage the use of certified health IT to support interoperability
and health information exchange across diverse care and practice
settings, including the linking of certified health IT to reimbursement
under HHS payment programs.
1. Health IT Modules
We proposed to rename EHR Modules as Health IT Modules by removing
the EHR Module definition from the CFR at Sec. 170.102 and adding the
``Health IT Module'' definition. We proposed this change to be
effective with this final rule, and we proposed to make this change
applicable for certification to the 2014 Edition and 2015 Edition. We
stated that the proposed change would have no substantive impact on the
technologies that might be, or have been, certified under the ONC
Health IT Certification Program. We also noted that technologies
already certified to the 2014 Edition as EHR Modules, and their use to
meet the CEHRT definition, would not be affected by this proposal.
Comments. Many commenters strongly supported the removal of
``Complete EHR'' certification in favor of modular certification. A
couple of commenters requested that we clarify what exactly constitutes
a Health IT Module, saying that deviations in this definition will lead
to inaccurate assessments of workload requirements and scope of impact
to implement a specific certification criterion.
Response. We thank commenters for their feedback. The 2014 Edition
Release 2 final rule discontinued the ``Complete EHR'' certification
concept (see 79 FR 54443-45). ``Complete EHR'' certification will not
be available to the 2015 Edition.
The definition of a Health IT Module is any service, component, or
combination thereof that can meet the requirements of at least one
certification criterion adopted by the Secretary (see Sec. 170.102).
This essentially means any type of technology that could be certified
to one or more certification criteria under the ONC Health IT
Certification Program. For example, a Health IT Module could be
certified to only the 2015 Edition ``CPOE--Medications'' criterion and
the other required mandatory and conditional criteria (i.e., the 2015
Edition ``safety-enhanced design,'' ``quality management system,''
``accessibility-centered design,'' and applicable privacy and
certification criteria). Alternatively, a Health IT Module could be
certified to practically all the 2015 Edition certification criteria.
While we appreciate commenters' requests for further specificity for
the Health IT Module definition, we believe that this definition
affords flexibility for health IT developers and providers in terms of
what technologies are presented for certification and to what
certification criteria (e.g., technology provided by a HISP that is
presented for certification to the 2015 Edition ``Direct Project, Edge
Protocol, and XDR/XDM'' certification criterion (Sec. 170.315(h)(2))
or an EHR technology presented by a developer for certification to the
2015 Edition ``CDS'' certification criterion (Sec. 170.315(a)(9)).
2. ``Removal'' of Meaningful Use Measurement Certification Requirements
We proposed to not require ONC-ACBs to certify Health IT Modules to
the 2015 Edition ``meaningful use measurement'' certification criteria
(Sec. 170.315(g)(1) ``automated numerator recording'' and Sec.
170.315(g)(2) ``automated measure calculation''). We explained that we
believe this will make the ONC Health IT Certification more accessible
to the certification of health IT for other purposes beyond the EHR
Incentive Programs. We also emphasized that this proposed approach
would not preclude health IT developers from seeking certification to
Sec. 170.315(g)(1) or (2) in support of their customers' and
providers' needs related to the EHR Incentive Programs.
Comments. A commenter stated that these criteria and their
functionality have been well-established through certification to the
2014 Edition ``automated measure calculation'' and ``automated
numerator recording'' certification criteria; and therefore, their
removal should have minimal effect. Several commenters voiced support
for removal of these requirements. One commenter noted that this change
will not reduce the requirements for accredited testing laboratories to
test nor ONC-ACBs to certify these criteria when a health IT developer
elects to certify a product for use in the EHR Incentive Programs. A
commenter disagreed with removal of these criteria, stating that this
functionality is important for EPs and EHs to meet requirements under
the EHR Incentive Programs and for purposes of their own quality
improvement efforts.
Response. We have adopted our proposed approach in that we will not
require ONC-ACBs to certify Health IT Modules to the 2015 Edition
``meaningful use measurement'' certification criteria. However, the EHR
Incentive Program Stage 3 and Modifications final rule includes a CEHRT
definition that will require EPs, eligible hospitals, and CAHs to have
health IT certified to these criteria in order to meet the CEHRT
definition. Accordingly, we encourage health IT developers supporting
providers participating in the EHR Incentive Programs or providers'
quality improvement needs to seek certification to these criteria as
appropriate for their Health IT Modules (e.g., a Health IT Module is
presented for certification to a criterion that supports a Stage 3
objective with a percentage-based measure and the Health IT Module can
meet the ``automated numerator recording'' criterion or ``automated
measure calculation'' criterion) for their Health IT Module (e.g., the
Health IT Module is presented for certification to a criterion that
supports a Stage 3 objective percentage-based measure and the Health IT
Module can meet the ``automated numerator recording'' criterion or
``automated measure calculation'' criterion).
3. Types of Care and Practice Settings
We commented in the Proposed Rule that we had proposed a diverse
edition of health IT certification criteria with capabilities included
that could support a wide range of providers practicing in various
settings. We stated that we
[[Page 62704]]
anticipated that we would issue general interoperability guidance for
the 2015 Edition when it became final, but that we had no plans to
independently develop and issue certification ``paths'' or ``tracks''
by care or practice setting (e.g., a ``LTPAC certification'') because
it would be difficult to independently devise such ``paths'' or
``tracks'' in a manner that was sure to align with other relevant
programs and specific stakeholder needs. We explained that we are best
suited for supporting the development of standards for specific
settings/use cases and providing technical assistance to both health IT
developers and providers about the certification criteria, the
standards and capabilities they include, and the processes of the ONC
Health IT Certification Program. We stated that we would welcome
working with HHS agencies, other agencies, or provider associations, in
identifying the appropriate functionality and certification criteria to
support their stakeholders, including jointly developing specialized
certification ``paths'' or ``tracks.'' We noted that such an approach
would be consistent with stakeholder feedback we received through
rulemaking (79 FR 54473-74) and the HITPC recommendations for us to
work with HHS agencies and other agencies.
We sought comment on potential future certification criteria that
could include capabilities that would uniquely support LTPAC,
behavioral health, or pediatrics care/practice settings, as well as
other settings. In particular, we sought comment on whether
certification criteria focused on patient assessments for certain
settings would be of value to health IT developers and health care
providers.
Comments. A commenter suggested that patient assessments should not
be included in future certification criteria. A commenter requested
that EHR certification standards adequately capture and address data
elements necessary to support the home care setting--specifically for
durable medical equipment prosthetics, orthotics, and supplies
(collectively, DMEPOS). The HITPC listed several entities that may find
certification requirements applicable to them, including pharmacy
information systems, long-term services and support providers
(transport, meals, care management services, etc.), ambulance
providers, blood banks, end-stage renal disease facilities, free-
standing cancer hospitals, visiting nurse services, outpatient surgical
centers, telehealth and monitoring, personal health devices (e.g.
bands, watches, monitors), biomedical tech devices (e.g., pacemakers),
personal health record systems, health and fitness centers, free-
standing weight-loss centers. One commenter recommended including
standards and capabilities to include e-signatures to the Home Health
and Hospice Plans of Treatment.
Multiple commenters suggested that modular certification should
follow ``tracks'' or ``pathways'' for specialists to identify what they
need. Some commenters requested that we publish guidelines as to which
criteria are applicable to which care settings. These commenters
suggested that ``certification tracks'' could be established for each
different segment of the provider market (laboratories, behavioral
health, long-term care, etc.) looking for alignment and
interoperability across certification ``tracks.'' A commenter
questioned how we and stakeholders would monitor claims that a set of
independently certified Health IT Modules meet the requirements of the
path or track.
Response. We appreciate the breadth and diversity of comments on
potential future certification criteria that could include capabilities
to support different care settings and use cases. Consistent with our
request for comment in the Proposed Rule, we will carefully consider
these suggestions for future certification criteria.
As mentioned in the Proposed Rule and recited above, we do not
intend to develop certification ``tracks'' or ``pathways'' for
particular provider specialties or settings within this final rule
because it would be difficult for us to independently devise such
``paths'' or ``tracks'' in a manner that was sure to align with other
relevant programs and specific stakeholder needs. We are, however,
working with our colleagues within HHS to identify capabilities and
certification criteria that support other programs and use cases. We
also continue to welcome the opportunity to collaborate with
representatives from different provider and specialties societies as
well as health IT developers to determine what certification criteria
and ``tracks'' could be identified and developed to support various
care and practice settings and particular use cases. We do not
anticipate monitoring any developed certification ``tracks.'' Rather,
we anticipate that a program or association, as applicable, would
develop any necessary compliance requirements.
4. Referencing the ONC Health IT Certification Program
We stated in the Proposed Rule that the adoption of proposed
criteria that support functionality for different care and practice
settings and the proposals to make the ONC Health IT Certification
Program open and accessible to more types of health IT and health IT
that supports a variety of care and practice settings, would permit
further referencing and use of certified health IT. We proceeded to
cite other HHS programs that reference certification criteria and the
ONC Health IT Certification Program (80 FR 16874).
Comments. One commenter recommended that we not over-specify or
over-bundle a singular certification criterion that could cause a
mismatch between what a federal program requires and what is defined as
a single criterion. Another commenter recommended that we allow for at
least 18 months in advance of any compliance dates for providers and
health IT developers to successfully test and deploy required certified
health IT, stating that an 18-month minimum timeframe is important to
ensure that the process provides good design while reducing risks to
care and safety.
Response. We agree with the commenter that it is important to try
to properly scope a certification criterion so that the capabilities
included are consistent with current health IT technologies and design
practices. In this regard, we have separated out capabilities that have
once been proposed or adopted in a single criterion (e.g., see the
``CPOE'' criteria or the ``application access'' (``API'') criteria).
We also agree with the commenter that sufficient lead time must be
provided for development, testing, certification, and implementation
before certified health IT is required for use. With this final rule
and the EHR Incentive Programs Stage 3 and Modifications final rule,
providers and health IT developers have 27 months before health IT
certified to the 2015 Edition must be used to meet the CEHRT definition
adopted in the EHR Incentive Programs Stage 3 and Modifications final
rule published elsewhere in this issue of the Federal Register. This
timeframe should provide sufficient time for development, testing,
certification, and implementation of certified health IT. We plan to
continue to work with our colleagues in HHS to ensure that proper lead
time is considered with respect to the required use of certified health
IT.
We continue to support the use of certified health IT and the ONC
Health IT Certification Program to support interoperability and health
information exchange across diverse care and practice settings. To note
and building on the references we cited in the
[[Page 62705]]
Proposed Rule, the HHS interoperability strategy and the encouraged use
of certified health IT are mentioned in the Prospective Payment System
and Consolidated Billing for Skilled Nursing Facilities for FY 2015
proposed rule (79 FR 45652), the Conditions of Participation for Home
Health Agencies proposed rule (79 FR 61185), the CY 2016 Home Health
Prospective Payment System Rate Update; Home Health Value-Based
Purchasing Model; and Home Health Quality Reporting Requirements
proposed rule (80 FR 39844), and the End-Stage Renal Disease
Prospective Payment System, and Quality Incentive Program proposed rule
(80 FR 37852). The required use of certified health IT continues to be
referenced for chronic care management services in CY 2016 Physician
Fee Schedule final rule (80 FR 41796). Further, the Mechanized Claims
Processing and Information Retrieval Systems (MMIS) proposed rule (80
FR 20464) requires that state MMIS systems align with adopted standards
and allow for interoperability with health information exchanges.
C. Health IT Module Certification Requirements
1. Privacy and Security
We proposed a new approach for privacy and security (P&S)
certification to the 2015 Edition. In our past rulemakings, we
discussed and instituted two different policy approaches and sought
comment on others for ensuring that health IT and providers have
privacy and security capabilities while also trying to minimize the
level of regulatory burden imposed on health IT developers. With the
2011 Edition, we included an upfront requirement that required Health
IT Modules to meet all P&S certification criteria as a condition of
certification unless the health IT developer could demonstrate that
certain P&S capabilities were either technically infeasible or
inapplicable. With the 2014 Edition, we eliminated the upfront
requirement for each Health IT Module to be certified against the P&S
criteria in favor of what we thought would better balance the burden
potentially posed by our rulemaking. Thus, the P&S criteria were made
part of the 2014 Edition Base EHR definition that all EPs, eligible
hospitals, and CAHs participating in the EHR Incentive Programs must
meet in order to satisfy the CEHRT definition (meaning each provider
needed post-certification to ultimately have technology certified to
the P&S criteria).
Based on recommendations from the HITSC, in the Proposed Rule, we
proposed a revised P&S certification approach for the 2015 Edition so
that each certification criterion has a set of appropriate P&S
``safeguards'' that must be in place. We proposed to require that an
ONC-ACB must ensure that a Health IT Module presented for certification
to any of the certification criteria that fall into each regulatory
text ``first level paragraph'' category of Sec. 170.315 (e.g., Sec.
170.315(a)) identified below would be certified to either Approach 1
(technically demonstrate) or Approach 2 (system documentation) as
follows:
Table 9--Proposed 2015 Edition Privacy and Security Certification
Framework
------------------------------------------------------------------------
It will need to be certified to Approach
1 or Approach 2 for each of the P&S
If the Health IT Module certification criteria listed in the
includes capabilities for ``Approach 1'' column
certification listed under: -----------------------------------------
Approach 1 Approach 2
------------------------------------------------------------------------
Sec. 170.315(a)............. Sec. For each applicable
170.315(d)(1) P&S certification
(authentication, criterion not
access control, certified for
and approach 1, there
authorization), must be system
(d)(2) documentation
(auditable sufficiently
events and detailed to enable
tamper integration such
resistance), that the Health IT
(d)(3) (audit Module has
reports), (d)(4) implemented service
(amendments), interfaces for each
(d)(5) applicable privacy
(automatic log- and security
off), (d)(6) certification
(emergency criterion that
access), and enable the Health IT
(d)(7) (end-user Module to access
device external services
encryption). necessary to meet
the privacy and
security
certification
criterion.
Sec. 170.315(b)............. Sec.
170.315(d)(1)
through (d)(3)
and (d)(5)
through (d)(8)
(integrity).
Sec. 170.315(c)............. Sec.
170.315(d)(1)
through (d)(3).
Sec. 170.315(e)............. Sec.
170.315(d)(1)
through (d)(3),
(d)(5), and
(d)(7).
Sec. 170.315(f)............. Sec.
170.315(d)(1)
through (d)(3)
and (d)(7).
Sec. 170.315(h)............. Sec.
170.315(d)(1)
through (d)(3).
Sec. 170.315(i)............. Sec.
170.315(d)(1)
through (d)(3)
and (d)(5)
through (d)(8).
------------------------------------------------------------------------
We explained that under the P&S certification framework we
proposed, a health IT developer would know exactly what it needed to do
in order to get its Health IT Module certified and a purchaser of a
Health IT Module would know exactly what privacy and security
functionality against which the Health IT Module had to be tested in
order to be certified. We further explained that, because we explicitly
proposed which P&S certification criteria would be applicable to the
associated criteria adopted in each regulatory text ``first level
paragraph'' category and also proposed Approach 2, we did not propose
to permit the 2011 Edition policy of allowing for a criterion to be met
through documentation that the criterion is inapplicable or would be
technically infeasible for the Health IT Module to meet.
Comments. Most commenters were supportive of our proposed P&S
certification framework, including the HITSC. One commenter recommended
that we keep the option for a health IT developer to attest that a
certain security criterion is inapplicable or infeasible. Another
commenter was concerned that a health IT developer would have to
redundantly certify products that have a shared security
infrastructure.
Response. We appreciate the broad support expressed for the
proposed framework. We have adopted the P&S certification framework as
proposed. As recited above and stated in the Proposed Rule, we continue
to believe it is not necessary to permit health IT developers to attest
that certain P&S criteria are inapplicable or infeasible because we
have specified which P&S certification criteria are applicable to a
Health IT Module based on the other adopted
[[Page 62706]]
2015 Edition certification criteria for which it is presented for
certification to as well as also permitting certification through
Approach 2. We clarify that Approach 2 provides health IT developers
with the ability to demonstrate through system documentation that
products share a security infrastructure, giving developers the option
to certify the security infrastructure only once.
Comments. Several commenters provided feedback suggesting which
2015 Edition P&S certification criteria should apply to each grouping
of 2015 Edition certification criteria in Table 9 above. Commenters
recommended that we should add the:
``Integrity'' certification criterion (Sec.
170.315(d)(8)) to the clinical certification criteria (Sec.
170.315(a)) due to transmissions of laboratory data per the proposed
``CPOE--laboratory'' certification criterion (Sec. 170.315(a)(2));
``Amendments'' certification criterion (Sec.
170.315(d)(4)) to the care coordination criteria (Sec. 170.315(b)) to
support patient requested amendments; and
``Automatic access time-out'' certification criterion
(Sec. 170.315(d)(5)) to the clinical quality measures criteria (Sec.
170.315(c)) since patient health information is evident in many quality
measurement implementations.
Response. We have not adopted the commenter's recommendation to
apply the ``integrity'' certification criterion (Sec. 170.315(d)(8))
to the clinical certification criteria because we have not adopted the
proposed content exchange functionality for the ``CPOE--laboratory''
certification criterion. By not adopting the content exchange
functionality (LOI standard), testing and certification will not
involve the preparation of patient laboratory data for transmission
consistent with the proposed standards. Therefore, the ``integrity''
certification criterion (Sec. 170.315(d)(8)) does not need to be
applied to the category of criteria (i.e., Sec. 170.315(a)).
The application of the ``amendment'' criterion is not necessary for
care coordination. We have made the ``amendment'' criterion applicable
to the ``clinical care'' category of criteria (i.e., Sec. 170.315(a)).
The functionality certified under the ``clinical care'' category
focuses on data capture and is more appropriate for application of the
``amendment'' criterion, while the ``care coordination'' category
focuses on the transmission of health information and not patient
interaction related to amending the record.
We agree with commenters that the ``automatic access time-out''
criterion should apply to the clinical quality measures criteria for
the reasons provided by the commenters and have included it as
applicable to Sec. 170.315(c) under the P&S certification framework.
As discussed in the ``application access to Common Clinical Data Set''
section of this preamble, we have adopted and applied new P&S criteria
(``trusted connection'' (Sec. 170.315(d)(9) and ``auditing actions on
health information'' (Sec. 170.315(d)(10)) to the three ``API''
certification criteria as part of the P&S certification framework.
These new criteria are derived from the security requirements included
in the proposed ``API'' criterion in the Proposed Rule and have been
applied back to the ``API'' criteria adopted in this final rule.
We have separated out the ``patient engagement'' category (Sec.
170.315(e)) by criterion to provide clarity and appropriate application
of privacy and security capabilities. In this regard, we do not apply
``end-user device encryption'' to the ``secure messaging'' and
``patient health information capture'' criteria as that was not our
intention. We have added the new ``trusted connection'' criteria to the
``patient engagement'' category (Sec. 170.315(e)) to compliment the
revisions we made to the ``VDT'' and ``secure messaging'' criteria as
part of the overall P&S certification framework and to support the
functionality included in the ``patient health information capture''
criterion. Please see the discussions of these criteria earlier in this
preamble for further details.
In this final rule, we require that an ONC-ACB must ensure that a
Health IT Module presented for certification to any of the
certification criteria that fall into each regulatory text ``first
level paragraph'' category of Sec. 170.315 (e.g., Sec. 170.315(a))
identified in Table 10 below is certified to either Approach 1
(technically demonstrate) or Approach 2 (system documentation) as
follows:
Table 10--Final 2015 Edition Privacy and Security Certification Framework
----------------------------------------------------------------------------------------------------------------
It will need to be certified to Approach 1 or Approach 2 for each of the
If the Health IT Module includes P&S certification criteria listed in the ``Approach 1'' column
capabilities for certification listed -------------------------------------------------------------------------
under: Approach 1 Approach 2
----------------------------------------------------------------------------------------------------------------
Sec. 170.315(a)..................... Sec. 170.315(d)(1) For each applicable P&S
(authentication, access control, certification criterion not
and authorization), (d)(2) certified for approach 1, the
(auditable events and tamper health IT developer may certify
resistance), (d)(3) (audit for the criterion using system
reports), (d)(4) (amendments), documentation sufficiently
(d)(5) (automatic log-off), (d)(6) detailed to enable integration
(emergency access), and (d)(7) with external services necessary
(end-user device encryption). to meet the criterion.
Sec. 170.315(b)..................... Sec. 170.315(d)(1) through (d)(3)
and (d)(5) through (d)(8)
(integrity).
Sec. 170.315(c)..................... Sec. 170.315(d)(1) through (d)(3)
and (d)(5) *.
Sec. 170.315(e)(1).................. Sec. 170.315(d)(1) through
(d)(3), (d)(5), (d)(7), and
(d)(9)(trusted connection) *.
Sec. 170.315(e)(2) and (3).......... Sec. 170.315(d)(1) through
(d)(3), (d)(5), and (d)(9) *.
Sec. 170.315(f)..................... Sec. 170.315(d)(1) through (d)(3)
and (d)(7).
Sec. 170.315(g)(7), (8) and (9) *... Sec. 170.315(d)(1) and (d)(9);
and (d)(2) or (d)(10) (auditing
actions on health information) *.
Sec. 170.315(h)..................... Sec. 170.315(d)(1) through (d)(3)
----------------------------------------------------------------------------------------------------------------
* Emphasis added to identify additions to the framework as compared to the Proposed Rule.
We clarify that of the adopted 2015 Edition certification criteria,
only the privacy and security criteria and the criteria specified in
Sec. 170.315(g)(1) through (6) are exempt from the P&S certification
framework due to the capabilities included in these criteria, which do
not implicate privacy and security concerns.
[[Page 62707]]
In order to be issued a certification, a Health IT Module would
only need to be tested once to each applicable privacy and security
criterion identified as part of Approach 1 or Approach 2 so long as the
health IT developer attests that such privacy and security capabilities
apply to the full scope of capabilities included in the requested
certification, except for the certification of a Health IT Module to
Sec. 170.315(e)(1) ``VDT'' and (e)(2) ``secure messaging.'' For each
criterion, a Health IT Module must be separately tested to Sec.
170.315(d)(9) because of the specific capabilities for secure
electronic transmission and secure electronic messaging included in
each criterion, respectively.
Comments. We received several comments requesting clarification on
our proposal to allow a health IT developer to certify for P&S criteria
using system documentation sufficiently detailed to enable integration
with external services necessary to meet P&S certification criteria
(Approach 2). One commenter requested clarification regarding how an
ONC-ACB would verify that documentation was sufficient to implement the
interface. Another commenter pointed out that interfaces to external
systems may carry an additional cost. Other commenters questioned
whether the lack of standardized interfaces will lead to security gaps
or be an impediment to information sharing.
Response. System documentation for Approach 2 requires a clear
description of how the external services necessary to meet the
applicable P&S criteria would be deployed and used. We note that
Approach 2 is one of two options that provide health IT developers more
certification flexibility. Health IT developers and their customers
have the discretion to seek certification to the approach (Approach 1
or 2) that best meets their needs, taking into account efficiencies,
costs, and security concerns. We further note that the actual
implementation of privacy and security capabilities is outside the
scope of certification, but in most instances, is guided by applicable
federal and state privacy and security laws. We are supportive of the
unencumbered exchange of health information and note that certified
capabilities should not be implemented in a way that precludes health
information sharing.
Comments. A commenter requested clarification on how a health IT
developer could guarantee certain functionality, particularly end-user
device encryption.
Response. Certification ensures that a Health IT Module can meet
the capabilities of a certification criterion. However, it does not
ensure the appropriate implementation of the capabilities. For example,
in the context of a Health IT Module's certification to the ``VDT''
criterion (Sec. 170.315(e)(1)), additional required certification to
the ``end-user device encryption'' criterion is intended to apply to
the storage actions that the Health IT Module is programmed to take
(i.e., creation of temp files, cookies, or other types of cache
approaches) and not an individual or isolated user action to save or
export a file to their personal electronic storage media.
Comments. A commenter stated that the P&S certification framework
is more specific than the approach prescribed in the HIPAA Security
Rule. Another commenter stated that we should not name specific
encryption and hashing standards because the information security risk
landscape is constantly evolving.
Response. The P&S certification framework focuses on the
capabilities of health IT certified to the 2015 Edition. It is not
designed nor could it align with each covered entity's responsibilities
under the HIPAA Security Rule, which focus on a risk-based approach to
security. We note, however, that the adoption of health IT certified to
the 2015 Edition under the P&S framework may support a provider's
compliance with the HIPAA Security Rule and other federal and state
privacy and security laws. We do not require specific standards for
encryption and hashing. Rather, we require any encryption algorithm
identified by the National Institute of Standards and Technology (NIST)
as an approved security function in Annex A of the Federal Information
Processing Standards (FIPS) Publication 140-2, October 8, 2014.\167\
For hashing, we require any hashing algorithm with security strength
equal to or greater than SHA-2 as identified by NIST as an approved
security function in that publication.
---------------------------------------------------------------------------
\167\ http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.psf.
---------------------------------------------------------------------------
2. Design and Performance (Sec. 170.315(g))
We proposed to revise Sec. 170.550 to add paragraph (g), which
would require ONC-ACBs to certify Health IT Modules to certain proposed
certification criteria under Sec. 170.315(g). We proposed to require
ONC-ACBs to certify Health IT Modules to Sec. 170.315(g)(3) (safety-
enhanced design) and Sec. 170.315(g)(6) (Consolidated CDA creation
performance) consistent with the requirements included in these
criteria. We noted that paragraph (g) also includes a requirement for
ONC-ACBs to certify all Health IT Modules presented for certification
to the 2015 Edition to Sec. 170.315(g)(4) (quality system management)
and (g)(8) (accessibility-centered design). We explained that the
proposed certification requirements for Sec. 170.315(g)(3) and (4)
maintain the policy approach established with certification to the 2014
Edition (see Sec. 170.550(f)(2) and (3)), which ensures Health IT
Modules, as applicable, are certified to these specific safety and
quality certification criteria. We also explained that the proposed
certification requirement for Sec. 170.315(g)(6) is associated with
the new ``Consolidated CDA creation performance'' criterion we proposed
for the 2015 Edition. We reiterated that the requirement is similarly
designed to ensure that Health IT Modules (with Consolidated CDA
creation capabilities within their scope) are also certified to the
``Consolidated CDA creation performance'' criterion. We noted the
proposed certification requirements for Sec. 170.315(g)(8) were
associated with the new ``accessibility-centered design'' criterion we
proposed for the 2015 Edition, which patterned the certification
approach of the 2014 Edition ``quality system management'' criterion.
Comments. Commenters supported the proposed revisions to Sec.
170.550.
Response. We thank commenters for their support. We have added
paragraph (g) to Sec. 170.550 as proposed with a minor cross-reference
revision that points to the 2015 Edition ``accessibility-centered
design'' criterion codified in Sec. 170.315(g)(5) instead of proposed
paragraph (g)(8).
D. Principles of Proper Conduct for ONC-ACBs
1. ``In-the-Field'' Surveillance and Maintenance of Certification
We proposed new requirements for ``in-the-field'' surveillance and
maintenance of certification under the ONC Health IT Certification
Program. The requirements would clarify and expand ONC-ACBs' existing
surveillance responsibilities, including the responsibility to perform
surveillance of certified capabilities ``in the field.'' We explained
that in-the-field surveillance is necessary to provide assurance to
customers, implementers, and users that health IT certified on behalf
of ONC will continue to meet the requirements of its certification when
it is implemented and used in a production environment.
[[Page 62708]]
Through our proposal, we sought to promote greater consistency,
transparency, and rigor in the surveillance of certified capabilities
and to provide stakeholders with greater clarity and predictability
regarding this important aspect of the ONC Health IT Certification
Program.
Our proposal defined in-the-field surveillance and specified
certain conditions and procedures under which ONC-ACBs would be
required to initiate in-the-field surveillance of certified Complete
EHRs and certified Health IT Modules. We delineated separate
requirements for surveillance based on complaints or other information
about potential non-conformities (``reactive surveillance'') and for
surveillance based on a random sampling approach (``randomized
surveillance''). In addition, we specified certain corrective action
plan requirements and procedures that would apply in the context of
randomized surveillance. ONC-ACBs would also be required to report the
results of their in-the-field surveillance to the National Coordinator
on at least a quarterly basis and, separately, to report corrective
action plan information to the publicly accessible open data CHPL
detailed in our separate proposal ``Open Data Certified Health IT
Product List (CHPL).''
To implement the new requirements for in-the-field surveillance
outlined in the Proposed Rule, we proposed to add Sec. 170.556 (In-
the-field surveillance and maintenance of certification for health IT)
and amend Sec. 170.503 (ONC-AA Ongoing Responsibilities) and Sec.
170.523 (ONC-ACB Principles of Proper Conduct).
Definition and Principles for In-the-Field Surveillance
We proposed to explicitly define in-the-field surveillance to mean
an ONC-ACB's assessment of whether a certified Complete EHR or
certified Health IT Module to which it has issued a certification
continues to conform to the certification's requirements when the
health IT is implemented and in use in the field. This assessment would
require an ONC-ACB to assess the technology's capabilities in a
production environment and, where applicable, would be based on the use
of the capabilities with protected health information (PHI), unless the
use of test data were specifically approved by the National
Coordinator. We explained that such surveillance could be performed
through an in-person site visit or by remote observation. We solicited
comments on these and other approaches to in-the-field surveillance.
Comments. We received mixed comments on our focus on ``in-the-
field'' surveillance. The commenters who supported our focus on
surveillance of certified health IT capabilities ``in the field''
expressed strong support for our proposal to define and establish clear
and explicit expectations for in-the-field surveillance. Commenters
stated that clearer and more rigorous requirements for in-the-field
surveillance would promote confidence in certifications issued on
behalf of ONC and significantly improve the reliability and performance
of certified health IT. One ONC-ACB specifically endorsed these
requirements and our commitment to ensure that certified health IT
capabilities function for providers in their local offices and
hospitals in the same manner demonstrated by the health IT developer in
a controlled testing environment. Another ONC-ACB specifically
supported the concept of in-the-field surveillance in the context of
complaint-based surveillance, which has been a focus of the current
approach to in-the-field surveillance developed through our annual
surveillance guidance.
Several commenters described specific challenges they or their
members had encountered with certified health IT capabilities that
failed to perform in an acceptable manner when implemented in the
field. For example, one commenter stated that it had witnessed several
instances in which certified health IT that had successfully
demonstrated the ability to send a single standards-compliant
continuity of care document in a controlled testing environment could
not ``scale'' and send multiple standards-compliant continuity of care
documents when deployed in a production environment. Commenters stated
that our proposed in-the-field surveillance requirements would help
identify and address these kinds of apparent non-conformities.
Response. We thank these commenters for their feedback. They
underscore our view of the importance of in-the-field surveillance for
ensuring that providers and other stakeholders can rely on
certifications issued on behalf of ONC. This basic assurance protects
the integrity of the ONC Health IT Certification Program and federal
health IT investments because it enables customers, implementers, and
users to select appropriate technologies and capabilities; identify
potential implementation or performance issues; and implement certified
health IT in a predictable, reliable, and successful manner.
While ONC-ACBs are already required to conduct in-the-field
surveillance as part of their overall surveillance approaches, we agree
with these commenters that establishing more explicit and more rigorous
requirements will promote greater consistency and clarity regarding
ONC-ACBs' responsibilities for conducting in-the-field surveillance,
which will in turn improve the reliability and performance of certified
health IT and help identify and address potential non-conformities.
Comments. Other commenters, mostly health IT developers, were less
supportive of in-the-field surveillance. They cautioned that some
factors that may affect the performance of certified health IT--such as
how the health IT is configured, implemented and adopted by users and
integrated with other health IT components as part of complex, local
implementations--may be challenging for ONC-ACBs to evaluate or could
in some cases be beyond the scope of a health IT's certification. Some
commenters asserted that ONC-ACBs may lack the sophistication or
expertise to distinguish certification non-conformities from other
factors that may cause certified health IT to perform differently in
the field than in a controlled testing environment. In particular,
current certification requirements may be tested with an established
workflow (often the health IT developer's ``optimal workflow'') but
made available to users with additional workflow and implementation
options. According to these commenters, an ONC-ACB unfamiliar with a
particular variation could incorrectly regard it as a non-conformity.
Separately, a few commenters asserted that end-users with whom an ONC-
ACB would conduct in-the-field surveillance may lack the necessary
skill and knowledge to properly demonstrate certified health IT
capabilities, or may be susceptible to ``leading questioning''
(presumably by the ONC-ACB conducting the surveillance).
Response. We appreciate the concerns raised by commenters and
acknowledge that in-the-field surveillance presents unique challenges.
However, we disagree with the suggestion that ONC-ACBs lack the
sophistication or expertise to perform in-the-field surveillance or to
do so in a reliable and objective manner.
Under the ONC Health IT Certification Program, ONC-ACBs'
surveillance approaches must include the use of consistent, objective,
valid, and reliable methods, subject to the ongoing supervision of the
ONC-AA.
[[Page 62709]]
(Sec. 170.503(e)(2)). In addition, the requirements for in-the-field
surveillance established by this final rule build on those with which
ONC-ACBs are already familiar, including the requirements for in-the-
field surveillance that have existed since the establishment of the
Permanent Certification Program in 2011.\168\ Since that time, it is
our experience that ONC-ACBs have become increasingly adept at
analyzing the performance of certified health IT in the field,
including working with developers and end-users to identify the causes
of reported problems and to distinguish certification issues from other
factors that may affect the performance of certified health IT. For all
of these reasons, we are confident that ONC-ACBs will be able to meet
their responsibilities for conducting in-the-field surveillance.
---------------------------------------------------------------------------
\168\ 76 FR 1282 (clarifying our expectation under the Permanent
Certification Program that an ``ONC-ACB would focus its surveillance
activities on whether the Complete EHRs and/or EHR Modules it has
certified continue to perform `in the field' . . . as they did when
they were certified.''); see also ONC, ONC Health IT Certification
Program, Program Policy Guidance #13)-01.
---------------------------------------------------------------------------
Comments. Given the unique challenges associated with in-the-field
surveillance, some commenters suggested that, in addition to observing
how certified capabilities operate in a production environment, ONC-
ACBs should be permitted to use other methods to inform their
evaluation of technology in the field. For example, the ONC-AA stated
that attempting to replicate reported problems in a controlled testing
environment may provide a better basis for identifying a suspected non-
conformity than relying on in-the-field observations. Separately,
several commenters, including the ONC-AA, suggested that ONC-ACBs
should work closely with health IT developers in analyzing complaints
and other information about potential non-conformities. The commenters
stated that including developers in the surveillance process would be
important because ONC-ACBs may not be familiar with a developer's
particular technology and implementations. Moreover, health IT
developers may have internal complaint and quality management programs
that could be leveraged to provide insight into problems and their
causes.
Response. We appreciate these suggestions, which are consistent
with the approach to in-the-field surveillance we envisioned in the
Proposed Rule. We agree with commenters that the assessment of
certified health IT in a production environment may require ONC-ACBs to
employ a variety of methodologies and approaches. While these must
include, they need not be limited to, observing the performance of
certified capabilities in the field. Thus in addition to observing how
capabilities function in the field, an ONC-ACB might supplement its
field observations with information related to the certified technology
gleaned from other sources of surveillance, such as user surveys,
reviewing developers' complaint logs and defect tickets (including the
developer's root cause analysis and resolution of tickets), and
attempting to replicate reported problems in a controlled environment.
These and other appropriate investigative and diagnostic techniques may
help ONC-ACBs more effectively target and conduct their field
assessments and inform their overall assessments of certified health IT
capabilities in the field.
We also agree that ONC-ACBs should, where appropriate, involve
health IT developers in their surveillance activities. For example, an
ONC-ACB could require a health IT developer to provide technical
assistance to the ONC-ACB in understanding and analyzing variations not
seen during the testing and certification process and other
complexities. ONC-ACBs could also require or permit health IT
developers to assist in analyzing and determining the causes of issues,
provided such assistance does not compromise the ONC-ACB's independence
or the requirements of its accreditation.
Comments. Several commenters requested additional clarity regarding
the precise standards that would govern an ONC-ACB's assessment of
certified capabilities in the field. Some commenters stated that the
standards articulated in the Proposed Rule did not provide a
sufficiently objective basis for determining that certified health IT,
once implemented, no longer conforms to the requirements of its
certification. Some commenters requested that we provide detailed
guidance and bright-line rules to guide ONC-ACBs in making these
determinations.
Response. While we understand the desire for bright-line rules, we
do not think it practicable or a useful exercise to attempt to
anticipate and prescribe detailed rules for every conceivable situation
in which an ONC-ACB may discover a non-conformity during its
surveillance of technology in the field. In practice, certified health
IT may be integrated with a wide range of other systems, processes, and
people and may be customized and used in many different ways. These
circumstances, which are inherent to the production environment, are
too numerous and varied to anticipate or to reduce to simple rules of
universal application.
In light of these complexities, we identified the basic principles
that would guide an ONC-ACB's surveillance of certified health IT in
the field. (80 FR 16877). In response to commenters' requests for
additional clarity, we further elaborate on these principles below. We
believe that with these additional clarifications, the principles we
have identified will provide ONC-ACBs with clear and predictable
guidance and ensure that in-the-field surveillance is conducted in a
fair, reliable, and consistent manner across all health IT products and
implementations.
Analysis and Examples of Non-Conformities in the Field
Comments. Some commenters asked us to clarify whether an ONC-ACB's
evaluation of certified health IT capabilities in the field must be
limited to those aspects of the health IT that were tested in a
controlled environment. In this connection, a few commenters stated
that certain factors--such as how certified capabilities are made
available to and implemented by users in the field--are beyond the
scope of certification under the ONC Health IT Certification Program
and therefore cannot give rise to a ``non-conformity.''
Response. An ONC-ACB's assessment of certified health IT in the
field is not limited to aspects of the technology that were tested in a
controlled environment. Rather, an ONC-ACB must consider the unique
circumstances and context in which the certified health IT is
implemented and used in order to properly assess whether it continues
to perform in a manner that complies with its certification.
Testing is an important part of an ONC-ACB's overall analysis of
health IT under the ONC Health IT Certification Program. For practical
reasons, however, testing focuses on particular use cases and
necessarily reflects assumptions about how capabilities will be
implemented and used in practice. Thus while test results provide a
preliminary indication that health IT meets the requirements of its
certification and can support the capabilities required by the
certification criteria to which the technology was certified, that
determination is always subject to an ONC-ACB's ongoing surveillance,
including the ONC-ACB's evaluation of certified capabilities in the
field. Indeed, a fundamental purpose of in-the-field surveillance is to
identify deficiencies that may be difficult to anticipate or that may
not become
[[Page 62710]]
apparent until after certified health IT is implemented and used in a
production environment. That purpose would be entirely frustrated if an
ONC-ACB's assessment of technology in the field were confined to those
aspects of the technology's performance specifically delineated in test
procedures.
Comments. Several commenters stated that, depending on the
circumstances, certified health IT that has been implemented in the
field may be unable to demonstrate certified capabilities for reasons
that are beyond the health IT developer's control. For example, users
may customize certified health IT capabilities in ways that could not
be anticipated by the developer or that conflict with the developer's
explicit instructions regarding the proper implementation and
configuration of its technology. These and other factors beyond the
control of a developer should not, according to these commenters, be
grounds for a determination of non-conformity.
Response. We recognize there may be instances in which certified
health IT cannot successfully demonstrate implemented capabilities for
reasons that the developer cannot reasonably influence or control. We
clarify that, as discussed below, these circumstances would be beyond
the scope of the health IT's certification and would not give rise to a
non-conformity.
A non-conformity arises when certified health IT fails to conform
to the requirements of its certification under the ONC Health IT
Certification Program. Those requirements take several forms and may
apply to aspects of the design and performance of technology as well as
the responsibilities of health IT developers. In particular, certified
health IT must be able to support the capabilities and uses required by
applicable certification criteria, and developers must make such
capabilities available in ways that enable them to be implemented and
used in production environments for their intended purposes.\169\
Developers must also comply with additional program requirements as a
condition of certification.\170\
---------------------------------------------------------------------------
\169\ Most certification criteria permit technology to be
designed and made available to users in any way that meets the
outcomes required by the criteria. Several certification criteria,
however, also prescribe specific requirements for how certified
capabilities are designed or made available to users. For example,
the safety-enhanced design criterion (Sec. 170.315(g)(3)) requires
developers to apply user-centered design processes to the
capabilities referenced in that criterion during the design and
development of certified health IT. Other certification criteria
require developers to identify specific design or performance
characteristics of their technology, such as the quality management
system (Sec. 170.315(g)(4)) and accessibility-centered design
standard or law (Sec. 170.315(g)(5)) used in the development,
testing, implementation, and maintenance of the capability.
\170\ In addition to the reequirements established by adopted
certification criteria, a Complete EHR or Health IT Module's
certification is also conditioned on the health IT developer's
compliance with certain program requirements that are necessary to
the basic integrity and effectiveness of the ONC Health IT
Certification Program. These requirements include, for example, the
mandatory disclosure requirements (Sec. 170.523(k)(1)) and the
requirements related to displaying the ONC Certified HIT
Certification and Design Mark (Sec. 170.523(1)).
---------------------------------------------------------------------------
While these requirements vary based on the specific certification
criteria or program requirements at issue, all of them focus on the
responsibilities of health IT developers and those aspects of their
technology that they can reasonably influence or control. Accordingly,
if an ONC-ACB finds that health IT, as implemented in the field, cannot
demonstrate required capabilities in a compliant manner, the ONC-ACB
must determine the reasons for the failure, including the roles of the
technology as well as the health IT developer, users, and other
parties. If the ONC-ACB finds that the developer or its technology were
a substantial cause of the failure, the ONC-ACB would conclude that the
health IT does not meet the requirements of its certification. By
contrast, if the ONC-ACB finds that the failure was caused exclusively
by factors far removed from the control or responsibility of the
developer, the ONC-ACB would regard those factors as beyond the scope
of the health IT's certification and would not find a non-conformity.
The following contrasting scenarios provide an example of these
requirements in practice.
Scenario A: An ONC-ACB initiates in-the-field surveillance
of a Health IT Module certified to the clinical decision support
certification criterion at Sec. 170.315(a)(9). The ONC-ACB observes
the use of the capability at a location at which it has been
implemented. The ONC-ACB observes as a user unsuccessfully attempts to
access user diagnostic or therapeutic reference information for a
patient as required by the criterion. The ONC-ACB then performs a
series of troubleshooting and diagnostic exercises with the provider
and the developer of the certified Health IT Module. After additional
fact-finding and analysis, the ONC-ACB concludes that the failure of
the technology to perform as expected was caused by the failure to
implement a routine update of the linked referential clinical decision
support component of the Health IT Module. Under the terms of the
provider's agreement with the developer, the developer was solely
responsible for implementing routine updates in return for an annual
maintenance fee, which the provider had paid in full.
Based on these facts, the ONC-ACB would find a non-conformity
because the failure of the certified health IT to function as expected
was due solely to the actions of the developer that prevented the user
from accessing capabilities to which the health IT was certified.
Scenario B: An ONC-ACB initiates in-the-field surveillance
of a Health IT Module certified to the clinical decision support
certification criterion Sec. 170.315(a)(9). The ONC-ACB observes the
use of the capability at a location at which it has been implemented.
The ONC-ACB observes as a user unsuccessfully attempts to view user
diagnostic or therapeutic reference information for a patient as
required by the criterion. Upon further evaluation, the ONC-ACB learns
that the provider had notified the developer that it did not wish to
purchase or sublicense the standard clinical reference information
bundled with the developer's clinical decision support technology and
requested instead that the developer integrate its technology with the
provider's preferred third-party database of clinical reference
information. The developer agreed to integrate the third-party database
information as requested, but in writing advised the provider that,
because the developer did not have a sublicensing agreement in place
with the third-party vendor, the provider would be responsible for
obtaining and maintaining the necessary licenses for access to the
third-party vendor's database. The developer successfully integrated
the third-party database information as requested, and the certified
capabilities performed as expected using the third-party database
information for several months prior to the ONC-ACB's surveillance.
However, at the time of the surveillance, access to the third-party
database information had been temporarily suspended because of the
provider's failure to pay several outstanding invoices from the third-
party vendor--the result of an oversight in the provider's accounting
department. Because of the suspension in service, the technology, which
was otherwise performing as certified, was unable to retrieve and
display user diagnostic and therapeutic reference information.
Based on these facts, the ONC-ACB would not find a non-conformity
because, while the technology was unable to perform required
capabilities in the field, the failure was caused by
[[Page 62711]]
factors far removed from the control or responsibility of the
developer. Indeed, the developer took care to warn the provider that,
while the technology could be customized to support third-party
database information, the provider would be responsible for maintaining
any necessary licenses for access to the third party database
information.
Comments. Some commenters stated that contractual restrictions or
other limitations on the use of a developer's certified health IT
should be treated as a non-conformity, while several other commenters
asked for additional guidance on this issue.
Response. As the scenarios above illustrate, because developers
sell and license certified technology in many different ways and often
in conjunction with many other related products and services, an ONC-
ACB's evaluation of technology in the field will necessarily require a
consideration of the manner in which the developer makes its certified
technology and associated capabilities available to customers and
users, including a consideration of implementation options, contractual
terms, and other factors that could affect the performance of the
capabilities in the field. For example, an ONC-ACB would find a non-
conformity were it to determine that a developer had imposed
restrictions or limitations \171\ on its technology (or the use of its
technology) that substantially interfered with users' ability to access
or use certified capabilities for any purpose within the scope of the
technology's certification, as in the following scenarios.
---------------------------------------------------------------------------
\171\ Potential restrictions and limitations are discussed in
detail in section IV.D.2 of this preamble, ``Transparence and
Disclosure Requirements.''
---------------------------------------------------------------------------
Scenario C: An ONC-ACB initiates in-the-field surveillance
of a Health IT Module certified to the data export criterion at Sec.
170.315(b)(6). The ONC-ACB observes the use of the capability at a
location at which it has been implemented. The ONC-ACB observes as a
user unsuccessfully attempts to create a set of export summaries using
the required standard for patients whose information is stored in the
technology. The ONC-ACB contacts the health IT developer, which
explains that to utilize the data export capability, a user must load a
series of coded instructions into the technology using the developer's
proprietary scripting language. However, the developer restricts the
ability of users to access training materials or instructions that
would allow them to acquire the necessary knowledge and expertise to
perform this function.
Based on these facts, the ONC-ACB would find a non-conformity.
Specifically, the developer has restricted access to training materials
and instructions that are needed to access and capability and
successfully use it to achieve the technical outcomes contemplated by
Sec. 170.315(b)(6). Indeed, as the scenario illustrates, the
restriction effectively prevents a user from using the data export
capability at all. As such, the technology no longer conforms to the
requirements of its certification.
Scenario D: An ONC-ACB initiates in-the-field surveillance
of a Health IT Module certified to the data export criterion at Sec.
170.315(b)(6). The ONC-ACB observes the use of the capability at a
location at which it has been implemented. The user is able to
successfully create a set of export summaries for patients in real time
but is unable to configure the technology to create a set of export
summaries based on a relative time and date (e.g., the first of every
month at 1:00 a.m.). The ONC-ACB contacts the health IT developer,
which explains that the ability to create export summaries based on a
relative time and date is an ``advanced functionality'' that the
developer has disabled by default. The developer will only enable the
functionality if a customer specifically requests it.
Based on these facts, the ONC-ACB would find a non-conformity.
Specifically, the developer has placed a technical limitation on its
technology by disabling and thus preventing users from accessing
functionality within the scope of the technology's certification to the
data export capability. Indeed, the ability to create a set of export
summaries based on a relative time and date is expressly required by
Sec. 170.315(b)(6)(iii)(B)(2). That a customer must specifically
request that the developer turn on the functionality is a substantial
interference with a user's ability to access and use this aspect of the
certified capability. As such, the technology no longer conforms to the
requirements of its certification.
Comments. Some commenters asked whether a developer's failure to
disclose known material limitations or types of costs associated with
its certified health IT would give rise to a non-conformity. Several
commenters assumed that it would and stated that, together with the
more meaningful transparency and disclosure requirements we proposed,
assessing the effect of developers' disclosures on the performance of
certified health IT in the field would promote greater transparency and
reliability of certified health IT capabilities and help mitigate
business practices that limit or interfere with access to certified
health IT capabilities.
Response. Under the expanded transparency and disclosure
requirements at Sec. 170.523(k)(1), which are discussed in section
IV.D.2 of this preamble, a health IT developer must disclose all known
material limitations and types of costs associated with its certified
health IT. The failure to disclose this information is a violation of
an explicit certification program requirement (Sec. 170.523(k)(1)) and
thus constitutes a non-conformity. The disclosure violation may also
give rise to a separate non-conformity in the event that the failure to
disclose the required information has substantially impaired, or would
be likely to substantially impair, the ability of one or more users (or
prospective users) to implement or use the developer's certified health
IT in a manner consistent with its certification.
As an example, if the developer in Scenario D above failed to
disclose the technical limitation described in that scenario, the ONC-
ACB would find a non-conformity to the disclosure requirements at Sec.
170.523(k)(1). This determination would be warranted because the
developer's failure to disclose the limitation could substantially
interfere with the ability of a user or prospective user to implement
the data export capability in a manner consistent with the technology's
certification to Sec. 170.315(b)(6).\172\
---------------------------------------------------------------------------
\172\ The ONC-ACB would also find a separate non-conformity to
Sec. 170.315(b)(6), for the reasons explained in connection with
Scenario D.
---------------------------------------------------------------------------
Given the risk of non-conformity created by the failure of a
developer to disclose the kinds of material information described
above, and the concomitant requirement for ONC-ACBs to evaluate such
disclosures in order to properly evaluate certified technology in the
field, we have finalized elsewhere in this final rule our proposal to
expand and clarify the types of information that developers are
required to disclose as a condition of certification under the ONC
Health IT Certification Program. We discuss these disclosure
requirements in detail in section IV.D.2 of this preamble,
``Transparency and Disclosure Requirements.''
For the foregoing reasons, and with the clarifications discussed
above, we have finalized as proposed the definition of in-the-field
surveillance at Sec. 170.556(a).
Reactive Surveillance
We proposed to clarify and add to ONC-ACBs' responsibilities for
[[Page 62712]]
conducting ``reactive surveillance''--that is, surveillance of
certified health IT initiated on the basis of complaints or other
indications that the health IT does not conform to the requirements of
its certification. We proposed to create an explicit duty for an ONC-
ACB to initiate such surveillance whenever it becomes aware of facts or
circumstances that call into question the continued conformity of a
certified Complete EHR or certified Health IT Module to the
requirements of its certification (including conformity both to
applicable certification criteria as well as to other requirements of
certification, such as the disclosure requirements at Sec.
170.523(k)(1)). Further, we proposed that whenever an ONC-ACB initiates
reactive surveillance, it would be required, as a matter of course, to
assess the health IT developer's compliance with the disclosure
requirements at Sec. 170.523(k)(1).
Comments. Many commenters agreed with the proposed requirements for
reactive surveillance. Commenters stated that strengthening
surveillance, including in-the-field surveillance, based on complaints
and other information about the real-world performance of capabilities
would provide greater assurance to providers that they will in fact be
able to implement and use the capabilities to which health IT has been
certified. The ONC-AA and ONC-ACBs largely supported our proposed
reactive surveillance requirements and urged us to focus primarily on
refining this aspect of in-the-field surveillance and not the proposed
randomized surveillance requirements.
Some commenters, mostly ONC-ACBs, sought greater clarity regarding
the interaction between the proposed reactive surveillance requirements
and ONC-ACBs' existing responsibilities for conducting reactive and
other forms of surveillance pursuant to the requirements of their
accreditation to ISO/IEC 17065 and authorization to issue
certifications under the ONC Health IT Certification Program.
Relatedly, several commenters noted that the proposed duty to initiate
reactive surveillance would require in all cases that such surveillance
take place in the field; these commenters regarded this as an overly
broad requirement that could unnecessarily supplant other forms of
``traditional'' surveillance that, depending on the circumstances, may
be more effective and less burdensome.
Response. We thank commenters for their thoughtful comments on this
aspect of our proposal. In consideration of these comments and the
additional comments summarized below, we are finalizing the reactive
surveillance requirements at Sec. 170.556(b), subject to the revisions
discussed below. The revisions address the request from commenters for
clarification of the interaction between the proposed reactive
surveillance requirements and ONC-ACBs' existing obligations to conduct
reactive surveillance.
The proposed reactive surveillance requirements focused primarily
on an ONC-ACB's duty to initiate surveillance of certified health IT in
the field. Specifically, we stated that an ONC-ACB would be required to
initiate in-the-field surveillance whenever it becomes aware of facts
or circumstances that call into question health IT's continued
conformity to the requirements of its certification (80 FR 16878).
However, we agree with the observation of several commenters that
requiring ONC-ACBs to initiate in the field surveillance in all cases
would be unnecessarily prescriptive. In some cases, an ONC-ACB will be
able to investigate and evaluate a putative non-conformity just as
effectively by using traditional forms of surveillance that do not
depend on observing certified health IT capabilities in the field. For
example, an ONC-ACB may identify and substantiate non-conformities
through conventional desk-audits followed by re-testing of Health IT
Modules in a controlled environment. As another example, an ONC-ACB may
perform an audit of a developer's complaint processes to identify
potential non-compliance with the requirements of ISO/IEC 17065.
Similarly, an ONC-ACB may audit a developer's website and other
communications to identify potential non-compliance with the disclosure
requirements (Sec. 170.523(k)(1)), the Criteria and Terms of Use for
the ONC Certified HIT Certification and Design Mark (Sec. 170.523(l)),
or other certification requirements.
Because our intent was to build upon--not supplant--these
traditional forms of surveillance, we have revised the requirements at
Sec. 170.556(b) as follows. Under Sec. 170.556(b), an ONC-ACB has a
duty to initiate reactive surveillance--including, as necessary, in-
the-field surveillance--whenever it becomes aware of facts or
circumstances that would cause a reasonable person to question a
certified Complete EHR or certified Health IT Module's continued
conformity to the requirements of its certification. Such conformity
includes both ongoing conformity to applicable certification criteria
as well as compliance with other requirements of certification,
including the disclosure requirements for health IT developers at Sec.
170.523(k)(1).
Whether reactive surveillance must include in-the-field
surveillance or may employ other methods is governed by the definition
and principles for in-the-field surveillance described earlier in this
preamble and codified at Sec. 170.556(a), including the nature of the
suspected non-conformity and the adequacy of other forms of
surveillance under the circumstances. In most cases, the need to
evaluate the certified health IT in the field will be obvious from the
nature of the suspected non-conformity. For example, if a problem with
a certified health IT capability is reported to arise only in
connection with a specific local implementation option, an ONC-ACB
would likely need to observe the relevant capabilities in the field in
order to fully analyze the cause of the problem and determine whether
it is the result of a non-conformity. In other cases, the need for in-
the-field surveillance may become apparent only after other
surveillance methods and techniques have failed to isolate the cause of
the problem.
In-the-field surveillance may also be necessary to determine a
developer's compliance with certification program requirements, such as
the mandatory disclosure requirements at Sec. 170.523(k)(1). While
non-compliance with these requirements may often be established from
complaints and a review of a developer's disclosures, certain kinds of
undisclosed limitations on the capabilities of certified health IT may
need to be confirmed through in-the-field surveillance of the
technology, or may not be discovered at all except upon observing the
operation of certified capabilities in the field.
Comments. A number of commenters asked us to articulate more
precise standards for when an ONC-ACB would be required to initiate
reactive surveillance. Some of these commenters stated that ONC-ACBs
would not be able to consistently apply the standard set forth in the
Proposed Rule, which would require an ONC-ACB to initiate reactive
surveillance whenever it becomes aware of facts or circumstances that
would cause a reasonable person to question a certified Complete EHR or
certified Health IT Module's continued conformity to the requirements
of certification.
Response. As requested by commenters, we provide the following
additional guidance on the circumstances that would trigger an ONC-
ACB's duty to initiate reactive surveillance under the requirements at
Sec. 170.556(b).
[[Page 62713]]
In determining whether to initiate reactive surveillance, an ONC-
ACB must consider and weigh the volume, substance, and credibility of
complaints and other information received against the type and extent
of the alleged non-conformity, in light of the ONC-ACB's expertise and
experience with the particular capabilities, health IT, and
certification requirements at issue. For example, if an ONC-ACB
receives a number of anonymous complaints alleging general
dissatisfaction with a particular certified Health IT Module, the ONC-
ACB is not be required to initiate surveillance (though it would not be
precluded from doing so). In contrast, if an ONC-ACB receives several
complaints alleging, for example, that a particular certified Health IT
Module is unable to electronically create a set of export summaries in
accordance with the data export certification criterion at Sec.
170.315(b)(6), the ONC-ACB must initiate surveillance of the Health IT
Module unless a reasonable person in the ONC-ACB's position would doubt
the credibility or accuracy of the complaints. A reasonable basis for
doubt might exist if the ONC-ACB had recently responded to the very
same issue and determined through in-the-field surveillance of the
Health IT Module at several different locations that the reported
problem was due to a ``bug'' arising from an unsupported use of the
Health IT Module that the developer had specifically cautioned users
about in advance.
An ONC-ACB's decision to initiate reactive surveillance must also
take into account complaints and other information indicating whether a
health IT developer has disclosed all known material information about
certified capabilities, as required by Sec. 170.523(k)(1). The failure
to disclose this information calls into question the continued
conformity of those capabilities because it creates a substantial risk
that existing and prospective users will encounter problems
implementing the capabilities in a manner consistent with the
applicable certification criteria. Thus in the example above, if the
complaints received by the ONC-ACB suggested that the developer knew
about but failed to disclose the data export issue to users, the ONC-
ACB would be required to initiate in-the-field surveillance of the
certified Health IT Module to verify whether the developer had failed
to disclose known material information and, if so, whether the failure
to disclose that information prevented users from reasonably
implementing and using the data export capability in accordance with
the requirements of the certification criterion at Sec. 170.315(b)(6).
We believe the foregoing principles and examples will provide
sufficient clarity and practical guidance for ONC-ACBs regarding their
responsibilities for conducting reactive surveillance pursuant to Sec.
170.556(b). If necessary, we will issue additional guidance to ONC-ACBs
to assist them in conducting such surveillance in a consistent,
objective, and reliable manner.
Comments. A commenter suggested that reactive surveillance should
be based solely on complaints submitted directly to ONC-ACBs. The
commenter stated that ONC-ACBs ``can't be expected to keep ears to the
ground'' to monitor the trade press, user group message boards, blogs,
analyst reports, and other sources of information, which may not be
credible. Another commenter asked us to clarify that in determining
whether to initiate reactive surveillance, ONC-ACBs would be required
to consider complaints from persons other than providers and users of
certified health IT (such as public health agencies and other
recipients of electronic health information that may not themselves use
certified health IT).
Response. Under the requirements adopted in this final rule, an
ONC-ACB has a duty to initiate reactive surveillance whenever it
becomes aware of facts or circumstances that call into question the
continued conformity of health IT to which it has issued a
certification. We do not prescribe new requirements for ONC-ACBs to
proactively monitor any particular source of information (such as the
trade press or user forums), as ONC-ACBs are already required obtain
and synthesize information about certified health IT from multiple
sources.
Regardless of the form of the information or how it comes to an
ONC-ACB's attention, if the information suggests that health IT the
ONC-ACB has certified may no longer conform to the requirements of its
certification, the ONC-ACB is required to initiate surveillance. For
example, an ONC-ACB may become aware of a potential non-conformity
through user surveys and other ``behind-the-scenes'' surveillance of
users and products. Or an ONC-ACB may become aware of a potential non-
conformity while auditing a developer's website and other disclosures.
ONC will also share information with ONC-ACBs, which may well come from
the trade press and other sources. And, of course, an ONC-ACB will
receive complaints from a variety of sources, including, as one
commenter suggested, entities such as public health agencies that may
not be certified health IT users. All of this information would compose
the facts and circumstances of which an ONC-ACB is aware and is
required to consider in determining whether to initiate surveillance.
Randomized Surveillance
In addition to reactive surveillance, we proposed to require ONC-
ACBs to initiate in-the-field surveillance on a ``randomized'' basis
for the certification criteria prioritized by the National Coordinator.
For those prioritized certification criteria, an ONC-ACB would be
required each calendar year to randomly select at least 10% of the
Complete EHRs and Health IT Modules to which it has issued a
certification. The ONC-ACB would then be required to initiate in-the-
field surveillance of each such certified Complete EHR or certified
Health IT Module at the lesser of 10 or 5% of locations at which the
technology is implemented and in use in the field. The locations would
be selected at random, subject to certain sampling considerations and
limited exclusions described in the Proposed Rule.
We stated that randomized surveillance would enable ONC-ACBs to
identify non-conformities that are difficult to detect through
complaint-based or other reactive forms of surveillance. Randomized
surveillance would also enable an ONC-ACB to detect patterns of non-
conformities that indicate a more widespread or recurring problem
requiring a comprehensive corrective action plan. We proposed that a
pattern of non-conformity would exist if an ONC-ACB found that a
certified Complete EHR or certified Health IT Module failed to
demonstrate conformity to any prioritized certification criterion at
20% or more of the locations surveilled. Upon such a finding, the ONC-
ACB would deem the certified Complete EHR or certified Health IT Module
``deficient'' and impose a corrective action plan on the developer of
the certified Complete EHR or certified Health IT Module. We specified
certain elements and procedures that would be required for such
corrective action plans.
Comments. We received strong support for our proposal to require
ONC-ACBs to perform ``randomized'' surveillance as part of their in-
the-field surveillance approach. Several commenters who supported our
proposal urged us to minimize the associated disruption and other
burdens for providers who participate in randomized surveillance.
[[Page 62714]]
A number of commenters--including the ONC-AA and the ONC-ACBs--
raised concerns regarding this aspect of our proposal. The ONC-ACBs
estimated that performing randomized surveillance on 10% of certified
products, even at the relatively small number of locations specified in
the Proposed Rule, would as much as double the total cost of
certification and divert an inordinate amount of time and resources
away from other important certification and surveillance activities.
Meanwhile, commenters including the ONC-AA doubted that the proposed
sample size would be sufficient to detect patterns of non-conformities
or to determine with any degree of confidence how widespread a
particular non-conformity may be. In this connection, commenters
pointed out that surveilling a randomly selected certified Complete EHR
or certified Health IT Module at the lesser of 10 or 5% of locations at
which the technology is installed may not yield a statistically
significant result. For example, if an ONC-ACB were to randomly select
a Health IT Module installed at 40 locations, the ONC-ACB would only be
required to perform in-the-field surveillance at 2 locations. The ONC-
AA stated that performing surveillance of certain certified
capabilities, such as interoperability or privacy and security, at only
2 locations would be insufficient to identify all but the grossest non-
conformities.
Some commenters felt that it was premature to codify a specific
approach to randomized surveillance and that we should instead create a
``pilot study'' or allow ONC-ACBs to continue to experiment with
approaches to randomized surveillance in order to gauge the willingness
of providers to participate, potential methodologies, and the costs and
benefits of this type of surveillance.
Response. Randomized surveillance is an important aspect of an ONC-
ACB's overall approach to in-the-field surveillance. In addition to
exposing problems that may not surface through complaints and other
forms of surveillance, randomized surveillance will encourage
developers to proactively address issues and will also encourage
providers to participate in and become familiar with in-the-field
surveillance of certified health IT. However, we acknowledge that the
proposed randomized surveillance requirements could place a significant
burden on ONC-ACBs and divert resources and energy away from other
equally important aspects of our proposal, including more rigorous in-
the-field surveillance of certified health IT based on complaints and
other evidence of potential non-conformities. Balancing these
considerations, we are persuaded that starting with a less ambitious
approach to randomized surveillance will allow us to refine this aspect
of surveillance over time and will provide the best path to achieving
our overall goal of strengthening in-the-field surveillance and making
it more meaningful.
Accordingly, we have revised the proposed randomized surveillance
requirements as follows. First, we have reduced the annual sample size
for randomized surveillance. Instead of 10% of all certified Complete
EHRs and certified Health IT Modules, an ONC-ACB must perform
randomized surveillance on 2% of certified Complete EHRs or certified
Health IT Modules each year. Based on current data on the CHPL, we
estimate this could require ONC-ACBs to perform randomized surveillance
of up to 24 products per calendar year (depending on the total number
of products the ONC-ACB has certified, which we expect will increase
with the addition of Health IT Modules certified to the 2015 Edition).
We believe this new minimum threshold will provide additional insight
and experience related to randomized surveillance. This specific
baseline will establish a randomized surveillance program that advances
our policy aims while reducing the burden of randomized surveillance
for all stakeholders and making this initial approach more manageable
for ONC-ACBs. That being said, we intend to continually review
surveillance results and experiences to determine whether and how to
increase this threshold over time (e.g., whether an incrementally
rising threshold over time would be appropriate and effective). We also
intend to pursue and investigate other avenues that could add feedback
to (and be combined with) this surveillance process. For example, we
will explore other kinds of tools, such as those that may be able to be
used directly by health care providers to test and report how their
products performed. Overall, and over the long-term, we believe that
other approaches can and should be included to complement the
randomized in-the-field surveillance performed by ONC-ACBs.
Second, while an ONC-ACB must perform surveillance of randomly
selected certified Complete EHRs and certified Health IT Modules in the
field, we no longer specify a minimum number of locations at which the
ONC-ACB will be required to conduct such surveillance. This revision
reflects commenters' insight that requiring an ONC-ACB to surveil the
technology at the lesser of 5% or 10 locations, as we had proposed,
could be simultaneously both burdensome and yet unlikely to yield
statistically significant or generalizable results. It also reflects
our recognition, underscored by the comments, that well-established
methodologies and standards for post-market surveillance used in other
industries typically focus on conformity testing of discrete products
or components in isolation and thus provide little guidance for
formulating appropriate sampling and statistical methods under the ONC
Health IT Certification Program. Given the lack of suitable reference
models in other industries, we agree with commenters that this
particular aspect of an ONC-ACB's randomized surveillance approach
would benefit from additional experience and piloting. Thus we intend
to work with ONC-ACBs and the ONC-AA and issue guidance as necessary to
refine these aspects and ensure the use of consistent and reliable
methods across ONC-ACBs and their surveillance approaches.
Finally, we have eliminated the concept of ``deficient surveillance
results'' and instead applied the proposed corrective action plan
requirements across-the-board to all types of surveillance and
confirmed non-conformities. Thus, if an ONC-ACB performs randomized
surveillance for a certified Complete EHR or certified Health IT Module
and confirms a non-conformity, it must institute a corrective action
plan under Sec. 170.556(d) and report related information to the open
data CHPL, as required by Sec. 170.556(e)(3). This requirement applies
regardless of whether the non-conformity meets the 20% ``deficiency
threshold'' described in the Proposed Rule. These changes are described
in more detail below in our responses to the comments on these aspects
of our proposal.
We have finalized these revisions at Sec. 170.556(c)-(e).
Comments. A number of commenters suggested that we specify
additional details regarding the random sampling approach that ONC-ACBs
must follow when selecting certified Complete EHRs and certified Health
IT Modules for randomized surveillance and, separately, when selecting
the locations at which the technology will be surveilled in the field.
Commenters noted that under a purely random sampling approach, an ONC-
ACB would be equally likely to select a Complete EHR or Health IT
Module with relatively few installations or users as one with many
installations or users.
[[Page 62715]]
To maximize the value of randomized surveillance for providers and
other stakeholders, commenters suggested that we require ONC-ACBs to
weigh the selection of products based on the number of installed
locations, users, or other factors.
Commenters also suggested we clarify or specify additional
requirements related to the number and types of locations at which an
ONC-ACB must surveil certified Complete EHRs and certified Health IT
Modules that it has randomly selected for in-the-field surveillance.
One commenter stressed the importance of ensuring random selection of
and diversity in the providers and locations selected for surveillance.
Another commenter suggested that an ONC-ACB's approach to selecting
locations would need to vary depending on the type of implementation
(e.g., local versus hosted systems).
Response. We thank commenters for their feedback on potential
random sampling and other considerations for randomized surveillance.
While we do not explicitly adopt any additional sampling or
methodological constraints beyond those we proposed, we agree with many
of the commenters' suggestions and intend to work with ONC-ACBs and the
ONC-AA to incorporate these and other elements in their approaches to
randomized surveillance, consistent with the basic parameters
established by this final rule and discussed in more detail below.
In consideration of the comments provided, we have determined that
an ONC-ACB's selection process under randomized surveillance will
adhere to the following requirements. On an annual basis the ONC-ACB
must ensure that it meets the threshold sample size, which is initially
being established at 2% of all of the Complete EHRs and Health IT
Modules to which the ONC-ACB has issued a certification. The ONC-ACB
must randomly select products from those to which it has issued a
certification, but is permitted to implement appropriate weighting and
sampling considerations. After an ONC-ACB has randomly selected a
product for surveillance, for each product selected, the ONC-ACB must
select a random sample of one or more locations at which the ONC-ACB
will initiate in-the-field surveillance of the certified Complete EHR
or certified Health IT Module's prioritized capabilities. At both
stages of the selection process, an ONC-ACB must ensure that every
product selected and every provider location at which the product is in
use has a chance of being randomly selected for in-the-field
surveillance (unless a product is excluded from selection because it
was already selected for randomized surveillance within the last 12
months). This prospect, that any product and location may be selected
at random, is the essence of a ``random sampling'' approach and is a
central feature of randomized surveillance because it ensures that all
health IT developers' products and implementations are potential
candidates for in-the-field surveillance. The possibility that any
product may be surveilled at any provider location will encourage
developers to proactively address issues and improve the real-world
performance and reliability of health IT capabilities across all
customers.
Consistent with these principles, we clarify that an ONC-ACB's
selection of products and locations need not be random in the absolute
sense of assigning an equal probability of selection to every product
or location in the pool. Indeed, for the reasons stated by commenters,
there may be strong justifications for assigning different
probabilities or ``weights'' to products or locations based on a
variety of factors that are relevant to maximizing the value and impact
of randomized surveillance activities for providers and other
stakeholders. For example, when selecting products for randomized
surveillance, the ONC-ACB could assign greater weight to products that
are more widely adopted and used so as to increase the likelihood that
the products surveilled will include at least some products with a
large number of installations and users. This would increase the
overall impact of the ONC-ACB's surveillance activities by increasing
the likelihood of discovering and addressing non-conformities that
affect a large number of providers and users. As another example, when
randomly selecting locations at which to perform in-the-field
surveillance for any particular product, an ONC-ACB might ensure that
no two locations selected are under the common ownership or control of
a single person or entity, thereby addressing the concerns raised by
commenters regarding the diversity of providers and locations selected
for randomized surveillance.
To avoid any misinterpretation of the phrases ``randomly select''
and ``selected at random,'' we have clarified the regulation text at
Sec. 170.556(c)(2) and Sec. 170.556(c)(4)(ii) to allow for
appropriate weighting and sampling considerations in the random
selection of products and locations, respectively.
Finally, we note that under the ONC Health IT Certification
Program, it is an ongoing responsibility of the ONC-AA to ensure that
the surveillance approaches used by ONC-ACBs, including the selection
processes and methodologies for randomized surveillance discussed
above, include the use of consistent, objective, valid, and reliable
methods. (Sec. 170.503(e)(2)). We intend to work closely with the ONC-
AA and the ONC-ACBs to ensure that such methods are in place and to
identify and incorporate appropriate best practices and elements that
serve the policies of this final rule.
Comments. Commenters pointed out that while ONC-ACBs may be able to
randomly select locations at which to conduct in-the-field
surveillance, they cannot compel a provider to grant access to its
health care facility or to cooperate in the surveillance of its
certified health IT. At the same time, providers may be reluctant to
allow ONC-ACBs to perform in-the-field surveillance because of concerns
about granting access to PHI. One ONC-ACB stated that it had
experienced difficulties securing cooperation from providers in
connection with its existing surveillance activities and therefore
questioned whether providers would be willing to participate in
additional surveillance, especially when conducted at random rather
than in response to a complaint or identified issue.
Given these concerns, some commenters suggested that ONC-ACBs
should not be required to conduct randomized surveillance unless
providers are also required to participate in such surveillance as a
condition of participation in the EHR Incentive Programs or other
programs. Alternatively, other commenters suggested that we provide
exceptions and other flexibility for ONC-ACBs in the event that a
provider is selected for but does not cooperate with an ONC-ACB's in-
the-field surveillance of the provider's certified health IT. Several
commenters requested clarity on our expectations for providers' role as
participants in in-the-field surveillance, especially randomized
surveillance.
Response. We appreciate commenters' concerns and acknowledge that
randomized surveillance presents unique challenges. In particular, we
recognize that some providers who are selected for randomized
surveillance may not cooperate with an ONC-ACB's efforts. Moreover,
depending on the number of locations at which a particular product is
in use, a lack of cooperation from providers or end-users could prevent
the ONC-ACB from conducting in-the-field surveillance of that product
altogether.
[[Page 62716]]
Because we agree that an ONC-ACB should not be penalized in such
situations, we clarify that where an ONC-ACB makes a good faith effort
but is nevertheless unable to complete in-the-field surveillance at a
particular location for reasons beyond its control, the ONC-ACB may
exclude the location and substitute another location that meets the
random selection requirements described above. Similarly, in the event
that the ONC-ACB exhausts all available locations for a particular
certified Complete EHR or certified Health IT Module, the ONC-ACB may
exclude that Complete EHR or Health IT Module and substitute another
randomly selected Complete EHR or Health IT Module. In the case of
exhaustion, we clarify that the excluded certified Complete EHR or
Health IT Module would be counted towards the minimum number of
products an ONC-ACB is required to randomly surveil during the calendar
year surveillance period. We emphasize, however, that an ONC-ACB must
carefully and accurately document its efforts to complete in-the-field
surveillance for each product and at each location. The ONC-AA would be
expected to review this documentation to ensure that ONC-ACBs have met
the required random selection requirement and have made a good faith
effort to perform in-the-field surveillance prior to excluding any
product or location from randomized surveillance. We believe that these
revisions--combined with the reduced minimum sample size for in-the-
field surveillance and the clarifications noted above regarding the
number of locations at which an ONC-ACB must observe capabilities in
the field--will mitigate the concerns raised by commenters and make
randomized surveillance more manageable for ONC-ACBs, providers, and
developers.
It is our expectation that providers will cooperate with an ONC-
ACB's authorized surveillance activities, including the surveillance of
certified health IT in the field. While we understand that some
providers may be reluctant to grant ONC-ACBs access to PHI, we point
out that providers who commented on our proposal overwhelmingly
supported and urged us to finalize requirements for the surveillance of
certified health IT in the field (i.e., in production environments in
which the technology is implemented and used). Such surveillance will
only be successful if providers are actively engaged and cooperate with
ONC-ACBs' surveillance activities, including by granting access to and
assisting ONC-ACBs to observe the performance of production systems. We
also note that, in consultation with the Office for Civil Rights, we
have clarified that under the ``health oversight agency'' exception of
the HIPAA Privacy Rule, a healthcare provider is permitted to disclose
PHI to an ONC-ACB during the course of authorized in-the-field
surveillance activities, without patient authorization and without a
business associate agreement.\173\
---------------------------------------------------------------------------
\173\ See ONC Regulation FAQ #45 [12-13-045-1]. available at
http://www.healthit.gov/policy-researchers-implementers/45-question-12-13-045.
---------------------------------------------------------------------------
Comment. One commenter, an ONC-ACB, stated that some health IT
developers have resisted providing the ONC-ACB with a complete list of
the health IT developers' users. The commenter asked us to clarify that
health IT developers have an obligation to abide by and support an ONC-
ACB's surveillance requirements, including furnishing complete and up-
to-date user lists upon request.
Response. We expect an ONC-ACB to require, as a condition of
certification, that health IT developers furnish to the ONC-ACB upon
request, accurate and complete customer lists, user lists, and other
information that the ONC-ACB determines is necessary to enable it to
carry out its surveillance responsibilities. We note that even under
ONC-ACB's existing annual surveillance plans, access to accurate
customer and user lists is essential to an ONC-ACB's ability to contact
users for reactive surveillance and to conduct surveys and other
activities necessary to obtain and synthesize information about the
performance of certified health IT. Therefore, if a health IT developer
refuses to provide this information to an ONC-ACB, the ONC-ACB may
regard the refusal as a refusal to participate in surveillance under
the ONC Health IT Certification Program and institute appropriate
procedures, consistent with the ONC-ACB's accreditation to ISO 17065,
to suspend or terminate the health IT developer's certification.
Corrective Action Requirements; Reporting of Surveillance Results and
Corrective Action Information
In the Proposed Rule, we stated that if an ONC-ACB found a pattern
of nonconformity--defined as a failure to demonstrate conformity to any
prioritized certification criterion at 20% or more of the locations
surveilled--the ONC-ACB would be required to treat the certified
Complete EHR or certified Health IT Module as ``deficient.'' This
finding would also trigger special requirements for corrective action
plans and the reporting of that information to the open data CHPL.
Specifically, the ONC-ACB would have to contact the developer of the
certified Complete EHR or certified Health IT Module and require the
developer to submit a proposed corrective action plan to the ONC-ACB
within 30 days of the date that the developer was notified by the ONC-
ACB of the ``deficient'' finding. The ONC-ACB would be responsible for
prescribing the form and content of corrective action plans and for
developing specific procedures for submission and approval, with
guidance from ONC to promote consistency across ONC-ACBs.
Comments. Many commenters supported our proposal to specify certain
required elements and procedures for corrective action. Several
commenters asked us to clarify whether these requirements would apply
to non-conformities confirmed through reactive and other forms of
surveillance and, if not, what if any corrective action would be
required for those non-conformities. Several commenters urged us to
apply the same standards for corrective action to all types of
surveillance and non-conformities. Commenters pointed out that the
reasons for imposing such requirements apply with equal force to all
confirmed non-conformities, not only those identified through
randomized surveillance and meeting the proposed 20% threshold. In
particular, requiring corrective action plans and related public
reporting for only some non-conformities and not others would be
difficult to square with our stated goals of improving transparency and
accountability for health IT developers and ONC-ACBs. Commenters also
questioned whether the proposed approach would best achieve our patient
safety goals. When an ONC-ACB confirms a non-conformity in the context
of reactive surveillance, it may not know whether the problem is
widespread unless and until it conducts more extensive randomized
surveillance of a large sample of the potentially affected certified
Complete EHR or certified Health IT Module. For reasons described
earlier, ONC-ACBs may have difficulty at this time conducting
randomized surveillance on the necessary scale. Applying the corrective
action plan and related reporting requirements to all types of
surveillance and confirmed non-conformities would alert users to these
potential concerns.
Response. Our goal for these requirements was to ensure that health
IT users, implementers, and purchasers would be alerted to potential
non-conformities in a timely and effective manner, consistent with the
patient
[[Page 62717]]
safety, program integrity, and transparency objectives described in the
Proposed Rule. But as the comments make clear, the proposed
requirements would only partially serve those goals. As commenters
pointed out, there is no principled reason to apply the proposed
corrective action plan exclusively to non-conformities identified in
the context of the proposed randomized surveillance approach. Moreover,
the comments suggest that prescribing different corrective action plan
requirements in this context than for other types of non-conformities
(which would be governed by an ONC-ACB's general responsibility to
require corrective action per its accreditation to ISO 17065) would
likely create significant and unnecessary confusion.
Particularly in light of the reduced emphasis on randomized
surveillance in comparison to the Proposed Rule, we are persuaded that
our policy objectives will be better served by requiring the same
approach to corrective action across the board. Thus we have finalized
the proposed requirements for corrective action plans for all certified
Complete EHRs and certified Health IT Modules for which an ONC-ACB
confirms a non-conformity, whether that non-conformity is confirmed
through randomized, reactive, or any other form of surveillance under
the ONC Health IT Certification Program.
For similar reasons, we have finalized the proposed reporting
requirements for corrective action plans and extended these
requirements to all cases in which an ONC-ACB confirms a non-conformity
and subsequently approves a corrective action plan. Requiring the
uniform submission of this information will promote transparency and
alert health IT users, implementers, and purchasers to potential
conformity issues in a more timely and effective manner. These
reporting requirements are discussed further below in our response to
the comments on this aspect of our proposal and also in our discussion
of the ``Open Data CHPL'' requirements found elsewhere in this
preamble.
Comment. A commenter suggested that in addition to making
information about corrective action plans available on the CHPL, we
should require health IT developers to notify affected users of the
corrective action, similar to the requirements for breach notification
under the HIPAA Rules. The commenter stated that many providers do not
regularly check the CHPL and therefore may not be made aware of
problems in a timely manner.
Response. We appreciate the commenter's suggestion that health IT
developers who are subjected to a corrective action plan should be
required to notify affected and potentially affected users of
identified non-conformities and deficiencies. We already proposed to
require developers to describe in their corrective action plans both an
assessment of how widespread an identified non-conformity might be and
how the developer planned to address the non-conformity both at the
specific locations at which surveillance occurred and more generally at
other potentially affected locations (80 FR 16879). Requiring
developers to describe how they will notify affected and potentially
affected users of the extent of the problem and their plans to address
it is a natural extension of these requirements and will help alert
stakeholders to potential non-conformities in a timely and effective
manner, which was one of the stated purposes of these requirements (80
FR 16884).
Accordingly, we have added as a requirement of all corrective
action plans approved by an ONC-ACB that the developer identify a
process for ensuring that all affected and potentially affected
customers and users are alerted to identified non-conformities and
deficiencies, as applicable. This process must describe in detail: How
the developer will assess the scope and impact of the problem,
including identifying all potentially affected customers; how the
developer will promptly ensure that all potentially affected customers
are notified of the problem and plan for resolution; how and when the
developer will resolve issues for individual affected customers; and
how the developer will ensure that all issues are in fact resolved.
To ensure adherence to these requirements for notification and
resolution across a developer's customer base, and to the other
requirements of the approved corrective action plan, we have added as
an additional requirement of all corrective action plans approved by an
ONC-ACB that the developer attest to having completed all required
elements of the plan, including the requirements for alerting customers
and users described above.
Comments. Many commenters supported our proposals to improve the
reporting and submission of surveillance results. Several commenters
stated that requiring ONC-ACBs to submit corrective action plan
information to the publicly accessible open data CHPL would provide
customers and users with valuable information about the performance of
certified health IT while significantly enhancing transparency and
accountability for health IT developers and ONC-ACBs.
Some commenters, including several health IT developers, objected
to the reporting of corrective action plan information to the publicly
accessible Open Data CHPL. Some commenters felt that information about
non-conformities should not be made public unless and until the
developer of the certified Complete EHR or certified Health IT Module
at issue has been given a full and fair opportunity to contest the ONC-
ACB's determination, including whether the developer was responsible or
``at fault'' for the non-conformity. Other commenters stated that such
information should never be made public because it is bound to lack
important context, could be misinterpreted, or would not offer
substantial value to health IT customers and users. Separately, some
commenters raised concerns regarding the reporting of proprietary or
competitively sensitive information.
A few commenters suggested that to reduce reporting burden or
improve the efficacy of the open data CHPL, we limit the types of
information about corrective action that an ONC-ACB would be required
to submit. One commenter suggested that the reporting of corrective
action plan information be limited to 2015 Edition certified health IT
and that reporting of surveillance results be limited to twice a year
instead of quarterly. The commenter stated that these changes would
reduce burden and enable us to assess the costs of these reporting
requirements.
Response. We agree with commenters that requiring ONC-ACBs to
report surveillance results to the National Coordinator on a quarterly
basis will significantly improve our ability to respond to problems and
provide timely and accurate information stakeholders.
With regard to the reporting of corrective action plan information
to the open data CHPL, we understand the concerns raised by some
commenters but believe that it is both necessary and appropriate to
require ONC-ACBs to submit this information. The public safety,
transparency, and program integrity rationales for requiring timely and
public reporting of this information are compelling. In comparison, and
contrary to the assertions of some commenters, making this information
available is not likely to cause customers and users to draw inaccurate
or unfair conclusions about a health IT developer or its certified
technology. By definition, this information will only be required when
an ONC-ACB has confirmed a non-conformity and
[[Page 62718]]
required a health IT developer to take corrective action. Thus the ONC-
ACB will have completed its review of the relevant facts and
circumstances, including those raised by the developer in the course of
the surveillance of its certified Complete EHR or certified Health IT
Module. ONC-ACBs are required to make such determinations in accordance
with their accreditation to ISO 17065 and with the Principles of Proper
Conduct for ONC-ACBs, subject to ongoing supervision by the ONC-AA.
Moreover, as stated in the Proposed Rule, when the developer has
provided an explanation of the deficiencies identified by the ONC-ACB
as the basis for its determination, the ONC-ACB must include the
developer's explanation in its submission to the open data CHPL. Thus
developers will be able to note any objections and provide any
additional context or information that may be relevant to interpreting
the results of the surveillance and the ONC-ACB's findings and
conclusions.
We are confident that the concerns of some commenters regarding
disclosure of proprietary or sensitive information will be adequately
addressed through appropriate safeguards implemented at the discretion
of ONC-ACBs. ONC-ACBs should not submit to the open data CHPL any
information that is in fact legally privileged or protected from
disclosure. ONC-ACBs may also implement other appropriate safeguards,
as necessary, to protect information they believe should not be
reported to a publicly available Web site. However, we caution ONC-ACBs
to ensure that such safeguards are narrowly tailored and consistent
with our goal of promoting the greatest possible degree of transparency
with respect to certified health IT and the business practices of
certified health IT developers. ONC-ACBs are required to accurately
report the results of their surveillance and to explain in detail the
facts and circumstances on which their conclusions are based.
Similarly, health IT developers are required to cooperate with these
efforts and may not prevent or seek to discourage an ONC-ACB from
reporting the results of its authorized surveillance activities. We
note that while the ONC Health IT Certification Program is a voluntary
one, developers who choose to participate agree to comply with
certification program requirements, including reporting requirements
designed to ensure transparency and accountability for all participants
and stakeholders.
We decline to limit the requirements for more frequent reporting of
surveillance results to the National Coordinator and the submission of
corrective action plan information to the open data CHPL to 2015
Edition certified health IT. The public safety, transparency, and
program integrity reasons for requiring the reporting of this
information apply to all, and not only 2015 Edition, certified health
IT. However, we do agree that the reporting of corrective action
information should be limited to the types of information that will be
useful to customers and users, consistent with the goals of reporting
this information to the open data CHPL explained above. We have
therefore revised Sec. 170.523(f)(1)(xxii) and (f)(2)(xi) to limit
reporting to the following subset of information:
The specific certification requirements to which the
technology failed to conform, as determined by the ONC-ACB;
A summary of the deficiency or deficiencies identified by
the ONC-ACB as the basis for its determination of non-conformity;
When available, the health IT developer's explanation of
the deficiency or deficiencies;
The dates surveillance was initiated and completed;
The results of randomized surveillance, including pass
rate for each criterion in instances where the Health IT Module is
evaluated at more than one location;
The number of sites that were used in randomized
surveillance;
The date of the ONC-ACB's determination of non-conformity;
The date on which the ONC-ACB approved a corrective action
plan;
The date corrective action began (effective date of
approved corrective action plan);
The date by which corrective action must be completed (as
specified by the approved corrective action plan);
The date corrective action was completed; and
A description of the resolution of the non-conformity or
non-conformities.
Comments. We proposed that an ONC-ACB would have to require a
health IT developer to submit a proposed corrective action plan within
30 days of being notified of an ONC-ACB's non-conformity determination
and to complete an approved corrective action plan within 6 months of
such notice. One commenter stated that this timeline was much too long
and that developers should not be able to market health IT as certified
for 6 months while they correct a non-conformity. Another commenter
stated that the 30 day timeline was too short because it would not
allow sufficient time for the developer to understand and investigate
the issues and respond to the ONC-ACB's preliminary findings.
Response. We agree with the commenter that a developer should be
able to complete an approved corrective action plan within a
substantially shorter timeframe than we proposed.
We clarify that the 30 day period for submitting a proposed
corrective action plan would begin to run only after an ONC-ACB has
issued a non-conformity determination. In our experience, ONC-ACBs
already work with health IT developers and users to investigate
potential non-conformities prior to issuing a final determination.
Because this back-and-forth will have occurred prior to the ONC-ACB's
non-conformity determination, we believe that a developer should be
able to submit a proposed corrective action plan within 30 days of
being notified of the ONC-ACB's non-conformity determination under
Sec. 170.556(d)(1). Similarly, if after 90 days of notifying the
developer of a non-conformity under Sec. 170.556(d)(1), the ONC-ACB
cannot approve a corrective action plan because the developer has not
submitted a revised proposed corrective action plan in accordance with
Sec. 170.556(d)(4), the ONC-ACB must initiate suspension procedures.
Finally, an ONC-ACB must initiate suspension procedures when it has
approved a corrective action plan but the developer fails to comply
with all of the requirements of the plan within the time specified
therein. We have revised Sec. 170.556(d)-(e) to reflect these
requirements.
Effective Date and Applicability of Requirements
At the time of this Proposed Rule, ONC-ACBs had submitted their
annual surveillance plans for calendar year 2015, which include their
existing approaches and methodologies for randomized surveillance. To
minimize disruption to ONC-ACBs' current surveillance activities, we
proposed to make the requirements for randomized surveillance effective
beginning on January 1, 2016. We said this would provide time for ONC-
ACBs to implement these requirements in their annual surveillance plans
and incorporate additional guidance and clarification from ONC and the
ONC-AA as necessary. All other proposed surveillance requirements would
be effective immediately. We requested comment on whether this timeline
and plan for implementation was appropriate and on ways to minimize
disruption and ensure that the requirements and purpose of this
proposal are timely and effectively achieved.
[[Page 62719]]
Comments. Some commenters, including the ONC-AA and an ONC-ACB,
suggested that we specify a single January 1, 2016 effective date for
all proposed surveillance requirements in order to allow ONC-ACBs to
effectively and consistently implement these requirements in their
annual surveillance plans for the calendar year 2016 surveillance
period. Another commenter, also an ONC-ACB, stated that it would have
difficulty implementing the randomized surveillance requirements for
calendar year 2016 and suggested that the requirements be postponed
until January 1, 2017. Yet another commenter felt that the timeline for
implementing the proposed requirements should be more aggressive.
One ONC-ACB suggested that the proposed requirements for in-the-
field surveillance be applied only to 2015 Edition certified health IT
so that ONC-ACBs could implement the requirements prospectively in new
contracts with health IT developers.
Response. We believe that the proposed timeline for implementation
is reasonable. Given the significantly reduced scope of randomized
surveillance in comparison the Proposed Rule, we are confident that
ONC-ACBs will be able to complete randomized surveillance requirements
over the course of the calendar year 2016 surveillance period. We also
believe that ONC-ACBs will be able to implement the other requirements
established by this final rule during the 90 days between its
publication and effective date. Accordingly, ONC-ACBs must comply with
all new requirements by the effective date of this final rule. We will
provide guidance to ONC-ACBs regarding updates to their annual
surveillance plans for calendar year 2016 and, as necessary, regarding
other aspects of surveillance affected by this final rule.\174\
---------------------------------------------------------------------------
\174\ In our annual surveillance guidance to ONC-ACBs for the
calendar year 2016 surveillance period, we stated that ONC-ACBs
should be aware of the proposals in the 2015 Edition proposed rule
that could affect their surveillance responsibilities and indicated
that we would update our surveillance guidance as necessary in the
event that such proposals were finalized. ONC, ONC Health IT
Certification Program, Program Policy Guidance #15-01 (July 16,
2015), http://healthit.gov/sites/default/files/policy/onc-acb_cy16annual_surveillance_guidance.pdf.
---------------------------------------------------------------------------
We decline to adopt the commenter's suggestion to limit the
requirements for in-the-field surveillance and maintenance of
certification to only 2015 Edition certified health IT. The need to
assure that certified health IT conforms to the requirements of its
certification is applicable to all health IT certified under the ONC
Health IT Certification Program, not just technology certified to the
new 2015 Edition. Thus, as proposed, we have finalized the in-the-field
surveillance and maintenance of certification requirements for all
Health IT Modules certified to either the 2015 Edition or the 2014
Edition. With respect to Complete EHRs, because we have discontinued
Complete EHR certification with the 2015 Edition, we have finalized
these requirements for all Complete EHRs certified to the 2014 Edition.
We note that Complete EHR certification to the 2014 Edition has and
will continue to occur as providers may use health IT certified to the
2014 Edition to meet the CEHRT definition at least through 2017 based
on the EHR Incentive Programs Stage 3 and Modifications final rule
published elsewhere in this issue of the Federal Register.
2. Transparency and Disclosure Requirements
We proposed to revise the Principles of Proper Conduct for ONC-ACBs
to require greater and more effective disclosure by health IT
developers of certain types of limitations and additional types of
costs that could interfere with the ability to implement or use health
IT in a manner consistent with its certification. We stated that these
additional disclosure requirements were necessary to ensure that
existing and potential customers, implementers, and users of certified
health IT are fully informed about these implementation considerations
that accompany capabilities certified under the ONC Health IT
Certification Program.
Our proposal expanded on health IT developers' existing disclosure
obligations at Sec. 170.523(k)(1). Those obligations were adopted in
the 2014 Edition final rule to promote greater price transparency in
certified health IT capabilities required to meet meaningful use
objectives and measures; to mitigate confusion in the marketplace; and
to reduce the risk that EPs, eligible hospitals, and CAHs would
encounter unexpected difficulties in the implementation or use of
certified health IT.
As we explained in the Proposed Rule, despite our initial efforts
to promote greater transparency and disclosure of information by health
IT developers, many providers continue to lack reliable up-front
information about health IT products and services. We described reports
from providers who have encountered unexpected costs and limitations in
connection with their certified health IT that were not disclosed or
contemplated when the technology was initially purchased or licensed.
(80 FR 16880-81). We said that the failure of developers to disclose
``known material information'' about limitations or additional types of
costs associated with the capabilities of certified health IT
diminishes both the reliability of certified health IT and of
certifications issued under the ONC Health IT Certification Program. In
particular, the failure of developers to disclose such information
creates a substantial risk that existing or prospective users of
certified health IT will encounter problems implementing and using the
health IT in a manner consistent with its certification. Moreover,
inadequate or incomplete information about health IT products and
services distorts the marketplace by preventing customers from
accurately assessing the costs and capabilities of different
technologies and selecting the most appropriate solutions to their
needs, which increases the likelihood of downstream implementation
problems and, ultimately, reduced opportunities to use health IT to
improve health and health care. Finally, customers who purchase or
license inappropriate or suboptimal technologies may find it difficult
to switch to superior alternatives due to the often significant
financial and other ``switching costs'' associated with health IT.\175\
When providers become ``locked in'' to technologies or solutions that
do not meet their needs or the needs of their patients, health IT
developers have fewer incentives to innovate and compete on those
aspects of health IT that providers and their patients most value and
need.
---------------------------------------------------------------------------
\175\ The costs of switching to a new technology include not
only the costs of purchasing or licensing the technology itself but
of installing and integrating it with other administrative and
clinical IT systems, migrating data, redesigning associated
workflows and processes, and retraining staff to use the new
technology. The transition may also disrupt normal health care and
business operations, adding additional costs and strain on provider
organizations and staff.
---------------------------------------------------------------------------
For all of these reasons, we proposed to revise and strengthen our
existing transparency and disclosure requirements in three key
respects.
First, under our proposal, a health IT developer's obligation to
disclose ``additional types of costs'' would no longer be confined to
the use of capabilities to demonstrate a meaningful use objective or
measure under the EHR Incentive Programs. Instead, ONC-ACBs would be
required to ensure that developers disclose any additional types of
costs that a user may incur in order to implement or use capabilities
of
[[Page 62720]]
certified health IT, whether to demonstrate meaningful use objectives
or measures or for any other purpose within the scope of the health
IT's certification.
Second, in addition to ``additional types of costs,'' we proposed
that health IT developers would be required to disclose other factors
that may similarly interfere with a user's ability to successfully
implement certified health IT, including information about certain
``limitations'' associated with its certified health IT. We explained
that the failure to disclose information about limitations--including
contractual, technical, and other restrictions or policies--associated
with certified health IT creates a substantial risk that current or
prospective users will encounter problems implementing the health IT in
a manner consistent with its certification. Thus the disclosure of this
information is no less important than the disclosure of information
about additional types of costs.
Third, with regard to both ``limitations'' and ``additional types
of costs,'' we proposed to significantly broaden the types of
information and the level of detail that a health IT developer would be
required to disclose. In contrast with the price transparency
requirements adopted in the 2014 Edition final rule, which required
disclosure only of additional types of costs that a user ``would pay''
to implement certain capabilities, we proposed to require health IT
developers to be more proactive in identifying the kinds of limitations
and additional types of costs that a user ``may'' pay or encounter in
order to achieve any use of the health IT within the scope of its
certification. Specifically, developers would be required to provide,
in plain language, a detailed description of any ``known material
information'' about limitations that a purchaser may encounter, and
about additional types of costs that a user may be required to pay, in
the course of implementing or using the capabilities of health IT to
achieve any use within the scope of its certification. We also provided
an extensive discussion of the types of information that would be
deemed ``material'' and of the types of information that developers
would and would not be required to disclose. Further, we described the
manner in which the information would need to be disclosed as well as
safeguards to avoid the disclosure of intellectual property and trade
secrets.
Finally, in addition to these three aspects, we proposed one
additional element designed to complement the disclosure requirements
set forth in the Proposed Rule. We proposed that in addition to
requiring health IT developers to disclose known material information
about their certified health IT, an ONC-ACB would be required to obtain
a public attestation from every health IT developer to which it issues
or has issued a certification for any edition of certified health IT.
The attestation would take the form of a written ``pledge'' by the
health IT developer to take the additional, voluntarily step of
proactively providing information (which it would already be required
to disclose via its website and in marketing and other materials) to
all current and prospective customers as well as to any other persons
who request such information. While adherence to the attestation would
be strictly voluntary, we explained that requiring developers to make
the attestation could encourage a culture of greater transparency and
accountability in the health IT marketplace. For example, health IT
purchasers, implementers, and users (and organizations that represent
them) would be invited to approach developers directly and request
information most relevant to their health IT decisions and needs. The
expectation that developers will provide this information in a way that
is more meaningful for stakeholders, consistent with the attestation,
would create greater competitive incentives for developers to do so.
Developers would also receive important feedback about the types of
information that stakeholders find important, which would assist
developers in meeting their disclosure obligations under the ONC Health
IT Certification Program. For example, requests for information about a
particular cost or capability may alert the developer to a material
limitation or additional type of cost that it is required to disclose.
Comments. Most commenters strongly supported our proposal to
require the disclosure of additional information about certified health
IT. Many of these commenters agreed with our assessment that providers
and other stakeholders often lack reliable information about certified
health IT products and services and, as a result, may encounter
unexpected costs and limitations that interfere with their ability to
successfully implement and use certified health IT capabilities.
Several commenters cited examples of providers encountering unexpected
fees to license, implement, upgrade, or use health IT; to exchange or
export electronic health information stored in certified health IT; or
to integrate certified health IT capabilities and data with other
technologies, organizations, and applications. Similarly, commenters
cited examples of providers encountering unanticipated contractual,
technical, or other limitations on their ability to implement and use
certified health IT capabilities in the manner they anticipated when
they purchased or licensed the technology. Some commenters stated that
small providers are especially vulnerable to these unexpected
challenges because they lack the resources and time to study and
understand the complexities associated with developer contracts.
Many commenters stated that the proposed transparency and
disclosure requirements would help ensure that providers are informed
of these and other considerations and enable them both to more reliably
estimate the resources needed to successfully implement certified
health IT capabilities and to arrive at a realistic expectation of how
those capabilities will perform in the field. Commenters also noted
that this increased ability of customers to assess and compare
certified health IT products and services could reduce the problems of
``lock in'' and ``unfair surprise'' described in our proposal and put
pressure on developers to compete to innovate and deliver better and
more affordable technologies and solutions based on provider and
consumer preferences. Commenters also stated that greater transparency
in health IT products and services would help to expose and discourage
information blocking and other business practices that frustrate
interoperability and prevent the effective sharing of electronic health
information. A number of commenters cited our discussion of these
issues in our recent Report to Congress on Health Information
Blocking.\176\
---------------------------------------------------------------------------
\176\ ONC, Report to Congress on Health Information Blocking
(April 2015), http://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf (hereinafter ``Blocking Report'').
---------------------------------------------------------------------------
Response. We thank commenters for their detailed and thoughtful
feedback on this proposal. As that feedback overwhelmingly
demonstrates, the lack of transparency and access to reliable
information about health IT products and services is a persistent and
pervasive problem that undermines the reliability of certifications
issued on behalf of ONC and creates substantial risks that users will
be unable to successfully implement and derive the benefits of
certified health IT. For this and the additional reasons discussed
below in our responses to comments on specific aspects of our proposal,
we have finalized the transparency and
[[Page 62721]]
disclosure requirements at Sec. 170.523(k). We have finalized these
requirements as proposed, except for the attestation requirement, which
we have revised. To complement these new requirements, we have also
finalized additional reporting requirements to the open data CHPL,
which we have added to Sec. Sec. 170.523(f)(1) and (f)(2). We discuss
these revisions below in our response to the comments on this aspect of
our proposal.
Comments. Several commenters specifically agreed with our proposal
to require health IT developers to disclose known material information
about the capabilities of certified health IT, including limitations
and additional types of costs. Many commenters also specifically
endorsed our proposal to apply these requirements uniformly to all
capabilities and uses within the scope of a health IT's certification--
not just those required to meet a specific meaningful use objective or
measure. Commenters stated that applying clear and uniform standards
for the disclosure of this information will be necessary to help
customers understand and use an increasing array of certified health IT
products, services, and capabilities.
In contrast, some commenters, mostly health IT developers, strongly
opposed all of the proposed disclosure requirements. These commenters
stated, among other objections, that requiring the disclosure of this
information is unnecessary; would be burdensome for developers; and
could limit developers' flexibility to design and market their products
and services in ways that their customers value. Several commenters
stated that the proposed disclosure requirements would be unfair to
developers because developers may not be aware of capabilities or uses
of their technology that are not specifically required to demonstrate
the meaningful use of certified health IT under the EHR Incentive
Programs. Some commenters also stated that developers should not be
expected to know about--or required to disclose--limitations or
additional types of costs that may apply to third-party components or
that may flow from local implementation decisions.
Response. While we appreciate the concerns raised by some
commenters, we believe they are outweighed by the need to promote
greater and more meaningful disclosure of information by developers of
health IT certified on behalf of ONC.
First, we respectfully disagree with the assertion that these
transparency and disclosure requirements are unnecessary. Our
conclusion is based on the overwhelming support for this proposal from
providers and other customers of certified health IT, whose comments
and first-hand accounts of the health IT marketplace affirm our
assessment in the Proposed Rule. Those comments suggest that many
customers lack access to reliable information about certified health IT
products and services and, as a result, are more likely to encounter
unexpected costs and limitations that interfere with their ability to
successfully implement and use certified health IT capabilities. The
comments also provide insight into other deleterious consequences that
flow from a lack of basic transparency in the marketplace, including
the increased risk that developers will engage in information blocking
and other business practices that undermine the goals of certification
and the ONC Health IT Certification Program.
Second, we disagree that the transparency and disclosure
requirements are burdensome or unfair to health IT developers. We note
that developers are not required to disclose information of which they
are not and could not reasonably be aware, nor to account for every
conceivable cost or implementation hurdle that a customer may encounter
in order to successfully implement and use the capabilities of a
developer's certified health IT. Indeed, we recognized in the Proposed
Rule that certified health IT often functions in combination with many
third party technologies and services whose specific costs and
limitations may be difficult for a health IT developer to precisely
predict or ascertain. Local implementation factors and other individual
circumstances also vary substantially among customers and impact the
cost and complexity of implementing certified health IT. In addition,
the costs of upgrading health IT to meet new regulatory requirements or
compliance timelines, which are subject to change, may make some
particular types of additional costs especially difficult to forecast.
Nevertheless, it is reasonable to assume that health IT developers
are experts on their own products and services and possess
sophisticated technical and market knowledge related to the
implementation and use of health IT in a variety of settings in which
their products are used. Through their accumulated experience
developing and providing health IT solutions to their customers, health
IT developers should be familiar with the types of costs and
limitations that most users encounter, and therefore must describe
these in sufficient detail so as to provide potential customers with
the information they need to make informed purchasing or licensing and
implementation decisions.
Finally, we disagree that the transparency and disclosure
requirements will limit developers' flexibility to design and market
their products and services in ways that their customers value. To the
contrary, greater transparency in health IT developers' business
practices will provide customers with the basic information they need
to make informed decisions in the marketplace, which will in turn
encourage and enable developers to experiment, innovate, and compete to
deliver products and services that customers demand and on such prices
and terms that meet their individual needs and requirements.
Comments. Several commenters stated that ONC-ACBs and developers
may have difficulty complying with the proposed disclosure requirements
because we had not specified with sufficient clarity or detail the
types of information that developers would be required to disclose. Two
ONC-ACBs indicated that additional guidance may be needed to fully
implement the requirements. However, another ONC-ACB that commented
extensively on the proposal did not raise these concerns. In addition,
the ONC-AA supported our approach and noted that the criteria and
examples described in the Proposed Rule provided sufficient guidance to
ONC-ACBs and developers. The ONC-AA stated that while ONC-ACBs and
developers would inevitably need to exercise some degree of judgment
regarding the precise form and content of the required disclosures,
comparisons across developers' disclosures would promote consistency
and provide additional clarity to ONC-ACBs, developers, and other
stakeholders as to the types of information and level of detail that
must be disclosed.
Response. We understand the desire for clear and predictable rules
governing these expanded disclosure requirements under the ONC Health
IT Certification Program. We note that our ability to issue guidance is
limited by the problem we are trying to solve; that is, the lack of
transparency in the marketplace means we lack detailed information
about many types of limitations and additional types of costs that
customers and users may encounter in the course of implementing and
using certified health IT and that developers would be required to
disclose.
Nevertheless, based on the comments and in particular the feedback
of the ONC-AA, we believe that the principles and examples provided in
the Proposed Rule provide a workable starting point for ONC-ACBs to
apply, and developers
[[Page 62722]]
to comply with, the disclosure requirements. As stated by the ONC-AA,
while these principles inevitably involve the exercise of some
discretion, comparisons across developers' disclosures over time will
provide consistency and additional clarity regarding the types of
information and level of detail that developers must disclose. In
addition, as our visibility into these practices improves, we stand
ready to issue additional guidance.
For the sake of additional clarity, we clarify that to comply with
the disclosure requirements, a developer must disclose in plain
language--on its website and in all marketing materials, communications
statements, and other assertions related to its certified health IT--a
detailed description of all known material information concerning
limitations and additional types of costs that a person may encounter
or incur to implement or use certified health IT capabilities, whether
to meet meaningful use objectives and measures or to achieve any other
use within the scope of the health IT's certification. Such information
is ``material'' (and its disclosure therefore required) if the failure
to disclose it could substantially interfere with the ability of a user
or prospective user to implement certified health IT in a manner
consistent with its certification. Certain kinds of limitations and
additional types of costs will always be material and thus, if known,
must be disclosed. These include but are not limited to:
Additional types of costs or fees (whether fixed,
recurring, transaction-based, or otherwise) imposed by a developer (or
any third-party from whom the developer purchases, licenses, or obtains
any technology, products, or services in connection with its certified
health IT) to purchase, license, implement, maintain, upgrade, use, or
otherwise enable and support the use of capabilities to which health IT
is certified; or in connection with any data generated in the course of
using any capability to which health IT is certified.
Limitations, whether by contract or otherwise, on the use
of any capability to which technology is certified for any purpose
within the scope of the technology's certification; or in connection
with any data generated in the course of using any capability to which
health IT is certified.
Limitations, including but not limited to technical or
practical limitations of technology or its capabilities, that could
prevent or impair the successful implementation, configuration,
customization, maintenance, support, or use of any capabilities to
which technology is certified; or that could prevent or limit the use,
exchange, or portability of any data generated in the course of using
any capability to which technology is certified.
As already noted, developers are not required to disclose
information of which they are not and could not reasonably be aware,
nor to account for every conceivable type of cost or implementation
hurdle that a customer may encounter in order to successfully implement
and use the capabilities of the developer's certified health IT.
Developers are required, however, to describe with particularity the
nature, magnitude, and extent of the limitations or types of costs. A
developer's disclosure possesses the requisite particularity if it
contains sufficient information and detail from which a reasonable
person under the circumstances would, without special effort, be able
to reasonably identify the specific limitations he may encounter and
reasonably understand the potential costs he may incur in the course of
implementing and using capabilities for any purpose within the scope of
the health IT's certification.
Comments. A commenter asked whether a developer would be required
to disclose known material limitations of its certified health IT where
the limitations are due to the actions of a third-party from whom the
developer purchases, licenses, or obtains technology, products, or
services in connection with its own certified health IT. The commenter
noted that in describing certain kinds of presumptively material
information that a developer would be required to disclose, we
mentioned third parties only in connection with types of costs and not
limitations.
Response. We clarify that a developer must disclose known material
limitations of its certified health IT, including limitations caused by
a third party that the developer should be aware of under the
circumstances.
A developer's disclosure obligations are limited to material
information that the developer knows or should know about under the
circumstances. The reference to third parties at Sec.
170.526(k)(1)(iv)(A) and above is intended to limit the material types
of costs a developer will be presumed to know about to those that the
developer itself imposes or that are imposed by a third party from whom
the developer purchases, licenses, or obtains any technology, products,
or services in connection with its certified health IT. This reflects
the reality that developers are unlikely to know about types of costs
imposed by third parties with whom they do not have a contractual
relationship. In contrast, because limitations include not only
contractual restrictions but also technical and practical limitations
of a developer's technology, developers will often be aware of material
limitations notwithstanding the existence of a contractual
relationship, and there is therefore no reason to expressly qualify the
types of material limitations for which a developer may, in appropriate
circumstances, be presumed to have knowledge.
Comments. Several commenters who supported our proposal urged us to
require the disclosure of more specific information about prices and
cost structures for health IT products and services. Some of these
commenters suggested that developers be required to disclose specific
prices for each service a user may need and provide guidance on how
relevant factors--such as the volume of transmissions, geography,
interfaces, and exchange partner technology--may impact the costs of
those services. One commenter stated that developers should be required
to disclose more detailed and specific cost structures that include
costs and fees not covered by the provider's service contract. Another
commenter stated that developers should be required to disclose costs
that could arise from common end-user customizations and
implementations of the developer's health IT. Commenters believed that
requiring the disclosure of this information would enable customers to
more easily and accurately estimate their likely total cost of
ownership and other costs.
In contrast, several health IT developers and a few other
commenters strongly objected to a requirement to disclose any
additional information about prices or costs. One commenter stated that
this information and other ``commercial terms and conditions'' are too
varied and complex to be disclosed in a useful manner to customers.
Other commenters worried that requiring disclosure of this information
could expose intellectual property, trade secrets, or other sensitive
information.
Response. We thank commenters for their extensive input regarding
the types of costs and price information health IT developers should be
required to disclose.
We understand the importance of ensuring that health IT developers'
disclosures provide meaningful information to customers and users of
certified health IT. We believe it is important for developers to
provide the kind of information and level of detail
[[Page 62723]]
that will enable ordinary purchasers, licensees, and users to
understand and make informed health IT purchasing and implementation
decisions.
At the same time, we appreciate that the disclosure of certain
kinds of proprietary or confidential information may not be necessary
to achieve these goals and may also lead to undesirable consequences.
Requiring developers to disclose trade secrets and other confidential
information, for example, could dampen innovation by making it
difficult for developers to license and make their technologies
available on terms that protect their research and investments.\177\
And requiring the disclosure of detailed price information could lessen
price competition or even lead to price coordination among competitors,
at least for certain kinds of products and services in highly
concentrated markets.
---------------------------------------------------------------------------
\177\ See M. Jager, 1 Trade Secrets Law Sec. 1.1; Restatement
(Third) of Unfair Competition Sec. 39, cmt. a.
---------------------------------------------------------------------------
We believe the approach described in the Proposed Rule accommodates
these concerns by ensuring that developers' disclosures are
comprehensive, and thus meaningful, while also providing certain
safeguards against the unnecessary disclosure of proprietary or
confidential information.
Consistent with that approach, and to comply with this final rule,
a developer must make a comprehensive disclosure of all known material
information regarding its certified health IT--including limitations
and additional types of costs. With respect to types of costs, the
disclosure must identify and describe the types of costs with
particularity, from which a potential customer or user would be able to
reasonably understand his potential costs to implement and use the
health IT for any purpose within the scope of the health IT's
certification. The disclosure must also describe the factors that
impact additional types of costs, including but not limited to
geographical considerations, volume and usage, costs associated with
necessary interfaces or other licenses or technology, and costs
associated with exchange partner technology and characteristics, among
other relevant factors. Since certified technical capabilities may be
bundled with non-certified capabilities, any disclosure would need to
include an explanation of any limitations such other non-certified
capabilities may have on the use or implementation of the certified
capabilities.\178\ Developers have substantial flexibility as to the
content of their disclosures, including how they choose to describe the
particular limitations and additional types of costs associated with
their certified health IT products and services. As such, developers
should be able to comply with the disclosure requirements without
publishing their prices or cost structures or unnecessarily disclosing
information that they deem confidential.
---------------------------------------------------------------------------
\178\ Health IT includes ``hardware, software, integrated
technologies or related licenses, intellectual property, upgrades,
or packaged solutions sold as services. . . .'' 42 U.S.C. Sec.
300jj(5).
---------------------------------------------------------------------------
The following scenario and discussion further illustrate these
requirements.
Scenario: A Health IT Module is certified to the 2014
Edition transitions of care certification criterion at Sec.
170.314(b)(1). The developer of the Health IT Module charges a yearly
``subscription fee'' for the use of the capability. In making the
capability available, the developer bundles it with its own HISP.
Because the developer is not a member of any trust network, users can
only exchange transitions of care summaries with other users of the
developer's own HISP and with users of third-party HISPs with which the
developer has negotiated or is willing to negotiate a trust agreement.
The developer also charges a ``transaction fee'' for each transitions
of care summary sent or received via a third-party HISP (the
transaction fee does not apply for transitions of care summaries
exchanged among users of the developer's own HISP).
Under these facts, the developer must disclose the existence of the
subscription fee and the transaction fee--each of which is a known
material type of cost associated with the transitions of care
capability. In addition, the developer must disclose the known material
limitation (and any associated additional types of costs) presented by
its HISP policy. The developer must describe each of these additional
types of costs and limitations with particularity to the extent they
impact the implementation and use of the transitions of care capability
for any purpose to which it is certified.
Beginning with the ``subscription fee,'' the developer must
disclose that there is such a fee along with any factors that impact
the amount a customer would have to pay. Examples include number of
licenses or limitations on the number of workstations where the
software is deployed, additional types of costs related to the volume
of transactions, or usage, or associated bandwidth costs for a
customer's transactions. Such factors would need to be described with
particularity. For example, for additional types of costs related to
the volume of transactions, the developer would need to explain how the
volume of transactions would be measured and if variations in volume or
types of transactions may trigger additional fees or variations in the
subscription fee.
Turning to the developer's HISP policy, the developer must disclose
this material limitation and the additional types of costs a user may
incur as a result. The developer must explain, for example, that as a
result of its policy the transitions of care capability is restricted
and users will be unable to exchange transitions of care summaries with
users of third-party HISPs with whom the developer does not have a
trust agreement. The developer must describe, in plain terms, its
current network of HISPs and how such network would enable a user to
exchange transitions of care summaries with users of other HISPs
servicing a provider's local referral area, including HISPs that
participate in trust networks. Further, the disclosure needs to clearly
identify any HISPs with whom the developer will not permit exchange or
which the developer knows will not agree to a trust agreement with the
developer (e.g., because the developer is not a member of a particular
trust network). If the developer offers the option to customers to
connect to third-party HISPs with whom the developer currently has no
relationship, the developer must describe the process for customers to
request such connectivity. The developer must also describe any
additional types of costs that may apply for this service, including a
description of any factors (e.g., geographical considerations or
variability in HISP technologies and trust policies) that impact the
amount a customer would have to pay.
Finally, the developer would need to disclose the separate
``transaction fee'' charged for exchanging transitions of care
summaries with users of third-party HISPs. Disclosure of all additional
types of costs based on volume, geography, or exchange partner
technology would be required. The developer would also be required to
provide additional information to assist the customer in realistically
understanding additional potential costs of sending and receiving
transitions of care summaries via third-party HISPs.
The scenario and discussion above illustrate the substantial
flexibility developers have in determining the content of their
disclosures, including how they choose to describe the particular
limitations and types of costs
[[Page 62724]]
associated with their certified health IT products and services. We
caution, however, that developers are ultimately responsible for
effectuating a comprehensive disclosure that satisfies the expanded
requirements of this final rule. Because developers have substantial
flexibility as to the form and content of their disclosures, it is
unlikely that they would have to disclose proprietary or confidential
information in order to comply with these requirements. However, the
safeguards we have adopted are prophylactic and do not create a
substantive basis for a developer to refuse to comply with the
requirements. Thus a developer cannot cure a deficient disclosure or
avoid a non-conformity finding by asserting that the disclosure of
known material limitations or types of costs would require it to
disclose trade secrets or other proprietary or confidential
information. We note that the ONC Health IT Certification Program is a
voluntary program. To the extent that developers choose to seek
certification under the Program and to market their products and
services as certified health IT, they must comply with the transparency
and disclosure requirements in their entirety.
Comments. An ONC-ACB stated that some health IT developers have
circumvented the requirement to disclose required information on their
websites by omitting discussion of the certification or certified
status of their health IT. The ONC-ACB asked us to clarify whether such
conduct is permissible or constitutes a violation of the disclosure
requirements under Sec. 170.523(k)(1). Relatedly, multiple ONC-ACBs
asked whether it would be permissible for a developer to use an
abbreviated or alternative disclosure more appropriate to the kind of
marketing material and medium at issue. One commenter noted that
requiring a detailed disclosure of information in all marketing
materials or assertions about certified health IT is impracticable and
not helpful to customers. It may also discourage developers from
including such assertions in marketing and promotional materials or
from using certain kinds of materials or media.
Response. A health IT developer's website is not only one of its
most powerful marketing tools but also, for most people, among the most
readily available sources of information about a developer's health IT
products and services. It is therefore essential that a developer
include the information specified by Sec. 170.523(k)(1) on its
website. This information must be included and updated on the
developer's website regardless of whether the website refers to the
certification or certified status of the developer's health IT. The
information must also be located in a place that is accessible and
obvious to viewers and contextually relevant to the certification
criteria to which the disclosures pertain.
For the reasons stated by the commenters, we agree that requiring a
comprehensive disclosure in all marketing materials and other
assertions may be burdensome and counterproductive to our goal of
providing this information to customers in a manner that is meaningful
and likely to inform. Therefore, we clarify that a developer may
satisfy the requirement to disclose the information required by Sec.
170.523(k)(1) in its marketing materials, communications statements,
and other assertions related to a Complete EHR or Health IT Module's
certification by providing an abbreviated disclaimer, appropriate to
the material and medium, provided the disclaimer is accompanied by a
hyperlink to the complete disclosure on the developer's website. Where
a hyperlink is not feasible (for example, in non-visual media), the
developer may use another appropriate method to direct the recipient of
the marketing material, communication, or assertion to the complete
disclosure on its website.
Because of the challenges and accommodations described above, and
the need to ensure that customers and users are able to easily locate
information about certified health IT products and services, we believe
that developers' disclosures should be accessible from a single,
authoritative source. Thus, we have included a developer's disclosures
as part of the information that an ONC-ACBs must submit to ONC for
inclusion in the open data CHPL. We have revised Sec. 170.523(f)(1)
and (f)(2) to reflect this requirement.
In keeping with the goal of making developers' disclosures
accessible and useful to customers and other stakeholders, we have also
revised Sec. 170.523(k)(1)(ii), which requires developers to include
in their disclosures certain types of administrative and programmatic
information they are required to report to ONC. While the reporting and
availability of this information is important and is still required by
Sec. 170.523(f)(1) and (2), requiring developers to insert all of this
information in their disclosures could add unnecessary clutter and
detract from the overall accessibility and clarity of those
disclosures. Therefore, under Sec. 170.523(k)(1)(ii), developers must
include in their disclosures only a subset of this information that
will be valuable to customers in making informed decisions about their
certified health IT.
Comments. Several commenters supported our proposal to require
developers to attest to voluntarily providing information about their
required disclosures to additional persons and in additional
circumstances. Other commenters questioned the value of this
requirement or stated that it was duplicative of the other requirements
we proposed. Some commenters stated that requiring developers to
provide such an attestation as a condition of certification would in
effect make compliance with the attestation mandatory.
Response. We appreciate the comments in support of the proposed
attestation requirement, which we regard as a key feature of the
transparency and disclosure requirements adopted in this final rule. In
response to the comments questioning the value of this additional
requirement, we clarify that the purpose of the attestation is to
create market incentives--independent of any regulatory obligations--
for health IT developers to be more transparent about their health IT
products, services, and business practices. Although the attestation
does not create any additional disclosure obligations under the ONC
Health IT Certification Program, we believe it will encourage
developers to make a good faith effort to ensure that customers and
other persons actually receive the information that developers are
required to disclose at such times and in such a manner as is likely to
be useful in informing their health IT purchasing or licensing,
implementation, and other decisions.
In the Proposed Rule, we explained that the attestation would take
the form of a written ``pledge'' by the developer to take the
additional, voluntarily step of proactively providing information
(which it would already be required to disclose via its Web site and in
marketing and other materials) to all current and prospective customers
as well as to any other persons who request such information. While we
stated that the attestation would not broaden or change a health IT
developer's disclosure obligations under the ONC Health IT
Certification Program, some commenters believed that in practice
developers would be forced to comply with the attestation. Because that
was and is not our intent, we have revised the attestation requirement.
Under the revised
[[Page 62725]]
approach, which we have codified at Sec. 170.523(k)(2), a developer
must either attest that it will voluntarily take the actions described
above, or, in the alternative, attest that it will not take these
actions. Further, an ONC-ACB will be required to include the
developer's attestation in the information submitted to the open data
CHPL so that persons can easily identify which attestation the
developer has made. We have revised Sec. Sec. 170.523(f)(1) and (f)(2)
accordingly.
3. Open Data Certified Health IT Product List (CHPL)
We proposed to require ONC-ACBs to report an expanded set of
information to ONC for inclusion in the CHPL upon its conversion from
its present form to an open data file represented in both XML and JSON
and with accompanying API functionality. We are converting the CHPL to
this new ``open data CHPL'' in response to feedback from stakeholders
regarding the accessibility of information on the CHPL, especially the
information contained in the publicly available test reports for
certified health IT products.\179\ We estimated that the conversion
along with the future additional data collection we have proposed for
2015 Edition certifications would occur over the next 12 to 18 months
from the date the Proposed Rule was issued.
---------------------------------------------------------------------------
\179\ As the ONC Health IT Certification Program has matured,
ONC-ACBs have continued to report the products and information about
the products they have certified to ONC for listing on the CHPL. As
part of the 2014 Edition final rule (77 FR 54271), we required
additional transparency in the ONC Health IT Certification Program
in the form of a hyperlink that ONC-ACBs needed to maintain that
would enable the public to access the test results that the ONC-ACB
used as the basis for issuing a certification. For all 2014 Edition
products certified under the ONC Health IT Certification Program,
the test results are available in a standardized summary accessible
and from the product's detailed information page on the CHPL Web
page. The test result summary includes granular detail from ATLs
about the testing performed, including, among other information: The
certification criteria tested; the test procedure, test data, and
test tool versions used during testing for each certification
criterion; instances where optional portions of certification
criteria were tested; and which standard was used for testing when a
certification criterion allowed for more than one standard to be
used to meet the certification criterion. The test result summary
also includes the user-centered design information and summative
tests results applicable to a product in cases where it was required
to meet the ``safety-enhanced design'' certification criterion
(Sec. 170.314(g)(3)) in order to ultimately be certified.
---------------------------------------------------------------------------
To complement this conversion, we proposed to require ONC-ACBs to
report an expanded set of information to ONC for inclusion in the open
data CHPL. Specifically, we proposed to revise Sec. 170.523(f) to move
the current (f) to (f)(2) and to create a new paragraph (f)(1) that
would require ONC-ACBs upon issuing a 2015 Edition (or any subsequent
edition certification) to report on the same data elements they report
to ONC under Sec. 170.523(f), the information contained in the
publicly available test report, and certain additional data listed in
the Proposed Rule. We explained that the additional data reported to
the open data CHPL would include the information ONC-ACBs would be
required to report in connection with corrective action plans under the
proposal `` `In-the-field' Surveillance and Maintenance of
Certification'' in the Proposed Rule. Because this data would be
required for all, and not only 2015 Edition, certified health IT, we
also proposed to revise new Sec. 170.523(f)(2) (former Sec.
170.523(f)) accordingly.
Consistent with ONC-ACBs' current reporting practice required by
Sec. 170.523(f), ONC-ACBs would be required to submit the additional
data no less frequently than weekly. Because this expanded list of data
would largely subsume the data included in the test results summary, we
would no longer require for 2015 Edition and subsequent edition
certifications that ONC-ACBs provide a publicly accessible hyperlink to
the test results used to certify a Health IT Module.
In submitting this data related to corrective action and
surveillance, ONC-ACBs would be required to exclude any information
that would identify any user or location that participated in or was
subject to surveillance (as currently required for ONC-ACBs' annual
surveillance results reported to the ONC). ONC-ACBs would not be
required and should take care not to submit proprietary information to
ONC for inclusion in the open data file. With respect to the reporting
of corrective action plan and surveillance information for health IT,
an ONC-ACB would be able to meet the requirement by summarizing the
deficiencies leading to its non-conformity determination without
disclosing information that the ONC-ACB believes could be proprietary
or expose it to liability.
Consistent with these proposals, we also proposed to make a
conforming modification to 45 CFR 170.523(k)(1)(ii) which currently
cross references Sec. 170.523(f) to cross reference proposed paragraph
(f)(2) for 2014 Edition certifications and an equivalent set of data
(minus the test results summary) in paragraph (f)(1) for 2015 Edition
and subsequent certifications.
Comments. Most commenters supported requiring ONC-ACBs to report an
expanded set of information to ONC for inclusion in the open data CHPL.
Multiple commenters agreed that information contained in the CHPL has
previously been difficult to access and use and supported our proposal
and plans to make this information easier to access. Commenters stated
that this information and the open data CHPL more generally would
provide greater product transparency, with a focus on surveillance,
user-centered design, and testing results.
Response. We appreciate these comments in support of our proposal.
We have finalized this proposal in its entirety, subject to minor
clarifications and revisions discussed below.
Comments. Commenters offered suggestions on operational details of
the conversion of the current CHPL to an open data format and on how we
should subsequently collect and organize information via the open data
CHPL.
Response. We appreciate these suggestions. While the conversion of
the CHPL is already underway, we will consider these comments on
operational aspects of the open data CHPL as we continue to implement
these efforts.
Comments. Some commenters stated that this proposal was unnecessary
or that its benefits would be outweighed by associated costs and
administrative burden of collecting and reporting an expanded set of
information to ONC for inclusion in the new open data CHPL. Commenters
asked us to review the proposed reporting requirements to see if they
might be clarified and simplified.
Response. While we recognize that the collection and reporting of
additional data to the open data CHPL will place a new reporting burden
on ONC-ACBs, we believe that the benefit to the public of having all of
this data about product certification in granular detail far outweighs
the administrative burden it will take to report this information.
Comments. A number of commenters, including several health IT
developers, objected to the reporting of corrective action plan
information to the publicly accessible open data CHPL. Some commenters
felt that information about non-conformities should not be made public
unless and until the developer of the certified Complete EHR or
certified Health IT Module at issue has been given a full and fair
opportunity to contest the ONC-ACB's determination, including whether
the developer was responsible or ``at fault'' for the non-conformity.
Other commenters stated that such information should never be made
public because it is bound to lack important context, could be
misinterpreted, or would not offer substantial value to health IT
customers and users. Separately, some commenters
[[Page 62726]]
raised concerns regarding the reporting of proprietary or competitively
sensitive information.
Response. We have addressed the concerns related to the submission
of corrective action plan and related information to the open data CHPL
in section IV.D.1 of this preamble (`` `In-the-field' Surveillance and
Maintenance of Certification Criteria''). For the reasons stated there,
we have finalized the requirement to submit a corrective action plan
and related information to the open data CHPL. Further, we have revised
the specific data elements that must be submitted to accommodate the
revised randomized in-the-field surveillance and corrective action plan
and related reporting requirements finalized at Sec. Sec. 170.556(c)-
(e).
Comments. Some commenters expressed confusion as to why we proposed
to require the submission of corrective action and related information
only for randomized surveillance and not for other surveillance
activities. Commenters also suggested several technical clarifications
to our proposed regulation text to ensure alignment between our ``Open
Data CHPL'' and `` `In-the-field' Surveillance and Maintenance of
Certification'' proposals.
Response. We have responded to these concerns in section IV.D.1 of
this preamble (`` `In-the-field' Surveillance and Maintenance of
Certification Criteria'') and refer commenters to that section for a
more detailed treatment of these issues. For the reasons stated there,
we agree with commenters that the requirement to submit corrective
action and related information to the open data CHPL should be applied
to all forms of surveillance and all confirmed non-conformities. We
have also refined the data elements required to be reported for reasons
also set forth in section IV.D.1 of this preamble. To implement these
changes we have revised the randomized in-the-field surveillance and
corrective action plan reporting requirements at Sec. Sec. 170.556(c)-
(e) and have made conforming revisions to Sec. 170.523(k)(1) and Sec.
170.523(k)(2) to accommodate the revised data elements.
As discussed in section IV.D.2 of this preamble (``Transparency and
Disclosure Requirements''), we have also added developers' disclosures
required by Sec. 170.523(k)(1) and their attestations required by
Sec. 170.523(k)(2) to the data that must be submitted to ONC for
inclusion in the open data CHPL.
4. Records Retention
We proposed to change the records retention requirement in Sec.
170.523(g) in two ways. We proposed to require that ONC-ACBs retain all
records related to the certification of Complete EHRs and/or Health IT
Module(s) (including EHR Modules) for a minimum of 6 years instead of 5
years as was required by regulation. We stated that this proposal would
make certification records available for a longer time period, which
may be necessary for HHS programmatic purposes such as evaluations or
audits. We also proposed that records of certifications performed under
the ONC Health IT Certification Program must be available to HHS upon
request during the proposed 6-year period that a record is retained. We
stated that this would help clarify the availability of certification
records for agencies (e.g., CMS) and authorities (e.g., the Office of
Inspector General) within HHS.
Comments. A majority of commenters expressed support for the
proposed 6-year records retention requirement without additional
comment. One commenter suggested a 10-year requirement. Another
commenter recommended record retention requirements for the life of the
edition of certification criteria. A commenter requested clarification
on the start date of the retention period, asking whether the start
date was from the first instance of certification for a product or from
the last documented date of an activity related to the certification
such as surveillance.
Response. We thank commenters for their feedback. We have adopted a
records retention provision that requires ONC-ACBs to retain all
records related to the certification of Complete EHRs and/or Health IT
Module(s) (including EHR Modules) for the ``life of the edition'' plus
an additional 3 years. We have also adopted our proposal to make these
records available to HHS upon request during this period of time for
the reasons specified above and in the Proposed Rule. We define the
``life of the edition'' as beginning with the codification of an
edition of certification criteria in regulation and ending when the
edition is removed from regulation. This means that certification
records for a Complete EHR and/or Health IT Module(s) (including EHR
Modules) certified to a specific edition (e.g., the 2015 Edition) must
be kept for a minimum of 3 years after the effective date of the
removal of that edition from the Code of Federal Regulations (CFR).
This approach is responsive to commenters and addresses the goal of
ensuring records are available for HHS programs, including evaluations
and audits, during a relevant period of time. It provides more clarity
and certainty than establishing a term such as 6 or 10 years, which may
not be a sufficient period of time or too long a period of time. It
also provides consistency and reduced burden for ONC-ACB record
keeping. To illustrate this point, establishing a record keeping period
based on an event such as an instance of first certification or a
surveillance activity would lead to variances in ONC-ACB record keeping
for certified health IT, while under our finalized approach all records
would be retained until a regulatory certain date (at least 3 years
after an edition is removed from the CFR). To note, the record would
include all documents related to the issued certification, such as test
results and surveillance engagements and results.
5. Complaints Reporting
We proposed that ONC-ACBs provide ONC (the National Coordinator)
with a list of complaints received on a quarterly basis. We proposed
that ONC-ACB indicate in their submission the number of complaints
received, the nature or substance of each complaint, and the type of
complainant for each complaint (e.g., type of provider, health IT
developer, etc.). We stated that this information would provide further
insight into potential concerns with certified health IT and/or the ONC
Health IT Certification Program and give ONC a better ability to
identify trends or issues that may require action including
notification of the public.
Comments. A majority of commenters expressed support for the
proposed quarterly complaints reporting requirement. Some commenters,
however, expressed opposition or concern with the proposed requirement.
These commenters stated that the proposed requirement would add
certification cost without value. A few commenters recommended a more
robust reporting requirement than proposed, suggesting we require a
more comprehensive list of complaint data as well as aggregated and
analyzed data. One commenter requested clarification on whether the
proposed requirement would apply to any complaint received by an ONC-
ACB, such as complaints about an ONC-ACB's services and complaints
about certified Health IT Modules.
Response. We have adopted this requirement as proposed with
clarifications in response to comments. We continue to believe that
this requirement will provide us with insight and situational awareness
of issues related to the ONC Health IT Certification Program. We
further believe these benefits outweigh the limited reporting burden we
have
[[Page 62727]]
specified, which does not adopt any new reporting requirements as
suggested by a few commenters. We clarify that this requirement applies
to all complaints received by the ONC-ACB. This includes, but is not
limited to, complaints regarding ONC-ACB services, certified health IT,
and the ONC Health IT Certification Program in general. To provide ONC-
ACBs sufficient time to meet this new requirement, this provision will
become effective on April 1, 2016. This means that we expect ONC-ACBs
to first provide ONC with a list of complaints received on July 1,
2016.
We intend to provide, as necessary, more specific guidance to ONC-
ACBs through the annual ONC Health IT Certification Program
surveillance guidance on reporting complaints received regarding
certified Health IT Modules.
6. Adaptations and Updates of Certified Health IT
We proposed to require that ONC-ACBs obtain monthly reports from
health IT developers regarding their certified health IT. Specifically,
we proposed to require that ONC-ACBs obtain a record of all adaptations
and updates, including changes to user-facing aspects, made to
certified health IT (i.e., Complete EHRs and certified Health IT
Modules), on a monthly basis each calendar year, and we requested
comment on whether we should require even more frequent reporting. We
stated that this new PoPC would apply for all certified Complete EHRs
and certified Health IT Modules (which includes ``EHR Modules'') to the
2014 Edition and all certified Health IT Modules to the 2015 Edition.
We proposed that the PoPC would become effective with this final
rule and we would expect ONC-ACBs to begin complying with the PoPC at
the beginning of the first full calendar month that is at least 30 days
after the effective date of the final rule. We explained that we would
not expect the information in these records to be reported to ONC and
listed on the CHPL. Rather, we stated that the best course of action
would be for ONC-ACBs to retain this information to provide awareness
to the ONC-ACB on adaptations and updates made to technologies they
certified.
Comments. We received mixed comments in response to the proposal. A
number of commenters supported the proposal, but expressed concerns
with the volume and frequency of updates to certified health IT.
Commenters stated that updates could arise from relatively small
changes to software code that do not result in risks to the certified
health IT and that the burden to collect a list of these updates would
not be worth the effort. Some commenters noted that health IT
developers time their major updates with certification to reflect a new
product listing on the CHPL whereas others do not. These commenters
suggested there is inconsistency in the industry in the versioning of
certified products. One commenter recommended that we provide guidance
on consistently distinguishing major from minor updates for products
listed on the CHPL.
Response. In response to comments and to balance the ONC-ACBs'
burden, we have adopted a more limited requirement than proposed. We
agree with commenters that many updates to certified health IT products
would not normally pose a risk to certified capabilities or patient
safety. As such, we have limited the requirement to only adaptations
(all adaptations); and all updates that affect the capabilities
included in certification criteria to which the ``safety-enhanced
design'' certification criteria apply.\180\ These types of updates,
particularly changes to the user-interface, pose the greatest risk to
patient safety. The adoption of this requirement will provide ONC-ACBs
with more insight and transparency into these kinds of updates and
adaptations, which should improve ONC-ACBs' situational awareness and
surveillance.
---------------------------------------------------------------------------
\180\ 2014 Edition certification criteria: CPOE (Sec.
170.314(a)(1)); drug-drug, drug-allergy interaction checks (Sec.
170.314(a)(2)); medication list (Sec. 170.314(a)(6)); medication
allergy list (Sec. 170.314(a)(7)); clinical decision support (Sec.
170.314(a)(8)); electronic medication administration record (Sec.
170.314(a)(16)); CPOE--medications (Sec. 170.314(a)(18)); CPOE--
laboratory (Sec. 170.314(a)(19)); CPOE--diagnostic imaging (Sec.
170.314(a)(20)); electronic prescribing (Sec. 170.314(b)(3));
clinical information reconciliation (Sec. 170.314(b)(4)); and
clinical information reconciliation and incorporation (Sec.
170.314(b)(9)).
2015 Edition certification criteria: CPOE--medications (Sec.
170.315(a)(1)); CPOE-- laboratory (Sec. 170.315(a)(2)); CPOE--
diagnostic imaging (Sec. 170.315(a)(3)); drug-drug, drug allergy
interaction checks (Sec. 170.315(a)(4)); demographics (Sec.
170.315(a)(5)); problem list (Sec. 170.315(a)(6)); medication list
(Sec. 170.315(a)(7)); medication allergy list (Sec.
170.315(a)(8)); clinical decision support (Sec. 170.315(a)(9));
implantable device list (Sec. 170.315(a)(14)); clinical information
reconciliation and incorporation (Sec. 170.315(b)(2)); and
electronic prescribing (Sec. 170.315(b)(3)).
---------------------------------------------------------------------------
We thank the commenter for the feedback on distinguishing major and
minor updates. We first note that, as stated in the 2014 Edition final
rule (77 FR 54268), unless adaptations are presented for separate
certification, the CHPL would not independently list the adaptation
because it is considered part of a previously certified Complete EHR or
certified Health IT Module, including EHR Modules. Second, the CHPL
does not list updates to products unless they are presented for
separate certification. This policy allows a health IT developer to
update a product for routine maintenance or to include new or modified
capabilities without the need for recertification. However, in these
instances, the product name and version on the CHPL would remain
unchanged. We established an attestation process for a product to be
approved for inherited certified status to provide a more efficient
pathway for certification for a new version of a previously certified
product in the Permanent Certification Program final rule (76 FR 1306).
As part of this policy, we noted that we do not presume the version
numbering schema that a health IT developer may choose to utilize. For
compliance with this requirement, the focus on ``updates'' is for all
updates to certified Health IT that affect the capabilities included in
certification criteria to which the ``safety-enhanced design'' criteria
apply.
Comments. A commenter requested that we clarify the definition of
an ``adaptation.'' Another commenter suggested that ONC-ACBs should
only be required to monitor adaptations made by the health IT developer
as it would be impractical for an ONC-ACB to monitor all customer-
initiated adaptations. A commenter requested clarification as to
whether an ONC-ACB is expected to review each report from a health IT
developer, which the commenter contended could be time-consuming and
costly. Another commenter requested clarification as to whether an ONC-
ACB has the authorization to suspend or withdraw a certification if the
health IT developer does not provide a report of adaptations and
updates within the specified timeframe.
Response. We maintain our previously adopted definition of an
``adaptation'' as a software application designed to run on a different
medium that includes the full and exact same capabilities included in
the Complete EHR or certified Health IT Module, including EHR Modules
(77 FR 54267). We refer readers to the discussion in the 2014 Edition
final rule preamble for more detailed examples of adaptations (77 FR
54267). We also previously stated in the 2014 Edition final rule (77 FR
54268) that a health IT developer can choose to seek certification for
adaptations which would lead to it being separately listed on the CHPL
and permit the health IT developer to openly sell the adaptation to all
potential purchasers as a separate certified product.
[[Page 62728]]
We would expect that ONC-ACBs obtain a record of adaptations of
certified health IT made by the health IT developer as those are the
adaptations covered by the issued certification. An ONC-ACB has the
discretion in determining how much time and resources should be devoted
to reviewing the lists provided by health IT developers. As previously
noted, we expect this information to inform ONC-ACBs surveillance
activities for certified health IT. In terms of non-compliance by a
health IT developer in providing the requisite list, we note that an
ONC-ACB retains its authority and oversight over the certifications it
issues and has the discretion to implement that authority and oversight
in a manner that supports its role and responsibilities as well as the
integrity of the ONC Health IT Certification Program.
Comments. We received a number of comments on the proposed
frequency in which an ONC-ACB would have to obtain a record of all
adaptations and applicable updates, with many commenters suggesting
quarterly reporting. Another commenter suggested that the reports
should be required only when adaptations and updates occur, or
alternately weekly.
Response. We have finalized a calendar quarter reporting frequency
for this requirement. This approach addresses commenters' concerns
about burden, but also ensures that ONC-ACBs receive timely
notifications about new adaptations and updates that could affect the
safety of certified health IT. In order to provide ONC-ACBs and health
IT developers sufficient time to plan and implement this new
requirement, this PoPC will not become effective until April 1, 2016.
For clarity, we reiterate that this PoPC applies to all certifications
issued to the 2014 Edition, 2015 Edition, and future editions of
certification criteria. We expect all ONC-ACBs to receive lists from
health IT developers on July 1, 2016, and then every calendar quarter
thereafter (e.g., October 1, 2016, January 1, 2017, and so on).
E. ``Decertification'' of Health IT--Request for Comments
The Proposed Rule proposed and the final rule take certain steps to
support the certification of health IT that meets relevant program
standards and permits the unrestricted use of certified capabilities
that facilitate health information exchange (see the ``In-The-Field
Surveillance and Maintenance of Certification'' and ``Transparency and
Disclosure Requirements'' proposals in section IV.D of this preamble).
In the Proposed Rule, we stated that additional rulemaking would be
necessary to implement any approach that would include ONC
appropriating an ONC-ACB's delegated authority to issue and terminate a
certification, including establishing new program requirements and
processes by which ONC or an ONC-ACB would have the grounds to
terminate an issued certification. We requested comment on the
circumstances, due process, remedies, and other factors that we should
consider regarding the termination of a certification. To assist
commenters, we provided a brief background of the ONC Health IT
Certification Program and examples of the complexities and potential
impacts associated with terminating a certification. We asked
commenters to account for the potentially profound asymmetric impacts
revoking a certification could create, especially if based on the
business practices (by health IT developers or their customers)
associated with the health IT's use and not necessarily the health IT's
performance according to certification requirements.
Comments. Commenters overwhelmingly expressed support for the
decertification of health IT products that did not continue to meet
certification requirements or proactively blocked the sharing of health
information. Of these commenters, the majority supported a clear and
structured approach to ``decertification,'' with some commenters
specifically recommending a regulatory approach that could be
implemented as soon as possible. However, other commenters opposed
changing the current approach or, at a minimum, urged caution in
implementing a new ``decertification'' process. In this regard,
commenters recommended clear parameters be established that would lead
to decertification; appropriate due processes, including sufficient
opportunities to correct deficiencies and non-compliance; and
safeguards for non-culpable parties, such as ``hold harmless''
provisions, hardship exemptions, and ``safe harbors'' when applicable.
A few commenters also suggested that further stakeholder input was
needed before considering regulations, particularly to fully understand
the ``downstream'' implications of ``decertification.''
Response. We thank commenters for their feedback. As noted in the
Proposed Rule, additional rulemaking would be necessary to implement
any new ``decertification'' process. We will take the comments received
under consideration as we determine whether a new regulatory
``decertification'' process for health IT is necessary or whether other
steps could better support the continued compliance of certified health
IT with certification requirements, the unencumbered access and use of
certified capabilities of health IT, the unrestricted exchange of
health information, and overall interoperability.
V. Incorporation by Reference