80 FR 76868 - 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications; Corrections and Clarifications

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary

Federal Register Volume 80, Issue 238 (December 11, 2015)

Page Range		76868-76872
FR Document		2015-31255

This document corrects errors and clarifies provisions of the final rule entitled ``2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications.''

Federal Register, Volume 80 Issue 238 (Friday, December 11, 2015)

[Federal Register Volume 80, Number 238 (Friday, December 11, 2015)]
[Rules and Regulations]
[Pages 76868-76872]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-31255]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 170

RIN 0991-AB93


2015 Edition Health Information Technology (Health IT) 
Certification Criteria, 2015 Edition Base Electronic Health Record 
(EHR) Definition, and ONC Health IT Certification Program 
Modifications; Corrections and Clarifications

AGENCY: Office of the National Coordinator for Health Information 
Technology (ONC), Department of Health and Human Services (HHS).

ACTION: Final rule; corrections and clarifications.

-----------------------------------------------------------------------

SUMMARY: This document corrects errors and clarifies provisions of the 
final rule entitled ``2015 Edition Health Information Technology 
(Health IT) Certification Criteria, 2015 Edition Base Electronic Health 
Record (EHR) Definition, and ONC Health IT Certification Program 
Modifications.''

DATES: This correction is effective January 14, 2016. The final rule 
appeared in the Federal Register on October 16, 2015 (80 FR 62602), and 
is effective on January 14, 2016, except for Sec.  170.523(m) and (n), 
which are effective on April 1, 2016.

FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy, 
National Coordinator for Health Information Technology, 202-690-7151.

SUPPLEMENTARY INFORMATION: 

I. Background

    Following the publication of Federal Register document 2015-25597 
of October 16, 2015 (80 FR 62602), final rule entitled ``2015 Edition 
Health Information Technology (Health IT) Certification Criteria, 2015 
Edition Base Electronic Health Record (EHR) Definition, and ONC Health 
IT Certification Program Modifications'' (hereinafter referred to as 
the 2015 Edition final rule), we identified a number of errors in the 
final rule. We summarize and correct these errors in the ``Summary of 
Errors'' and ``Corrections of Errors'' sections below.
    We also clarify requirements of the Common Clinical Data Set 
(CCDS), the privacy and security certification framework, and the 
mandatory disclosures for health IT developers in the 
``Clarifications'' section below.

II. Summary of Errors

A. Preamble Errors

1. ``Audit Report(s)'' Certification Criterion
    We incorrectly identified the adopted 2015 Edition ``audit 
report(s)'' certification criterion throughout the preamble as 
``unchanged'' and eligible for gap certification. More specifically, we 
identified it incorrectly:
    a. On page 62609, under Table 2 (``2015 Edition Health IT 
Certification Criteria''), as an unchanged criterion compared to the 
2014 Edition and gap certification eligible.
    b. On page 62656, second column, in the ``Response'' under ``Audit 
Report(s),'' as adopted as proposed (i.e., ``unchanged'').
    c. On page 62681, under Table 6 (``Gap Certification Eligibility 
for 2015 Edition Health IT Certification Criteria''), as eligible for 
gap certification.
    We adopted the standard at Sec.  170.210(e) as revised to include 
the auditing of changes to user privileges in paragraph (e)(1)(i). The 
adopted 2015 Edition ``audit report(s)'' certification criterion 
references this standard. Therefore, it is a ``revised'' certification 
criterion as compared to the 2014 Edition ``audit report(s)'' 
certification criterion and ineligible for gap certification.
2. ``Integrity'' Certification Criterion
    On page 62657, third column, third paragraph, the last sentence 
incorrectly references SHA-1. The commenters' statements were specific 
to SHA-2.
3. ``Accounting of Disclosures'' Certification Criterion
    On page 62658, first column, mid-page, within the 2015 Edition 
``accounting of disclosures'' certification criterion table, we 
inadvertently referenced the criterion as codified in 45 CFR 
170.315(d)(10), when in fact it was codified in 45 CFR 170.315(d)(11). 
We note that the 2015 Edition ``auditing actions on health 
information'' certification criterion was codified in 45 CFR 
170.315(d)(10).
4. ``Transmission to Public Health Agencies--Antimicrobial Use and 
Resistance Reporting'' Certification Criterion
    On page 62668, third column, lines 2 and 3, there was a 
parenthetical error stating that we adopted the ``transmission to 
public health agencies--antimicrobial use and resistance reporting'' 
certification criterion as proposed (with both Volumes 1 and 2 of the 
HAI IG). The parenthetical is corrected to not reference volumes of the 
HL 7 Implementation Guide for CDA[supreg] Release 2--Level 3: 
Healthcare Associated Infection Reports, Release 1

[[Page 76869]]

(U.S. Realm), August 9, 2013 (HAI IG). This adopted version of the HAI 
IG does not contain multiple volumes. Further, the adopted version of 
the implementation guide was incorporated by reference in Sec.  
170.299(f)(26).
5. Common Clinical Data Set--Assessment and Plan of Treatment, Goals, 
and Health Concerns
    On page 62696, second column, lines 8-14, we did not clearly 
indicate that only the narrative parts of the ``Goals Section'' and 
``Health Concerns Section'' needed to be met in order to meet the CCDS 
definition. We refer readers to section III.A (``Common Clinical Data 
Set'') below for further clarification of these CCDS requirements.

B. Regulation Text Errors

1. 2015 Edition Base EHR Definition
    On page 62742, first column, line 16 (Sec.  170.102), we 
inadvertently made an error in the 2015 Edition Base EHR definition by 
citing to Sec.  170.315(a)(15) instead of Sec.  170.315(a)(14). As 
discussed on pages 62625, 62630, 62691 and identified on page 62692 
(Table 7), we included the ``implantable device list'' certification 
criterion (Sec.  170.315(a)(14)) in the 2015 Edition Base EHR 
definition as we proposed (80 FR 16806, 16825, 16870-16871). We did not 
propose to include nor intend to include the ``social, psychological, 
and behavioral data'' certification criterion (Sec.  170.315(a)(15)) in 
the 2015 Edition Base EHR definition.
2. Sexual Orientation Code
    On page 62744, third column, line 24 (Sec.  170.207(o)(1)(ii)), the 
code (20730005) attributed to ``straight or heterosexual'' was 
inaccurate. The correct code is 20430005 (emphasis added).
3. ``Implantable Device List'' Certification Criterion
    On page 62748, third column, line 1 (Sec.  170.315(a)(14)), we 
inadvertently omitted the word ``and'' at the end of the line. On the 
same page and column, line 42, we inadvertently added the word ``and'' 
when the ``and'' should have been at the end of line 47. On the same 
page and column, line 59, we inadvertently omitted the word ``and'' at 
the end of the line.
4. ``Data Export'' Certification Criterion
    On page 62750, third column, line 63, we inaccurately cross-
referenced paragraphs (ii) through (v) of the ``data export'' 
certification criterion (Sec.  170.315(b)(6)), when the cross-reference 
should have only been to paragraphs (iii) and (iv). Paragraph (v) 
should not have been referenced because there are only four paragraphs, 
ending with paragraph (iv). Paragraph (ii) should not have been cross-
referenced because paragraph (ii) no longer includes a configuration 
capability that could be enabled. The configuration capability included 
in paragraph (ii) was intended to support user selection among the 
multiple document templates we proposed for inclusion in paragraph (ii) 
of this certification criterion. In the final rule, however, we only 
included the Continuity of Care Document (CCD) document template in 
paragraph (ii). Therefore, a configuration capability for selecting 
among document templates is no longer applicable and both the cross-
reference to paragraph (ii) and the inclusion of configuration language 
in paragraph (ii) on page 62751, first column, lines 10-11, are 
incorrect. In terms of the configuration language in paragraph (ii), 
more specifically the inclusion of ``configuration'' in the paragraph 
title is an error as is the inclusion of the capability to ``configure 
the technology'' in the first sentence.
5. ``Clinical Quality Measures--Filter'' Certification Criterion
a. Patient Insurance Standard
    On page 62751, third column, line 22, we inadvertently included 
``at a minimum'' language for the required patient insurance standard. 
The standard (Source of Payment Typology Code Set Version 5.0 (October 
2011)) was adopted at Sec.  170.207(s)(1), but we did not adopt this 
standard as a ``minimum standards'' code set (see 80 FR 62612).
b. Patient Sex Standard
    On page 62751, third column, lines 25-26, we inadvertently included 
``at a minimum'' language for the required patient sex standard. The 
standard for representing sex is the use of specific HL7 Version 3 
codes and was adopted at Sec.  170.207(n)(1). We did not adopt this 
standard as a ``minimum standards'' code set (see 80 FR 62612).
6. ``View, Download, and Transmit to 3rd Party'' (VDT) Certification 
Criterion
    On page 62753, first column, lines 37 and 55 (Sec.  
170.315(e)(1)(ii)), we inadvertently omitted references for a patient's 
authorized representative to have access to the specified capabilities 
related to the activity history log under the VDT certification 
criterion. As discussed on page 62658 and consistent with references 
throughout the VDT criterion, a patient's authorized representative 
access to these capabilities is the same as the patient for the 
purposes of testing and certification.
7. ``Consolidated CDA Creation Performance'' Certification Criterion
    On page 62754, second column, lines 42-46 (Sec.  
170.315(g)(6)(ii)), we inadvertently included a sentence stating that 
the scope of this certification criterion will not exceed the 
evaluation of the CCD, Referral Note, and Discharge Summary document 
templates. This statement is inconsistent with the preamble guidance of 
the final rule on page 62674, which states that we have required that 
Consolidated CDA (C-CDA) creation performance be demonstrated for the 
C-CDA Release 2.1 document templates required by the 2015 Edition 
certification criteria presented for certification. Certification to 
some criteria (e.g., the ``transitions of care'' criterion) requires 
three C-CDA document templates whereas other criteria (e.g., the ``care 
plan'' criterion) only requires one C-CDA document template. To further 
illustrate, if a Health IT Module only included the ``view, download, 
and transmit to 3rd party'' certification criterion (Sec.  
170.315(e)(1)) within its certificate's scope, then only the Continuity 
of Care Document (CCD) document template would be applicable within the 
``C-CDA creation performance'' criterion. Conversely, if a Health IT 
Module designed for the inpatient setting included the ``transitions of 
care'' certification criterion (Sec.  170.315(b)(1)) within its 
certificate's scope, then all three document templates referenced by 
that criterion (CCD, Referral Note, and Discharge Summary) would need 
to be evaluated as part of the ``C-CDA creation performance'' 
criterion, with the Discharge Summary only applicable to the inpatient 
setting.
8. ``Direct Project'' Certification Criterion
    On page 62755, first column, lines 53 through 55 (Sec.  
170.315(h)(1)(ii)), we inadvertently referenced the ``Applicability 
Statement for Secure Health Transport'' in the title for paragraph (ii) 
when it should have only been ``Delivery Notification in Direct.''
9. ``Direct Project, Edge Protocol, and XDR/XDM'' Certification 
Criterion
    On page 62755, second column, lines 4 through 6 (Sec.  
170.315(h)(2)(ii)), we again inadvertently referenced the 
``Applicability Statement for Secure Health Transport'' in the title 
for paragraph (ii) when it should have only been ``Delivery 
Notification in Direct.''

[[Page 76870]]

10. Principles of Proper Conduct for ONC-ACBs--Certified Health IT 
Mandatory Disclosures
a. 2015 Edition Certified Health IT
    On page 62756, third column, lines 35-36 (Sec.  
170.523(k)(1)(ii)(A)), we inadvertently cross-referenced the wrong data 
from Sec.  170.523(f)(1). We did not intend to cross-reference Sec.  
170.523(f)(1)(xvii) (certification to standards used to meet a 
certification criterion). The required data elements for disclosure 
were intended to be consistent across the editions. This data is not a 
required data element for the mandatory disclosures for health IT 
certified to the 2014 Edition. We did, however, intend to require the 
disclosure of Sec.  170.523(f)(1)(xv) (certification to clinical 
quality measures), which was inadvertently omitted but consistent with 
the new and previous 2014 Edition disclosure requirements. We also 
refer readers to section III.C (``Mandatory Disclosures for 2015 
Edition Certified Health IT'') below for a clarification related to the 
disclosure on information specified in Sec.  170.523(f)(1)(viii).
b. 2014 Edition Certified Health IT
    On page 62756, third column, lines 42-43 (Sec.  
170.523(k)(1)(ii)(B)), we inadvertently omitted cross-references to 
paragraphs (f)(2)(iii) (product version) and (vi) (any additional 
relied upon software used to demonstrate compliance with a 
certification criterion or criteria) of Sec.  170.523. The parallel 
requirements were included in the required disclosures for health IT 
certified to the 2015 Edition and were previously required to be 
disclosed as part of certification to the 2014 Edition.
10. In-the-Field Surveillance and Maintenance of Certification for 
Health IT
a. Exclusion and Exhaustion
    On page 62758, third column, lines 4 and 10 (Sec.  170.556(c)(5)), 
we twice inadvertently cross-referenced paragraph (c)(3) of Sec.  
170.556 instead of paragraph (c)(4) of Sec.  170.556. Paragraph (c)(4) 
includes the requirements for locations as they would apply to the 
``exclusion and exhaustion'' requirements of paragraph (c)(5).
b. Termination
    On page 62759, second column, lines 23-24 (Sec.  170.556(d)(6)), we 
inadvertently included language suggesting that termination was limited 
to suspensions in the context of randomized surveillance. Consistent 
with the preamble discussion on pages 62716-62718, termination can 
follow any suspension if the health IT developer has not completed the 
actions necessary to reinstate the suspended certification.

III. Clarifications

A. Common Clinical Data Set

    In the final rule (Sec.  170.102), we define the CCDS to mean data 
expressed, where indicated, according to specified standards. For four 
data specified in the CCDS (Unique Device Identifier(s) for a Patient's 
Implantable Device(s); Assessment and Plan of Treatment; Goals; and 
Health Concerns), we reference specific Consolidated Clinical Document 
Architecture (C-CDA) sections. Based on subsequent examination of this 
regulatory text and early interactions with stakeholders, we have 
determined that additional explanation of these references is necessary 
in order to ensure health IT developers accurately and consistently 
interpret and implement health IT functionality to our expressed 
regulatory requirements. In this regard, we seek to clarify two points.
    First, we clarify that the references to these four specific C-CDA 
section templates is not meant to be strictly interpreted to mean that 
a health IT developer must use the C-CDA's syntax for each referenced 
section. Such a strict interpretation would directly contradict the 
flexibility we have intentionally offered to health IT developers who 
seek to certify to the ``application access--data category request'' 
certification criterion adopted at 45 CFR 170.315(g)(8), which 
references the CCDS but does not bind health IT presented for 
certification to solely use the C-CDA to meet the criterion. To avoid 
stakeholders inadvertently following this overly strict interpretation, 
we clarify that the references to these C-CDA section templates was 
meant (like all of the other data listed in the CCDS) to emphasize that 
these data need to be consistently and independently represented as 
discrete data that are clearly distinguishable.
    Second, we clarify for the Assessment and Plan of Treatment, Goals, 
and Health Concerns data that only the narrative part of the referenced 
C-CDA section templates is necessary and required in order to satisfy 
the CCDS. Further and in support of this clarification, testing and 
certification will focus on the presence of data represented consistent 
with just the narrative part of the referenced section templates. 
Similar to our points above, given that these section templates in the 
C-CDA have two parts (a narrative part and coded requirements part for 
C-CDA), we believe that it is necessary to make this interpretation 
explicit so as to prevent health IT developers from over-interpreting 
this definition's data requirements to include more data than we had 
intended.

B. Privacy and Security Certification Framework--Approach 2

    Under Sec.  170.550(h)(4)(ii), a Health IT Module can meet 
applicable 2015 Edition privacy and security certification criterion by 
demonstrating, through system documentation that is sufficiently 
detailed to enable integration, that the Health IT Module has 
implemented service interfaces for each applicable privacy and security 
certification criterion that enable the Health IT Module to access 
external services necessary to meet the privacy and security 
certification criterion (also known as ``Approach 2''). We clarify 
three points about Approach 2. First, we clarify that the term 
``access'' includes, as applicable, bi-directional interfaces with 
external services. For example, system documentation could detail how 
integration establishes a bi-directional interface that meets the 
requirements of the 2015 Edition ``audit report(s)'' certification 
criterion. Second, external services simply mean services outside the 
scope of the Health IT Module being presented for certification. 
External services could be, but are not limited to, those provided by 
another certified Health IT Module, another software program such as 
Microsoft Active Directory, or a hospital enterprise-wide 
infrastructure. Third, a Health IT Module is not required to be paired 
with the other services for the purposes of certification (e.g., 
certified with another certified Health IT Module that performs the 
privacy and security capability or specifying the external services as 
``relied upon software'').

C. Mandatory Disclosures for 2015 Edition Certified Health IT

    We clarify that for compliance with Sec.  170.523(k)(1)(ii)(A), the 
only information that must be disclosed to meet the data requirement 
specified in Sec.  170.523(f)(1)(viii) is the certification criterion 
or criteria to which the Health IT Module has been certified. This is 
consistent with the disclosure requirements for certification to the 
2014 Edition.

IV. Waiver of Proposed Rulemaking

    We ordinarily publish a notice of proposed rulemaking in the 
Federal Register to provide a period for public comment before the 
provisions of a rule take effect in accordance with section

[[Page 76871]]

553(b) of the Administrative Procedure Act (APA) (5 U.S.C. 553(b)). 
However, we can waive this notice and comment procedure if the 
Secretary finds, for good cause, that the notice and comment process is 
impracticable, unnecessary, or contrary to the public interest, and 
incorporates a statement of the finding and the reasons therefore in 
the notice.
    In our view, this correcting and clarifying document does not 
constitute a rulemaking that would be subject to the APA notice and 
comment requirements. This document corrects errors and clarifies 
provisions of the 2015 Edition final rule published on October 16, 
2015. It does not make substantive changes to the policies that were 
adopted. As a result, this correcting document is intended to ensure 
that the final rule accurately reflects the policies adopted in that 
final rule.
    In addition, even if this were a rulemaking to which the notice and 
comment requirements applied, we find that there is good cause to waive 
such requirements. Undertaking further notice and comment procedures to 
incorporate the corrections in this document into the final rule would 
be contrary to the public interest. Furthermore, such procedures would 
be unnecessary, as we are not altering the policies that were already 
subject to comment and finalized in our final rule. Therefore, we 
believe we have good cause to waive the notice and comment 
requirements.

V. Corrections of Errors

A. Preamble Corrections

    1. On page 62609, correct Table 2 as follows:
    a. Remove ``Audit Report(s)'' from the ``Unchanged Criteria as 
Compared to the 2014 Edition (Gap Certification Eligible)'' category 
and insert it with an in asterisk (i.e., Audit Report(s)*) in the 
``Revised Criteria as Compared to the 2014 Edition'' category after 
``Auditable Events and Tamper-Resistance.''
    b. Revise the ``Unchanged Criteria as Compared to the 2014 Edition 
(Gap Certification Eligible) (16)'' title to ``Unchanged Criteria as 
Compared to the 2014 Edition (Gap Certification Eligible) (15)''.
    c. Revise the ``Revised Criteria as Compared to the 2014 Edition 
(25)'' title to ``Revised Criteria as Compared to the 2014 Edition 
(26)''.
    2. On page 62656, second column, in the ``Response'' under ``Audit 
Report(s),'' correct the first sentence to read ``We have adopted this 
certification criterion as revised to support the audit reporting of 
changes in user privileges consistent with the adopted 2015 Edition 
``auditable events and tamper resistance'' certification criterion.''
    3. On page 62657, third column, third paragraph, correct the last 
sentence to read ``A few commenters requested that we wait until 2017 
or 2018 to increase the standard to SHA-2.''
    4. On page 62658, first column, mid-page, within the 2015 Edition 
``accounting of disclosures'' certification criterion table, the 
citation is corrected to read ``45 CFR 170.315(d)(11).''
    5. On page 62668, third column, lines 2 and 3, correct the 
parenthetical to read ``(with the HAI IG).''
    6. On page 62681, Table 6, remove ``(d)(3) Audit report(s)'' from 
the ``2015 Edition'' column and ``(d)(3) Audit report(s)'' from the 
``2014 Edition'' column.
    7. On page 62696, second column, lines 8-14, correct the sentence 
to read ``Thus, other C-CDA document templates such as CCD, Referral 
Note, and Discharge Summary would need to be able to exchange the 
narrative information from the ``Goals Section'' and ``Health Concerns 
Section'' in order to meet the Common Clinical Data Set definition.''

B. Regulation Text Corrections

0
1. On page 62742, first column, in Sec.  170.102, in the definition of 
``2015 Edition Base EHR'', paragraph (3) is corrected to read as 
follows:


Sec.  170.102  Definitions.

* * * * *
    2015 Edition Base EHR * * *
    (3) Has been certified to the certification criteria adopted by the 
Secretary in Sec.  170.315(a)(1), (2), or (3); (a)(5) through (9); 
(a)(11); (a)(14); (b)(1) and (6); (c)(1); (g)(7) through (9); and 
(h)(1) or (2);
* * * * *

0
2. On page 62744, third column, in Sec.  170.207, paragraph (o)(1)(ii) 
is corrected to read as follows:


Sec.  170.207  Vocabulary standards for representing electronic health 
information.

* * * * *
    (o) * * *
    (1) * * *
    (ii) Straight or heterosexual. 20430005.
* * * * *

0
3. On pages 62748 through 62755, in Sec.  170.315, paragraphs 
(a)(14)(ii)(A), (a)(14)(iv)(A) and (B), (a)(14)(v)(C), (b)(6)(i)(A), 
(b)(6)(ii) introductory text, (c)(4)(iii)(E) and (G), (e)(1)(ii)(A) 
introductory text, (e)(1)(ii)(B), (g)(6)(ii), (h)(1)(ii), and 
(h)(2)(ii) are corrected to read as follows:


Sec.  170.315  2015 Edition health IT certification criteria.

* * * * *
    (a) * * *
    (14) * * *
    (ii) * * *
    (A) Device Identifier; and
* * * * *
    (iv) * * *
    (A) The active Unique Device Identifiers recorded for the patient;
    (B) For each active Unique Device Identifier recorded for a 
patient, the description of the implantable device specified by 
paragraph (a)(14)(iii)(A) of this section; and
* * * * *
    (v) * * *
    (C) The identifiers associated with the Unique Device Identifier, 
as specified by paragraph (a)(14)(ii) of this section; and
* * * * *
    (b) * * *
    (6) * * *
    (i) * * *
    (A) Enable a user to set the configuration options specified in 
paragraphs (b)(6)(iii) and (iv) of this section when creating an export 
summary as well as a set of export summaries for patients whose 
information is stored in the technology. A user must be able to execute 
these capabilities at any time the user chooses and without subsequent 
developer assistance to operate.
* * * * *
    (ii) Creation. Enable a user to create export summaries formatted 
in accordance with the standard specified in Sec.  170.205(a)(4) using 
the Continuity of Care Document document template that includes, at a 
minimum:
* * * * *
    (c) * * *
    (4) * * *
    (iii) * * *
    (E) Patient insurance in accordance with the standard specified in 
Sec.  170.207(s)(1).
    * * *
    (G) Patient sex in accordance with the version of the standard 
specified in Sec.  170.207(n)(1).
* * * * *
    (e) * * *
    (1) * * *
    (ii) * * *
    (A) When any of the capabilities included in paragraphs 
(e)(1)(i)(A) through (C) of this section are used, the following 
information must be recorded and made accessible to the patient (or 
his/her authorized representative):
* * * * *
    (B) Technology presented for certification may demonstrate

[[Page 76872]]

compliance with paragraph (e)(1)(ii)(A) of this section if it is also 
certified to the certification criterion specified in Sec.  
170.315(d)(2) and the information required to be recorded in paragraph 
(e)(1)(ii)(A) of this section is accessible by the patient (or his/her 
authorized representative).
* * * * *
    (g) * * *
    (6) * * *
    (ii) Document-template conformance. Create a data file formatted in 
accordance with the standard adopted in Sec.  170.205(a)(4) that 
demonstrates a valid implementation of each document template 
applicable to the certification criterion or criteria within the scope 
of the certificate sought.
* * * * *
    (h) * * *
    (1) * * *
    (ii) Delivery Notification in Direct. Able to send and receive 
health information in accordance with the standard specified in Sec.  
170.202(e)(1).
* * * * *
    (2) * * *
    (ii) Delivery Notification in Direct. Able to send and receive 
health information in accordance with the standard specified in Sec.  
170.202(e)(1).


Sec.  170.523  [Corrected]

0
4. In Sec.  170.523--
0
a. On page 62756, third column, lines 35-36, paragraph (k)(1)(ii)(A), 
the reference ``paragraphs (f)(1)(i), (vi), (vii), (viii), (xvi), and 
(xvii) of this section'' is corrected to read ``paragraphs (f)(1)(i), 
(vi), (vii), (viii), (xv), and (xvi) of this section''.
0
b. On page 62756, third column, lines 42-43, paragraph (k)(1)(ii)(B), 
the reference ``paragraphs (f)(2)(i), (ii), (iv)-(v), and (vii) of this 
section'' is corrected to read ``paragraphs (f)(2)(i) through (vii) of 
this section''.

0
5. In Sec.  170.556--
0
a. On page 62758, third column, lines 4 and 10, paragraph (c)(5), 
correct the reference ``paragraph (c)(3)'' each time it appears to read 
``paragraph (c)(4)''.
0
b. On page 62759, second column, correct paragraph (d)(6) to read as 
follows:


Sec.  170.556  In-the-field surveillance and maintenance of 
certification for Health IT.

* * * * *
    (d) * * *
    (6) If a certified Complete EHR or certified Health IT Module's 
certification has been suspended, an ONC-ACB is permitted to initiate 
certification termination procedures for the Complete EHR or Health IT 
Module (consistent with its accreditation to ISO/IEC 17065 and 
procedures for terminating a certification) when the developer has not 
completed the actions necessary to reinstate the suspended 
certification.
* * * * *

    Dated: December 7, 2015.
Madhura Valverde,
Executive Secretary to the Department, Department of Health and Human 
Services.
[FR Doc. 2015-31255 Filed 12-10-15; 8:45 am]
 BILLING CODE 4150-45-P

76868 Federal Register / Vol. 80, No. 238 / Friday, December 11, 2015 / Rules and Regulations

SOUTH CAROLINA—2008 8-HOUR OZONE NAAQS
[Primary and secondary]

Designation Classification
Designated area
Date 1 Type Date 1 Type

Charlotte-Rock Hill, NC– This action is effective 12/ Attainment.
SC: 2. 11/2015.
York County (part)
Portion along MPO
lines.

* * * * * * *
1 Thisdate is July 20, 2012, unless otherwise noted.
2 Excludes Indian country located in each area, unless otherwise noted.
3 IncludesIndian country of the tribe listed in this table located in the identified area. Information pertaining to areas of Indian country in this
table is intended for CAA planning purposes only and is not an EPA determination of Indian country status or any Indian country boundary. EPA
lacks the authority to establish Indian country land status, and is making no determination of Indian country boundaries, in this table.
4 Includes any Indian country in each county or area, unless otherwise specified.

* * * * * I. Background We adopted the standard at
[FR Doc. 2015–30920 Filed 12–10–15; 8:45 am]
Following the publication of Federal § 170.210(e) as revised to include the
BILLING CODE 6560–50–P
Register document 2015–25597 of auditing of changes to user privileges in
October 16, 2015 (80 FR 62602), final paragraph (e)(1)(i). The adopted 2015
rule entitled ‘‘2015 Edition Health Edition ‘‘audit report(s)’’ certification
DEPARTMENT OF HEALTH AND Information Technology (Health IT) criterion references this standard.
HUMAN SERVICES Certification Criteria, 2015 Edition Base Therefore, it is a ‘‘revised’’ certification
Electronic Health Record (EHR) criterion as compared to the 2014
Office of the Secretary Edition ‘‘audit report(s)’’ certification
Definition, and ONC Health IT
criterion and ineligible for gap
Certification Program Modifications’’
45 CFR Part 170 certification.
(hereinafter referred to as the 2015
RIN 0991–AB93 Edition final rule), we identified a 2. ‘‘Integrity’’ Certification Criterion
number of errors in the final rule. We On page 62657, third column, third
2015 Edition Health Information summarize and correct these errors in
Technology (Health IT) Certification paragraph, the last sentence incorrectly
the ‘‘Summary of Errors’’ and references SHA–1. The commenters’
Criteria, 2015 Edition Base Electronic ‘‘Corrections of Errors’’ sections below. statements were specific to SHA–2.
Health Record (EHR) Definition, and We also clarify requirements of the
ONC Health IT Certification Program Common Clinical Data Set (CCDS), the 3. ‘‘Accounting of Disclosures’’
Modifications; Corrections and privacy and security certification Certification Criterion
Clarifications framework, and the mandatory On page 62658, first column, mid-
AGENCY: Office of the National disclosures for health IT developers in page, within the 2015 Edition
Coordinator for Health Information the ‘‘Clarifications’’ section below. ‘‘accounting of disclosures’’ certification
Technology (ONC), Department of II. Summary of Errors criterion table, we inadvertently
Health and Human Services (HHS). referenced the criterion as codified in 45
A. Preamble Errors CFR 170.315(d)(10), when in fact it was
ACTION: Final rule; corrections and
1. ‘‘Audit Report(s)’’ Certification codified in 45 CFR 170.315(d)(11). We
clarifications.
Criterion note that the 2015 Edition ‘‘auditing
SUMMARY: This document corrects errors actions on health information’’
and clarifies provisions of the final rule We incorrectly identified the adopted certification criterion was codified in 45
entitled ‘‘2015 Edition Health 2015 Edition ‘‘audit report(s)’’ CFR 170.315(d)(10).
Information Technology (Health IT) certification criterion throughout the
preamble as ‘‘unchanged’’ and eligible 4. ‘‘Transmission to Public Health
Certification Criteria, 2015 Edition Base Agencies—Antimicrobial Use and
Electronic Health Record (EHR) for gap certification. More specifically,
we identified it incorrectly: Resistance Reporting’’ Certification
Definition, and ONC Health IT Criterion
Certification Program Modifications.’’ a. On page 62609, under Table 2
(‘‘2015 Edition Health IT Certification On page 62668, third column, lines 2
DATES: This correction is effective
Criteria’’), as an unchanged criterion and 3, there was a parenthetical error
January 14, 2016. The final rule compared to the 2014 Edition and gap stating that we adopted the
appeared in the Federal Register on certification eligible. ‘‘transmission to public health
October 16, 2015 (80 FR 62602), and is b. On page 62656, second column, in agencies—antimicrobial use and
effective on January 14, 2016, except for the ‘‘Response’’ under ‘‘Audit resistance reporting’’ certification
§ 170.523(m) and (n), which are Report(s),’’ as adopted as proposed (i.e., criterion as proposed (with both
tkelley on DSK9F6TC42PROD with RULES

effective on April 1, 2016. ‘‘unchanged’’). Volumes 1 and 2 of the HAI IG). The
FOR FURTHER INFORMATION CONTACT: c. On page 62681, under Table 6 parenthetical is corrected to not
Michael Lipinski, Office of Policy, (‘‘Gap Certification Eligibility for 2015 reference volumes of the HL 7
National Coordinator for Health Edition Health IT Certification Implementation Guide for CDA®
Information Technology, 202–690–7151. Criteria’’), as eligible for gap Release 2—Level 3: Healthcare
SUPPLEMENTARY INFORMATION: certification. Associated Infection Reports, Release 1

VerDate Sep<11>2014 11:03 Dec 10, 2015 Jkt 238001 PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 E:\FR\FM\11DER1.SGM 11DER1

76870 Federal Register / Vol. 80, No. 238 / Friday, December 11, 2015 / Rules and Regulations

10. Principles of Proper Conduct for any suspension if the health IT and coded requirements part for C–
ONC–ACBs—Certified Health IT developer has not completed the actions CDA), we believe that it is necessary to
Mandatory Disclosures necessary to reinstate the suspended make this interpretation explicit so as to
a. 2015 Edition Certified Health IT certification. prevent health IT developers from over-
interpreting this definition’s data
On page 62756, third column, lines III. Clarifications requirements to include more data than
35–36 (§ 170.523(k)(1)(ii)(A)), we A. Common Clinical Data Set we had intended.
inadvertently cross-referenced the
wrong data from § 170.523(f)(1). We did In the final rule (§ 170.102), we define B. Privacy and Security Certification
not intend to cross-reference the CCDS to mean data expressed, Framework—Approach 2
§ 170.523(f)(1)(xvii) (certification to where indicated, according to specified Under § 170.550(h)(4)(ii), a Health IT
standards used to meet a certification standards. For four data specified in the Module can meet applicable 2015
criterion). The required data elements CCDS (Unique Device Identifier(s) for a Edition privacy and security
for disclosure were intended to be Patient’s Implantable Device(s); certification criterion by demonstrating,
consistent across the editions. This data Assessment and Plan of Treatment; through system documentation that is
is not a required data element for the Goals; and Health Concerns), we sufficiently detailed to enable
mandatory disclosures for health IT reference specific Consolidated Clinical integration, that the Health IT Module
certified to the 2014 Edition. We did, Document Architecture (C–CDA) has implemented service interfaces for
however, intend to require the sections. Based on subsequent each applicable privacy and security
disclosure of § 170.523(f)(1)(xv) examination of this regulatory text and certification criterion that enable the
(certification to clinical quality early interactions with stakeholders, we Health IT Module to access external
measures), which was inadvertently have determined that additional services necessary to meet the privacy
omitted but consistent with the new and explanation of these references is and security certification criterion (also
previous 2014 Edition disclosure necessary in order to ensure health IT known as ‘‘Approach 2’’). We clarify
requirements. We also refer readers to developers accurately and consistently three points about Approach 2. First, we
section III.C (‘‘Mandatory Disclosures interpret and implement health IT clarify that the term ‘‘access’’ includes,
for 2015 Edition Certified Health IT’’) functionality to our expressed as applicable, bi-directional interfaces
below for a clarification related to the regulatory requirements. In this regard, with external services. For example,
disclosure on information specified in we seek to clarify two points. system documentation could detail how
§ 170.523(f)(1)(viii). First, we clarify that the references to integration establishes a bi-directional
these four specific C–CDA section interface that meets the requirements of
b. 2014 Edition Certified Health IT templates is not meant to be strictly the 2015 Edition ‘‘audit report(s)’’
On page 62756, third column, lines interpreted to mean that a health IT certification criterion. Second, external
42–43 (§ 170.523(k)(1)(ii)(B)), we developer must use the C–CDA’s syntax services simply mean services outside
inadvertently omitted cross-references for each referenced section. Such a strict the scope of the Health IT Module being
to paragraphs (f)(2)(iii) (product version) interpretation would directly contradict presented for certification. External
and (vi) (any additional relied upon the flexibility we have intentionally services could be, but are not limited to,
software used to demonstrate offered to health IT developers who seek those provided by another certified
compliance with a certification criterion to certify to the ‘‘application access— Health IT Module, another software
or criteria) of § 170.523. The parallel data category request’’ certification program such as Microsoft Active
requirements were included in the criterion adopted at 45 CFR Directory, or a hospital enterprise-wide
required disclosures for health IT 170.315(g)(8), which references the infrastructure. Third, a Health IT
certified to the 2015 Edition and were CCDS but does not bind health IT Module is not required to be paired with
previously required to be disclosed as presented for certification to solely use the other services for the purposes of
part of certification to the 2014 Edition. the C–CDA to meet the criterion. To certification (e.g., certified with another
10. In-the-Field Surveillance and avoid stakeholders inadvertently certified Health IT Module that
Maintenance of Certification for Health following this overly strict performs the privacy and security
IT interpretation, we clarify that the capability or specifying the external
references to these C–CDA section services as ‘‘relied upon software’’).
a. Exclusion and Exhaustion templates was meant (like all of the
On page 62758, third column, lines 4 other data listed in the CCDS) to C. Mandatory Disclosures for 2015
and 10 (§ 170.556(c)(5)), we twice emphasize that these data need to be Edition Certified Health IT
inadvertently cross-referenced consistently and independently We clarify that for compliance with
paragraph (c)(3) of § 170.556 instead of represented as discrete data that are § 170.523(k)(1)(ii)(A), the only
paragraph (c)(4) of § 170.556. Paragraph clearly distinguishable. information that must be disclosed to
(c)(4) includes the requirements for Second, we clarify for the Assessment meet the data requirement specified in
locations as they would apply to the and Plan of Treatment, Goals, and § 170.523(f)(1)(viii) is the certification
‘‘exclusion and exhaustion’’ Health Concerns data that only the criterion or criteria to which the Health
requirements of paragraph (c)(5). narrative part of the referenced C–CDA IT Module has been certified. This is
section templates is necessary and consistent with the disclosure
b. Termination required in order to satisfy the CCDS. requirements for certification to the
On page 62759, second column, lines Further and in support of this 2014 Edition.
23–24 (§ 170.556(d)(6)), we clarification, testing and certification
tkelley on DSK9F6TC42PROD with RULES

inadvertently included language will focus on the presence of data IV. Waiver of Proposed Rulemaking
suggesting that termination was limited represented consistent with just the We ordinarily publish a notice of
to suspensions in the context of narrative part of the referenced section proposed rulemaking in the Federal
randomized surveillance. Consistent templates. Similar to our points above, Register to provide a period for public
with the preamble discussion on pages given that these section templates in the comment before the provisions of a rule
62716–62718, termination can follow C–CDA have two parts (a narrative part take effect in accordance with section

VerDate Sep<11>2014 11:03 Dec 10, 2015 Jkt 238001 PO 00000 Frm 00016 Fmt 4700 Sfmt 4700 E:\FR\FM\11DER1.SGM 11DER1

Federal Register / Vol. 80, No. 238 / Friday, December 11, 2015 / Rules and Regulations 76871

553(b) of the Administrative Procedure reporting of changes in user privileges § 170.315 2015 Edition health IT
Act (APA) (5 U.S.C. 553(b)). However, consistent with the adopted 2015 certification criteria.
we can waive this notice and comment Edition ‘‘auditable events and tamper * * * * *
procedure if the Secretary finds, for resistance’’ certification criterion.’’ (a) * * *
good cause, that the notice and 3. On page 62657, third column, third (14) * * *
comment process is impracticable, paragraph, correct the last sentence to (ii) * * *
unnecessary, or contrary to the public read ‘‘A few commenters requested that (A) Device Identifier; and
interest, and incorporates a statement of we wait until 2017 or 2018 to increase * * * * *
the finding and the reasons therefore in the standard to SHA–2.’’ (iv) * * *
the notice. 4. On page 62658, first column, mid- (A) The active Unique Device
In our view, this correcting and page, within the 2015 Edition Identifiers recorded for the patient;
clarifying document does not constitute ‘‘accounting of disclosures’’ certification (B) For each active Unique Device
a rulemaking that would be subject to criterion table, the citation is corrected Identifier recorded for a patient, the
the APA notice and comment to read ‘‘45 CFR 170.315(d)(11).’’ description of the implantable device
requirements. This document corrects 5. On page 62668, third column, lines specified by paragraph (a)(14)(iii)(A) of
errors and clarifies provisions of the 2 and 3, correct the parenthetical to read this section; and
2015 Edition final rule published on ‘‘(with the HAI IG).’’
6. On page 62681, Table 6, remove * * * * *
October 16, 2015. It does not make (v) * * *
substantive changes to the policies that ‘‘(d)(3) Audit report(s)’’ from the ‘‘2015
Edition’’ column and ‘‘(d)(3) Audit (C) The identifiers associated with the
were adopted. As a result, this Unique Device Identifier, as specified by
correcting document is intended to report(s)’’ from the ‘‘2014 Edition’’
column. paragraph (a)(14)(ii) of this section; and
ensure that the final rule accurately
7. On page 62696, second column, * * * * *
reflects the policies adopted in that final
lines 8–14, correct the sentence to read (b) * * *
rule.
In addition, even if this were a ‘‘Thus, other C–CDA document (6) * * *
templates such as CCD, Referral Note, (i) * * *
rulemaking to which the notice and
and Discharge Summary would need to (A) Enable a user to set the
comment requirements applied, we find
be able to exchange the narrative configuration options specified in
that there is good cause to waive such
information from the ‘‘Goals Section’’ paragraphs (b)(6)(iii) and (iv) of this
requirements. Undertaking further
and ‘‘Health Concerns Section’’ in order section when creating an export
notice and comment procedures to
to meet the Common Clinical Data Set summary as well as a set of export
incorporate the corrections in this
definition.’’ summaries for patients whose
document into the final rule would be
information is stored in the technology.
contrary to the public interest. B. Regulation Text Corrections A user must be able to execute these
Furthermore, such procedures would be
■ 1. On page 62742, first column, in capabilities at any time the user chooses
unnecessary, as we are not altering the
§ 170.102, in the definition of ‘‘2015 and without subsequent developer
policies that were already subject to
Edition Base EHR’’, paragraph (3) is assistance to operate.
comment and finalized in our final rule.
Therefore, we believe we have good corrected to read as follows: * * * * *
cause to waive the notice and comment (ii) Creation. Enable a user to create
§ 170.102 Definitions.
requirements. export summaries formatted in
* * * * * accordance with the standard specified
V. Corrections of Errors 2015 Edition Base EHR * * * in § 170.205(a)(4) using the Continuity
(3) Has been certified to the
A. Preamble Corrections of Care Document document template
certification criteria adopted by the
that includes, at a minimum:
1. On page 62609, correct Table 2 as Secretary in § 170.315(a)(1), (2), or (3);
(a)(5) through (9); (a)(11); (a)(14); (b)(1) * * * * *
follows:
a. Remove ‘‘Audit Report(s)’’ from the and (6); (c)(1); (g)(7) through (9); and (c) * * *
‘‘Unchanged Criteria as Compared to the (h)(1) or (2); (4) * * *
(iii) * * *
2014 Edition (Gap Certification * * * * *
(E) Patient insurance in accordance
Eligible)’’ category and insert it with an ■ 2. On page 62744, third column, in with the standard specified in
in asterisk (i.e., Audit Report(s)*) in the § 170.207, paragraph (o)(1)(ii) is § 170.207(s)(1).
‘‘Revised Criteria as Compared to the corrected to read as follows: * * *
2014 Edition’’ category after ‘‘Auditable
§ 170.207 Vocabulary standards for (G) Patient sex in accordance with the
Events and Tamper-Resistance.’’
representing electronic health information. version of the standard specified in
b. Revise the ‘‘Unchanged Criteria as
* * * * * § 170.207(n)(1).
Compared to the 2014 Edition (Gap
Certification Eligible) (16)’’ title to (o) * * * * * * * *
‘‘Unchanged Criteria as Compared to the (1) * * * (e) * * *
2014 Edition (Gap Certification Eligible) (ii) Straight or heterosexual. (1) * * *
(15)’’. 20430005. (ii) * * *
c. Revise the ‘‘Revised Criteria as * * * * * (A) When any of the capabilities
Compared to the 2014 Edition (25)’’ title ■ 3. On pages 62748 through 62755, in included in paragraphs (e)(1)(i)(A)
to ‘‘Revised Criteria as Compared to the § 170.315, paragraphs (a)(14)(ii)(A), through (C) of this section are used, the
tkelley on DSK9F6TC42PROD with RULES

2014 Edition (26)’’. (a)(14)(iv)(A) and (B), (a)(14)(v)(C), following information must be recorded
2. On page 62656, second column, in (b)(6)(i)(A), (b)(6)(ii) introductory text, and made accessible to the patient (or
the ‘‘Response’’ under ‘‘Audit (c)(4)(iii)(E) and (G), (e)(1)(ii)(A) his/her authorized representative):
Report(s),’’ correct the first sentence to introductory text, (e)(1)(ii)(B), (g)(6)(ii), * * * * *
read ‘‘We have adopted this certification (h)(1)(ii), and (h)(2)(ii) are corrected to (B) Technology presented for
criterion as revised to support the audit read as follows: certification may demonstrate

VerDate Sep<11>2014 11:03 Dec 10, 2015 Jkt 238001 PO 00000 Frm 00017 Fmt 4700 Sfmt 4700 E:\FR\FM\11DER1.SGM 11DER1

$76872 Federal Register / Vol. 80, No. 238 / Friday, December 11, 2015 / Rules and Regulations compliance with paragraph (e)(1)(ii)(A) (2) * * * ■ b. On page 62759, second column, of this section if it is also certified to the (ii) Delivery Notification in Direct. correct paragraph (d)(6) to read as certification criterion specified in Able to send and receive health follows: § 170.315(d)(2) and the information information in accordance with the required to be recorded in paragraph § 170.556 In-the-field surveillance and standard specified in § 170.202(e)(1). maintenance of certification for Health IT. (e)(1)(ii)(A) of this section is accessible by the patient (or his/her authorized § 170.523 [Corrected] * * * * * representative). (d) * * * ■ 4. In § 170.523— (6) If a certified Complete EHR or * * * * * ■ a. On page 62756, third column, lines certified Health IT Module’s (g) * * * 35–36, paragraph (k)(1)(ii)(A), the certification has been suspended, an (6) * * * reference ‘‘paragraphs (f)(1)(i), (vi), (vii), ONC–ACB is permitted to initiate (ii) Document-template conformance. (viii), (xvi), and (xvii) of this section’’ is certification termination procedures for Create a data file formatted in corrected to read ‘‘paragraphs (f)(1)(i), the Complete EHR or Health IT Module accordance with the standard adopted (vi), (vii), (viii), (xv), and (xvi) of this (consistent with its accreditation to ISO/ in § 170.205(a)(4) that demonstrates a section’’. IEC 17065 and procedures for valid implementation of each document template applicable to the certification ■ b. On page 62756, third column, lines terminating a certification) when the criterion or criteria within the scope of 42–43, paragraph (k)(1)(ii)(B), the developer has not completed the actions the certificate sought. reference ‘‘paragraphs (f)(2)(i), (ii), (iv)– necessary to reinstate the suspended (v), and (vii) of this section’’ is corrected certification. * * * * * to read ‘‘paragraphs (f)(2)(i) through (vii) * * * * * (h) * * * (1) * * * of this section’’. Dated: December 7, 2015. (ii) Delivery Notification in Direct. ■ 5. In § 170.556— Madhura Valverde, Able to send and receive health ■ a. On page 62758, third column, lines Executive Secretary to the Department, information in accordance with the 4 and 10, paragraph (c)(5), correct the Department of Health and Human Services. standard specified in § 170.202(e)(1). reference ‘‘paragraph (c)(3)’’ each time it [FR Doc. 2015–31255 Filed 12–10–15; 8:45 am] * * * * * appears to read ‘‘paragraph (c)(4)’’. BILLING CODE 4150–45–P tkelley on DSK9F6TC42PROD with RULES VerDate Sep<11>2014 11:03 Dec 10, 2015 Jkt 238001 PO 00000 Frm 00018 Fmt 4700 Sfmt 9990 E:\FR\FM\11DER1.SGM 11DER1$

Document Created: 2018-03-02 09:13:01
Document Modified: 2018-03-02 09:13:01

Category		Regulatory Information
Collection		Federal Register
sudoc Class		AE 2.7: GS 4.107: AE 2.106:
Publisher		Office of the Federal Register, National Archives and Records Administration
Section		Rules and Regulations
Action		Final rule; corrections and clarifications.
Dates		This correction is effective January 14, 2016. The final rule appeared in the Federal Register on October 16, 2015 (80 FR 62602), and is effective on January 14, 2016, except for Sec. 170.523(m) and (n), which are effective on April 1, 2016.
Contact		Michael Lipinski, Office of Policy, National Coordinator for Health Information Technology, 202-690-7151.
FR Citation		80 FR 76868
RIN Number		0991-AB93

80 FR 76868 - 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications; Corrections and Clarifications

DEPARTMENT OF HEALTH AND HUMAN SERVICESOffice of the Secretary

Federal Register Volume 80, Issue 238 (December 11, 2015)

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary