ONC: Direct review of certified EHR technology would focus on public health, safety

The Office of the National Coordinator for Health IT's proposed rule giving it the power to conduct direct reviews of certified health IT products can in many ways be explained by what it doesn't do, according to Michael Lipinski, JD, director of the agency's division of federal policy and regulatory affairs.

On a March 22 webinar focusing on the proposed rule, Lipinski clarified that the rule does not create new certification requirements for developers or providers, does not establish a means for ONC to directly test and certify health IT and does not establish regular or routine auditing by ONC of certified health IT products.

It does, however, enable ONC to directly review certified products. It also would enable increased oversight of health IT testing bodies, as well as increased transparency and accountability by making identified surveillance results of certified health IT publicly available.

Lipinski noted that the rule's goals are to reduce medical errors, protect patient information, and cut "nonconformities" of certified health IT in a timely manner. ONC's direct review will be independent of, and may be in addition to, review conducted by the federally authorized certification bodies (ONC-ACBs), and will focus on situations that pose a risk to public health and safety.

Some reviews will still be handled only by ONC-ACBs, such as situations when a vendor does not follow the certification body's direction. Direct ONC review may be warranted when there is a widespread issue that may be difficult for an ONC-ACB to address, or when dealing with a nonconformity in a developer's products certified by two different certification bodies.

Lipinski emphasized that ONC intends to "work with the health IT developer to remedy a nonconformity." This can include corrective action plans; products can also be suspended or terminated. A developer would have the right to appeal a suspension or decertification.  

The consequences of termination would focus on recertification, not the potential impact on providers using a product that is decertified.

ONC's enforcement and other authority has been a subject of debate. ONC also hasn't taken much action against developers. Only four EHR products have been decertified for failing to meet the standards of the Meaningful Use program.

Congress has suggested that ONC only certify products that don't block data sharing; ONC had indicated that it was looking at the implications of taking more aggressive action.

Comments on the rule are due May 2, 2016.