Proposed rule giving ONC direct review of certified IT provides opportunity to review agency itself

Most agencies are quick to justify the need of a proposed rule by pointing out the wonderful things it will do, the gaps it will fill, the problems it will resolve.

Not the Office of the National Coordinator, though, at least in its portrayal of the new proposed rule that would give the agency power to conduct direct review of certified EHR products. Instead, Michael Lipinski, JD, director of ONC's division of federal policy and regulatory affairs launched into a webinar March 22 about the proposed rule by explaining what the rule would not do. 

It does not:

  • Create new certification requirements for developers
  • Create new certification or health IT requirements for providers
  • Establish a means for ONC to directly test and certify health IT
  • Establish regular or routine auditing by ONC of certified health IT products

Instead, the proposed rule, meant to provide "enhanced oversight and accountability" would be more focused. It would enable ONC to directly review certified products, provide increased oversight of health IT testing bodies and increase transparency by making identified surveillance results of certified health IT publicly available. ONC's direct review will be independent of, and possibly in addition to, reviews conducted by the existing ONC-authorized certification bodies (ONC-ACBs) and center on situations that pose a risk to public health and safety.

OK. But we need to take a deeper look at what's going on here.

There have been calls for ONC's authority to be clarified, but where did this rule come from? It's almost as if, after pressure from Congress and others that there should be more oversight of vendors' compliance with certification requirements and information blocking, ONC said, "we should be the ones doing that," realized to its dismay that it didn't have the authority, and so decided to create it. That's rather reactive.  

The way the proposed rule appears to carve out a niche for ONC seems a bit odd, as well. ONC is proposing that it would have some direct oversight, but not all direct oversight. Is that sufficient oversight? Or too much, considering that we already have ONC-ACBs? Why not simply increase the ONC-ACB's authority, since they're more intimately knowledgeable about certification? This overlapping authority and oversight would seem overly complex and pretty confusing to a developer. And would enforcement differ, depending on who is enforcing?

Or perhaps the proposed rule doesn't go far enough. For instance, if the rule is meant to enhance oversight and accountability, as Lipinski noted, should ONC have more authority than what's being considered in the proposed rule? Maybe ONC should conduct regular audits of certified products and be more involved in certification. Perhaps it should address what happens to providers who are using a product that is decertified, rather than just focusing on the vendors.

I also question the timing of this rule. It's been issued just as the Centers for Medicare & Medicaid Services is finalizing the proposed rule that would implement the Medicare Access and CHIP Reauthorization Act and siphon off most of the physicians in Meaningful Use out of the original program, which arguably is in need of an overhaul. Is this rule meant to pivot ONC out of Meaningful Use and into certification efforts as a way to repurpose itself? If so, how well does this rule do that?

Then there's the truth of ONC's past history. ONC has treated vendors with kid gloves, frankly. Only four EHR products have been decertified since the certification program has gone into effect, despite the fact that there have been reports that other products don't deserve certification. Is ONC the correct enforcement agency here? If so, should it be beefing up its enforcement efforts?

Or look at some of ONC's other forays. It was going to create a national health information exchange (HIE) network and then backpedaled. It opted not to regulate HIE governance, leading to a myriad of governance business models, some of which have failed and some which need shoring up. It created a complaint tool so that people could voice concerns about EHRs directly to the agency, but stated up front that its wouldn't help resolve the problems being complained about.

Perhaps instead of piecemeal approaches, ONC should be looked at in its totality, and address what authority it should and shouldn't have now that some of its duties have ended and others, like the Meaningful Use program, are changing and will eventually end.

Rarely does a modest rule raise so many fundamental questions. But they must be addressed. What looks on its face as a fill-in-the-gap regulation actually can change the direction and the focus of ONC and the industry. It's an opportune time to take a good look at ONC and the role it should be playing overall. - Marla (@MarlaHirsch and @FierceHealthIT)

Suggested Articles

Roche, which already owned a 12.6% stake in Flatiron Health, has agreed to buy the health IT company for $1.9 billion.

Allscripts managed to acquire two EHR platforms for just $50 million by selling off a portion of McKesson's portfolio for as much as $235 million.

Artificial intelligence could help physicians predict a patient's risk of developing a deadly infection.