Investigators tracked the data breach back to weak login security. The hackers acquired credentials from five Anthem technology workers and used phishing campaigns to "dupe" network administrators into revealing login information or into clicking a link that granted them access to the administrators' computers. Shortly after the announcement of the Anthem breach, it was revealed data in the insurer's database was not encrypted.
Following the announcement of the Anthem breach, consumer perceptions of the payer dipped slightly. A Wedbush Securities survey of more than 1, people prior to the breach found 51 percent of consumers said Anthem Blue Cross Blue Shield was a better brand than other payers. After the breach, only 45 percent of consumers said the same.
How killing Obamacare could backfire for Trump - POLITICO
The large breach was not Anthem's first. Less than 24 hours after the announcement of the Anthem breach, the payer was faced with two class-action lawsuits. The high-profile nature of breaches like the Anthem case can drive other healthcare providers to take a second look at their own cybersecurity policies. An Experian Data Breach Resolution and Ponemon Institute found media coverage of data breaches has driven 69 percent of companies to reevaluate and prioritize security. Cybersecurity is only interesting when you have things like Sony and Anthem happen. Premera discovered the breach on Jan.
The initial attack took place on May 5, The investigation into the breach indicates no evidence of inappropriate use of the compromised data, as of March Shortly following the public announcement of the Premera breach, the insurer was hit with several class-action lawsuits. Attackers are able to operate for months before being detected, and this will continue until organizations architect in a way leaving attackers nowhere to hide," said TK Keanini, CTO of Lancope, in a Becker's Hospital Review Premera breach reaction report.
The attack was traced back to June Mandiant, a subsidiary of Milpitas, Calif. In a statement to the Wall Street Journal, FireEye said, "The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year. In June, the U. Office of Personnel Management announced hackers accessed its computer system. The data of approximately 4 million government workers was compromised. The breach investigators have now linked the OPM cyberattack to both the Anthem and Premera Blue Cross breaches that occurred earlier this year.
The suspected culprits are government-linked Chinese hackers, according to a Bloomberg report. Data breach settlement costs can be substantial. To make its HIV plan work, the Trump administration planned to rely on nonprofit health clinics and hospitals that receive steep discounts on drugs.
Obamacare expanded this program, known as B, to rural, critical access and community hospitals. That drug savings money is credited with keeping many of these facilities open and alleviating some of the burden on health centers that treat uninsured and low-income HIV patients. If financially strapped rural hospitals lose their B status due to the elimination of Obamacare, it would place a huge burden on other places that treat HIV patients, like the Ryan White Clinics, said Peggy Tighe, the lead lobbyist for Ryan White Clinics for B Access.
The cuts to B would also hurt anti-addiction treatment because some of the patients treated for HIV infections in rural hospitals and clinics are also opioid users, Tighe said. More than hospitals were added to the drug discount program thanks to Obamacare in the seven states the Trump administration's HIV plan targets, according to the Health Resources and Services Administration. About 1, rural hospitals throughout the country joined the program, according to B Health, which lobbies for these health care facilities. And states would no longer be entitled to the larger discounts on drugs provided to Medicaid programs under Obamacare.
Meanwhile, Trump administration efforts to get cheaper medicines to market could falter. Certification Ban and Termination. Public Listing of Certification Ban and Terminations. Effect on Existing Program Requirements and Processes. Concurrent Enforcement by the Office of Inspector General. Legislative Background and Policy Considerations.
Purpose of the Information Blocking Provision. Relevant Statutory Terms and Provisions. Networks and Exchanges. Electronic Health Information. Interests Promoted by the Information Blocking Provision. Interoperability Elements. Prevention, Material Discouragement, and Other Interference. Likelihood of Interference. Applicability of Exceptions. Reasonable and Necessary Activities.
Treatment of Different Types of Actors. Proposed Exceptions to the Information Blocking Provision. Promoting the Privacy of EHI. Promoting the Security of EHI. Recovering Costs Reasonably Incurred. Responding to Requests That Are Infeasible. Registries Request for Information. Patient Matching Request for Information.
Incorporation by Reference. Collection of Information Requirements. Regulatory Impact Analysis. Alternatives Considered. Accounting Statement and Table. Regulatory Flexibility Act. Executive Order —Federalism. Unfunded Mandates Reform Act of ONC is responsible for the implementation of key provisions in Title IV of the 21st Century Cures Act Cures Act that are designed to advance interoperability; support the access, exchange, and use of electronic health information; and address occurrences of information blocking.
This proposed rule would implement certain provisions of the Cures Act, including Conditions and Maintenance of Certification requirements for health information technology health IT developers, the voluntary certification of health IT for use by pediatric health providers, and reasonable and necessary activities that do not constitute information blocking. In addition, the proposed rule would implement parts of section a of the Cures Act to support patient access to their electronic health information EHI , such as making a patient's EHI more electronically accessible through the adoption of standards and certification criteria and the implementation of information blocking policies that support patient electronic access to their health information at no cost.
In addition to fulfilling the Cures Act's requirements, the proposed rule would contribute to fulfilling Executive Order E. The President issued E. Section 1 c of the E. Section 1 c also states that government rules should improve access to and the quality of information that Americans need to make informed health care decisions.
For example, as mentioned above, the proposed rule focuses on establishing Application Programming Interfaces APIs for several interoperability purposes, including patient access to their health information without special effort. The API approach also supports health care providers having the sole authority and autonomy to unilaterally permit connections to their health IT through certified API technology the health care providers have acquired.
In addition, the proposed rule provides ONC's interpretation of the information blocking definition as established in the Cures Act and the application of the information blocking provision by identifying reasonable and necessary activities that would not constitute information blocking. Many of these activities focus on improving patient and health care provider access to electronic health information and promoting competition.
Since the inception of the Program, we have aimed to implement and administer the Program in the least burdensome manner that supports our policy goals. Throughout the years, we have worked to improve the Program with a focus on ways to reduce burden, offer flexibility to both developers and providers, and support innovation. ONC has reviewed and evaluated existing regulations to identify ways to administratively reduce burden and implement deregulatory actions through guidance. In this proposed rule, we also propose potential new deregulatory actions that will reduce burden for health IT developers, providers, and other stakeholders.
We propose six deregulatory actions in section III. This rule proposes to update the Edition by not only proposing criteria for removal, but by proposing to revise and add new certification criteria that would establish the capabilities and related standards and implementation specifications for the certification of health IT. However, the CCDS definition also began to be colloquially used for many different purposes.
As the CCDS definition's relevance grew outside of its regulatory context, it became a symbolic and practical limit to the industry's collective interests to go beyond the CCDS data for access, exchange, and use. In addition, as we move further towards value-based care, the need for the inclusion of additional data classes that go beyond clinical data is necessary. The USCDI standard, if adopted, would establish a set of data classes and constituent data elements that would be required to be exchanged in support of interoperability nationwide. The Standards Version Advancement Process would permit health IT developers to voluntarily implement and use a new version of an adopted standard, such as the USCDI, so long as the newer version was approved by the National Coordinator through the Standards Version Advancement Process for use in certification.
ONC and CMS have historically maintained complementary policies of maintaining aligned e-Rx and medical history MH standards to ensure that the current standard for certification to the electronic prescribing criterion permits use of the current Part D e-Rx and MH standards. The proposed criterion supports situations in which we believe that all EHI produced and electronically managed by a developer's health IT should be made readily available for export as a standard capability of certified health IT.
Specifically, this criterion would: 1 Enable the export of EHI for a single patient upon a valid request from that patient or a user on the patient's behalf, and 2 support the export of EHI when a health care provider chooses to transition or migrate information to another health IT system. This criterion would also require that the export include the data format, made publicly available, to facilitate the receiving health IT system's interpretation and use of the EHI to the extent reasonably practicable using the developer's existing technology.
This criterion provides developers with the ability to create innovative export capabilities according to their systems and data practices. We do not propose that the export must be executed according to any particular standard, but propose to require that the export must be accompanied by the data format, including its structure and syntax, to facilitate interpretation of the EHI therein. Overall, this new criterion is intended to provide patients and health IT users, including providers, a means to efficiently export the entire electronic health record for a single patient or all patients in a computable, electronic format.
The new criterion would focus on supporting two types of API-enabled services: 1 Services for which a single patient's data is the focus and 2 services for which multiple patients' data are the focus. In order to be issued a certification, we propose to require that a Health IT Module developer attest to whether the Health IT Module encrypts authentication credentials and whether the Health IT Module supports multi-factor authentication.
These criteria are not expected to place additional burden on health IT developers since they do not require net new development or implementation to take place in order to be met. Certification to the Edition DS4P criteria focus on data segmentation only at the document level. Since the Edition final rule, the health care industry has engaged in additional field testing and implementation of the DS4P standard. In addition, stakeholders shared with ONC—through public forums, listening sessions, and correspondence—that focusing certification on segmentation to only the document level does not permit providers the flexibility to address more granular segmentation needs.
Therefore, we propose to remove the current Edition DS4P criteria. We propose to make corrections to the Edition privacy and security certification framework 80 FR and relevant regulatory provisions. Section b of the Cures Act includes two provisions related to supporting health IT across the care continuum. The first instructs the National Coordinator to encourage, keep or recognize through existing authorities, the voluntary certification of health IT for use in medical specialties and sites of service where more technological advancement or integration is needed.
The second outlines a provision related to the voluntary certification of health IT for use by pediatric health providers to support the health care of children. These provisions align closely with ONC's core purpose to promote interoperability to support care coordination, patient engagement, and health care quality improvement initiatives. Advancing health IT that promotes and supports patient care when and where it is needed continues to be a primary goal of the Program.
This means health IT should support patient populations, specialized care, transitions of care, and practice settings across the care continuum. ONC has explored how we might work with the health IT industry and with specialty organizations to collaboratively develop and promote health IT that supports medical specialties and sites of service. Over time, ONC has taken steps to make the Program modular, more open and accessible to different types of health IT, and able to advance functionality that is generally applicable to a variety of care and practice settings.
Specific to the provisions in the Cures Act to support providers of health care for children, we considered a wide range of factors. These include: The evolution of health IT across the care continuum, the costs and benefits associated with health IT, the potential regulatory burden and compliance timelines, and the need to help advance health IT that benefits multiple medical specialties and sites of service involved in the care of children. In consideration of these factors, and to advance implementation of Sections b of the Cures Act specific to pediatric care, we held a listening session where stakeholders could share their clinical knowledge and technical expertise in pediatric care and pediatric sites of service.
Through the information learned at this listening session and our analysis of the health IT landscape for pediatric settings, we have identified existing Edition criteria, as well as new and revised Edition criteria proposed in this rule, that we believe could benefit providers of pediatric care and pediatric settings. In this proposed rule, we seek comment on our analysis and the correlated certification criteria that we believe would support the health care of children. We also recognize the significance of the opioid epidemic confronting our nation and the importance of helping to support the health IT needs of health care providers committed to preventing inappropriate access to prescription opioids and to providing safe, appropriate treatment.
We believe health IT offers promising strategies to help assist medical specialties and sites of services impacted by the opioid epidemic. Therefore, we request public comment on how our existing Program requirements and the proposals in this rulemaking may support use cases related to Opioid Use Disorder OUD prevention and treatment and if there are additional areas that ONC should consider for effective implementation of health IT to help address OUD prevention and treatment. We propose to establish certain Conditions and Maintenance of Certification requirements for health IT developers based on the conditions and maintenance of certification requirements outlined in section of the Cures Act.
We propose an approach whereby the Conditions and Maintenance of Certification express both initial requirements for health IT developers and their certified Health IT Module s as well as ongoing requirements that must be met by both health IT developers and their certified Health IT Module s under the Program. In this regard, we propose to implement the Cures Act Conditions of Certification with further specificity as it applies to the Program and propose to implement any accompanying Maintenance of Certification requirements as standalone requirements to ensure that not only are the Conditions of Certification met, but that they are continually being met through the Maintenance of Certification requirements.
Section c 5 D ii of the Cures Act requires that a health IT developer, as a Condition of Certification under the Program, provide assurances to the Secretary that, unless for legitimate purposes specified by the Secretary, the developer will not take any action that constitutes information blocking as defined in section a of the PHSA, or any other action that may inhibit the appropriate exchange, access, and use of EHI. We also propose to establish more specific Conditions and Maintenance of Certification requirements to provide assurances that a health IT developer does not take any other action that may inhibit the appropriate exchange, access, and use of EHI.
These proposed requirements serve to provide further clarity under the Program as to how health IT developers can provide such broad assurances with more specific actions. As a Condition and Maintenance of Certification under the Program, the Cures Act requires that health IT developers do not prohibit or restrict communications about certain aspects of the performance of health IT and the developers' related business practices. We propose that developers will be permitted to impose certain kinds of limited prohibitions and restrictions that we believe strike a reasonable balance between the need to promote open communication about health IT and related developer business practices and the need to protect the legitimate interests of health IT developers and other entities.
We propose that to maintain compliance with this Condition of Certification, a health IT developer must not impose or enforce any contractual requirement or legal right that contravenes this Condition of Certification. In section VII. These proposals include new standards, new implementation specifications, a new certification criterion, as well as detailed Conditions and Maintenance of Certification requirements.
The Cures Act adds a new Condition and Maintenance of Certification requirement that health IT developers successfully test the real world use of the technology for interoperability in the type of setting in which such technology would be marketed. We propose to limit the applicability of this Condition of Certification to health IT developers with Health IT Modules certified to one or more Edition certification criteria focused on interoperability and data exchange specified in section VII.
We propose Maintenance of Certification requirements that would require health IT developers to submit publicly available annual real world testing plans as well as annual real world testing results for certified health IT products focused on interoperability. We also propose a Maintenance of Certification flexibility we have named the Standards Version Advancement Process, under which health IT developers with health IT certified to the criteria specified for interoperability and data exchange would have the option to update their health IT to a more advanced version s of the standard s or implementation specification s included in the criteria once such versions are approved by the National Coordinator through the Standards Version Advancement Process for use in health IT certified under the Program.
We propose that health IT developers voluntarily opting to avail themselves of the Standards Version Advancement Process must address their planned and actual timelines for implementation and rollout of standards updates in their annual real world testing plans and real world testing results submissions. We also propose that health IT developers of products with existing certifications who plan to avail themselves of the Standards Version Advancement Process flexibility notify both their ONC-ACB and their affected customers of their intention and plans to update their certified health IT and its anticipated impact on their existing certified health IT and customers, specifically including but not limited to whether, and if so for how long, the health IT developer intends to continue to support the certificate for the health IT certified to the prior version of the standard.
Health IT developers would attest twice a year to compliance with the Conditions and Maintenance of Certification requirements except for the EHR reporting criteria requirement, which would be metrics reporting requirements separately implemented through a future rulemaking. In this regard, the proposed rule includes provisions to make the process as simple and efficient for health IT developers as possible e. We have not yet established an EHR reporting program.
Once ONC establishes such program, we will undertake rulemaking to propose and implement the associated Condition and Maintenance of Certification requirement s for health IT developers. Section of the Cures Act adds Program requirements aimed at addressing health IT developer actions and business practices through the Conditions and Maintenance of Certification requirements, which expands the current focus of the Program requirements beyond the certified health IT itself.
Equally important, section also provides that the Secretary of HHS may encourage compliance with the Conditions and Maintenance of Certification requirements and take action to discourage noncompliance. We, therefore, propose a general enforcement approach to encourage consistent compliance with the requirements. The proposed rule outlines a corrective action process for ONC to review potential or known instances where a Condition or Maintenance of Certification requirement has not been or is not being met by a health IT developer under the Program.
Where noncompliance is identified, our first priority would be to work with the health IT developer to remedy the matter through a corrective action process. Section a 1 of the PHSA defines information blocking in broad terms, while section a 3 authorizes and charges the Secretary to identify reasonable and necessary activities that do not constitute information blocking section a 3 of the PHSA.
We identify several reasonable and necessary activities as exceptions to the information blocking definition, each of which we propose would not constitute information blocking for purposes of section a 1 of the PHSA. The exceptions would extend to certain activities that interfere with the access, exchange, or use of EHI but that may be reasonable and necessary if certain conditions are met. In developing the proposed exceptions, we were guided by three overarching policy considerations. First, the exceptions would be limited to certain activities that clearly advance the aims of the information blocking provision; promoting public confidence in health IT infrastructure by supporting the privacy and security of EHI, and protecting patient safety; and promoting competition and innovation in health IT and its use to provide health care services to consumers.
Second, each exception is intended to address a significant risk that regulated individuals and entities i.
Value Rules: Playbook for Post-Reform Healthcare
Third, and last, each exception is intended to be tailored, through appropriate conditions, so that it is limited to the reasonable and necessary activities that it is designed to exempt. The seven proposed exceptions are set forth in section VIII. D below.
The first three exceptions, set forth in VIII. The next three exceptions, set forth in VIII. These exceptions would allow for the recovery of costs reasonably incurred; excuse an actor from responding to requests that are infeasible; and permit the licensing of interoperability elements on reasonable and non- discriminatory terms. The last exception, set forth in VIII. This proposed exception recognizes that actors may make health IT temporarily unavailable for maintenance or improvements that Start Printed Page benefit the overall performance and usability of health IT.
To qualify for any of these exceptions, we propose that an individual or entity would, for each relevant practice and at all relevant times, have to satisfy all of the applicable conditions of the exception. Additionally, we propose in section VIII. C of this preamble to define or interpret terms that are present in section of the PHSA such as the types of individuals and entities covered by the information blocking provision.
We also propose certain new terms and definitions that are necessary to implement the information blocking provisions. We propose to codify the proposed exceptions and other information blocking proposals in a new part of title 45 of the Code of Federal Regulations, part Executive Orders on Regulatory Planning and Review September 30, and on Improving Regulation and Regulatory Review February 2, direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits including potential economic, environmental, public health and safety effects, distributive impacts, and equity.
Accordingly, we have prepared an RIA that to the best of our ability presents the costs and benefits of this proposed rule. We note that we have rounded all estimates to the nearest dollar and all estimates are expressed in dollars as it is the most recent data available to address all cost and benefit estimates consistently. We also note that we did not have adequate data to quantify some of the costs and benefits within this RIA. In those situations, we have described the qualitative costs and benefits of our proposals; however, such qualitative costs and benefits have not been accounted for in the monetary cost and benefit totals below.
The Cures Act was enacted on December 13, , to accelerate the discovery, development, and delivery of 21st century cures, and for other purposes. Each was responsible for advising the National Coordinator for Health Information Technology National Coordinator on different aspects of standards, implementation specifications, and certification criteria.
Section a establishes that the HITAC shall advise and recommend to the National Coordinator on different aspects of standards, implementation specifications, and certification criteria, relating to the implementation of a health IT infrastructure, nationally and locally, that advances the electronic access, exchange, and use of health information. Further described in section b 1 A of the PHSA, this includes providing to the National Coordinator recommendations on a policy framework to advance interoperable health IT infrastructure, updating recommendations to the policy framework, and making new recommendations, as appropriate.
Section b 2 A identifies that in general, the HITAC shall recommend to the National Coordinator for purposes of adoption under section , standards, implementation specifications, and certification criteria and an order of priority for the development, harmonization, and recognition of such standards, specifications, and certification criteria.
Section of the PHSA identifies a process for the adoption of health IT standards, implementation specifications, and certification criteria and authorizes the Secretary to adopt such standards, implementation specifications, and certification criteria. As specified in section a 1 , the Secretary is required, in consultation with representatives of other relevant federal agencies, to jointly review standards, implementation specifications, and certification criteria endorsed by the National Coordinator under section c and subsequently Start Printed Page determine whether to propose the adoption of any grouping of such standards, implementation specifications, or certification criteria.
The Secretary is required to publish all determinations in the Federal Register. Section b 3 of the PHSA titled, Subsequent Standards Activity, provides that the Secretary shall adopt additional standards, implementation specifications, and certification criteria as necessary and consistent with the schedule published by the HITAC. We consider this provision in the broader context of the HITECH Act and Cures Act to grant the Secretary the authority and discretion to adopt standards, implementation specifications, and certification criteria that have been recommended by the HITAC and endorsed by the National Coordinator, as well as other appropriate and necessary health IT standards, implementation specifications, and certification criteria.
Specifically, section c 5 A specifies that the National Coordinator, in consultation with the Director of the National Institute of Standards and Technology NIST , shall keep or recognize a program or programs for the voluntary certification of health IT that is in compliance with applicable certification criteria adopted under this subtitle i.
The certification program s must also include, as appropriate, testing of the technology in accordance with section b of the HITECH Act. Overall, section b of the HITECH Act requires that with respect to the development of standards and implementation specifications, the Director of NIST shall support the establishment of a conformance testing infrastructure, including the development of technical test beds. The HITECH Act also indicates that the development of this conformance testing infrastructure may include a program to accredit independent, non-federal laboratories to perform testing.
Section c 5 of the PHSA was amended by the Cures Act, which instructs the National Coordinator to encourage, keep, or recognize, through existing authorities, the voluntary certification of health IT under the Program for use in medical specialties and sites of service for which no such technology is available or where more technological advancement or integration is needed. Section c 5 C iii identifies that the Secretary, in consultation with relevant stakeholders, shall make recommendations for the voluntary certification of health IT for use by pediatric health providers to support the care of children, as well as adopt certification criteria under section to support the voluntary certification of health IT for use by pediatric health providers.
The Cures Act further amended section c 5 of the PHSA by adding section c 5 D , which provides the Secretary with the authority, through notice and comment rulemaking, to require conditions and maintenance of certification requirements for the Program. The Secretary issued an interim final rule with request for comments 75 FR , Jan.
On March 10, , ONC published a proposed rule 75 FR that proposed both a temporary and permanent certification program for the purposes of testing and certifying health IT. A final rule establishing the temporary certification program was published on June 24, 75 FR and a final rule establishing the permanent certification program was published on January 7, 76 FR A correction notice was published for the Edition final rule on December 11, 80 FR to correct preamble and regulatory text errors and clarify requirements of the Common Clinical Data Set CCDS , the Edition privacy and security certification framework, and the mandatory disclosures for health IT developers.
The Edition final rule also made changes to the Program. The final rule finalized modifications and new requirements under the Program, including provisions related to ONC's role in the Program. The final rule created a regulatory framework for ONC's direct review of health IT certified under the Program, including, when necessary, requiring the correction of non-conformities found in health IT certified under the Program and suspending and terminating certifications issued to Complete EHRs and Health IT Modules.
The final rule also sets forth processes for ONC to authorize and oversee accredited testing laboratories under the Program. In addition, it includes provisions for expanded public availability of certified health IT surveillance results. Since the inception of the ONC Health IT Certification Program Program , we have aimed to implement and administer the Program in the least burdensome manner that supports our policy goals.
Throughout the years, we Start Printed Page have worked to improve the Program with a focus on ways to reduce burden, offer flexibility to both developers and providers, and support innovation. For example, in the Edition final rule 77 FR , we revised the certified electronic health record technology CEHRT definition to provide flexibility and create regulatory efficiencies by narrowing required functionality to a core set of capabilities i.
ONC has also supported more efficient testing and certification methods and reduced regulatory burden through the adoption of a gap certification policy. As explained in the Edition final rule 77 FR and the Edition final rule 80 FR , where applicable, gap certification allows for the use of a previously certified health IT product's test results to certification criteria identified as unchanged. Developers have been able to use gap certification for the more efficient certification of their health IT when updating from the Edition to the Edition and from the Edition to the Edition.
ONC introduced further means to reduce regulatory burden, increase regulatory flexibility, and promote innovation in the Edition Release 2 final rule 79 FR The Edition Release 2 final rule established a set of optional Edition certification criteria that provided flexibility and alternative certification pathways for health IT developers and providers based on their specific circumstances.
We determined that these criteria did not advance functionality or support interoperability 80 FR On January 30, , the President issued Executive Order on Reducing Regulation and Controlling Regulatory Costs, which requires agencies to identify deregulatory actions. Executive Order provides further direction on implementing regulatory reform by identifying a process by which agencies must review and evaluate existing regulations and make recommendations for repeal or simplification.
In order to implement these regulatory reform initiatives and policies, over the past year ONC reviewed and evaluated existing regulations. During our review, we sought to identify ways to further reduce administrative burden, to implement deregulatory actions through guidance, and to propose potential new deregulatory actions in this proposed rule that will reduce burden for health IT developer, providers, and other stakeholders. ONC changed 30 of the Edition test procedures to attestation only i.
- The Doctor In Your Pocket.
- The Patient Engagement Playbook.
- smart patient smart money the essential playbook for the new healthcare consumer Manual?
- Create a new account!
- Patient Engagement?
- Stories from Funeral Celebrants!
Health IT developers now have reduced preparation and testing costs for testing to these criteria. ONC-ATLs also benefit by having more time and resources to focus on tool-based Start Printed Page testing for interoperability-oriented criteria and being responsive to any retesting requirements that may arise from ONC-ACB surveillance activities.
Furthermore, providers and users of certified health IT do not lose confidence in the Program because this burden reduction effort in no way alters the expectations of conformance and responsibilities of Program participants. Health IT developers are still required to meet certification criteria requirements and maintain their products' conformance to the full scope of the associated criteria, including when implemented in the field and in production use. We propose six deregulatory actions below.
We welcome comments on these potential deregulatory actions and any other potential deregulatory actions we should consider. We also refer readers to section XIV Regulatory Impact Analysis of this proposed rule for a discussion of the estimated cost savings from these proposed deregulatory actions. ONC-ACBs are required to conduct surveillance of certified health IT under the Program to ensure that health IT continues to conform and function as required by the full scope of the certification requirements.
Shifting Landscape: This Time is Different
Stakeholders have expressed concern that the benefits of in-the-field, randomized surveillance may not outweigh the time commitment required by providers, particularly if no non-conformities are found. In general, providers have expressed that reactive surveillance e. The removal of randomized surveillance requirements would also give ONC-ACBs the flexibility and time to focus on other priorities, such as the certification of health IT to the Edition.
Therefore, as discussed above, we propose to eliminate certain regulatory randomized surveillance requirements. The Edition was the result of rulemaking completed in and includes standards and functionality that are now significantly outmoded. Removal of the Edition would make the Edition the baseline for health IT certification. The Edition, including the additional certification criteria, standards, and requirements proposed in this proposed rule, better enables interoperability and the access, exchange, and use of electronic health information.
Equally important, adoption and implementation of the Edition by providers would lead to the estimated costs savings in this proposed rule through improved interoperability supporting the access, exchange, and use of electronic health information. Removal of the Edition would eliminate inconsistencies and costs caused by health IT certification and implementation of two different editions with different functionalities and versions of standards.
Patient care could improve through the reduced risk of error that comes with the health care system's consistent implementation and use of health IT certified to the Edition. Innovation could also improve with health IT developers including third-party software developers developing to only one set of newer standards and implementation specifications, which would be more predictable and less costly.
Removal of the Edition would also reduce regulatory burden by no longer requiring the maintenance and support of the Edition. Maintaining compliance with only the Edition would reduce the cost and burden for health IT developers, ONC-ACBs, and ONC-ATLs because they would no longer have to support two increasingly distinct sets of requirements as is the case now with certification to both the and Editions. Accordingly, our proposal to remove the outdated Edition for the reasons discussed above would also streamline Program compliance requirements and ensure there is no regulatory confusion between ONC's rules and other HHS rules.
However, as discussed later in section IV. The new standard would be applicable to certain Edition certification criteria that currently reference the CCDS, subject to any of these criteria being removed through this rulemaking.
- Keynote Speakers From Our Previous Event!
- Back to the Banat?
- The doctor in your pocket?
Adopted standards that are also referenced in the Edition would remain. In order to avoid regulatory conflicts, we are taking into consideration the final rule released by CMS on November 2, , which makes payment and policy changes to the second year of the Quality Payment Program QPP. Therefore, we propose that the effective date of removal of the Edition certification criteria and related standards, terms, and requirements from the CFR would be the effective date of a subsequent final rule for this proposed rule, which we expect will be issued in the latter half of We note that we will continue to support Medicare and Medicaid program attestations by maintaining an archive on the CHPL allowing the public to access historic information on a product certified to the Edition.