Professional Documents
Culture Documents
Healthcare IT
540 W. Northwest Highway
Barrington, IL 60010
Overall Comments
GE Healthcare has a mixed response to the three major proposals in this proposed rule,
generally positive on Oversight of ONC-Authorized Testing Laboratories and Transparency
and Availability of Surveillance Results and with significant concerns regarding ONC Direct
Review of Certified Health IT. Overall, we support the EHR Incentive Program and the
associated HIT certification program and believe that any further changes to both of these
programs should further public health and safety, simplification, innovation, and reduction of
regulatory burden for providers and developers,
1. Oversight of ONC-Authorized Testing Laboratories
The proposed rule includes provisions that would enable ONC to conduct direct oversight of
National Voluntary Laboratory Accreditation Program-accredited testing laboratories (labs). It
proposes that such labs apply to become ONC-Authorized Testing Labs (ONC-ATLs). ONC also
proposes to establish processes to authorize, retain, suspend, and revoke ONC-ATL status.
The proposed approach would create authorization and oversight for testing labs intended to
be similar and comparable to the approach used for ONC-Authorized Certification Bodies
(ONC-ACBs).
Comment: Overall, this proposal is reasonable and potentially beneficial. It will be important,
however, for ONC to minimize additional cost burdens on ATLs, which could reduce efficiency,
lengthen review time, lower ATL program participation, and increase certification costs for
developers and, by extension, providers. ONC should also ensure that this process is consistent
with the applicable ISO standards applied to the ATLs and we support the proposed continued
role of the National Voluntary Laboratory Accreditation Program (NVLAP) in accrediting ATLs.
2. Transparency and Availability of Surveillance Results
The proposal would require ONC-ACBs to make identifiable surveillance results publicly
available on their websites quarterly, beyond information on non-conformities and corrective
action plans (CAPs) that must be disclosed today. ONC states that this provision is intended to
enhance transparency and accountability of HIT for customers and users by providing
valuable information about the continued performance of certified health IT and that public
availability of identifiable results would provide a more complete context of surveillance by
making more information about certified products available to purchasers and enabling
health IT developers to note their continued compliance with Program requirements.
ONC frames this proposal as enabling provision of what it projects to be the mostly positive
results of surveillance to be made available. It states that surveillance results would include
information such as, but not limited to: names of HIT developers; names of products and
versions; certification criteria and Program requirements surveilled; and outcomes of
surveillance. ONC also emphasizes that it does not propose to require that publicly posted
surveillance results include proprietary, trade secret, or confidential information (e.g.,
screenshots that may include such information).
Comment: Overall, availability of more balanced surveillance results could provide a more
complete picture of certified EHRs and other HIT. Given the likely positive outcomes of these
additional surveillance results, ONC and the ONC-ACBs should provide summary results, using
both the general approach to information to be released on CAPs and the definition of results
used in the 2015 ONC Certification Final Rule.
ONC should use a definition of results that is a ceiling rather than a floor to ensure program
consistency, that does not include interim work product or information obtained in the course
of surveillance (i.e., disclosure should truly focused on results), and that as proposed, does not
include proprietary or business sensitive information. Results should emphasize certified
capabilities evaluated and not indicate why surveillance took place (e.g., provider expressed
concern) as such information could provide a misleading and incomplete picture to consumers
of the information. Finally, ONC and the ACB should clearly indicate that surveillance of specific
certified HIT should not imply a problem or potential problem with the HIT.
Directly review certified health IT, independent of and in addition to an ONC-ACBs role;
Enable ONC to assess non-conformities, including those that pose a risk to public health
and safety (but including other HITECH HIT priority areas that the certification program is
intended to support), which may be caused by the interaction of certified and uncertified
capabilities within certified health IT;
Prescribe comprehensive corrective actions for developers to address nonconformities,
including notifying affected customers;
Comment: This proposal is very far-reaching in its implications and claimed authority. Although
ONC asserts that this authority would be invoked only infrequently, there is no guarantee of
such a limited approach, especially as ONC leadership changes in coming years. We have
several concerns summarized below and expanded upon in our more detailed comments. We
also suggest that ONC engage directly with such industry leaders as HIMSS and the EHR
Association to identify ways in which the certification program can better serve program goals,
including enhanced public health and safety.
First, ONC has not made the case sufficiently for direct review as proposed, focusing largely on
hypotheticals rather than documented problems that would be best remedied by direct review
using the expanded set of de facto criteria that are proposed, and we therefore oppose the
provisions for direct review, especially as they depart from evaluation against the certification
criteria established by regulation and associated test methods. Moreover, based on our
understanding of the current or likely ONC structure and budget and details in this proposal,
we do not believe that ONC has in place or has proposed a sufficient organizational and
regulatory capacity or framework for direct review.
Second, ONC appears to be substantially overstating the authority and responsibility
established in Section 3001(b) of the PHSA as it relates to this certification proposal. This
section sets out the high-level goals to be pursued by ONC, described as development of a
nationwide health information technology infrastructure that allows for the electronic use and
exchange of information and has 11 more specific goals, many of which are called out in this
proposed rule. To accomplish these goals, ONC is to carry out eight broad duties set out in
Section 3001(c), only one of which is Certification, and that also include Standard, Website,
and Reports and Publications. Clearly, this is a set of duties that, in aggregate, is intended to
further the statutory goals.
It seems inconceivable that Congress intended that each of the duties individually was to be
implemented to cover the full range of the Section 3001(b) goals. With respect to Certification,
HITECH was explicit, focusing on a program or programs for the voluntary certification of
health information technology as being in compliance with applicable certification criteria
adopted under this subtitle. Congress was also clear on the nature of the certification criteria
to be used in the certification program, stating that the term certification criteria means, with
respect to standards and implementation specifications for health information technology,
criteria to establish that the technology meets such standards and implementation
specifications. HITECH also set out the roles of the HIT Standards and Policy Committees in
developing certification criteria and the process for adoption of certification criteria by the
Secretary through rule-making. It is clear that Congress intended the process by which such
criteria are developed and implemented to support, along with other ONC duties, the broad
goals set for ONC in HITECH.
Through three regulatory cycles, ONC has developed certification criteria, the heart of the
certification program and its statutory construct. In this proposed rule, ONC, over seven years
after passage of HITECH, and after these three cycles, discovers new authority and proposes a
substantially new certification program unmoored from certification criteria developed per
statute and regulation, and one that looks back to the super-set of HITECH goals for the entire
Commenters and stakeholders must rely on the current ONCs stated desire for
limited use of this authority when there is no guarantee that limited application
would be the approach taken in later years and Administrations;
ONC sets out a very high-level and generally worded framework on which to base
essentially ad hoc certification criteria that were never communicated to health IT
developers or ONC-ACBs and for which there is no objective basis to assess
compliance nor even any clear duty for compliance;
ONC seeks a broad expansion of its authority to non-certified health IT and also to
apply pressure on firms that develop health IT relative to all of their certified
products to ensure compliance with issues with a portion of any single product,
which could hinder innovation sought by providers; and
ONC also has no current structure or experience in place to implement this vast
expansion of authority and proposes only a very limited appeal process.
Overall, if ONC wishes to add direct review to the certification program, it should do so only
after adoption of formal certification criteria developed per the applicable statute, with all
evaluations data-driven and evidence-based.
If ONC chooses to proceed in the general direction proposed, we believe that it should very
rarely need to intervene due to ONC-ACB limitations, should refine the applicable language
dealing with such limitations and should focus only on the most exigent (defined as
requiring immediate attention: needing to be dealt with immediately) safety-related
issues and not all of the strategic goals set out for ONC in HITECH. ONC should also only
focus on conformance, including safe conformance, to certified capabilities and not to an
ad hoc and implied set of new criteria as is proposed. In addition, ONC should establish
clear requirements for what information must be presented as part of an external
allegation of non-conformance, who would be eligible to make such reports, and also to
emphasize that the first recourse should always be an attempt to work directly with the
developer to remedy the issue at hand.
We also have concerns, per our detailed comments, with review, suspension, termination,
and appeals processes. Our comments include specific requested changes, focusing on:
o The overly broad and subjective scope for ONC review as discussed above;
o Inclusion of non-certified capabilities (e.g., billing capabilities or FDA-regulated
software) in review, suspension, termination and records request processes;
o Lack of clear certification criteria on which to base a suspension or termination;
o
o
o
o
o
o
o
o
***
We appreciate ONCs desire to enhance the certification program and to protect the public
health and safety. We urge ONC to give very careful consideration to these comments and to
those of our industry partners, such as the Electronic Health Records Association, HIMSS, and
AMIA. GE Healthcare appreciates the opportunity to submit comments on these important
issues. If you have questions on our comments, please do not hesitate to contact me.
Sincerely,
First, ONC has not made the case sufficiently for direct review as proposed, focusing largely on
hypotheticals rather than documented problems that would be best remedied by direct review
using the expanded set of de facto criteria that are proposed, and we therefore oppose the
provisions for direct review, especially as they depart from evaluation against the certification
criteria established by regulation and associated test methods. Moreover, based on our
understanding of the current or likely ONC structure and budget and details in this proposal, we do
not believe that ONC has in place or has proposed a sufficient organizational and regulatory capacity
or framework for direct review.
Second, ONC appears to be substantially overstating the authority and responsibility established in
Section 3001(b) of the PHSA as it relates to this certification proposal. This section sets out the highlevel goals to be pursued by ONC, described as development of a nationwide health information
technology infrastructure that allows for the electronic use and exchange of information and has
11 more specific goals, many of which are called out in this proposed rule. To accomplish these
goals, ONC is to carry out eight broad duties set out in Section 3001(c), only one of which is
Certification, and that also include Standard, Website, and Reports and Publications. Clearly, this is a
set of duties that, in aggregate, is intended to further the statutory goals and to be designed in a
way to do so.
It seems inconceivable that Congress intended that each of the duties individually was to be
implemented to cover to full range of the Section 3001(b) goals. With respect to Certification,
HITECH was explicit, focusing on a program or programs for the voluntary certification of health
information technology as being in compliance with applicable certification criteria adopted under
this subtitle. Congress was also clear on the nature of the certification criteria to be used in the
certification program, stating that the term certification criteria means, with respect to standards
and implementation specifications for health information technology, criteria to establish that the
technology meets such standards and implementation specifications. HITECH also set out the roles
of the HIT Standards and Policy Committees in developing certification criteria and the process for
adoption of certification criteria by the Secretary through rule-making. It is clear that Congress
intended the process by which such criteria are developed and implemented to support, along with
other ONC duties, the broad goals set for ONC in HITECH.
Through three regulatory cycles, ONC has developed certification criteria, which are the heart of the
certification program and its statutory construct. In the current proposed rule, ONC, over seven
years after the passage of HITECH, and after these three cycles, discovers new authority and
proposes a substantially new certification program unmoored from certification criteria developed
per statute and regulation, and one that looks back to the super-set of goals for the entire mission
of ONC to create certification concepts that can be applied at ONCs sole discretion.
Commenters and stakeholders must rely on the current ONCs stated desire for limited use
of this authority when there is no guarantee that limited application would be the approach
taken in later years and Administrations.
ONC sets out a very high-level and generally worded framework on which to base essentially
ad hoc certification criteria that were never communicated to health IT developers or ONCACBs and for which there is no objective basis to assess compliance nor even any clear duty
for compliance.
ONC seeks a broad expansion of its authority to non-certified health IT and also to pressure
on firms that develop health IT relative to all of their certified products to ensure compliance
with issues with a portion of any single product.
ONC also has no current structure or experience in place to implement this vast expansion of
authority and proposes only a very limited appeal process.
Overall, if ONC wishes to add direct review to the certification program, it should only do so after
development of formal certification criteria developed per the applicable statute and all evaluations
should be data driven and evidence-based.
If ONC chooses to proceed in the general direction proposed, we believe that it should very rarely
need to intervene due to ONC-ACB limitations, and should refine the applicable language dealing
with such limitations and should focus only on the most exigent (defined as requiring immediate
attention: needing to be dealt with immediately) safety-related issues and not all of the strategic
goals set out for ONC in HITECH. ONC should also only focus on conformance, including safe
conformance, to certified capabilities and not to an ad hoc and implied set of new criteria as is
proposed.
We also have concerns, laid out in our detailed comments below, regarding the specifics of the
review, suspension, termination, and appeals processes. Our comments include specific requested
changes. Our issues include:
o The overly broad and subjective scope for ONC review as discussed above
o Inclusion of non-certified capabilities in review, suspension, termination and records request
processes
o Lack of clear certification criteria on which to base a suspension or termination
o A developers other certified products would be unable to be further certified after
termination for one certified product (and possibly suspension)
o
o
o
o
o
o
ONC being overly prescriptive in dictating needed corrective actions and corrective action
plans, in contrast to the approach taken in the 2015 Certification Final Rule
Insufficient time for vendor response to ONC inquiries and to submit an appeal
Excessive, overly broad and likely very costly Records Access requirements
Overly restrictive appeals processes and lack of clear expertise and independence for
hearing officers unlike the proposal, developers should always be able to request a
hearing and information developed as a result of the hearing should be able to be
considered by the hearing officer
The inability of an appeal to stay the ONC marketing cease and desist order
The need to allow for extension of suspension rather than termination if the vendor has not
met all ONC requirements but has expressed a willingness to try to do so
The proposal for Records Access is very far-reaching and appears to go well beyond what is required for
ONC-ACB surveillance. It is especially troublesome given the proposed broad scope of the basis for
direct review. The proposed language should be much more narrowly focused on records that directly
bear on the specific certified capabilities affected by the non-conformance and only materials relevant
to the issue at hand. The most important records at this point would be the proof of conformance
provided to the ONC-ACB or a corrective action plan to address the non-conformance. Finally, it will be
essential to have a clear standard and definition of cooperate and we also ask for clarification
regarding the term encompassed how does it may relate inclusion of non-certified HIT.
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Proposed Amendments to Include ONC-ATLs in the Program - Principles of Proper Conduct for ONCATLs ( 170.524)
An ONC-ATL shall:
(a) Maintain its NVLAP accreditation to ISO 17025;
(b) Attend all mandatory ONC training and program update sessions;
(c) Maintain a training program that includes documented procedures and training requirements to ensure its
personnel are competent to test health IT;
(d) Report to ONC within 15 days any changes that materially affect its:
(1) Legal, commercial, organizational, or ownership status;
(2) Organization and management including key testing personnel;
(3) Policies or procedures;
(4) Location;
(5) Personnel, facilities, working environment or other resources;
(6) ONC authorized representative (point of contact); or
(7) Other such matters that may otherwise materially affect its ability to test health IT.
(e) Allow ONC, or its authorized agent(s), to periodically observe on site (unannounced or scheduled), during
normal business hours, any testing performed pursuant to the ONC Health IT Certification Program;
(f) Records retention. (1) Retain all records related to the testing of Complete EHRs and/or Health IT Modules to an
edition of certification criteria for a minimum of 3 years from the effective date that removes the applicable
edition from the Code of Federal Regulations; and
(2) Make the records available to HHS upon request during the retention period described in paragraph (f)(1) of
this section;
(g) Only test health IT using test tools and test procedures approved by the National Coordinator; and
(h) Promptly refund any and all fees received for:
(1) Requests for testing that are withdrawn while its operations are suspended by the National Coordinator;
(2) Testing that will not be completed as a result of its conduct; and
(3) Previous testing that it performed if its conduct necessitates the retesting of Complete EHRs and/or Health IT
Modules.
Preamble FR Citation: 81 FR 11069
24
25
Proposed Amendments to Include ONC-ATLs in the Program - ONC-ACB and ONC-ATL Status (
170.540)
(a) Acknowledgement and publication. The National Coordinator will acknowledge and make publicly available the
names of ONC-ACBs and ONC-ATLs, including the date each was authorized and the type(s) of certification or scope
of testing, respectively, each has been authorized to perform.
(b) Representation. Each ONC-ACB or ONC-ATL must prominently and unambiguously identify the scope of its
authorization on its web site and in all marketing and communications statements (written and oral) pertaining to
its activities under the ONC Health IT Certification Program.
(c) Renewal. An ONC-ACB or ONC-ATL is required to renew its status every three years. An ONC-ACB or ONC-ATL is
required to submit a renewal request, containing any updates to the information requested in 170.520, to the
National Coordinator 60 days prior to the expiration of its status.
(d) Expiration. An ONC-ACB's or ONC-ATLs status will expire three years from the date it was granted by the
National Coordinator unless it is renewed in accordance with paragraph (c) of this section.
Preamble FR Citation: 81 FR 11069
Proposed Amendments to Include ONC-ATLs in the Program - Good Standing as an ONC-ACB or ONCATL ( 170.560)
(a) ONC-ACB good standing. An ONC-ACB must maintain good standing by:
(1) Adhering to the Principles of Proper Conduct for ONC-ACBs;
(2) Refraining from engaging in other types of inappropriate behavior, including an ONC-ACB misrepresenting the
scope of its authorization, as well as an ONC-ACB certifying Complete EHRs and/or Health IT Module(s) for which it
does not have authorization; and
(3) Following all other applicable federal and state laws.
(b) ONC-ATL good standing. An ONC-ATL must maintain good standing by:
(1) Adhering to the Principles of Proper Conduct for ONC-ATLs;
(2) Refraining from engaging in other types of inappropriate behavior, including an ONC-ATL misrepresenting the
scope of its authorization, as well as an ONC-ATL testing health IT for which it does not have authorization; and
(3) Following all other applicable federal and state laws.
26
Proposed Amendments to Include ONC-ATLs in the Program - Good Standing as an ONC-ACB or ONCATL ( 170.560)
Preamble FR Citation: 81 FR 11069 - 70
27
28
29