ONC Direct Review - Predictions
In March of this year, ONC released perhaps is most expansive and program-altering proposed rule since its initial certification ruling called Enhanced Oversight and Accountability. It is currently under OMB review leading to the assumption it will be out near/around October 1st. The proposed rule address three areas. Two are low impact, but it is the third, ONC Direct Review, which will be a game changer.
Proposal #1: Establishing ONC-ATLs Summary Currently testing labs must be accredited by NVLAP, but ONC does not directly approve (nor oversee) the laboratories. This is different from the certification bodies which are not only accredited by ANSI but then must be approved by ONC. Thus, they are referred to as NVLAP-accredited testing laboratories but not ONC-ATLs. ONC wants to change this and bring the testing laboratories on equal footing with the certification bodies in terms of ONC approval and oversight.
Analysis This is not a big deal in that three of the four current test lab are also ONC-ACBs and more or less are authorized by ONC. Beyond that, it is not like the test laboratories currently act contrary to ONC direction. In the Drummond Group test lab, we regularly checked in with ONC to confirm our approach on testing. It won't make a noticeable change to the current program in terms of impact on operations and day-to-day activities.
Prediction I think the proposals will carry through without significant change. However, I think there is a good chance ONC uses this opportunity to expand its scope of accepting testing results. ONC has considered in public policy hearings of accepting testing results from other entities outside the NVLAP-accredited testing laboratories. The most common example is Surescripts although there are others as well. The idea is that why must you go through ONC testing on a feature, which is often conducted in a general manner, a 2nd time when you have already tested the feature very thoroughly by a schema owner who is dedicated to that feature (like Surescripts with e-Prescribing).
ONC has already taken a baby step in this manner in its 2015 Edition HISP/Direct protocol testing (315.h.1/h.2) by accepting documentation proof (i.e., it not actually tested by the ATL) that the HISP-under test successfully interoperated with other three other entities. If ONC did adopt this, it would not necessarily circumvent the ONC-ATLs, but it may mean the ONC-ATLs can accept test results from these other entities in lieu of actually retesting them again with the standard ONC test procedure. It is only a hunch, but it would make some sense to use this ruling to elaborate more on how other entities can submit test results for ONC-ATLs to make their evaluation.
Proposal #2: Surveillance Transparency Summary ONC proposed that ONC-ACBs are to release the results of their surveillance activities on a quarterly basis and post the results, both successful surveillance efforts (i.e., show the EHR was in conformance to the criteria) as well as those involving non-compliances, publicly on their website.
Analysis In the 2015 Edition Final Rule, ONC significantly increased its focus on ONC-ACB surveillance activities. They introduced randomized surveillance as well the public reporting of non-compliances on certified products, which is a form of surveillance reporting. They also required ONC-ACBs to report on a quarterly basis to the ONC the status of any surveillance activities, although they stopped short of requiring this information from being published publicly by the ONC-ACB. Of course, the Freedom of Information Act would allow most anyone the opportunity to obtain this same information. In that regard, this is just a means to simplify the process, and it continues in the direction of renewed emphasis on transparency.
Prediction Some proposed rules are efforts by the government to suggest forward-thinking policy, but they are very interested in public comment and open to pulling back parts of their proposal based on feedback. Other proposed rules are basically polite ways of saying “we are going to do this but we have to first make it an NPRM”. The surveillance transparency is definitely in the latter group. ONC will require this as it is a very natural extension of what they currently require of the ONC-ACBs.
Proposal #3: ONC Direct Review Summary ONC proposed to conduct independent and direct (i.e., not through the ONC-ACB) review of certified health IT systems. While the proposal still allows for ONC-ACB surveillance, it does state that ONC’s determination supersedes that of the ONC-ACB. ONC also shows it scope of investigation to go beyond just certified criteria but also into the area of “public health or safety”. Much of the rule goes into the rationale behind this as well as details of how the direct review will work in practice, such as notice of non-conformity and steps for suspension and termination.
Analysis This is really what this NPRM is all about, and it is major change from the previous direction of the ONC. Previously, ONC established the playing field, but they did not play in it in terms of testing or certification. Now, they are stepping into the playground to carry out aspects of their program, specifically surveillance. And to be clear, what they mean by surveillance is another way of saying they want to make sure EHRs are working in hospitals and provider offices as ONC envisioned them working.
Coming previously from the side of an ONC-ACB, I consider ONC having a good relationship with its ACBs, and I believe by and large ONC is supportive of how the ONC-ACBs are doing their work, even with surveillance. That said, I believe they began to believe that ACBs were limited in the level of work they could extend on surveillance, in terms of man-power but also authority. Some of the issues ONC was observing, like with data blocking, were not really clear violations of specific certification criteria. As a result, the ONC-ACB could not really stop these actions since the EHRs in question were not violating their certification scope, at least by the letter of the rule. I believe ONC came to the conclusion that they had to play a more active role to get some of these major obstacles cleared. That is what produced this rule.
Prediction I really believe ONC will do most everything they are proposing here, and they will take an active role in this arena of surveillance. I believe they will go into more specifics about cases that they would be investigating and also areas they won’t investigate or at least are not as focused on. Their current proposal left it very open.
I believe they will make some changes or at least clarifications of how they will work with ONC-ACBs as they proposed to treat them as separate channels of surveillance which is not realistic or wise. I think they will go to extra lengths to reassure EHR developers that they will be very fair and are not “out to get them” so to speak. I do think they will give some more time for responses and appeals from developers as their proposed times were a little short, especially given the significance of some of the issues they will be investigating.
But I think are going to conduct direct review very much like they have proposed, and I expect you will see ONC open up multiple surveillance efforts on some developers as soon as the rule becomes effective.
BTW, I want to make clear that the last point is TOTAL speculation on my part. From my time with Drummond I don’t know of any specific vendor they have identified for this direct surveillance review. The previous arrangement was leaving surveillance solely to the ONC-ACB, and they never asked us to investigate an EHR system for them. Still, you don’t make a rule like this without some situations in mind, and I expect they will begin executing their plans as soon as they can.
Conclusion Predictions are fun. They are good conversation (or argument) starters, but they also force us to consider what we really know and what we don't. And they are also humbling since you are often very, very wrong when you try to make concrete predictions. I look forward to seeing what ONC does decide to do with Direct Review. If they keep it largely as proposed, developers would justifiably need to be alert to these potential Direct Reviews. One of the services Chart Lux offers is support on surveillance activities, and we would love help developers with this challenge. Contact us to find out more.