The Office of the National Coordinator for Health Information Technology (ONC) has released a final rule (Final Rule) introducing a new regulatory framework for certified health information technology (Health IT). The use of certified Health IT—specifically, electronic health record (EHR) modules—has played a central role in the EHR Incentive Programs and is intimately linked to the accrual of points in MACRA’s Merit-based Incentive Payment System. A major component of the Final Rule allows for ONC’s direct review of products certified by ONC’s Health IT Certification Program (Program) and identifies the roles of both developers and the ONC in addressing Program-compliance issues.[1] The Final Rule impacts developers of certified Health IT (Health IT Developers), providers that utilize and rely on such certified Health IT, and ancillary developers and service providers whose businesses are linked to EHR technology.

Conditions to ONC Oversight and Reviews

Under the Final Rule, ONC may initiate a direct review of a Health IT Developer under two circumstances: (i) the presence of “unsafe conditions” and (ii) situations where ONC has a reasonable belief that certified Health IT does not conform to Program requirements and the suspected non-conformity cannot be effectively addressed by an ONC-Authorized Certification Body.[2] As a clarification of the term “unsafe conditions,” the Final Rule provides that ONC may initiate direct review if it has a reasonable belief that certified Health IT may not conform to requirements of the Program and “may be causing or contributing to conditions that present a serious risk to public health or safety.” In addition to the foregoing, the Final Rule includes a targeted set of factors to guide whether ONC’s direct review is warranted, including the potential nature, severity and extent of the suspected conditions, the need for an immediate or coordinated governmental response, and the existence of information that calls into question the validity of a product’s certification.

In comparison to the proposed rule (Proposed Rule) that preceded the Final Rule, the Final Rule establishes a narrower extension of ONC’s oversight. Had the Proposed Rule’s language survived the rulemaking process, ONC would have had more latitude when deciding whether to initiate a direct review upon reasonable belief of non-compliance with the Program’s requirements. In its response to the public comments to the Proposed Rule, ONC concedes that other agencies are better positioned to oversee and enforce some issues, such as the security and protection of patient health information and the effects of non-conforming Health IT on health care costs.

Notwithstanding the Final Rule’s narrower language regarding ONC’s decision-making authority to initiate a direct review, the scope of ONC’s authority under the Program is still perceived by some critics to be too broad; the critics generally argue any expansion of ONC’s oversight (no matter how narrow) will disrupt development and frustrate innovation in the Health IT field.

Infrequent ONC Review? Maybe Yes, Maybe No

Throughout ONC’s responses to the public comments, the agency reiterates its belief that the initiation of a review by ONC will be an infrequent occurrence. Notwithstanding ONC’s belief as to the infrequency of ONC reviews, it is important for a developer to understand the multiple phases of the review process in the “infrequent” event that it becomes the “infrequent” target of an “infrequent” ONC review.

If ONC elects to initiate a review, ONC will first issue a notice of non-conformity or a notice of potential non-conformity to the target Health IT Developer. Upon receiving such notice, the Health IT Developer must respond to ONC, generally within 30 days of its receipt of the notice. Such response must include a responsive writing addressing the issues set forth in the notice, documents supporting the Health IT Developer’s response and, if the ONC notice relates to an actual (as opposed to a potential) non-conforming situation, a proposed Corrective Action Plan (CAP). In addition to the foregoing, the Health IT Developer must allow ONC investigators access to the Health IT at issue.

In the event that the target Health IT Developer fails to timely submit an acceptable CAP, ONC has the authority to suspend or terminate certification. Pursuant to the Final Rule, an affected Health IT Developer may appeal an ONC order for suspension or termination.

Interoperability – the Likely Focus of ONC Review

ONC writings and statements seem to indicate that a major focus of any “infrequent” ONC review action will likely be Health IT Developer compliance with the applicable CMS clinical Health IT interoperability standards.

CMS and other industry players have concluded that the inability of Health IT products and systems to interact and communicate with each other—i.e., to reliably transfer, receive, find, and use data—can pose significant risks to patient health and safety. Moreover, the ongoing development of quality-based/pay-for-performance reimbursement systems—most of which rely upon the exchange of healthcare information and shared decision-making across stakeholders—has put interoperability at the top of ONC’s list of oversight priorities. For example, ONC has voiced concerns about those situations when ONC-certified capabilities interact with uncertified capabilities. This may arise, for example, from a developer building additional, uncertified capabilities into a certified product or from the configuration of certified products with uncertified products. While uncertified capabilities are not themselves a target of direct review and identification, if ONC is conducting a review of certified Health IT which happens to be integrated into or with uncertified elements, the Health IT Developer at issue will likely find itself as the recipient of a notice of non-conformance. Since Health IT usually grows organically—add-ins and features are often added well beyond the initial installation of a Health IT system—we may find in the future that ONC reviews become more frequent than envisioned by ONC.

As described above, the Final Rule and ONC’s oversight authority will likely have an impact that goes well beyond the Health IT Developers who may be subject to an “infrequent” review. Users of certified Health IT (i.e., healthcare providers and suppliers) may be left with technology that is of questionable utility as the related Health IT Developer undergoes ONC review and the Health IT potentially loses certification. Direct review—or even the threat thereof—may also provide openings for purveyors of interoperability technology that may be able to work with certified Health IT Developers and help them satisfy ONC requirements.



[1] The Final Rule also sets forth processes for ONC to conduct direct oversight of testing labs under the Program and includes provisions for expanded public availability of certified Health IT surveillance results.

[2] ONC-Authorized Certification Bodies (ONC-ACBs) have the delegated authority to issue certifications for Health IT on behalf of the ONC. ONC-ACBs are also responsible for conducting ongoing surveillance to assess whether certified Health IT continues to conform to Program requirements.


*Rachel Landauer is a law clerk in Sheppard Mullin’s Century City office.