
ONC Final Rule Key to Evolution of Health IT Infrastructure

ONC's final rule requires the federal agency to conduct oversight to ensure certified health IT vendors are upholding their certification criteria post implementation.

By Elizabeth O'Dowd

The Office of the National Coordinator for Health Information Technology (ONC) recently issued the final rule updating the Health IT Certification Program to include Enhanced Oversight and Accountability, which provides oversight and developer accountability for certified health information technology.


The Health IT Certification Program’s goal is to protect patient information and to ensure that electronic health information is stored and shared correctly and that vendors are meeting all certification requirements, by giving ONC the ability to directly review and oversee health IT. ONC’s new regulations are effective December 19, 2016.

President and CEO of DirectTrust, David C. Kibbe, MD MBA, stated that he is in favor of the new final rule as it maintains an oversight function he deems valuable.

“The key idea is that we want a national program of health IT in which all of the participants stay up-to-date with such things as security standards, new vocabularies for clinical diagnoses and treatments, and new features and function sets that promote safe use,” said Dr. Kibbe. “We want all of the certified EHR vendors’ products to stay in step with the natural evolution that is occurring in the national health IT infrastructure, not just some of them.”

The final rule declares ONC’s accordance with the Public Health Service Act (PHSA) Title XXX Health Information Technology and Quality to improve healthcare quality, safety, and efficiency through the promotion of health IT and electronic health information exchange.

The final rule outlines ONC’s regulatory framework to ensure that health information technology is up to the standard for electronic use and exchange of protected health information. ONC is responsible for reviewing certified health IT to determine if the technology conforms with the outlined standards including:

  • Ensuring that each patient's health information is secure and protected, in accordance with applicable law.
  • Improving healthcare quality, reducing medical errors, reducing health disparities, and advancing the delivery of patient-centered medical care.
  • Reducing healthcare costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information.
  • Providing appropriate information to help guide medical decisions at the time and place of care.
  • Ensuring the inclusion of meaningful public input in development of health IT infrastructure.
  • Improving the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of healthcare information.
  • Improving public health activities and facilitating the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks.
  • Facilitating health and clinical research and health care quality.
  • Promoting early detection, prevention, and management of chronic diseases.
  • Promoting a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services.

According to the fact sheet released by ONC, the final rule allows the federal agency to directly review certified health IT if there is a belief that the technology may present a serious risk to public health or safety.

The fact sheet explains ONC’s intent to “help health IT developers identify and address non-conformities in the health IT that providers use to support patient care. Corrective action plans will support that intent, and ONC intends to work with health IT developers to remedy any nonconformities in a timely manner and across all customers.”

“There truly needs to be continuing oversight by ONC’s certification program to protect against the very few but potentially very damaging instances in which vendor conduct turns out to be improper after initial certification, or when vendors fail to perform their responsibilities as agreed to as part of the certification process,” stated Kibbe.

Kibbe draws a parallel between yearly car inspections and the need for regulated health IT certification inspection, stating, “we’re required to get [car] inspections annually. The same notion of keeping the technology healthy, capable and safe for patients and users ought to apply to these increasingly very complicated software systems.”

The rule goes into effect Dec. 19, 2016.
