
At HIMSS16, Former ONC Policy Director Jodi Daniel Dishes on New EHR Certification Process, Healthcare Security

March 3, 2016
by Rajiv Leventhal
Earlier this week at HIMSS16 in Las Vegas, the U.S. Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) proposed a new rule that would aim to further enhance the safety, reliability, transparency, and accountability of certified health IT for users. The “ONC Health IT Certification Program: Enhanced Oversight and Accountability” proposed rulemaking would change the ONC Health IT Certification Program to reflect the widespread adoption of certified electronic health records (EHRs) and the rapid pace of innovation in the health IT market, according to an HHS press release. 
The proposed rule would focus on three areas: direct review, enabling ONC to directly review certified health IT products, including certified EHR systems, and take necessary action to address circumstances such as potential risks to public health and safety; enhanced oversight, increasing ONC oversight of health IT testing bodies; and greater transparency and accountability, making identifiable surveillance results of certified health IT publicly available. The idea, according to Karen DeSalvo, M.D., National Coordinator at Health IT, who spoke about it at HIMSS16, is to create a feedback loop for the EHR development process that hasn't existed before. The comment period for the proposed rule ends on May 2. 
At HIMSS16 in Las Vegas, Jodi Daniel, former director of the Office of Policy within ONC, now with Crowell & Moring LLP as a partner in the Washington, D.C.-based firm’s healthcare group, discussed the proposed EHR certification rule with HCI Managing Editor Rajiv Leventhal, as well as other hot-button health IT topics. Below are excerpts of that interview. 
What are your initial takeaways about the new certified EHR technology proposed rule? What impact do you see it having?
I think it's a response to ONC's role to help address public health and safety. There was the FDASIA [Food and Drug Administration Safety and Innovation Act] framework that came out [in 2014]—the one that ONC did with FDA in which FDA said they won't look at health management and health IT software, and that if it's an ONC certified product, they will leave it to ONC [to review]. My take is that this is ONC's attempt to try to address that safety issue. They do say in the rule that they expect to use the oversight authority infrequently, and I think that's more about the safety concerns than the general user complaints.  
Regarding the greater transparency and accountability aspect of this rule, what kind of information will developers and the government have to disclose to consumers that they don't already? 
I think that a general theme of the rule is that it lacks specificity. There are some questions in the transparency section as well as in the direct review section, where more specificity is needed to understand in what kinds of situations they will be using the authority, what kinds of data they would be asking for, and to really think through the impact of what is being proposed. I would expect that commenters will provide some input and ONC will flesh that out more. 
Some have said that the ONC EHR certification process, in its current form, hampers innovation. How would you respond to that assertion? 
I think it is fair to say that resources need to be spent to meet the certification requirements that may otherwise have been able to be spent elsewhere. That is a fair comment that vendors have made. That said, there is a lot of room for innovation beyond the certification requirements. Yes, it does take some resources, and I know vendors have spent time to comply with those requirements, but there is plenty of room to innovate beyond what is being required by the government. 
Moving to other areas, can you use your HIPAA privacy and security expertise to shed some light on how far the industry has come in these areas?
The industry has evolved, but there needs to be more. There are going to be security risks and breaches no matter what anyone does, and it's really a game of trying to continually improve security protections and mitigating risks. So yes, there has been progress in protections and securing data, and yes, you will continue to see improvement. As the folks who try to breach information get more sophisticated, so will the technology. It is a continual process, and I do think the efforts spent on security by the developers and by the users will have to step up because there is so much concern. 
Do you think the recent HIPAA guidance we have seen from HHS' OCR [Office for Civil Rights] will have an impact? 
I helped write the original HHS requirements for the HIPAA rule back in 2000, and it was pretty groundbreaking back then.