onc 2015 hit certification final rule.pdf

8/20/2019 ONC 2015 HIT Certification Final Rule.pdf

1/159

Vol. 80 Friday,No. 200 October 16, 2015

Part II

Department of Health and Human Services

Office of the Secretary

45 CFR Part 1702015 Edition Health Information Technology (Health IT) CertificationCriteria, 2015 Edition Base Electronic Health Record (EHR) Definition, andONC Health IT Certification Program Modifications; Final Rule

VerDate Sep2014 19:11 Oct 15, 2015 Jkt 238001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\16OCR2.SGM 16OCR2


2/159

62602 Federal Register / Vol. 80, No. 200 / Friday, October 16, 2015/ Rules and Regulations

DEPARTMENT OF HEALTH ANDHUMAN SERVICES

Office of the Secretary

45 CFR Part 170

RIN 0991–AB93

2015 Edition Health Information

Technology (Health IT) CertificationCriteria, 2015 Edition Base ElectronicHealth Record (EHR) Definition, andONC Health IT Certification ProgramModifications

AGENCY: Office of the NationalCoordinator for Health InformationTechnology (ONC), Department ofHealth and Human Services (HHS).

ACTION: Final rule.

SUMMARY: This final rule finalizes a newedition of certification criteria (the 2015Edition health IT certification criteria or‘‘2015 Edition’’) and a new 2015 EditionBase Electronic Health Record (EHR)definition, while also modifying theONC Health IT Certification Program tomake it open and accessible to moretypes of health IT and health IT thatsupports various care and practicesettings. The 2015 Edition establishesthe capabilities and specifies the relatedstandards and implementationspecifications that Certified ElectronicHealth Record Technology (CEHRT)would need to include to, at aminimum, support the achievement ofmeaningful use by eligible professionals(EPs), eligible hospitals, and critical

access hospitals (CAHs) under theMedicare and Medicaid EHR IncentivePrograms (EHR Incentive Programs)when such edition is required for useunder these programs.

DATES: These regulations are effective January 14, 2016, except for§ 170.523(m) and (n), which areeffective on April 1, 2016.

The incorporation by reference ofcertain publications listed in the rule isapproved by the Director of the FederalRegister as of January 14, 2016.

FOR FURTHER INFORMATION CONTACT:Michael Lipinski, Office of Policy,

Office of the National Coordinator forHealth Information Technology, 202–690–7151.

SUPPLEMENTARY INFORMATION:

Commonly Used Acronyms

API Application Programming InterfaceCAH Critical Access HospitalCDA Clinical Document ArchitectureCDC Centers for Disease Control and

PreventionCDS Clinical Decision SupportCEHRT Certified Electronic Health Record

Technology

CFR Code of Federal RegulationsCHPL Certified Health IT Product ListCLIA Clinical Laboratory Improvement

AmendmentsCMS Centers for Medicare & Medicaid

ServicesCQM Clinical Quality MeasureEHR Electronic Health RecordFDA Food and Drug AdministrationHHS Department of Health and Human

ServicesHISP Health Information Service ProvidersHIT Health Information TechnologyHITPC HIT Policy CommitteeHITSC HIT Standards CommitteeHL7 Health Level SevenIG Implementation GuideLOINC Logical Observation Identifiers

Names and CodesNIST National Institute of Standards and

TechnologyONC Office of the National Coordinator for

Health Information TechnologySDO Standards Developing OrganizationSNOMED CT Systematized Nomenclature of

Medicine Clinical Terms

Table of Contents

I. Executive SummaryA. Purpose of Regulatory ActionB. Summary of Major Provisions1. Overview of the 2015 Edition Health IT

Certification Criteria2. Health IT Definitions3. The ONC Health IT Certification

Program and Health IT ModuleC. Costs and Benefits

II. BackgroundA. Statutory Basis1. Standards, Implementation

Specifications, and Certification Criteria2. HIT Certification ProgramsB. Regulatory History1. Standards, Implementation

Specifications, and Certification CriteriaRules

2. Medicare and Medicaid EHR IncentivePrograms Rules

3. ONC Health IT Certification ProgramsRules

III. Provisions of the Proposed Rule AffectingStandards, ImplementationSpecifications, Certification Criteria, andDefinitions

A. 2015 Edition Health IT CertificationCriteria

1. Applicability2. Standards and Implementation

Specifications3. Adopted Certification Criteria4. 2015 Edition Gap Certification Eligibility

Table

5. Not Adopted Certification CriteriaB. Health IT Definitions1. Base EHR Definitions2. Certified EHR Technology Definition3. Common Clinical Data Set Definition4. Cross-Referenced FDA Definitions

IV. Provisions of the Proposed Rule Affectingthe ONC Health IT Certification Program

A. Subpart E—ONC Health IT CertificationProgram

B. Modifications to the ONC Health ITCertification Program

1. Health IT Modules2. ‘‘Removal’’ of Meaningful Use

Measurement Certification Requirements

3. Types of Care and Practice Settings4. Referencing the ONC Health IT

Certification ProgramC. Health IT Module Certification

Requirements1. Privacy and Security2. Design and Performance (§170.315(g))D. Principles of Proper Conduct for ONC–

ACBs1. ‘‘In-the-Field’’ Surveillance and

Maintenance of Certification2. Transparency and Disclosure

Requirements3. Open Data Certified Health IT Product

List (CHPL)4. Records Retention5. Complaints Reporting6. Adaptations and Updates of Certified

Health ITE. ‘‘Decertification’’ of Health IT—Request

for CommentsV. Incorporation by ReferenceVI. Collection of Information RequirementsVII. Regulatory Impact Statement

A. Statement of NeedB. Overall Impact1. Executive Orders 12866 and 13563—

Regulatory Planning and ReviewAnalysis

2. Regulatory Flexibility Act3. Executive Order 13132—Federalism4. Unfunded Mandates Reform Act of 1995

Regulation Text

I. Executive Summary

A. Purpose of Regulatory Action

Building on past rulemakings, weissued a proposed rule (‘‘ProposedRule’’) (80 FR 16804) that identifiedhow health IT certification to theproposed 2015 Edition health ITcertification criteria could support the

establishment of an interoperablenationwide health informationinfrastructure. The Proposed Rulereflected stakeholder feedback receivedthrough various outreach initiatives,including the regulatory process, andwas designed to broadly support thehealth care continuum through the useof certified health IT. This final rule,taking into account public commentsreceived on the Proposed Rule,continues to focus on the establishmentof an interoperable nationwide healthinformation infrastructure, through thesame means identified in the ProposedRule and recited below, but with anadditional focus on reducing health ITdeveloper and provider burden ascompared to the Proposed Rule. To thisend, this final rule will:

• Improve interoperability for specificpurposes by adopting new and updatedvocabulary and content standards forthe structured recording and exchangeof health information, including aCommon Clinical Data Set composedprimarily of data expressed usingadopted standards; and rigorouslytesting an identified content exchange



3/159

62603Federal Register / Vol. 80, No. 200 / Friday, October 16, 2015/ Rules and Regulations

1A Base EHR is the regulatory term we have givento what the HITECH Act defines as a ‘ ‘qualifiedEHR.’’ Our Base EHR definition(s) include allcapabilities found in the ‘‘qualified EHR.’’ Pleasesee the 2014 Edition final rule (77 FR 54262) forfurther explanation.

2A capability included in the Base EHRdefinition, which originates from the ‘‘qualifiedEHR’’ definition found in the HITECH Act.

3These are capabilities included in the Base EHRdefinition, which originate from the ‘‘qualifiedEHR’’ definition found in the HITECH Act.

standard (Consolidated ClinicalDocument Architecture (C–CDA));

• Facilitate the accessibility andexchange of data by including enhanceddata export, transitions of care, andapplication programming interface (API)capabilities in the 2015 Edition BaseElectronic Health Record (EHR)definition;

• Establish a framework that makesthe Office of the National Coordinatorfor Health Information Technology(ONC) Health IT Certification Programopen and accessible to more types ofhealth IT, health IT that supports avariety of care and practice settings,various HHS programs, and public andprivate interests;

• Support the Centers for Medicare &Medicaid Services (CMS) Medicare andMedicaid EHR Incentive Programs (EHRIncentive Programs) through theadoption of a set of certification criteriathat align with proposals for Stage 3;

• Address health disparities byproviding certification: to standards formore granular capture of race andethnicity; the collection of sexualorientation, gender identity, social,psychological, and behavioral data; forthe exchange of sensitive healthinformation (Data Segmentation forPrivacy); and for the accessibility ofhealth IT;

• Ensure all health IT presented forcertification possess the relevantprivacy and security capabilities;

• Improve patient safety by: applyingenhanced user-centered designprinciples to health IT, enhancingpatient matching, requiring health IT to

be capable of exchanging relevantpatient information (e.g., Unique DeviceIdentifiers), improving the surveillanceof certified health IT, and making moreinformation about certified productspublicly available and accessible;

• Increase the reliability andtransparency of certified health ITthrough surveillance and disclosurerequirements; and

• Provide health IT developers withmore flexibility, opportunities, and timefor development and certification ofhealth IT that supports interoperability,

usability, and innovation.

B. Summary of Major Provisions

1. Overview of the 2015 Edition HealthIT Certification Criteria

The 2015 Edition health ITcertification criteria (‘‘2015 Edition’’ or‘‘2015 Edition certification criteria’’)facilitates greater interoperability forseveral clinical health informationpurposes and enables healthinformation exchange through new andenhanced certification criteria,

standards, and implementationspecifications. It incorporates changesthat are designed to spur innovation,open new market opportunities, andprovide more choices to providers whenit comes to electronic healthinformation exchange. To achieve thesegoals, new ‘‘application access’’ (alsoknown as ‘‘API’’) certification criteria

have been adopted that will require thedemonstration of an API that respondsto data requests for any one category ofthe data referenced in the CommonClinical Data Set as well as for all of thedata referenced in the Common ClinicalData Set. We note that in response tocomments, we have separated thiscriterion into 3 criteria to provide healthIT developers and providers moreflexibility. To further validate thecontinued interoperability of certifiedhealth IT and the ability to exchangeelectronic health information withhealth IT certified to the 2014 Edition,

2015 Edition, and potentially futureeditions, a new ‘‘transitions of care’’certification criterion will rigorouslyassess a product’s ability to create andreceive an interoperable C–CDA. Wehave also adopted certification criteriathat both support interoperability andother settings and use cases, such as the‘‘Common Clinical Data Set summaryrecord,’’ ‘‘data segmentation forprivacy,’’ and ‘‘care plan’’ certificationcriteria.

We refer readers to section III.A for anoverview table (Table 2) of certificationcriteria adopted in this final rule as

compared to the certification criteriaproposed in the Proposed Rule and theadopted 2014 Edition. We also referreaders to sections III.A.3 and III.A.5 ofthis preamble for full discussions ofcertification criteria adopted as part ofthe 2015 Edition in this final rule(III.A.3) and the proposed certificationcriteria not adopted in this final rule(III.A.5).

2. Health IT Definitions

a. Base EHR Definitions

This final rule adopts a Base EHRdefinition specific to the 2015 Edition

(i.e., a 2015 Edition Base EHRdefinition) at §170.102 and renames thecurrent Base EHR definition at § 170.102as the 2014 Edition Base EHR definition.The 2015 Edition Base EHR definitiondiffers from the 2014 Edition Base EHRdefinition in the following ways:

• It does not include privacy andsecurity capabilities and certificationcriteria.

• It only includes capabilities torecord and export clinical qualitymeasure (CQM) data (§170.315(c)(1))

and not other CQM capabilities such asimport, calculate, and ‘‘report to CMS.’’

• It includes the 2015 Edition‘‘smoking status’’ certification criterionas patient demographic and clinicalhealth information data consistent withstatutory requirements.1

• It includes the 2015 Edition‘‘implantable device list’’ certification

criterion as patient demographic andclinical health information dataconsistent with statutory requirements.2

• It includes the 2015 Edition ‘‘API’’certification criteria as capabilities thatsupport both the capture and query ofinformation relevant to health carequality and exchange electronic healthinformation with, and integrate suchinformation from other sources.3

• It includes the proposed 2015Edition certification criteria thatcorrespond to the remaining 2014Edition certification criteria referencedin the ‘‘2014 Edition’’ Base EHRdefinition (i.e., CPOE, demographics,problem list, medication list,medication allergy list, CDS, transitionsof care, data portability, and relevanttransport certification criteria). For thetransport certification criteria, weinclude the ‘‘Direct Project’’ criterion(§ 170.315(h)(1)) as well as the ‘‘DirectProject, Edge Protocol and XDR/XDM’’criterion (§170.315(h)(2)) as equivalentalternative means for meeting the 2015Edition Base EHR definition.

We refer readers to section III.B.1 ofthis preamble for a more detaileddiscussion of the 2015 Edition Base EHRdefinition and to section III.A.3 of this

preamble for a full discussion of thecriteria that have been included in theBase EHR definition. Of note, the‘‘demographics’’ certification criterion(§ 170.315(a)(5)) now includes sexualorientation and gender identity as dataelements, the ‘‘smoking status’’certification criterion (§ 170.315(a)(11))is now only a functional requirement,the ‘‘API’’ criterion has been separatedinto 3 distinct criteria as mentionedabove, and the Direct-related criteriahave been updated from ‘‘unchanged’’to ‘‘revised’’ to incorporate updated andnecessary interoperability standards.

As discussed in more detail under the‘‘privacy and security’’ heading insection IV.C.1 of this preamble, Health



4/159


4Please see section II.B.3 of this preamble for aregulatory history of the ONC Health ITCertification Program, including changes to theprogram’s name.

IT Modules presented for certification tocriteria listed in the 2015 Base EHRdefinition and other 2015 Editioncertification criteria will be subject tothe applicable privacy and securitycriteria for the purposes of certification.

The CQM capabilities noted above asnot included in the 2015 Edition BaseEHR definition have, however, been

included the Certified EHR Technology(CEHRT) definition under the EHRIncentive Programs. We refer readers tothe next section (‘‘b. CEHRT definition’’)for further information and guidance onthe relationship of the 2015 EditionBase EHR definition and the 2015Edition certification criteria with theCEHRT definition. We also refer readersto the CEHRT definition finalized in theEHR Incentive Programs Stage 3 andModifications final rule publishedelsewhere in this issue of the FederalRegister as the authoritative source forthe requirements to meet the CEHRT

definition. b. CEHRT Definition

This final rule removes the CEHRTdefinition from §170.102 for thefollowing reasons. The CEHRTdefinition has always been defined in amanner that supports the EHR IncentivePrograms. As such, the CEHRTdefinition more appropriately residessolely within the EHR IncentivePrograms regulations. This is alsoconsistent with our approach in thisfinal rule to make the ONC Health ITCertification Program more open andaccessible to other types of health IT

beyond EHR technology and for healthIT that supports care and practicesettings beyond those included in theEHR Incentive Programs. Further, thisadds administrative simplicity in thatregulatory provisions, which EHRIncentive Programs participants mustmeet (e.g., the CEHRT definition), aredefined within the context ofrulemakings for those programs.

We note that the CEHRT definitionfinalized by CMS continues to includethe Base EHR definition(s) defined byONC, including the 2015 Edition BaseEHR definition adopted in this final

rule. We also refer readers to Table 4(‘‘2015 Edition Health IT CertificationCriteria Associated with the EHRIncentive Programs Stage 3’’) found insection III.A.3 of this preamble. Table 4crosswalks 2015 Edition certificationcriteria with the finalized CEHRTdefinition and EHR Incentive ProgramsStage 3 objectives. It also identifiesmandatory and conditional certificationrequirements (i.e., the application ofcertain certification criteria to Health ITModules) that Health IT Modulespresented for certification must meet

regardless of the setting or program theHealth IT Module is designed tosupport.

For the full requirements to meet theCEHRT definition under the EHRIncentive Programs, including for years

before 2018 and for 2018 andsubsequent years, we refer readers to theEHR Incentive Programs Stage 3 and

Modifications final rule publishedelsewhere in this issue of the FederalRegister.

c. Common Clinical Data Set

We revised the ‘‘Common MU DataSet’’ definition in § 170.102. Wechanged the name to ‘‘Common ClinicalData Set,’’ which aligns with ourapproach throughout this final rule tomake the ONC Health IT CertificationProgram more open and accessible toother types of health IT beyond EHRtechnology and for health IT thatsupports care and practice settings

beyond those included in the EHRIncentive Programs. We also changedreferences to the ‘‘Common MU DataSet’’ in the 2014 Edition (§170.314) to‘‘Common Clinical Data Set.’’

We revised the definition to accountfor the new and updated standards andcode sets we have adopted in this finalrule for the 2015 Edition that willimprove and advance interoperabilitythrough the exchange of the CommonClinical Data Set. We also revised thedefinition to support patient safety andimprove care through clearly referenceddata elements (‘‘care plan data’’) and theinclusion of new patient data (e.g.,

Unique Device Identifiers (UDIs) andimmunizations (with standards)). Theserevisions will not change the standards,codes sets, and data requirementsspecified in the Common Clinical DataSet for 2014 Edition certification, whichremain unchanged. They only apply tohealth IT certified to the 2015 Editioncertification criteria that reference theCommon Clinical Data Set.

We refer readers to section III.B.3 ofthis preamble for a detailed discussionof the Common Clinical Data Set and atable listing the data and standardsincluded in the Common Clinical Data

Set for both the 2014 and 2015 Editions.3. The ONC Health IT CertificationProgram and Health IT Module

We have changed the name of theONC HIT Certification Program to the‘‘ONC Health IT Certification Program.’’We have also modified the ONC HealthIT Certification Program in ways thatwill make it more accessible to othertypes of health IT beyond EHRtechnology and for health IT thatsupports care and practice settings

beyond the ambulatory and inpatient

settings. These modifications will alsoserve to support other public andprivate programs that may reference theuse of health IT certified under the ONCHealth IT Certification Program. Whenwe established the certification program(76 FR 1262),4 we stated our initialfocus would be on EHR technology andsupporting the EHR Incentive Programs,

which at the time, focused on theambulatory setting and inpatient setting(76 FR 1294).

This final rule permits other types ofhealth IT, such as technologyimplemented by health informationservice providers (HISPs) and healthinformation exchanges (HIEs), to receiveappropriate attribution and not bereferenced by a certificate with ‘‘EHR’’included in it. This final rule alsosupports health IT certification for othercare and practice settings, such as long-term post-acute care (LTPAC),

behavioral health, and pediatrics.

Further, this final rule will make itsimpler for certification criteria andcertified health IT to be referenced byother HHS programs (e.g., Medicare andMedicaid payment programs andvarious grant programs), other publicprograms, and private entities andassociations.

a. Program Alignment Changes

As part of our approach to evolve theONC Health IT Certification Program,we have replaced prior rulemaking useof ‘‘EHR’’ and ‘‘EHR technology’’ with‘‘health IT.’’ The term health IT isreflective of the scope of ONC’s

authority under the Public HealthService Act (§3000(5) as ‘‘healthinformation technology’’ is so defined),and represents a broad range oftechnology, including EHR technology.It also more properly represents some ofthe technology, as noted above, that has

been previously certified to editions ofcertification criteria under the ONCHealth IT Certification Program and may

be certified to the 2015 Edition.Similarly, to make the ONC Health ITCertification Program more open andaccessible, we have renamed the EHRModule as ‘‘Health IT Module.’’

b. ‘‘Meaningful Use Measurement’’We have adopted our proposed

approach in that we will not requireONC-Authorized Certification Bodies(ONC–ACBs) to certify Health ITModules to the 2015 Edition‘‘meaningful use measurement’’certification criteria. We note, however,that CMS has included the 2015 Edition



5/159


‘‘meaningful use measurement’’certification criteria in the CEHRTdefinition as a program requirement forthe EHR Incentive Programs.Accordingly, we encourage health ITdevelopers supporting providersparticipating in the EHR IncentivePrograms or providers’ qualityimprovement needs to seek certification

to these criteria as appropriate for theirHealth IT Modules (e.g., a Health ITModule is presented for certification toa criterion that supports a Stage 3objective with a percentage-basedmeasure and the Health IT Module canmeet the ‘‘automated numeratorrecording’’ criterion or ‘‘automatedmeasure calculation’’ criterion).

c. Privacy and Security CertificationFramework

We have adopted a new, simpler,straight-forward approach to privacyand security certification requirements

for Health IT Modules certified to the2015 Edition. In sum, the privacy andsecurity certification criteria applicableto a Health IT Module presented forcertification is based on the othercapabilities included in the Health ITModule and for which certification issought. Under the 2015 Edition privacyand security certification framework, ahealth IT developer will know exactlywhat it needs to do in order to get itsHealth IT Module certified and apurchaser of a Health IT Module will

know exactly what privacy and securityfunctionality against which the HealthIT Module had to be tested in order to

be certified.

d. Principles of Proper Conduct (PoPC)for ONC–ACBs

We have adopted new and revisedPoPC for ONC–ACBs. ONC–ACBs are

now required to report an expanded setof information to ONC for inclusion inthe open data file that would make upthe Certified Health IT Product List(CHPL). ONC–ACBs must ensure thathealth IT developers provide moremeaningful disclosure of certain typesof costs and limitations that couldinterfere with the ability of users toimplement certified health IT in amanner consistent with its certification.ONC–ACBs must retain records for aperiod of time that will support HHSprogram needs. ONC–ACBs must alsoobtain a record of all adaptations and

updates affecting ‘‘safety-enhanceddesign’’ criteria on a quarterly basiseach calendar year. ONC–ACBs mustalso report to the National Coordinatorcomplaints received on certified healthIT. We have also adopted newrequirements for ‘‘in-the-field’’surveillance under the ONC Health ITCertification Program that clarify andexpand ONC–ACBs’ existingsurveillance responsibilities byspecifying requirements and proceduresfor in-the-field surveillance. We believe

these new and revised PoPC promotegreater transparency and accountabilityfor the ONC Health IT CertificationProgram.

C. Costs and Benefits

Our estimates indicate that this finalrule is an economically significant ruleas its overall costs for health IT

developers may be greater than $100million in at least one year. We have,therefore, projected the costs and

benefits of the final rule. The estimatedcosts expected to be incurred by healthIT developers to develop and preparehealth IT to be tested and certified inaccordance with the 2015 Editioncertification criteria (and the standardsand implementation specifications theyinclude) are represented in monetaryterms in Table 1 below. We note thatthis final rule does not impose the costscited as compliance costs, but rather asinvestments which health IT developers

voluntarily take on and may expect torecover with an appropriate rate ofreturn. We further note that, based onthe estimates provided by a health ITdeveloper association in response to theProposed Rule, we have reduced theestimated burden of the 2015 Edition byover 40,000 burden hours per health ITdeveloper by not adopting certainproposed certification criteria,functionality and standards.

The dollar amounts expressed inTable 1 are expressed in 2014 dollars.

TABLE 1—DISTRIBUTED TOTAL 2015 EDITION DEVELOPMENT AND PREPARATION COSTS FOR HEALTH IT DEVELOPERS (4-YEAR PERIOD)—TOTALS ROUNDED

Year Ratio(%)

Total low costestimate

($M)

Total high costestimate

($M)

Total averagecost estimate

($M)

2015 ................................................................................................................. 15 39.07 60.48 49.772016 ................................................................................................................. 35 91.15 141.12 116.142017 ................................................................................................................. 35 91.15 141.12 116.142018 ................................................................................................................. 15 39.07 60.48 49.77

4-Year Totals ............................................................................................ ........................ 260.44 403.19 331.82

As noted above, we expect that healthIT developers will recover anappropriate rate of return for their

investments in developing andpreparing their health IT forcertification to the 2015 Editioncertification criteria adopted in thisfinal rule. However, we do not have dataavailable to quantify these benefits orother benefits that will likely arise fromhealth IT developers certifying theirhealth IT to the 2015 Edition.

We believe that there will be severalsignificant benefits that may arise fromthis final rule for patients, health careproviders, and health IT developers.

The 2015 Edition continues to improvehealth IT interoperability through theadoption of new and updated standards

and implementation specifications. Forexample, many proposed certificationcriteria include standards andimplementation specifications forinteroperability that directly support theEHR Incentive Programs, which includeobjectives and measures for theinteroperable exchange of healthinformation and for providing patientselectronic access to their healthinformation in structured formats. Inaddition, the adopted certificationcriteria that support the collection of

patient data that could be used toaddress health disparities would notonly benefit patients, but the entire

health care delivery system throughimproved quality of care. The 2015Edition also supports usability andpatient safety through new andenhanced certification requirements forhealth IT.

This final rule also makes the ONCHealth IT Certification Program openand accessible to more types of healthIT and for health IT that supports avariety of care and practice settings.This should benefit health ITdevelopers, providers practicing in



6/159


other care/practice settings, andconsumers through the availability anduse of certified health IT that includescapabilities that promoteinteroperability and enhancedfunctionality.

II. Background

A. Statutory Basis

The Health Information Technologyfor Economic and Clinical Health(HITECH) Act, Title XIII of Division Aand Title IV of Division B of theAmerican Recovery and ReinvestmentAct of 2009 (the Recovery Act) (Pub. L.111–5), was enacted on February 17,2009. The HITECH Act amended thePublic Health Service Act (PHSA) andcreated ‘‘Title XXX—Health InformationTechnology and Quality’’ (Title XXX) toimprove health care quality, safety, andefficiency through the promotion of HITand electronic health informationexchange.

1. Standards, ImplementationSpecifications, and Certification Criteria

The HITECH Act established two newfederal advisory committees, the HealthIT Policy Committee (HITPC) and theHealth IT Standards Committee (HITSC)(sections 3002 and 3003 of the PHSA,respectively). Each is responsible foradvising the National Coordinator forHealth Information Technology(National Coordinator) on differentaspects of standards, implementationspecifications, and certification criteria.The HITPC is responsible for, among

other duties, recommending prioritiesfor the development, harmonization,and recognition of standards,implementation specifications, andcertification criteria. Mainresponsibilities of the HITSC includerecommending standards,implementation specifications, andcertification criteria for adoption by theSecretary under section 3004 of thePHSA, consistent with the ONC-coordinated Federal Health IT StrategicPlan.

Section 3004 of the PHSA identifies aprocess for the adoption of health IT

standards, implementationspecifications, and certification criteriaand authorizes the Secretary to adoptsuch standards, implementationspecifications, and certification criteria.As specified in section 3004(a)(1), theSecretary is required, in consultationwith representatives of other relevantfederal agencies, to jointly reviewstandards, implementationspecifications, and certification criteriaendorsed by the National Coordinatorunder section 3001(c) and subsequentlydetermine whether to propose the

adoption of any grouping of suchstandards, implementationspecifications, or certification criteria.The Secretary is required to publish alldeterminations in the Federal Register.

Section 3004(b)(3) of the PHSA titled,Subsequent Standards Activity,provides that the Secretary shall adoptadditional standards, implementation

specifications, and certification criteriaas necessary and consistent with theschedule published by the HITSC. Weconsider this provision in the broadercontext of the HITECH Act to grant theSecretary the authority and discretion toadopt standards, implementationspecifications, and certification criteriathat have been recommended by theHITSC and endorsed by the NationalCoordinator, as well as otherappropriate and necessary health ITstandards, implementationspecifications, and certification criteria.

2. Health IT Certification Programs

Section 3001(c)(5) of the PHSAprovides the National Coordinator withthe authority to establish a certificationprogram or programs for the voluntarycertification of health IT. Specifically,section 3001(c)(5)(A) specifies that theNational Coordinator, in consultationwith the Director of the NationalInstitute of Standards and Technology(NIST), shall keep or recognize aprogram or programs for the voluntarycertification of health informationtechnology as being in compliance withapplicable certification criteria adoptedunder this subtitle (i.e., certificationcriteria adopted by the Secretary undersection 3004 of the PHSA).

The certification program(s) must alsoinclude, as appropriate, testing of thetechnology in accordance with section13201(b) of the [HITECH] Act. Overall,section 13201(b) of the HITECH Actrequires that with respect to thedevelopment of standards andimplementation specifications, theDirector of the NIST, in coordinationwith the HITSC, shall support theestablishment of a conformance testinginfrastructure, including thedevelopment of technical test beds. The

HITECH Act also indicates that thedevelopment of this conformancetesting infrastructure may include aprogram to accredit independent, non-Federal laboratories to perform testing.

B. Regulatory History

1. Standards, ImplementationSpecifications, and Certification CriteriaRules

The Secretary issued an interim finalrule with request for comments titled,‘‘Health Information Technology: Initial

Set of Standards, ImplementationSpecifications, and Certification Criteriafor Electronic Health RecordTechnology’’ (75 FR 2014, Jan. 13, 2010)(the ‘‘S&CC January 2010 interim finalrule’’), which adopted an initial set ofstandards, implementationspecifications, and certification criteria.After consideration of the comments

received on the S&CC January 2010interim final rule, a final rule wasissued to complete the adoption of theinitial set of standards, implementationspecifications, and certification criteriaand realign them with the finalobjectives and measures established forthe EHR Incentive Programs Stage 1(formally titled: Health InformationTechnology: Initial Set of Standards,Implementation Specifications, andCertification Criteria for ElectronicHealth Record Technology; Final Rule,(75 FR 44590, July 28, 2010) andreferred to as the ‘‘2011 Edition final

rule’’). The 2011 Edition final rule alsoestablished the first version of theCEHRT definition. Subsequent to the2011 Edition final rule (October 13,2010), we issued an interim final rulewith a request for comment to removecertain implementation specificationsrelated to public health surveillance thathad been previously adopted in the2011 Edition final rule (75 FR 62686).

The standards, implementationspecifications, and certification criteriaadopted by the Secretary in the 2011Edition final rule established thecapabilities that CEHRT must include inorder to, at a minimum, support the

achievement of EHR Incentive ProgramsStage 1 by eligible professionals (EPs),eligible hospitals, and critical accesshospitals (CAHs) under the Medicareand Medicaid Programs; ElectronicHealth Record Incentive Program; FinalRule (75 FR 44314) (the ‘‘EHR IncentivePrograms Stage 1 final rule’’).

The Secretary issued a proposed rulewith request for comments titled‘‘Health Information Technology:Standards, ImplementationSpecifications, and Certification Criteriafor Electronic Health RecordTechnology, 2014 Edition; Revisions to

the Permanent Certification Program forHealth Information Technology’’ (77 FR13832, March 7, 2012) (the ‘‘2014Edition proposed rule’’), whichproposed new and revised standards,implementation specifications, andcertification criteria. After considerationof the comments received on the 2014Edition proposed rule, a final rule wasissued to adopt the 2014 Edition set ofstandards, implementationspecifications, and certification criteriaand realign them with the finalobjectives and measures established for



7/159


the EHR Incentive Programs Stage 2, aswell as Stage 1 revisions (HealthInformation Technology: Standards,Implementation Specifications, andCertification Criteria for ElectronicHealth Record Technology, 2014Edition; Revisions to the PermanentCertification Program for HealthInformation Technology (77 FR 54163,

Sept. 4, 2012) (the ‘‘2014 Edition finalrule’’). The standards, implementationspecifications, and certification criteriaadopted by the Secretary in the 2014Edition final rule established thecapabilities that CEHRT must include inorder to, at a minimum, support theachievement of the EHR IncentivePrograms Stage 2 by EPs, eligiblehospitals, and CAHs under the Medicareand Medicaid Programs; ElectronicHealth Record Incentive Program—Stage2 final rule ( 77 FR 53968) (the ‘‘EHRIncentive Programs Stage 2 final rule’’).

On December 7, 2012, an interim final

rule with a request for comment wasjointly issued and published by ONCand CMS to update certain standardsthat had been previously adopted in the2014 Edition final rule. The interimfinal rule also revised the EHR IncentivePrograms by adding an alternativemeasure for the Stage 2 objective forhospitals to provide structuredelectronic laboratory results toambulatory providers, corrected theregulation text for the measuresassociated with the objective forhospitals to provide patients the abilityto view online, download, and transmitinformation about a hospital admission,

and made the case number thresholdexemption policy for clinical qualitymeasure (CQM) reporting applicable foreligible hospitals and CAHs beginningwith FY 2013. In addition, the interimfinal rule provided notice of CMS’sintent to issue technical corrections tothe electronic specifications for CQMsreleased on October 25, 2012 (77 FR72985). On September 4, 2014, a finalrule (Medicare and Medicaid Programs;Modifications to the Medicare andMedicaid Electronic Health Record(EHR) Incentive Program for 2014 andOther Changes to the EHR Incentive

Program; and Health InformationTechnology: Revisions to the CertifiedEHR Technology Definition and EHRCertification Changes Related toStandards; Final Rule) (79 FR 52910)was published adopting these proposals.

On November 4, 2013, the Secretarypublished an interim final rule with arequest for comment, 2014 EditionElectronic Health Record CertificationCriteria: Revision to the Definition of‘‘Common Meaningful Use (MU) DataSet’’ (78 FR 65884), to make a minorrevision to the Common MU Data Set

definition. This revision was intendedto allow more flexibility with respect tothe representation of dental proceduresdata for EHR technology testing andcertification.

On February 26, 2014, the Secretarypublished a proposed rule titled‘‘Voluntary 2015 Edition ElectronicHealth Record (EHR) Certification

Criteria; Interoperability Updates andRegulatory Improvements’’ (79 FR10880) (‘‘Voluntary Edition proposedrule’’). The proposed rule proposed avoluntary edition of certification criteriathat was designed to enhanceinteroperability, promote innovation,and incorporate ‘‘bug fixes’’ to improveupon the 2014 Edition. A correctionnotice was published for the VoluntaryEdition proposed rule on March 19,2014, entitled ‘‘Voluntary 2015 EditionElectronic Health Record (EHR)Certification Criteria; InteroperabilityUpdates and Regulatory Improvements;

Correction’’ (79 FR 15282). Thiscorrection notice corrected the preambletext and gap certification table for fourcertification criteria that were omittedfrom the list of certification criteriaeligible for gap certification for the 2015Edition EHR certification criteria. OnSeptember 11, 2014, a final rule waspublished titled ‘‘2014 Edition Release 2Electronic Health Record (EHR)Certification Criteria and the ONC HITCertification Program; RegulatoryFlexibilities, Improvements, andEnhanced Health InformationExchange’’ (79 FR 54430) (‘‘2014 EditionRelease 2 final rule’’). The final rule

adopted a small subset of the originalproposals in the Voluntary Editionproposed rule as optional and revised2014 Edition EHR certification criteriathat provide flexibility, clarity, andenhance health information exchange. Italso finalized administrative proposals(i.e., removal of regulatory text from theCode of Federal Regulations (CFR)) andproposals for the ONC HIT CertificationProgram that provide improvements.

On May 23, 2014, CMS and ONCjointly published the ‘‘Medicare andMedicaid Programs; Modifications tothe Medicare and Medicaid Electronic

Health Record Incentive Programs for2014; and Health InformationTechnology: Revisions to the CertifiedEHR Technology Definition’’ proposedrule (79 FR 29732). The rule proposedto update the EHR Incentive ProgramsStage 2 and Stage 3 participationtimeline. It proposed to revise theCEHRT definition to permit the use ofEHR technology certified to the 2011Edition to meet the CEHRT definitionfor FY/CY 2014. It also proposed toallow EPs, eligible hospitals, and CAHsthat could not fully implement EHR

technology certified to the 2014 Editionfor an EHR reporting period in 2014 dueto delays in the availability of suchtechnology to continue to use EHRtechnology certified to the 2011 Editionor a combination of EHR technologycertified to the 2011 Edition and 2014Edition for the EHR reporting periods inCY 2014 and FY 2014. On September 4,

2014, a final rule (‘‘CEHRT Flexibilityfinal rule’’) was published (79 FR52910) adopting these proposals.

On March 30, 2015, the Secretarypublished a proposed rule titled ‘‘2015Edition Health Information Technology(Health IT) Certification Criteria; 2015Edition Base Electronic Health Record(EHR) Definition, and ONC Health ITCertification Program Modifications’’(80 FR 16804) (‘‘2015 Edition ProposedRule’’ or ‘‘Proposed Rule’’). TheProposed Rule proposed an edition ofcertification criteria that was designedto enhance interoperability and is the

subject of this final rule.2. Medicare and Medicaid EHRIncentive Programs Rules

On January 13, 2010, CMS publishedthe Medicare and Medicaid Programs;Electronic Health Record IncentiveProgram; Proposed Rule (75 FR 1844).The rule proposed the criteria for Stage1 of the EHR Incentive Programs andregulations associated with theincentive payments made availableunder Division B, Title IV of theHITECH Act. Subsequently, CMSpublished a final rule (75 FR 44314) forStage 1 of the EHR Incentive Programs

on July 28, 2010, simultaneously withthe publication of the 2011 Edition finalrule. The EHR Incentive Programs Stage1 final rule established the objectives,associated measures, and otherrequirements that EPs, eligiblehospitals, and CAHs must satisfy tomeet Stage 1.

On March 7, 2012, CMS published theMedicare and Medicaid Programs;Electronic Health Record IncentiveProgram—Stage 2; Proposed Rule (77 FR13698). Subsequently, CMS published afinal rule (77 FR 53968) for the EHRIncentive Programs on September 4,

2012, simultaneously with thepublication of the 2014 Edition finalrule. The EHR Incentive Programs Stage2 final rule established the objectives,associated measures, and otherrequirements that EPs, eligiblehospitals, and CAHs must satisfy tomeet Stage 2. It also revised some Stage1 requirements.

As described above in Section II.B.1,ONC and CMS jointly issued an interimfinal rule with a request for commentthat was published on December 7, 2012and a final rule that was published on



8/159


September 4, 2014. Also, as describedabove in Section II.B.1, ONC and CMSjointly issued proposed and final rulesthat were published on May 23, 2014and September 4, 2014, respectively.

On March 30, 2015, CMS publishedthe Medicare and Medicaid Programs;Electronic Health Record IncentiveProgram—Stage 3; Proposed Rule (80 FR

16732) (‘‘EHR Incentive Programs Stage3 proposed rule’’) outlining objectives,associated measures, and otherrequirements that EPs, eligiblehospitals, and CAHs would need tomeet to participate in Stage 3 of the EHRIncentives Programs.

On April 15, 2015, CMS published theMedicare and Medicaid Programs;Electronic Health Record IncentiveProgram—Modifications to MeaningfulUse in 2015 Through 2017; ProposedRule (80 FR 20346) (‘‘EHR IncentivePrograms Modifications proposed rule’’)proposing modifications to the EHRIncentive Programs for the EHRreporting periods and meaningful usemeasures in 2015 through 2017.

3. ONC Health IT Certification ProgramRules

On March 10, 2010, ONC published aproposed rule (75 FR 11328) titled,‘‘Proposed Establishment ofCertification Programs for HealthInformation Technology’’ (the‘‘Certification Programs proposed rule’’).The rule proposed both a temporary andpermanent certification program for thepurposes of testing and certifying HIT.It also specified the processes the

National Coordinator would follow toauthorize organizations to perform thecertification of HIT. A final ruleestablishing the temporary certificationprogram was published on June 24,2010 (75 FR 36158) (‘‘TemporaryCertification Program final rule’’) and afinal rule establishing the permanentcertification program was published on

January 7, 2011 (76 FR 1262) (‘‘thePermanent Certification Program finalrule’’).

On May 31, 2011, ONC published aproposed rule (76 FR 31272) titled‘‘Permanent Certification Program for

Health Information Technology;Revisions to ONC-Approved AccreditorProcesses.’’ The rule proposed a processfor addressing instances where theONC–Approved Accreditor (ONC–AA)engaged in improper conduct or did notperform its responsibilities under thepermanent certification program,addressed the status of ONC–Authorized Certification Bodies ininstances where there may be a changein the accreditation organization servingas the ONC–AA, and clarified theresponsibilities of the new ONC–AA.

All these proposals were finalized in afinal rule published on November 25,2011 (76 FR 72636).

The 2014 Edition final rule madechanges to the permanent certificationprogram. The final rule adopted aproposal to change the PermanentCertification Program’s name to the‘‘ONC HIT Certification Program,’’

revised the process for permitting theuse of newer versions of ‘‘minimumstandard’’ code sets, modified thecertification processes ONC–ACBs needto follow for certifying EHR Modules ina manner that provides clearimplementation direction andcompliance with the new certificationcriteria, and eliminated the certificationrequirement that every EHR Module becertified to the ‘‘privacy and security’’certification criteria.

The Voluntary Edition proposed ruleincluded proposals that focused onimproving regulatory clarity,

simplifying the certification of EHRModules that are designed for purposesother than meeting requirements of theEHR Incentive Programs, anddiscontinuing the use of the CompleteEHR definition. As noted above, weissued the 2014 Edition Release 2 finalrule to complete the rulemaking for theVoluntary Edition proposed rule. The2014 Edition Release 2 final rulediscontinued the ‘‘Complete EHR’’certification concept beginning with theproposed 2015 Edition, adopted anupdated standard (ISO/IEC 17065) forthe accreditation of ONC–ACBs, andadopted the ‘‘ONC Certified HIT’’certification and design mark forrequired use by ONC–ACBs under theONC Health IT Certification Program.

As noted above, on March 30, 2015,the Secretary published the ProposedRule which, in addition to proposingthe 2015 Edition, proposed revisions tothe ONC Health IT CertificationProgram.

III. Provisions of the Proposed RuleAffecting Standards, ImplementationSpecifications, and CertificationCriteria

A. 2015 Edition Health IT Certification

CriteriaThis rule finalizes new, revised, and

unchanged certification criteria thatestablish the capabilities and relatedstandards and implementationspecifications for the certification ofhealth IT, including EHR technology.We refer to these new, revised, andunchanged certification criteria as the‘‘2015 Edition health IT certificationcriteria’’ and have added this term andits definition to §170.102. As noted inthe Executive Summary, we also refer to

these criteria as the ‘‘2015 Edition’’ inthis preamble. We codified the 2015Edition in §170.315 to set them apartfrom other editions of certificationcriteria and make it easier forstakeholders to quickly determine thecertification criteria included in the2015 Edition.

In the Proposed Rule, we identified

the 2015 Edition certification criteria asnew, revised, or unchanged incomparison to the 2014 Edition. In the2014 Edition final rule we gave meaningto the terms ‘‘new,’’ ‘‘revised,’’ and‘‘unchanged’’ to both describe thedifferences between the 2014 Editioncertification criteria and the 2011Edition certification criteria, as well asestablish what certification criteria inthe 2014 Edition were eligible for gapcertification (see 77 FR 54171, 54202,and 54248). Given that beginning withthe 2015 Edition, ‘‘Complete EHR’’certifications will no longer be issued

(see also 79 FR 54443–45) and that weproposed to make the ONC Health ITCertification Program more open andaccessible to other health care/practicesettings, we also proposed to give newmeaning to these terms for the purposeof a gap certification analysis as sospecified:

• ‘‘New ’’ certification criteria arethose that as a whole only includecapabilities never referenced inpreviously adopted certification criteriaeditions and to which a Health ITModule presented for certification to the2015 Edition could have neverpreviously been certified. As a counter

example, the splitting of a 2014 Editioncertification criterion into two criteria aspart of the 2015 Edition would not makethose certification criteria ‘‘new’’ for thepurposes of a gap certification eligibilityanalysis.

• ‘‘Revised ’’ certification criteria arethose that include within themcapabilities referenced in a previouslyadopted edition of certification criteriaas well as changed or additional newcapabilities; and to which a Health ITModule presented for certification to the2015 Edition could not have beenpreviously certified to all of the

included capabilities.• ‘‘Unchanged ’’ certification criteriaare those that include the samecapabilities as compared to priorcertification criteria of adopted editions;and to which a Health IT Modulepresented for certification to the 2015Edition could have been previouslycertified to all of the includedcapabilities.

Comments. While we received nospecific comments on these terms, wereceived comments both supporting andopposing the adoption of certification



9/159


criteria that go beyond specificallysupporting an objective and measureunder the EHR Incentive Programs.

Response. We continue to maintainthe same meanings for the terms ‘‘new,’’‘‘revised,’’ and ‘‘unchanged’’ asdescribed in the Proposed Rule with aslight modification to the meaning of‘‘unchanged’’ to state that ‘‘unchanged’’

certification criteria are certificationcriteria that include the same or less ofthe same capabilities as compared toprior certification criteria of adoptededitions. We refer readers to sectionIII.A.4 (‘‘2015 Edition Gap Certification

Eligibility Table’’) of this preamble for acomplete description of gap certificationand the identification of 2015 Editioncertification criteria eligible for gapcertification. In sum, ‘‘unchanged’’criteria are eligible for gap certification.For health IT previously certified to the2011 or 2014 Edition certificationcriteria, this permits, where applicable,

the use of prior test results forcertification to the 2015 certificationcriteria. This creates efficiencies andsubstantially reduces burden.

As described in the Proposed Ruleand Executive Summary of this final

rule as well as discussed in more detailin section IV.B of this preamble, we

believe the availability and use ofcertified health IT for other use casesand health care settings beyond the EHRIncentive Programs has significantvalue. Therefore, we have adoptedcertification criteria that support thosepurposes. Table 2 below provides anoverview of certification criteriaadopted in this final rule as comparedto the certification criteria proposed inthe Proposed Rule and the adopted 2014Edition.

TABLE 2—2015 EDITION HEALTH IT CERTIFICATION CRITERIA

Not Adopted Proposed Criteria (14)

Vital SignsImage ResultsFamily Health History—PedigreePatient List CreationElectronic Medication Administration Record

Decision Support—Knowledge ArtifactDecision Support—ServiceIncorporate Laboratory Tests and Values/ResultsTransmission of Laboratory Test ReportsAccessibility TechnologySOAP Transport and Security Specification and XDR/XDM for Direct MessagingHealthcare Provider Directory—Query RequestHealthcare Provider Directory—Query ResponseElectronic Submission of Medical Documentation

Unchanged Criteria as Compared to the 2014 Edition (Gap Certification Eligible) (16)

Computerized Provider Order Entry (CPOE)—MedicationsCPOE—LaboratoryCPOE—Diagnostic ImagingDrug-Drug, Drug-Allergy Interaction Checks for CPOEMedication ListMedication Allergy List

Drug-Formulary and Preferred Drug List ChecksSmoking StatusAuthentication, Access Control, AuthorizationAudit Report(s)AmendmentsAutomatic Access Time-OutEmergency AccessEnd-User Device EncryptionAccounting of DisclosuresTransmission to Public Health Agencies—Reportable Laboratory Tests and Values/

Results

Revised Criteria as Compared to the 2014 Edition (25)

DemographicsProblem ListClinical Decision Support

Family Health HistoryPatient-Specific Education ResourcesTransitions of CareClinical Information Reconciliation and IncorporationElectronic PrescribingData ExportClinical Quality Measures—Record and ExportClinical Quality Measures—Import and CalculateClinical Quality Measures—ReportView, Download, and Transmit to 3rd PartyTransmission to Immunization RegistriesTransmission to Public Health Agencies—Syndromic SurveillanceTransmission to Cancer RegistriesAutomated Numerator RecordingAutomated Measure Calculation



10/159


TABLE 2—2015 EDITION HEALTH IT CERTIFICATION CRITERIA—Continued

Safety-enhanced DesignQuality Management SystemAuditable Events and Tamper-Resistance*Integrity*Secure Messaging*Direct Project*Direct Project, Edge Protocol, and XDR/XDM*

New Criteria as Compared to the 2014 Edition (19)

Implantable Device ListSocial, Psychological, and Behavioral DataData Segmentation for Privacy—SendData Segmentation for Privacy—ReceiveCare PlanCommon Clinical Data Set Summary Record—Create ................................................... New criteria based on request for comment in the Pro-

posed Rule.Common Clinical Data Set Summary Record—ReceiveClinical Quality Measures—FilterTrusted Connection .......................................................................................................... New for privacy and security certification framework and

API approach.Auditing Actions on Health Information ........................................................................... New for privacy and security certification framework and

API approach.Patient Health Information Capture.Transmission to Public Health Agencies—Electronic Case Reporting.

Transmission to Public Health Agencies—Antimicrobial Use and Resistance Report-ing.

Transmission to Public Health Agencies—Health Care Surveys.Consolidated CDA Creation Performance.Application Access—Patient Selection ............................................................................ Split the proposed API criterion into three criteria based

on public comments.Application Access—Data Category Request.

Application Access—All Data RequestAccessibility—centered Design.

* The criterion was proposed as unchanged, but has been adopted as revised in this final rule.

We proposed that readers shouldinterpret the following terms used in the2015 Edition with the same meaningswe adopted in the 2014 Edition final

rule (77 FR 54168–54169), in responseto comment: ‘‘User,’’ ‘‘record,’’‘‘change,’’ ‘‘access,’’ ‘‘incorporate,’’‘‘create,’’ and ‘‘transmit,’’ but apply toall health IT, not just ‘‘EHR technology.’’For the term ‘‘incorporate,’’ we alsoproposed that readers should interpretthe term as we further explained itunder the ‘‘transitions of care’’certification criterion (77 FR 54218) inthe 2014 Edition final rule and in theVoluntary Edition proposed rule (79 FR10898). We proposed that the scope ofa 2015 Edition certification criterionwas the same as the scope previously

assigned to a 2014 Edition certificationcriterion (for further explanation, seethe discussion at 77 FR 54168). That is,certification to the 2015 Editioncertification criteria at §170.315 wouldoccur at the second paragraph level ofthe regulatory section and encompassall paragraph levels below the secondparagraph level. We also proposed tocontinue to use the same specificdescriptions for the different types of‘‘data summaries’’ established in the2014 Edition final rule (77 FR 54170–54171) for the 2015 Edition certification

criteria (i.e., ‘‘export summary,’’‘‘transition of care/referral summary,’’‘‘ambulatory summary,’’ and ‘‘inpatientsummary.’’)

We received no specific comments onthese proposals and have adopted thesemeanings and approaches forcertification to the 2015 Edition.

As with the adoption of the 2011 and2014 editions of certification criteria(see the introductory text to §§ 170.302,170.304, 170.306, and 170.314), allcapabilities mentioned in certificationcriteria are expected to be performedelectronically, unless otherwise noted.Therefore, we no longer include‘‘electronically’’ in conjunction witheach capability included in acertification criterion under §170.315

because the introductory text to§ 170.315 (which covers all thecertification criteria included in thesection) clearly states that health ITmust be able to electronically performthe following capabilities in accordancewith all applicable standards andimplementation specifications adoptedin the part.

Health IT certified to the 2015 Editioncertification criteria and associatedstandards and implementationspecifications can be implemented aspart of an EP’s, eligible hospital’s, or

CAH’s CEHRT and used to demonstratemeaningful use (as identified in Table 4of section III.A.3 below). We note thatTable 4 also identifies certification

criteria that are mandatory andconditional certification requirementsfor Health IT Modules, such as safety-enhanced design (conditional), andquality management system(mandatory), accessibility-centereddesign (mandatory), and privacy andsecurity certification criteria(conditional). To note, we use the termmandatory to mean that all Health ITModules must be certified to thecertification criterion (see also§ 170.550(g)(2) and (3)). Conditionalmeans that certification to thecertification criterion (e.g., the

‘‘Consolidated CDA creationperformance,’’ ‘‘safety-enhanceddesign,’’ ‘‘automatic access timeout,’’ or‘‘integrity’’ certification criterion)depends on what other certificationcriteria a Health IT Module is presentedfor certification to (see §170.550(g)(1)and (4) and §170.550(f)). For moreinformation on ‘‘conditional’’certification related to privacy andsecurity, we also refer readers to sectionIV.C.1 (‘‘Privacy and Security’’) of thispreamble.



11/159


5http://www.whitehouse.gov/omb/circulars _a119. 6http://www.healthit.gov/policy-researchers-

implementers/direct-project. 7http://www.healthit.gov/policy-researchers-

implementers/standards-interoperability-si- framework.

Health IT certified to the 2015 Editioncertification criteria and associatedstandards and implementationspecifications can also be used to meetother HHS program requirements (e.g.,Medicare chronic care managementservices) or private sector requirements(e.g., The Joint Commissionperformance measurement initiative

(‘‘ORYX’’ vendor)). We refer readers tosection IV.B.4 of this preamble forfurther programs that reference the useof certified health IT.

1. Applicability

Section 170.300 establishes theapplicability of subpart C—CertificationCriteria for Health InformationTechnology. We proposed to reviseparagraph (d) of §170.300 to add in areference to §170.315 and revise theparenthetical in the paragraph to say‘‘i.e., apply to any health care setting’’instead of ‘‘i.e., apply to bothambulatory and inpatient settings.’’

We received no comments on thesespecific proposed revisions and haveadopted the proposed revisions. Asnoted in the Proposed Rule, theserevisions clarify which specificcapabilities within a certificationcriterion included in § 170.315 havegeneral applicability (i.e., apply to anyhealth care setting) or apply only to aninpatient setting or an ambulatorysetting. The revision to change thelanguage of the parenthetical aligns withour approach to make the ONC HealthIT Certification Program more agnosticto health care settings and accessible to

health IT that supports care and practicesettings beyond the ambulatory andinpatient settings. We refer readers tosection IV.B of this preamble for adetailed discussion of modifications tothe ONC Health IT Certification Programresponses to public comments receivedon the proposed modifications.

We note that, with the 2015 Edition,we no longer label an entire certificationcriterion as either optional orambulatory/inpatient (at the secondparagraph level of § 170.315). Forexample, the 2015 Edition certificationcriterion for transmission to cancer

registries is simply ‘‘transmission tocancer registries’’ instead of ‘‘optional—ambulatory setting only—transmissionto cancer registries.’’ Similarly, the 2015Edition certification criterion for‘‘accounting of disclosures’’ is simply‘‘accounting of disclosures’’ instead of‘‘optional—accounting of disclosures.’’These simplifications are possible giventhat, beginning with the 2015 Editioncertification criteria, ‘‘Complete EHR’’certifications will no longer be issued(see 79 FR 54443–45). Therefore, thereis no longer a need to designate an

entire certification criterion in thismanner. Again, this approach alsosupports our goal to make the ONCHealth IT Certification Program moreagnostic to health care settings andaccessible to health IT that supportscare and practice settings beyond theambulatory and inpatient settings. Wenote that we still use ‘‘optional,’’

‘‘inpatient setting only,’’ and‘‘ambulatory setting only’’ designationswithin certification criteria to provideflexibility and reduce burden wherefeasible and appropriate.

We proposed to replace the term‘‘EHR technology’’ in paragraphs (d)(1)and (d)(2) of §170.300 with ‘‘health IT’’to align with our approach to make theONC Health IT Certification Programmore clearly open to the certification ofall types of health IT. We received nocomments on this specific proposal andhave replaced ‘‘EHR technology’’ with‘‘health IT’’ in the referenced

paragraphs. Again, we refer readers tosection IV.B of this preamble for adetailed discussion of modifications tothe ONC Health IT Certification Programand responses to public commentsreceived on the proposed modifications.

2. Standards and ImplementationSpecifications

a. National Technology Transfer andAdvancement Act

The National Technology Transferand Advancement Act (NTTAA) of 1995(15 U.S.C. 3701 et. seq.) and the Officeof Management and Budget (OMB)

Circular A–1195

require the use of,wherever practical, technical standardsthat are developed or adopted byvoluntary consensus standards bodies tocarry out policy objectives or activities,with certain exceptions. The NTTAAand OMB Circular A–119 provideexceptions to selecting only standardsdeveloped or adopted by voluntaryconsensus standards bodies, namelywhen doing so would be inconsistentwith applicable law or otherwiseimpractical. In this final rule, we referto voluntary consensus standards,except for:

• The standards adopted in § 170.202.(These industry standards weredeveloped by groups of industrystakeholders committed to advancingthe Direct Project,6 which includedinitiatives under the Standards andInteroperability (S&I) Framework.7 These groups used consensus processes

similar to those used by voluntaryconsensus standards bodies.);

• The standards adopted at§ 170.205(d)(4) and (e)(4) for reportingof syndromic surveillance andimmunization information to publichealth agencies, respectively (Thesestandards go through a process similarwithin the public health community to

those used by other industrystakeholders and voluntary consensusstandards bodies.);

• The standard adopted at§ 170.207(f)(2) for race and ethnicity;and

• Certain standards related to theprotection of electronic healthinformation adopted in §170.210.

We are aware of no voluntaryconsensus standard that would serve asan alternative to these standards for thepurposes that we have identified in thisfinal rule.

b. Compliance With Adopted Standards

and Implementation SpecificationsIn accordance with Office of the

Federal Register regulations related to‘‘incorporation by reference,’’ 1 CFRpart 51, which we follow when weadopt proposed standards and/orimplementation specifications in a finalrule, the entire standard orimplementation specification documentis deemed published in the FederalRegister when incorporated by referencetherein with the approval of the Directorof the Federal Register. Once published,compliance with the standard andimplementation specification includes

the entire document unless we specifyotherwise. For example, for the HealthLevel Seven (HL7) ImplementationGuide (IG) for CDA Release 2: NationalHealth Care Surveys (NHCS), Release 1adopted in this final rule, health ITcertified to the certification criterionreferencing this IG will need todemonstrate compliance with allmandatory elements and requirementsof the IG. If an element of the IG isoptional or permissive in any way, itwill remain that way for testing andcertification unless we specifiedotherwise in regulation. In such cases,

the regulatory text preempts thepermissiveness of the IG.

c. ‘‘Reasonably Available’’ to InterestedParties

The Office of the Federal Register hasestablished new requirements formaterials (e.g., standards andimplementation specifications) thatagencies incorporate by reference in theFederal Register (79 FR 66267; 1 CFR51.5(b)). To comply with theserequirements, in section V(‘‘Incorporation by Reference’’) of this


http://www.whitehouse.gov/omb/circulars_a119http://www.whitehouse.gov/omb/circulars_a119http://www.whitehouse.gov/omb/circulars_a119http://www.healthit.gov/policy-researchers-implementers/direct-projecthttp://www.healthit.gov/policy-researchers-implementers/direct-projecthttp://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-frameworkhttp://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-frameworkhttp://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-frameworkhttp://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-frameworkhttp://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-frameworkhttp://www.healthit.gov/policy-researchers-implementers/standards-interoperability-si-frameworkhttp://www.whitehouse.gov/omb/circulars_a119http://www.healthit.gov/policy-researchers-implementers/direct-projecthttp://www.healthit.gov/policy-researchers-implementers/direct-project


12/159


8We have more specifically identified the CDCRace and Ethnicity code set as compared to theidentification in the Proposed Rule. We note thiscode set remains part of the PHIN VocabularyAccess and Distribution System (VADS) Release3.3.9. http://www.cdc.gov/phin/resources/ vocabulary/index.html.

preamble, we provide summaries of,and uniform resource locators (URLs) to,the standards and implementationspecifications we have adopted andincorporated by reference in the FederalRegister. To note, we also providerelevant information about thesestandards and implementationspecifications throughout this section of

the preamble (section III), includingURLs.

‘‘Minimum Standards’’ Code Sets

In the Proposed Rule, we proposed toadopt newer versions of four previouslyadopted minimum standards code setsfor the 2015 Edition. The code setsproposed were: The September 2014Release of the U.S. Edition of SNOMEDCT, LOINC version 2.50, the February2, 2015 monthly version of RxNorm,and the February 2, 2015 version of theCVX code set. We also proposed toadopt two new minimum standards

code sets (the National Drug Codes(NDC)—Vaccine Codes, updates through January 15, 2015 and the ‘‘Race &Ethnicity—CDC’’ code system in thePHIN Vocabulary Access andDistribution System (VADS) Release3.3.9 (June 17, 2011)). We reiterated, aswe have previously articulated (77 FR54170), the adoption of newer versionsimprove interoperability and health ITimplementation, while creating littleadditional burden through the inclusionof new codes. We further stated that, asmany of these minimum standards codesets are updated frequently throughoutthe year, we would consider whether itmay be more appropriate to adopt aversion of a minimum standards codeset that is issued before we publish afinal rule for the Proposed Rule.

Comments. A number of commenterswere supportive of the proposal to adoptmore recent versions of the U.S. Editionof SNOMED CT, LOINC, RxNorm,and the CVX code set. Commenterssupported adoption of NDC codes forvaccines, but also recommended weadopt the MVX codes for vaccinemanufacturer as part of this list. Onecommenter requested identification ofthe steward for the PHIN VADS ‘‘Race

& Ethnicity—CDC’’ code system, notingthat it did not appear to have beenupdated since 2007. This commenteralso requested verification that the codeset has been reviewed on a regular basis.

A few commenters suggested that wedo not specify an exact version andrelease of a standard (e.g., allow foradoption of version/release 1.x of theHL7 Implementation Guide for CDA

Release 2: National Health Care Surveys(NHCS) where ‘‘x’’ could be anyversion/release within the version/release 1 family). Another commentersuggested that we consider adopting a‘‘rolling’’ upgrade cycle for allstandardized code systems and valuesets. Specifically, the commenterrecommended that a certified Health IT

Module should not be more than twoversions behind the most currentlyreleased version of the code system orvalue set. Commenters also suggestedthat the vocabulary code set versions inthe Proposed Rule are now outdated andhave since been updated per a regularupdate cycle. Commenters suggested weadopt these more recent versions ofthese vocabulary code sets as theyprovide the most up-to-date clinicalinformation for clinical relevance andinteroperability.

Response. As many of the proposedminimum standards code sets are

updated frequently throughout the year,we considered whether it was moreappropriate to adopt versions ofminimum standards code sets that wereissued after the Proposed Rule and

before we published this final rule. Inmaking such determination, as we havedone with prior finalized versions ofminimum standards code sets, we gaveconsideration to whether these newerversions included any new substantiverequirements and their effects oninteroperability. We have found nonegative effects on interoperability withthe newer versions we have adopted ascompared to the proposed versions.

Rather, these newer versions willfurther support and improve thestructured recording of data. To note,the adopted newer version of aminimum standards code set will serveas the baseline for certification. As withall adopted minimum standards codesets, health IT can be certified to newerversions of the adopted baseline versionminimum standards code sets forpurposes of certification, unless theSecretary specifically prohibits the useof a newer version (see § 170.555 and 77FR 54268).

We have adopted newer versions of

four 2014 Edition minimum standardscode sets in this final rule for the 2015Edition. These code sets are theSeptember 2015 Release of the U.S.Edition of SNOMED CT, LOINC version 2.52, the September 8, 2015monthly version of RxNorm, and theAugust 17, 2015 version of the CVXcode set. We have also adopted threenew minimum standards code sets.

These code sets are the National DrugCodes (NDC)—Vaccine NDC Linker,updates through August 17, 2015; theCDC Race and Ethnicity Code SetVersion 1.0 (March 2000); 8 and theCrosswalk: Medicare Provider/Supplierto Healthcare Provider Taxonomy, April2, 2015.

We have not adopted MVX codes forvaccine manufacturers as detailedfurther in the discussion on the‘‘transmission to immunizationregistries’’ certification criterion insection III.A.3 of the preamble.Therefore, we do not see a need toinclude MVX codes in this list of codesets.

We confirm that CDC continues tosteward the CDC Race and EthnicityCode Set, Version 1.0 (March 2000). Wealso confirm that we have reviewed thisversion and believe it is appropriate toadopt it as the minimum standard code

set for race and ethnicity. Any updatesto the code set, including the issuanceof newer versions, are within theoversight of the CDC.

As we stated in the 2014 Edition finalrule (77 FR 54169–54170), the Office ofthe Federal Register regulations relatedto ‘‘incorporation by reference’’ arelimited to a specific version that isapproved rather than future versions orrevisions of a given publication. Thus,we do not include regulation languagethat refers to a version/release as, forexample ‘‘Version/Release 1.X’’ when‘‘X’’ remains variable. Further, to remain

in compliance with the AdministrativeProcedure Act and address any potentialinteroperability concerns, we wouldneed to issue regulations to adopt anewer version minimum standards codeset as a ‘‘baseline’’ standard and cannotrequire health IT developers to upgradeon a rolling basis.

e. Object Identifiers (OIDs) for CertainCode Systems

We are providing the following table(Table 3) of OIDs for certain codesystems to assist health IT developers inthe proper identification and exchange

of health information coded to thevocabulary standards referenced in thisfinal rule.


http://www.cdc.gov/phin/resources/vocabulary/index.htmlhttp://www.cdc.gov/phin/resources/vocabulary/index.htmlhttp://www.cdc.gov/phin/resources/vocabulary/index.htmlhttp://www.cdc.gov/phin/resources/vocabulary/index.html


13/159


9Copyright 1998–2013, Regenstrief Institute,Inc. and the UCUM Organization. All rightsreserved.

TABLE 3—CODE SYSTEM OBJECT IDENTIFIERS (OIDS)

Code system OID Code system name

2.16.840.1.113883.6.96 .............................. IHTSDO SNOMED CT.2.16.840.1.113883.6.1 ................................ LOINC.2.16.840.1.113883.6.88 .............................. RxNorm.2.16.840.1.113883.12.292 .......................... HL7 Standard Code Set CVX-Vaccines Administered.2.16.840.1.113883.6.69 .............................. National Drug Code Directory.2.16.840.1.113883.6.8 ................................ Unified Code of Units of Measure (UCUM9).2.16.840.1.113883.6.13 .............................. Code on Dental Procedures and Nomenclature (CDT).2.16.840.1.113883.6.4 ................................ International Classification of Diseases, 10th Revision, Procedure Coding System (ICD–10–PCS).2.16.840.1.113883.6.238 ............................ CDC Race and Ethnicity Code Set Version 1.0 (March 2000).2.16.840.1.113883.6.316 ............................ Tags for Identifying Languages—Request for Comment (RFC) 5646 (preferred language).2.16.840.1.113883.6.101 ............................ Healthcare Provider Taxonomy.

f. Subpart B—Standards andImplementation Specifications forHealth Information Technology

We proposed to remove the term‘‘EHR Modules’’ from §170.200 and addin its place ‘‘Health IT Modules’’ Weproposed to remove the term ‘‘EHRtechnology’’ from §170.210 and add inits place ‘‘health IT.’’ We noted thatthese proposals were consistent withour overall approach to this rulemakingas discussed in the Proposed RuleExecutive Summary and recited in thisfinal rule’s Executive Summary. Wereceived no comments on these specificproposals and have adopted theseproposals. We refer readers to sectionIV.B of this preamble for a detaileddiscussion of modifications to the ONCHealth IT Certification Program andresponses to public comments receivedon the proposed modifications.

3. Adopted Certification CriteriaWe discuss the certification criteria

that we have adopted as part of the 2015Edition in this section. We discuss each

certification criterion in thechronological order in which it wouldappear in the CFR. In other words, thepreamble that follows discusses theadopted certification criteria in§ 170.315(a) first, then §170.315(b), andso on through section (h). Due to certainproposed certification criteria not being

adopted as well as further considerationof proper categorization of criteria, thedesignation of some criteria within§ 170.315 has changed in comparison tothe Proposed Rule (e.g., the 2015Edition ‘‘smoking status’’ criterion has

been codified in §170.315(a)(11) insteadof proposed (a)(12) and the 2015 Edition‘‘patient health information capture’’criterion has been codified in§ 170.315(e)(3) instead of proposed(a)(19)).

We note that we have restructured theregulatory text of certification criteria toremove the use of ‘‘or’’ in many placeswhere it was proposed to indicatecertification optionality. We havereplaced it with language that we

believe will better convey that sameoptionality. This restructuring of the

regulatory text will provide furtherclarity regarding when a health ITdeveloper has flexibility to select one oftwo or more options for certifying itsHealth IT Module as compared to whenit is expected that the Health IT Moduledemonstrate all listed methods forcertification. This restructuring, by

itself, did not alter any of the proposedcertification criteria requirements.

Table 4 below identifies the 2015Edition certification criteria associatedwith the EHR Incentive Programs Stage3 as finalized in EHR IncentivePrograms Stage 3 and Modificationsfinal rule published elsewhere in thisissue of the Federal Register. Whilethese certification criteria can be used tosupport other use cases and health caresettings beyond the EHR IncentivePrograms, we have also adoptedadditional 2015 health IT certificationcriteria that support other specific use

cases and health care settings. Thesecriteria were listed in Table 2 and arediscussed in this section of thepreamble.



14/159



Table 4 2015 Edition Health IT Certification Criteria Associated with the EHR Incentive

3

CFR Relationship to the Health IT

Section Certification Criterion CEHRT

10

Definition and Module

170 315 Stage 3 Objectives

Certification

Computerized Provider Order Entry

Specifically included in the

a) l)

CPOE)-

Medications

12

CEHRT definition

(a)(2)

CPOE- Laboratory

13

(a)(3)

CPOE-

Diagnostic Imaging

14

Associated with

(a)(4)

Drug-Drug, Drug-Allergy Interaction

Checks for CPOE

(a)(5) Demographics


CEHRT definition

(a)(6) Problem List


CEHRT definition

(a)(7)

Medication List


CEHRT definition

(a)(8) Medication Allergy List


CEHRT definition


(a)(9)

Clinical Decision Support CEHRT definition

Associated with

(a)(lO)

Drug-Formulary and Preferred Drug

List Checks

a) ll)

Smoking Status


CEHRT definition

(a)( l2) Family Health History


CEHRT definition

1

The EHR Incentive Programs CEHRT defmition includes the criteria adopted in the 2015 Edition Base EHR

defmition. These criteria are identified in this table as specifically included in CEHRT defmition, as are other

criteria specifically included in the CEHRT defmition but are not part of the 2015 Edition Base EHR defmition. For

more information on the 2015 Edition Base EHR defmition, please see section III.B .lo fth is fmal rule 's preamble.

For more details on the CEHRT defmition, please see the EHR Incentive Programs Stage 3 and Modifications fmal

rule published elsewhere in this issue of the Federal Register

11

Criteria associated with objectives support requirements of the EHR Incentive Programs to use certified EHR

technology to meet objectives. For further information on these requirements, please see the EHR Incentive

Programs Stage 3 and Modifications fmal rule published elsewhere in this issue

of

the

Federal Register

12

Technology needs to be certified

to§

170.315(a)(1), (a)(2), or (a)(3).

13

Technology needs to be certified

to§

170.315(a)(1), (a)(2), or (a)(3).

14

Technology needs to be certified to§ 170.315(a)(1), (a)(2), or (a)(3).


15/159



b) l)

b) 6)

c ) 1)

c ) 2)

c) 3)

e) 3)

f) I)

f) 2)

f) 3)

f) 4)

f) S)

f) 6)

f) 7)

g) l)

g) 2)

g) 7)

Transitions

of

Care

Clinical Information Reconciliation

and

Data Export

Clinical Quality Measures

-Record

and


-Import

and Calculate


-Report

View, Download, and Transmit to 3

Transmission to Public Health

Agencies

-Reportable

Laboratory

Tests and Values/Results

Transmission to Cancer Registries

Transmission to Public Health

· - Electronic Case

Automated Numerator Recording

Automated Measure Calculation

Application Access

-Patient

Selection

Associated with


CEHRT

definition


CEHRT

Defmition


CEHRT

Defmition


CEHRT

Defmition

Associated with Objective

8


8

Associated with Objective 8


8


8


8


CEHRT

definition


CEHRT

definition


CEHRT

definition

5

For the public health certification criteria

in§

170.315 f), health

IT

will

only need to be certified to those criteria

that are required to meet the measures the provider intends to report on to meet Objective

8:

Public Health and

Clinical Data Registry Reporting.


16/159


• Computerized Provider Order Entry

We proposed to adopt three separate2015 computerized provider order entry(CPOE) certification criteria based onthe clinical purpose (i.e., medications,laboratory, and diagnostic imaging),

onc 2015 hit certification final rule.pdf

Documents