[Federal Register Volume 80, Number 238 (Friday, December 11, 2015)] [Rules and Regulations] [Pages 76868-76872] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2015-31255] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Part 170 RIN 0991-AB93 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications; Corrections and Clarifications AGENCY: Office of the National Coordinator for Health Information Technology (ONC), Department of Health and Human Services (HHS). ACTION: Final rule; corrections and clarifications. ----------------------------------------------------------------------- SUMMARY: This document corrects errors and clarifies provisions of the final rule entitled ``2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications.'' DATES: This correction is effective January 14, 2016. The final rule appeared in the Federal Register on October 16, 2015 (80 FR 62602), and is effective on January 14, 2016, except for Sec. 170.523(m) and (n), which are effective on April 1, 2016. FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy, National Coordinator for Health Information Technology, 202-690-7151. SUPPLEMENTARY INFORMATION: I. Background Following the publication of Federal Register document 2015-25597 of October 16, 2015 (80 FR 62602), final rule entitled ``2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications'' (hereinafter referred to as the 2015 Edition final rule), we identified a number of errors in the final rule. We summarize and correct these errors in the ``Summary of Errors'' and ``Corrections of Errors'' sections below. We also clarify requirements of the Common Clinical Data Set (CCDS), the privacy and security certification framework, and the mandatory disclosures for health IT developers in the ``Clarifications'' section below. II. Summary of Errors A. Preamble Errors 1. ``Audit Report(s)'' Certification Criterion We incorrectly identified the adopted 2015 Edition ``audit report(s)'' certification criterion throughout the preamble as ``unchanged'' and eligible for gap certification. More specifically, we identified it incorrectly: a. On page 62609, under Table 2 (``2015 Edition Health IT Certification Criteria''), as an unchanged criterion compared to the 2014 Edition and gap certification eligible. b. On page 62656, second column, in the ``Response'' under ``Audit Report(s),'' as adopted as proposed (i.e., ``unchanged''). c. On page 62681, under Table 6 (``Gap Certification Eligibility for 2015 Edition Health IT Certification Criteria''), as eligible for gap certification. We adopted the standard at Sec. 170.210(e) as revised to include the auditing of changes to user privileges in paragraph (e)(1)(i). The adopted 2015 Edition ``audit report(s)'' certification criterion references this standard. Therefore, it is a ``revised'' certification criterion as compared to the 2014 Edition ``audit report(s)'' certification criterion and ineligible for gap certification. 2. ``Integrity'' Certification Criterion On page 62657, third column, third paragraph, the last sentence incorrectly references SHA-1. The commenters' statements were specific to SHA-2. 3. ``Accounting of Disclosures'' Certification Criterion On page 62658, first column, mid-page, within the 2015 Edition ``accounting of disclosures'' certification criterion table, we inadvertently referenced the criterion as codified in 45 CFR 170.315(d)(10), when in fact it was codified in 45 CFR 170.315(d)(11). We note that the 2015 Edition ``auditing actions on health information'' certification criterion was codified in 45 CFR 170.315(d)(10). 4. ``Transmission to Public Health Agencies--Antimicrobial Use and Resistance Reporting'' Certification Criterion On page 62668, third column, lines 2 and 3, there was a parenthetical error stating that we adopted the ``transmission to public health agencies--antimicrobial use and resistance reporting'' certification criterion as proposed (with both Volumes 1 and 2 of the HAI IG). The parenthetical is corrected to not reference volumes of the HL 7 Implementation Guide for CDA[supreg] Release 2--Level 3: Healthcare Associated Infection Reports, Release 1 [[Page 76869]] (U.S. Realm), August 9, 2013 (HAI IG). This adopted version of the HAI IG does not contain multiple volumes. Further, the adopted version of the implementation guide was incorporated by reference in Sec. 170.299(f)(26). 5. Common Clinical Data Set--Assessment and Plan of Treatment, Goals, and Health Concerns On page 62696, second column, lines 8-14, we did not clearly indicate that only the narrative parts of the ``Goals Section'' and ``Health Concerns Section'' needed to be met in order to meet the CCDS definition. We refer readers to section III.A (``Common Clinical Data Set'') below for further clarification of these CCDS requirements. B. Regulation Text Errors 1. 2015 Edition Base EHR Definition On page 62742, first column, line 16 (Sec. 170.102), we inadvertently made an error in the 2015 Edition Base EHR definition by citing to Sec. 170.315(a)(15) instead of Sec. 170.315(a)(14). As discussed on pages 62625, 62630, 62691 and identified on page 62692 (Table 7), we included the ``implantable device list'' certification criterion (Sec. 170.315(a)(14)) in the 2015 Edition Base EHR definition as we proposed (80 FR 16806, 16825, 16870-16871). We did not propose to include nor intend to include the ``social, psychological, and behavioral data'' certification criterion (Sec. 170.315(a)(15)) in the 2015 Edition Base EHR definition. 2. Sexual Orientation Code On page 62744, third column, line 24 (Sec. 170.207(o)(1)(ii)), the code (20730005) attributed to ``straight or heterosexual'' was inaccurate. The correct code is 20430005 (emphasis added). 3. ``Implantable Device List'' Certification Criterion On page 62748, third column, line 1 (Sec. 170.315(a)(14)), we inadvertently omitted the word ``and'' at the end of the line. On the same page and column, line 42, we inadvertently added the word ``and'' when the ``and'' should have been at the end of line 47. On the same page and column, line 59, we inadvertently omitted the word ``and'' at the end of the line. 4. ``Data Export'' Certification Criterion On page 62750, third column, line 63, we inaccurately cross- referenced paragraphs (ii) through (v) of the ``data export'' certification criterion (Sec. 170.315(b)(6)), when the cross-reference should have only been to paragraphs (iii) and (iv). Paragraph (v) should not have been referenced because there are only four paragraphs, ending with paragraph (iv). Paragraph (ii) should not have been cross- referenced because paragraph (ii) no longer includes a configuration capability that could be enabled. The configuration capability included in paragraph (ii) was intended to support user selection among the multiple document templates we proposed for inclusion in paragraph (ii) of this certification criterion. In the final rule, however, we only included the Continuity of Care Document (CCD) document template in paragraph (ii). Therefore, a configuration capability for selecting among document templates is no longer applicable and both the cross- reference to paragraph (ii) and the inclusion of configuration language in paragraph (ii) on page 62751, first column, lines 10-11, are incorrect. In terms of the configuration language in paragraph (ii), more specifically the inclusion of ``configuration'' in the paragraph title is an error as is the inclusion of the capability to ``configure the technology'' in the first sentence. 5. ``Clinical Quality Measures--Filter'' Certification Criterion a. Patient Insurance Standard On page 62751, third column, line 22, we inadvertently included ``at a minimum'' language for the required patient insurance standard. The standard (Source of Payment Typology Code Set Version 5.0 (October 2011)) was adopted at Sec. 170.207(s)(1), but we did not adopt this standard as a ``minimum standards'' code set (see 80 FR 62612). b. Patient Sex Standard On page 62751, third column, lines 25-26, we inadvertently included ``at a minimum'' language for the required patient sex standard. The standard for representing sex is the use of specific HL7 Version 3 codes and was adopted at Sec. 170.207(n)(1). We did not adopt this standard as a ``minimum standards'' code set (see 80 FR 62612). 6. ``View, Download, and Transmit to 3rd Party'' (VDT) Certification Criterion On page 62753, first column, lines 37 and 55 (Sec. 170.315(e)(1)(ii)), we inadvertently omitted references for a patient's authorized representative to have access to the specified capabilities related to the activity history log under the VDT certification criterion. As discussed on page 62658 and consistent with references throughout the VDT criterion, a patient's authorized representative access to these capabilities is the same as the patient for the purposes of testing and certification. 7. ``Consolidated CDA Creation Performance'' Certification Criterion On page 62754, second column, lines 42-46 (Sec. 170.315(g)(6)(ii)), we inadvertently included a sentence stating that the scope of this certification criterion will not exceed the evaluation of the CCD, Referral Note, and Discharge Summary document templates. This statement is inconsistent with the preamble guidance of the final rule on page 62674, which states that we have required that Consolidated CDA (C-CDA) creation performance be demonstrated for the C-CDA Release 2.1 document templates required by the 2015 Edition certification criteria presented for certification. Certification to some criteria (e.g., the ``transitions of care'' criterion) requires three C-CDA document templates whereas other criteria (e.g., the ``care plan'' criterion) only requires one C-CDA document template. To further illustrate, if a Health IT Module only included the ``view, download, and transmit to 3rd party'' certification criterion (Sec. 170.315(e)(1)) within its certificate's scope, then only the Continuity of Care Document (CCD) document template would be applicable within the ``C-CDA creation performance'' criterion. Conversely, if a Health IT Module designed for the inpatient setting included the ``transitions of care'' certification criterion (Sec. 170.315(b)(1)) within its certificate's scope, then all three document templates referenced by that criterion (CCD, Referral Note, and Discharge Summary) would need to be evaluated as part of the ``C-CDA creation performance'' criterion, with the Discharge Summary only applicable to the inpatient setting. 8. ``Direct Project'' Certification Criterion On page 62755, first column, lines 53 through 55 (Sec. 170.315(h)(1)(ii)), we inadvertently referenced the ``Applicability Statement for Secure Health Transport'' in the title for paragraph (ii) when it should have only been ``Delivery Notification in Direct.'' 9. ``Direct Project, Edge Protocol, and XDR/XDM'' Certification Criterion On page 62755, second column, lines 4 through 6 (Sec. 170.315(h)(2)(ii)), we again inadvertently referenced the ``Applicability Statement for Secure Health Transport'' in the title for paragraph (ii) when it should have only been ``Delivery Notification in Direct.'' [[Page 76870]] 10. Principles of Proper Conduct for ONC-ACBs--Certified Health IT Mandatory Disclosures a. 2015 Edition Certified Health IT On page 62756, third column, lines 35-36 (Sec. 170.523(k)(1)(ii)(A)), we inadvertently cross-referenced the wrong data from Sec. 170.523(f)(1). We did not intend to cross-reference Sec. 170.523(f)(1)(xvii) (certification to standards used to meet a certification criterion). The required data elements for disclosure were intended to be consistent across the editions. This data is not a required data element for the mandatory disclosures for health IT certified to the 2014 Edition. We did, however, intend to require the disclosure of Sec. 170.523(f)(1)(xv) (certification to clinical quality measures), which was inadvertently omitted but consistent with the new and previous 2014 Edition disclosure requirements. We also refer readers to section III.C (``Mandatory Disclosures for 2015 Edition Certified Health IT'') below for a clarification related to the disclosure on information specified in Sec. 170.523(f)(1)(viii). b. 2014 Edition Certified Health IT On page 62756, third column, lines 42-43 (Sec. 170.523(k)(1)(ii)(B)), we inadvertently omitted cross-references to paragraphs (f)(2)(iii) (product version) and (vi) (any additional relied upon software used to demonstrate compliance with a certification criterion or criteria) of Sec. 170.523. The parallel requirements were included in the required disclosures for health IT certified to the 2015 Edition and were previously required to be disclosed as part of certification to the 2014 Edition. 10. In-the-Field Surveillance and Maintenance of Certification for Health IT a. Exclusion and Exhaustion On page 62758, third column, lines 4 and 10 (Sec. 170.556(c)(5)), we twice inadvertently cross-referenced paragraph (c)(3) of Sec. 170.556 instead of paragraph (c)(4) of Sec. 170.556. Paragraph (c)(4) includes the requirements for locations as they would apply to the ``exclusion and exhaustion'' requirements of paragraph (c)(5). b. Termination On page 62759, second column, lines 23-24 (Sec. 170.556(d)(6)), we inadvertently included language suggesting that termination was limited to suspensions in the context of randomized surveillance. Consistent with the preamble discussion on pages 62716-62718, termination can follow any suspension if the health IT developer has not completed the actions necessary to reinstate the suspended certification. III. Clarifications A. Common Clinical Data Set In the final rule (Sec. 170.102), we define the CCDS to mean data expressed, where indicated, according to specified standards. For four data specified in the CCDS (Unique Device Identifier(s) for a Patient's Implantable Device(s); Assessment and Plan of Treatment; Goals; and Health Concerns), we reference specific Consolidated Clinical Document Architecture (C-CDA) sections. Based on subsequent examination of this regulatory text and early interactions with stakeholders, we have determined that additional explanation of these references is necessary in order to ensure health IT developers accurately and consistently interpret and implement health IT functionality to our expressed regulatory requirements. In this regard, we seek to clarify two points. First, we clarify that the references to these four specific C-CDA section templates is not meant to be strictly interpreted to mean that a health IT developer must use the C-CDA's syntax for each referenced section. Such a strict interpretation would directly contradict the flexibility we have intentionally offered to health IT developers who seek to certify to the ``application access--data category request'' certification criterion adopted at 45 CFR 170.315(g)(8), which references the CCDS but does not bind health IT presented for certification to solely use the C-CDA to meet the criterion. To avoid stakeholders inadvertently following this overly strict interpretation, we clarify that the references to these C-CDA section templates was meant (like all of the other data listed in the CCDS) to emphasize that these data need to be consistently and independently represented as discrete data that are clearly distinguishable. Second, we clarify for the Assessment and Plan of Treatment, Goals, and Health Concerns data that only the narrative part of the referenced C-CDA section templates is necessary and required in order to satisfy the CCDS. Further and in support of this clarification, testing and certification will focus on the presence of data represented consistent with just the narrative part of the referenced section templates. Similar to our points above, given that these section templates in the C-CDA have two parts (a narrative part and coded requirements part for C-CDA), we believe that it is necessary to make this interpretation explicit so as to prevent health IT developers from over-interpreting this definition's data requirements to include more data than we had intended. B. Privacy and Security Certification Framework--Approach 2 Under Sec. 170.550(h)(4)(ii), a Health IT Module can meet applicable 2015 Edition privacy and security certification criterion by demonstrating, through system documentation that is sufficiently detailed to enable integration, that the Health IT Module has implemented service interfaces for each applicable privacy and security certification criterion that enable the Health IT Module to access external services necessary to meet the privacy and security certification criterion (also known as ``Approach 2''). We clarify three points about Approach 2. First, we clarify that the term ``access'' includes, as applicable, bi-directional interfaces with external services. For example, system documentation could detail how integration establishes a bi-directional interface that meets the requirements of the 2015 Edition ``audit report(s)'' certification criterion. Second, external services simply mean services outside the scope of the Health IT Module being presented for certification. External services could be, but are not limited to, those provided by another certified Health IT Module, another software program such as Microsoft Active Directory, or a hospital enterprise-wide infrastructure. Third, a Health IT Module is not required to be paired with the other services for the purposes of certification (e.g., certified with another certified Health IT Module that performs the privacy and security capability or specifying the external services as ``relied upon software''). C. Mandatory Disclosures for 2015 Edition Certified Health IT We clarify that for compliance with Sec. 170.523(k)(1)(ii)(A), the only information that must be disclosed to meet the data requirement specified in Sec. 170.523(f)(1)(viii) is the certification criterion or criteria to which the Health IT Module has been certified. This is consistent with the disclosure requirements for certification to the 2014 Edition. IV. Waiver of Proposed Rulemaking We ordinarily publish a notice of proposed rulemaking in the Federal Register to provide a period for public comment before the provisions of a rule take effect in accordance with section [[Page 76871]] 553(b) of the Administrative Procedure Act (APA) (5 U.S.C. 553(b)). However, we can waive this notice and comment procedure if the Secretary finds, for good cause, that the notice and comment process is impracticable, unnecessary, or contrary to the public interest, and incorporates a statement of the finding and the reasons therefore in the notice. In our view, this correcting and clarifying document does not constitute a rulemaking that would be subject to the APA notice and comment requirements. This document corrects errors and clarifies provisions of the 2015 Edition final rule published on October 16, 2015. It does not make substantive changes to the policies that were adopted. As a result, this correcting document is intended to ensure that the final rule accurately reflects the policies adopted in that final rule. In addition, even if this were a rulemaking to which the notice and comment requirements applied, we find that there is good cause to waive such requirements. Undertaking further notice and comment procedures to incorporate the corrections in this document into the final rule would be contrary to the public interest. Furthermore, such procedures would be unnecessary, as we are not altering the policies that were already subject to comment and finalized in our final rule. Therefore, we believe we have good cause to waive the notice and comment requirements. V. Corrections of Errors A. Preamble Corrections 1. On page 62609, correct Table 2 as follows: a. Remove ``Audit Report(s)'' from the ``Unchanged Criteria as Compared to the 2014 Edition (Gap Certification Eligible)'' category and insert it with an in asterisk (i.e., Audit Report(s)*) in the ``Revised Criteria as Compared to the 2014 Edition'' category after ``Auditable Events and Tamper-Resistance.'' b. Revise the ``Unchanged Criteria as Compared to the 2014 Edition (Gap Certification Eligible) (16)'' title to ``Unchanged Criteria as Compared to the 2014 Edition (Gap Certification Eligible) (15)''. c. Revise the ``Revised Criteria as Compared to the 2014 Edition (25)'' title to ``Revised Criteria as Compared to the 2014 Edition (26)''. 2. On page 62656, second column, in the ``Response'' under ``Audit Report(s),'' correct the first sentence to read ``We have adopted this certification criterion as revised to support the audit reporting of changes in user privileges consistent with the adopted 2015 Edition ``auditable events and tamper resistance'' certification criterion.'' 3. On page 62657, third column, third paragraph, correct the last sentence to read ``A few commenters requested that we wait until 2017 or 2018 to increase the standard to SHA-2.'' 4. On page 62658, first column, mid-page, within the 2015 Edition ``accounting of disclosures'' certification criterion table, the citation is corrected to read ``45 CFR 170.315(d)(11).'' 5. On page 62668, third column, lines 2 and 3, correct the parenthetical to read ``(with the HAI IG).'' 6. On page 62681, Table 6, remove ``(d)(3) Audit report(s)'' from the ``2015 Edition'' column and ``(d)(3) Audit report(s)'' from the ``2014 Edition'' column. 7. On page 62696, second column, lines 8-14, correct the sentence to read ``Thus, other C-CDA document templates such as CCD, Referral Note, and Discharge Summary would need to be able to exchange the narrative information from the ``Goals Section'' and ``Health Concerns Section'' in order to meet the Common Clinical Data Set definition.'' B. Regulation Text Corrections 0 1. On page 62742, first column, in Sec. 170.102, in the definition of ``2015 Edition Base EHR'', paragraph (3) is corrected to read as follows: Sec. 170.102 Definitions. * * * * * 2015 Edition Base EHR * * * (3) Has been certified to the certification criteria adopted by the Secretary in Sec. 170.315(a)(1), (2), or (3); (a)(5) through (9); (a)(11); (a)(14); (b)(1) and (6); (c)(1); (g)(7) through (9); and (h)(1) or (2); * * * * * 0 2. On page 62744, third column, in Sec. 170.207, paragraph (o)(1)(ii) is corrected to read as follows: Sec. 170.207 Vocabulary standards for representing electronic health information. * * * * * (o) * * * (1) * * * (ii) Straight or heterosexual. 20430005. * * * * * 0 3. On pages 62748 through 62755, in Sec. 170.315, paragraphs (a)(14)(ii)(A), (a)(14)(iv)(A) and (B), (a)(14)(v)(C), (b)(6)(i)(A), (b)(6)(ii) introductory text, (c)(4)(iii)(E) and (G), (e)(1)(ii)(A) introductory text, (e)(1)(ii)(B), (g)(6)(ii), (h)(1)(ii), and (h)(2)(ii) are corrected to read as follows: Sec. 170.315 2015 Edition health IT certification criteria. * * * * * (a) * * * (14) * * * (ii) * * * (A) Device Identifier; and * * * * * (iv) * * * (A) The active Unique Device Identifiers recorded for the patient; (B) For each active Unique Device Identifier recorded for a patient, the description of the implantable device specified by paragraph (a)(14)(iii)(A) of this section; and * * * * * (v) * * * (C) The identifiers associated with the Unique Device Identifier, as specified by paragraph (a)(14)(ii) of this section; and * * * * * (b) * * * (6) * * * (i) * * * (A) Enable a user to set the configuration options specified in paragraphs (b)(6)(iii) and (iv) of this section when creating an export summary as well as a set of export summaries for patients whose information is stored in the technology. A user must be able to execute these capabilities at any time the user chooses and without subsequent developer assistance to operate. * * * * * (ii) Creation. Enable a user to create export summaries formatted in accordance with the standard specified in Sec. 170.205(a)(4) using the Continuity of Care Document document template that includes, at a minimum: * * * * * (c) * * * (4) * * * (iii) * * * (E) Patient insurance in accordance with the standard specified in Sec. 170.207(s)(1). * * * (G) Patient sex in accordance with the version of the standard specified in Sec. 170.207(n)(1). * * * * * (e) * * * (1) * * * (ii) * * * (A) When any of the capabilities included in paragraphs (e)(1)(i)(A) through (C) of this section are used, the following information must be recorded and made accessible to the patient (or his/her authorized representative): * * * * * (B) Technology presented for certification may demonstrate [[Page 76872]] compliance with paragraph (e)(1)(ii)(A) of this section if it is also certified to the certification criterion specified in Sec. 170.315(d)(2) and the information required to be recorded in paragraph (e)(1)(ii)(A) of this section is accessible by the patient (or his/her authorized representative). * * * * * (g) * * * (6) * * * (ii) Document-template conformance. Create a data file formatted in accordance with the standard adopted in Sec. 170.205(a)(4) that demonstrates a valid implementation of each document template applicable to the certification criterion or criteria within the scope of the certificate sought. * * * * * (h) * * * (1) * * * (ii) Delivery Notification in Direct. Able to send and receive health information in accordance with the standard specified in Sec. 170.202(e)(1). * * * * * (2) * * * (ii) Delivery Notification in Direct. Able to send and receive health information in accordance with the standard specified in Sec. 170.202(e)(1). Sec. 170.523 [Corrected] 0 4. In Sec. 170.523-- 0 a. On page 62756, third column, lines 35-36, paragraph (k)(1)(ii)(A), the reference ``paragraphs (f)(1)(i), (vi), (vii), (viii), (xvi), and (xvii) of this section'' is corrected to read ``paragraphs (f)(1)(i), (vi), (vii), (viii), (xv), and (xvi) of this section''. 0 b. On page 62756, third column, lines 42-43, paragraph (k)(1)(ii)(B), the reference ``paragraphs (f)(2)(i), (ii), (iv)-(v), and (vii) of this section'' is corrected to read ``paragraphs (f)(2)(i) through (vii) of this section''. 0 5. In Sec. 170.556-- 0 a. On page 62758, third column, lines 4 and 10, paragraph (c)(5), correct the reference ``paragraph (c)(3)'' each time it appears to read ``paragraph (c)(4)''. 0 b. On page 62759, second column, correct paragraph (d)(6) to read as follows: Sec. 170.556 In-the-field surveillance and maintenance of certification for Health IT. * * * * * (d) * * * (6) If a certified Complete EHR or certified Health IT Module's certification has been suspended, an ONC-ACB is permitted to initiate certification termination procedures for the Complete EHR or Health IT Module (consistent with its accreditation to ISO/IEC 17065 and procedures for terminating a certification) when the developer has not completed the actions necessary to reinstate the suspended certification. * * * * * Dated: December 7, 2015. Madhura Valverde, Executive Secretary to the Department, Department of Health and Human Services. [FR Doc. 2015-31255 Filed 12-10-15; 8:45 am] BILLING CODE 4150-45-P