In October 2016, ONC released the ONC Health IT Certification Program: Enhanced Oversight and Accountability Final Rule. The final rule updates the Program by establishing a regulatory framework for ONC’s direct review of health IT certified under the Program. ONC may choose to initiate direct review in two distinct sets of circumstances:
- When there is a reasonable belief that the certified health IT may present a serious risk to public health or safety; or
- When a review of certified health IT could present practical challenges for ONC-ACBs.
If one or both of these circumstances is met, ONC will consider three additional principles in determining whether it should initiate direct review. First, ONC’s direct review of certified health IT—and any subsequent determination of non-conformity—must be based on a reasonable belief that health IT may be, or is, in violation of Program requirements. Second, the focus of direct review is on the performance of the health IT’s certified capabilities (that is, capabilities or other aspects of the health IT that are certified under the Program). ONC will only review the uncertified capabilities that are part of health IT products to the extent that the capability or uncertified health IT interacts with and is relevant to the performance of certified capabilities. Third, a health IT developer cannot be held responsible for problems or issues with its technology that are not reasonably within its ability to influence or control.
ONC may elect to not initiate direct review (or, if it has initiated direct review, to cease such review) at any time and for any reason. For example, ONC may elect not to initiate (or to cease) review if it believes that another government agency is better situated to investigate or address a suspected non-conformity or that direct review could duplicate or interfere with the oversight or enforcement activities of other agencies. ONC may coordinate and share information with other agencies and may engage other persons and entities, as appropriate, to effectively respond to suspected problems with certified health IT.
If ONC determines a suspected non-conformity or non-conformity exists in certified health IT, it will send a notice to the health IT developer. The health IT developer will have 30 days to respond to the notice (unless ONC adjusts the response timeframe). ONC will require corrective action for non-conformities and, when necessary, suspend or terminate a certification issued to a Complete EHR or Health IT Module. In cases of termination of a certification, ONC may coordinate with other Department of Health and Human Services programs, such as the Centers for Medicare and Medicaid Services, to help identify and make available appropriate remedies to users of terminated certified health IT. Health IT developers may appeal determinations by ONC to suspend or terminate certifications issued to health IT under the Program. ONC’s first and foremost goal is to work with health IT developers to remedy any identified non-conformities of certified health IT in a timely manner.
ONC receives information on the performance of health IT certified under the Program from a variety of sources including but not limited to: ONC-ACBs’ surveillance reports, issues submitted to ONC from ONC-ACBs or ONC-Authorized Testing Laboratories (ONC-ATLs), issues submitted directly to ONC, and referrals from other government agencies. ONC analyzes information gathered from these various sources to identify circumstances that may warrant direct review. ONC typically shares any information received with the relevant ONC-ACB, to be address through its existing procedures. However, there may be circumstances when ONC would not share information with the relevant ONC-ACB, such as when a complaint includes confidential information.
 On a case by case basis, ONC will consider a variety of factors to determine if a serious risk is presented, including the nature, extent and severity of the risk, the imminence of the risk of harm, and actions being taken to mitigate the risk or information that calls into question the validity of the health IT’s certification.