ONC Direct Review

ONC direct review was established in the ONC Health IT Certification Program: Enhanced Oversight and Accountability Final Rule and further expanded in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule. These final rules establish the regulatory framework through which ONC may directly review certified health IT or a health IT developer’s actions or practices to determine whether either conforms to the requirements of the ONC Health IT Certification Program.

 ONC may choose to initiate direct review in three distinct circumstances:

  1. When there is a reasonable belief that certified health IT may present a serious risk to public health or safety[1];
  2. When a review of certified health IT could present practical challenges for ONC-Authorized Certification Bodies (ACBs); or
  3. When there is a reasonable belief that the health IT developer has not complied with a Condition or Maintenance of Certification requirement.

If any of these circumstances is met, ONC will consider three additional principles in determining whether it should initiate direct review. First, ONC’s direct review of certified health IT or a health IT developer's actions, and any subsequent determination of non-conformity, must be based on a reasonable belief that health IT or health IT developer action may be, or is, in violation of Program requirements. Second, the focus of direct review is on the performance of the health IT’s certified capabilities (that is, capabilities or other aspects of the health IT that are certified under the Program) or the compliance of health IT developers with the Conditions and Maintenance of Certification requirements. ONC will only review the uncertified capabilities that are part of health IT products to the extent that the capability or uncertified health IT interacts with and is relevant to the performance of certified capabilities. Third, a health IT developer cannot be held responsible for problems or issues with its technology that are not reasonably within its ability to influence or control.

ONC may elect to not initiate direct review (or, if it has initiated direct review, to cease such review) at any time and for any reason. For example, ONC may elect not to initiate (or to cease) review if it believes that another government agency is better situated to investigate or address a suspected non-conformity or that direct review could duplicate or interfere with the oversight or enforcement activities of other agencies. ONC may coordinate and share information with other agencies and may engage other persons and entities, as appropriate, to effectively respond to suspected problems with certified health IT.

If ONC determines a suspected non-conformity or non-conformity exists in certified health IT, it will send a notice to the health IT developer. The health IT developer will have 30 days to respond to the notice (unless ONC adjusts the response timeframe). ONC will require corrective action for non-conformities and, when necessary and applicable, suspend or terminate a certification issued to a Health IT Module. In cases of termination of a certification, ONC may coordinate with other Department of Health and Human Services programs, such as the Centers for Medicare and Medicaid Services, to help identify and make available appropriate remedies to users of terminated certified health IT. Health IT developers may appeal determinations by ONC to suspend or terminate certifications issued to health IT under the Program. ONC’s first and foremost goal is to work with health IT developers to remedy any identified non-conformities of certified health IT or compliance with the Conditions and Maintenance of Certification requirements in a timely manner.

ONC receives information on the performance of certified health IT and compliance with the Conditions and Maintenance of Certification requirements under the Program from a variety of sources including but not limited to: ONC-ACBs’ surveillance reports, issues submitted to ONC from ONC-ACBs or ONC-Authorized Testing Laboratories (ONC-ATLs), issues submitted directly to ONC, and referrals from other government agencies. ONC analyzes information gathered from these various sources to identify circumstances that may warrant direct review. ONC typically shares any information received with the relevant ONC-ACB, to be addressed through its existing procedures. However, there may be circumstances when ONC would not share information with the relevant ONC-ACB, such as when a complaint includes confidential information.


[1] On a case-by-case basis, ONC will consider a variety of factors to determine if a serious risk is presented, including the nature, extent and severity of the risk, the imminence of the risk of harm, and actions being taken to mitigate the risk or information that calls into question the validity of the health IT’s certification.

Content last reviewed on June 15, 2020