ONC Direct Review was established in the ONC Health IT Certification Program: Enhanced Oversight and Accountability Final Rule and further expanded in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule. These final rules establish the regulatory framework through which ONC may directly review Certified Health IT Module's or a Certified Health IT Developer’s actions or practices to determine whether either conform to the requirements of the ONC Health IT Certification Program (Certification Program).
Direct Review Criteria
ONC may choose to initiate Direct Review in three distinct circumstances:
- When there is a reasonable belief that Certified Health IT Modules may present a serious risk to public health or safety;
- When a review of Certified Health IT Modules could present practical challenges for ONC-Authorized Certification Bodies (ACBs); or
- When there is reasonable belief that the Certified Health IT Developer has not complied with a Condition or Maintenance of Certification requirement.
If any of these circumstances are met, ONC will consider three additional principles in determining whether it should initiate Direct Review. First, ONC’s Direct Review of Certified Health IT Module or a developer’s actions—and any subsequent determination of non-conformity—must be based on a reasonable belief that the Health IT Module or a developer’s action may be, or is, in violation of Certification Program requirements. Second, the focus of Direct Review is on the performance of the Health IT Module’s certified capabilities (that is, capabilities or other aspects of the health IT that are certified under the Certification Program) or the compliance of developers to the Conditions and Maintenance of Certification requirements. ONC will only review the uncertified capabilities that are part of health IT products to the extent that the capability or uncertified health IT interacts with and is relevant to the performance of certified capabilities. Third, a developer cannot be held responsible for problems or issues with its technology that are not reasonably within its ability to influence or control.
ONC Direct Review Authorities
ONC may elect to not initiate Direct Review (or, if it has initiated Direct Review, to cease such review) at any time and for any reason. For example, ONC may elect not to initiate (or to cease) review if it believes that another government agency is better situated to investigate or address a suspected non-conformity or that Direct Review could duplicate or interfere with the oversight or enforcement activities of other agencies. ONC may coordinate and share information with other agencies and may engage other persons and entities, as appropriate, to effectively respond to suspected problems with Certified Health IT Modules.
Notice of Non-Conformity
If ONC determines a suspected non-conformity or non-conformity exists in certified health IT, it will send a notice to the developer. The Certified Health IT Developer will have 30 days to respond to the notice (unless ONC adjusts the response timeframe). ONC will require corrective action for non-conformities and, when necessary and applicable, suspend or terminate a certification issued to a Health IT Module or ban a developer from future certification of a Certified Health IT developer's products. In cases of termination of a certification, ONC may coordinate with other Department of Health and Human Services programs, such as the Centers for Medicare and Medicaid Services, to help identify and make available appropriate remedies to users of terminated certified health IT. Developers may appeal determinations by ONC to suspend or terminate certifications issued to health IT under the Certification Program. ONC’s first and foremost goal is to work with developers to remedy any identified non-conformities of certified health IT or compliance to the Conditions and Maintenance of Certification requirements in a timely manner.
Performance and Compliance Information
ONC receives information on the performance of certified health IT and compliance to the Condition and Maintenance of Certification requirements under the Certification Program from a variety of sources including but not limited to: ONC-ACBs’ surveillance reports, issues submitted to ONC from ONC-ACBs or ONC-Authorized Testing Laboratories (ONC-ATLs), issues submitted directly to ONC, and referrals from other government agencies. ONC analyzes information gathered from these various sources to identify circumstances that may warrant Direct Review. ONC typically shares any information received with the relevant ONC-ACB, to be addressed through its existing procedures. However, there may be circumstances when ONC would not share information with the relevant ONC-ACB, such as when a complaint includes confidential information.
 On a case by case basis, ONC will consider a variety of factors to determine if a serious risk is presented, including the nature, extent and severity of the risk, the imminence of the risk of harm, and actions being taken to mitigate the risk or information that calls into question the validity of the Health IT Module’s certification.