CuresNPRM_PRA Supporting Statement_FINAL_3-7-2019

CuresNPRM_PRA Supporting Statement_FINAL_3-7-2019.docx

21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program

OMB: 0955-0018

Document [docx]
Download: docx | pdf







Supporting Statement

21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program NPRM






















Department of Health and Human Services

Office of the National Coordinator for Health IT

Office of Policy

330 C Street SW

Washington D.C. 20201


Supporting Statement

21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program NPRM


A. JUSTIFICATION


1. Circumstances of Information Collection


The Office of the National Coordinator for Health IT (ONC) is requesting OMB approval for a collection of information proposed in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program NPRM. This is a new information collection request which pertains to a records and information retention requirement found at § 170.402(b)(1).


The Cures Act (Pub. L. 114-255) was enacted on December 13, 2016, to accelerate the discovery, development, and delivery of 21st century cures, and for other purposes. The Cures Act, through Title IV – Delivery, amended the HITECH Act (Title XIII of Division A of Pub. L. 111-5) by modifying or adding certain provisions to the Public Health Service Act (PHSA) relating to health IT. Section 4002 of the Cures Act, which amended section 3001(c)(5) of the PHSA (42 U.S.C. 300jj-11), requires the Secretary of HHS, through notice and comment rulemaking, to establish conditions and maintenance of certification requirements for the ONC Health IT Certification Program (Program). Specifically, section 4002(a) of the Cures Act requires that a health IT developer provide assurances to the Secretary, unless for legitimate purposes specified by the Secretary, that it will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103; and any action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).


We are proposing to implement this Condition of Certification and accompanying Maintenance of Certification requirements in § 170.402. We also propose to establish more specific Conditions and Maintenance of Certification requirements for a health IT developer to provide assurances that it does not take any action that may inhibit the appropriate exchange, access, and use of EHI. These proposed requirements serve to clarify how health IT developers can provide such broad assurances and with more specific actions under the Program.


As such, we are proposing in 45 CFR 170.402(b)(1) as a Maintenance of Certification requirement, a health IT developer must, for a period of 10 years beginning from the date each of a developer’s health IT is first certified under the Program, retain all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the Program. To reduce administrative burden, we also propose, that in situations where the certification criteria is removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for 3 years from the date of removal unless that timeframe would exceed the overall 10-year retention period.


2. Purpose and Use of Information

The purpose and use of this records and information retention requirement is to verify, as necessary, health IT developer compliance with Program requirements, including certification criteria and Conditions of Certification. Certification under the Program relies on a health IT developer’s compliance with Program requirements that ensure the basic integrity and effectiveness of the Program, which is further stressed through the addition of the conditions and maintenance of certification requirements in the Cures Act.


In response to any notice of potential non-conformity or notice of non-conformity, ONC must be granted access to, and have the ability to share within HHS, with other federal agencies, and with appropriate entities, all of a health IT developers’ records and technology related to the development, testing, certification, implementation, maintenance, and use of a health IT developers’ certified health IT; and any complaint records related to the certified health IT.


The records and information retained by health IT developers would assist in reviewing allegations that a health IT developer violated a Condition of Certification. Further, it is possible that multiple Conditions and Maintenance of Certification may be implicated under a review, and thus ONC believes it is appropriate to require a developer make available to ONC all records and other relevant information concerning all the Conditions and Maintenance of Certification and Program requirements to which it and its Health IT Modules are subject.


3. Use of Improved Information Technology and Burden Reduction


We expect the costs and burden to developers to retain the described records and information to be mitigated due to the following factors. First, we expect that health IT developers are already keeping the majority of their records and information in an electronic format. Second, we expect that health IT developers already have systems in place for retaining records and information.


Last, we also expect that some developers may already be retaining records and information for extended periods of time due to existing requirements of other programs, including those programs that their customers participate in.


4. Efforts to Identify Duplication and Use of Similar Information


Currently, there are no existing regulatory requirements regarding record and information retention by health IT developers.


5. Impact on Small Businesses or Other Small Entities


We do not anticipate any substantial impact on small entities or small businesses.


6. Consequences if Information Were Collected Less Frequently


We do not anticipate any consequences if information were collected less frequently.


7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5


The records and information retention requirement is in a manner consistent with guidelines contained in 5 CFR 1320.5(d)(2).


We believe that 10 years, beginning from the date a developer’s health IT is first certified under the Program, is an appropriate period of time given that many users of certified health IT participate in various CMS programs, as well as other programs, that require similar periods of records retention.


However, we are proposing that in situations where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for 3 years from the date of removal for those certification criteria and related Program provisions unless that timeframe would exceed the overall 10-year retention period.


8. Comments in Response to the Federal Register Notice/Outside Consultation


The NPRM published in the Federal Register on March 4, 2019.


The NPRM solicits comments on the records and information retention requirement and we will summarize public comments received in response to the notice, as well as describe actions taken by ONC in response to these comments after the comment period has concluded.


We have consulted with the Office of the Inspector General regarding the overall policy and time period recommendations of records and information retention. The OIG members consulted were:


General Attorney

Office of the Inspector General

202-482-4661



9. Explanation of any Payment/Gift to Respondents


Payment/gifts will not be made to respondents.


10. Assurance of Confidentiality Provided to Respondents


We understand that health IT developers may have concerns regarding the disclosure of proprietary, trade secret, competitively sensitive, or other confidential information. As we stated in the EOA final rule (81 FR 72429), ONC would implement appropriate safeguards to ensure, to the extent permissible with federal law, that any proprietary business information or trade secrets ONC may encounter by accessing the health IT developer’s records, other information, or technology, would be kept confidential by ONC or any third parties working on behalf of ONC.


However, a health IT developer would not be able to avoid providing ONC access to relevant records by asserting that such access would require it to disclose trade secrets or other proprietary or confidential information. Therefore, health IT developers must clearly mark, as described in HHS Freedom of Information Act regulations at 45 CFR 5.65(c), any information they regard as trade secret or confidential commercial or financial information which they seek to keep confidential prior to disclosing the information to ONC or any third party working on behalf of ONC.


11. Justification for Sensitive Questions


There are no questions or collection of information that is of a sensitive nature.


12. Estimates of Annualized Hour and Cost Burden


We estimate that each health developer will, on average, spend two hours each week, or 104 hours per year, to comply with our proposed records and information retention requirement. We expect that a health IT developer’s office clerk could complete the record retention responsibilities. According to the May 2016 BLS occupational employment statistics, the mean hourly wage for an office clerk [43-9061] is $15.871. As noted previously, we have assumed that overhead costs (including benefits) are equal to 100% of pre-tax wages, so the hourly wage including overhead costs is $31.74. Therefore, we estimate the annual cost per developer would, on average, be $3,301 and the total annual cost for all health IT developers (458 health IT developers have products certified to the 2015 Edition that are capable of recording patient health data) would, on average, be $1.5 million. We note that this is a perpetual cost.


The Estimated Annualized Total Burden Hours and Records Retention is presented as follows:

Type of Respondent

Code of Federal Regulations Section

Number of Respondents

Number of Responses per Respondent

Average Burden Hours per Response

Total Burden Hours

Cost Per Hour


Total Cost


Health IT Developers


458

1

104

47,632

$31.74

$1,511,840



13. Estimates of other Total Annual Cost Burden to Respondents or Record keepers/Capital Costs


There are no capital or start-up costs associated with this data collection.


14. Annualized Cost to Federal Government


Health IT developers are required to attest under the Conditions and Maintenance of Certification that they are in compliance with the records and information retention provision. The attestation is viewed and maintained by the ONC – Authorized Certification Bodies (ONC-ACBs). However, under certain circumstances, such as enforcement actions where ONC is provided all requested records and documentation that ONC would use to review and conduct an inquiry into health IT developer actions, ONC has proposed processes for overseeing the Conditions and Maintenance of Certification for direct review of non-conformities in certified health IT as described in current § 170.580.


We have proposed that ONC may directly review a health IT developer’s actions to determine whether they conform to the Conditions and Maintenance of Certification requirements proposed in this proposed rule. The estimated costs and benefits for such oversight and review are detailed below.


We estimate that ONC may commit, on average and depending on complexity, between 8 and 80 hours of staff time to complete a review and inquiry into health IT developer actions. We assume that the expertise of a GS-15, Step 1 federal employee(s) would be necessary. The hourly wage with benefits for a GS-15, Step 1 employee located in Washington, DC is approximately $122.74. Therefore, based on the estimate of between 12 and 18 cases each year, we estimate ONC’s annual costs would on, average range, from $11,783 to $176,745. We note that some reviews and inquiries may cost less and some may cost more than this estimated cost range. Further, we note that these costs would be perpetual. Therefore, we estimate the average total cost to the Federal government to be $100,155.


15. Explanation for Program Changes or Adjustments


This is a new data collection.


16. Plans for Tabulation and Publication and Project Time Schedule


The records and information requirement for health IT developers will not be published, tabulated, or manipulated.


17. Reason(s) Display of OMB Expiration Date is Inappropriate


The expiration date will not be displayed because there is no collection instrument.


18. Exceptions to the Certification for Paperwork Reduction Act Submission


We note the following exceptions to the Paperwork Reduction Act (PRA) collection requirements in our NPRM, identified as follows:


  1. We propose to add new ONC-ACB collection and reporting requirements for the certification of health IT to the 2015 Edition (and any subsequent edition certification) in § 170.523(p), (q), (t), and § 170.550(1).


As proposed for § 170.523(p)(3), ONC-ACBs would be required to collect and report certain information to ONC related to real world testing plans and results. ONC-ACBs would be required to verify that the health IT developer submits an annual, publicly available real world testing plan and perform a completeness check for both real world testing plans and results.


As proposed by § 170.523(q), ONC-ACBs would not be able to certify health IT until they review and verify health IT developers’ attestations confirming that the developers are compliant with Conditions and Maintenance of Certification requirements. ONC-ACBs would also submit the health IT developer attestations to ONC.


As proposed for § 170.523(t), ONC-ACBs would ensure health IT developers opting to take advantage of the Standards Version Advancement Process flexibility per § 170.405(b)(5) provide timely advance written notice to the ONC-ACB and all affected customers. ONC-ACBs would be required to maintain a record of the date of issuance and the content of developers’ notices, and timely post content of each notice received publicly on the CHPL attributed to the certified Health IT Module(s) to which it applies.


In the 2015 Edition proposed rule (80 FR 16894), we estimated fewer than ten annual respondents for all of the regulatory “collection of information” requirements that applied to the ONC-AA and ONC-ACBs, including those previously approved by OMB. In the 2015 Edition final rule (80 FR 62733), we concluded that the regulatory “collection of information” requirements for the ONC-AA and the ONC-ACBs were not subject to the PRA requirements under 5 CFR 1320.3(c). We continue to estimate less than ten annual respondents for all of the proposed regulatory “collection of information” requirements for ONC-ACBs under Part 170 of Title 45, including those previously approved by OMB and proposed in the 21st Century Cures Act NPRM.

  1. As proposed in 45 CFR 170.580(a)(2)(iii), ONC may take action against a health IT developer for failure to comply with Conditions and Maintenance of Certification requirements. We propose to generally use the same processes previously codified in regulation (§§ 170.580 and 170.581) to take administrative enforcement action. These processes require health IT developers to submit information to ONC to facilitate and conclude its review. The PRA, however, exempts these information collections. Specifically, 44 U.S.C. 3518(c)(1)(B)(ii) excludes collection activities during the conduction of administrative actions or investigations involving the agency against specific individuals or entities.

8


NOT RELEASABLE TO THE PUBLIC UNLESS AUTHORIZED BY LAW:

This information has not been publicly disclosed and may be privileged and confidential. It is for internal government use only and must not be disseminated, distributed, or copied to persons not authorized to receive the information. Unauthorized disclosure may result in prosecution to the full extent of the law.


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorStephanie Lee
File Modified0000-00-00
File Created2021-01-20

© 2024 OMB.report | Privacy Policy