Supporting Statement
21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program NPRM
Department of Health and Human Services
Office of the National Coordinator for Health IT
Office of Policy
330 C Street SW
Washington D.C. 20201
Supporting Statement
21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program NPRM
A. JUSTIFICATION
1. Circumstances of Information Collection
The Office of the National Coordinator for Health IT (ONC) is requesting OMB approval for a collection of information proposed in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program NPRM. This is a new information collection request which pertains to a records and information retention requirement found at § 170.402(b)(1).
The Cures Act (Pub. L. 114-255) was enacted on December 13, 2016, to accelerate the discovery, development, and delivery of 21st century cures, and for other purposes. The Cures Act, through Title IV – Delivery, amended the HITECH Act (Title XIII of Division A of Pub. L. 111-5) by modifying or adding certain provisions to the Public Health Service Act (PHSA) relating to health IT. Section 4002 of the Cures Act, which amended section 3001(c)(5) of the PHSA (42 U.S.C. 300jj-11), requires the Secretary of HHS, through notice and comment rulemaking, to establish conditions and maintenance of certification requirements for the ONC Health IT Certification Program (Program). Specifically, section 4002(a) of the Cures Act requires that a health IT developer provide assurances to the Secretary, unless for legitimate purposes specified by the Secretary, that it will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103; and any action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).
We are proposing to implement this Condition of Certification and accompanying Maintenance of Certification requirements in § 170.402. We also propose to establish more specific Conditions and Maintenance of Certification requirements for a health IT developer to provide assurances that it does not take any action that may inhibit the appropriate exchange, access, and use of EHI. These proposed requirements serve to clarify how health IT developers can provide such broad assurances and with more specific actions under the Program.
As such, we are proposing in 45 CFR 170.402(b)(1) as a Maintenance of Certification requirement, a health IT developer must, for a period of 10 years beginning from the date each of a developer’s health IT is first certified under the Program, retain all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the Program. To reduce administrative burden, we also propose, that in situations where the certification criteria is removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for 3 years from the date of removal unless that timeframe would exceed the overall 10-year retention period.
2. Purpose and Use of Information
The purpose and use of this records and information retention requirement is to verify, as necessary, health IT developer compliance with Program requirements, including certification criteria and Conditions of Certification. Certification under the Program relies on a health IT developer’s compliance with Program requirements that ensure the basic integrity and effectiveness of the Program, which is further stressed through the addition of the conditions and maintenance of certification requirements in the Cures Act.
In response to any notice of potential non-conformity or notice of non-conformity, ONC must be granted access to, and have the ability to share within HHS, with other federal agencies, and with appropriate entities, all of a health IT developers’ records and technology related to the development, testing, certification, implementation, maintenance, and use of a health IT developers’ certified health IT; and any complaint records related to the certified health IT.
The records and information retained by health IT developers would assist in reviewing allegations that a health IT developer violated a Condition of Certification. Further, it is possible that multiple Conditions and Maintenance of Certification may be implicated under a review, and thus ONC believes it is appropriate to require a developer make available to ONC all records and other relevant information concerning all the Conditions and Maintenance of Certification and Program requirements to which it and its Health IT Modules are subject.
3. Use of Improved Information Technology and Burden Reduction
We expect the costs and burden to developers to retain the described records and information to be mitigated due to the following factors. First, we expect that health IT developers are already keeping the majority of their records and information in an electronic format. Second, we expect that health IT developers already have systems in place for retaining records and information.
Last, we also expect that some developers may already be retaining records and information for extended periods of time due to existing requirements of other programs, including those programs that their customers participate in.
4. Efforts to Identify Duplication and Use of Similar Information
Currently, there are no existing regulatory requirements regarding record and information retention by health IT developers.
5. Impact on Small Businesses or Other Small Entities
We do not anticipate any substantial impact on small entities or small businesses.
6. Consequences if Information Were Collected Less Frequently
We do not anticipate any consequences if information were collected less frequently.
7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
The records and information retention requirement is in a manner consistent with guidelines contained in 5 CFR 1320.5(d)(2).
We believe that 10 years, beginning from the date a developer’s health IT is first certified under the Program, is an appropriate period of time given that many users of certified health IT participate in various CMS programs, as well as other programs, that require similar periods of records retention.
However, we are proposing that in situations where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for 3 years from the date of removal for those certification criteria and related Program provisions unless that timeframe would exceed the overall 10-year retention period.
8. Comments in Response to the Federal Register Notice/Outside Consultation
The NPRM published in the Federal Register on March 4, 2019.
The NPRM solicits comments on the records and information retention requirement and we will summarize public comments received in response to the notice, as well as describe actions taken by ONC in response to these comments after the comment period has concluded.
We have consulted with the Office of the Inspector General regarding the overall policy and time period recommendations of records and information retention. The OIG members consulted were:
General Attorney
Office of the Inspector General
202-482-4661
9. Explanation of any Payment/Gift to Respondents
Payment/gifts will not be made to respondents.
10. Assurance of Confidentiality Provided to Respondents
We understand that health IT developers may have concerns regarding the disclosure of proprietary, trade secret, competitively sensitive, or other confidential information. As we stated in the EOA final rule (81 FR 72429), ONC would implement appropriate safeguards to ensure, to the extent permissible with federal law, that any proprietary business information or trade secrets ONC may encounter by accessing the health IT developer’s records, other information, or technology, would be kept confidential by ONC or any third parties working on behalf of ONC.
However, a health IT developer would not be able to avoid providing ONC access to relevant records by asserting that such access would require it to disclose trade secrets or other proprietary or confidential information. Therefore, health IT developers must clearly mark, as described in HHS Freedom of Information Act regulations at 45 CFR 5.65(c), any information they regard as trade secret or confidential commercial or financial information which they seek to keep confidential prior to disclosing the information to ONC or any third party working on behalf of ONC.
11. Justification for Sensitive Questions
There are no questions or collection of information that is of a sensitive nature.
12. Estimates of Annualized Hour and Cost Burden
We estimate that each health developer will, on average, spend two hours each week, or 104 hours per year, to comply with our proposed records and information retention requirement. We expect that a health IT developer’s office clerk could complete the record retention responsibilities. According to the May 2016 BLS occupational employment statistics, the mean hourly wage for an office clerk [43-9061] is $15.871. As noted previously, we have assumed that overhead costs (including benefits) are equal to 100% of pre-tax wages, so the hourly wage including overhead costs is $31.74. Therefore, we estimate the annual cost per developer would, on average, be $3,301 and the total annual cost for all health IT developers (458 health IT developers have products certified to the 2015 Edition that are capable of recording patient health data) would, on average, be $1.5 million. We note that this is a perpetual cost.
The Estimated Annualized Total Burden Hours and Records Retention is presented as follows:
Type of Respondent |
Code of Federal Regulations Section |
Number of Respondents |
Number of Responses per Respondent |
Average Burden Hours per Response |
Total Burden Hours |
Cost Per Hour |
Total Cost |
Health IT Developers |
|
458 |
1 |
104 |
47,632 |
$31.74 |
$1,511,840 |
13. Estimates of other Total Annual Cost Burden to Respondents or Record keepers/Capital Costs
There are no capital or start-up costs associated with this data collection.
14. Annualized Cost to Federal Government
Health IT developers are required to attest under the Conditions and Maintenance of Certification that they are in compliance with the records and information retention provision. The attestation is viewed and maintained by the ONC – Authorized Certification Bodies (ONC-ACBs). However, under certain circumstances, such as enforcement actions where ONC is provided all requested records and documentation that ONC would use to review and conduct an inquiry into health IT developer actions, ONC has proposed processes for overseeing the Conditions and Maintenance of Certification for direct review of non-conformities in certified health IT as described in current § 170.580.
We have proposed that ONC may directly review a health IT developer’s actions to determine whether they conform to the Conditions and Maintenance of Certification requirements proposed in this proposed rule. The estimated costs and benefits for such oversight and review are detailed below.
We estimate that ONC may commit, on average and depending on complexity, between 8 and 80 hours of staff time to complete a review and inquiry into health IT developer actions. We assume that the expertise of a GS-15, Step 1 federal employee(s) would be necessary. The hourly wage with benefits for a GS-15, Step 1 employee located in Washington, DC is approximately $122.74. Therefore, based on the estimate of between 12 and 18 cases each year, we estimate ONC’s annual costs would on, average range, from $11,783 to $176,745. We note that some reviews and inquiries may cost less and some may cost more than this estimated cost range. Further, we note that these costs would be perpetual. Therefore, we estimate the average total cost to the Federal government to be $100,155.
15. Explanation for Program Changes or Adjustments
This is a new data collection.
16. Plans for Tabulation and Publication and Project Time Schedule
The records and information requirement for health IT developers will not be published, tabulated, or manipulated.
17. Reason(s) Display of OMB Expiration Date is Inappropriate
The expiration date will not be displayed because there is no collection instrument.
18. Exceptions to the Certification for Paperwork Reduction Act Submission
We note the following exceptions to the Paperwork Reduction Act (PRA) collection requirements in our NPRM, identified as follows:
We propose to add new ONC-ACB collection and reporting requirements for the certification of health IT to the 2015 Edition (and any subsequent edition certification) in § 170.523(p), (q), (t), and § 170.550(1).
As proposed for § 170.523(p)(3), ONC-ACBs would be required to collect and report certain information to ONC related to real world testing plans and results. ONC-ACBs would be required to verify that the health IT developer submits an annual, publicly available real world testing plan and perform a completeness check for both real world testing plans and results.
As proposed by § 170.523(q), ONC-ACBs would not be able to certify health IT until they review and verify health IT developers’ attestations confirming that the developers are compliant with Conditions and Maintenance of Certification requirements. ONC-ACBs would also submit the health IT developer attestations to ONC.
As proposed for § 170.523(t), ONC-ACBs would ensure health IT developers opting to take advantage of the Standards Version Advancement Process flexibility per § 170.405(b)(5) provide timely advance written notice to the ONC-ACB and all affected customers. ONC-ACBs would be required to maintain a record of the date of issuance and the content of developers’ notices, and timely post content of each notice received publicly on the CHPL attributed to the certified Health IT Module(s) to which it applies.
In
the 2015 Edition proposed rule (80 FR 16894), we estimated fewer than
ten annual respondents for all of the regulatory “collection of
information” requirements that applied to the ONC-AA and
ONC-ACBs, including those previously approved by OMB. In the 2015
Edition final rule (80 FR 62733), we concluded that the regulatory
“collection of information” requirements for the ONC-AA
and the ONC-ACBs were not subject to the PRA requirements under 5 CFR
1320.3(c). We continue to estimate less than ten annual respondents
for all of the proposed regulatory “collection of information”
requirements for ONC-ACBs under Part 170 of Title 45, including those
previously approved by OMB and proposed in the 21st
Century Cures Act NPRM.
As proposed in 45 CFR 170.580(a)(2)(iii), ONC may take action against a health IT developer for failure to comply with Conditions and Maintenance of Certification requirements. We propose to generally use the same processes previously codified in regulation (§§ 170.580 and 170.581) to take administrative enforcement action. These processes require health IT developers to submit information to ONC to facilitate and conclude its review. The PRA, however, exempts these information collections. Specifically, 44 U.S.C. 3518(c)(1)(B)(ii) excludes collection activities during the conduction of administrative actions or investigations involving the agency against specific individuals or entities.
NOT RELEASABLE TO THE PUBLIC UNLESS AUTHORIZED BY LAW:
This information has not been publicly disclosed and may be privileged and confidential. It is for internal government use only and must not be disseminated, distributed, or copied to persons not authorized to receive the information. Unauthorized disclosure may result in prosecution to the full extent of the law.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Stephanie Lee |
| File Modified | 0000-00-00 |
| File Created | 2021-01-20 |