Supporting Statement
21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule
Department of Health and Human Services
Office of the National Coordinator for Health IT
Office of Policy
330 C Street SW
Washington D.C. 20201
Supporting Statement
21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule
A. JUSTIFICATION
1. Circumstances of Information Collection
The Office of the National Coordinator for Health IT (ONC) is requesting OMB approval for a collection of information finalized in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule. This is a new information collection request which pertains to a records and information retention requirement found in § 170.402(b)(1).
The Cures Act (Pub. L. 114-255) was enacted on December 13, 2016, to accelerate the discovery, development, and delivery of 21st century cures, and for other purposes. The Cures Act, through Title IV – Delivery, amended portions of the HITECH Act (Title XIII of Division A of Pub. L. 111-5) by modifying or adding certain provisions to the Public Health Service Act (PHSA) relating to health IT. Section 4002 of the Cures Act, which amended section 3001(c)(5) of the PHSA (42 U.S.C. 300jj-11), requires the Secretary of HHS, through notice and comment rulemaking, to establish conditions and maintenance of certification requirements for the ONC Health IT Certification Program (Program). Specifically, section 4002(a) of the Cures Act requires that a health IT developer provide assurances to the Secretary, unless for legitimate purposes specified by the Secretary, that it will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103; and any action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).
We have finalized our proposal to implement this Condition of Certification and accompanying Maintenance of Certification requirements in § 170.402. We have also finalized our proposal to establish more specific Condition and Maintenance of Certification requirements for a health IT developer to provide assurances that it does not take any action that may inhibit the appropriate exchange, access, and use of EHI. These finalized requirements serve to clarify how health IT developers can provide such broad assurances and with more specific actions under the Program.
As such, we have adopted in 45 CFR 170.402(b)(1) as a Maintenance of Certification requirement, that a health IT developer must, for a period of 10 years beginning from the date a developer’s health IT is first certified under the Program, retain all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the Program. To reduce administrative burden, we also have finalized, that in situations where the certification criteria is removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for 3 years from the date of removal unless that timeframe would exceed the overall 10-year retention period.
2. Purpose and Use of Information
The purpose and use of this records and information retention requirement is to verify, as necessary, health IT developer compliance with Program requirements, including certification criteria and Conditions of Certification. Certification under the Program relies on a health IT developer’s compliance with Program requirements that ensure the basic integrity and effectiveness of the Program, which is further stressed through the addition of the “conditions and maintenance of certification requirements” in the Cures Act.
In response to any notice of potential non-conformity or notice of non-conformity, ONC must be granted access to, and have the ability to share within HHS, with other Federal agencies, and with appropriate entities, all of a health IT developers’ records and technology related to the development, testing, certification, implementation, maintenance, and use of a health IT developers’ certified health IT; and any complaint records related to the certified health IT.
The records and information retained by health IT developers would assist in reviewing allegations that a health IT developer violated a Condition of Certification requirement. Further, it is possible that multiple Condition and Maintenance of Certification requirements may be implicated under a review, and thus ONC believes it is appropriate to require a developer make available to ONC all records and other relevant information concerning all the Conditions and Maintenance of Certification and Program requirements to which it and its Health IT Modules are subject.
3. Use of Improved Information Technology and Burden Reduction
We expect the costs and burden to developers to retain the described records and information to be mitigated due to the following factors. First, we expect that health IT developers are already keeping the majority of their records and information in an electronic format. Second, we expect that health IT developers already have systems in place for retaining records and information.
Last, we also expect that some developers may already be retaining records and information for extended periods of time due to existing requirements of other programs, including those programs that their customers participate in. For instance, Medicaid managed care companies are required to keep records for ten years from the effective date of a contract.
4. Efforts to Identify Duplication and Use of Similar Information
Currently, there are no existing regulatory requirements regarding record and information retention by health IT developers.
5. Impact on Small Businesses or Other Small Entities
We do not anticipate any substantial impact on small entities or small businesses.
6. Consequences if Information Were Collected Less Frequently
We do not anticipate any consequences if information were collected less frequently.
7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
The records and information retention requirement is in a manner consistent with guidelines contained in 5 CFR 1320.5(d)(2).
We believe that 10 years, beginning from the date a developer’s health IT is first certified under the Program, is an appropriate period of time given that many users of certified health IT participate in various CMS programs, as well as other programs, that require similar periods of records retention.
However, we have also finalized that in situations where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for 3 years from the date of removal for those certification criteria and related Program provisions unless that timeframe would exceed the overall 10-year retention period.
8. Comments in Response to the Federal Register Notice/Outside Consultation
The NPRM published in the Federal Register on March 4, 2019.
The NPRM solicited comments on the records and information retention requirement and we received no comments specific to the collection of information from health IT developers, and our corresponding PRA determinations.
The Final Rule published in the Federal Register on May 1, 2020 (85 FR 25642)
We have consulted with the Office of the Inspector General regarding the overall policy and time period recommendations of records and information retention. The OIG members consulted were:
General Attorney
Office of the Inspector General
202-482-4661
9. Explanation of any Payment/Gift to Respondents
Payment/gifts will not be made to respondents.
10. Assurance of Confidentiality Provided to Respondents
We understand that health IT developers may have concerns regarding the disclosure of proprietary, trade secret, competitively sensitive, or other confidential information. As we stated in the EOA final rule (81 FR 72429), ONC would implement appropriate safeguards to ensure, to the extent permissible with federal law, that any proprietary business information or trade secrets ONC may encounter by accessing the health IT developer’s records, other information, or technology, will be kept private by ONC or any third parties working on behalf of ONC to the extent allowed by law.
However, a health IT developer would not be able to avoid providing ONC access to relevant records by asserting that such access would require it to disclose trade secrets or other proprietary or confidential information. Therefore, health IT developers must clearly mark, as described in HHS Freedom of Information Act regulations at 45 CFR 5.65(c), any information they regard as trade secret or confidential commercial or financial information which they seek to keep confidential prior to disclosing the information to ONC or any third party working on behalf of ONC.
11. Justification for Sensitive Questions
There are no questions or collection of information that is of a sensitive nature.
12. Estimates of Annualized Hour and Cost Burden
We estimate that each health developer will on average, spend two hours each week, or 104 hours per year, to comply with our finalized records and information retention requirement. We expect that a health IT developer’s office clerk could complete the record retention responsibilities. According to the May 2017 Bureau of Labor Statistics (BLS) occupational employment statistics, the mean hourly wage for an office clerk is $16.30.1 As noted previously, we have assumed that overhead costs (including benefits) are equal to 100 percent of pre-tax wages, so the hourly wage including overhead costs is $32. Therefore, we estimate the annual cost per developer would, on average, be $3,328 and the total annual cost for all health IT developers (458 health IT developers have products certified to the 2015 Edition that are capable of recording patient health data) would, on average, be about $1.5 million. We note that this is a perpetual cost.
The Estimated Annualized Total Burden Hours and Records Retention is presented as follows:
Type of Respondent |
Code of Federal Regulations Section |
Number of Respondents |
Number of Responses per Respondent |
Average Burden Hours per Response |
Total Burden Hours |
Cost Per Hour |
Avg. Total Cost |
Health IT Developers |
45 CFR 170.402(b)(1) |
458 |
1 |
104 |
47,632 |
$32.00 |
$1,524,224 |
13. Estimates of other Total Annual Cost Burden to Respondents or Record keepers/Capital Costs
There are no capital or start-up costs associated with this data collection.
14. Annualized Cost to Federal Government
ONC has broad discretion to review certified health IT. However, we anticipate that such direct review, including all the requested records, access to the technology as needed, and documentation that ONC would use to conduct the fact-finding will be relatively infrequent.
We do not believe there are annualized costs to the federal government for the health IT developer records and information retention requirement found in § 170.402(b)(1), however we have identified potential costs if ONC deems enforcement actions necessary. ONC may commit, on average and depending on complexity, between 20 and 12,000 hours of staff time to complete a review and inquiry into certified health IT. We assume that the expertise of a GS-15, Step 1 federal employee(s) will be necessary. The hourly wage with benefits for a GS-15, Step 1 federal employee located in Washington, DC is approximately $126. Therefore we estimate the cost for ONC to review and conduct an inquiry into certified health IT will, on average range from $2,520 to $151,200. We note that some reviews and inquiries may cost less and some may cost more than the estimated cost range. Therefore, we estimate the average total cost to the Federal government to be $76,860 if such enforcement actions are deemed necessary to conduct an inquiry.
For clarification, we generally do not believe there are annualized costs to the federal government for the health IT developer records and information retention requirement found in § 170.402(b)(1) pertaining to the circumstances of this information collection supporting statement.
15. Explanation for Program Changes or Adjustments
This is a new data collection.
16. Plans for Tabulation and Publication and Project Time Schedule
The records and information requirement for health IT developers will not be published, tabulated, or manipulated. We request a 3 year clearance for this reoccurring records and information retention requirement.
17. Reason(s) Display of OMB Expiration Date is Inappropriate
The expiration date will not be displayed because there is no collection instrument.
18. Exceptions to the Certification for Paperwork Reduction Act Submission
We note the following exceptions to the Paperwork Reduction Act (PRA) collection requirements in our final rule, identified as follows:
We have finalized our proposal to add new ONC-ACB collection and reporting requirements for the certification of health IT to the 2015 Edition (and any subsequent edition certification) in § 170.523(p), (q), (t), and § 170.550(1).
As finalized in § 170.523(p)(3), ONC-ACBs would be required to collect and report certain information to ONC related to real world testing plans and results. ONC-ACBs would be required to verify that the health IT developer submits an annual, publicly available real world testing plan and perform a completeness check for both real world testing plans and results.
As finalized in § 170.550(l), ONC-ACBs would not be able to certify health IT until they review and verify health IT developers’ attestations confirming that the developers are compliant with Conditions and Maintenance of Certification requirements. ONC-ACBs would also submit the health IT developer attestations to ONC per § 170.523(q).
As finalized in § 170.523(t), ONC-ACBs would ensure health IT developers opting to take advantage of the Standards Version Advancement Process flexibility per § 170.405(b)(8) provide timely advance written notice to the ONC-ACB and all affected customers. ONC-ACBs would be required to maintain a record of the date of issuance and the content of developers’ notices, and timely post content of each notice received publicly on the CHPL attributed to the certified Health IT Module(s) to which it applies.
In
the 2015 Edition proposed rule (80 FR 16894), we estimated fewer than
ten annual respondents for all of the regulatory “collection of
information” requirements that applied to the ONC-AA and
ONC-ACBs, including those previously approved by OMB. In the 2015
Edition final rule (80 FR 62733), we concluded that the regulatory
“collection of information” requirements for the ONC-AA
and the ONC-ACBs were not subject to the PRA requirements under 5 CFR
1320.3(c). We continue to estimate less than ten annual respondents
for all of the regulatory “collection of information”
requirements for ONC-ACBs under Part 170 of Title 45, including those
previously approved by OMB and finalized in the 21st
Century Cures Act Final Rule.
As finalized in 45 CFR 170.580(a)(2)(iii), ONC may take action against a health IT developer for failure to comply with Conditions and Maintenance of Certification requirements. We have finalized an approach to generally use the same processes previously codified in regulation (§§ 170.580 and 170.581) to take administrative enforcement action. These processes require health IT developers to submit information to ONC to facilitate and conclude its review. The PRA, however, exempts these information collections. Specifically, 44 U.S.C. 3518(c)(1)(B)(ii) excludes collection activities during the conduction of administrative actions or investigations involving the agency against specific individuals or entities.
NOT RELEASABLE TO THE PUBLIC UNLESS AUTHORIZED BY LAW:
This information has not been publicly disclosed and may be privileged and confidential. It is for internal government use only and must not be disseminated, distributed, or copied to persons not authorized to receive the information. Unauthorized disclosure may result in prosecution to the full extent of the law.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Stephanie Lee |
File Modified | 0000-00-00 |
File Created | 2021-01-14 |