ICSA Labs ONC Health IT Certification Program

CY 2018 Surveillance Plan

Document Version 1.0 Effective: January 1, 2018

www.icsalabs.com

ONC Health Certification Program CY 2018 Surveillance Plan

Page 2 of 13 Document Version 1.0 Copyright 2018 ICSA Labs. All Rights Reserved. Effective date: January 1, 2018 Printed copies are not controlled and may not be official.

ICSA Labs - ONC-Authorized Certification Body (ACB) CY 2018 Surveillance Plan

I. Introduction and Overview

The ICSA Labs ONC Health Certification Program Surveillance Plan was developed to meet requirements

per ISO/IEC 17065:2012, the Permanent Certification Program Final Rule, 2014 Edition Release 2 Final

Rule[1], 2015 Edition Final Rule[2], and the latest and most relevant ONC Program Policy Guidance

documents. In developing this plan ICSA Labs also considered industry best practices, ongoing feedback

offered by customers, the ONC Approved Accreditor (ANSI), the ONC and suggestions developed

collaboratively by industry associations such as the HIMSS Electronic Health Records Association (EHRA).

For CY 2018, ICSA Labs has prepared this surveillance plan in accordance with Guidance #15-01A and the

ONC Health IT Certification Program: Enhanced Oversight and Accountability Proposed Rule.

II. Surveillance Approach

ICSA Labs conducts regular surveillance on all certified products to ensure continued conformance to

the standards and requirements under which the product was certified – not only in a controlled testing

environment, but also when implemented and used in a production environment, as mandated by ONC.

Surveillance activities are tracked and documented as part of the ISO/IEC 17065:2012 requirements for

an accredited certification body and generally consist of proactive and reactive surveillance.

In order to gauge ongoing compliance with certification requirements, surveillance approaches will

combine both administrative reviews and technical assessments based on selection triggered by

complaints and/or feedback from users, retesting, and customer and end-user surveys.

A. Proactive Surveillance

Proactive surveillance focuses on ensuring certified Health IT maintains conformity to the ONC

prioritized certification criteria, and adherence to guidelines around public facing information

about a certified product. Administrative surveillance is conducted regularly on all certified

products to ensure vendors and product developers:

[1] 2014 Edition Release 2 Electronic Health Record (EHR) Certification Criteria and the ONC Health IT Certification Program; Regulatory Flexibilities, Improvements, and Enhanced Health Information Exchange; Final Rule (79 FR 54430) (2014 Edition Release 2 Final Rule).

[2] 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications final rule (80 FR 62601).

• Clearly and correctly communicate to prospective consumers and implementers of said technology the mandatory disclosure requirements at 45 CFR § 170.523(k)(1) pertaining to Certified EHR Technology;

• Appropriately use the ONC and ICSA Labs certification marks; and,

• Provide and follow internally documented procedures such as a product developer’s complaints resolution process.

Surveillance is carried out by monitoring customer websites, reviewing and approving press

releases for ONC Health Certified products, and periodic reviews of other ONC-mandated,

publicly available materials.

B. Reactive Surveillance

Reactive surveillance involves the certification body acting on information concerning ongoing

compliance with certification requirements. In order to determine ongoing compliance and what

if any corrective actions are necessary to ensure compliance, ICSA Labs may request, obtain, and

analyze information including but not limited to the following:

• Complaints and other information about certified health IT submitted directly to ICSA Labs by customers or users of ICSA Labs Certified health IT, by the National Coordinator, or by other persons.

• Results of collected feedback from surveys or by notification of:

o Changes significantly affecting the product’s design or specification, or

o Changes in the standards to which compliance of the product is certified, or

o Changes in the ownership, structure or management of the customer, if relevant, or in the case of any other information indicating that the product may no longer comply with the requirements of the certification system.

o Repeated number of inherited certified status requests (pursuant to 45 CFR 170.545(d) and 45 CFR 170.550(f)) – (Products requesting 3 or more inherited certified status requests)

o ONC or ONC-ACB identified priority criteria

o Reviews of complaint logs and service tickets submitted by Health IT developers, and other documentation concerning the analysis and resolution of complaints or issues as reported to the developer (See “Review of Developer Complaint Processes” for more information).

o Developers’ public and private disclosures regarding certified health IT capabilities, including any discrepancies or failures to disclose known material information about certified capabilities, as required by §170.523(k)(1). (See section IV A, “Surveillance of Developers’ Disclosures” for more information.)

o Information from publicly available sources (e.g., a developer’s website or

user forums).

o Other facts and circumstances of which ICSA Labs is aware.

In the event ICSA Labs is contacted either by ONC or by a customer in possession of a health IT

product certified by ICSA Labs with complaints about a product’s ability to comply with the

certification criteria, ICSA Labs will notify the vendor/developer and investigate the complaint to

take appropriate action. A record of all complaints received, the action taken and its

effectiveness will be maintained.

All nonconformities identified during surveillance activities will be communicated to the

customer (See Section V Corrective Action Procedures for more information). In order to

determine whether the technology remains in conformance, ICSA Labs will take into account all

information collected including the volume, substance, and credibility of any complaints about

the certified product, as well as the response from the vendor/developer (including past

submissions and the results of previous surveys and surveillance artifacts).

Further assessment by ICSA Labs or additional evaluation by an ONC-ATL may be potential next

steps to determine conformance by requesting:

• Sample files and generated output to verify conformance to standards

• Corroborating documentation to ensure previously certified functionality has not been compromised

• Verification via live demonstration that the product is conformant in the field, as appropriate

The customer is provided an opportunity to correct the nonconformities before the issue is

escalated. See the ICSA Labs ONC Health Certification Program Manual’s section on

“Certification Suspension and Withdrawal” and Section V of this document, “Corrective Action

Procedures” for more information.

Note: Products that have been rebranded may be candidates for surveillance testing to ensure

that certified functionality remains intact and in accordance with the original product certified.

III. Prioritized Elements

ONC considers the following elements a priority for surveillance:

• The assessment of developers’ disclosures, as required by 45 CFR 170.523(k) and the evaluation of potential non-conformities resulting from the failure to disclose material information about limitations or additional types of costs associated with certified health IT.

• The assessment of potential non-conformities resulting from implementation or business practices of a health IT developer that could affect the performance of certified capabilities in the field.

• The adequacy of developers’ user complaint processes, including customer complaint logs, consistent with ISO/IEC 17065 § 4.1.2.2 (j).

• The appropriate use of the ONC Certification Mark.

IV. Transparency and Disclosure Requirements

The transparency and disclosure requirements adopted in the 2015 Edition Final Rule, and prioritized in

this surveillance plan for CY 2018, are documented in the ICSA Labs ONC Health Certification Program

Manual and will be reinforced in messaging to HIT product developers via email, program webinars, the

ICSA Labs website, and other various forms of communication to ensure proper understanding and

conformance.

Product developers will be required to adhere to the transparency and disclosure requirements adopted

in the 2015 Edition Final Rule 45 CFR § 170.523(k) which states:

A Health IT developer must conspicuously include the following on its website and in all marketing

materials, communications statements, and other assertions related to the Complete EHR or Health IT

Module's certification:

“This [Complete EHR or Health IT Module] is [specify Edition of EHR certification criteria]

compliant and has been certified by an ONC-ACB in accordance with the applicable certification

criteria adopted by the Secretary of Health and Human Services. This certification does not

represent an endorsement by the U.S. Department of Health and Human Services.”

And

a. The vendor name

b. The date certified

c. The product name and version

d. The unique certification number or other specific product identification

e. Where applicable, the certification criterion or criteria to which each EHR module has been

tested and certified

f. The clinical quality measures to which a complete EHR or EHR module has been tested and

certified

g. And where applicable, any additional software a complete EHR or EHR module relied upon

to demonstrate its compliance with a certification criterion or criteria adopted by the

Secretary

h. And where applicable, any additional types of costs that a user may be required to pay to

implement or use the Complete EHR or Health IT Module's capabilities, whether to meet

meaningful use objectives and measures or to achieve any other use within the scope of the

health IT's certification. (Examples given include: fixed, recurring, transaction-based, or

otherwise that are imposed by a health IT developer (or any third-party from whom the

developer purchases, licenses, or obtains any technology, products, or services in connection

with its certified health IT) to purchase, license, implement, maintain, upgrade, use, or

otherwise enable and support the use of capabilities to which health IT is certified; or in

connection with any data generated in the course of using any capability to which health IT

is certified.)

i. And where applicable, any limitations (whether by contract or otherwise) that a user may

encounter in the course of implementing and using the Complete EHR or Health IT Module's

capabilities, whether to meet meaningful use objectives and measures or to achieve any

other use within the scope of the health IT's certification. (Examples given include, but are not

limited to, technical or practical limitations of technology or its capabilities, that could

prevent or impair the successful implementation, configuration, customization,

maintenance, support, or use of any capabilities to which technology is certified; or that

could prevent or limit the use, exchange, or portability of any data generated in the course of

using any capability to which technology is certified.)

A developer may satisfy the requirement to disclose the information required by § 170.523(k)(1) in its

marketing materials, communications statements, and other assertions related to a Complete EHR or

Health IT Module's certification by providing an abbreviated disclaimer, appropriate to the material and

medium, provided the disclaimer is accompanied by a hyperlink to the complete disclosure on the

developer's website.

Where a hyperlink is not feasible (for example, in non-visual media), the developer may use another

appropriate method to direct the recipient of the marketing material, communication, or assertion to

the complete disclosure on its website.

A. Surveillance of Developers’ Disclosures

As noted in Section II.A (Proactive Surveillance), ICSA Labs will proactively select health IT

developers and products for surveillance to ensure a developer’s compliance with the

mandatory disclosure requirements found in 45 CFR § 170.523(k)(1). Surveillance is carried out

by monitoring customer websites, reviewing and approving press releases for ONC Health

Certified products, and periodic reviews of other publicly available materials.

During surveillance activities, ICSA Labs will review a health IT product developer’s public

materials (i.e. websites, press releases, marketing materials, etc.) and assess whether the

information displayed matches the information attested to on the product developer’s

registration form.

As noted in Policy Guidance #15-01A, developers are not required to disclose information of

which they are not and could not reasonably be aware, nor to account for every conceivable

type of cost or implementation hurdle that a customer may encounter. “Developers are

required, however, to describe with particularity the nature, magnitude, and extent of the

limitations or types of costs.” A developer’s disclosure possesses the requisite particularity if it

contains sufficient information and detail from which a reasonable person under the

circumstances would, without special effort, be able to reasonably identify the specific

limitations he/she may encounter and reasonably understand the potential costs he/she may

incur in the course of implementing and using capabilities for any purpose within the scope of

the health IT's certification.

Any discrepancies or obvious issues with the information disclosed will be communicated to the

product developer with an opportunity for remediation (See Corrective Action Procedures). The

customer is provided an opportunity to correct the nonconformities before the issue is

escalated. See the ICSA Labs ONC Health Certification Program Manual’s section on Certification

Suspension and Withdrawal for more information.

B. Attestation Requirement

As a condition of certification, health IT developers must make one of the following attestations:

In the affirmative:

In support of enhanced marketplace transparency and visibility into the costs and

performance of certified health IT products and services, and the business practices of

health IT developers, [Developer Name] hereby attests that it will provide in a timely

manner, in plain writing, and in a manner calculated to inform, any part (including all) of

the information required to be disclosed under 45 CFR §170.523(k)(1) under the

following circumstances:

• To all persons who request such information.

• To all persons who request or receive a quotation, estimate, description of services, or other assertion or information from [Developer Name] in connection with any certified health IT or any capabilities thereof.

• To all customers prior to providing or entering into any agreement to provide any certified health IT or related product or service (including subsequent updates, add-ons, or additional products or services during the course of an on-going agreement).

– OR –

In the negative:

[Developer Name] hereby attests that it has been asked to make the voluntary

attestation described by 45 CFR § 170.523(k)(2)(i) in support of enhanced marketplace

transparency and visibility into the costs and performances of certified health IT

products and services, and the business practices of health IT developers.

[Developer Name] hereby declines to make such attestation at this time.

Developers’ adherence to their attestations is voluntary; however, ICSA Labs is required to

include the developers’ attestations in the hyperlink submitted to the National Coordinator for

inclusion in the CHPL so that the public can determine which developers have attested to taking

the additional actions to promote transparency of their technologies and business practices.

ONC notes that a developer’s attestation under 45 CFR § 170.523(k)(2) does not broaden or

change the scope of the information a developer is required to disclose under 45 CFR

§170.523(k)(1).

V. Corrective Action Procedures

If a certified product is found to be non-conformant to the requirements of its certification, ICSA Labs

will notify the vendor/developer of any findings. The vendor/developer is required to submit to ICSA

Labs a proposed corrective action plan (CAP) for the applicable certification criterion, certification

criteria, or certification requirement. Related information will also be publicly reported to the ONC’s

open data CHPL as required by ONC.

A. Corrective Action Plan Elements

To further clarify, per ONC a CAP is required under §170.556 any time an ACB finds that a

product or a developer is non-compliant with any certification criterion or any other

requirement of certification, including the transparency and disclosure requirements.

Corrective action plans submitted by a developer to an ONC-ACB must include the following

elements:

i. A description of the identified non-conformities or deficiencies

ii. An assessment of how widespread or isolated the identified non-conformities or

deficiencies may be across all of the developer’s customers and users of the certified

technology

iii. How the developer will address the identified non-conformities or deficiencies, both at

the locations under which surveillance occurred and for all other potentially affected

customers and users

iv. How the developer will ensure that all affected and potentially affected customers and

users are alerted to the identified non-conformities or deficiencies, including a detailed

description of how the developer will assess the scope and impact of the problem,

including identifying all potentially affected customers; how the developer will promptly

ensure that all potentially affected customers are notified of the problem and plan for

resolution; how and when the developer will resolve issues for individual affected

customers; and how the developer will ensure that all issues are in fact resolved

v. The timeframe under which corrective action will be completed

vi. An attestation by the developer that it has completed all elements of the approved

corrective action plan, or the target dates of completion

B. Corrective Action Plan Submission and Review

The CAP must be provided to ICSA Labs within 30 days of notification. A non-response may be

grounds for further punitive action. Extensions may be granted on a case by case basis. ICSA

Labs will review the CAP and make a determination as to whether the plan will be approved,

needs any revisions, or is altogether rejected.

The determination will be based on a review of the thoroughness and completeness of the

submitted CAP based on the CAP requirements outlined above, and whether the timelines and

proposed corrective actions provide confidence to the certification body that the product is in

conformance or will be by a certain target date. Depending on the degree and scope of the non-

conformities, it is still possible that the certification may be suspended or withdrawn. See the

ICSA Labs Certification Program Manual for more information.

C. Corrective Action Plan Submission and Review

Once the CAP is approved, ICSA Labs will follow up within 30 days to ensure adherence to the

approved corrective action plan and in order to verify that requirements of the corrective action

plan have been completed. ICSA Labs may conduct additional follow up with the

vendor/developer, as well as end-users, to verify the attestation and ensure that the corrective

actions have been implemented for all affected and potentially affected customers and users.

Similarly, the product may be a candidate for future surveillance.

VI. Submission of Corrective Action and Surveillance Information

A. Submission of Corrective Action Information

Any non-conformity/non-compliance would be reported to the CHPL and then updated to

include the CAP and the activities surrounding execution of the CAP. At any point during

surveillance ICSA Labs may notify ONC of its activities, especially if there are concerns about

safety, information blocking, etc.

As part of ICSA Labs’ reporting requirement to ONC, the following corrective action

information would be submitted to ONC for inclusion in the CHPL:

• The CHPL Product number of each Complete EHR or Health IT Module that failed to conform to its certification and for which corrective action was instituted under 45 CFR § 170.556.

• The specific certification requirements to which the technology failed to conform.

• A summary of the deficiency or deficiencies identified by ICSA Labs as the basis for its determination of non-conformity.

• When available, the health IT developer's explanation of the deficiency or deficiencies.

• The dates surveillance was initiated and completed.

• The results of randomized surveillance, including pass rate for each criterion in instances where the Complete EHR or EHR Module is evaluated at more than one location.

• The number of sites that were used in randomized surveillance.

• The date of the ONC-ACB's determination of non-conformity.

• The date on which the ONC-ACB approved a corrective action plan.

• The date corrective action began (effective date of approved corrective action plan).

• The date by which corrective action must be completed (as specified by the approved corrective action plan).

• The date corrective action was completed.

• A description of the resolution of the non-conformity or non-conformities.

B. Submission of Surveillance Information

1. Surveillance Narratives and Corroborating Documentation

ICSA Labs reports surveillance results to the National Coordinator on a rolling basis (i.e.,

no less frequently than quarterly) throughout CY18. When submitting annual

surveillance results, ICSA Labs will identify each instance of surveillance performed

during CY18 and the results of that surveillance, including a detailed narrative and

corroborating documentation and evidence to support any determinations or findings,

including:

• Each certified Complete EHR or Health IT Module (identified by its CHPL product ID), each certification criterion, and each certification program requirement that was subject to surveillance.

• The type of surveillance (proactive, reactive) initiated in each case.

• The grounds for initiating surveillance and for deciding whether or not to evaluate the certified health IT in the field.

• Whether or not the surveillance activities confirmed a non-conformity.

• The substantial factors that, in the certification body’s assessment, caused or contributed to the apparent non-conformity (e.g., implementation problem, user error, limitations on the use of capabilities in the field, a failure to disclose known material information, etc.).

• The steps the certification body took to obtain and analyze evidence and to arrive at its conclusions.

When documenting the surveillance activities, ICSA Labs will include the following

information in the report:

• Methodologies and techniques employed to determine whether to initiate surveillance, what type of surveillance to perform (e.g., in-the-field surveillance or other forms of surveillance), and how to evaluate suspected non-conformities.

• How the certification body engaged and worked with developers and end-users to analyze and determine the causes of any suspected non-conformities and related deficiencies.

• How the certification body evaluated any non-conformities resulting from implementation or business practices of the health IT developer which then potentially affected the performance of certified capabilities in the field.

• How the certification body evaluated any potential non-conformities resulting from the non-disclosure of material information about limitations or additional types of costs associated with certified health IT.

2. Review of Developer Complaint Processes

Vendors and product developers are required to provide details of their complaint

handling process for complaints relating to the scope of functionality certified in the

ONC Health Certification Program on an annual basis.

The complaint handling process will include details as to how customers can report

defects or make complaints about the product including:

• Methods customers can use to report the issue

• The process used to track the issue

• The process used to analyze the issue

• How issues are resolved

• How customers are subsequently notified

All product developers must also:

• Provide ICSA Labs with documentation outlining internal complaint handling processes

• Maintain a record of all customer complaints related to a product's compliance with the ONC Health Certification criteria against which it was tested

• Retain a log of actions taken in response to such complaints.

The complaint handling processes of any developer whose technology was subject

to surveillance during the applicable calendar year will be reviewed by ICSA Labs to

determine whether the appropriate actions were taken as reported in their

complaint handling processes. If the issues were not properly addressed, ICSA Labs

will follow up, as necessary, with the vendor/developer and end user as a next step

and report to ONC.

ICSA Labs will also evaluate the frequency of complaints made to the developer that

were associated with the prioritized surveillance elements noted in Section III –

Prioritized Elements.

C. Due Process and Exclusion of Certain Sensitive Information

1. Meaningful Opportunity for Input and Comment on ONC-ACB Findings

Prior to making a non-conformity or other determination and prior to submitting

surveillance results (and, where applicable, corrective action information) to the

National Coordinator, ICSA Labs will attempt to conduct a thorough and complete

review of all relevant facts and circumstances including a review of all findings and an

opportunity for the developer to explain any deficiencies identified by the certification

body or complaint.

2. Exclusion of Certain Information from Submission of Corrective Action

Information and Surveillance Results

In order to safeguard confidentiality, prior to submitting corrective action information

and surveillance results to the National Coordinator, ICSA Labs will conduct a review to

ensure the exclusion of information that would identify any health IT developer

customer or user, any health care provider, location, or practice site that participated in

or was subject to surveillance, or any person who submitted a complaint or other

information to a health IT developer or ONC-ACB. This review would include de-

identifying any names or locations in reports or narratives, as well as any testing

artifacts.

3. Exclusion of Certain Information from Submission of Corrective Action

Information

With respect to the submission of corrective action information to the National

Coordinator for inclusion in the CHPL, ICSA Labs will not submit any information that is

in fact legally privileged or protected from disclosure and that therefore should not be

listed on a publicly available website. ICSA Labs may also implement other appropriate

safeguards, as necessary to protect information that, while not legally protected from

disclosure, ICSA Labs believes should not be reported to a publicly available website. As

intended by ONC, any such safeguards will be narrowly tailored and consistent with the

goal of promoting the greatest possible degree of transparency with respect to certified

health IT and the business practices of certified health IT developers, especially the

disclosure of material information about limitations and types of costs associated with

certified health IT.

VII. Public Accountability

Please note that the ONC recommends that all ONC-ACBs make their annual surveillance plans and

surveillance results publicly available after submission to ONC in an effort to strengthen the value

stakeholders receive from the ONC Health Certification Program. It is ICSA Labs’ intent to publish

surveillance plans and results publicly.