ONC Health IT Certification Program Certification Requirements Update March 17, 2016

ICSA Labs Health IT Program

Agenda

• Introduction • Mandatory Product Disclosures and Transparency

Requirements • Certified Vendor Pledge • Required Reporting: Complaints, Product Updates, and

Adaptations • Changes to Surveillance • Product Non-Conformities/Corrective Action Reports • Recap and Next steps

3/17/2016 © 2016. All Rights Reserved. 2

• Trusted institute since 1989 – over 25 years’ experience

• First commercial lab to receive ISO/IEC 17025 accreditation for information security testing

• Providing organizations with expert, objective, third-party evaluations of deployed and proposed technologies

• Testing and evaluation of IT security products, applications, devices, and solutions against industry accepted criteria

• Significant involvement in health IT testing and certification for ONC Health IT, ConCert by HIMSS™, IHE International Conformity Assessment

Trusted authority for testing and certification

About ICSA Labs

ICSA Labs’ International Accreditations

ISO 9001:2008 registered for quality management systems ISO 17065 accredited Certification Body by the American National Standards Institute (ANSI)

ISO 17025 accredited Test Lab by the National Voluntary Lab Accreditation Program (NVLAP) ONC-Authorized Certification Body (ONC-ACB) and Accredited Testing Laboratory (ATL)

3/17/2016 © 2016. All Rights Reserved. 4

Mandatory Product Disclosures - 170.523(k)(1)

Certified health IT developers must conspicuously disclose in plain language on their website, in all marketing materials, communication statements, and other assertions related to certified health IT, ALL of the following information, for EVERY Certified Product:

“This [Complete EHR or EHR Module] is ONC 20[XX] Edition compliant and has been certified by ICSA Labs, an ONC-ACB, in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.” and

The vendor name (if applicable) The date certified The product name and version The unique certification number or other specific product identification Where applicable, the certification criterion or criteria to which each EHR module has been tested and certified The clinical quality measures to which a complete EHR or EHR module has been tested and certified And where applicable, any additional software the Certified Health IT relied upon to demonstrate its compliance with a certification

criterion [Note: version of additional software is required for 2015 Edition] And where applicable, any additional types of costs that a user may be required to pay to implement or use the Certified Health IT's

capabilities, whether to meet meaningful use objectives and measures or to achieve any other use within the scope of the health IT's certification.

And where applicable, any limitations (whether by contract or otherwise) that a user may encounter in the course of implementing and using the Certified Health IT’s capabilities, whether to meet meaningful use objectives and measures or to achieve any other use within the scope of the health IT's certification.

Mandatory Product Disclosures - 170.523(k)(1) Cont.

• Types of Additional Costs - fixed, recurring, transaction-based, or otherwise that are imposed by a health IT developer (or

any third-party from whom the developer purchases, licenses, or obtains any technology, products, or services in connection with its certified health IT) to purchase, license, implement, maintain, upgrade, use, or otherwise enable and support the use of capabilities to which health IT is certified; or in connection with any data generated in the course of using any capability to which health IT is certified.

» License and Subscription Fee » Connection Fee » Transaction Fee

• Limitations - include, but not limited to technical or practical limitations of technology or its capabilities, that could prevent or impair the successful implementation, configuration, customization, maintenance, support, or use of any capabilities to which technology is certified; or that could prevent or limit the use, exchange, or portability of any data generated in the course of using any capability to which technology is certified.

» Not able to use third-party HISP for direct messaging if developer does not have trust agreement with it » Direct messaging capability limit to 500 messages in 24 hr. period

• ONC Template for Mandatory Disclosures – detailed guidance by ONC for additional costs and limitations

Examples

Mandatory Product Disclosures - 170.523(k)(1) Cont.

» Must appear on public website

Required whether or not the website refers to certification or certified status of the health IT product Web page or document must be publicly available even if product developer does not have a website (e.g. publicly

accessible Google Doc, PDF accessible through Dropbox or to a github web page) Link to certification certificates is permissible, however, you must still include sections for additional costs and

limitations on main page along with product name, version and certification ID Disclosures are required for every product certified and listed on Open CHPL Any products no longer supported should be reported to ICSA Labs

» Required to provide ICSA Labs with URL to disclosures which will be posted to Open CHPL » Originally required by March 14th

Extension granted to April 12th Submit early to allow time for review and feedback

» Self-Developers excluded from requirement – however we ask that you submit attestation that you are a self-developer » All non-compliances identified after deadline will be required to submit a corrective action plan and will be reported

to ONC

Disclosure Requirements

Certified Vendor Pledge

Note: pledge is not a requirement to disclose dollar amounts, only the preceding information required in the mandatory product disclosures. Self-developers that do not market, sell or license their Certified Health IT are exempt, but must still complete the pledge and identify themselves accordingly.

Certified Vendor Pledge

» Required as a condition of Complete EHR or Health IT Module’s certification Attests that product developer will voluntarily and in timely fashion, provide in plain writing and in a manner

calculated to inform, any part (including all of) the information required to be disclosed in 170.523(k)(1) which includes

– To all customers, prior to providing or entering into any agreement to provide any certified health IT or related product or service (including subsequent updates, add-ons, or additional products or services during the course of an on-going agreement);

– To any person who requests or receives a quotation, estimate, description of services, or other assertion or information from the developer in connection with any certified health IT or any capabilities thereof; and

– To any person, upon request » Response of yes/no/self-developer published to Open CHPL » Regardless of yes/no response, transparency disclosures (i.e. 170.523(k)(1)) still required to be publicly reported on

websites, marketing materials, etc. » Extension granted to April 12th » Self-Developers must comply by indicating self-developer exclusion status on form » All non-compliances identified after deadline will be required to submit a corrective action plan and will be reported to

ONC

Certified Vendor Pledge

Required Reporting

» All product developers are required to submit the Complaint Handling Process Form to ICSA Labs » Processes should describe:

Specific methods customers use to report issues (specifically related to scope of certification); Processes use to track and analyze issues; How issues are resolved; How customers are notified of resolutions

» Notice sent out yearly to confirm/report any changes Attestation section added to product update form to confirm/report any changes during year

» Self-Developers excluded from requirement, but must indicate self-developer status on form » Complaints handling process will be reviewed and verified as part of surveillance activities » Note: ONC accepts anonymous complaints through their website

Complaint Handling Process

Required Reporting Cont.

» All product developers required to submit a quarterly log for any complaints related to certified functionality

» Complaint log template provided to collect: Date complaint received Criteria related to certified functionality Description of complaint (Do not include PHI) Corrective action taken (i.e. resolution) Resolution type/ Nature of complaint (i.e. user error, bug, clarification, lack of functionality, etc.)

» Use best judgment on reporting (minor complaint vs. complaint effecting patient safety) » Must use attestation form to report when no complaints are recorded in quarter » Self-Developers excluded from requirement

Complaints

Required Reporting Cont.

» Adaptations are defined as software designed to run on different medium (e.g. mobile device or tablet) that includes the full and exact same capabilities included in the Complete EHR or certified Health IT Module

» Certified health IT developers are required to submit a record of all adaptations of certified Health

IT Modules Health IT developer can choose to seek certification for adaptations which would have separate

listing on CHPL and permit health IT developer to openly sell adaptation to all potential purchasers as separate certified product

Adaptations

Required Reporting Cont.

» Certified health IT developers required to submit record of all updates made to certified Complete EHRs and certified Health IT Modules (no change/updates must still be reported) Must report changes to user-facing aspects made to certified health IT Re-testing likely for updates to criteria to which “safety-enhanced design” certification criteria

apply o 2014 Edition criteria affected: a(1), a(2), a(6), a(7), a(8), a(16), a(18), a(19), a(20), b(3),

b(4), b(9) o 2015 Edition criteria affected: a(1), a(2), a(3), a(4), a(5), a(6), a(7), a(8), a(9), a(14),

b(2) and b(3) Previously vendor self-submitted using product update form Now at minimum, update information required from all product developers on quarterly basis Use attestation form to report scope of changes along with evidence/documentation

Product Updates

Required Reporting Cont.

» Reporting Periods

Q1: January 1 – March 31 – Attestations due 4/7 Q2: April 1 – June 30 – Attestations due 7/7 Q3: July 1 – September 30 – Attestations due 10/7 Q4: October 1 – December 31 – Attestations due 1/7

» A list of all product updates, adaptations and complaints should be submitted to ICSA Labs no later than 5 business days after the close of the quarter First reporting period begins 2nd quarter and due on or before July 7th (i.e. 5 business days from

close of quarter) » Records of adaptations and updates are reviewed by ICSA Labs and retained for awareness and

surveillance purposes.

Updates and Adaptations Cont.

Required Reporting Cont.

• ACBs report surveillance results to ONC quarterly • Nonconformities identified based on surveillance will require developers to submit a

Corrective Action Plan to their ACB (within 30 days of being notified). Related information will be reported to the ONC’s open data CHPL

» Contents of surveillance results submitted to ONC will not include any information to identify any user or location that participated in or was subject to surveillance

• Final Rule requires as a condition of certification that HIT developers furnish upon request, accurate and complete customer lists, user lists, and other information necessary to enable the ACB to carry out surveillance activities (for surveys, in-the-field surveillance, etc.)

• Requirements for random surveillance effective on January 1, 2016. • All others in effect with Final Rule (90 days from publication)

Surveillance Reporting Changes

Post-certification Surveillance

• Reactive surveillance

» Based on complaints, repeated inheritance requests, and/or information about potential non-conformities [including the transparency and disclosure requirements for health IT developers]

• Randomized surveillance » Based on random sampling of all certified products (2014 Ed. & 2015 Ed.)

ACBs are permitted to implement appropriate weighting and sampling considerations (such as products that are widely implemented vs. not)

ACBs must ensure that every product selected and every provider location at which the product is in use has a chance of being randomly selected for in-the-field surveillance

» Random surveillance of at least 2% of all products issued ONC HIT Certification each year For each product selected, ACBs must select a random sample of one or more locations to

initiate in-the-field surveillance of the certified technology’s prioritized capabilities

Surveillance

Post-certification Surveillance

In-the-field Surveillance • ACB’s are required to initiate in-the-field surveillance as necessary to assess certified

technologies for continued compliance when implemented and used in a production environment

• ONC requires that assessment of capabilities in the field must be based on the use of production data, unless the use of test data has been approved by the National Coordinator

» If surveillance confirms a nonconformity, the developer must submit a corrective action plan and the ACB must report related information to the ONC’s open data CHPL

• For more information see the ICSA Labs CY2016 Surveillance Plan found at icsalabs.com

Surveillance

Non-conformities

• Non-conformities may be issued based on:

» Complaints received through ONC or directly to the ACB » Failure to adhere to the surveillance process (providing installation sites, access to user lists) » Non-compliant results based on reactive or in-the-field surveillance » Failure to respond to ACB requests for disclosures (product update information, adaptations,

transparency pledge)

• Note: the failure of a health IT developer to disclose the required information is a violation of an explicit certification program requirement and thus constitutes a non-conformity

• Any non-conformity issued will result in the vendor having to submit a corrective action plan within 30 days of notification to ICSA Labs

Addressing Non-Conformities

Corrective Actions

Corrective action plans submitted by a developer to an ONC-ACB must include: • (i) A description of the identified non-conformities or deficiencies; • (ii) An assessment of how widespread or isolated the identified non-conformities or deficiencies may be across all

of the developer’s customers and users of the certified technology; • (iii) How the developer will address the identified non-conformities or deficiencies, both at the locations under

which surveillance occurred and for all other potentially affected customers and users; • (iv) How the developer will ensure that all affected and potentially affected customers and users are alerted to

the identified non-conformities or deficiencies, including a detailed description of how the developer will assess the scope and impact of the problem, including identifying all potentially affected customers; how the developer will promptly ensure that all potentially affected customers are notified of the problem and plan for resolution; how and when the developer will resolve issues for individual affected customers; and how the developer will ensure that all issues are in fact resolved.

• (v) The timeframe under which corrective action will be completed • (vi) An attestation by the developer that it has completed all elements of the approved corrective action plan.

Corrective Action Plans

Recap and Next Steps

• Send vendor pledge to diana.coniglio@icsalabs.com • Update websites and marketing materials to include 170.523(k)(1) product disclosures

» Send URL to diana.coniglio@icsalabs.com before April 12th

• Begin quarterly reporting of complaints, product updates and adaptations » Second quarter begins: April 1 – June 30 » First round of complaints, product updates and adaptations due by July 7th (i.e. 5 business days after

close of quarter) » Indicate on form if no complaints, product updates or adaptations are recorded during quarter and

submit to diana.coniglio@icsalabs.com » On due date, submit product updates and adaptations on form

• Webinar recording will be posted within 2-3 days. Today’s slides will be sent to attendees and posted along with a recording of this presentation

• Latest Product Update/Adaptations/Complaint handling process forms will also be distributed to customers

ONC Resources

New - dedicated list serv to communicate updates about the certification program, test tools, test procedures, certification companion guides, etc. Sign up here: https://www.healthit.gov/policy-researchers-implementers/about-onc-health-it-certification-program

Contacts:

Kevin D Brown Certification Body Manager kbrown@icsalabs.com

Diana Coniglio Certification Manager diana.coniglio@icsalabs.com

Amit Trivedi Program Manager - Healthcare amit.trivedi@icsalabs.com