Acquisition Regulation: Information Technology; Standards for Health IT – Proposed Rule

HHS proposed a new mandate to standardize a term in contracts with health plans and healthcare providers requiring the use of information technology that is certified by ONC.

WHAT: HHS published a proposed rule that would require all healthcare providers and health plans that receive HHS funding to use certified health IT or, at a minimum, adhere to ONC standards. The proposed rule would apply to all solicitations and contracts, issued by or on behalf of HHS entities, that involve implementing, acquiring, or upgrading health IT used (1) for the direct exchange of individually identifiable health information between agencies and non-Federal entities, or (2) by healthcare providers, health plans, or health insurance issuers.

WHY THIS IS IMPORTANT: Healthcare providers’ electronic medical record vendors (e.g., Epic) were already going through the ONC certification process due to financial incentives for hospitals and clinicians in the Medicare program, but this process would be new for health plan IT vendors. For example, the CMS Interoperability and Patient Access final rule requires Medicare Advantage (MA) organizations to implement multiple Application Programming Interfaces (APIs) by January 1, 2027; this new rule would require MA plans to use certified health IT for this purpose as part of its contract with CMS.

IN BRIEF: The proposed rule was issued by the HHS Assistant Secretary for Technology Policy and Office of the National Coordinator for Health IT (ASTP/ONC) and the Office of the Assistant Secretary for Financial Resources (ASFR), but it applies to all contracts that involve the acquisition, implementation, and upgrading of health IT. Using the authority under the Federal Acquisition Regulation (FAR) that mandates the fair and consistent procurement of goods and services for the federal government, HHS is mandating the new contract term across all of its operating divisions and offices to align and coordinate health IT-related activities in support of HHS health IT and interoperability goals outlined by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The proposed rule is designed to ensure that all health IT systems procured by HHS or on behalf of the agency – through contracts with healthcare providers, health plans, or insurance issuers – are fully compliant with the standards and implementation specifications set by ASTP/ONC.

WHEN: The proposed rule was published on August 9, 2024. Comments on the proposed rule must be submitted by October 8, 2024. The rule will be finalized after the comment period and will be informed by submitted comments.

• Intersection With HTI-2: In our HTI-2 Maverick Minute, we explained how ASTP/ONC expanded its Certification Program – for the first time – to include certification criteria for payer and public health software. We also noted in our Perspective that ONC’s Certification Program is not only a voluntary program, but that EHR developers are the only developers of health IT with a regulatory reason to certify their products. This new proposed rule from ASTP/ONC and ASFR would effectively create a regulatory reason for health IT developers to go through ONC’s certification process if they want to be selected as a vendor for health plans that receive funding from HHS.
• Applicable Health IT: The proposed rule provides that HHS would be prohibited from awarding contracts that include implementing, acquiring, or upgrading health IT used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities unless the awardee (e.g., MA plan, provider, insurance issuer) uses health IT that meets ASTP/ONC standards or is certified.
• Implementing Definition: This may include investments in health IT for its maintenance and upkeep; the use of health IT to collect, store, and share health information; and activities supporting the piloting, but not acquisition, of health IT tools.