Proposed Rule2024-17096
HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001)
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
August 9, 2024
Issuing agencies
Health and Human Services Department
Abstract
The Department of Health and Human Services (HHS) is proposing to amend and update its Health and Human Services Acquisition Regulation (HHSAR) to implement requirements to procure health information technology (health IT) that meets standards and implementation specifications (standards) adopted by the Office of the National Coordinator for Health Information Technology (ONC) in the following parts: Acquisition of Information Technology and Solicitation Provisions and Contract Clauses.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 154 (Friday, August 9, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 154 (Friday, August 9, 2024)]
[Proposed Rules]
[Pages 65303-65311]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-17096]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
48 CFR Parts 339 and 352
RIN 0991-AC35
HHS Acquisition Regulation: Acquisition of Information
Technology; Standards for Health Information Technology (HHSAR Case
2023-001)
AGENCY: Department of Health and Human Services.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS) is proposing
to amend and update its Health and Human Services Acquisition
Regulation (HHSAR) to implement requirements to procure health
information technology (health IT) that meets standards and
implementation specifications (standards) adopted by the Office of the
National Coordinator for Health Information Technology (ONC) in the
following parts: Acquisition of Information Technology and Solicitation
Provisions and Contract Clauses.
DATES: Comments must be received on or before October 8, 2024, to be
considered in the formulation of the final rule.
ADDRESSES: Submit written comments in response to HHSAR Case 2023-001
through the Federal eRulemaking Portal at: <a href="https://www.regulations.gov">https://www.regulations.gov</a>
by searching for ``HHSAR Case 2023-001''. Select the link ``Comment
Now'' and follow the ``Submit a comment'' instructions. Please include
your name, company name (if any), and indicate they are submitted in
response to ``RIN 0991-AC35--HHS Acquisition Regulation: Acquisition of
Information Technology; Standards for Health Information Technology
(HHSAR Case 2023-001).''
Warning: Do not include any personally identifiable information or
confidential business information that you do not want publicly
disclosed. All comments may be posted on the internet and can be
retrieved by most internet search engines. No deletions, modifications,
or redactions will be made to comments received.
Inspection of Public Comments: All comments received before the
close of the comment period will be available for viewing by the
public, including personally identifiable or confidential business
information that is included in a comment. You may wish to consider
limiting the amount of personal information that you provide in any
voluntary public comment submission you make. HHS reserves the right to
withhold information provided in comments from public viewing that it
determines may have an adverse impact on an individual(s). For
additional information, please read the Privacy Act notice that is
available via the link in the footer of <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
Follow the search instructions on that website to view the public
comments.
FOR FURTHER INFORMATION CONTACT: Mr. Jarreau Vieira, Chief, Acquisition
Rule-Making Branch, U.S. Department of Health and Human Services,
Office of the Assistant Secretary for Financial Resources, Office of
Acquisition Policy, 200 Independence Avenue SW, Washington, DC 20201.
Email: <a href="/cdn-cgi/l/email-protection#57363426223e243e233e38390827383b3e342e173f3f2479303821"><span class="__cf_email__" data-cfemail="b1d0d2c0c4d8c2d8c5d8dedfeec1deddd8d2c8f1d9d9c29fd6dec7">[email protected]</span></a>, Telephone: (202) 731-4625. This is
not a toll-free telephone number.
SUPPLEMENTARY INFORMATION:
I. Background
A. Authority
This rulemaking is being taken under the authority of the Office of
Federal Procurement Policy (OFPP) Act which provides the authority for
an agency head to authorize the issuance of agency acquisition
regulations that implement or supplement the Federal Acquisition
Regulation (FAR). The OFPP Act, as codified in 41 U.S.C. 1702, provides
the authority for the FAR and for the issuance of agency acquisition
regulations consistent with the FAR. This authority ensures that
Government
[[Page 65304]]
procurements are handled fairly and consistently, that the Government
receives overall best value, and that the Government and contractors
both operate under a known set of rules. The Health and Human Services
Acquisition Regulation (HHSAR) is set forth at Title 48 CFR, chapter 3,
parts 301 through 370.
Under this authority, we are seeking to implement a department-wide
management policy issued by the Secretary of the Department of Health
and Human Services (Secretary) in July 2022 (hereafter the
``Secretary's July 2022 Memorandum''), that directed HHS agencies to
align and coordinate health IT-related activities in support of HHS
health IT and interoperability goals. This policy was supported by
requirements in sections 13111 and 13112 of the Health Information
Technology for Economic and Clinical Health Act (HITECH Act) (Pub. L.
111-5).
B. Genesis of Standards for Health Information Technology in the HHSAR
The Secretary's July 2022 Memorandum recognized that HHS spending
on health IT-related activities has grown dramatically in recent years,
as various agencies have begun to leverage the large foundation of
electronic health records put in place by the $40 billion invested as a
result of the HITECH Act, as part of the American Recovery and
Reinvestment Act of 2009 (Pub. L. 111-5, Feb. 17, 2009), and the
related clinical data and interoperability standards that HHS continues
to promote. Advancing interoperability and the effective and
appropriate use of health IT systems is a key HHS objective, and COVID-
19 has further demonstrated the importance of interoperable data to
improve the quality, safety, affordability, and efficiency of health
care delivery; inform pandemic response; and identify and address
disparities in care. As health IT-related activities begin to play an
increasingly prominent role in programs across the Department, the
Secretary's July 2022 Memorandum states that it is critical to ensure
alignment of such activities to avoid the proliferation of ad-hoc
health IT and data silos. These silos undercut the effectiveness and
efficiency of the Department's policies and programs, are costly for
Federal and state agencies and private sector partners to create and
maintain, have no synergies across programs, and--due to lack of
alignment across and within HHS agencies--impose significant burden on
health care providers, technology developers, and other health care
stakeholders.
As part of the Secretary's July 2022 Memorandum, the Secretary
directed HHS agencies, working with the Assistant Secretary for
Financial Resources (ASFR), to develop standard language for use in
grants, cooperative agreements, or contracts. The Secretary's July 2022
Memorandum further identified the general elements of this standard
language, including that: recipients are expected to utilize health IT
that meets standards adopted under Section 3004 of the Public Health
Service Act (PHSA), if applicable, when the funding mechanism includes
provisions requiring recipients to implement, acquire, or upgrade
health IT; health care providers who have been eligible to participate
in Center for Medicare & Medicaid Services's (CMS's) health IT-focused
incentive programs can meet alignment requirements under this policy by
using certified health IT which incorporates standards adopted under
PHSA Section 3004; and, where there are no applicable standards adopted
under PHSA Section 3004, recipients are encouraged to use other HHS-
identified standards or non-proprietary, consensus-based standards
developed by a national standard setting organization, such as those
referenced in the Interoperability Standards Advisory, are recommended.
We note that this regulation does not impact existing HHS
authorities for standards adoption and note that HHS agencies are
committed to working together to ensure that standards under such
authorities are aligned to advance interoperability for a nationwide
health IT infrastructure.
Section 13111 of the HITECH Act requires agencies identified by the
Director of the Office of Management and Budget (OMB), in consultation
with the Secretary, when implementing, acquiring, or upgrading health
IT systems used for the direct exchange of individually identifiable
health information between agencies and with non-Federal entities, to
utilize, where available, health IT systems and products that meet
standards and implementation specifications adopted by ONC on behalf of
the Secretary under section 3004 of the Public Health Service Act
(PHSA).
Section 13112 of the HITECH Act specifies that agencies, as defined
in Executive Order 13410, shall require in contracts or agreements with
health care providers, health plans, or health insurance issuers that
as each provider, plan, or issuer implements, acquires, or upgrades
health IT systems, it shall utilize, where available, health IT systems
and products that meet standards and implementation specifications
adopted under Section 3004 of the PHSA.
On behalf of HHS, ONC adopts standards and implementation
specifications under section 3004 of the PHSA in 45 CFR part 170,
subpart B. Standards adopted under section 3004 are included in
certification criteria for health IT in the ONC Health Information
Technology Certification Program in 45 CFR part 170, subpart C. For
more information on the ONC Certification Program, see <a href="https://www.healthit.gov/topic/certification-ehrs/certification-health-it">https://www.healthit.gov/topic/certification-ehrs/certification-health-it</a>.
Health care providers who have been eligible to participate in CMS's
health IT-focused incentive programs under sections 4101, 4102, and
4201 of the HITECH Act have been incentivized to adopt health IT that
meets certification criteria which incorporate standards in 45 CFR part
170, subpart B. Consistent with HHS policy, the proposals address use
of certified health IT by these providers, where applicable.
C. Implementation Via Class Deviation (2023-01)
On December 20, 2022, the HHS Senior Procurement Executive issued
HHSAR Class Deviation (2023-01) from part 339, Acquisition of
Information Technology; Standards for Health Information Technology, in
advance of this proposed rule to implement in the HHSAR the
requirements of the HITECH Act and HHS' implementation standards.
D. Purpose of Rule
This proposed rule is issued to comply with the requirements of 41
U.S.C. 1707 and FAR subpart 1.5 that require publication of a proposed
rule for public comment.
Consistent with HHS policy, including the Secretary's July 2022
Memorandum, and with sections 13111 and 13112 of the HITECH Act (Pub.
L. 111-5), HHS is proposing to amend the HHSAR to implement and align
requirements related to the procurement of health IT with standards and
implementation specifications adopted by ONC under section 3004 of the
PHSA.
This proposed rule would add a new HHSAR subpart 339.70, Standards
for Health Information Technology, which provides definitions, policy,
and a prescription for a new HHSAR clause to implement requirements of
the HITECH Act, to include: (1) when contracting officers must procure
health IT consistent with requirements in the HITECH Act; and (2) when
to require use of health IT in a manner consistent with requirements in
the HITECH Act,
[[Page 65305]]
in contracts and agreements with health care providers, health plans,
or health insurance issuers.
This proposed rule would implement requirements in the HHSAR that
would apply to all solicitations and contracts, issued by or on behalf
of HHS entities, that involve implementing, acquiring, or upgrading
health IT used (1) for the direct exchange of individually identifiable
health information between agencies and non-Federal entities, or (2) by
health care providers, health plans, or health insurance issuers.
II. Discussion and Analysis
A. HITECH Act Discussion
In this section, we provide discussion of several issues in
connection to our proposals in this proposed rule.
1. Acquiring, Implementing, or Upgrading Health IT
We believe additional discussion of terms used in sections 13111
and 13112 of the HITECH Act will help the public to understand how
these proposals will be implemented. Specifically, we note that both
sections refer to implementing, acquiring, or upgrading of health IT
systems as activities to which the statutory provisions apply. We
believe the terms acquiring and upgrading health IT are clear for the
purpose of this policy. However, we believe additional explanation of
the term ``implementing'' as it is used in this policy is warranted.
``Implementing'' health IT may include a variety of activities that are
distinct from acquiring or upgrading health IT. For instance,
``implementing'' health IT may include investments in health IT for its
maintenance and upkeep, the use of health IT to collect, store, and
share health information, and activities supporting the piloting, but
not the acquisition, of health IT tools.
We note that the proposals in HHSAR parts 339 and 352 in this
proposed rule pertain to ``work performed under the contract that
involves implementing, acquiring, or upgrading health IT.'' For
example, a contracted party performing research may obtain data from
health IT systems. Unless the contract defines specific health IT
activities and/or investments related to these data, such activities
would be considered incidental to the work performed under the contract
and would not be subject to our proposed requirements. We seek comment
on additional details that would help with clarifying when a contract
activity would be considered ``implementing'' health IT.
B. Authorities and Summary of Proposed Changes
We propose to revise the following parts of the HHSAR, 48 CFR
chapter 3: parts 339 and 352.
We propose to revise the authority citations cited in each HHSAR
part to reflect as follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C.
1121(c)(3); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304. Where
additional authorities for a specific part are applicable, we identify
them under that discussion of each HHSAR part later in this preamble.
We propose to retain the authority of 5 U.S.C. 301. This authority
provides that the head of an Executive department or military
department may prescribe regulations for the government of his
department, the conduct of its employees, the distribution and
performance of its business, and the custody, use, and preservation of
its records, papers, and property.
We propose to retain the authority of 40 U.S.C. 121(c) and slightly
revise the reference. This authorizes the head of each executive agency
to issue orders and directives that the agency head considers necessary
to carry out the regulations. The Federal Acquisition Regulation System
and the publication of the FAR is issued pursuant to this authority as
are agency supplements to the FAR such as the HHSAR.
We propose to include a reference to 41 U.S.C. 1121(c)(3). This
provision states that the authority of an executive agency under
another law to prescribe policies, regulations, procedures, and forms
for procurement is subject to the authority conferred in section 1121,
as well as other sections of title 41.
We propose to add an authority citation for 41 U.S.C. 1702 which
addresses the acquisition planning and management responsibilities that
are carried out by the HHS Senior Procurement Executive.
And we propose to add the citation of 48 CFR 1.301 through 1.304 to
reflect the authority and responsibility set forth in the FAR and
delegated to Federal agencies to issue agency regulations that
supplement and implement the FAR.
Any other proposed changes to authorities are shown under the
individual parts below.
1. HHSAR Part 339--Acquisition of Information Technology
We propose to revise the authority citations for part 339, for the
reasons set forth in the discussion and analysis section, to read as
follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41
U.S.C. 1702; and 48 CFR 1.301 through 1.304.
We propose to add subpart 339.70, Standards for Health Information
Technology, to include underlying sections 339.7000, 339.7001,
339.7002, and 339.7003. This subpart is added to implement standards
under the authority of the HITECH Act, Public Law 111-5, title XIII,
sections 13111 and 13112 that are applicable for HHS contracts, as well
as HHS policy.
We propose to add section 339.7000, Scope of subpart, to provide
general scope and purpose of the subpart and its underlying sections,
which implements and aligns requirements related to the procurement of
health IT with standards and implementation specifications adopted by
ONC, under section 3004 of the PHSA, consistent with sections 13111 and
13112 of the HITECH Act (Pub. L. 111-5) and HHS policy to advance
health IT alignment. The subpart describes the policies and procedures
for solicitations and contracts that involve implementing, acquiring,
or upgrading health IT that is used for the direct exchange of
individually identifiable health information between agencies and with
non-Federal entities; or by health care providers, health plans, or
health insurance issuers.
We propose to add section 339.7001, Definitions. This section is
added to include three definitions applicable to the new subpart:
Health information technology (health IT), individually identifiable
health information, and the ONC Health Information Technology
Certification Program.
We propose to add section 339.7002, Policy--standards for health
information technology. This section is added to implement standards
for health IT in HHS contracts. This section would require, pursuant to
the HITECH Act, Public Law 111-5, title XIII, sections 13111 and 13112,
and HHS policy, that health IT shall meet standards and implementation
specifications adopted in 45 CFR part 170, subpart B, if applicable.
This includes health IT that is--
<bullet> Procured by or on behalf of HHS entities, or
<bullet> Procured through HHS contracts with health care providers,
health plans, or health insurance issuers that involve implementing,
acquiring, or upgrading health IT.
Section 339.7002 would prohibit contracting officers from awarding
a contract involving health IT as described in this preamble, unless
certain conditions are met. First, this section would prohibit
contracting officers from awarding a contract that includes
implementing, acquiring, or upgrading health IT used for the direct
[[Page 65306]]
exchange of individually identifiable health information between
agencies and with non-Federal entities unless an offeror/quoter/
contractor shall utilize health IT that--
<bullet> Meets standards and implementation specifications adopted
in 45 CFR part 170, subpart B, if such standards and implementation
specifications can support work performed under the contract; or
<bullet> Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the contractor is--
[cir] an eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH
Act; or
[cir] implementing, acquiring, or upgrading technology to be used
by an eligible professional in an ambulatory setting, or hospital,
eligible under sections 4101, 4102, and 4201 of the HITECH Act.
Further, this section would also prohibit contracting officers from
awarding a contract if a contractor is a health care provider, health
plan, or health insurance issuer, or, to perform the contract, is
establishing an agreement with a health care provider, health plan, or
health insurance issuer, for any work performed under the contract that
involves implementing, acquiring, or upgrading health IT, unless the
offeror/quoter/contractor agrees that it shall utilize health IT that--
<bullet> Meets standards and implementation specifications adopted
in 45 CFR part 170, subpart B, if such standards and implementation
specifications can support work performed under the contract; or
<bullet> Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the contractor is--
[cir] an eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH
Act; or
[cir] implementing, acquiring, or upgrading technology to be used
by an eligible professional in an ambulatory setting, or hospital,
eligible under sections 4101, 4102, and 4201 of the HITECH Act.
Finally, this section would also encourage offerors/quoters/
contractors, if standards and implementation specifications adopted in
45 CFR part 170, subpart B, cannot support the work as specified in the
contract, to use health IT that meets non-proprietary standards and
implementation specifications developed by consensus-based standards
development organizations. This may include standards identified in the
ONC Interoperability Standards Advisory, available at <a href="https://www.healthit.gov/isa/">https://www.healthit.gov/isa/</a>.
We propose to add section 339.7003, Contract clause, to prescribe a
new clause at 352.239-70, Standards for Health Information Technology,
in solicitations and contracts, issued by or on behalf of HHS entities,
that involve implementing, acquiring, or upgrading health IT used--
(a) for the direct exchange of individually identifiable health
information between agencies and with non-Federal entities; or
(b) by health care providers, health plans, or health insurance
issuers.
2. HHSAR Part 352--Solicitation Provisions and Contract Clauses
We propose to revise the authority citations for part 352, for the
reasons set forth in the discussion and analysis section, to read as
follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41
U.S.C. 1702; and 48 CFR 1.301 through 1.304.
We propose to add clause 352.239-70, Standards for Health
Information Technology, to set forth requirements for the standards for
health IT provided or utilized on a contract. The clause would include
three definitions: Health information technology (health IT),
individually identifiable health information, and the ONC Health
Information Technology Certification Program.
The clause would provide that by submission of an offer or a quote,
and execution of a contract, the offeror/quoter/contractor agrees
that--
<bullet> For any work performed under the contract that involves
implementing, acquiring, or upgrading health IT procured by or on
behalf of HHS entities used for the direct exchange of individually
identifiable health information between agencies and with non-Federal
entities, the offeror/quoter/contractor shall utilize health IT that--
(1) Meets standards and implementation specifications adopted in 45
CFR part 170, subpart B, if such standards and implementation
specifications can support the work performed under the contract; or
(2) Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support the work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the Contractor is--
(i) an eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH
Act; or
(ii) is implementing, acquiring or upgrading technology to be used
by an eligible professional in an ambulatory setting, or a hospital,
eligible under sections 4101, 4102 and 4201 of the HITECH Act.
<bullet> When the contractor is a health care provider, health
plan, or health insurance issuer, or, to perform the contract, is
establishing an agreement with a health care provider, health plan, or
health insurance issuer, for work performed under the contract that
involves implementing, acquiring, or upgrading health IT, the offeror/
quoter/contractor shall utilize heath IT that--
(1) Meets standards and implementation specifications adopted in 45
CFR part 170, subpart B, if such standards and implementation
specifications can support the work performed under the contract; or
(2) Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support the work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the Contractor is--
(i) an eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH
Act; or
(ii) implementing, acquiring or upgrading technology to be used by
an eligible professional in an ambulatory setting, or a hospital,
eligible under sections 4101, 4102 and 4201 of the HITECH Act.
Additionally, this section would also encourage contractors, if
such standards and implementation specifications adopted in 45 CFR part
170, subpart B, cannot support the work as specified in the contract,
to use health IT that meets non-proprietary standards and
implementation specifications developed by consensus-based standards
development organizations. This may include standards identified in the
ONC Interoperability Standards Advisory, available at <a href="https://www.healthit.gov/isa/">https://www.healthit.gov/isa/</a>.
III. Executive Order 12866 and 13563
Executive Orders (E.O.) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, when
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic,
[[Page 65307]]
environmental, public health and safety, and other advantages;
distributive impacts; and equity). E.O. 13563 (Improving Regulation and
Regulatory Review) emphasizes the importance of quantifying both costs
and benefits, reducing costs, harmonizing rules, and promoting
flexibility.
The Office of Information and Regulatory Affairs has examined the
economic, interagency, budgetary, legal, and policy implications of
this regulatory action, and has determined that this proposed rule is
not a significant regulatory action under E.O. 12866.
HHS's impact analysis can be found as a supporting document at
<a href="https://www.regulations.gov">https://www.regulations.gov</a>, usually within 48 hours after the
rulemaking document is published.
IV. Paperwork Reduction Act
This proposed rule contains no provisions constituting a collection
of information under the Paperwork Reduction Act of 1995 (44 U.S.C.
3501-3521).
V. Regulatory Flexibility Act
The Secretary hereby certifies that this proposed rule would not
have a significant economic impact on a substantial number of small
entities as they are defined in the Regulatory Flexibility Act (5
U.S.C. 601-612). Therefore, pursuant to 5 U.S.C. 605(b), the initial
and final regulatory flexibility analysis requirements of 5 U.S.C. 603
and 604 do not apply.
HHS expects that the overall impact of the proposed rule would
benefit small businesses because the HHSAR is being updated to provide
needed guidance to ensure HHS's contractors properly understand and can
propose and provide health IT that meets standards and implementation
specifications adopted by the ONC, consistent with sections 13111 and
13112 of the HITECH Act (Pub. L. 111-5, title XIII, sections 13111 and
13112) and HHS policy.
Any additional costs associated with the proposed rule, such as
costs to implement the substantive new and revised requirements
concerning the HITECH Act, can be factored into the contract price.
There are no alternatives that would permit treating small businesses
providing services and equipment to HHS differently than other firms.
However, with clear guidance and an understanding of the requirement,
small businesses will be better postured to provide offers and quotes
with fully compliant equipment and thus be able to effectively
participate in HHS acquisitions. The use of consensus-based standards
presents a potential benefit to small businesses as it provides clear
technical guidelines for health IT requirements. This can help to
reduce development burden by offering open technical guidelines for
implementation, rather than necessitating resource allocation to
standards development. In addition, the use of non-proprietary
standards allows greater flexibility for customers and mitigates the
risk of being ``locked in'' to any one product or vendor. Overall, the
use of open, consensus-based standards increases small businesses'
ability to compete in the health IT landscape. On this basis, the
Secretary hereby certifies that this proposed rule will not have a
significant economic impact on a substantial number of small entities
as they are defined in the Regulatory Flexibility Act, 5 U.S.C. 601-
612. Therefore, pursuant to 5 U.S.C. 605(b), the initial regulatory
flexibility analysis requirements of section 603 does not apply.
While on the basis of the foregoing, HHS has determined that the
agency is not required to prepare an Initial Regulatory Flexibility
Analysis (IRFA), HHS has prepared an IRFA that is summarized here.
Comments are solicited from small businesses and other interested
parties and will be considered in the development of the final rule.
VI. Initial Regulatory Flexibility Analysis
This Initial Regulatory Flexibility Analysis (IRFA) has been
prepared consistent with 5 U.S.C. 603.
1. Description of the reasons why the action is being taken.
This proposed rule would amend the Health and Human Services
Acquisition Regulation (HHSAR) to implement updates to the HHSAR to add
substantive new language to align requirements related to the
procurement of health information technology (health IT) with standards
and implementation specifications (standards) adopted by the Office of
the National Coordinator for Health Information Technology (ONC),
consistent with sections 13111 and 13112 of the Health Information
Technology for Economic and Clinical Health Act (``HITECH Act'') (Pub.
L. 111-5, title XIII, sections 13111 and 13112) and HHS policy.
Section 13111 of the HITECH Act requires agencies identified by the
Director of the Office of Management and Budget (OMB), in consultation
with the Secretary, when implementing, acquiring, or upgrading health
IT systems used for the direct exchange of individually identifiable
health information between agencies and with non-Federal entities, to
utilize, where available, health IT systems and products that meet
standards and implementation specifications adopted by ONC on behalf of
the Secretary under section 3004 of the Public Health Service Act
(PHSA).
Section 13112 of the HITECH Act specifies that agencies, as defined
in Executive Order 13410, shall require in contracts or agreements with
health care providers, health plans, or health insurance issuers that
as each provider, plan, or issuer implements, acquires, or upgrades
health IT systems, it shall utilize, where available, health IT systems
and products that meet standards and implementation specifications
adopted under section 3004 of the PHSA.
On behalf of HHS, ONC adopts standards and implementation
specifications under section 3004 of the PHSA in 45 CFR part 170,
subpart B. Standards adopted under section 3004 are included in
certification criteria for health IT in the ONC Health Information
Technology Certification Program at 45 CFR part 170, subpart C. For
more information on the ONC Certification Program, see <a href="https://www.healthit.gov/topic/certification-ehrs/certification-health-it">https://www.healthit.gov/topic/certification-ehrs/certification-health-it</a>.
This proposed rule would implement requirements in the HHSAR that
would apply to all solicitations and contracts, issued by or on behalf
of HHS entities, that involve implementing, acquiring, or upgrading
health IT used (1) for the direct exchange of individually identifiable
health information between agencies and non-Federal entities, or (2) by
health care providers, health plans, or health insurance issuers under
HHS contracts. Based on a review of the potential impact on small
business entities, HHS has determined that the requirements specified
in the proposed rule are inherent to successful performance on any
relevant Federal contract.
This proposed rule would provide definitions, policy, and a
prescription for a new HHSAR clause to implement requirements of the
HITECH Act, to include: (1) when contracting officers must procure
health IT that complies with the HITECH Act; and (2) when to require
health IT that complies with the HITECH Act in contracts and agreements
with health care providers, health plans, or health insurance issuers.
2. Succinct statement of the objectives of, and legal basis for,
the rule.
The proposed rule implements the HITECH Act, sections 13111 and
13112, and HHS policy. This must be
[[Page 65308]]
implemented in the HHSAR in accordance with 41 U.S.C. 1707, and FAR
subpart 1.5 that require publication of a proposed rule for public
comment.
3. Description of and, where feasible, estimate of the number of
small entities to which the rule will apply.
To estimate the number of small businesses that could potentially
be impacted by the proposed rule, HHS identified contract award actions
across key North American Industry Classification System (NAICS) codes,
as well as Product Service Codes (PSC) that could be affected for five
fiscal years--FY 2018, 2019, 2020, 2021 and 2022 as set forth in the
table below. HHS focused on businesses that potentially could be
impacted by the proposed revisions to parts 339 and 352 involving
health IT, because of the potential costs resulting from the
utilization of health information technology that meets standards and
implementation specifications adopted under section 3004 of the PHSA,
consistent with the HITECH Act, in HHS acquisitions containing such
requirements.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Number of contract actions
NAICS NAICS description ---------------------------------------------------------------------------------------------------------------
FY 2018 FY 2019 FY 2020 FY 2021 FY 2022 Total Average
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
518210..................................... Computing Infrastructure Providers, 772 799 797 754 909 4,031 806.2
Data Processing, Web Hosting, and
Related Services.
524292..................................... Pharmacy Benefit Management and 29 29 32 29 44 163 32.6
Other Third Party Administration
of Insurance and Pension Funds.
541511..................................... Custom Computer Programming 1,327 1,288 1,343 1,332 1,668 6,958 1,391.6
Services.
541512..................................... Computer Systems Design Services... 2,838 3,095 2,891 3,103 4,497 16,424 3,284.8
541513..................................... Computer Facilities Management 125 130 155 121 161 692 138.4
Services.
541519..................................... Other Computer Related Services.... 4,857 4,264 4,813 4,141 4,610 22,685 4,537
541715..................................... Research and Development in the 322 644 1,074 1,498 2,227 5,765 1,153
Physical, Engineering, and Life
Sciences (except Nanotechnology
and Biotechnol-ogy).
541990..................................... All Other Professional, Scientific, 3,356 2,943 3,216 3,305 4,271 17,091 3,418.2
and Tech. Svcs.
611310..................................... Colleges, Universities, and 336 265 228 222 265 1,316 263.2
Professional Schools.
----------------------------------------------------------------------------------------------------------------------------------------------------
NAICS Total ................................... 13,962 13,457 14,549 14,505 18,652 75,125 15,025
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PSC Product service code description...
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
7010....................................... Information Technology Equipment 94 94 94 94 94 94 94
System Configuration.
7020....................................... Information Technology Central 47 41 79 19 5 191 38.2
Processing Unit (CPU, Computer),
Analog.
7021....................................... Information Technology Central 231 116 207 23 14 591 118.2
Processing Unit (CPU, Computer),
Digital.
7022....................................... Information Technology Central 18 18 14 6 0 56 11.2
Processing Unit (CPU, Computer),
Hybrid.
7025....................................... Information Technology Input/Output 149 105 136 40 23 453 90.6
and Storage Devices.
7030....................................... Information Technology Software.... 1,934 1,524 1,971 674 514 6,617 1,323.4
7035....................................... Information Technology Support 501 353 426 106 79 1,465 293
Equipment.
----------------------------------------------------------------------------------------------------------------------------------------------------
PSC Total......................... 2,974 2,253 2,931 898 657 9,713 1,942.6
Total............................. 16,936 15,710 17,480 15,403 19,309 84,838 16,967.6
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
As shown, HHS awarded over 84,838 contract actions for nine NAICS
(products or services) and seven Product Service Codes for IT or IT-
related services during the period FY 2018 through FY 2022. To estimate
the number of small businesses potentially impacted by this proposed
rule involving the much narrower health IT certification standards and
requirements, HHS notes that in FY 2022, the total number of contract
actions awarded to small business concerns across the nine NAICS and
all operating administrations was around 55%. Using this figure to
project the potential impact to small business entities that may be
affected by the proposed rule, the Department estimates that up to
8,484 contract actions could be awarded to small businesses.
4. Description of projected reporting, recordkeeping, and other
compliance requirements of the rule, including an estimate of the
classes of small entities which will be subject to the requirement and
the type of professional skills necessary for preparation of the report
or record.
This proposed rule contains no provisions constituting a collection
of information under the Paperwork Reduction Act of 1995 (44 U.S.C.
3501-3521).
5. Identification, to the extent practicable, of all relevant
Federal rules which may duplicate, overlap, or conflict with the rule.
[[Page 65309]]
The proposed rule does not duplicate, overlap, or conflict with any
other Federal rules.
6. Description of any significant alternatives to the rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the rule on small entities.
HHS considered whether any other alternatives would reduce the
impact on small businesses but concluded that the proposed rule was
necessary for consistency with the FAR, for compliance with the HITECH
Act and HHS policy, and to ensure the information security and
integrity of HHS information and information systems.
IV. Comments on the Economic Impacts of the Rule
HHS has submitted a copy of the IRFA to the Chief Counsel for
Advocacy of the Small Business Administration. HHS will consider
comments from small entities concerning the affected HHSAR parts, to
include 339 and 352 that pertains to IT. Interested parties should cite
5 U.S.C. 601, et seq. and reference 0991-AC35--HHS Acquisition
Regulation: Acquisition of Information Technology; Standards for Health
Information Technology (HHSAR Case 2023-001), in comments on the
certification or the IRFA presented in this proposed rule.
A. Unfunded Mandates
The Unfunded Mandates Reform Act of 1995 (URMA) requires, at 2
U.S.C. 1532, that agencies prepare an assessment of anticipated costs
and benefits before issuing any rule that may result in the expenditure
by State, local, and tribal governments, in the aggregate, or by the
private sector, of $100 million or more (adjusted annually for
inflation) in any one year. In 2023, that threshold is approximately
$177 million. HHS has determined that this proposed rule would have no
such effect on State, local, and tribal governments or on the private
sector. Therefore, the analytical requirements of UMRA do not apply.
List of Subjects in 48 CFR Parts 339 and 352
Government procurement.
Xavier Becerra,
Secretary, Department of Health and Human Services.
For the reasons set out in the preamble, HHS proposes to amend 48
CFR parts 339 and 352 as follows:
PART 339--ACQUISITION OF INFORMATION TECHNOLOGY
0
1. The authority citation for part 339 is revised to read as follows:
Authority: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3);
41 U.S.C. 1702; and 48 CFR 1.301 through 1.304.
0
2. Subpart 339.70 is added to read as follows:
Subpart 339.70--Standards for Health Information Technology
339.7000 Scope of subpart.
339.7001 Definitions.
339.7002 Policy--standards for health information technology.
339.7003 Contract clause.
339.7000 Scope of Subpart
(a) This subpart implements and aligns requirements related to the
procurement of health information technology (health IT) with standards
and implementation specifications (standards) adopted by the Office of
the National Coordinator for Health Information Technology (ONC) under
section 3004 of the Public Health Service Act (PHSA), consistent with
sections 13111 and 13112 of the HITECH Act (Pub. L. 111-5) and HHS
policy to advance health IT alignment.
(b) This subpart provides policies and procedures for solicitations
and contracts that involve implementing, acquiring, or upgrading health
IT used--
(1) For the direct exchange of individually identifiable health
information between agencies and with non-Federal entities; or
(2) By health care providers, health plans, or health insurance
issuers.
339.7001 Definitions
As used in this subpart--
Health information technology (health IT) means hardware, software,
integrated technologies or related licenses, intellectual property,
upgrades, or packaged solutions sold as services that are designed for
or support the use by health care entities or patients for the
electronic creation, maintenance, access, or exchange of health
information. (42 U.S.C. 300jj(5))
Individually identifiable health information means any information,
including demographic information collected from an individual, that--
(1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision
of health care to an individual; and
(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual. (42 U.S.C.
300jj(8), 1320d(6))
ONC Health Information Technology Certification Program means the
voluntary certification program administered by ONC using a third-party
conformity assessment program for health IT. Certification criteria for
the Program are found in 45 CFR part 170, subpart C, and incorporate
standards and implementation specifications in 45 CFR part 170 subpart
B.
339.7002 Policy--Standards for Health Information Technology
(a) Pursuant to the HITECH Act, Public Law 111-5, title XIII,
sections 13111 and 13112, and HHS policy, health IT procured by or on
behalf of HHS entities, or procured through HHS contracts with health
care providers, health plans, or health insurance issuers that involve
implementing, acquiring, or upgrading health IT, shall meet standards
and implementation specifications adopted in 45 CFR part 170, subpart
B, if applicable.
(b) Contracting officers shall not award a contract unless the
offeror/quoter/contractor agrees, by submission of an offer (or a
quote) and execution of the contract, that--
(1) For any work performed under the contract that involves
implementing, acquiring, or upgrading health IT procured by or on
behalf of HHS entities used for the direct exchange of individually
identifiable health information between agencies and with non-Federal
entities unless the offeror/quoter/contractor shall utilize health IT
that--
(i) Meets standards and implementation specifications adopted in 45
CFR part 170, subpart B, if such standards and implementation
specifications can support work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the contractor is--
(A) An eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH
Act; or
(B) Implementing, acquiring, or upgrading technology to be used by
an
[[Page 65310]]
eligible professional in an ambulatory setting, or hospital, eligible
under sections 4101, 4102, and 4201 of the HITECH Act.
(2) If the contractor is a health care provider, health plan, or
health insurance issuer, or, to perform the contract, is establishing
an agreement with a health care provider, health plan, or health
insurance issuer, for any work performed under the contract that
involves implementing, acquiring, or upgrading health IT, the offeror/
quoter/contractor shall utilize health IT that--
(i) Meets standards and implementation specifications adopted in 45
CFR part 170, subpart B, if such standards and implementation
specifications can support work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the contractor is--
(A) An eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH
Act; or
(B) Implementing, acquiring, or upgrading technology to be used by
an eligible professional in an ambulatory setting, or hospital,
eligible under sections 4101, 4102, and 4201 of the HITECH Act.
(c) If standards and implementation specifications adopted in 45
CFR part 170, subpart B, cannot support the work as specified in the
contract, the offeror/quoter/contractor is encouraged to use health IT
that meets non-proprietary standards and implementation specifications
developed by consensus-based standards development organizations. This
may include standards identified in the ONC Interoperability Standards
Advisory, available at <a href="https://www.healthit.gov/isa/">https://www.healthit.gov/isa/</a>.
339.7003 Contract Clause
The contracting officer shall insert the clause at 352.239-70,
Standards for Health Information Technology, in solicitations and
contracts issued by or on behalf of HHS entities that--
(a) Involve implementing, acquiring, or upgrading health IT used
for the direct exchange of individually identifiable health information
between agencies and with non-Federal entities; or
(b) Are with health care providers, health plans, or health
insurance issuers that, under the solicitation or contract, would be
implementing, acquiring, or upgrading health IT.
PART 352--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
3. The authority for part 352 is revised to read as follows:
Authority: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3);
41 U.S.C. 1702; 42 U.S.C. 2003; and 48 CFR 1.301 through 1.304.
Subpart 352.2--Text of Provisions and Clauses
0
4. The heading for subpart 352.2 is revised to read as set forth above.
0
5. Section 352.239-70 is added to read as follows:
352.239-70 Standards for Health Information Technology
As prescribed in 339.7003, insert the following clause:
Standards for Health Information Technology
(Date)
(a) Definitions. As used in this clause--
Health information technology (health IT) means hardware, software,
integrated technologies or related licenses, intellectual property,
upgrades, or packaged solutions sold as services that are designed for
or support the use by health care entities or patients for the
electronic creation, maintenance, access, or exchange of health
information. (42 U.S.C. 300jj(5))
Individually identifiable health information means any information,
including demographic information collected from an individual, that--
(1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision
of health care to an individual; and
(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual. (42 U.S.C.
300jj(8), 1320d(6))
ONC Health Information Technology Certification Program means the
voluntary certification program administered by the HHS Office of the
National Coordinator for Health Information Technology (ONC) using a
third-party conformity assessment program for health IT. Certification
criteria for the Program are found in 45 CFR part 170, subpart C, and
incorporate standards and implementation specifications in 45 CFR part
170, subpart B.
(b) Pursuant to the Health Information Technology for Economic and
Clinical Health Act (HITECH Act), Public Law 111-5, title XIII,
sections 13111 and 13112, and HHS policy, by submission of an offer (or
a quote) and execution of a contract, the offeror/quoter/Contractor
agrees that--
(1) For any work performed under the contract that involves
implementing, acquiring, or upgrading health IT procured by or on
behalf of HHS entities used for the direct exchange of individually
identifiable health information between agencies and with non-Federal
entities, the offeror/quoter/Contractor shall utilize health IT that--
(i) Meets standards and implementation specifications adopted in 45
CFR part 170, subpart B, if such standards and implementation
specifications can support the work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support the work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the Contractor is--
(A) An eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH
Act; or
(B) Implementing, acquiring, or upgrading technology to be used by
an eligible professional in an ambulatory setting, or a hospital,
eligible under sections 4101, 4102 and 4201 of the HITECH Act.
(2) If the Contractor is a health care provider, health plan, or
health insurance issuer, or, to perform the contract, is establishing
an agreement with a health care provider, health plan, or health
insurance issuer, for any work performed under the contract that
involves implementing, acquiring, or upgrading health IT, the offeror/
quoter/Contractor shall utilize health IT that--
(i) Meets standards and implementation specifications adopted in 45
CFR part 170, subpart B, if such standards and implementation
specifications can support the work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology
Certification Program, if certified technology can support the work
performed under the contract (see certification criteria in 45 CFR part
170, subpart C), when the Contractor is--
(A) An eligible professional in an ambulatory setting, or a
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH
Act; or
(B) Implementing, acquiring, or upgrading technology to be used by
an
[[Page 65311]]
eligible professional in an ambulatory setting, or a hospital, eligible
under sections 4101, 4102 and 4201 of the HITECH Act.
(c) If standards and implementation specifications adopted in 45
CFR part 170, subpart B, cannot support the work as specified in the
contract, the Contractor is encouraged to use health IT that meets non-
proprietary standards and implementation specifications developed by
consensus-based standards development organizations. This may include
standards identified in the ONC Interoperability Standards Advisory,
available at <a href="https://www.healthit.gov/isa/">https://www.healthit.gov/isa/</a>.
(End of clause)
[FR Doc. 2024-17096 Filed 8-8-24; 8:45 am]
BILLING CODE 4151-19-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on August 9, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.