89 FR 154 pgs. 65303-65311 - HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001)
Type: PRORULEVolume: 89Number: 154Pages: 65303 - 65311
Pages: 65303, 6530465305, 65306, 65307, 65308, 65309, 65310, 65311, FR document: [FR Doc. 2024-17096 Filed 8-8-24; 8:45 am]
Agency: Health and Human Services Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
48 CFR Parts 339 and 352
RIN 0991-AC35
HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001)
AGENCY:
Department of Health and Human Services.
ACTION:
Proposed rule.
SUMMARY:
The Department of Health and Human Services (HHS) is proposing to amend and update its Health and Human Services Acquisition Regulation (HHSAR) to implement requirements to procure health information technology (health IT) that meets standards and implementation specifications (standards) adopted by the Office of the National Coordinator for Health Information Technology (ONC) in the following parts: Acquisition of Information Technology and Solicitation Provisions and Contract Clauses.
DATES:
Comments must be received on or before October 8, 2024, to be considered in the formulation of the final rule.
ADDRESSES:
Submit written comments in response to HHSAR Case 2023-001 through the Federal eRulemaking Portal at: https://www.regulations.gov by searching for "HHSAR Case 2023-001". Select the link "Comment Now" and follow the "Submit a comment" instructions. Please include your name, company name (if any), and indicate they are submitted in response to "RIN 0991-AC35-HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001)."
Warning: Do not include any personally identifiable information or confidential business information that you do not want publicly disclosed. All comments may be posted on the internet and can be retrieved by most internet search engines. No deletions, modifications, or redactions will be made to comments received.
Inspection of Public Comments: All comments received before the close of the comment period will be available for viewing by the public, including personally identifiable or confidential business information that is included in a comment. You may wish to consider limiting the amount of personal information that you provide in any voluntary public comment submission you make. HHS reserves the right to withhold information provided in comments from public viewing that it determines may have an adverse impact on an individual(s). For additional information, please read the Privacy Act notice that is available via the link in the footer of https://www.regulations.gov. Follow the search instructions on that website to view the public comments.
FOR FURTHER INFORMATION CONTACT:
Mr. Jarreau Vieira, Chief, Acquisition Rule-Making Branch, U.S. Department of Health and Human Services, Office of the Assistant Secretary for Financial Resources, Office of Acquisition Policy, 200 Independence Avenue SW, Washington, DC 20201. Email: acquisition_policy@hhs.gov, Telephone: (202) 731-4625. This is not a toll-free telephone number.
SUPPLEMENTARY INFORMATION:
I. Background
A. Authority
[top] This rulemaking is being taken under the authority of the Office of Federal Procurement Policy (OFPP) Act which provides the authority for an agency head to authorize the issuance of agency acquisition regulations that implement or supplement the Federal Acquisition Regulation (FAR). The OFPP Act, as codified in 41 U.S.C. 1702, provides the authority for the FAR and for the issuance of agency acquisition regulations consistent with the FAR. This authority ensures that Government
Under this authority, we are seeking to implement a department-wide management policy issued by the Secretary of the Department of Health and Human Services (Secretary) in July 2022 (hereafter the "Secretary's July 2022 Memorandum"), that directed HHS agencies to align and coordinate health IT-related activities in support of HHS health IT and interoperability goals. This policy was supported by requirements in sections 13111 and 13112 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Pub. L. 111-5).
B. Genesis of Standards for Health Information Technology in the HHSAR
The Secretary's July 2022 Memorandum recognized that HHS spending on health IT-related activities has grown dramatically in recent years, as various agencies have begun to leverage the large foundation of electronic health records put in place by the $40 billion invested as a result of the HITECH Act, as part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5, Feb. 17, 2009), and the related clinical data and interoperability standards that HHS continues to promote. Advancing interoperability and the effective and appropriate use of health IT systems is a key HHS objective, and COVID-19 has further demonstrated the importance of interoperable data to improve the quality, safety, affordability, and efficiency of health care delivery; inform pandemic response; and identify and address disparities in care. As health IT-related activities begin to play an increasingly prominent role in programs across the Department, the Secretary's July 2022 Memorandum states that it is critical to ensure alignment of such activities to avoid the proliferation of ad-hoc health IT and data silos. These silos undercut the effectiveness and efficiency of the Department's policies and programs, are costly for Federal and state agencies and private sector partners to create and maintain, have no synergies across programs, and-due to lack of alignment across and within HHS agencies-impose significant burden on health care providers, technology developers, and other health care stakeholders.
As part of the Secretary's July 2022 Memorandum, the Secretary directed HHS agencies, working with the Assistant Secretary for Financial Resources (ASFR), to develop standard language for use in grants, cooperative agreements, or contracts. The Secretary's July 2022 Memorandum further identified the general elements of this standard language, including that: recipients are expected to utilize health IT that meets standards adopted under Section 3004 of the Public Health Service Act (PHSA), if applicable, when the funding mechanism includes provisions requiring recipients to implement, acquire, or upgrade health IT; health care providers who have been eligible to participate in Center for Medicare & Medicaid Services's (CMS's) health IT-focused incentive programs can meet alignment requirements under this policy by using certified health IT which incorporates standards adopted under PHSA Section 3004; and, where there are no applicable standards adopted under PHSA Section 3004, recipients are encouraged to use other HHS-identified standards or non-proprietary, consensus-based standards developed by a national standard setting organization, such as those referenced in the Interoperability Standards Advisory, are recommended.
We note that this regulation does not impact existing HHS authorities for standards adoption and note that HHS agencies are committed to working together to ensure that standards under such authorities are aligned to advance interoperability for a nationwide health IT infrastructure.
Section 13111 of the HITECH Act requires agencies identified by the Director of the Office of Management and Budget (OMB), in consultation with the Secretary, when implementing, acquiring, or upgrading health IT systems used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities, to utilize, where available, health IT systems and products that meet standards and implementation specifications adopted by ONC on behalf of the Secretary under section 3004 of the Public Health Service Act (PHSA).
Section 13112 of the HITECH Act specifies that agencies, as defined in Executive Order 13410, shall require in contracts or agreements with health care providers, health plans, or health insurance issuers that as each provider, plan, or issuer implements, acquires, or upgrades health IT systems, it shall utilize, where available, health IT systems and products that meet standards and implementation specifications adopted under Section 3004 of the PHSA.
On behalf of HHS, ONC adopts standards and implementation specifications under section 3004 of the PHSA in 45 CFR part 170, subpart B. Standards adopted under section 3004 are included in certification criteria for health IT in the ONC Health Information Technology Certification Program in 45 CFR part 170, subpart C. For more information on the ONC Certification Program, see https://www.healthit.gov/topic/certification-ehrs/certification-health-it. Health care providers who have been eligible to participate in CMS's health IT-focused incentive programs under sections 4101, 4102, and 4201 of the HITECH Act have been incentivized to adopt health IT that meets certification criteria which incorporate standards in 45 CFR part 170, subpart B. Consistent with HHS policy, the proposals address use of certified health IT by these providers, where applicable.
C. Implementation Via Class Deviation (2023-01)
On December 20, 2022, the HHS Senior Procurement Executive issued HHSAR Class Deviation (2023-01) from part 339, Acquisition of Information Technology; Standards for Health Information Technology, in advance of this proposed rule to implement in the HHSAR the requirements of the HITECH Act and HHS' implementation standards.
D. Purpose of Rule
This proposed rule is issued to comply with the requirements of 41 U.S.C. 1707 and FAR subpart 1.5 that require publication of a proposed rule for public comment.
Consistent with HHS policy, including the Secretary's July 2022 Memorandum, and with sections 13111 and 13112 of the HITECH Act (Pub. L. 111-5), HHS is proposing to amend the HHSAR to implement and align requirements related to the procurement of health IT with standards and implementation specifications adopted by ONC under section 3004 of the PHSA.
[top] This proposed rule would add a new HHSAR subpart 339.70, Standards for Health Information Technology, which provides definitions, policy, and a prescription for a new HHSAR clause to implement requirements of the HITECH Act, to include: (1) when contracting officers must procure health IT consistent with requirements in the HITECH Act; and (2) when to require use of health IT in a manner consistent with requirements in the HITECH Act,
This proposed rule would implement requirements in the HHSAR that would apply to all solicitations and contracts, issued by or on behalf of HHS entities, that involve implementing, acquiring, or upgrading health IT used (1) for the direct exchange of individually identifiable health information between agencies and non-Federal entities, or (2) by health care providers, health plans, or health insurance issuers.
II. Discussion and Analysis
A. HITECH Act Discussion
In this section, we provide discussion of several issues in connection to our proposals in this proposed rule.
1. Acquiring, Implementing, or Upgrading Health IT
We believe additional discussion of terms used in sections 13111 and 13112 of the HITECH Act will help the public to understand how these proposals will be implemented. Specifically, we note that both sections refer to implementing, acquiring, or upgrading of health IT systems as activities to which the statutory provisions apply. We believe the terms acquiring and upgrading health IT are clear for the purpose of this policy. However, we believe additional explanation of the term "implementing" as it is used in this policy is warranted. "Implementing" health IT may include a variety of activities that are distinct from acquiring or upgrading health IT. For instance, "implementing" health IT may include investments in health IT for its maintenance and upkeep, the use of health IT to collect, store, and share health information, and activities supporting the piloting, but not the acquisition, of health IT tools.
We note that the proposals in HHSAR parts 339 and 352 in this proposed rule pertain to "work performed under the contract that involves implementing, acquiring, or upgrading health IT." For example, a contracted party performing research may obtain data from health IT systems. Unless the contract defines specific health IT activities and/or investments related to these data, such activities would be considered incidental to the work performed under the contract and would not be subject to our proposed requirements. We seek comment on additional details that would help with clarifying when a contract activity would be considered "implementing" health IT.
B. Authorities and Summary of Proposed Changes
We propose to revise the following parts of the HHSAR, 48 CFR chapter 3: parts 339 and 352.
We propose to revise the authority citations cited in each HHSAR part to reflect as follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304. Where additional authorities for a specific part are applicable, we identify them under that discussion of each HHSAR part later in this preamble.
We propose to retain the authority of 5 U.S.C. 301. This authority provides that the head of an Executive department or military department may prescribe regulations for the government of his department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property.
We propose to retain the authority of 40 U.S.C. 121(c) and slightly revise the reference. This authorizes the head of each executive agency to issue orders and directives that the agency head considers necessary to carry out the regulations. The Federal Acquisition Regulation System and the publication of the FAR is issued pursuant to this authority as are agency supplements to the FAR such as the HHSAR.
We propose to include a reference to 41 U.S.C. 1121(c)(3). This provision states that the authority of an executive agency under another law to prescribe policies, regulations, procedures, and forms for procurement is subject to the authority conferred in section 1121, as well as other sections of title 41.
We propose to add an authority citation for 41 U.S.C. 1702 which addresses the acquisition planning and management responsibilities that are carried out by the HHS Senior Procurement Executive.
And we propose to add the citation of 48 CFR 1.301 through 1.304 to reflect the authority and responsibility set forth in the FAR and delegated to Federal agencies to issue agency regulations that supplement and implement the FAR.
Any other proposed changes to authorities are shown under the individual parts below.
1. HHSAR Part 339-Acquisition of Information Technology
We propose to revise the authority citations for part 339, for the reasons set forth in the discussion and analysis section, to read as follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304.
We propose to add subpart 339.70, Standards for Health Information Technology, to include underlying sections 339.7000, 339.7001, 339.7002, and 339.7003. This subpart is added to implement standards under the authority of the HITECH Act, Public Law 111-5, title XIII, sections 13111 and 13112 that are applicable for HHS contracts, as well as HHS policy.
We propose to add section 339.7000, Scope of subpart, to provide general scope and purpose of the subpart and its underlying sections, which implements and aligns requirements related to the procurement of health IT with standards and implementation specifications adopted by ONC, under section 3004 of the PHSA, consistent with sections 13111 and 13112 of the HITECH Act (Pub. L. 111-5) and HHS policy to advance health IT alignment. The subpart describes the policies and procedures for solicitations and contracts that involve implementing, acquiring, or upgrading health IT that is used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities; or by health care providers, health plans, or health insurance issuers.
We propose to add section 339.7001, Definitions. This section is added to include three definitions applicable to the new subpart: Health information technology (health IT), individually identifiable health information, and the ONC Health Information Technology Certification Program.
We propose to add section 339.7002, Policy-standards for health information technology. This section is added to implement standards for health IT in HHS contracts. This section would require, pursuant to the HITECH Act, Public Law 111-5, title XIII, sections 13111 and 13112, and HHS policy, that health IT shall meet standards and implementation specifications adopted in 45 CFR part 170, subpart B, if applicable. This includes health IT that is-
• Procured by or on behalf of HHS entities, or
• Procured through HHS contracts with health care providers, health plans, or health insurance issuers that involve implementing, acquiring, or upgrading health IT.
[top] Section 339.7002 would prohibit contracting officers from awarding a contract involving health IT as described in this preamble, unless certain conditions are met. First, this section would prohibit contracting officers from awarding a contract that includes implementing, acquiring, or upgrading health IT used for the direct
• Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support work performed under the contract; or
• Is certified under the ONC Health Information Technology Certification Program, if certified technology can support work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the contractor is-
? an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act; or
? implementing, acquiring, or upgrading technology to be used by an eligible professional in an ambulatory setting, or hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act.
Further, this section would also prohibit contracting officers from awarding a contract if a contractor is a health care provider, health plan, or health insurance issuer, or, to perform the contract, is establishing an agreement with a health care provider, health plan, or health insurance issuer, for any work performed under the contract that involves implementing, acquiring, or upgrading health IT, unless the offeror/quoter/contractor agrees that it shall utilize health IT that-
• Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support work performed under the contract; or
• Is certified under the ONC Health Information Technology Certification Program, if certified technology can support work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the contractor is-
? an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act; or
? implementing, acquiring, or upgrading technology to be used by an eligible professional in an ambulatory setting, or hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act.
Finally, this section would also encourage offerors/quoters/contractors, if standards and implementation specifications adopted in 45 CFR part 170, subpart B, cannot support the work as specified in the contract, to use health IT that meets non-proprietary standards and implementation specifications developed by consensus-based standards development organizations. This may include standards identified in the ONC Interoperability Standards Advisory, available at https://www.healthit.gov/isa/.
We propose to add section 339.7003, Contract clause, to prescribe a new clause at 352.239-70, Standards for Health Information Technology, in solicitations and contracts, issued by or on behalf of HHS entities, that involve implementing, acquiring, or upgrading health IT used-
(a) for the direct exchange of individually identifiable health information between agencies and with non-Federal entities; or
(b) by health care providers, health plans, or health insurance issuers.
2. HHSAR Part 352-Solicitation Provisions and Contract Clauses
We propose to revise the authority citations for part 352, for the reasons set forth in the discussion and analysis section, to read as follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304.
We propose to add clause 352.239-70, Standards for Health Information Technology, to set forth requirements for the standards for health IT provided or utilized on a contract. The clause would include three definitions: Health information technology (health IT), individually identifiable health information, and the ONC Health Information Technology Certification Program.
The clause would provide that by submission of an offer or a quote, and execution of a contract, the offeror/quoter/contractor agrees that-
• For any work performed under the contract that involves implementing, acquiring, or upgrading health IT procured by or on behalf of HHS entities used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities, the offeror/quoter/contractor shall utilize health IT that-
(1) Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support the work performed under the contract; or
(2) Is certified under the ONC Health Information Technology Certification Program, if certified technology can support the work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the Contractor is-
(i) an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act; or
(ii) is implementing, acquiring or upgrading technology to be used by an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act.
• When the contractor is a health care provider, health plan, or health insurance issuer, or, to perform the contract, is establishing an agreement with a health care provider, health plan, or health insurance issuer, for work performed under the contract that involves implementing, acquiring, or upgrading health IT, the offeror/quoter/contractor shall utilize heath IT that-
(1) Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support the work performed under the contract; or
(2) Is certified under the ONC Health Information Technology Certification Program, if certified technology can support the work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the Contractor is-
(i) an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act; or
(ii) implementing, acquiring or upgrading technology to be used by an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act.
Additionally, this section would also encourage contractors, if such standards and implementation specifications adopted in 45 CFR part 170, subpart B, cannot support the work as specified in the contract, to use health IT that meets non-proprietary standards and implementation specifications developed by consensus-based standards development organizations. This may include standards identified in the ONC Interoperability Standards Advisory, available at https://www.healthit.gov/isa/.
III. Executive Order 12866 and 13563
[top] Executive Orders (E.O.) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic,
The Office of Information and Regulatory Affairs has examined the economic, interagency, budgetary, legal, and policy implications of this regulatory action, and has determined that this proposed rule is not a significant regulatory action under E.O. 12866.
HHS's impact analysis can be found as a supporting document at https://www.regulations.gov, usually within 48 hours after the rulemaking document is published.
IV. Paperwork Reduction Act
This proposed rule contains no provisions constituting a collection of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521).
V. Regulatory Flexibility Act
The Secretary hereby certifies that this proposed rule would not have a significant economic impact on a substantial number of small entities as they are defined in the Regulatory Flexibility Act (5 U.S.C. 601-612). Therefore, pursuant to 5 U.S.C. 605(b), the initial and final regulatory flexibility analysis requirements of 5 U.S.C. 603 and 604 do not apply.
HHS expects that the overall impact of the proposed rule would benefit small businesses because the HHSAR is being updated to provide needed guidance to ensure HHS's contractors properly understand and can propose and provide health IT that meets standards and implementation specifications adopted by the ONC, consistent with sections 13111 and 13112 of the HITECH Act (Pub. L. 111-5, title XIII, sections 13111 and 13112) and HHS policy.
Any additional costs associated with the proposed rule, such as costs to implement the substantive new and revised requirements concerning the HITECH Act, can be factored into the contract price. There are no alternatives that would permit treating small businesses providing services and equipment to HHS differently than other firms. However, with clear guidance and an understanding of the requirement, small businesses will be better postured to provide offers and quotes with fully compliant equipment and thus be able to effectively participate in HHS acquisitions. The use of consensus-based standards presents a potential benefit to small businesses as it provides clear technical guidelines for health IT requirements. This can help to reduce development burden by offering open technical guidelines for implementation, rather than necessitating resource allocation to standards development. In addition, the use of non-proprietary standards allows greater flexibility for customers and mitigates the risk of being "locked in" to any one product or vendor. Overall, the use of open, consensus-based standards increases small businesses' ability to compete in the health IT landscape. On this basis, the Secretary hereby certifies that this proposed rule will not have a significant economic impact on a substantial number of small entities as they are defined in the Regulatory Flexibility Act, 5 U.S.C. 601-612. Therefore, pursuant to 5 U.S.C. 605(b), the initial regulatory flexibility analysis requirements of section 603 does not apply.
While on the basis of the foregoing, HHS has determined that the agency is not required to prepare an Initial Regulatory Flexibility Analysis (IRFA), HHS has prepared an IRFA that is summarized here. Comments are solicited from small businesses and other interested parties and will be considered in the development of the final rule.
VI. Initial Regulatory Flexibility Analysis
This Initial Regulatory Flexibility Analysis (IRFA) has been prepared consistent with 5 U.S.C. 603.
1. Description of the reasons why the action is being taken.
This proposed rule would amend the Health and Human Services Acquisition Regulation (HHSAR) to implement updates to the HHSAR to add substantive new language to align requirements related to the procurement of health information technology (health IT) with standards and implementation specifications (standards) adopted by the Office of the National Coordinator for Health Information Technology (ONC), consistent with sections 13111 and 13112 of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") (Pub. L. 111-5, title XIII, sections 13111 and 13112) and HHS policy.
Section 13111 of the HITECH Act requires agencies identified by the Director of the Office of Management and Budget (OMB), in consultation with the Secretary, when implementing, acquiring, or upgrading health IT systems used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities, to utilize, where available, health IT systems and products that meet standards and implementation specifications adopted by ONC on behalf of the Secretary under section 3004 of the Public Health Service Act (PHSA).
Section 13112 of the HITECH Act specifies that agencies, as defined in Executive Order 13410, shall require in contracts or agreements with health care providers, health plans, or health insurance issuers that as each provider, plan, or issuer implements, acquires, or upgrades health IT systems, it shall utilize, where available, health IT systems and products that meet standards and implementation specifications adopted under section 3004 of the PHSA.
On behalf of HHS, ONC adopts standards and implementation specifications under section 3004 of the PHSA in 45 CFR part 170, subpart B. Standards adopted under section 3004 are included in certification criteria for health IT in the ONC Health Information Technology Certification Program at 45 CFR part 170, subpart C. For more information on the ONC Certification Program, see https://www.healthit.gov/topic/certification-ehrs/certification-health-it.
This proposed rule would implement requirements in the HHSAR that would apply to all solicitations and contracts, issued by or on behalf of HHS entities, that involve implementing, acquiring, or upgrading health IT used (1) for the direct exchange of individually identifiable health information between agencies and non-Federal entities, or (2) by health care providers, health plans, or health insurance issuers under HHS contracts. Based on a review of the potential impact on small business entities, HHS has determined that the requirements specified in the proposed rule are inherent to successful performance on any relevant Federal contract.
This proposed rule would provide definitions, policy, and a prescription for a new HHSAR clause to implement requirements of the HITECH Act, to include: (1) when contracting officers must procure health IT that complies with the HITECH Act; and (2) when to require health IT that complies with the HITECH Act in contracts and agreements with health care providers, health plans, or health insurance issuers.
2. Succinct statement of the objectives of, and legal basis for, the rule.
[top] The proposed rule implements the HITECH Act, sections 13111 and 13112, and HHS policy. This must be
3. Description of and, where feasible, estimate of the number of small entities to which the rule will apply.
To estimate the number of small businesses that could potentially be impacted by the proposed rule, HHS identified contract award actions across key North American Industry Classification System (NAICS) codes, as well as Product Service Codes (PSC) that could be affected for five fiscal years-FY 2018, 2019, 2020, 2021 and 2022 as set forth in the table below. HHS focused on businesses that potentially could be impacted by the proposed revisions to parts 339 and 352 involving health IT, because of the potential costs resulting from the utilization of health information technology that meets standards and implementation specifications adopted under section 3004 of the PHSA, consistent with the HITECH Act, in HHS acquisitions containing such requirements.
| NAICS | NAICS description | Number of contract actions | FY 2018 | FY 2019 | FY 2020 | FY 2021 | FY 2022 | Total | Average |
|---|---|---|---|---|---|---|---|---|---|
| 518210 | Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services | 772 | 799 | 797 | 754 | 909 | 4,031 | 806.2 | |
| 524292 | Pharmacy Benefit Management and Other Third Party Administration of Insurance and Pension Funds | 29 | 29 | 32 | 29 | 44 | 163 | 32.6 | |
| 541511 | Custom Computer Programming Services | 1,327 | 1,288 | 1,343 | 1,332 | 1,668 | 6,958 | 1,391.6 | |
| 541512 | Computer Systems Design Services | 2,838 | 3,095 | 2,891 | 3,103 | 4,497 | 16,424 | 3,284.8 | |
| 541513 | Computer Facilities Management Services | 125 | 130 | 155 | 121 | 161 | 692 | 138.4 | |
| 541519 | Other Computer Related Services | 4,857 | 4,264 | 4,813 | 4,141 | 4,610 | 22,685 | 4,537 | |
| 541715 | Research and Development in the Physical, Engineering, and Life Sciences (except Nanotechnology and Biotechnol-ogy) | 322 | 644 | 1,074 | 1,498 | 2,227 | 5,765 | 1,153 | |
| 541990 | All Other Professional, Scientific, and Tech. Svcs | 3,356 | 2,943 | 3,216 | 3,305 | 4,271 | 17,091 | 3,418.2 | |
| 611310 | Colleges, Universities, and Professional Schools | 336 | 265 | 228 | 222 | 265 | 1,316 | 263.2 | |
| NAICS Total | 13,962 | 13,457 | 14,549 | 14,505 | 18,652 | 75,125 | 15,025 | ||
| PSC | Product service code description | ||||||||
| 7010 | Information Technology Equipment System Configuration | 94 | 94 | 94 | 94 | 94 | 94 | 94 | |
| 7020 | Information Technology Central Processing Unit (CPU, Computer), Analog | 47 | 41 | 79 | 19 | 5 | 191 | 38.2 | |
| 7021 | Information Technology Central Processing Unit (CPU, Computer), Digital | 231 | 116 | 207 | 23 | 14 | 591 | 118.2 | |
| 7022 | Information Technology Central Processing Unit (CPU, Computer), Hybrid | 18 | 18 | 14 | 6 | 0 | 56 | 11.2 | |
| 7025 | Information Technology Input/Output and Storage Devices | 149 | 105 | 136 | 40 | 23 | 453 | 90.6 | |
| 7030 | Information Technology Software | 1,934 | 1,524 | 1,971 | 674 | 514 | 6,617 | 1,323.4 | |
| 7035 | Information Technology Support Equipment | 501 | 353 | 426 | 106 | 79 | 1,465 | 293 | |
| PSC Total | 2,974 | 2,253 | 2,931 | 898 | 657 | 9,713 | 1,942.6 | ||
| Total | 16,936 | 15,710 | 17,480 | 15,403 | 19,309 | 84,838 | 16,967.6 |
As shown, HHS awarded over 84,838 contract actions for nine NAICS (products or services) and seven Product Service Codes for IT or IT-related services during the period FY 2018 through FY 2022. To estimate the number of small businesses potentially impacted by this proposed rule involving the much narrower health IT certification standards and requirements, HHS notes that in FY 2022, the total number of contract actions awarded to small business concerns across the nine NAICS and all operating administrations was around 55%. Using this figure to project the potential impact to small business entities that may be affected by the proposed rule, the Department estimates that up to 8,484 contract actions could be awarded to small businesses.
4. Description of projected reporting, recordkeeping, and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record.
This proposed rule contains no provisions constituting a collection of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521).
[top] 5. Identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap, or conflict with the rule.
The proposed rule does not duplicate, overlap, or conflict with any other Federal rules.
6. Description of any significant alternatives to the rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the rule on small entities.
HHS considered whether any other alternatives would reduce the impact on small businesses but concluded that the proposed rule was necessary for consistency with the FAR, for compliance with the HITECH Act and HHS policy, and to ensure the information security and integrity of HHS information and information systems.
IV. Comments on the Economic Impacts of the Rule
HHS has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. HHS will consider comments from small entities concerning the affected HHSAR parts, to include 339 and 352 that pertains to IT. Interested parties should cite 5 U.S.C. 601, et seq. and reference 0991-AC35-HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001), in comments on the certification or the IRFA presented in this proposed rule.
A. Unfunded Mandates
The Unfunded Mandates Reform Act of 1995 (URMA) requires, at 2 U.S.C. 1532, that agencies prepare an assessment of anticipated costs and benefits before issuing any rule that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more (adjusted annually for inflation) in any one year. In 2023, that threshold is approximately $177 million. HHS has determined that this proposed rule would have no such effect on State, local, and tribal governments or on the private sector. Therefore, the analytical requirements of UMRA do not apply.
List of Subjects in 48 CFR Parts 339 and 352
Government procurement.
Xavier Becerra,
Secretary, Department of Health and Human Services.
For the reasons set out in the preamble, HHS proposes to amend 48 CFR parts 339 and 352 as follows:
PART 339-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for part 339 is revised to read as follows:
Authority:
5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304.
2. Subpart 339.70 is added to read as follows:
Subpart 339.70-Standards for Health Information Technology
339.7000 Scope of subpart.
339.7001 Definitions.
339.7002 Policy-standards for health information technology.
339.7003 Contract clause.
339.7000 Scope of Subpart
(a) This subpart implements and aligns requirements related to the procurement of health information technology (health IT) with standards and implementation specifications (standards) adopted by the Office of the National Coordinator for Health Information Technology (ONC) under section 3004 of the Public Health Service Act (PHSA), consistent with sections 13111 and 13112 of the HITECH Act (Pub. L. 111-5) and HHS policy to advance health IT alignment.
(b) This subpart provides policies and procedures for solicitations and contracts that involve implementing, acquiring, or upgrading health IT used-
(1) For the direct exchange of individually identifiable health information between agencies and with non-Federal entities; or
(2) By health care providers, health plans, or health insurance issuers.
339.7001 Definitions
As used in this subpart-
Health information technology (health IT) means hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information. (42 U.S.C. 300jj(5))
Individually identifiable health information means any information, including demographic information collected from an individual, that-
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. (42 U.S.C. 300jj(8), 1320d(6))
ONC Health Information Technology Certification Program means the voluntary certification program administered by ONC using a third-party conformity assessment program for health IT. Certification criteria for the Program are found in 45 CFR part 170, subpart C, and incorporate standards and implementation specifications in 45 CFR part 170 subpart B.
339.7002 Policy-Standards for Health Information Technology
(a) Pursuant to the HITECH Act, Public Law 111-5, title XIII, sections 13111 and 13112, and HHS policy, health IT procured by or on behalf of HHS entities, or procured through HHS contracts with health care providers, health plans, or health insurance issuers that involve implementing, acquiring, or upgrading health IT, shall meet standards and implementation specifications adopted in 45 CFR part 170, subpart B, if applicable.
(b) Contracting officers shall not award a contract unless the offeror/quoter/contractor agrees, by submission of an offer (or a quote) and execution of the contract, that-
(1) For any work performed under the contract that involves implementing, acquiring, or upgrading health IT procured by or on behalf of HHS entities used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities unless the offeror/quoter/contractor shall utilize health IT that-
(i) Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology Certification Program, if certified technology can support work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the contractor is-
(A) An eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act; or
[top] (B) Implementing, acquiring, or upgrading technology to be used by an
(2) If the contractor is a health care provider, health plan, or health insurance issuer, or, to perform the contract, is establishing an agreement with a health care provider, health plan, or health insurance issuer, for any work performed under the contract that involves implementing, acquiring, or upgrading health IT, the offeror/quoter/contractor shall utilize health IT that-
(i) Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology Certification Program, if certified technology can support work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the contractor is-
(A) An eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act; or
(B) Implementing, acquiring, or upgrading technology to be used by an eligible professional in an ambulatory setting, or hospital, eligible under sections 4101, 4102, and 4201 of the HITECH Act.
(c) If standards and implementation specifications adopted in 45 CFR part 170, subpart B, cannot support the work as specified in the contract, the offeror/quoter/contractor is encouraged to use health IT that meets non-proprietary standards and implementation specifications developed by consensus-based standards development organizations. This may include standards identified in the ONC Interoperability Standards Advisory, available at https://www.healthit.gov/isa/.
339.7003 Contract Clause
The contracting officer shall insert the clause at 352.239-70, Standards for Health Information Technology, in solicitations and contracts issued by or on behalf of HHS entities that-
(a) Involve implementing, acquiring, or upgrading health IT used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities; or
(b) Are with health care providers, health plans, or health insurance issuers that, under the solicitation or contract, would be implementing, acquiring, or upgrading health IT.
PART 352-SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. The authority for part 352 is revised to read as follows:
Authority:
5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 U.S.C. 1702; 42 U.S.C. 2003; and 48 CFR 1.301 through 1.304.
Subpart 352.2-Text of Provisions and Clauses
4. The heading for subpart 352.2 is revised to read as set forth above.
5. Section 352.239-70 is added to read as follows:
352.239-70 Standards for Health Information Technology
As prescribed in 339.7003, insert the following clause:
Standards for Health Information Technology
(Date)
(a) Definitions. As used in this clause-
Health information technology (health IT) means hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information. (42 U.S.C. 300jj(5))
Individually identifiable health information means any information, including demographic information collected from an individual, that-
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. (42 U.S.C. 300jj(8), 1320d(6))
ONC Health Information Technology Certification Program means the voluntary certification program administered by the HHS Office of the National Coordinator for Health Information Technology (ONC) using a third-party conformity assessment program for health IT. Certification criteria for the Program are found in 45 CFR part 170, subpart C, and incorporate standards and implementation specifications in 45 CFR part 170, subpart B.
(b) Pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Public Law 111-5, title XIII, sections 13111 and 13112, and HHS policy, by submission of an offer (or a quote) and execution of a contract, the offeror/quoter/Contractor agrees that-
(1) For any work performed under the contract that involves implementing, acquiring, or upgrading health IT procured by or on behalf of HHS entities used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities, the offeror/quoter/Contractor shall utilize health IT that-
(i) Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support the work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology Certification Program, if certified technology can support the work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the Contractor is-
(A) An eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act; or
(B) Implementing, acquiring, or upgrading technology to be used by an eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act.
(2) If the Contractor is a health care provider, health plan, or health insurance issuer, or, to perform the contract, is establishing an agreement with a health care provider, health plan, or health insurance issuer, for any work performed under the contract that involves implementing, acquiring, or upgrading health IT, the offeror/quoter/Contractor shall utilize health IT that-
(i) Meets standards and implementation specifications adopted in 45 CFR part 170, subpart B, if such standards and implementation specifications can support the work performed under the contract; or
(ii) Is certified under the ONC Health Information Technology Certification Program, if certified technology can support the work performed under the contract (see certification criteria in 45 CFR part 170, subpart C), when the Contractor is-
(A) An eligible professional in an ambulatory setting, or a hospital, eligible under sections 4101, 4102 and 4201 of the HITECH Act; or
[top] (B) Implementing, acquiring, or upgrading technology to be used by an
(c) If standards and implementation specifications adopted in 45 CFR part 170, subpart B, cannot support the work as specified in the contract, the Contractor is encouraged to use health IT that meets non-proprietary standards and implementation specifications developed by consensus-based standards development organizations. This may include standards identified in the ONC Interoperability Standards Advisory, available at https://www.healthit.gov/isa/.
(End of clause)
[FR Doc. 2024-17096 Filed 8-8-24; 8:45 am]
BILLING CODE 4151-19-P