HHS Proposes Using Procurement Policy to Push Health IT Standards

The Department of Health and Human Services (HHS) continues its push on health data interoperability with a proposed rule, HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology.  Specifically, HHS proposes to modify the Health and Human Service Acquisition Regulation (HHSAR) to implement an HHS-wide policy to align requirements related to the procurement of health IT with standards and implementation specifications adopted by the Office of the National Coordinator for Health IT (ONC) or compliance with the voluntary ONC Health IT Certification Program.  This proposed rule was published on August 9, 2024, just 4 days after the ONC proposed HTI-2 rule was published in the Federal Register.

The proposed rule includes requirements that would apply to all solicitations and contracts issued by or on behalf of HHS entities that involve “implementing, acquiring, or upgrading health IT” in certain circumstances.  Comments are due by October 8, 2024.

Background

In 2022, HHS stated its intent to develop standard language for the HHS Health IT Alignment Policy for use in grants, cooperative agreements, contracts, and policy and regulatory actions.  Specifically, this policy broadly includes requirements for all HHS divisions “to include standard health IT language in applicable grants, cooperative agreements, contracts, and rulemaking to ensure alignment of the Department’s health IT investments,” to the extent legally permissible.

We note that this policy effort goes back much further than 2022.  Even before the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was passed, and before ONC had authority to adopt standards through regulation, the federal government sought to leverage government programs to promote standards and interoperability of health IT.  Specifically, in 2006, the Bush Administration published Executive Order (EO) 13410, including Section 3, which directed all federal agencies that implement, acquire or upgrade health IT for the direct exchange of health information between agencies and with non-Federal entities, to use health IT systems that met recognized interoperability standards, where available, and to require the same in contracts or agreements with health care providers, health plans, or health insurance issuers.  Thus, this regulation is proposed 18 years after the government first determined that it should leverage federal agency programs to promote use of standardized health IT.

Sections 13111 and 13112 of the HITECH Act codified the requirements that were in EO 13410, specifically calling on agencies to meet standards and implementation specifications when “implementing, acquiring, or upgrading health IT systems” in certain circumstances.  The proposed regulation implements these provisions of the HITECH Act through amendment of the HHSAR.

Proposed Rule

In general, under the proposed rule, HHS contracting officers would be prohibited from awarding a contract involving health IT unless the contractor either (1) meets ONC standards and implementation specifications, if such standards and implementation specifications can support work performed under the contract; or (2) is certified under the ONC Health IT Certification Program, if certified technology can support work performed under the contract.  For any submission that is within scope, the offeror would have to agree to meet ONC standards or be certified.  The regulation proposes to amend and update the HHSAR to implement specific procurement language that must be included in applicable contracts.

The proposed rule clarifies that the requirements would apply to work performed under the contract that involve “implementing, acquiring, or upgrading health IT.”  HHS explains that this would not include activities that are incidental to the contract, such as when a contracted party is performing research and may need to obtain data from a health IT system.  The proposed rule describes policies and procedures for solicitations and contracts that are within scope, including standards for health IT in HHS contracts.  This includes health IT that is:

• Procured on behalf of HHS entities; or
• Procured through HHS contracts with health care providers, health plans, or health insurance issuers that involve implementing, acquiring, or upgrading health IT.

The proposed rule defines “health IT” and “individually identifiable health information” the same as in the HITECH Act. The preamble to the proposed rule also attempts to explain the term “implementing,” stating: “[f]or instance, ‘implementing’ health IT may include investments in health IT for its maintenance and upkeep, the use of health IT to collect, store, and share health information, and activities supporting the piloting, but not the acquisition, of health IT tools.” 

While the proposed rule may be clear as to the requirements, less clear is the scope of contracts to which this rule would apply.  Specifically, the proposed rule would apply to contracts for health IT procured by or on behalf of HHS entities.  This seems to clearly contemplate HHS purchasing health IT, for example.  However, the proposed rule also states that it applies to a contractor that is a health care provider, health plan or health insurance issuer “for any work performed under the contract that involves implementing, acquiring, or upgrading health IT.” Health IT is broadly defined in the proposed regulation as:

hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.

Most health care providers, health plans and health insurance issuers use information technology that meets the definition of health IT and may need to use this technology to manage activities and operations of the entity or to share electronic health information with the government as part of a contract with HHS.  Although the preamble states that “unless the contract defines specific health IT activities and/or investments related to these data, such activities would be considered incidental to the work performed under the contract,” if the contract requires use of health IT for data exchange that does not seem to be incidental it could be determined to “involve” implementing health IT and therefore require compliance with ONC standards or certification, which are currently voluntary.  Furthermore, ONC vaguely states in a blog that “The proposed rule sets out requirements for all HHS contracts that involve health IT activities to use HHS-adopted health IT standards to promote interoperability across the health system,” adding to the confusion regarding the potential breadth of the proposed rule.

Takeaways

This proposed regulation implements requirements under the HITECH Act and is consistent with prior federal policy to establish a consistent HHS-wide approach for health IT requirements.  Entities that contract with HHS to implement, acquire, or upgrade health IT used (1) for the direct exchange of individually identifiable health information between agencies and non-Federal entities, or (2) by health care providers, health plans, or health insurance issuers should review these proposed requirements, decide whether to comment, and consider how to implement the requirements proposed.  However, since this is being implemented by regulation for the first time despite long-standing federal policy, we think it is important for health care organizations that contract with HHS to look carefully at the language in the rule and consider commenting on the scope.  We note that HHS specifically requests comment on clarifying when a contract activity would be considered ‘‘implementing’’ health IT. 

Also, given that the HHS Health IT Alignment Policy focuses not just on contracts, but also grants, cooperative agreements, and regulations, we should expect to see more policy actions to push requirements for use of standards and certified health information technology.

Please reach out to the individuals below or your regular health care or government contracts contact if you would like to discuss further.