(a) In-the-field surveillance. Consistent with its accreditation under 170.523(a) to ISO/IEC 17065 and the requirements of this subpart, an ONC-ACB must initiate surveillance “in the field” as necessary to assess whether a certified Health IT Module continues to conform to the requirements in subparts A, B, C and E of this part once the certified Health IT Module has been implemented and is in use in a production environment.
(1) Production environment. An ONC-ACB's assessment of a certified capability in the field must be based on the use of the capability in a production environment, which means a live environment in which the capability has been implemented and is in use.
(2) Production data. An ONC-ACB's assessment of a certified capability in the field must be based on the use of the capability with production data unless the use of test data is specifically approved by the National Coordinator.
(b) Reactive surveillance. An ONC-ACB must initiate surveillance (including, as necessary, in-the-field surveillance required by paragraph (a) of this section) whenever it becomes aware of facts or circumstances that would cause a reasonable person to question a certified Health IT Module's continued conformity to the requirements of its certification.
(1) Review of required disclosures. When an ONC-ACB performs reactive surveillance under this paragraph, it must verify that the requirements of § 170.523(k)(1) have been followed as applicable to the issued certification.
(2) [Reserved]
(c) Randomized surveillance. During each calendar year surveillance period, an ONC-ACB may conduct in-the-field surveillance for certain randomly selected Health IT Modules to which it has issued a certification.
(1) Scope. When an ONC-ACB selects a certified Health IT Module for randomized surveillance under this paragraph, its evaluation of the certified Health IT Module must include all certification criteria prioritized by the National Coordinator that are part of the scope of the certification issued to the Health IT Module.
(2) [Reserved]
(3) Selection method. An ONC-ACB must randomly select (subject to appropriate weighting and sampling considerations) and certified Health IT Modules for surveillance under this paragraph.
(4) Number and types of locations for in-the-field surveillance. For each certified Health IT Module selected for randomized surveillance under this paragraph, an ONC-ACB must:
(i) Evaluate the certified Health IT Module's capabilities at one or more locations where the certified Health IT Module is implemented and in use in the field.
(ii) Ensure that the locations are selected at random (subject to appropriate weighting and sampling considerations) from among all locations where the certified Health IT Module is implemented and in use in the field.
(d) Corrective action plan and procedures.
(1) When an ONC-ACB determines, through surveillance under this section or otherwise, that a Health IT Module does not conform to the requirements of its certification, the ONC-ACB must notify the developer of its findings and require the developer to submit a proposed corrective action plan for the applicable certification criterion, certification criteria, or certification requirement.
(2) The ONC-ACB shall provide direction to the developer as to the required elements of the corrective action plan.
(3) The ONC-ACB shall verify the required elements of the corrective action plan, consistent with its accreditation and any elements specified by the National Coordinator. At a minimum, any corrective action plan submitted by a developer to an ONC-ACB must include:
(i) A description of the identified non-conformities or deficiencies;
(ii) An assessment of how widespread or isolated the identified non-conformities or deficiencies may be across all of the developer's customers and users of the certified Health IT Module;
(iii) How the developer will address the identified non-conformities or deficiencies, both at the locations under which surveillance occurred and for all other potentially affected customers and users;
(iv) How the developer will ensure that all affected and potentially affected customers and users are alerted to the identified non-conformities or deficiencies, including a detailed description of how the developer will assess the scope and impact of the problem, including identifying all potentially affected customers; how the developer will promptly ensure that all potentially affected customers are notified of the problem and plan for resolution; how and when the developer will resolve issues for individual affected customers; and how the developer will ensure that all issues are in fact resolved.
(v) The timeframe under which corrective action will be completed.
(vi) An attestation by the developer that it has completed all elements of the approved corrective action plan.
(4) When the ONC-ACB receives a proposed corrective action plan (or a revised proposed corrective action plan), the ONC-ACB shall either approve the corrective action plan or, if the plan does not adequately address the elements described by paragraph (d)(3) of this section and other elements required by the ONC-ACB, instruct the developer to submit a revised proposed corrective action plan.
(5) Suspension. Consistent with its accreditation to ISO/IEC 17065 and procedures for suspending a certification, an ONC-ACB shall initiate suspension procedures for a Health IT Module:
(i) 30 days after notifying the developer of a non-conformity pursuant to paragraph (d)(1) of this section, if the developer has not submitted a proposed corrective action plan;
(ii) 90 days after notifying the developer of a non-conformity pursuant to paragraph (d)(1) of this section, if the ONC-ACB cannot approve a corrective action plan because the developer has not submitted a revised proposed corrective action plan in accordance with paragraph (d)(4) of this section; and
(iii) Immediately, if the developer has not completed the corrective actions specified by an approved corrective action plan within the time specified therein.
(6) Withdrawal. If a or certified Health IT Module's certification has been suspended, an ONC-ACB is permitted to initiate certification withdrawal procedures for the Health IT Module (consistent with its accreditation to ISO/IEC 17065 and procedures for withdrawing a certification) when the health IT developer has not completed the actions necessary to reinstate the suspended certification.
(e) Reporting of surveillance results requirements -
(1) Rolling submission of in-the-field surveillance results. The results of in-the-field surveillance under this section must be submitted to the National Coordinator, at a minimum, on a quarterly basis in accordance with § 170.523(i)(2).
(2) Confidentiality of locations evaluated. The contents of an ONC-ACB's surveillance results submitted to the National Coordinator must not include any information that would identify any user or location that participated in or was subject to surveillance.
(3) Reporting of corrective action plans. When a corrective action plan is initiated for a Health IT Module, an ONC-ACB must report the Health IT Module and associated product and corrective action information to the National Coordinator in accordance with § 170.523(f)(1)(xxii) or (f)(2)(xi), as applicable.
(f) Relationship to other surveillance requirements. Nothing in this section shall be construed to limit or constrain an ONC-ACB's duty or ability to perform surveillance, including in-the-field surveillance, or to suspend or terminate the certification, of any certified Health IT Module as required or permitted by this subpart and the ONC-ACB's accreditation to ISO/IEC 17065.
[80 FR 62758, Oct. 16, 2015, as amended at 80 FR 76872, Dec. 11, 2015; 81 FR 72466, Oct. 19, 2016; 85 FR 25952, May 1, 2020]