William A. Hyman
Professor Emeritus, Biomedical Engineering
Texas A&M University, w-hyman@tamu.edu
Read other articles by this author
The ONC recently released a 257-page Final Rule on Enhanced Oversight and Accountability under the Health IT Certification Program. The first 223 pages provide an explanation of how the ONC reached the decisions they did, what comments they had received on the rule as previously proposed, and their responses to those comments. The actual changes to the rule in the remaining 32 pages are somewhat cryptic because they insertions and revisions to the previously existing 45 CFR Part 170, Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology. Before these changes Part 170 was a 206 page document in Word, or 66 pages in the 3 column, small font Federal Register version. The history of Part 170 is interesting in that it was first published as a temporary rule in 2010 followed by a permanent rule in January 2011. Permanency here is a relative term since it was then revised in November 2011, September 2012, September 2014, October 2015, and now in October, 2016.
The gist of the new revisions is, per the ONC Summary, that they create a regulatory framework for ONC’s direct review of health information technology (health IT) certified under the program, including, when necessary, requiring the correction of non-conformities and suspending and terminating certifications. There is of course a great deal of medical software that is not under ONC’s perspective of what constitutes health IT. Some other software falls under the umbrella of medical devices as regulated (or not) by the FDA, while other medical and health related software are unregulated products. Health IT might also more generally include healthcare infrastructure and the now ubiquitous questions of cybersecurity across the software and network enterprise. The ONC final rule also sets forth processes for ONC to authorize and oversee accredited testing laboratories and it includes provisions for expanded public availability of certified health IT surveillance results. Of note here is the ONC’s limitation to issues of non-conformities in relation to the certification criteria. Other forms of mal-performance are not directly covered.
Extensive and changing rules (regulations) makes keeping up with and understanding them a considerable effort. I think it is fair to say that such rules are challenging to digest and that they may contain pieces that are unclear, and/or seemingly contradictory. At risk of belaboring the analogy, it might also be that that which is difficult to digest might later cause considerable indigestion. Sometimes agencies release their own interpretive materials in an attempt to clarify what their own rules actually mean. The FDA, for example, regularly issues Guidance Documents which elaborate on FDA’s “thinking” on a regulatory subject. Similarly, ONC uses Fact Sheets, Advisory’s and other communications. The introductions to new rules, such as the 223 pages from ONC also have elements of explanation and clarification and such discourse might be cited by agencies when asserting a deviation from a regulation. A favorite of mine in this regard is an FDA regulation that requires risk analysis “where appropriate”, perhaps leaving it to the regulated party to determine when that is. But the preamble material explains, and FDA has asserted, that the only way to determine if risk analysis is appropriate is to first actually go through a risk management process, ie in order to determine you don’t have to do it you have to first do it.
It is not only the government that creates documents that challenge interpretation and require analysis and explanation. In a different tradition, sets of rules were developed to aid in the necessary interpretations of religious texts and the resolution of what appear to be conflicts. In recently rereading one set of 13 such rules from the 1st and 2nd century it struck me that they were quite applicable to contemporary analysis of government regulations. I offer a shorter and somewhat revised selection here.
- A comprehensive principle, as contained in one or more sections, is applicable to all related sections.
- When a generalization is followed by a specification, the specification applies instead of the generalization.
- When a specification is followed by a generalization, the generalization then applies.
- When, however, the specification or generalization is necessary for the sake of clarity, rules 2 and 3 do not apply.
- An ambiguous word or passage may be interpreted from its context or from a subsequent usage.
- When two sections of text contradict each other, they can be reconciled only by a third section.
Rule 1 means that a section of the regulation need not necessarily reiterate a stipulation found elsewhere but might none-the-less include it, or it might not. Two and 3 are of interest because they each provide that it is the second element of certain compound regulations that govern, whether it be something general or something specific. Rule 4 reminds us of the principle that all rules have exceptions, here that clarifying phrases are exempt. This also suggests that in some cases the specification that follows the generalization, or the generalization that follows the specification, does not add clarity. This is certainly reassuring. Lack of clarity is also the issue in rule 5 which provides two ways to figure out what a word or phrase means when such is not obvious. Similarly, per rule 6, a third section can be used to solve the problem of two other conflicting sections.
A challenge of interpretation is that not all interpreters will necessarily research the same conclusion, even if there are rules of analysis. In the case of government regulations another rule applies: Unless resolved by litigation, the government agency is right and you are wrong. Or perhaps if not right, then at least compelling.