HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology (HHSAR Case 2023-001), 65303-65311 [2024-17096]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 89, Number 154 (Friday, August 9, 2024)]
[Proposed Rules]
[Pages 65303-65311]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-17096]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

48 CFR Parts 339 and 352

RIN 0991-AC35


HHS Acquisition Regulation: Acquisition of Information 
Technology; Standards for Health Information Technology (HHSAR Case 
2023-001)

AGENCY: Department of Health and Human Services.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS) is proposing 
to amend and update its Health and Human Services Acquisition 
Regulation (HHSAR) to implement requirements to procure health 
information technology (health IT) that meets standards and 
implementation specifications (standards) adopted by the Office of the 
National Coordinator for Health Information Technology (ONC) in the 
following parts: Acquisition of Information Technology and Solicitation 
Provisions and Contract Clauses.

DATES: Comments must be received on or before October 8, 2024, to be 
considered in the formulation of the final rule.

ADDRESSES: Submit written comments in response to HHSAR Case 2023-001 
through the Federal eRulemaking Portal at: https://www.regulations.gov 
by searching for ``HHSAR Case 2023-001''. Select the link ``Comment 
Now'' and follow the ``Submit a comment'' instructions. Please include 
your name, company name (if any), and indicate they are submitted in 
response to ``RIN 0991-AC35--HHS Acquisition Regulation: Acquisition of 
Information Technology; Standards for Health Information Technology 
(HHSAR Case 2023-001).''
    Warning: Do not include any personally identifiable information or 
confidential business information that you do not want publicly 
disclosed. All comments may be posted on the internet and can be 
retrieved by most internet search engines. No deletions, modifications, 
or redactions will be made to comments received.
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for viewing by the 
public, including personally identifiable or confidential business 
information that is included in a comment. You may wish to consider 
limiting the amount of personal information that you provide in any 
voluntary public comment submission you make. HHS reserves the right to 
withhold information provided in comments from public viewing that it 
determines may have an adverse impact on an individual(s). For 
additional information, please read the Privacy Act notice that is 
available via the link in the footer of https://www.regulations.gov. 
Follow the search instructions on that website to view the public 
comments.

FOR FURTHER INFORMATION CONTACT: Mr. Jarreau Vieira, Chief, Acquisition 
Rule-Making Branch, U.S. Department of Health and Human Services, 
Office of the Assistant Secretary for Financial Resources, Office of 
Acquisition Policy, 200 Independence Avenue SW, Washington, DC 20201. 
Email: [email protected], Telephone: (202) 731-4625. This is 
not a toll-free telephone number.

SUPPLEMENTARY INFORMATION:

I. Background

A. Authority

    This rulemaking is being taken under the authority of the Office of 
Federal Procurement Policy (OFPP) Act which provides the authority for 
an agency head to authorize the issuance of agency acquisition 
regulations that implement or supplement the Federal Acquisition 
Regulation (FAR). The OFPP Act, as codified in 41 U.S.C. 1702, provides 
the authority for the FAR and for the issuance of agency acquisition 
regulations consistent with the FAR. This authority ensures that 
Government

[[Page 65304]]

procurements are handled fairly and consistently, that the Government 
receives overall best value, and that the Government and contractors 
both operate under a known set of rules. The Health and Human Services 
Acquisition Regulation (HHSAR) is set forth at Title 48 CFR, chapter 3, 
parts 301 through 370.
    Under this authority, we are seeking to implement a department-wide 
management policy issued by the Secretary of the Department of Health 
and Human Services (Secretary) in July 2022 (hereafter the 
``Secretary's July 2022 Memorandum''), that directed HHS agencies to 
align and coordinate health IT-related activities in support of HHS 
health IT and interoperability goals. This policy was supported by 
requirements in sections 13111 and 13112 of the Health Information 
Technology for Economic and Clinical Health Act (HITECH Act) (Pub. L. 
111-5).

B. Genesis of Standards for Health Information Technology in the HHSAR

    The Secretary's July 2022 Memorandum recognized that HHS spending 
on health IT-related activities has grown dramatically in recent years, 
as various agencies have begun to leverage the large foundation of 
electronic health records put in place by the $40 billion invested as a 
result of the HITECH Act, as part of the American Recovery and 
Reinvestment Act of 2009 (Pub. L. 111-5, Feb. 17, 2009), and the 
related clinical data and interoperability standards that HHS continues 
to promote. Advancing interoperability and the effective and 
appropriate use of health IT systems is a key HHS objective, and COVID-
19 has further demonstrated the importance of interoperable data to 
improve the quality, safety, affordability, and efficiency of health 
care delivery; inform pandemic response; and identify and address 
disparities in care. As health IT-related activities begin to play an 
increasingly prominent role in programs across the Department, the 
Secretary's July 2022 Memorandum states that it is critical to ensure 
alignment of such activities to avoid the proliferation of ad-hoc 
health IT and data silos. These silos undercut the effectiveness and 
efficiency of the Department's policies and programs, are costly for 
Federal and state agencies and private sector partners to create and 
maintain, have no synergies across programs, and--due to lack of 
alignment across and within HHS agencies--impose significant burden on 
health care providers, technology developers, and other health care 
stakeholders.
    As part of the Secretary's July 2022 Memorandum, the Secretary 
directed HHS agencies, working with the Assistant Secretary for 
Financial Resources (ASFR), to develop standard language for use in 
grants, cooperative agreements, or contracts. The Secretary's July 2022 
Memorandum further identified the general elements of this standard 
language, including that: recipients are expected to utilize health IT 
that meets standards adopted under Section 3004 of the Public Health 
Service Act (PHSA), if applicable, when the funding mechanism includes 
provisions requiring recipients to implement, acquire, or upgrade 
health IT; health care providers who have been eligible to participate 
in Center for Medicare & Medicaid Services's (CMS's) health IT-focused 
incentive programs can meet alignment requirements under this policy by 
using certified health IT which incorporates standards adopted under 
PHSA Section 3004; and, where there are no applicable standards adopted 
under PHSA Section 3004, recipients are encouraged to use other HHS-
identified standards or non-proprietary, consensus-based standards 
developed by a national standard setting organization, such as those 
referenced in the Interoperability Standards Advisory, are recommended.
    We note that this regulation does not impact existing HHS 
authorities for standards adoption and note that HHS agencies are 
committed to working together to ensure that standards under such 
authorities are aligned to advance interoperability for a nationwide 
health IT infrastructure.
    Section 13111 of the HITECH Act requires agencies identified by the 
Director of the Office of Management and Budget (OMB), in consultation 
with the Secretary, when implementing, acquiring, or upgrading health 
IT systems used for the direct exchange of individually identifiable 
health information between agencies and with non-Federal entities, to 
utilize, where available, health IT systems and products that meet 
standards and implementation specifications adopted by ONC on behalf of 
the Secretary under section 3004 of the Public Health Service Act 
(PHSA).
    Section 13112 of the HITECH Act specifies that agencies, as defined 
in Executive Order 13410, shall require in contracts or agreements with 
health care providers, health plans, or health insurance issuers that 
as each provider, plan, or issuer implements, acquires, or upgrades 
health IT systems, it shall utilize, where available, health IT systems 
and products that meet standards and implementation specifications 
adopted under Section 3004 of the PHSA.
    On behalf of HHS, ONC adopts standards and implementation 
specifications under section 3004 of the PHSA in 45 CFR part 170, 
subpart B. Standards adopted under section 3004 are included in 
certification criteria for health IT in the ONC Health Information 
Technology Certification Program in 45 CFR part 170, subpart C. For 
more information on the ONC Certification Program, see https://www.healthit.gov/topic/certification-ehrs/certification-health-it. 
Health care providers who have been eligible to participate in CMS's 
health IT-focused incentive programs under sections 4101, 4102, and 
4201 of the HITECH Act have been incentivized to adopt health IT that 
meets certification criteria which incorporate standards in 45 CFR part 
170, subpart B. Consistent with HHS policy, the proposals address use 
of certified health IT by these providers, where applicable.

C. Implementation Via Class Deviation (2023-01)

    On December 20, 2022, the HHS Senior Procurement Executive issued 
HHSAR Class Deviation (2023-01) from part 339, Acquisition of 
Information Technology; Standards for Health Information Technology, in 
advance of this proposed rule to implement in the HHSAR the 
requirements of the HITECH Act and HHS' implementation standards.

D. Purpose of Rule

    This proposed rule is issued to comply with the requirements of 41 
U.S.C. 1707 and FAR subpart 1.5 that require publication of a proposed 
rule for public comment.
    Consistent with HHS policy, including the Secretary's July 2022 
Memorandum, and with sections 13111 and 13112 of the HITECH Act (Pub. 
L. 111-5), HHS is proposing to amend the HHSAR to implement and align 
requirements related to the procurement of health IT with standards and 
implementation specifications adopted by ONC under section 3004 of the 
PHSA.
    This proposed rule would add a new HHSAR subpart 339.70, Standards 
for Health Information Technology, which provides definitions, policy, 
and a prescription for a new HHSAR clause to implement requirements of 
the HITECH Act, to include: (1) when contracting officers must procure 
health IT consistent with requirements in the HITECH Act; and (2) when 
to require use of health IT in a manner consistent with requirements in 
the HITECH Act,

[[Page 65305]]

in contracts and agreements with health care providers, health plans, 
or health insurance issuers.
    This proposed rule would implement requirements in the HHSAR that 
would apply to all solicitations and contracts, issued by or on behalf 
of HHS entities, that involve implementing, acquiring, or upgrading 
health IT used (1) for the direct exchange of individually identifiable 
health information between agencies and non-Federal entities, or (2) by 
health care providers, health plans, or health insurance issuers.

II. Discussion and Analysis

A. HITECH Act Discussion

    In this section, we provide discussion of several issues in 
connection to our proposals in this proposed rule.
1. Acquiring, Implementing, or Upgrading Health IT
    We believe additional discussion of terms used in sections 13111 
and 13112 of the HITECH Act will help the public to understand how 
these proposals will be implemented. Specifically, we note that both 
sections refer to implementing, acquiring, or upgrading of health IT 
systems as activities to which the statutory provisions apply. We 
believe the terms acquiring and upgrading health IT are clear for the 
purpose of this policy. However, we believe additional explanation of 
the term ``implementing'' as it is used in this policy is warranted. 
``Implementing'' health IT may include a variety of activities that are 
distinct from acquiring or upgrading health IT. For instance, 
``implementing'' health IT may include investments in health IT for its 
maintenance and upkeep, the use of health IT to collect, store, and 
share health information, and activities supporting the piloting, but 
not the acquisition, of health IT tools.
    We note that the proposals in HHSAR parts 339 and 352 in this 
proposed rule pertain to ``work performed under the contract that 
involves implementing, acquiring, or upgrading health IT.'' For 
example, a contracted party performing research may obtain data from 
health IT systems. Unless the contract defines specific health IT 
activities and/or investments related to these data, such activities 
would be considered incidental to the work performed under the contract 
and would not be subject to our proposed requirements. We seek comment 
on additional details that would help with clarifying when a contract 
activity would be considered ``implementing'' health IT.

B. Authorities and Summary of Proposed Changes

    We propose to revise the following parts of the HHSAR, 48 CFR 
chapter 3: parts 339 and 352.
    We propose to revise the authority citations cited in each HHSAR 
part to reflect as follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 
1121(c)(3); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304. Where 
additional authorities for a specific part are applicable, we identify 
them under that discussion of each HHSAR part later in this preamble.
    We propose to retain the authority of 5 U.S.C. 301. This authority 
provides that the head of an Executive department or military 
department may prescribe regulations for the government of his 
department, the conduct of its employees, the distribution and 
performance of its business, and the custody, use, and preservation of 
its records, papers, and property.
    We propose to retain the authority of 40 U.S.C. 121(c) and slightly 
revise the reference. This authorizes the head of each executive agency 
to issue orders and directives that the agency head considers necessary 
to carry out the regulations. The Federal Acquisition Regulation System 
and the publication of the FAR is issued pursuant to this authority as 
are agency supplements to the FAR such as the HHSAR.
    We propose to include a reference to 41 U.S.C. 1121(c)(3). This 
provision states that the authority of an executive agency under 
another law to prescribe policies, regulations, procedures, and forms 
for procurement is subject to the authority conferred in section 1121, 
as well as other sections of title 41.
    We propose to add an authority citation for 41 U.S.C. 1702 which 
addresses the acquisition planning and management responsibilities that 
are carried out by the HHS Senior Procurement Executive.
    And we propose to add the citation of 48 CFR 1.301 through 1.304 to 
reflect the authority and responsibility set forth in the FAR and 
delegated to Federal agencies to issue agency regulations that 
supplement and implement the FAR.
    Any other proposed changes to authorities are shown under the 
individual parts below.
1. HHSAR Part 339--Acquisition of Information Technology
    We propose to revise the authority citations for part 339, for the 
reasons set forth in the discussion and analysis section, to read as 
follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 
U.S.C. 1702; and 48 CFR 1.301 through 1.304.
    We propose to add subpart 339.70, Standards for Health Information 
Technology, to include underlying sections 339.7000, 339.7001, 
339.7002, and 339.7003. This subpart is added to implement standards 
under the authority of the HITECH Act, Public Law 111-5, title XIII, 
sections 13111 and 13112 that are applicable for HHS contracts, as well 
as HHS policy.
    We propose to add section 339.7000, Scope of subpart, to provide 
general scope and purpose of the subpart and its underlying sections, 
which implements and aligns requirements related to the procurement of 
health IT with standards and implementation specifications adopted by 
ONC, under section 3004 of the PHSA, consistent with sections 13111 and 
13112 of the HITECH Act (Pub. L. 111-5) and HHS policy to advance 
health IT alignment. The subpart describes the policies and procedures 
for solicitations and contracts that involve implementing, acquiring, 
or upgrading health IT that is used for the direct exchange of 
individually identifiable health information between agencies and with 
non-Federal entities; or by health care providers, health plans, or 
health insurance issuers.
    We propose to add section 339.7001, Definitions. This section is 
added to include three definitions applicable to the new subpart: 
Health information technology (health IT), individually identifiable 
health information, and the ONC Health Information Technology 
Certification Program.
    We propose to add section 339.7002, Policy--standards for health 
information technology. This section is added to implement standards 
for health IT in HHS contracts. This section would require, pursuant to 
the HITECH Act, Public Law 111-5, title XIII, sections 13111 and 13112, 
and HHS policy, that health IT shall meet standards and implementation 
specifications adopted in 45 CFR part 170, subpart B, if applicable. 
This includes health IT that is--
     Procured by or on behalf of HHS entities, or
     Procured through HHS contracts with health care providers, 
health plans, or health insurance issuers that involve implementing, 
acquiring, or upgrading health IT.
    Section 339.7002 would prohibit contracting officers from awarding 
a contract involving health IT as described in this preamble, unless 
certain conditions are met. First, this section would prohibit 
contracting officers from awarding a contract that includes 
implementing, acquiring, or upgrading health IT used for the direct

[[Page 65306]]

exchange of individually identifiable health information between 
agencies and with non-Federal entities unless an offeror/quoter/
contractor shall utilize health IT that--
     Meets standards and implementation specifications adopted 
in 45 CFR part 170, subpart B, if such standards and implementation 
specifications can support work performed under the contract; or
     Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the contractor is--
    [cir] an eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH 
Act; or
    [cir] implementing, acquiring, or upgrading technology to be used 
by an eligible professional in an ambulatory setting, or hospital, 
eligible under sections 4101, 4102, and 4201 of the HITECH Act.
    Further, this section would also prohibit contracting officers from 
awarding a contract if a contractor is a health care provider, health 
plan, or health insurance issuer, or, to perform the contract, is 
establishing an agreement with a health care provider, health plan, or 
health insurance issuer, for any work performed under the contract that 
involves implementing, acquiring, or upgrading health IT, unless the 
offeror/quoter/contractor agrees that it shall utilize health IT that--
     Meets standards and implementation specifications adopted 
in 45 CFR part 170, subpart B, if such standards and implementation 
specifications can support work performed under the contract; or
     Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the contractor is--
    [cir] an eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH 
Act; or
    [cir] implementing, acquiring, or upgrading technology to be used 
by an eligible professional in an ambulatory setting, or hospital, 
eligible under sections 4101, 4102, and 4201 of the HITECH Act.
    Finally, this section would also encourage offerors/quoters/
contractors, if standards and implementation specifications adopted in 
45 CFR part 170, subpart B, cannot support the work as specified in the 
contract, to use health IT that meets non-proprietary standards and 
implementation specifications developed by consensus-based standards 
development organizations. This may include standards identified in the 
ONC Interoperability Standards Advisory, available at https://www.healthit.gov/isa/.
    We propose to add section 339.7003, Contract clause, to prescribe a 
new clause at 352.239-70, Standards for Health Information Technology, 
in solicitations and contracts, issued by or on behalf of HHS entities, 
that involve implementing, acquiring, or upgrading health IT used--
    (a) for the direct exchange of individually identifiable health 
information between agencies and with non-Federal entities; or
    (b) by health care providers, health plans, or health insurance 
issuers.
2. HHSAR Part 352--Solicitation Provisions and Contract Clauses
    We propose to revise the authority citations for part 352, for the 
reasons set forth in the discussion and analysis section, to read as 
follows: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 41 
U.S.C. 1702; and 48 CFR 1.301 through 1.304.
    We propose to add clause 352.239-70, Standards for Health 
Information Technology, to set forth requirements for the standards for 
health IT provided or utilized on a contract. The clause would include 
three definitions: Health information technology (health IT), 
individually identifiable health information, and the ONC Health 
Information Technology Certification Program.
    The clause would provide that by submission of an offer or a quote, 
and execution of a contract, the offeror/quoter/contractor agrees 
that--
     For any work performed under the contract that involves 
implementing, acquiring, or upgrading health IT procured by or on 
behalf of HHS entities used for the direct exchange of individually 
identifiable health information between agencies and with non-Federal 
entities, the offeror/quoter/contractor shall utilize health IT that--
    (1) Meets standards and implementation specifications adopted in 45 
CFR part 170, subpart B, if such standards and implementation 
specifications can support the work performed under the contract; or
    (2) Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support the work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the Contractor is--
    (i) an eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH 
Act; or
    (ii) is implementing, acquiring or upgrading technology to be used 
by an eligible professional in an ambulatory setting, or a hospital, 
eligible under sections 4101, 4102 and 4201 of the HITECH Act.
     When the contractor is a health care provider, health 
plan, or health insurance issuer, or, to perform the contract, is 
establishing an agreement with a health care provider, health plan, or 
health insurance issuer, for work performed under the contract that 
involves implementing, acquiring, or upgrading health IT, the offeror/
quoter/contractor shall utilize heath IT that--
    (1) Meets standards and implementation specifications adopted in 45 
CFR part 170, subpart B, if such standards and implementation 
specifications can support the work performed under the contract; or
    (2) Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support the work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the Contractor is--
    (i) an eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH 
Act; or
    (ii) implementing, acquiring or upgrading technology to be used by 
an eligible professional in an ambulatory setting, or a hospital, 
eligible under sections 4101, 4102 and 4201 of the HITECH Act.
    Additionally, this section would also encourage contractors, if 
such standards and implementation specifications adopted in 45 CFR part 
170, subpart B, cannot support the work as specified in the contract, 
to use health IT that meets non-proprietary standards and 
implementation specifications developed by consensus-based standards 
development organizations. This may include standards identified in the 
ONC Interoperability Standards Advisory, available at https://www.healthit.gov/isa/.

III. Executive Order 12866 and 13563

    Executive Orders (E.O.) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, when 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic,

[[Page 65307]]

environmental, public health and safety, and other advantages; 
distributive impacts; and equity). E.O. 13563 (Improving Regulation and 
Regulatory Review) emphasizes the importance of quantifying both costs 
and benefits, reducing costs, harmonizing rules, and promoting 
flexibility.
    The Office of Information and Regulatory Affairs has examined the 
economic, interagency, budgetary, legal, and policy implications of 
this regulatory action, and has determined that this proposed rule is 
not a significant regulatory action under E.O. 12866.
    HHS's impact analysis can be found as a supporting document at 
https://www.regulations.gov, usually within 48 hours after the 
rulemaking document is published.

IV. Paperwork Reduction Act

    This proposed rule contains no provisions constituting a collection 
of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501-3521).

V. Regulatory Flexibility Act

    The Secretary hereby certifies that this proposed rule would not 
have a significant economic impact on a substantial number of small 
entities as they are defined in the Regulatory Flexibility Act (5 
U.S.C. 601-612). Therefore, pursuant to 5 U.S.C. 605(b), the initial 
and final regulatory flexibility analysis requirements of 5 U.S.C. 603 
and 604 do not apply.
    HHS expects that the overall impact of the proposed rule would 
benefit small businesses because the HHSAR is being updated to provide 
needed guidance to ensure HHS's contractors properly understand and can 
propose and provide health IT that meets standards and implementation 
specifications adopted by the ONC, consistent with sections 13111 and 
13112 of the HITECH Act (Pub. L. 111-5, title XIII, sections 13111 and 
13112) and HHS policy.
    Any additional costs associated with the proposed rule, such as 
costs to implement the substantive new and revised requirements 
concerning the HITECH Act, can be factored into the contract price. 
There are no alternatives that would permit treating small businesses 
providing services and equipment to HHS differently than other firms. 
However, with clear guidance and an understanding of the requirement, 
small businesses will be better postured to provide offers and quotes 
with fully compliant equipment and thus be able to effectively 
participate in HHS acquisitions. The use of consensus-based standards 
presents a potential benefit to small businesses as it provides clear 
technical guidelines for health IT requirements. This can help to 
reduce development burden by offering open technical guidelines for 
implementation, rather than necessitating resource allocation to 
standards development. In addition, the use of non-proprietary 
standards allows greater flexibility for customers and mitigates the 
risk of being ``locked in'' to any one product or vendor. Overall, the 
use of open, consensus-based standards increases small businesses' 
ability to compete in the health IT landscape. On this basis, the 
Secretary hereby certifies that this proposed rule will not have a 
significant economic impact on a substantial number of small entities 
as they are defined in the Regulatory Flexibility Act, 5 U.S.C. 601-
612. Therefore, pursuant to 5 U.S.C. 605(b), the initial regulatory 
flexibility analysis requirements of section 603 does not apply.
    While on the basis of the foregoing, HHS has determined that the 
agency is not required to prepare an Initial Regulatory Flexibility 
Analysis (IRFA), HHS has prepared an IRFA that is summarized here. 
Comments are solicited from small businesses and other interested 
parties and will be considered in the development of the final rule.

VI. Initial Regulatory Flexibility Analysis

    This Initial Regulatory Flexibility Analysis (IRFA) has been 
prepared consistent with 5 U.S.C. 603.
    1. Description of the reasons why the action is being taken.
    This proposed rule would amend the Health and Human Services 
Acquisition Regulation (HHSAR) to implement updates to the HHSAR to add 
substantive new language to align requirements related to the 
procurement of health information technology (health IT) with standards 
and implementation specifications (standards) adopted by the Office of 
the National Coordinator for Health Information Technology (ONC), 
consistent with sections 13111 and 13112 of the Health Information 
Technology for Economic and Clinical Health Act (``HITECH Act'') (Pub. 
L. 111-5, title XIII, sections 13111 and 13112) and HHS policy.
    Section 13111 of the HITECH Act requires agencies identified by the 
Director of the Office of Management and Budget (OMB), in consultation 
with the Secretary, when implementing, acquiring, or upgrading health 
IT systems used for the direct exchange of individually identifiable 
health information between agencies and with non-Federal entities, to 
utilize, where available, health IT systems and products that meet 
standards and implementation specifications adopted by ONC on behalf of 
the Secretary under section 3004 of the Public Health Service Act 
(PHSA).
    Section 13112 of the HITECH Act specifies that agencies, as defined 
in Executive Order 13410, shall require in contracts or agreements with 
health care providers, health plans, or health insurance issuers that 
as each provider, plan, or issuer implements, acquires, or upgrades 
health IT systems, it shall utilize, where available, health IT systems 
and products that meet standards and implementation specifications 
adopted under section 3004 of the PHSA.
    On behalf of HHS, ONC adopts standards and implementation 
specifications under section 3004 of the PHSA in 45 CFR part 170, 
subpart B. Standards adopted under section 3004 are included in 
certification criteria for health IT in the ONC Health Information 
Technology Certification Program at 45 CFR part 170, subpart C. For 
more information on the ONC Certification Program, see https://www.healthit.gov/topic/certification-ehrs/certification-health-it.
    This proposed rule would implement requirements in the HHSAR that 
would apply to all solicitations and contracts, issued by or on behalf 
of HHS entities, that involve implementing, acquiring, or upgrading 
health IT used (1) for the direct exchange of individually identifiable 
health information between agencies and non-Federal entities, or (2) by 
health care providers, health plans, or health insurance issuers under 
HHS contracts. Based on a review of the potential impact on small 
business entities, HHS has determined that the requirements specified 
in the proposed rule are inherent to successful performance on any 
relevant Federal contract.
    This proposed rule would provide definitions, policy, and a 
prescription for a new HHSAR clause to implement requirements of the 
HITECH Act, to include: (1) when contracting officers must procure 
health IT that complies with the HITECH Act; and (2) when to require 
health IT that complies with the HITECH Act in contracts and agreements 
with health care providers, health plans, or health insurance issuers.
    2. Succinct statement of the objectives of, and legal basis for, 
the rule.
    The proposed rule implements the HITECH Act, sections 13111 and 
13112, and HHS policy. This must be

[[Page 65308]]

implemented in the HHSAR in accordance with 41 U.S.C. 1707, and FAR 
subpart 1.5 that require publication of a proposed rule for public 
comment.
    3. Description of and, where feasible, estimate of the number of 
small entities to which the rule will apply.
    To estimate the number of small businesses that could potentially 
be impacted by the proposed rule, HHS identified contract award actions 
across key North American Industry Classification System (NAICS) codes, 
as well as Product Service Codes (PSC) that could be affected for five 
fiscal years--FY 2018, 2019, 2020, 2021 and 2022 as set forth in the 
table below. HHS focused on businesses that potentially could be 
impacted by the proposed revisions to parts 339 and 352 involving 
health IT, because of the potential costs resulting from the 
utilization of health information technology that meets standards and 
implementation specifications adopted under section 3004 of the PHSA, 
consistent with the HITECH Act, in HHS acquisitions containing such 
requirements.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                            Number of contract actions
                   NAICS                              NAICS description          ---------------------------------------------------------------------------------------------------------------
                                                                                      FY 2018         FY 2019         FY 2020         FY 2021         FY 2022          Total          Average
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
518210.....................................  Computing Infrastructure Providers,             772             799             797             754             909           4,031           806.2
                                              Data Processing, Web Hosting, and
                                              Related Services.
524292.....................................  Pharmacy Benefit Management and                  29              29              32              29              44             163            32.6
                                              Other Third Party Administration
                                              of Insurance and Pension Funds.
541511.....................................  Custom Computer Programming                   1,327           1,288           1,343           1,332           1,668           6,958         1,391.6
                                              Services.
541512.....................................  Computer Systems Design Services...           2,838           3,095           2,891           3,103           4,497          16,424         3,284.8
541513.....................................  Computer Facilities Management                  125             130             155             121             161             692           138.4
                                              Services.
541519.....................................  Other Computer Related Services....           4,857           4,264           4,813           4,141           4,610          22,685           4,537
541715.....................................  Research and Development in the                 322             644           1,074           1,498           2,227           5,765           1,153
                                              Physical, Engineering, and Life
                                              Sciences (except Nanotechnology
                                              and Biotechnol-ogy).
541990.....................................  All Other Professional, Scientific,           3,356           2,943           3,216           3,305           4,271          17,091         3,418.2
                                              and Tech. Svcs.
611310.....................................  Colleges, Universities, and                     336             265             228             222             265           1,316           263.2
                                              Professional Schools.
                                            ----------------------------------------------------------------------------------------------------------------------------------------------------
 NAICS Total                                 ...................................          13,962          13,457          14,549          14,505          18,652          75,125          15,025
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PSC                                          Product service code description...
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
7010.......................................  Information Technology Equipment                 94              94              94              94              94              94              94
                                              System Configuration.
7020.......................................  Information Technology Central                   47              41              79              19               5             191            38.2
                                              Processing Unit (CPU, Computer),
                                              Analog.
7021.......................................  Information Technology Central                  231             116             207              23              14             591           118.2
                                              Processing Unit (CPU, Computer),
                                              Digital.
7022.......................................  Information Technology Central                   18              18              14               6               0              56            11.2
                                              Processing Unit (CPU, Computer),
                                              Hybrid.
7025.......................................  Information Technology Input/Output             149             105             136              40              23             453            90.6
                                              and Storage Devices.
7030.......................................  Information Technology Software....           1,934           1,524           1,971             674             514           6,617         1,323.4
7035.......................................  Information Technology Support                  501             353             426             106              79           1,465             293
                                              Equipment.
                                            ----------------------------------------------------------------------------------------------------------------------------------------------------
                                              PSC Total.........................           2,974           2,253           2,931             898             657           9,713         1,942.6
                                              Total.............................          16,936          15,710          17,480          15,403          19,309          84,838        16,967.6
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    As shown, HHS awarded over 84,838 contract actions for nine NAICS 
(products or services) and seven Product Service Codes for IT or IT-
related services during the period FY 2018 through FY 2022. To estimate 
the number of small businesses potentially impacted by this proposed 
rule involving the much narrower health IT certification standards and 
requirements, HHS notes that in FY 2022, the total number of contract 
actions awarded to small business concerns across the nine NAICS and 
all operating administrations was around 55%. Using this figure to 
project the potential impact to small business entities that may be 
affected by the proposed rule, the Department estimates that up to 
8,484 contract actions could be awarded to small businesses.
    4. Description of projected reporting, recordkeeping, and other 
compliance requirements of the rule, including an estimate of the 
classes of small entities which will be subject to the requirement and 
the type of professional skills necessary for preparation of the report 
or record.
    This proposed rule contains no provisions constituting a collection 
of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501-3521).
    5. Identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap, or conflict with the rule.

[[Page 65309]]

    The proposed rule does not duplicate, overlap, or conflict with any 
other Federal rules.
    6. Description of any significant alternatives to the rule which 
accomplish the stated objectives of applicable statutes and which 
minimize any significant economic impact of the rule on small entities.
    HHS considered whether any other alternatives would reduce the 
impact on small businesses but concluded that the proposed rule was 
necessary for consistency with the FAR, for compliance with the HITECH 
Act and HHS policy, and to ensure the information security and 
integrity of HHS information and information systems.

IV. Comments on the Economic Impacts of the Rule

    HHS has submitted a copy of the IRFA to the Chief Counsel for 
Advocacy of the Small Business Administration. HHS will consider 
comments from small entities concerning the affected HHSAR parts, to 
include 339 and 352 that pertains to IT. Interested parties should cite 
5 U.S.C. 601, et seq. and reference 0991-AC35--HHS Acquisition 
Regulation: Acquisition of Information Technology; Standards for Health 
Information Technology (HHSAR Case 2023-001), in comments on the 
certification or the IRFA presented in this proposed rule.

A. Unfunded Mandates

    The Unfunded Mandates Reform Act of 1995 (URMA) requires, at 2 
U.S.C. 1532, that agencies prepare an assessment of anticipated costs 
and benefits before issuing any rule that may result in the expenditure 
by State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100 million or more (adjusted annually for 
inflation) in any one year. In 2023, that threshold is approximately 
$177 million. HHS has determined that this proposed rule would have no 
such effect on State, local, and tribal governments or on the private 
sector. Therefore, the analytical requirements of UMRA do not apply.

List of Subjects in 48 CFR Parts 339 and 352

    Government procurement.

Xavier Becerra,
Secretary, Department of Health and Human Services.

    For the reasons set out in the preamble, HHS proposes to amend 48 
CFR parts 339 and 352 as follows:

PART 339--ACQUISITION OF INFORMATION TECHNOLOGY

0
1. The authority citation for part 339 is revised to read as follows:

    Authority: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 
41 U.S.C. 1702; and 48 CFR 1.301 through 1.304.

0
2. Subpart 339.70 is added to read as follows:

Subpart 339.70--Standards for Health Information Technology


339.7000  Scope of subpart.


339.7001  Definitions.


339.7002  Policy--standards for health information technology.


339.7003  Contract clause.

339.7000 Scope of Subpart

    (a) This subpart implements and aligns requirements related to the 
procurement of health information technology (health IT) with standards 
and implementation specifications (standards) adopted by the Office of 
the National Coordinator for Health Information Technology (ONC) under 
section 3004 of the Public Health Service Act (PHSA), consistent with 
sections 13111 and 13112 of the HITECH Act (Pub. L. 111-5) and HHS 
policy to advance health IT alignment.
    (b) This subpart provides policies and procedures for solicitations 
and contracts that involve implementing, acquiring, or upgrading health 
IT used--
    (1) For the direct exchange of individually identifiable health 
information between agencies and with non-Federal entities; or
    (2) By health care providers, health plans, or health insurance 
issuers.

339.7001 Definitions

    As used in this subpart--
    Health information technology (health IT) means hardware, software, 
integrated technologies or related licenses, intellectual property, 
upgrades, or packaged solutions sold as services that are designed for 
or support the use by health care entities or patients for the 
electronic creation, maintenance, access, or exchange of health 
information. (42 U.S.C. 300jj(5))
    Individually identifiable health information means any information, 
including demographic information collected from an individual, that--
    (1) Is created or received by a health care provider, health plan, 
employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental 
health condition of an individual; the provision of health care to an 
individual; or the past, present, or future payment for the provision 
of health care to an individual; and
    (i) Identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe 
the information can be used to identify the individual. (42 U.S.C. 
300jj(8), 1320d(6))
    ONC Health Information Technology Certification Program means the 
voluntary certification program administered by ONC using a third-party 
conformity assessment program for health IT. Certification criteria for 
the Program are found in 45 CFR part 170, subpart C, and incorporate 
standards and implementation specifications in 45 CFR part 170 subpart 
B.

339.7002 Policy--Standards for Health Information Technology

    (a) Pursuant to the HITECH Act, Public Law 111-5, title XIII, 
sections 13111 and 13112, and HHS policy, health IT procured by or on 
behalf of HHS entities, or procured through HHS contracts with health 
care providers, health plans, or health insurance issuers that involve 
implementing, acquiring, or upgrading health IT, shall meet standards 
and implementation specifications adopted in 45 CFR part 170, subpart 
B, if applicable.
    (b) Contracting officers shall not award a contract unless the 
offeror/quoter/contractor agrees, by submission of an offer (or a 
quote) and execution of the contract, that--
    (1) For any work performed under the contract that involves 
implementing, acquiring, or upgrading health IT procured by or on 
behalf of HHS entities used for the direct exchange of individually 
identifiable health information between agencies and with non-Federal 
entities unless the offeror/quoter/contractor shall utilize health IT 
that--
    (i) Meets standards and implementation specifications adopted in 45 
CFR part 170, subpart B, if such standards and implementation 
specifications can support work performed under the contract; or
    (ii) Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the contractor is--
    (A) An eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH 
Act; or
    (B) Implementing, acquiring, or upgrading technology to be used by 
an

[[Page 65310]]

eligible professional in an ambulatory setting, or hospital, eligible 
under sections 4101, 4102, and 4201 of the HITECH Act.
    (2) If the contractor is a health care provider, health plan, or 
health insurance issuer, or, to perform the contract, is establishing 
an agreement with a health care provider, health plan, or health 
insurance issuer, for any work performed under the contract that 
involves implementing, acquiring, or upgrading health IT, the offeror/
quoter/contractor shall utilize health IT that--
    (i) Meets standards and implementation specifications adopted in 45 
CFR part 170, subpart B, if such standards and implementation 
specifications can support work performed under the contract; or
    (ii) Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the contractor is--
    (A) An eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102, and 4201 of the HITECH 
Act; or
    (B) Implementing, acquiring, or upgrading technology to be used by 
an eligible professional in an ambulatory setting, or hospital, 
eligible under sections 4101, 4102, and 4201 of the HITECH Act.
    (c) If standards and implementation specifications adopted in 45 
CFR part 170, subpart B, cannot support the work as specified in the 
contract, the offeror/quoter/contractor is encouraged to use health IT 
that meets non-proprietary standards and implementation specifications 
developed by consensus-based standards development organizations. This 
may include standards identified in the ONC Interoperability Standards 
Advisory, available at https://www.healthit.gov/isa/.

339.7003 Contract Clause

    The contracting officer shall insert the clause at 352.239-70, 
Standards for Health Information Technology, in solicitations and 
contracts issued by or on behalf of HHS entities that--
    (a) Involve implementing, acquiring, or upgrading health IT used 
for the direct exchange of individually identifiable health information 
between agencies and with non-Federal entities; or
    (b) Are with health care providers, health plans, or health 
insurance issuers that, under the solicitation or contract, would be 
implementing, acquiring, or upgrading health IT.

PART 352--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
3. The authority for part 352 is revised to read as follows:

    Authority: 5 U.S.C. 301; 40 U.S.C. 121(c); 41 U.S.C. 1121(c)(3); 
41 U.S.C. 1702; 42 U.S.C. 2003; and 48 CFR 1.301 through 1.304.

Subpart 352.2--Text of Provisions and Clauses

0
4. The heading for subpart 352.2 is revised to read as set forth above.
0
5. Section 352.239-70 is added to read as follows:

352.239-70 Standards for Health Information Technology

    As prescribed in 339.7003, insert the following clause:

Standards for Health Information Technology

(Date)

    (a) Definitions. As used in this clause--
    Health information technology (health IT) means hardware, software, 
integrated technologies or related licenses, intellectual property, 
upgrades, or packaged solutions sold as services that are designed for 
or support the use by health care entities or patients for the 
electronic creation, maintenance, access, or exchange of health 
information. (42 U.S.C. 300jj(5))
    Individually identifiable health information means any information, 
including demographic information collected from an individual, that--
    (1) Is created or received by a health care provider, health plan, 
employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental 
health condition of an individual; the provision of health care to an 
individual; or the past, present, or future payment for the provision 
of health care to an individual; and
    (i) Identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe 
the information can be used to identify the individual. (42 U.S.C. 
300jj(8), 1320d(6))
    ONC Health Information Technology Certification Program means the 
voluntary certification program administered by the HHS Office of the 
National Coordinator for Health Information Technology (ONC) using a 
third-party conformity assessment program for health IT. Certification 
criteria for the Program are found in 45 CFR part 170, subpart C, and 
incorporate standards and implementation specifications in 45 CFR part 
170, subpart B.
    (b) Pursuant to the Health Information Technology for Economic and 
Clinical Health Act (HITECH Act), Public Law 111-5, title XIII, 
sections 13111 and 13112, and HHS policy, by submission of an offer (or 
a quote) and execution of a contract, the offeror/quoter/Contractor 
agrees that--
    (1) For any work performed under the contract that involves 
implementing, acquiring, or upgrading health IT procured by or on 
behalf of HHS entities used for the direct exchange of individually 
identifiable health information between agencies and with non-Federal 
entities, the offeror/quoter/Contractor shall utilize health IT that--
    (i) Meets standards and implementation specifications adopted in 45 
CFR part 170, subpart B, if such standards and implementation 
specifications can support the work performed under the contract; or
    (ii) Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support the work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the Contractor is--
    (A) An eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH 
Act; or
    (B) Implementing, acquiring, or upgrading technology to be used by 
an eligible professional in an ambulatory setting, or a hospital, 
eligible under sections 4101, 4102 and 4201 of the HITECH Act.
    (2) If the Contractor is a health care provider, health plan, or 
health insurance issuer, or, to perform the contract, is establishing 
an agreement with a health care provider, health plan, or health 
insurance issuer, for any work performed under the contract that 
involves implementing, acquiring, or upgrading health IT, the offeror/
quoter/Contractor shall utilize health IT that--
    (i) Meets standards and implementation specifications adopted in 45 
CFR part 170, subpart B, if such standards and implementation 
specifications can support the work performed under the contract; or
    (ii) Is certified under the ONC Health Information Technology 
Certification Program, if certified technology can support the work 
performed under the contract (see certification criteria in 45 CFR part 
170, subpart C), when the Contractor is--
    (A) An eligible professional in an ambulatory setting, or a 
hospital, eligible under sections 4101, 4102 and 4201 of the HITECH 
Act; or
    (B) Implementing, acquiring, or upgrading technology to be used by 
an

[[Page 65311]]

eligible professional in an ambulatory setting, or a hospital, eligible 
under sections 4101, 4102 and 4201 of the HITECH Act.
    (c) If standards and implementation specifications adopted in 45 
CFR part 170, subpart B, cannot support the work as specified in the 
contract, the Contractor is encouraged to use health IT that meets non-
proprietary standards and implementation specifications developed by 
consensus-based standards development organizations. This may include 
standards identified in the ONC Interoperability Standards Advisory, 
available at https://www.healthit.gov/isa/.

(End of clause)

[FR Doc. 2024-17096 Filed 8-8-24; 8:45 am]
BILLING CODE 4151-19-P