Up until the passage of the HITECH Act in 2009, electronic health records (EHR) were largely unregulated, with adoption rates among providers not significant enough to warrant government oversight. CMS’ final rule defining the Stage 1 ‘Meaningful Use’ criteria was the first widespread federal effort to control the implementation and use of EHRs. Given the financial commitment the federal government is making to wire the U.S. health care system, and the critical role EHRs will play in streamlining care and assisting in clinical decision-making, future regulatory oversight of health information technology (HIT) promises to be both rigorous and widespread.

While exact roles still need to be defined, there will be at least three federal agencies exercising some level of regulatory jurisdiction over EHRs.

Through the EHR Incentive program and the Meaningful Use criteria, the Center for Medicare and Medicaid Services (CMS) will play a hands-on role in the use of EHR systems through this decade. Though the final stage of the EHR Incentive program will occur in 2015, Medicaid providers have a much longer glide path to adoption and could conceivably receive incentive payments up until 2021. Even after incentive dollars cease to flow, CMS can still control behavior by levying penalties on providers and hospitals (in the form of lower reimbursements) who have not become meaningful users.

CMS is also beginning to build a foundation for oversight by including EHR-related requirements and mandates in other programs. For example, the recently released Notice of Proposed Rulemaking (NPRM) on the Medicare Shared Savings Program requires that at least 50% of an Accountable Care Organization’s (ACO) providers be meaningful users of HIT. The NPRM also requires an ACO’s infrastructure to include shared clinical decision support capabilities, and to report the percentage of their providers who use CDS.

The prospect of regulatory oversight by the Food and Drug Administration (FDA) has caused many a sleepless night for HIT vendors, who fear their product development efforts will suffer from the same filings, trials and delays the pharmaceutical and medical device industries have experienced. The FDA has already stated publicly that health information technology falls within its jurisdiction. The only question remaining is whether select HIT products will be labeled as Class III devices, subject to pre-market approval before being rolled out to doctors and hospitals. The HIT Industry received positive news (relatively speaking) in February when the FDA released a rule on Medical Device Data Systems, determining that these would be treated as Class I devices only, requiring registration, quality manufacturing practices and reporting of adverse events, but stopping short of pre-market approval. The FDA has recently indicated that it will regulate mobile medical applications that will run on smart phones, tablets and other hand-held devices, with specific guidance to be released later this year. Further definition of the FDA’s role may also be forthcoming this fall when the Institute of Medicine releases a report on HIT and patient safety.

A relative newcomer to the federal regulation scene, the Office of the National Coordinator for Health Information Technology (ONC) is already overseeing the EHR certification and standards setting processes that support the EHR Incentive program. As health information technology becomes more ingrained in other programs (i.e. ACOs, Medical Homes) as well as the default method for CMS quality reporting, look for ONC to continue providing certification for HIT functionality so doctors and hospitals can rest assured the new systems and modules they purchase meet government guidelines. Similarly the emphasis on health information exchange to foster care coordination will require ONC to continually update and articulate new data exchange standards. ONC’s future regulatory role will be further defined (and likely expanded) in the upcoming NPRM on Governance of the National Health Information Network.

Other federal agencies and offices will also play roles in overseeing or influencing HIT policy, including the National Institute for Standards and Technology (NIST) and HHS’ Office of Civil Rights (OCR). NIST will continue to work with ONC on testing procedures and scripts used in the certification process. OCR will focus on safeguarding personal health information that is more widely accessible through the use of HIT. OCR’s recent NPRM updating the Health Insurance Portability and Accountability Act (HIPAA) with new accounting of disclosures rules is just one example of their work in HIT.

And this is just the feds. In a future post, I’ll explore the possible role states will play in regulating health information technology.