United States: HHS-ONC Finalizes Rule With New Requirements For Use Of AI In Certified Health IT And Information Blocking Modifications

On December 13, 2023, the Office of the National Coordinator for Health Information Technology ("ONC") within the U.S. Department of Health and Human Services issued a final rule titled "Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing" (the "HTI-1 Final Rule").¹ The HTI-1 Final Rule finalizes significant changes to the ONC Health Information Technology Certification Program (the "HIT Certification Program") and the Information Blocking Rule² applicable to health care providers, developers of certified health information technology ("health IT"), and health information exchanges and networks ("HIE/HINs"). After incorporating public feedback on its proposed rule from April, which we summarized in a prior article (the "HTI-1 Proposed Rule"), ONC finalized many of the changes that were proposed in the HTI-1 Proposed Rule.

As summarized in Section I below, the HTI-1 Final Rule finalizes several changes to the HIT Certification Program, including finalizing a new Decision Support Intervention ("DSI") certification criterion that includes certification requirements for predictive models and other forms of artificial intelligence ("Predictive DSIs") and establishing new Insights Condition and Maintenance of Certification Requirements (the "Insights Condition") requiring developers to report certain interoperability data to ONC.

As summarized in Section II below, there are also major changes to the Information Blocking Rule, including modifying the definition of a "developer" subject to information blocking requirements, adding new scenarios in which fulfilling a request for electronic health information ("EHI") can be considered infeasible under the Infeasibility Exception, and allowing fulfillment of such requests only via the Trusted Exchange Framework and Common Agreement ("TEFCA") in certain circumstances.

I. Changes to the HIT Certification Program

While the HIT Certification Program is a voluntary program, health care providers must use certified electronic health record ("EHR") technology to participate in the Medicare Promoting Interoperability Programs as well as some other government and non-government programs.³ In the HTI-1 Final Rule, ONC finalized several changes to the HIT Certification Program.

a. Single Set of ONC Certification Criteria for Health IT (finalized as proposed)

In the HTI-1 Proposed Rule, ONC proposed to rename all certification criteria within the HIT Certification Program as "ONC Certification Criteria for Health IT," without reference to different year-specific "Editions." Many commenters agreed that this approach would reduce confusion and allow for more flexibility in implementing HIT Certification Program updates, so ONC finalized this approach as proposed.

b. New DSI Certification Criterion (finalized with modifications)

In the HTI-1 Proposed Rule, ONC proposed a new DSI certification criterion as an iterative update and replacement criterion for the CDS certification criterion, which would address both clinical decision support ("CDS") covered by current HIT Certification Program requirements and new Predictive DSIs.

Most of ONC's proposals related to the DSI certification criterion were finalized, with some modifications in response to comments that expressed concern about the broad scope and the high burden of complying with some of the requirements that had been proposed. Importantly, commenters expressed concern that application of the requirements to all Predictive DSIs "that the certified Health IT Module enables or interfaces with" (as had been proposed) would be too broad and lead to a significant compliance burden for certified health IT developers. In response to the comments, ONC narrowed the scope of requirements to Predictive DSIs supplied by a health IT developer as part of its certified health IT module ("Health IT Module").

Other Predictive DSI certification requirements were finalized largely as proposed, including (1) enabling users to access information about the design, development, training, and evaluation of Predictive DSIs; (2) requiring developers to apply "intervention risk management" practices for all Predictive DSIs that are supplied by the developer of certified health IT as part of its Health IT Module; and (3) making summary information regarding these practices publicly available. The new DSI certification criterion will take effect on January 1, 2025.

In order to ensure that the policy objectives and goals of the DSI certification criterion are met, ONC has also finalized a new Maintenance of Certification requirement as part of the Assurances Condition of Certification to support the new DSI certification criterion, which was not proposed in the HTI-1 Proposed Rule. This new Maintenance of Certification requirement, which takes effect on January 1, 2025, requires developers with health IT products certified to the DSI certification criterion to review and update, as necessary, source attribute information, risk management practices, and summary information about these practices.⁴

c. New Patient Requested Restrictions Certification Criterion (not finalized)

In the HTI-1 Proposed Rule, ONC proposed to adopt a new "Patient Requested Restrictions" certification criterion to support "the right of an individual to request restrictions of uses and disclosures" pursuant to 45 C.F.R. § 164.522(a).⁵ While many commenters expressed support for the goal of the "Patient Requested Restrictions" certification criterion, some noted concerns about implementation feasibility, impacts on patient safety and provider burden, the importance of patient education, and intersections with existing information blocking requirements and TEFCA. Due to the mixed response towards this proposed certification criterion, ONC decided not to finalize the "Patient Requested Restrictions" certification criterion, instead committing to monitoring standards development efforts in this area for future potential rulemaking.

d. View, Download, Transmit Certification Criterion (finalized as proposed)

Public comments were supportive of revisions to the "view, download and transmit to 3rd party" certification criterion that would provide a method by which patients could request a restriction of uses and disclosures of PHI via the Health IT Module. Similar to the proposed "Patient Requested Restrictions" certification criterion described above, these revisions would support patient-requested privacy restrictions, but without many of the technical requirements that were proposed in the "Patient Requested Restrictions" certification criterion. As such, ONC has finalized the requirement that Health IT Modules certified to the "view, download, and transmit to 3rd party" certification criterion must provide patients with an "internet-based method to request a restriction to be applied for any data expressed in the standards in 45 C.F.R. § 170.213." Health IT Modules certified to this criterion must comply by January 1, 2026.

e. Electronic Case Reporting Certification Criterion (finalized with minor technical modifications)

To better support and facilitate case reporting, disease tracking, and prevention for public health purposes, ONC had proposed to replace the functional requirements of the electronic case reporting certification criterion with a set of consensus-based, industry-developed electronic standards and implementation guides. Commenters were generally supportive of these proposed changes, stating that the changes would improve interoperability and support the consistent and timely transmission of accurate case data between health providers and public health agencies. With the positive public feedback, ONC finalized the changes largely as proposed, with minor technical modifications.

f. USCDI v.3 as New Baseline Standard (finalized as proposed with new effective date)

In the HTI-1 Proposed Rule, ONC proposed to establish the United States Core Data for Interoperability version 3 as the new baseline standard of data classes and constituent data elements for certified health IT effective January 1, 2025. In response to comments expressing concern about complying with the new standard by that date, ONC changed the effective date to January 1, 2026.

g. New Insights Condition and Maintenance of Certification Requirements (finalized with modifications)

Under the 21st Century Cures Act, ONC is required to establish an EHR Reporting Program that provides transparent reporting on certified health IT in the areas of interoperability, usability and user-centered design, security, conformance to certification testing, and other categories, as appropriate to measure the performance of EHR technology. To satisfy this requirement, ONC had proposed new Insights Condition and Maintenance of Certification Requirements (the "Insights Condition") that would include nine reporting measures focusing on interoperability separated into four areas related to interoperability: (1) individuals' access to EHI; (2) public health information exchange; (3) clinical care information exchange; and (4) standards adoption and conformance. In the HTI-1 Proposed Rule, ONC stated that it plans to develop reporting measures that focus on usability and user-centered design, security, and conformance to certification testing in future rulemaking.⁶

While commenters expressed overall support of the intent behind the Insights Condition to drive transparency in the health IT marketplace and track trends in interoperability services, many commenters opposed the total number and type of proposed measures under the Insights Condition, and also specifically noted the complexity of the data elements to be reported as well as the implementation burden of reporting these measures in the proposed timeframe. In response, ONC finalized the Insights Condition with several modifications. First, ONC finalized only seven of the nine proposed measures based on public comments and simplified the metrics to be reported for each measure. Second, ONC developed a more incremental approach for implementing the reporting measures over a three-year time period, starting on January 1, 2026. For those measures that must be implemented by January 1, 2026, data is to be collected for calendar year 2026, with responses due in July 2027. Third, ONC reduced the frequency of measure reporting from semiannual to annual reporting. Fourth, ONC finalized an alternative reporting approach for health IT developers that are not able to report on their entire customer base due to contractual reasons. The seven finalized measures, the applicable metrics, and the applicable implementation year of each measure are summarized in Exhibit A. As finalized, only health IT developers with at least 50 hospital sites or 500 individual clinician users for their certified health IT must report on the measures under the Insights Condition.

h. Changes to Existing Conditions and Maintenance of Certification Requirements (finalized with modifications)

ONC also finalized changes to existing Conditions and Maintenance of Certification Requirements as follows:

• Assurances: In the HTI-1 Proposed Rule, ONC sought to strengthen the Assurances Condition and Maintenance of Certification Requirements by proposing the Condition of Certification that health IT developers provide additional assurances that they will not inhibit a customer's timely access to interoperable health IT certified under the HIT Certification Program, as well as two accompanying Maintenance of Certification requirements. Commenters generally supported these proposals, citing the benefits of ensuring timely access to interoperable health IT. As such, ONC finalized them as proposed, requiring health IT developers to (1) update a Health IT Module, once certified to a certification criterion adopted in 45 C.F.R. § 170.315, to all applicable revised certification criteria and (2) provide all Health IT Modules certified to a revised certification criterion to their customers of such certified health IT.
• APIs: In the HTI-1 Proposed Rule, ONC proposed to amend the API Condition and Maintenance of Certification requirements by adding the requirement that developers with APIs certified to 45 C.F.R. § 170.315(g)(10) must publish their service base URLs according to a standardized data format for all customers and must also review this published information quarterly. This amendment was finalized as proposed.
• Real World Testing and Attestations: In response to comments, ONC abandoned its proposal to add the CDS certification criterion (45 C.F.R. § 170.315(a)(9)) to the list of criteria that must be included in a developer's real world testing plan and for which the developer must attest to compliance with real world testing requirements. However, ONC closed a loophole that allows health IT with "inherited" certified status to avoid real world testing, as it had initially proposed.⁷

II. Changes to the Information Blocking Rule

The Information Blocking Rule prohibits certain "actors"—health care providers, developers of certified health IT, and HIE/HINs—from engaging in certain practices that interfere with access, exchange, or use of EHI, except as required by law or permitted by an information blocking exception specified in the regulations. In the HTI-1 Proposed Rule, ONC proposed several changes to the Information Blocking Rule, aimed to support information sharing and to improve clarity and reduce the burden of complying with information blocking requirements.

a. Technical Changes to Remove References to Limited EHI Definition (finalized as proposed)

ONC finalized technical revisions to the Information Blocking Rule to remove references to the limited definition of EHI that was in effect prior to October 6, 2022.

b. Updated Definition of "Developer" to Clarify What Constitutes "Offering" Certified Health IT (finalized with minor modifications)

In the HTI-1 Proposed Rule, ONC proposed to define the term "offer health IT" to help clarify what activities and arrangements would cause an individual or entity that offers certified health IT to be considered a "health IT developer of certified health IT," as defined in 45 C.F.R. § 171.102. The term "offer health IT" was finalized to mean the proffering or supplying of certified health IT to be deployed by others, except under certain excluded arrangements, such as: (1) certain health IT donation and subsidized supply arrangements; (2) certain implementation and use activities (e.g., issuing user accounts or making API technology available); and (3) certain consulting and legal services arrangements. Only minor modifications were made to the proposed definition to improve readability and clarity. ONC also finalized proposed modifications to the developer definition to incorporate the new "offer" term. Organizations should consider whether these changes would alter their analysis as to whether they would be considered a "developer" subject to the Information Blocking Rule due to activities that may be considered "offering" certified health IT.

c. Updates to the Infeasibility Exception (finalized with modifications)

The Infeasibility Exception outlines the conditions under which not fulfilling a request to access, exchange, or use EHI due to infeasibility of the request will not be considered information blocking. There are three conditions under the current Infeasibility Exception, of which only one needs to be satisfied: uncontrollable events, segmentation, and infeasibility under the circumstances.

ONC finalized its change to the "uncontrollable events" condition with modification to clearly characterize the causal relationship that must exist between the uncontrollable event and the infeasibility to fulfill the request. Thus, under the finalized "uncontrollable events" condition, an actor meets this condition if it "cannot fulfill the request . . . because of [an uncontrollable event] that in fact negatively impacts the actor's ability to fulfill the request."

In the HTI-1 Proposed Rule, ONC also proposed to add two new conditions under the Infeasibility Exception: the "third party seeking modification use" and "Manner Exception exhausted" conditions. The finalized "third party seeking modification use" condition will permit actors to decline requests for third-party modification of EHI, except for actors that are business associates when their contracted covered entity health care provider has requested to make modifications. The finalized "Manner Exception exhausted" condition may be used by actors that cannot fulfill a request to access, exchange, or use EHI after exhausting the "manner requested" and the "alternative manner" conditions of the Manner Exception, and that otherwise do not provide a substantial number of individuals or entities similarly situated to the requestor with the same requested access, exchange, or use of EHI. ONC also further clarified in the HTI-1 Final Rule that an actor exhausts the Manner Exception when it has offered the requestor at least two alternative manners, one of which must be either technology certified to standard(s) adopted in 45 C.F.R. Part 170 or published content and transport standards consistent with 45 C.F.R. § 171.301(b)(1)(ii).

d. Addition of the New "TEFCA Manner" for Fulfilling Requests for EHI (finalized with modifications)

In the HTI-1 Proposed Rule, ONC proposed to add a new condition under the Manner Exception that would provide TEFCA-qualified health information networks ("QHINs") and their participants and subparticipants flexibility in fulfilling requests to access, exchange, or use EHI via TEFCA, where the requestor is also a QHIN, participant, or subparticipant. The purpose of this new TEFCA condition is to incentivize participation in TEFCA, a voluntary data-sharing agreement among HINs to support nationwide health information interoperability. Public comments pointed out that incentivizing participation in TEFCA must be balanced with ONC's separate goal of promoting Fast Healthcare Interoperability Resources ("FHIR")-based APIs. In response to these comments, ONC finalized the TEFCA condition with modifications, namely that (1) for clarity, the TEFCA Manner Exception is established in a separate subpart rather than within the existing Manner Exception and (2) actors that receive requests to access, exchange, or use EHI via API standards adopted under the HIT Certification Program cannot meet the finalized TEFCA Manner Exception.

III. Conclusion

The HTI-1 Final Rule makes significant changes to the HIT Certification Program and the Information Blocking Rule to facilitate interoperability and improve access, exchange, and use of EHI. Developers of certified health IT will need to take steps to comply with the new HIT Certification Program requirements, including new requirements regarding DSIs and with respect to data that must be reported under the Insights Condition. In addition, health care organizations should reevaluate their information blocking actor classifications and information sharing practices for consistency with new provisions of the Information Blocking Rule. The HT-1 Final Rule affirms ONC's commitment to continued development of the HIT Certification Program and information sharing requirements, which appear likely to continue as prominent areas of focus for the agency.

Footnotes

1 U.S. Department of Health and Human Services, HHS Finalizes Rule to Advance Health IT Interoperability and Algorithm Transparency (Dec. 13, 2023), https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-to-advance-health-it-interoperability-and-algorithm-transparency.html.

2 Codified at 45 C.F.R. Part 171.

3 Office of the National Coordinator for Health Information Technology, "About The ONC Health IT Certification Program," https://www.healthit.gov/topic/certification-ehrs/about-onc-health-it-certification-program; Office of the National Coordinator for Health Information Technology, ONC Health IT Certification Program Overview, https://www.healthit.gov/sites/default/files/‌PUBLICHealthITCertificationProgramOverview.pdf/.

4 45 C.F.R. § 170.402(b)(4).

5 88 Fed. Reg. at 23,821-26.

6 88 Fed. Reg. 23,843–44.

7 88 Fed. Reg. 23830–31. A newer version of a previously certified health IT module may be granted "inherited" certified status if the certifying body determines that the capabilities for which certification criteria have been adopted have not been adversely affected. See https://www.healthit.gov/faq/b11-how-does-inherited-certification-status-work.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.