On August 5, 2024, the Office of the National Coordinator for Health Information Technology—now known as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”)—issued a proposed rule titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), as part of its ongoing efforts to enhance health care interoperability and data sharing.
The HTI-2 Proposed Rule builds on the January 2024 “Health Data, Technology, and Interoperability” final rule (the “HTI-1 Final Rule”). Comments on the HTI-2 Proposed Rule are due October 4.
Through the proposed changes, ASTP/ONC would (1) make sweeping changes to its Health Information Technology Certification Program (“HIT Certification Program”); (2) make revisions to the information blocking regulation, including implementing two new information blocking exceptions; and (3) codify and implement the statutory provisions regarding the Trusted Exchange Framework and Common Agreement (“TEFCA”) requirements.
New and Revised HIT Certification Criteria
The proposed changes in the HTI-2 Proposed Rule would significantly expand the scope of the HIT Certification Program to introduce additional functionality and new technology for developers of HIT used by health care providers and HIT that is intended to be used by payers and public health agencies. The certification criteria introduced in HTI-2 for payers mark the first time that the health IT certification program is being extended beyond certified electronic health record (EHR) technology developers. Some notable changes include the following:
Diagnostic Imaging Hyperlink
ASTP/ONC proposes to include certification requirements to support capturing and documenting hyperlinks to diagnostic imaging. It is not, however, proposing a specific standard associated with the support of this functionality, noting that this requirement can be met with a context-sensitive link to an external application that provides access to images and their associated narrative. Diagnostic images are often stored in systems external to the EHR, such as picture archiving and communication systems or vendor neutral archives. ASTP/ONC hopes that promoting access to images via EHR hyperlink functionality may encourage more widespread adoption and integration of these already existing pathways and reduce inefficiencies (e.g., CD-ROM–dependent exchanges).
USCDI Version 4
ASTP/ONC proposes adopting the United States Core Data for Interoperability (USCDI) v4, which updates the USCDI standard. The adoption of USCDI v4 would add 20 new data elements, some of which are specifically relevant to behavioral health and marginalized and underserved communities, including treatment intervention preference data elements and alcohol use, substance use, and physical activity data elements. ASTP/ONC believes that adopting USCDI v4 would support data users’ abilities to identify, assess, and analyze gaps in care, which in turn could be used to inform and address the quality of health care through interventions and strategies.
Updated Minimum Standards Code Sets
Code sets are an important component of interoperability that provide a standardized language that various health information technologies can understand. Code sets establish clinical concepts and ensure that data shared between systems retains its meaning. The HTI-2 Proposed Rule also proposes the adoption of frequently updated versions of “minimum standards” codes to improve interoperability and implementation. ONC hopes that a standardized code set can create efficient health-related data exchange, improve clinical decision-making, and increase a patient’s quality of care. The newer versions of the code sets can be utilized as the baseline for certification and the new versions can be used on a voluntary basis. ONC is proposing the adoption of new minimum code sets for these specific areas:
- 45 C.F.R. § 170.207(a) – Problems
- 45 C.F.R. § 170.207(c) – Laboratory Tests
- 45 C.F.R. § 170.207(d) – Medications
- 45 C.F.R. § 170.207(e) – Immunizations
- 45 C.F.R. § 170.207(f) – Race and Ethnicity
- 45 C.F.R. § 170.207(n) – Sex
- 45 C.F.R. § 170.207(o) – Sexual Orientation and Gender Information
- 45 C.F.R. § 170.207(p) – Social, Psychological, and Behavioral Data
Bulk Data Sets
The HTI-2 Proposed Rule seeks to adopt the Bulk Data Access v2.0.0: STU 2 implementation specification (“Bulk v2 IG”) and require server support for the group export operation and a query parameter for performance improvement. ASTP/ONC believes this will better support application developers interacting with ONC-certified Health IT Modules in exporting complete sets of EHI via Fast Healthcare Interoperability Resources (FHIR), as constrained by the US Core Interoperability Implementation Guides (IG) and USCDI, for pre-defined cohorts of patients. Currently, the Bulk v1 IG requirements for certification include only support for the group export operation and not any of the optional query parameters in the Bulk v1 IG. ASTP/ONC believes that these new certification requirements will provide meaningful improvements in the performance of Bulk Application Programming Interfaces (APIs).
Electronic Prior Authorization
The HTI-2 Proposed Rule proposes new certification criteria that aim to complement the policies advanced by CMS in the Advancing Interoperability and Improving Prior Authorization Processes Final Rule (“Final Prior Authorization Rule”) that was published in the Federal Register on February 8, 2024. The Final Prior Authorization Rule was intended to increase patient, provider, and payer access to information related to electronic prior authorization requests, streamline the electronic prior authorization process, and ensure that patients receive the care they need in a timely manner.
Five of the seven certification criteria enable the patient access API and provider access and bidirectional exchange. They adopt and reference the same required and recommended implementation specifications from the CMS requirements that include the use of the current version of USCDI, Multi-factor Authentication for individual access, FHIR API requirements, and the implementation specifications that were developed by the HL7® Da Vinci Project, which will also follow the Standards Version Advancement Process (SVAP). The remaining two APIs enable the bidirectional exchange and transfer of data between payer systems and provider systems that receive information from payer systems. These two certification criteria that only affect payer systems do not implement CMS requirements. Therefore, ASTP/ONC considers them as optional for certification purposes.
Public Health Data Exchange Certification Criteria
ASTP/ONC proposes to update existing certification criteria for reporting public health data to include new and updated standards. These include two new certification criteria related to data exchange with public health authorities regarding birth reports and prescription drug monitoring. ASTP/ONC also proposes a standardized HL7 FHIR-based API for public health data exchange that would extend the capabilities included in the standardized API for patient and population services in 45 C.F.R. § 170.315(g)(10). ASTP/ONC contends that the new certification criterion would support ongoing and future development of public health FHIR IGs leveraging a core set of existing, modular, and extensible capabilities and standards. Through these updates and future efforts, ASTP/ONC expects to enhance interoperability across the health care and public health ecosystem and provide a long-term mechanism for alignment as data exchange matures over time.
API Capabilities
ASTP/ONC proposes a set of certification criteria that align with CMS-established API requirements and would enable implementers to ensure that APIs developed to meet CMS regulations adhere to required and recommended interoperability standards and support other features important to effective information sharing. Specifically, ASTP/ONC proposes to adopt the following:
- “Patient access API” certification criterion to specify requirements for health IT that can be used by payers to enable patients to access health and administrative information using a health application of their choice, including payer drug formulary information, and patient clinical, coverage, and claims information;
- “Provider access API – client” and “Provider access API – server” certification criteria to specify requirements for provider and payer systems to support provider access to payer information. This information can include patient clinical, coverage, and claims information;
- “Payer-to-payer API” certification criterion to specify requirements for health IT that can be used by payers to support electronic exchange between payer systems. ASTP/ONC proposes to reference standards including CARIN Blue Button IG, Da Vinci PDex IG, and US Core IG; and
- “Provider directory API – health plan coverage” certification criterion, which specifies technical requirements for health IT that can be used by payers to publish information regarding the providers that participate in their networks. ONC proposes to reference standards including Da Vinci PDex Plan Net IG.
New Proposed Information Blocking Exceptions
In 2016, the 21st Century Cures Act made sharing electronic health information (“EHI”) the expected norm in health care and authorized the HHS Secretary to identify reasonable and necessary activities that do not constitute information blocking. These “reasonable and necessary” activities were established by ONC as information blocking exceptions. In the HTI-2 Proposed Rule, ASTP/ONC proposes adding two new exceptions:
- Protecting Care Access Exception: This proposed exception would, under specific conditions, cover actors’ limiting EHI sharing in order to reduce a risk of potentially exposing patients, providers, or persons who facilitate care to legal action based on the mere fact that they sought, obtained, provided, or facilitated lawful reproductive health care. The Protecting Care Access Exception would also apply where an actor limits sharing of a patient’s EHI potentially related to reproductive health care in order to protect that patient from potential exposure to legal action. This proposed exception seemingly aims to address circumstances in which—after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization—some states restricted or prohibited abortions and sought to investigate/prosecute both residents who seek reproductive health care in other states and out-of-state providers who furnish such care.
- Requestor Preferences Exception: This proposed new exception would provide actors a framework under which they can be confident they will not be committing information blocking if they agree to a requestor’s ask for restrictions on when, under what conditions, and how much EHI is made available to that requestor. ASTP/ONC proposed this exception in response to various stakeholders asking for clarity as to whether it would be permissible to honor such requests.
Additionally, ASTP/ONC proposes codifying certain acts and omissions that constitute interferences for purposes of the information blocking definition. The proposed codified practices are not an exhaustive list; other activities that are likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI may also be considered interference for information blocking purposes. The proposed codification of these specific practices is intended to provide actors, and those who seek to engage in EHI access, exchange, or use with actors, certainty that these specific practices constitute interference.
TEFCA Proposals
ASTP/ONC also proposes to add a new part 172 to title 45 of the Code of Federal Regulations to implement certain provisions related to the Trusted Exchange Framework and Common Agreement (“TEFCA”). These provisions would establish the qualifications necessary for an entity to receive and maintain designation as a Qualified Health Information Network (“QHIN”) capable of trusted exchange pursuant to TEFCA. The proposals also cover the procedures governing QHIN onboarding and designation, suspension, termination, and administrative appeals. ASTP/ONC states that these provisions were proposed to be codified in order to support the reliability, privacy, security, and trust within TEFCA.
Key Takeaways
Micky Tripathi, the Assistant Secretary for Technology Policy, National Coordinator for Health Information Technology, and Acting Chief Intelligence Officer at HHS, calls the HTI-2 Proposed Rule a “tour de force.” The HTI-2 Proposed Rule reflects ONC’s ongoing efforts to enhance interoperability, address stakeholder concerns, and adapt to evolving regulatory and legal changes impacting health information exchange. If finalized, these changes under the HTI-2 Proposed Rule could significantly impact health information exchange, interoperability, and the organizations that support these functions. Ultimately, however, it will be up to technology developers, healthcare providers, payers, and other interoperability stakeholders to determine whether the business and financial incentives will justify the investments necessary to comply with the rule’s requirements and bring the rule’s goals to fruition.
Epstein Becker Green Staff Attorney Ann W. Parks and Sara Devaraj, a Summer Associate in the Washington, DC, office (not admitted to practice) assisted with the preparation of this post.