On August 5, 2024, the Office of the National Coordinator for Health Information Technology— now known as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”)—issued a proposed rule titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), as part of its ongoing efforts to enhance health care interoperability and data sharing.

The HTI-2 Proposed Rule builds on the January 2024 “Health Data, Technology, and Interoperability” final rule (the “HTI-1 Final Rule”). Comments on the HTI-2 Proposed Rule are due October 4.

Through the proposed changes, ASTP/ONC would (1) make sweeping changes to its Health Information Technology Certification Program (“HIT Certification Program”); (2) make revisions to the information blocking regulation, including implementing two new information blocking exceptions; and (3) codify and implement the statutory provisions regarding the Trusted Exchange Framework and Common Agreement (“TEFCA”) requirements.

New and Revised HIT Certification Criteria

The proposed changes in the HTI-2 Proposed Rule would significantly expand the scope of the HIT Certification Program to introduce additional functionality and new technology for developers of HIT used by health care providers and HIT that is intended to be used by payers and for public health agencies. The certification criteria introduced in HTI-2 for payers is the first time that the health IT certification program is being extended beyond the certified electronic health record (EHR) technology developers. Some notable changes include the following:

Diagnostic Imaging Hyperlink

ASTP/ONC proposes to include certification requirements to support capturing and documenting hyperlinks to diagnostic imaging. It is not, however, proposing a specific standard associated with the support of this functionality, noting that this requirement can be met with a context-sensitive link to an external application that provides access to images and their associated narrative. Diagnostic images are often stored in systems external to the EHR, such as picture archiving and communication systems or vendor neutral archives. ASTP/ONC hopes that promoting access to images via EHR hyperlink functionality may encourage more widespread adoption and integration of these already existing pathways and reduce inefficiencies (e.g., CD-ROM–dependent exchanges).

USCDI Version 4

ASTP/ONC proposes adopting the United States Core Data for Interoperability (USCDI) v4, which updates the USCDI standard. The adoption of USCDI v4 would add 20 new data elements, some of which are specifically relevant to behavioral health and marginalized and underserved communities, including treatment intervention preference data elements and alcohol use, substance use, and physical activity data elements. ASTP/ONC believes that adopting USCDI v4 would support data users’ abilities to identify, assess, and analyze gaps in care, which in turn could be used to inform and address the quality of health care through interventions and strategies.

Updated Minimum Standards Code Sets

Code sets are an important component of interoperability that provide a standardized language that various health information technologies can understand. Code sets establish clinical concepts and ensure that data shared between systems retains its meaning. The HTI-2 Proposed Rule also proposes the adoption of frequently updated versions of “minimum standards” codes to improve interoperability and implementation. ONC hopes that a standardized code set can create efficient health-related data exchange, improve clinical-decision making, and increase a patient’s quality of care. The newer versions of the code sets can be utilized as the baseline for certification and the new versions can be used on a voluntary basis. ONC is proposing the adopting of new minimum code sets for these specific areas:

  • 45 C.F.R. § 170.207(a) – Problems
  • 45 C.F.R. § 170.207(c) – Laboratory Tests
  • 45 C.F.R. § 170.207(d) – Medications
  • 45 C.F.R. § 170.207(e) – Immunizations
  • 45 C.F.R. § 170.207(f) – Race and Ethnicity
  • 45 C.F.R. § 170.207(n) – Sex
  • 45 C.F.R. § 170.207(o) – Sexual Orientation and Gender Information
  • 45 C.F.R. § 170.207(p) – Social, Psychological, and Behavioral Data

Bulk Data Sets

The HTI-2 Proposed Rule seeks to adopt the Bulk Data Access v2.0.0: STU 2 implementation specification (“Bulk v2 IG”) and require server support for the group export operation and a query parameter for performance improvement. ASTP/ONC believes this will better support application developers interacting with ONC-certified Health IT Modules in exporting complete sets of EHI via Fast Healthcare Interoperability Resources (FHIR), as constrained by the US Core Interoperability Implementation Guides (IG) and USCDI, for pre-defined cohorts of patients. Currently, the Bulk v1 IG requirements for certification only includes support for the group export operation and not any of the optional query parameters in the Bulk v1 IG. ASTP/ONC believes that these new certification requirements will provide meaningful improvements in the performance of Bulk Application Programming Interfaces (APIs).

Electronic Prior Authorization

The HTI-2 Proposed Rule proposes new certification criteria that aim to complement the policies advanced by CMS in the Advancing Interoperability and Improving Prior Authorization Processes Final Rule (“Final Prior Authorization Rule”) that was published in the Federal Register on February 8, 2024. The Final Prior Authorization Rule was intended to increase patient, provider, and payer access to information related to electronic prior authorization requests, streamline the electronic prior authorization process, and ensure that patients receive the care they need in a timely manner.

Five of the seven certification criteria enable the patient access API and providers access and bidirectional exchange. They adopt and reference the same required and recommended implementation specifications from the CMS requirements that include the use of the current version of USCDI, Multi-factor Authentication for individual access, FHIR API requirements, and the implementation specifications that were developed by the HL7® Da Vinci Project, which will also follow the Standards Version Advancement Process (SVAP). The remaining two APIs enable the bi-directional exchange and transfer of data between payer systems and provider systems who receive information from payer systems. These two certification criteria that only affect payer systems do not implement CMS requirements. Therefore, ASTP/ONC considers them as optional for certification purposes.

Public Health Data Exchange Certification Criteria

ASTP/ONC proposes to update existing certification criteria for reporting public health data to include new and updated standards. These include two new certification criteria related to data exchange with public health authorities regarding birth reports and prescription drug monitoring. ASTP/ONC also proposes a standardized HL7 FHIR-based API for public health data exchange that would extend the capabilities included in the standardized API for patient and population services in 45 C.F.R. § 170.315(g)(10). ASTP/ONC contends that the new certification criterion would support ongoing and future development of public health FHIR IGs leveraging a core set of existing, modular, and extensible capabilities and standards. Through these updates and future efforts, ASTP/ONC expects to enhance interoperability across the health care and public health ecosystem and provide a long-term mechanism for alignment as data exchange matures over time.

API Capabilities

ASTP/ONC proposes a set of certification criteria that align with CMS-established API requirements and would enable implementers to ensure that APIs developed to meet CMS regulations adhere to required and recommended interoperability standards and support other features important to effective information sharing. Specifically, ASTP/ONC proposes to adopt the following:

  • “Patient access API” certification criterion to specify requirements for health IT that can be used by payers to enable patients to access health and administrative information using a health application of their choice, including payer drug formulary information, and patient clinical, coverage, and claims information;
  • “Provider access API – client” and “Provider access API – server” certification criteria to specify requirements for provider and payer systems to support provider access to payer information. This information can include patient clinical, coverage, and claims information;
  • “Payer-to-payer API” certification criterion to specify requirements for health IT that can be used by payers to support electronic exchange between payer systems. ASTP/ONC proposes to reference standards including CARIN Blue Button IG, Da Vinci PDex IG, and US Core IG; and
  • “Provider directory API – health plan coverage” certification criterion, which specifies technical requirements for health IT that can be used by payers to publish information regarding the providers that participate in their networks. ONC proposes to reference standards including Da Vinci PDex Plan Net IG.

New Proposed Information Blocking Exceptions

In 2016, the 21st Century Cures Act made sharing electronic health information (“EHI”) the expected norm in health care and authorized the HHS Secretary to identify reasonable and necessary activities that do not constitute information blocking. These “reasonable and necessary” activities were established by ONC as information blocking exceptions. In the HTI-2 Proposed Rule, ASTP/ONC proposes adding two new exceptions:

  1. Protecting Care Access Exception: This proposed exception would, under specific conditions, cover actors’ limiting EHI sharing in order to reduce a risk of potentially exposing patients, providers, or persons who facilitate care to legal action based on the mere fact that they sought, obtained, provided, or facilitated lawful reproductive health care. The Protecting Care Access Exception would also apply where an actor limits sharing of a patient’s EHI potentially related to reproductive health care in order to protect that patient from potential exposure to legal action. This proposed exception seemingly aims to address circumstances in which—after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization—some states restricted or prohibited abortions and sought to investigate/prosecute both residents who seek reproductive health care in other states and out-of-state providers who furnish such care.
  2. Requestor Preferences Exception: This proposed new exception would provide actors a framework under which they can be confident they will not be committing information blocking if they agree to a requestor’s ask for restrictions on when, under what conditions, and how much EHI is made available to that requestor. ASTP/ONC proposed this exception in response to various stakeholders asking for clarity as to whether it would be permissible to honor such requests.

Additionally, ASTP/ONC proposes codifying certain acts and omissions that constitute interferences for purposes of the information blocking definition. The proposed codified practices are not an exhaustive list; other activities that are likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI may also be considered interference for information blocking purposes. The proposed codification of these specific practices is intended to provide actors, and those who seek to engage in EHI access, exchange, or use with actors, certainty that these specific practices constitute interference.

TEFCA Proposals

ASTP/ONC also proposes to add a new part 172 to title 45 of the Code of Federal Regulations to implement certain provisions related to the Trusted Exchange Framework and Common Agreement (“TEFCA”). These provisions would establish the qualifications necessary for an entity to receive and maintain designation as a Qualified Health Information Network (“QHIN”) capable of trusted exchange pursuant to TEFCA. The proposals also cover the procedures governing QHIN onboarding and designation, suspension, termination, and administrative appeals. ASTP/ONC states that these provisions were proposed to be codified in order to support the reliability, privacy, security, and trust within TEFCA.

Key Takeaways

Micky Tripathi, the Assistant Secretary for Technology Policy, National Coordinator for Health Information Technology, and Acting Chief Intelligence officer at HHS, calls the HTI-2 Proposed Rule a “tour de force.”  The HTI-2 Proposed Rule reflects ONC’s ongoing efforts to enhance interoperability, address stakeholder concerns, and adapt to evolving regulatory and legal changes impacting health information exchange. If finalized, these changes under the HTI-2 Proposed Rule could significantly impact health information exchange, interoperability, and the organizations that support these functions.  Ultimately, however, it will be up to technology developers, healthcare providers, payers, and other interoperability stakeholders to determine whether the business and financial incentives will justify the investments necessary to comply with the rule’s requirements and bring the rule’s goals to fruition.

Epstein Becker Green Staff Attorney Ann W. Parks and Sara Devaraj, a Summer Associate in the Washington, DC, office (not admitted to practice) assisted with the preparation of this post.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.