ONC Releases Final Rule on Information Blocking and Health IT Certification Program Updates, Including Requirements Related to AI

On December 13, 2023, the U.S. Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology (ONC) released the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule. The effective date of the HTI-1 Final Rule is updated and is now March 11, 2024.

The HTI-1 Final Rule finalizes statutory requirements required by the 21^stCentury Cures Act (Cures Act) to issue policies on information blocking and the ONC Health IT Certification Program (Certification Program). In addition, the HTI-1 Final Rule’s predictive decision support interventions (DSI) provisions align with the President’s recent Executive Order (EO) to advance trustworthy artificial intelligence (AI).

ONC published a general overview and fact sheet on the HTI-1 Final Rule.

Summary of Proposals

The HTI-1 Final Rule finalizes information blocking and Certification Program changes, which were proposed in the April 2023 HTI-1 Proposed Rule. The HTI-1 Final Rule will impact health care providers, developers of certified health IT, health information networks (HINs) and health information exchanges (HIEs). We highlight major finalized updates and summarize significant changes between the HTI-1 Final Rule and the proposed version below.

I. Information Blocking Enhancements

ONC has modified the information blocking regulations, which were adopted in May 2020 (ONC Information Blocking Rule), by a) revising the definition of the term “offer health IT”; and b) modifying the information blocking exceptions.

a. Narrows Scope of Coverage by Narrowing the Meaning of “offer health IT”

The definition of “health IT developer of certified health IT” that is subject to the information blocking regulations, includes those who “offer health IT.” ONC revised the definition “offer health IT” to narrow the scope of entities that will be considered a health IT developer of certified health IT.  Specifically, ONC’s modified definition confirms that supplying any certified health IT to be deployed by others generally will be considered an offer of health IT, while explicitly excluding certain activities from what it means to “offer” health IT, specifically:

• Certain funding subsidy arrangements for obtaining, maintaining or upgrading certified health IT;
• Common activities associated with purchasing “certified health IT,” such as implementing application programming interfaces (APIs) or portals for clinician or patient access or issuing login credentials; and
• Consulting and legal services in a comprehensive (or “turn key”) package of services for administrative management of the clinician practice or other health care provider.

b. Modifies Information Blocking Exceptions

The information blocking prohibition in the ONC Information Blocking Rule, which generally prohibits certain actors from interfering with access, exchange, or use of electronic health information (EHI), contains a number of exceptions for practices that do not implicate information blocking. ONC finalized the following changes to these exceptions:

• Infeasibility Exception – Uncontrollable Events Condition: The ONC Information Blocking Rule, includes an exception when complying with a request for access, exchange, or use of EHI would be considered infeasible due to unforeseeable or unavoidable circumstances outside the actor’s control (i.e., public health emergency, war, natural disaster, etc.). In the HTI-1 Final Rule, ONC finalized the revision of the “uncontrollable events” condition to clarify that the uncontrollable event must be directly causally related to the actor’s inability to fulfill the request.
• Infeasibility Exception – Third Party Seeking Modification:  This exception will apply in certain situations where the actor is asked to provide the ability for a third party (or its technology, such as an application) to modify EHI that is maintained by or for an entity that has deployed health information technology and maintains within or through use of that technology any instance(s) of any EHI. ONC explained that this exception permits actors to deny requests to modify EHI provided the request is not from a health provider for which the actor is the business associate.
• Manner Exception Renamed and New Manner Exhausted Condition to the Infeasibility Exception: ONC renamed the “Content and Manner Exception” as the “Manner Exception,” and finalized a new Manner Exhausted Condition to the Infeasibility Exception for when an actor has exhausted the Manner Exception, including that an actor must offer at least two alternative manners under the Manner Exception.
• Trusted Exchange Framework and Common Agreement (TEFCA) Manner Exception: ONC finalized a new TEFCA Manner Exception, which provides that an actor’s practice of limiting the manner in which it fulfills a request for access, exchange, or use EHI to providing such access, exchange or use only via TEFCA will not be considered information blocking when the practice follows these conditions:

1. 1. The actor and requestor are both part of TEFCA (this means that this exception would not apply to when the requestor is an individual);
   2. The requestor is capable of such access, exchange, or use of the requested EHI from the actor via TEFCA;
   3. The request for access, exchange, or use of EHI is not via an API, essentially Fast Healthcare Interoperability Resources (FHIR)-based standards; and
   4. Any fees charged by the actor and the terms for any license of interoperability elements granted by the actor in relation to fulfilling the request are required to satisfy, respectively, the Fees Exception (§ 171.302) and the Licensing Exception (§ 171.303).

In the HTI-1 Final Rule, ONC created a separate TEFCA exception, clarifying that it is available only to TEFCA participants. ONC also stated that, in creating this new subpart, it left room for identifying other reasonable and necessary activities related to TEFCA that do not constitute information blocking, that may be proposed in future rulemakings.

c. Information Blocking and Privacy Protections

ONC advised that where certain practices are “covered in part, but not fully covered” by particular exceptions, such as the Privacy Exception (45 CFR 171.202), the actor may consider satisfying a combination of multiple exceptions applicable to the specific practice in which the actor engages. ONC referred to this as “stacking” of multiple exceptions. For example, ONC explained that under the Privacy Exception, actors may agree to an individual’s request for restrictions on sharing of the individual’s EHI beyond the restrictions imposed by applicable laws. Further, to the extent that actors agree to the restriction, the segmentation condition of the Infeasibility Exception (§ 171.204(a)(2)), may be applicable when the actor cannot unambiguously segment the requested EHI from EHI that an individual has requested not to be shared with a specific person, for a specific purpose, or both.

II. ONC Health IT Certification Program Updates

ONC finalized policies updating the Certification Program by: a) changing its approach to naming new editions; b) modifying standards and certification criteria; and c) modifying conditions of certification and other aspects of the Certification Program.

a. Definition of Revised Certification Criterion, and Related Program Oversight

ONC finalized its proposal to change the “edition” naming approach to a single set of certification criteria by discontinuing the use of year-themed editions for ONC Certification Criteria for Health IT and adopting the name “ONC Certification Criteria for Health IT.” ONC explained that this would be updated in an incremental fashion to closer align with standards development cycles and regular health IT development timelines.

b. New and Revised Standards and Certification Criteria

ONC finalized a number of proposed changes to the standards and certification criteria, including the core data set, criteria related to public health reporting, and criteria related to AI-enabled predictive DSI.

• The United States Core Data for Interoperability Version 3 (USCDI v3): ONC established the USCDI v3 as the new baseline standard of data classes and constituent data elements for certified health IT, effective January 1, 2026. USCDI v3 includes Sexual Orientation, Gender Identity, Functional Status, Disability Status, Mental/Cognitive Status, and Social Determinants of Health (SDOH) data elements.
• Electronic Case Reporting (eCR): ONC explained that case reporting serves as early notification to Public Health Agencies (PHAs) for potential disease outbreaks and includes information that enables PHAs to start contact tracing and other prevention measures. ONC finalized adopting standards for eCR that would create a case report for electronic transmission; consume and process a case report response; and consume and process electronic case reporting trigger codes and parameters. The eCR implementation deadline is December 31, 2025.
• Decision Support Intervention and Predictive Models: ONC explained that predictive models, which are powered by AI and machine learning, are increasingly being used to aid decision-making through clinical decision support (CDS) and notes that developers of certified health IT also create and deploy predictive algorithms or models for use in production environments through their Health IT Modules.

In the HTI-1 Final Rule, ONC finalized most of its proposals with modifications intended to align and simplify technical requirements. ONC clarified that it has narrowed the overall scope of this certification criterion from the HTI-1 Proposed Rule, in which it required the health IT developer to be accountable for Predictive DSIs of third parties with which their Health IT Modules interfaced or enabled (i.e., linked referential DSIs). Starting January 1, 2025, ONC requires predictive DSI-related source attributes and Intervention Risk Management (IRM) practices to apply only to predictive DSIs supplied by the health IT developer as part of its Health IT Module. Specifically, ONC finalized the following Predictive DSI provisions:

• • Definition of Predictive DSI: ONC finalized the following definition: “Predictive DSI means technology that supports decision-making based on algorithms or models that derive relationships from training data and then produce an output that results in prediction, classification, recommendation, evaluation, or analysis.”
  • IRM Practices: ONC finalized requiring IRM practices to be applied for each Predictive DSI supplied by the health IT developer as part of its Health IT Module. The finalized certification criterion requires that IRM practices must be applied for each Predictive DSI supplied by the health IT developer as part of its Health IT Module, including risk analysis, risk mitigation, and governance.
  • Assurances Maintenance of Certification requirement: ONC finalized requiring health IT developers with Health IT Modules to review and update as necessary, source attribute information, risk management practices, and summary information.
• Standardized API for Patient and Population Services: As proposed, ONC finalized a number of updates to the standardized API for patient and population services certification criterion, including the following:
  • Native Applications and Refresh Tokens: ONC finalized requiring a certified Health IT Module's authorization server to issue a refresh token that should be valid for a period of no less than three months and will apply to all applications using the “confidential app” profile for both first time and subsequent connections.
  • Access Token Revocation: ONC finalized a requirement specifying that Health IT Modules allow short-lived access tokens to expire, in lieu of immediate access token revocation, must have such access tokens expire within one hour of the request.
  • SMART App Launch 2.0: ONC finalized adopting the Substitutable Medical Applications, Reusable Technologies (SMART) Application Launch Framework Implementation Guide Release 2.0.0 (SMART v2 Guide), which would replace SMART v1 Guide as the standard.

• Patient requested restrictions criteria: In the HTI-1 Proposed Rule, ONC proposed enabling a certified health IT user to implement a process to restrict data from use or disclosure in response to a patient request, supporting the HIPAA Privacy Rule’s “right to request a restriction” on uses and disclosures. In the HTI-1 Final Rule, ONC concluded that it should not finalize these proposals due to comments expressing concern with successfully implementing the proposal. ONC stated that it will continue to engage with industry and standards development community efforts to advance standards supporting privacy workflows and to monitor the continued evolution of standards to consider new criteria in future rulemaking.

c. Other Certification Program Changes

• Real World Testing – Inherited Certified Status: Since many health IT developers update their Health IT Modules on a regular basis, leveraging the flexibility provided through ONC’s Inherited Certified Status (ICS), this creates an anomaly that could result in existing certified Health IT Modules being inadvertently excluded from the real-world testing reporting requirements. As proposed in the HTI-1 Proposed Rule, ONC finalized requiring health IT developers to include in their real-world testing results report the most recent version of those Health IT Modules that are updated using ICS after August 31 of the year in which the plan is submitted.
• Insights Condition and Maintenance of Certification: ONC finalized creating the Insights Condition and Maintenance of Certification (Insights Condition) within the Certification Program to provide transparent reporting on certified health IT. The Insights Condition’s reporting will: 1) address information gaps in the health IT marketplace; 2) provide insights on the use of specific certified health IT functionalities; and 3) provide information about use of certified functionalities by end users.

Key Takeaways

The HTI-1 Final Rule made significant changes to the Certification Program and information blocking regulations to facilitate interoperability and improve access, exchange, and use of EHI. ONC appears to be keenly aware of the challenges for actors to share EHI but also to protect patient privacy, especially with respect to sensitive health information such as related to reproductive care and vulnerable populations. These updates will also have an impact on any entity that creates, accesses, or exchanges EHI, as the information blocking provisions may require updates to existing contracts and agreements that these actors have with other health care stakeholders.

The HTI-1 Final Rule will be effective within 30 days of being published in the Federal Register. Key implementation dates for the HTI-1 Final Rule are available here. ONC plans to hold in the coming months information sessions on the various provisions included in the HTI-1 Final Rule (register here). ONC also plans to issue in 2024 another proposed rule, Patient Engagement, Information Sharing, and Public Health Interoperability, which would build on the policies finalized in the HTI-1 Final Rule.

For additional information on the specific provisions in the HTI-1 Final Rule and how your organization can prepare for compliance, Crowell’s team is here to help your organization understand this final rule and other interoperability regulations.