ONC Releases Proposed Rule on Information Blocking Proposals and ONC Health IT Certification Program Updates

On April 11, 2023, the U.S. Department of Health and Human Services' (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) released the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing Proposed Rule (“HTI-1 Proposed Rule”) to implement key provisions in the 21st Century Cures Act (“Cures Act”) governing health information technology (“health IT”) certification and information blocking, and other issues, as set forth further below.

In the latest information session on the HTI-1 Proposed Rule, Micky Tripathi, the National Coordinator for Health IT at ONC, outlined that the proposed policies in the HTI-1 Proposed Rule aim to (i) leverage existing health IT and keep building the digital foundations, including addressing tools that encompass artificial intelligence and machine learning (“AI/ML”), (ii) make interoperability easier by furthering the HL7® Fast Healthcare Interoperability Resources (“FHIR”) framework, authentication, validation, standardization of endpoints and leveraging Trusted Exchange Framework and Common Agreement (“TEFCA”); and (iii) encourage appropriate sharing and use of electronic health information (“EHI”) by refining information blocking rule requirements and addressing mounting and heightened concerns about privacy.

Background

The HTI-1 Proposed Rule builds on previous regulations issued by the agency in May 2020 (the “ONC Cures Act Final Rule”), implements certain provisions in Title IV of the Cures Act and the HITECH Act to establish policies on information blocking and the ONC Health IT Certification Program, and aligns with two executive orders (“E.O.s”) focused on health equity.

Summary of Proposals

The HTI-1 Proposed Rule focuses on both information blocking enhancements and ONC certification program criteria update proposals.  There are a number of significant and meaningful proposed changes.

Information Blocking Enhancements

This is the first time ONC is proposing to modify the information blocking rules since adoption in May 2020.  Specifically, ONC proposes to: a) define “offer health IT”; b) modifies information blocking exceptions; and c) makes requests for information (“RFIs”) on a number of issues.

Narrows Scope of Coverage by Narrowing the Meaning of “offer health IT”

The definition of “health IT developer of certified health IT,” one of the actors subject to the information blocking rules, include those who offer health IT. ONC proposes to define the term “offer health IT” to narrow the scope of coverage.  Specifically, “offer health IT” would mean “providing, supplying, or otherwise making available certified health IT under any arrangement or terms,” but explicitly excludes certain activities:

• • Certain funding subsidy arrangements: The provision of funding for obtaining, maintaining or upgrading certified health IT.
  • Common activities associated with purchasing “certified health IT”: Common activities include implementing application programming interfaces (“APIs”) or portals for clinician or patient access in addition to issuing login credentials.
  • Consulting and legal services: Offering health IT in a package of items, supplies, facilities, and services that a management consultant handles for clinicians in a comprehensive (“turn key”) package of services for administrative or operational management of the clinician practice or other health care provider.

Modifies Information Blocking Exceptions

The information blocking prohibition in the ONC Cures Act Final Rule contains a number of exceptions whereby practices that meet the exception are permitted. The HTI-1 Proposed Rule would modify the information blocking exceptions by: 1) proposing to revise the uncontrollable events condition under the infeasibility exception; 2) proposing a “manner exception exhausted condition”; and 3) proposing manner exception for exchange via the TEFCA.

• • Infeasibility Exception – Uncontrollable Events Condition: The ONC Cures Act Final Rule, specified that there may be situations when complying with a request for access, exchange, or use of EHI would be considered infeasible because an actor is unable to provide such access, exchange, or use due to unforeseeable or unavoidable circumstances outside the actor’s control (i.e., public health emergency, war, natural disaster, etc.). In the HTI-1 Proposed Rule, ONC proposes to revise the “uncontrollable events” condition to clarify that the uncontrollable event must be directly causally related to the actor’s inability to fulfill the request. ONC explains that the uncontrollable event need not be the only cause of a particular incapacity but that the actor needs to demonstrate the event negatively impact the feasibility of that actor fulfilling access, exchange, or use in the specific circumstances where the actor is claiming infeasibility.
  • Manner Exception – Renamed and Manner Exhausted Condition: The HTI-1 Proposed Rule would modify the “Content and Manner Exception,” and rename it as the “Manner Exception.” ONC proposes to create a “manner exception exhausted condition,” which would apply where an actor is unable to fulfill a request for access, exchange, or use of EHI after having exhausted the Manner Exception, such as where the requestor refuses to accept the access, exchange, or use alternatives, and fulfilling the request would require significant technical or financial resources. To satisfy manner exception exhausted, an actor would be considered “unable” to fulfill a request for access, exchange, or use of EHI when three factors are true:
    1. 1. 1. The actor could not reach agreement with a requestor in accordance with the manner requested condition or was technically unable to fulfill a request for EHI in the manner requested;
          2. The actor offered all alternative manners in accordance with the rule but could not reach agreement with the requestor; and
          3. The actor does not provide the same access, exchange, or use of the requested EHI to a substantial number of individuals or entities that are similarly situated to the requester.
  • Manner Exception - TEFCA Condition: ONC proposes to add a TEFCA condition to the proposed revised and renamed Manner Exception. If an actor who is a Qualified Health Information Network (“QHIN”), participant, or subparticipant under TEFCA offers to fulfill a request for EHI access, exchange, or use for any permitted purpose under the Common Agreement and Framework Agreement, then:
    1. 1. 1. The actor is not required to offer the EHI in any alternative matter;
          2. Any fees charged by the actor in relation to fulfilling the request are not required to satisfy the fees exception in § 171.302; and
          3. Any license of interoperability elements granted by the actor in relation to fulfilling the request is not required to satisfy the exception licensing exception in § 171.303.

Under the Manner Exception, an actor’s practice of prioritizing TEFCA exchange would be considered reasonable and necessary, including for EHI for which access, exchange, or use can be supported by TEFCA exchange for both the actor and requestor; so long as the requestor is a QHIN, Participant, or Subparticipant and the purpose is permitted under TEFCA; regardless of whether the request is initially made through TEFCA means; and regardless of whether all data classes or exchange purposes are required by TEFCA to be returned in response to a TEFCA request.

Information Blocking RFIs

ONC particularly called out a number of requests for information related to information blocking as follows:

• • Additional Exclusions for Offer Health IT: ONC seeks public comment on whether to propose additional exclusions from the “offer health IT” definition, particularly regarding activities or arrangements that may occur less often due to potential information blocking liability. ONC seeks input on steps to encourage lawful donation or subsidized provision of certified health IT to healthcare providers who may struggle to afford it, without reducing the benefits provided by ONC's information blocking and Health IT Certification Program regulations.
  • Possible Additional TEFCA “Reasonable and Necessary” Activities: ONC seeks public comment on whether any practices required of QHINs, Participants, or Subparticipants pursuant to the Common Agreement pose a substantial concern or uncertainty regarding potential information blocking, despite not being required by law. ONC requests input on specific practices and their source of requirement, as well as whether any should be considered “reasonable and necessary” activities that do not constitute information blocking. Additionally, ONC seeks feedback on potential unintended consequences for EHI access, exchange, or use by individuals or entities who are not QHINs, Participants, or Subparticipants.
  • Health IT Capabilities for Data Segmentation and User/Patient Access: ONC seeks comment to inform steps it might consider taking to improve the availability and accessibility of solutions supporting health care providers’ and other information blocking actors’ efforts to honor patients’ expressed preferences regarding their EHI. ONC requests comments related to the ability of health IT products to segment data and support sharing of information consistent with patient preferences and applicable laws. ONC also seeks feedback on the availability and utility of certified health IT products' capabilities to segment data in various use cases, as well as barriers to technical feasibility presented by regulations, and how the ONC Health IT Certification Program could better support these use cases through certification requirement.

ONC Health IT Certification Program Updates

ONC proposes to update the certification program to 1) change its approach to naming new editions; 2) modify standards and certification criteria; 3) modify conditions of certification and other aspects of the certification program; and 4) makes RFIs on a number of issues.

Approach to Naming New Editions

ONC proposed to change the “edition” naming approach to sets of health IT certification criteria to a single set of certification criteria, which would be updated in an incremental fashion to closer align with standards development cycles and regular health IT development timelines. ONC proposed applicability or implementation timelines for both certification criteria and the standards adopted in 45 CFR part 170 by establishing the dates by which an existing version of a criterion is no longer applicable and by establishing a date by when a new or revised certification criterion or standard version is adopted. Since the ONC proposes to switch to the single set of "ONC Certification Criteria for Health IT", they subsequently proposed to change to the 'life of the edition,’ which would be the period of three years beginning on the effective date of the final rule that removes the applicable ONC certification criterion or criteria for health IT from regulatory text. 

Modified Standards and Certification Criteria

There are a number of significant proposed changes to the standards and certification criteria including the core data set, criteria related to public health reporting, criteria related to AI enabled decision support technology, and criteria to support patient preferences, which are outlined below:

• • • USCDI v3: The proposed rule would establish a new baseline version of the United States Core Data for Interoperability (“USCDI”) by proposing to add the newly released UCSDI v3 and by establishing a January 1, 2025 expiration date for UCSDI v1. ONC also states that any Health IT Modules seeking certification for criteria would need to be capable of exchanging the data classes and elements that comprise USCDI v3 (as of January 1, 2025). ONC clarifies that under this proposal USCDI v1 would remain applicable as the minimum version of the USCDI required for certification criteria until December 31, 2024. USCDI v3 includes Sexual Orientation, Gender Identity, Functional Status, Disability Status, Mental/Cognitive Status, and Social Determinants of Health (“SDOH”) data elements.
    • Electronic Case Reporting: Electronic case reporting is the automated, real-time, bidirectional exchange of case report information between Electronic Health Records (“EHRs”) and public health agencies that uses standard codes to trigger the transfer of relevant clinical data to such agencies for case investigation and follow-up, including data on demographics, comorbidities, immunizations, medications, occupation, and other treatments. In the ONC Cures Act Final Rule, electronic case reporting was included as part of the Real-World Testing Condition and Maintenance of Certification requirements.  ONC proposes to adopt standards specific to electronic case reporting that aim to support the following: (i) create a case report for electronic transmission; (ii) consume and process a case report response; and (iii) consume and process electronic case reporting trigger codes and parameters. ONC states that the proposed standards would supplement the functional, descriptive requirements under current regulations until December 31, 2024. Beginning January 1, 2025, only the proposed revision criterion would be used for certification.
    • Decision Support Intervention (“DSI”) and Predictive Models: ONC recognizes that clinicians, payers, researchers, and individuals are increasingly using and relying upon AI and predictive models to support decision-making in health care. ONC proposes to revise the existing clinical decision support (“CDS”) certification criterion by proposing a DSIs certification criterion. ONC proposes to define predictive DSI as “technology intended to support decision-making based on algorithms or models that derive relationships from training or example data and then are used to produce an output or outputs related to prediction, classification, recommendation, evaluation, or analysis.” ONC also proposes a range of new requirements for developers of certified health IT with Health IT Modules to provide transparency of predictive DSIs, in addition to establishing decision support configuration requirements and intervention risk management practices. Developers of certified health IT would need to comply with these new requirements on and after January 1, 2025.
    • Standardized API for Patient and Population Services: ONC proposes to revise the “standardized API for patient and population services” certification criterion in several ways:

- Native Applications and Refresh Tokens: ONC proposes to require a certified Health IT Module's authorization server to issue a refresh token that should be valid for a period of no less than three months and will apply to all applications using the “confidential app” profile for both first time and subsequent connections.

- FHIR United States Core Implementation Guide (“IG”) Version 5.0.1: ONC proposes to adopt the FHIR US Core IG STU version 5.0.1. ONC believes that US Core IG v6.0.0 will be published before it finalizes this rule and intends to consider adopting the updated US Core IG v6.0.0 that supports the data elements and data classes in USCDI v3.

- FHIR Endpoint for Service Base URLs: ONC proposes to amend the API Condition and Maintenance of Certification requirements by adding the requirement that Certified API Developers with patient-facing apps must publish their service base URLs for all customers, regardless of whether the certified Health IT Modules are centrally managed by the Certified API Developer or locally deployed by an API Information Source.

- Access Token Revocation: ONC proposes to revise the requirement to specify that Health IT Modules presented for certification that allow short-lived access tokens to expire, in lieu of immediate access token revocation, must have such access tokens expire within one hour of the request. This revised requirement would align with industry standard practice for short-lived access tokens, would provide clarity and consistent expectations that developers revoke access or expire access privileges within one hour of a request, and would offer patients an assurance that an application’s access to their data would be revoked or expired within one hour of a request.

- SMART App Launch 2.0: ONC proposes to adopt the Substitutable Medical Applications, Reusable Technologies (“SMART”) Application Launch Framework Implementation Guide Release 2.0.0 (“SMART v2 Guide”), which would replace SMART v1 Guide as the standard. The SMART v2 Guide iterates on the features of the SMART v1 Guide by including new features and technical revisions based on industry consensus, including features that reflect security best practices. ONC proposes that the availability of the SMART v1 Guide to be adopted as a standard in the Program would expire on January 1, 2025. After this time, the SMART v2 Guide would be the only version of the IG available for use in the ONC Health IT Certification Program.

• • • Patient requested restrictions criteria: ONC proposes to enable a certified health IT user to implement a process to restrict data from use or disclosure in response to a patient request, supporting the HIPAA Privacy Rule’s “right to request a restriction” on uses and disclosures:

- Flag restricted data and prevent use: ONC proposes that for any data expressed in the USCDI standard, a health IT developer would have to enable a user to flag whether such data needs to be restricted from being subsequently used or disclosed and would have to prevent any data flagged from being included in a use or disclosure.

- Add a new “patient requested restriction” criterion: ONC proposes to modify the Privacy and Security Framework in §170.550(h) to add the proposed new “patient requested restriction” criterion and to require it by January 1, 2026.

- Modify Privacy and Security Framework: ONC also proposes to modify the Privacy and Security Framework §170.550(e)(1) to add a paragraph (iii) stating patients (and their authorized representatives) must be able to use an internet-based method to request a restriction to be applied for any data expressed in USCDI.

Other Certification Program Changes

• • • Real World Testing – Inherited Certified Status: Since many health IT developers update their Health IT Modules on a regular basis, leveraging the flexibility provided through ONC’s Inherited Certified Status (“ICS”), this creates an anomaly that could result in existing certified Health IT Modules being inadvertently excluded from the real-world testing reporting requirements. In the HTI-1 Proposed Rule, ONC proposes to eliminate this anomaly by requiring health IT developers to include in their real-world testing results report the most recent version of those Health IT Modules that are updated using ICS after August 31 of the year in which the plan is submitted.
    • Insights Condition and Maintenance of Certification: The Cures Act specified requirements in section 4002(c) to establish an EHR Reporting Program to provide transparent reporting on certified health IT in the categories of interoperability, usability and user-centered design, security, conformance to certification testing, and other categories, as appropriate to measure the performance of EHR technology. In the HTI-1 Proposed Rule, ONC proposes to implement the EHR Program Condition and Maintenance of Certification requirements as the Insights Condition and Maintenance of Certification (“Insights Condition”) requirements. ONC proposes to adopt nine reporting measures for developers of certified health IT that focus initially on the interoperability category, emphasizing four areas of interoperability: individuals' access to EHI, public health information exchange, clinical care information exchange, and standards adoption and conformance.

ONC Health IT Certification Program RFIs

ONC particularly called out a number of requests for information related to the ONC Health IT Certification Program as follows:

• • • • Laboratory Data Interoperability: ONC seeks public feedback that may be used to inform a study and report regarding the adoption of standards and certification criteria to advance laboratory data interoperability and exchange. ONC also seeks comment on whether it should adopt additional standards and laboratory-related certification criteria as part of the ONC Health IT Certification Program.
      • Pharmacy Interoperability Functionality within the ONC Health IT Certification Program including Real-Time Prescription Benefit Capabilities: The Consolidated Appropriations Act of 2021, requires PDP sponsors of prescription drug plans to implement one or more real-time benefit tools (“RTBTs”) after the HHS Secretary has adopted a standard for RTBTs and at a time determined appropriate by the HHS Secretary. ONC states that it intends to propose in future rulemaking the establishment of a real-time prescription benefit health IT certification criterion within the ONC Health IT Certification Program, to enable a provider to view within the electronic prescribing workflow at the point of care patient-specific benefit, estimated cost information, and viable alternatives, and to consider a proposal to adopt and reference the National Council for Prescription Drug Programs (“NCPDP”) Real-Time Prescription Benefit (“RTPB”) standard version 12 as part of the potential certification criterion. ONC requests comment from the public about specific issues related to establishing a certification criterion using NCPDP RTPB standard version 12 and other potential actions that could support complementary and interoperable workflows.
      • FHIR Standard: FHIR Subscriptions are enabled by the following resources: Subscription, Subscription Topic, and Subscription Status. ONC seeks public feedback on the maturity of these resources in the FHIR Release 4 standard. Additionally, ONC seeks comment on whether the FHIR Subscriptions capability aligns with the adoption of the FHIR Release 5 standard, and whether alignment with FHIR Release 5 would avoid any costly refactoring of the resources and give more time for industry to test the various features and capabilities under development. Furthermore, ONC requests comment on whether there is a need to define a minimum set of Subscription Topics that can be consistently implemented by all health IT developers of certified health IT to provide a base level expectation for clients using the services.

More to Come

ONC has stated that it is developing two other proposed rules, which are listed in the Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions and the Regulatory Plan:

• Establishment of Disincentives for Health Care Providers Who Have Committed Information Blocking
• Patient Engagement, Information Sharing, and Public Health Interoperability

We are also awaiting the final HHS Office of Inspector General enforcement rule on information blocking.

Key Takeaways

The HTI-1 Proposed Rule will impact health care providers, developers of Certified Health IT, health information networks (“HINs”) and health information exchanges (“HIEs”). It will also have an impact on any entity that creates, accesses, or exchanges EHI, as the information blocking provisions may require updates to existing contracts and agreements that these actors have with other health care stakeholders. The proposed certification program changes also may have impacts on providers and patients in that it may impact their health data practices, including the ability to limit data sharing to reflect a patient’s preferences and by requiring more transparency related to AI-enabled decision support tools. 

The public comment period on the Proposed Rule will remain open through June 20, 2023. ONC has started to host a series of information sessions on the Proposed Rule, with next sessions planned for May 4 (DSI and Algorithmic Transparency Proposals), May 11 (Insights Condition Proposals), and May 18 (Information Blocking Proposals) (register here).

For further guidance on the specifics related to the proposals in HTI-1 Proposed Rule and how your organization can prepare for compliance, the Crowell & Moring’s team is here to help your organization understand and respond to the Proposed Rule and existing interoperability regulations.