The Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) has published its first final rule on Health Data, Technology and Interoperability. The rule, known as the HTI-1 rule, takes effect on February 8, and governs updates to the ONC’s Health IT Certification Program, as well as regulations on information blocking.

The program criteria that the rule addresses include those related to decision support, electronic case reporting and standards-based application programming interfaces (APIs). To address the question of information blocking, the rule provides refined definitions of statutory terms and identifies practices that cannot constitute information blocking as they are considered by ONC to be “reasonable and necessary.”

Changes to the Certification Criteria and Standards

The rule makes a number of changes to the Certification Program, including updating baseline data needs and changes to criteria. We will cover several of the largest changes below.

Decision Support Interventions and Predictive Algorithms

The rule updates and replaces the certification criteria related to clinical decision support technology (45 CFR 170.315(a)(9)) with a new standard related to decision support interventions (DSIs). These changes are provided largely to tackle the rise of predictive algorithms and artificial intelligence (AI) in Health IT modules.

The rule does not set a baseline for fair, appropriate, valid, effective, and safe use of predictive models, algorithms, or AI. Instead, the rule sets forth certain data requirements that any Health IT module must provide in an accessible manner to allow users to assess whether the predictive models are an appropriate use of the technology.

The rule also changed the “Base EHR” definition such that the new standard for DSIs will be required for EHRs starting on January 1, 2025. ONC will permit a Health IT module to meet either the revised DSI criterion or the existing CDS version of the criterion through December 31, 2024.

Patient Restrictions and API Access Requirements

The proposed rule included several proposals for patient-requested restrictions on the transmission of health data to a third party or through downloads. However, in the final rule, ONC decided only to implement a requirement that Health IT modules certified to the “view, download and transmit to a 3rd party” criterion must support an “internet-based method” for patients to request restrictions from such transmissions.

Additionally, the final rule adds requirements for the Standards-Based API for Patient and Population Services certification criterion, including requirements for issuing refresh tokens and revoking access privileges.

USCDI Baseline Change

One of the major changes to the standards comes from setting version 3 of the United States Core Data for Interoperability Standard (USCDI) as the baseline minimum data set for the purposes of certifying Health IT for interoperability, with related updates to minimum standards code sets for a variety of Health IT functions. According to ONC, this change will increase data available for exchange through Health IT modules by adding more data elements and classes. The current standard, USCDI version 1, will continue to be accepted for compliance until 2026, after which point a product must be compliant with version 3 in order to maintain certification.

Electronic Case Reporting

For Health IT modules that are certified for transmission of electronic case reports to public health officials, the rule is changing from the functional-based report process that currently exists to one that is governed by industry-wide adopted standards.

This change is also set to be fully implemented by January 1, 2026. Before that point, a module can be certified either through the new standards-based method or by the functional method.

Information Blocking Changes

The rule also makes changes to the information blocking regulations in order to clarify information blocking restrictions.

Definition of Offering Health IT

The rule created a new definition of what it means to “offer health IT” in order to clarify who is governed by the information blocking rules. Under this new definition, an individual is said to offer Health IT if they “hold out for sale, resale, license, or relicense; or to sell, resell, license, relicense, or otherwise provide or supply health information technology” with the exception of a number of different specified arrangements.

Those arrangements include:

  • Certain donation and subsidized supply arrangements provided such individual or entity offers and makes such subsidy without condition(s) limiting the interoperability or use of the technology to access, exchange or use electronic health information for any lawful purpose.
  • Implementation and use activities conducted to issue user accounts to employees or public health officials or login credentials for healthcare professionals who furnish services in the facility, or making available or operating production instances of online portals or APIs for health information that the entity has in its possession or control.
  • Certain legal and consulting arrangements

Of note, ONC observes that its definition of “offering health IT” does not affect other laws potentially implicated by the offering of IT, such as the federal Anti-Kickback Statute.

Exceptions to Information Blocking

The rule made changes to some of the exceptions to information blocking. Most importantly, it established a TEFCA Manner Exception and clarified the interplay between the Infeasibility Exception and the (recently) renamed Manner Exception.

The TEFCA Manner Exception will apply when both the actor and requestor are part of the Trusted Exchange Framework and Common Agreement (TEFCA). In that case, if they only transmit the information through TEFCA for certain requests it is not considered information blocking.

Additionally, the rule revised the conditions for the Infeasibility Exception. In particular the rule added two new conditions for that exception:

  1. A “third-party seeking modification use” condition in cases where the request is to enable use of the information in order to modify the information as long as the request is not from a health care provider requesting use from a business associate.
  2. A “manner exception exhausted” condition, that allows refusal if the actor and requestor cannot reach agreement on a manner to transmit the information and the actor has offered at least two other methods and does not offer the same information to similarly situated individuals.

The rule covers a lot more very technical ground and is worth a read at least in its executive summary for any Health IT users and providers. During a January 4, 2024 informational call on the provisions of the Final Rule, a member of the ONC staff noted that there are other aspects of the HTI rules coming soon so it is also worth watching what the agency plans to tackle next.

That information session was one of many from ONC delving into the specifics of the rule. On January 4, 2024 they hosted an overview of the rule. On January 18, 2024, they hosted a session focused on the DSI and predictive algorithms. Sessions on Information Blocking, an Overview Q&A and the Insights Conditions will be hosted on January 25, February 1 and February 8, respectively. Details on how to sign up for the information sessions and to hear recordings of past sessions are available from ONC.

Reed Smith will continue to follow developments from ONC related to interoperability, information blocking, and related certification requirements. For more information on the Final Rule and its impact on your business, please contact a member of the Reed Smith health care team.