ONC Proposes "Tour De Force" Interoperability And Information Sharing Updates

Ropes & Gray LLP

Contributor

Ropes & Gray is a preeminent global law firm with approximately 1,400 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Washington, D.C., Boston, Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul.

On July 10, 2024, the Office of the National Coordinator for Health Information Technology ("ONC") within the U.S. Department of Health and Human Services ("HHS") issued a proposed rule titled "Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability" (the "HTI-2 Proposed Rule") as part of its continued focus on expanding interoperability and improving information sharing among all health care stakeholders.1 The HTI-2 Proposed Rule builds on ONC's January 2024 Health Data, Technology, and Interoperability final rule (the "HTI-1 Final Rule").2 According to National Coordinator Micky Tripathi, Ph.D., the HTI-2 Proposed Rule is a "tour de force" designed to "advance HHS-wide interoperability priorities."3

If finalized, the proposed changes would (1) significantly expand the scope of the ONC Health Information Technology Certification Program ("HIT Certification Program"), (2) introduce impactful changes to federal information blocking regulations codified at 45 C.F.R. Part 171 (the "Information Blocking Rule"), and (3) provide greater transparency to Trusted Exchange Framework and Common Agreement ("TEFCA") requirements. We provide below additional information regarding key proposals in these areas.

I. Proposed Changes to the HIT Certification Program

The HTI-2 Proposed Rule proposes several significant changes to the HIT Certification Program, including new certification criteria related to public health, payers, and modular application programming interface ("API") capabilities, some of which are designed to facilitate exchange of electronic prior authorization and other information among payers, providers, and patients in accordance with recent Centers for Medicare and Medicaid Services ("CMS") rulemaking.4 Notable proposed changes include the following:

  1. New and Updated Certification Criteria Related to Public Health: Pursuant to recommendations of advisory committees convened by ONC and the Centers for Disease Control and Prevention during and after the COVID-19 pandemic, ONC proposes to adopt new certification criteria related to public health to improve the exchange of data between providers, laboratories, and public health authorities for contact tracing, patient outreach, direct care, and other public health activities. These include two proposed certification criteria related to data exchange with public health authorities regarding (1) birth reports and (2) prescription drug monitoring. Several other new proposed certification criteria would adopt a standardized Fast Healthcare Interoperability Resources-based API for public health data exchange and establish minimum public health information technology capabilities and exchange standards. These capabilities and standards would support the exchange of many types of data, such as immunization information, electronic lab reporting, cancer pathology reporting, and electronic case reporting. In addition, ONC proposes revisions to several existing certification criteria related to public health by adding new functional requirements and adopting new implementation standards.
  2. New Certification Criteria for Patient, Provider, and Payer APIs: In alignment with recent CMS rulemaking, the HTI-2 Proposed Rule includes a new proposed set of certification criteria that is focused on facilitating the exchange of clinical and coverage information, drug formulary information, and prior authorization information among patients, providers, and payers. These criteria outline API implementation specifications and other certification requirements for health IT that supports such exchanges. Health IT certified to these criteria would support payers and providers in complying with CMS interoperability, patient access, and prior authorization requirements, including implementation of Patient Access APIs, Provider Access APIs, and Payer-to-Payer APIs.5
  3. New Certification Criteria for Modular API Capabilities: ONC proposes to adopt 14 new certification criteria for "modular API capabilities" to allow developers to seek certification tailored to specific clinical, public health, and administrative use cases. As proposed, each certification criterion would entail different combinations of applicable, standards-based API capabilities depending on the intended use case. This approach would provide greater flexibility for health IT developers to seek certification for health IT that serves discrete functions of limited scope.
  4. USCDI Version 4 and Updated Minimum Standards Code Sets: The HTI-1 Final Rule set United States Core Data for Interoperability ("USCDI") version 3 as the required standard of data classes and constituent data elements for certified health IT effective January 1, 2026.6 The HTI-2 Proposed Rule proposes to advance the standard to USCDI version 4 effective January 1, 2028 to better support nationwide interoperability, with a particular focus on data elements that serve public health data exchange and promote health equity. In addition, ONC has proposed to update the minimum standard code sets that would serve as the new baseline for certification for problems; laboratory tests; medications; immunizations; race and ethnicity; numerical references; sex; sexual orientation and gender information; social, psychological and behavioral data; provider type; and patient insurance.
  5. New Imaging Requirements for Health IT Modules: Diagnostic images, such as X-rays and computed tomography scans, are often stored in imaging platforms external to electronic health record ("EHR") systems. This has made the electronic exchange of diagnostic imaging more difficult in many cases, with patients often receiving diagnostic imaging via physical media such as printed copies, flash drives, or CDs. To improve the interoperability of diagnostic imaging shared across health care settings, ONC proposes to revise three existing certification criteria by adding a requirement for the health IT module to support a link to view and retrieve diagnostic imaging.
  6. Changes to the Insights Condition and Maintenance of Certification Requirements (the "Insights Condition"): The Insights Condition was implemented as part of the HTI-1 Final Rule to establish an EHR Reporting Program, as required by the 21st Century Cures Act. The first iteration of this program includes seven reporting measures focused on interoperability that developers must begin monitoring for calendar year 2026, with the first reporting submission due in July 2027. In terms of the process for reporting, ONC proposes to require that all developers submit data in compliance with the Insights Condition regardless of how long the developer has had an active certification under the HIT Certification Program. Furthermore, ONC seeks to expand the "individuals' access to electronic health information ("EHI") through certified health IT" measure by requiring that developers submit metrics for not only individuals' access to their EHI, but also for individuals' authorized representatives accessing their EHI. This proposed change would serve to align the Insights Condition measure with the Medicare Promoting Interoperability Program measure for patient access, which incorporates access by both individuals and their authorized representatives.
  7. Assurances Condition and Maintenance of Certification Requirement (the "Assurances Condition"): Under the Assurances Condition, a health IT module that is part of a health IT product that electronically stores EHI must be certified to the EHI Export certification criterion at 45 C.F.R. § 170.315(b)(10). To address stakeholder comments that this requirement is burdensome, the HTI-2 Proposed Rule proposes an exemption to this requirement for health IT modules that (i) primarily act as intermediaries and (ii) receive fewer than 10 requests for single patient EHI export in a given year. To prevent abuse of this proposed exemption, ONC proposes to adopt a new Assurances Maintenance of Certification requirement that would require developers of certified health IT that claim this proposed exemption to report on the number of requests for single patient EHI export to their ONC-Authorized Certification Bodies annually beginning January 1, 2028.
  8. Definition of "Serious Risk to Public Health or Safety": Current regulations provide that ONC may initiate direct review of certified health IT and impose an HIT Certification Program suspension due to a health IT module posing a serious risk to public health or safety.7 The HTI-2 Proposed Rule defines "serious risk to public health or safety" as "a single event or phenomenon or a recurring set of events or phenomena that by the nature and the fact of its occurrence endangers the life or safety of one or more individuals." The proposed definition includes examples of such events or phenomena, such as (i) erasure, destruction, or truncation of clinical data entries needed to maintain the integrity of clinical data points; (ii) corruption of clinical data resulting in attribution of clinical documentation to a different patient from the intended patient; and (iii) changes in numerical values for the treatment dose or frequency of a medication not initiated by a user of the certified health IT.
  9. ONC's Direct Review of Certified Health IT: The HTI-2 Proposed Rule proposes revisions to the regulatory framework of ONC's direct review of certified health IT to clarify that the National Coordinator has controlling authority over matters under ONC's direct review and that the National Coordinator may rely on HHS Office of Inspector General ("HHS-OIG") findings to form the basis of a direct review action. Given HHS-OIG's role in investigating alleged information blocking violations,8 this proposal could signal future ONC direct review of certified health IT due to an HHS-OIG finding that a developer has engaged in information blocking. Developers are already prohibited from taking any action that constitutes information blocking as a condition of certification under the HIT Certification Program.9

II. Proposed Changes to the Information Blocking Rule

The Information Blocking Rule prohibits certain "actors"—health care providers, developers of certified health IT, and health information exchanges and networks—from engaging in certain practices that interfere with access, exchange, or use of EHI, except as required by law or permitted by an information blocking exception specified in federal regulations. The HTI-2 Proposed Rule proposes changes to the Information Blocking Rule to clarify what practices constitute "interfering" with access, exchange, or use of EHI and introduce modifications and additions to the information blocking exceptions. Notable proposed changes include the following:

  1. Practices that Constitute "Interferences" with Access, Exchange, or Use of EHI: ONC proposes to codify in the Information Blocking Rule examples of practices that constitute "interfering" with access, exchange, or use of EHI for purposes of information blocking. Previously, ONC had provided examples of practices that are likely to constitute information blocking in several forms of guidance, including Federal Register preamble commentary10 and frequently asked questions available on ONC's website.11 ONC hopes that codifying examples in federal regulations will increase transparency regarding the types of practices it considers as presenting information blocking concerns. ONC proposes to codify the following examples:
    1. Delay on new access. Delaying patient access to new EHI, such as diagnostic testing results, so clinicians or other actor representatives can review the EHI.
    2. Portal access. Delaying patient access to EHI in a portal when the actor has the EHI and the actor's system has the technical capability to support automated access, exchange, or use of the EHI via the portal.
    3. API access. Delaying the access, exchange, or use of EHI to or by a third-party app designated and authorized by the patient, when there is a deployed API able to support the access, exchange, or use of the EHI.
    4. Non-standard implementation. Implementing health IT in ways that are likely to restrict access, exchange, or use of EHI with respect to exporting EHI, including, but not limited to, exports for transitioning between health IT systems.
    5. Contract provisions. Negotiating or enforcing a contract provision that restricts or limits otherwise lawful access, exchange, or use of EHI.
    6. Non-compete provisions in agreements. Negotiating or enforcing a clause in any agreement that (i) prevents or restricts an employee (other than the actor's employees), a contractor, or a contractor's employee (ii) who accesses, exchanges, or uses the EHI in the actor's health IT (iii) from accessing, exchanging, or using EHI in other health IT in order to design, develop, or upgrade such other health IT.
    7. Manner or content requested. Improperly encouraging or inducing requestors to limit the scope, manner, or timing of EHI requested for access, exchange, or use.
    8. Medical images. Requiring that the access, exchange, or use of any medical images (including, but not limited to, photographs, x-rays, and imaging scans) occur by exchanging physical copies or copies on physical media (such as a thumb drive or DVD) when the actor and the requestor possess the technical capability to access, exchange, or use the images through fully electronic means.
    9. Omissions. Not exchanging EHI under circumstances in which such exchange is lawful; not making EHI available for lawful use; and not complying with another valid law enforceable against the actor that requires access, exchange, or use of EHI. In addition, a Certified API Developer (as defined in 45 C.F.R. § 170.404) failing to publish API discovery details and an API Information Source (as defined in 45 C.F.R. § 170.404) failing to disclose to the Certified API Developer the information necessary for the Certified API Developer to publish the API discovery details, as required by 45 C.F.R. § 170.404(b)(2).

    Although ONC emphasizes that this is not an exhaustive list, these examples are helpful for actors to understand what types of practices ONC considers to be information blocking. Actors should review these examples to determine if any of their current practices may be considered impermissible interferences. For example, actors should reconsider any delays that they have implemented with respect to making test results and other EHI available to patients (including through patient portals) and should review their capabilities and processes for providing medical images in electronic form. In addition, actors should take care not to negotiate any new contractual provisions that would violate examples 5 and 6 or, if such provisions are present in their current contracts, not to enforce such provisions. Actors should also be careful not to improperly encourage or induce requestors to limit a request for EHI (as described in example 7).

  2. New Protecting Care Access Exception: Following the Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health Organization,12 some states have restricted or prohibited abortions and have sought to investigate and prosecute both residents who seek reproductive health care in other states and out-of-state providers who furnish such care. To address concerns that such investigations may implicate actors in other states and patients who cross state lines to seek care, ONC proposes a new Protecting Care Access Exception. This exception would allow an actor not to disclose EHI when it has a good faith belief that doing so would reduce potential exposure to legal action related to reproductive health care. Different conditions apply depending on whether the practice is undertaken to reduce potential exposure to a patient or to a person involved in furnishing care to the patient. This proposed exception aligns with efforts at both the federal and state levels to address similar concerns. At the federal level, the HHS Office for Civil Rights ("OCR") issued a final rule on April 26, 2024,13 which prohibits the use or disclosure of PHI in certain circumstances for purposes such as imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Certain states, including Maryland and California, have enacted laws that regulate the disclosure of information related to reproductive health care.14 While the Protecting Care Access Exception may be a welcome addition for actors grappling with these issues, health IT developers may still face challenges in developing the technological capabilities to meet the requirements of the exception, including that the practice is tailored to be no broader than necessary to reduce the risk of potential legal exposure.
  3. New Requestor Preferences Exception: A new proposed Requestor Preferences Exception specifies conditions under which an actor may honor a requestor's written request to (i) limit the scope of EHI made available to the requestor; (ii) delay provision of access, exchange or use by the requestor until a condition specified by the requestor has been met; or (iii) delay provision of access, exchange, or use by the requestor for a specified period of time. ONC explains that it has proposed this exception in response to stakeholders asking for clarity as to whether honoring such requests would be permissible. Note that under the proposed examples of practices that constitute interferences, improperly encouraging or inducing requestors to limit the scope, manner, or timing of their request (example 7 above) would not qualify for protection under this exception.
  4. Privacy Exception Modifications: ONC proposes to expand the applicability of the sub-exception of the Privacy Exception related to denial of an individual's request for EHI consistent with "unreviewable grounds" for denial of access under 45 C.F.R. § 164.524. Currently, the sub-exception is only available to actors who are also HIPAA covered entities or business associates. ONC seeks to expand applicability to any actor. Separately, ONC proposes to remove the requirement of the "individual requests" sub-exception that honoring an individual's request not to share EHI must comply with other applicable law.
  5. Infeasibility Exception Modifications: ONC proposes to modify the Segmentation sub-exception to cross-reference the Privacy Exception and the new Protecting Care Access Exception. ONC also proposes to modify the Third Party Seeking Modification Use sub-exception, which—as finalized in the HTI-1 Final Rule—does not allow a business associate of a HIPAA covered entity health care provider to refuse to honor the provider's request to modify EHI. The proposed change would provide that both business associates of covered entity health care providers and contractors of providers that are not HIPAA covered entities must honor a provider's requested modification. In addition, ONC proposes to extend the timeframe for notifying a requestor that a request is infeasible—which is currently within 10 business days of receipt of the request—to within 10 business days of a determination made without unnecessary delay and based on a reasonable assessment of the facts that fulfilling the request would qualify as infeasible under the exception.

III. Proposed Establishment of TEFCA Governance Rules

Through TEFCA, ONC seeks to establish a floor for nationwide interoperability to facilitate full network-to-network exchange of health information. ONC has designated the Sequoia Project as the TEFCA Recognized Coordinating Entity ("RCE") responsible for developing and operationalizing the Common Agreement and administering the qualified health information network ("QHIN") application, onboarding, and designation process. Currently, entities that seek to become QHINs must navigate the RCE's standard operating procedures, protocols, and other requirements relating to onboarding and designation. However, to support the viability of the future of TEFCA and to support QHIN appeals to ONC, ONC is proposing to codify through regulation the qualifications for QHIN designation, QHIN onboarding and designation processes, the QHIN attestation process, ONC's authority to delegate responsibilities to the RCE, and QHIN termination and appeal rights.

IV. Conclusion

The HTI-2 Proposed Rule represents ONC's continued efforts to advance interoperability, respond to stakeholder concerns, and adapt to regulatory and legal changes affecting health information exchange. The new proposed health IT certification requirements, especially those focused on public health and payer use cases, could facilitate increased standardization of health information exchange nationwide. Other proposed changes, such as modifications to ONC's direct review process, codification of examples of practices likely to be considered information blocking, and introduction of new TEFCA regulations, provide clarity for stakeholders who seek to comply with the HIT Certification Program, the Information Blocking Rule, and TEFCA requirements. This increased transparency means that stakeholders should consider themselves "on notice" of applicable requirements, particularly with respect to information blocking compliance. If finalized, the HTI-2 Proposed Rule's changes could have a significant effect on health information exchange and interoperability and the stakeholders that support these activities.

Footnotes

1. Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability Proposed Rule (July 10, 2024), https://www.healthit.gov/sites/default/files/page/2024-07/ONC_HTI-2_Proposed_Rule.pdf.

2. Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 89 Fed. Reg. 1192 (Jan. 9, 2024).

3. HHS, "HHS Proposed HTI-2 Rule to Improve Patient Engagement, Information Sharing, and Public Health Interoperability" (July 10, 2024), https://www.hhs.gov/about/news/2024/07/10/hhs-proposes-hti-2-rule-improve-patient-engagement-information-sharing-public-health-interoperability.html.

4. For more information on these CMS requirements, see Christine Moundas, Gideon Zvi Palte & Carolyn Lye, CMS Finalizes New Electronic Prior Authorization Requirements for Payers and Providers, Ropes & Gray LLP (Jan. 23, 2024), https://www.ropesgray.com/en/insights/alerts/2024/01/cms-finalizes-new-electronic-prior-authorization-requirements-for-payers-and-providers.

5. See id.

6. 45 C.F.R. § 170.213.

7. 45 C.F.R. § 170.580(a)(2)(i); 45 C.F.R. § 170.580(d)(1).

8. See Christine Moundas, Gideon Zvi Palte & Carolyn Lye, Renewed Focus on Information Sharing as OIG Finalizes Penalties of up to $1 Million per Information Blocking Violation, Ropes & Gray LLP (Jul. 11, 2023), https://www.ropesgray.com/en/insights/alerts/2023/07/information-blockers-beware-oig-announces-penalties-of-up-to-1-million-per-information-blocking.

9. 45 C.F.R. § 170.401.

10. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Proposed Rule, 84 Fed. Reg. 7424, 7518–21 (March 4, 2019); ONC, Information Blocking Frequently Asked Questions, (last visited July 16, 2024).

11. See Frequently Asked Questions, HealthIT.gov, https://www.healthit.gov/faqs (last visited Jul. 17, 2024).

12. 597 U.S. 215 (2022).

13. HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 89 Fed. Reg. 32976 (April 26, 2024).

14. For Maryland, see Md. Health-General Code Ann. § 4-302.5 (and implementing regulations at COMAR 10.25.07 and 10.25.18). For California, see, e.g., Cal. Civil Code § 56.101(c)(1).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
