Biden Administration Finalizes Its Last Changes To Health Data Interoperability and Information Blocking Regulations

In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).

The New HTI Final Rules will affect Trusted Exchange Framework and Common Agreement (“TEFCA”) qualified health information networks (“QHINs”) and health care organizations that exchange data through QHINs, as well as developers of certified health information technology, health information exchanges and networks, and health care providers (collectively, “Actors”) that are subject to the Information Blocking Rule. This alert summarizes key provisions of the New HTI Final Rules.

I. Establishment of TEFCA Governance Rules (HTI-2 Final Rule)

On December 16, 2024, ASTP/ONC published the “Health Data, Technology, and Interoperability: Trusted Exchange Framework and Common Agreement (TEFCA)” final rule (the “HTI-2 Final Rule”).¹ The HTI-2 Final Rule finalizes federal regulations for TEFCA, which seeks to establish a floor for nationwide interoperability to facilitate full network-to-network exchange of health information.²

TEFCA comprises two components: (a) the Trusted Exchange Framework, a common set of principles designed to facilitate trust between HINs; and (b) the Common Agreement, an agreement establishing baseline legal and technical requirements for nationwide interoperability that QHINs must execute with the TEFCA Recognized Coordinating Entity (“RCE”) selected by ASTP/ONC to administer the requirements of the Common Agreement. In the HTI-2 Final Rule, ASTP/ONC finalized new TEFCA regulations at 45 C.F.R. Part 172 that establish the processes and procedures governing the onboarding and designation of QHINs; suspension, termination and administrative appeals to ASTP/ONC; and QHIN attestation for the adoption of TEFCA.

The new federal regulations will promote transparency in governance and oversight in TEFCA by providing a central resource for requirements that previously were established through the Common Agreement and various policies and procedures published by the RCE. In addition, ASTP/ONC will exercise more direct authority over the program by requiring the RCE to obtain the agency’s prior authorization for certain actions, including interim or final QHIN designation decisions and establishing QHIN onboarding requirements.

II. Changes to the Information Blocking Rule (HTI-3 Final Rule)

On December 17, 2024, ASTP/ONC published the “Health Data, Technology, and Interoperability: Protecting Care Access” final rule (the “HTI-3 Final Rule”).³ The HTI-3 Final Rule finalizes an exception to the Information Blocking Rule for certain practices that may interfere with access, exchange, or use of electronic health information (“EHI”) that are undertaken to protect patients or providers from legal risk related to reproductive health care. The HTI-3 Final Rule also introduces minor changes to existing information blocking exceptions.

1. New Protecting Care Access Exception

The HTI-3 Final Rule implements the new Protecting Care Access Exception to the Information Blocking Rule. The Protecting Care Access Exception was proposed in the HTI-2 Proposed Rule largely in response to new state laws restricting access to and delivery of reproductive health care in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.⁴ To address the chilling effect of these state laws on an individual’s willingness to seek and a provider’s willingness to furnish reproductive health care, the Protecting Care Access Exception protects from information blocking liability certain restrictions on access, exchange, or use of EHI when undertaken to reduce potential legal exposure related to reproductive health care. The Protecting Care Access Exception builds on similar efforts by the federal government and certain states to address concerns related to reproductive health care. At the federal level, the HHS Office for Civil Rights issued a final rule on April 26, 2024,⁵ which prohibits the use or disclosure of protected health information in certain circumstances for purposes such as imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care. Certain states, including Maryland and California, have enacted laws that regulate the disclosure of information related to reproductive health care.⁶

Public comments were strongly supportive of the Protecting Care Access Exception, and ASTP/ONC finalized it largely as proposed. The final exception includes additional flexibility for Actors that are business associates to rely on the good faith belief and determination of legal risk of an organization for which the Actor maintains EHI as a business associate.

2. Privacy Exception and Infeasibility Exception Modifications

The Privacy Exception allows an Actor to decline to provide access, exchange, or use of EHI if requested by an individual under certain circumstances. In the HTI-2 Proposed Rule, ASTP/ONC proposed to revise the Privacy Exception to remove the limitation that it can apply only where the sharing of EHI is not otherwise required by law. This would mean that Actors may restrict access, exchange, or use of EHI as requested by an individual even when another law requires fulfillment of a request for EHI. ASTP/ONC finalized this modification as proposed, but emphasized that the modification does not override other law compelling disclosure against the individual’s wishes; rather, it merely protects the Actor from information blocking liability that may arise from complying with the individual’s request.⁷

ASTP/ONC also implemented modifications to the Infeasibility Exception’s segmentation condition, which now allows an Actor not to provide access, exchange, or use of EHI that cannot be segmented from other EHI that (i) cannot be made available by law or (ii) may be withheld under the Preventing Harm Exception, the Privacy Exception, or the new Protecting Care Access Exception.

III. Unimplemented Proposals

While these changes are significant, they represent only a few of many proposals that ASTP/ONC had proposed in the HTI-2 Proposed Rule.⁸ ASTP/ONC touted the HTI-2 Proposed Rule as a “tour de force” when it was released,⁹ and it was widely anticipated that the ensuing final rule would have a significant impact on the ONC Health IT Certification Program, the Information Blocking Rule, and TEFCA. The New HTI Final Rules leave out significant proposals, including proposed new certification criteria related to public health, payers, and application programming interface capabilities; regulations codifying examples of practices that may be considered information blocking; and a new information blocking exception for honoring a requestor’s preferences when fulfilling a request to access, exchange, or use EHI.

ASTP/ONC has explained that it chose to limit the scope of the New HTI Final Rules because “the number of public comments received made it impracticable to finalize the [proposed] rule in its entirety in a timely manner.”¹⁰ The agency left open the possibility that unimplemented proposals “may be the subject of subsequent final rules related to such proposals in the future.”¹¹ However, it remains to be seen when and whether such proposals will be finalized, particularly considering that a new presidential administration will take office in January 2025.

IV. Conclusion

The New HTI Final Rules introduce meaningful regulations that will increase transparency in the administration of TEFCA and provide protection under the Information Blocking Rule for certain activities undertaken to protect against litigation risk arising from reproductive health care. However, other impactful changes that were proposed in the HTI-2 Proposed Rule were not finalized. Although ASTP/ONC has stated that those proposals have not been abandoned, their future is uncertain, especially considering the imminent change in presidential administrations, which may lead to shifting regulatory priorities.

1. ^{ASTP/ONC, Health Data, Technology, and Interoperability: Trusted Exchange Framework and Common Agreement (TEFCA) Final Rule, 89 Fed. Reg. 101,772 (Dec. 16, 2024), https://www.federalregister.gov/documents/2024/12/16/2024-29163/health-data-technology-and-interoperability-trusted-exchange-framework-and-common-agreement-tefca.}
2. ^{The HTI-2 Final Rule also finalizes minor administrative updates to the ONC Health IT Certification Program to require that health IT certified to the Decision Support Interventions certification criterion also must be certified to the corresponding privacy and security certification requirements beginning on January 1, 2028, and to remove terms and time-limited certification criteria that are no longer applicable.}
3. ^{ASTP/ONC, Health Data, Technology, and Interoperability: Protecting Care Access Final Rule, 89 Fed. Reg. 102,512 (Dec. 17, 2024), https://www.federalregister.gov/documents/2024/12/17/2024-29683/health-data-technology-and-interoperability-protecting-care-access.}
4. ^{597 U.S. 215 (2022).}
5. ^{HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 89 Fed. Reg. 32976 (Apr. 26, 2024).}
6. ^{For Maryland, see Md. Health-General Code Ann. § 4-302.5 (and implementing regulations at COMAR 10.25.07 and 10.25.18). For California, see, e.g., Cal. Civil Code § 56.101(c)(1).}
7. ^{ASTP/ONC also finalized technical corrections to the definition of “individual” in the Privacy Exception.}
8. ^{ONC, Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability, 89 Fed. Reg. 63,498 (Aug. 5, 2024), https://www.federalregister.gov/documents/2024/08/05/2024-14975/health-data-technology-and-interoperability-patient-engagement-information-sharing-and-public-health. For more information on the HTI-2 Proposed Rule, see Christine Moundas, Gideon Palte, and Carolyn Lye, ONC Proposes “Tour De Force” Interoperability and Information Sharing Updates, Ropes & Gray LLP (Jul. 22, 2024), https://www.ropesgray.com/en/insights/alerts/2024/07/onc-proposes-tour-de-force-interoperability-and-information-sharing-updates.}
9. ^{HHS, “HHS Proposed HTI-2 Rule to Improve Patient Engagement, Information Sharing, and Public Health Interoperability” (Jul. 10, 2024), https://www.hhs.gov/about/news/2024/07/10/hhs-proposes-hti-2-rule-improve-patient-engagement-information-sharing-public-health-interoperability.html. See also Christine Moundas, Gideon Zvi Palte & Carolyn Lye, ONC Proposed “Tour De Force” Interoperability and Information Sharing Updates, Ropes & Gray LLP (Jul. 11, 2023), https://www.ropesgray.com/en/insights/alerts/2024/07/onc-proposes-tour-de-force-interoperability-and-information-sharing-updates.}
10. ^{Christian Robles, ASTP/ONC Releases HTI-2 Final Rule Focused on TEFCA, Additional Health IT Final Rule At OMB, InsideHealthPolicy (Dec. 11, 2024), https://insidehealthpolicy.com/daily-news/astponc-releases-hti-2-final-rule-focused-tefca-additional-health-it-final-rule-omb.}
11. ^{89 Fed. Reg. at 101,772.}