Key Takeaways

• ONC proposes several changes to certification criterion, including a change to improve transparency and reliability for the use of artificial intelligence in clinical decision support tools.
• ONC proposes several updates to improve patient privacy, including requiring EHR functionality to flag instances in which a patient has requested that data be restricted from subsequent use or disclosure.
• ONC proposes updates to the information blocking regulations, including defining what it means to "offer health IT," revising the "uncontrollable events" condition and proposing two new conditions to the Infeasibility Exception, and creating a new condition under the (as-proposed) Manner Exception.

On April 18, the Office of the National Coordinator for Health Information Technology (ONC) formally published its proposed rule titled Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (Proposed Rule). The Proposed Rule implements provisions of the 21st Century Cures Act, makes significant updates to electronic health record (EHR) certification criteria, modifies the information-blocking regulations, and seeks to improve the ability of patients to request restrictions on the use and disclosure of their protected health information. While many of the proposed revisions are highly technical in nature and geared toward developers of health IT, the Proposed Rule is aimed at furthering ONC’s goal of advancing health information exchange and interoperability. This is the first significant proposed rule since the ONC Cures Act Final Rule was passed in 2020, and we have summarized the most notable updates in the Proposed Rule below. 

Updates to EHR Certification Criteria

• Adoption of United States Core Data for Interoperability (USCDI) Version 3. ONC proposed adopting Version 3 of USCDI as a standard within ONC’s Certification Program and establishing an expiration date for USCDI Version 1 as a certification standard for the program.
• Use of Artificial Intelligence for Clinical Decision Support. ONC proposed a “decision support interventions (DSI)” certification criterion to improve transparency and reliability for the use of artificial intelligence in the use of clinical decision support tools. The compliance date for those requirements would be Dec. 31, 2024, as proposed.
• Application Programming Interface (API) Improvements. ONC proposed a number of updates to improve the secure transmission of access of information transmitted through APIs, including amending the API Condition and Maintenance of Certification requirements.
• Updated Demographic Criterion. As part of its efforts to increase inclusivity, ONC proposed to add the data elements “Sex for Clinical Use,” “Name to Use” and “Pronouns” to the proposed Patient Demographics and Observations certification criterion. ONC also proposed to replace the terminology standards for “Sex,” “Sexual Orientation” and “Gender Identity” with other terminology codes according to SNOMED CT.

Increased Patient Privacy Protections

ONC made several proposals to improve the ability of patients to request restrictions on the use and disclosure of their health information as provided by the HIPAA Privacy Rule. The updated certification criterion would require functionality with the EHR to flag instances in which a patient has requested that data be restricted from subsequent use or disclosure in order to prevent such flagged data from being included in a subsequent use or disclosure for the restricted purpose. These updates would be required by Jan. 1, 2026, if finalized.

Updates to Information Blocking Regulations

• ONC proposed several updates to the information blocking regulations, including defining what it means to “offer health IT” for purposes of the information blocking rule to narrow the applicability of the health IT developer of certified health IT definition and clarify that ONC does not consider the following to be offering health IT: the implementation of APIs or portals for clinician or patient access; the issuance of login credentials allowing licensed healthcare professionals who are in independent practice to use a hospital/health facility’s EHR to furnish and document care to patients in that hospital/health facility; or the inclusion of health IT in a package of items, supplies, facilities and services that a management consultant handles for a clinical practice or other healthcare provider in a comprehensive package of services for administrative or operational management. The Proposed Rule also clarifies that ONC does not consider healthcare providers who self-develop certified health IT to “offer health IT” even if they supply their self-developed certified health IT to others under arrangements excluded from the definition of what it means to "offer health IT.”
• The Proposed Rule also revised the “uncontrollable events” condition to the Infeasibility Exception and added two new conditions to the exception to address (i) denial of requests in situations where a third party asks to enable use of Electronic Health Information (EHI) to modify EHI (“third party seeking modification use” condition) and (ii) when the Manner Exception has been exhausted (“manner exception exhausted” condition). The manner exception exhausted condition would apply when (i) the actor could not reach an agreement with the requestor under the “manner requested” condition or was technically unable to fulfill a request for EHI in the manner requested, (ii) the actor offered alternative manners in accordance with the “alternative manner” condition for the EHI and could not reach agreement with the requestor, and (iii) the actor does not provide a substantial number of similarly situated individuals/entities with the same access, exchange or use of the requested EHI.
• ONC also added a Trusted Exchange Framework and Common Agreement (TEFCA) condition to provide additional flexibility to TEFCA participants such that when a TEFCA participant fulfills a request from a TEFCA participant through TEFCA, the data is not required to be provided in an alternative manner.

Comments to the Proposed Rule are due June 20, 2023. We will continue to monitor and report on significant rulemaking regarding this Proposed Rule.

[View source.]