Final ONC Interoperability Regulation: What You Need to Know

A woman wearing scrubs sits at a desk in a hospital setting and uses a laptop computer.

On Monday, March 9, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS) publicly released their final regulations related to driving more interoperability and data exchange across the entire healthcare ecosystem. The government intends the combined regulations to provide patients with timely access to their health data to make informed healthcare decisions and better manage their care. The Department of Health and Human Services (HHS) expects the regulations to place patients at the center of care delivery and provide them more control, which is the centerpiece of the Trump Administration’s work toward a value-based healthcare system.

The ONC Interoperability and Information Blocking Final Regulation implements key provisions of the 21st Century Cures Act focused on advancing interoperability; supporting the access, exchange, and use of electronic health information (EHI); and, addressing occurrences of information blocking. ONC’s regulation also establishes application programming interface (API) requirements using the Fast Healthcare Interoperability Resources (FHIR®) standard, including for patients to use APIs to be able to electronically access all of their EHI, structured and/or unstructured, at no cost.

The CMS Interoperability and Patient Access Final Regulation builds on ONC’s Final Regulation as well as the MyHealthEData Initiative, which was originally announced at the HIMSS18 Conference. The CMS Regulation is focused on liberating patient claims data so patients can be more informed decision makers leading to better-informed treatment. More information on the CMS Regulation can be found online.

The Key Parts of the ONC Regulation include:

Certification Program-Related Changes

ONC sunsets the 2014 Edition and finalizes several changes to the existing 2015 Edition Health IT Certification Criteria, introducing some new certification criteria, revising existing certification criteria, and removing certification criteria. ONC has summarized these changes online.

Overall, these changes constitute the 2015 Edition Cures Update. It is important to note that although ONC retained the overall 2015 Edition title, the agency will distinguish the new or revised criteria adopted in this Final Regulation by referring to them as the 2015 Edition Cures Update on the Certified Health IT Product List (CHPL) for products that are certified.

In addition, ONC established specific API Conditions of Certification that address the practices developers of certified health IT may engage in with respect to certified API technology, which is discussed in more detail below.

United States Core Data for Interoperability (USCDI v1) is adopted as a Standard in the ONC Cures Act Final Regulation

ONC’s Regulation finalizes the transition from the Common Clinical Data Set (CCDS) to the United States Core Data for Interoperability (USCDI). The USCDI establishes a minimum set of data classes that are required to be interoperable nationwide and is designed to be expanded in an iterative and predictable way over time. Data classes listed in the USCDI are represented in a technically agnostic manner. The USCDI sets a foundation for broader sharing of electronic health information to support patient care, and replaces CCDS in certain certification criteria.

In addition, use of the USCDI standard is required as part of the new API certification criterion, “standardized API for patient and population services” — which focuses on supporting two types of API-enabled services: (1) services for which a single patient's data is the focus; and, (2) services for which multiple patients' data are the focus.

APIs Conditions and Maintenance of Certification

The Final Regulation establishes specific API Conditions of Certification that address the practices developers of certified health IT should engage in, such as minimizing the “special effort” necessary to access, exchange, and use EHI via certified API technology. More emphasis has been placed on privacy and security transparency to foster greater trust between the information sender and receiver.

In addition, this new certification criterion requires standardized API access for single patient and population services limited to API-enabled “read” services using the Health Level 7 (HL7®) FHIR® standard Release 4 and references several standards and implementation specifications adopted to support standardization and interoperability.

The API Maintenance of Certification requirements focus on three conditions:

  • Transparency
    Requiring certified API developers to publish specific business and technical documentation necessary to interact with their certified API technology and make such documentation publicly accessible via a hyperlink
  • Fees
    Building criteria for allowable fees, guidelines for the fees certified API developers would be permitted to charge, and to whom those fees could be charged
  • Openness and Pro-competitiveness
    Establishing practices that certified API developers must follow to enable an open and competitive marketplace

It is important to note that ONC specified that the API Conditions of Certification only apply to developer practices associated with certified API technology and do not generally apply to other software interfaces.

Definitions in the Final Regulation

Three categories of “actors” are regulated by the information blocking section of the Final Regulation: Health Care Provider; Health IT Developer of Certified Health IT; and, Health Information Network (HIN) or Health Information Exchange (HIE).

The HIN/HIE Definition is merged from what was included in the Proposed Regulation, when each was a distinct category. This combined functional definition applies to both terms in order to clarify the types of individuals and entities that would be covered and limits the types of actions that would be necessary for an actor to meet the definition of HIN or HIE. The Final Regulation also focuses the definition’s scope on exchange related to treatment, payment, and health care operations, as each are defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Regulations.

In addition, the data classes in USCDI v1 will define EHI during the initial 24-month period after implementation of the information blocking provisions. To be clear, six months after the Final Regulation is published in the Federal Register would serve as the start of the compliance date for the information blocking provisions, and then the Final Regulation provides an additional 18 months as this initial compliance period.

The six-month delayed compliance date was established to provide actors with time to thoroughly read and understand the Final Regulation and educate their workforce in order to apply the exceptions in an appropriate manner, while the additional 18 months provide the opportunity for the actors to gain experience applying the exceptions. After 24 months, the EHI definition is expanded and represents the same electronic protected health information (ePHI) that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Regulation.

Eight Exceptions Defined for When an Actor Would Not be Considered an Information Blocker

ONC’s Final Regulation outlines eight exceptions to the definition of information blocking that would apply when one of the designated actors meets the conditions of one or more exceptions—in such an instance, that actor would not be considered an information blocker. It is important to note that an actor’s practice that does not meet the conditions of an exception will not automatically constitute information blocking, as these practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred.

ONC divided the information blocking exceptions into two categories:

Exceptions that involve not fulfilling requests to access, exchange, or use EHI

  • Preventing Harm Exception
  • Privacy Exception
  • Security Exception
  • Infeasibility Exception
  • Health IT Performance Exception

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

  • Content and Manner Exception
  • Fees Exception
  • Licensing Exception

ONC’s Proposed Regulation included seven exceptions — the Content and Manner Exception was added to the final regulation. This new exception provides clarity and flexibility to actors on the required content (i.e., the scope of EHI) of an actor’s response to a request to access, exchange, or use EHI, as well as the manner in which the actor may fulfill the request.

Combined with the initial definition of EHI, the Content and Manner Exception allows actors to make available a limited set of EHI, and along with the Infeasibility Exception, attempts to address concerns about certain actors having limited resources or limited access to health IT.

Implementation Timelines Specified

Generally speaking, the effective date for the certification portion of ONC’s Final Regulation is 60 days after publication in the Federal Register. Compliance for other components of the Final Regulation occur six months from its publication. Although ONC has released its Regulation, it has not been formally published in the Federal Register yet, so the precise effective and compliance dates will be specified once it has been published.

The effective date for the 2015 Edition Cures Update certification criteria as well as certain Conditions of Certification is 60 days from the Federal Register publication. Six months after publication is when specific compliance requirements start for several Conditions of Certification, including related to information blocking and APIs.

As previously discussed, six months after publication is also when compliance begins for information blocking, with the EHI definition limited to the data classes in USCDI v 1.

However, it is important to note that ONC and the HHS Office of Inspector General (OIG) are coordinating timing of the effective date of this Final Regulation and the start of information blocking enforcement as well as enforcement of the Conditions of Certification related to information blocking. For actors regulated by the information blocking provision, enforcement of information blocking civil monetary penalties (CMP) will not begin until OIG engages in a notice and comment period to set the parameters around these penalties.

Overall, health IT developers of certified health IT and HIN/HIEs will not be subject to penalties (ONC and OIG must still define the appropriate disincentives for providers under information blocking) until OIG’s CMP Regulations are final. The timeframe for enforcement would not begin sooner than the compliance date of the information blocking provision and will depend on when the CMP Regulations are finalized. ONC and OIG are emphasizing that they are exhibiting discretion on conduct that occurs before that time and any questionable actions will not be subject to information blocking CMPs. However, the actors that are subject to the information blocking regulations must comply with this Final Regulation as of the compliance date of this provision.

Continue to stay connected to HIMSS over the coming days as we provide further analysis on the impact of the Final ONC and CMS Interoperability Regulations.

Discover the Power of Interoperability

Help advance interoperability and standards-based health IT systems that lead to meaningful health information exchange.

Join the Interoperability & HIE Committee

Published on