On Monday, February 11, the Office of the National Coordinator for Health Information Technology (ONC) continued its implementation of the 21st Century Cures Act with the publication of its proposed regulation designed to advance interoperability, support the access, exchange and use of electronic health information, and address occurrences of information blocking.
ONC is also implementing Conditions and Maintenance of Certification requirements for health IT developers and supporting patient access to their electronic health information (EHI), such as making a patient’s EHI more electronically accessible through the adoption of standards and certification criteria and the implementation of information blocking policies that support patient electronic access to their health information at no cost. In addition, the proposed rule would modify the 2015 Edition health IT certification criteria and ONC Health IT Certification Program in other ways to advance interoperability, enhance health IT certification, as well as reduce burden and costs.
Moreover, the proposed rule focuses on establishing application programming interfaces (APIs) for several interoperability purposes, including patient access to their health information without special effort. The API approach also supports health care providers having the sole authority and autonomy to unilaterally permit connections to their health IT through certified API technology that health care providers have acquired.
Through this regulatory policymaking, ONC is trying to ensure coordination with the proposed regulation from the Centers for Medicare & Medicaid Services (CMS) to advance interoperability and facilitate greater patient engagement with and control over their healthcare data. Overall, the Department of Health and Human Services (HHS) is attempting to create opportunities for new market entrants and remove barriers to interoperability and EHI exchange, which would greatly benefit health care providers and patients.
The key provisions of ONC’s proposed regulation include the following.
ONC is proposing an approach where the Conditions and Maintenance of Certification express the initial and ongoing requirements for health IT developers and their certified Health IT Modules as part of the Health IT Certification Program. However, ONC is taking certification to a higher level beyond the technical and functional requirements to also include the conditions or requirements that health IT developers should also be held to, including:
ONC is also planning to implement an additional future condition and maintenance of certification requirement that is focused on an electronic health record (EHR) reporting criteria submission. In the fall of 2018, ONC released a Request for Information for the EHR Reporting Program, and is waiting to take further regulatory action until it evaluates all the public comments that it received.
In order to advance interoperability by ensuring compliance with new structured data and code sets that support the data, ONC is proposing to remove the Common Clinical Data Set (CCDS) definition and its references from the 2015 Edition and replacing it with the United States Core Data for Interoperability (USCDI) standard. USCDI v1 establishes a minimum set of data classes (including structured data) that are required for health IT to be interoperable nationwide and is designed to be expanded in an iterative and predictable way over time. USCDI v1 adds two new data classes, Clinical Notes and Provenance that were not defined in CCDS, which will require updates to the Consolidated Clinical Document Architecture (C-CDA) standard.
Overall, USCDI v1 is a modest expansion of CCDS, which ONC believes most health IT developers already support, were already working toward, or should be capable of updating their health IT to support in a timely manner.
The ONC-Approved Accreditor’s (ONC-AA’s) role is to accredit certification bodies for the Program and to oversee the ONC-Authorized Certification Bodies (ONC-ACBs). ONC is proposing to remove the ONC-AA from the Program. Years of experience and changes with the Program have led ONC to conclude that, in many respects, the role of the ONC-AA to oversee ONC-ACBs is now duplicative of ONC’s oversight. More specifically, ONC’s experience with administering the Principles of Proper Conduct for ONC-ACBs as well as issuing necessary regulatory changes (e.g., ONC-ACB surveillance and reporting requirements in the 2015 Edition final rule) has demonstrated that ONC on its own has the capacity to provide the appropriate oversight of ONC-ACBs.
ONC is introducing several new terms in this proposed rule and it is critical that the community understands and conveys these labels appropriately. These terms include:
ONC identifies proposals for several reasonable and necessary activities as exceptions to the information blocking definition, each of which would be considered to not constitute information blocking. The exceptions would extend to certain activities that interfere with the access, exchange, or use of EHI but that may be reasonable and necessary if certain conditions are met. To qualify for any of these exceptions, ONC is proposing that an individual or entity would, for each relevant practice and at all relevant times, have to satisfy all of the applicable conditions of that specific exception.
In developing the proposed exceptions, ONC was guided by overarching policy considerations focused on ensuring that the exceptions would be limited to certain activities that clearly advance the aims of the information blocking provision, such as promoting public confidence in health IT infrastructure by supporting the privacy and security of EHI, protecting patient safety, and promoting competition and innovation in health IT and its use to provide health care services to consumers.
In addition, each exception is intended to address a significant risk that regulated individuals and entities (i.e., the actors defined in this part of the regulation, specifically health care providers, health IT developers of certified health IT, health information networks, and health information exchanges) will not engage in these reasonable and necessary activities because of potential uncertainty regarding whether they would be considered information blocking. Moreover, each exception is intended to be tailored, through appropriate conditions, so that it is limited to the reasonable and necessary activities that it is designed to exempt.
Of the seven proposed exceptions, the first three address activities that are reasonable and necessary to promote public confidence in the use of health IT and the exchange of EHI. These exceptions are intended to protect patient safety; promote the privacy of EHI; and promote the security of EHI. The next three exceptions address activities that are reasonable and necessary to promote competition and consumer welfare. These exceptions would allow for the recovery of costs reasonably incurred; excuse an actor from responding to requests that are infeasible; and permit the licensing of interoperability elements on reasonable and non-discriminatory terms. The final exception addresses activities that are reasonable and necessary to promote the performance of health IT. This proposed exception recognizes that actors may make health IT temporarily unavailable for maintenance or improvements that benefit the overall performance and usability of health IT.
The exceptions for reasonable and necessary activities that do not constitute information blocking include:
The proposed regulation states that an API Technology Supplier must publish APIs and allow health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, including providing access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws. ONC wants this process to be very transparent and is only permitting certain types of fees to apply here, where an API Technology Supplier must have objective and verifiable criteria and keep detailed records of fees.
Ultimately, ONC wants to ensure that all terms and conditions for a Technology Supplier’s API technology, including any fees, restrictions, limitations, obligations, registration process requirements, or other similar requirements is published in a public manner and are uniformly applied for all substantially similar or similarly situated classes of persons and requests.
Any and all fees charged by an API Technology Supplier for the use of its API technology must be described in detailed as well as plain language. The description of the fees must include all material information, including but not limited to: the persons or classes of persons to whom the fee applies; the circumstances in which the fee applies; and, the amount of the fee, which for variable fees must include the specific variable(s) and methodology(ies) that will be used to calculate the fee.
ONC is asking for comments around several additional issues in this proposed regulation, and each provides an opportunity to help guide the agency forward on crucial policy topics. ONC is seeking comment in this proposed rule on a series of questions related to health IT functionalities and standards to support the effective prevention and treatment of opioid use disorder (OUD) across patient populations and care settings.
The proposed rule also raises the idea of whether ONC should consider whether certain health IT developers should be required to participate in the Trusted Exchange Framework and adhere to the Common Agreement that the agency is still working to finalize. Such an exception may support adoption of the Common Agreement and encourage other entities to participate in trusted exchange through health information networks that enter into the Common Agreement. It could potentially provide protection if there are practices that are expressly required by the Common Agreement, or that are necessary to implement such requirements, that might implicate the information blocking provision and would not qualify for another exception.
An additional RFI is focused on whether ONC should establish new regulatory processes tailored towards recognizing the unique characteristics of health IT (e.g., EHR software) by looking first at the health IT developer, rather than primarily at the health IT presented for certification, as is currently done under the Program. Such an effort could be modeled after the Food and Drug Administration Digital Health Software Pre-Certification Program. For example, ONC could possibly establish Conditions and Maintenance of Certification requirements, through rulemaking, that facilitate the deeming of all of a health IT developer’s health IT as “certified” under the Program for certification criteria identified by ONC as solely “functionally-based” criteria.
The idea of disincentives for health care providers is the subject of another RFI. Any health care provider determined by the Office of Inspector General (OIG) to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable federal law, although these disincentives may not cover the full range of applicable conduct. ONC is requesting information on disincentives or if modifying disincentives already available under existing HHS programs and regulations would provide for more effective deterrents.
ONC is also exploring multiple approaches to advancing health IT interoperability for bidirectional exchange with registries in order to mitigate risks based on factors like feasibility and readiness, potential unintended burden on health care providers, and the need to focus on priority clinical use cases. As ONC is in the process of conducting research and analysis to determine what evidence-based use cases should be supported and what standards are available to support such use cases, comments on opportunities for bidirectional exchange with registries will be timely.
In addition, ONC is looking for comment on additional opportunities that may exist in the patient matching space and ways that the agency can lead and contribute to coordination efforts with respect to patient matching.
More information about the ONC Proposed Rule is available online. Look to HIMSS for further details about the regulatory process and how members can get involved in helping to devise our public comment response letter.