[Federal Register Volume 89, Number 6 (Tuesday, January 9, 2024)]
[Rules and Regulations]
[Pages 1192-1438]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-28857]
[[Page 1191]]
Vol. 89
Tuesday,
No. 6
January 9, 2024
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
45 Parts 170 and 171
Health Data, Technology, and Interoperability: Certification Program
Updates, Algorithm Transparency, and Information Sharing; Final Rule
��Federal Register / Vol. 89, No. 6 / Tuesday, January 9, 2024 / Rules
and Regulations��
[[Page 1192]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 170, 171
RIN 0955-AA03
Health Data, Technology, and Interoperability: Certification
Program Updates, Algorithm Transparency, and Information Sharing
AGENCY: Office of the National Coordinator for Health Information
Technology (ONC), Department of Health and Human Services (HHS).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule implements the Electronic Health Record (EHR)
Reporting Program provision of the 21st Century Cures Act by
establishing new Conditions and Maintenance of Certification
requirements for health information technology (health IT) developers
under the ONC Health IT Certification Program (Program). This final
rule also makes several updates to certification criteria and standards
recognized by the Program. The Program updates include revised
certification criteria for ``decision support interventions,''
``patient demographics and observations,'' and ``electronic case
reporting,'' as well as a new baseline version of the United States
Core Data for Interoperability (USCDI) standard to Version 3.
Additionally, this final rule provides enhancements to support
information sharing under the information blocking regulations. The
implementation of these provisions advances interoperability, improves
algorithm transparency, and supports the access, exchange, and use of
electronic health information (EHI). This final rule also updates
numerous technical standards in the Program in additional ways to
advance interoperability, enhance health IT certification, and reduce
burden and costs for health IT developers and users of health IT.
DATES:
Effective date: This final rule is effective on February 8, 2024.
Incorporation by reference: The incorporation by reference of
certain publications listed in the rule was approved by the Director of
the Federal Register as of February 8, 2024.
FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy,
Office of the National Coordinator for Health Information Technology,
202-690-7151.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
A. Purpose of Regulatory Action
1. Statutory Responsibilities and Implementation
2. Administration Executive Orders
3. Federal Coordination
B. Summary of Major Provisions
1. ONC Health IT Certification Program Updates
a. ``The ONC Certification Criteria for Health IT'' and
Discontinuing Year Themed ``Editions''
b. New and Revised Standards and Certification Criteria
i. The United States Core Data for Interoperability Version 3
(USCDI v3)
ii. C-CDA Companion Guide Updates
iii. ``Minimum Standards'' Code Sets Updates
iv. Electronic Case Reporting
v. Decision Support Interventions and Predictive Models
vi. Synchronized Clocks Standard
vii. Standardized API for Patient and Population Services
viii. Patient Demographics and Observations Certification
Criterion in Sec. 170.315(a)(5)
ix. Updates to Transitions of Care Certification Criterion in
Sec. 170.315(b)(1)
x. Patient Right To Request a Restriction on Use or Disclosure
xi. Requirement for Health IT Developers To Update Their
Previously Certified Health IT
2. Assurances Condition and Maintenance of Certification
Requirements
3. Real World Testing--Inherited Certified Status
4. Insights Condition and Maintenance of Certification
5. Information Blocking Enhancements
C. Costs and Benefits
II. Background
A. Statutory Basis
1. Standards, Implementation Specifications, and Certification
Criteria
2. Health IT Certification Program(s)
B. Regulatory History
C. General Comments on the HTI-1 Proposed Rule
III. ONC Health IT Certification Program Updates
A. ``The ONC Certification Criteria for Health IT'' and
Discontinuing Year Themed ``Editions,'' Definition of Revised
Certification Criterion, and Related Program Oversight
1. Discontinuing Year Themed ``Editions''
2. Definition of ``Revised Certification Criterion''
3. Program Oversight Related to Discontinuation of Editions
a. Records Retention
b. Records Retention--Complete EHR
B. Standards and Implementation Specifications
1. National Technology Transfer and Advancement Act
2. Compliance With Adopted Standards and Implementation
Specifications
3. ``Reasonably Available'' to Interested Parties
C. New and Revised Standards and Certification Criteria
1. The United States Core Data for Interoperability Version 3
(USCDI v3)
a. Certification Criteria That Reference USCDI
b. USCDI Standard--Data Classes and Elements Added Since USCDI
v1
2. C-CDA Companion Guide Updates
3. ``Minimum Standards'' Code Sets Updates
4. Electronic Case Reporting
5. Decision Support Interventions and Predictive Models
a. Requirements for Decision Support Interventions (DSI)
Certification Criterion
b. Updates to Real World Testing Condition for CDS Criterion
6. Synchronized Clocks Standard
7. Standardized API for Patient and Population Services
a. Native Applications and Refresh Tokens
b. FHIR United States Core Implementation Guide Version 5.0.1
c. FHIR Endpoint for Service Base URLs
d. Access Token Revocation
e. SMART App Launch 2.0
8. Patient Demographics and Observations Certification Criterion
in Sec. 170.315(a)(5)
9. Updates to Transitions of Care Certification Criterion in
Sec. 170.315(b)(1)
10. Patient Right To Request a Restriction on Use or Disclosure
11. Requirement for Health IT Developers To Update Their
Previously Certified Health IT
D. Assurances Condition and Maintenance of Certification
Requirements
1. Condition of Certification
2. Maintenance of Certification Requirements
E. Real World Testing--Inherited Certified Status
F. Insights Condition and Maintenance of Certification
1. Background and Purpose
2. Insights Condition and Maintenance of Certification--Final
Measures
3. Insights Condition and Maintenance of Certification--
Requirements
4. Insights Condition and Maintenance of Certification--Process
for Reporting
G. Requests for Information
1. Laboratory Data Interoperability Request for Information
2. Request for Information on Pharmacy Interoperability
Functionality Within the ONC Health IT Certification Program
Including Real-Time Prescription Benefit Capabilities
3. FHIR Standard
IV. Information Blocking Enhancements
A. General Comments Regarding Information Blocking Enhancements
B. Defined Terms
1. Offer Health Information Technology or Offer Health IT
a. Exclusion of Certain Funding Subsidy Arrangements From Offer
Health IT Definition
b. Implementation and Use Activities That Are Not an Offering of
Health IT
c. Consulting and Legal Services Exclusion From Offer Health IT
Definition
2. Health IT Developer of Certified Health IT: Self-Developer
Health Care Providers
3. Information Blocking Definition
[[Page 1193]]
C. Exceptions
1. Infeasibility
a. Infeasibility Exception--Uncontrollable Events Condition
b. Infeasibility Exception--Third Party Seeking Modification Use
c. Infeasibility Exception--Manner Exception Exhausted
2. TEFCA Manner Exception
D. Information Blocking Requests for Information
1. Additional Exclusions From Offer Health IT--Request for
Information
2. Possible Additional TEFCA Reasonable and Necessary
Activities--Request for Information
3. Health IT Capabilities for Data Segmentation and User/Patient
Access--Request for Information
V. Incorporation by Reference
VI. Collection of Information Requirements
A. Independent Entity
B. Health IT Developers
C. ONC-ACBs
VII. Regulatory Impact Analysis
A. Statement of Need
B. Alternatives Considered
C. Overall Impact
1. Executive Orders 12866 and 13563--Regulatory Planning and
Review Analysis
a. Costs and Benefits
b. Accounting Statement and Table
D. Regulatory Flexibility Act
E. Executive Order 13132--Federalism
F. Unfunded Mandates Reform Act of 1995
Regulation Text
I. Executive Summary
A. Purpose of Regulatory Action
The Office of the National Coordinator for Health Information
Technology (ONC) is the principal federal entity charged with
coordinating nationwide efforts to implement and use advanced health IT
and to facilitate the electronic exchange of health information. ONC is
at the forefront of the administration's health IT efforts and is a
resource to the entire health system to support the adoption of health
IT and the promotion of nationwide, standards-based health information
exchange to improve healthcare. ONC is focused on two strategic
objectives: (1) advancing the development and use of health IT
capabilities; and (2) establishing expectations for data sharing. ONC's
overall mission, consistent with the policies adopted in this final
rule, is to create systemic improvements in health and care through the
access, exchange, and use of data.
This final rule fulfills statutory requirements and aligns with
administrative priorities; advances equity, innovation, and
interoperability; and supports the access, exchange, and use of EHI. It
also promotes the responsible development and use of artificial
intelligence through transparency and improves patient care through
policies that advance standards-based interoperability and EHI
exchange, which are central to the Department of Health and Human
Services' efforts to enhance and protect the health and well-being of
all Americans.
1. Statutory Responsibilities and Implementation
The Secretary of Health and Human Services has delegated to ONC the
responsibility to implement certain provisions in Title IV of the 21st
Century Cures Act (Pub. L. 114-255, Dec. 13, 2016) (Cures Act)
including: the Electronic Health Record (EHR) Reporting Program
condition and maintenance of certification requirements under the ONC
Health IT Certification Program (Program) and the identification of
reasonable and necessary activities that do not constitute information
blocking.\1\ ONC is also responsible for implementing certain
provisions of the Health Information Technology for Economic and
Clinical Health Act (Pub. L. 111-5, Feb. 17. 2009) (HITECH Act) of
2009, including, but not limited to, requirements that the National
Coordinator perform duties consistent with the development of a
nationwide health information technology infrastructure that allows for
the electronic use and exchange of information and that promotes a more
effective marketplace, greater competition, and increased consumer
choice, as well as requirements to keep, or recognize, a program or
programs for the voluntary certification of health information
technology.
---------------------------------------------------------------------------
\1\ Reasonable and necessary activities that do not constitute
information blocking, also known as information blocking exceptions,
are identified in 45 CFR part 171 subparts B and C. ONC's official
website, HealthIT.gov, offers a variety of resources on the topic of
Information Blocking, including fact sheets, recorded webinars, and
frequently asked questions. To learn more, please visit: https://www.healthit.gov/topic/information-blocking/.
---------------------------------------------------------------------------
This final rule adopts new and revised standards and requirements
for the certification of health IT under the Program. For example, key
provisions of this final rule implement the EHR Reporting Program
through new Conditions and Maintenance of Certification requirements
(referred herein as the Insights Condition) for developers of certified
health IT, which will provide transparency into the use and benefits of
certified health IT, with an initial focus on interoperability. This
final rule revises several Program certification criteria, including
criteria related to decision support, electronic case reporting, and
standards-based application programming interfaces (APIs), as well as
raises the baseline version of the USCDI from Version 1 to Version 3.
The adoption of new and revised standards and criteria in this final
rule will facilitate interoperability through standardized health
information and functionality, which will lead to better care and
health outcomes for patients, while reducing burden and costs. Finally,
this rule continues to implement the provisions of the Cures Act to
improve information sharing--and address information blocking--by
providing refined definitions of statutory terms and further
identifying practices that are reasonable and necessary and, therefore,
do not constitute information blocking.
2. Administration Executive Orders
In addition to fulfilling the HITECH Act's and Cures Act's
requirements described above, this final rule supports implementation
of Executive Orders (E.O.) 13994, 13985, 14036, 14058, 14091, and
14110. The President issued E.O. 13994 on January 21, 2021, to ensure a
data-driven response to COVID-19 and future high-consequence public
health threats. The Cures Act and the information blocking provisions
in the 21st Century Cures Act: Interoperability, Information Blocking,
and the ONC Health IT Certification Program (85 FR 25642) (ONC Cures
Act Final Rule) took critical steps to making data available across the
healthcare system. Adoption of USCDI v3 in this rule facilitates the
gathering, sharing, and publication of public health and emergency
response data (e.g., the COVID-19 pandemic) by capturing and promoting
the sharing of key data elements related to public health. The updates
to API Conditions and Maintenance of Certification requirements, as
discussed in section III.C.7, continue the implementation of ONC's
statutory responsibilities and efforts to develop and standardize APIs
and to help individuals and other authorized health care providers,
including those engaged in public health, securely access EHI through
the broader adoption of standardized APIs.2 3 Additionally,
this final rule
[[Page 1194]]
adopts consensus-based, industry-developed health IT standards for
certified Health IT Modules to support electronic case reporting. As
discussed in section III.C.4, among other benefits, electronic case
reporting facilitates faster and more efficient disease tracking,
prevention, and case management. It also provides more timely and
complete data to public health agencies than manual or non-standardized
reporting.
---------------------------------------------------------------------------
\2\ ONC. (2022, October 18). API Resource Guide. ONC Health IT
Certification Program API Resource Guide. Retrieved March 16, 2023,
from https://onc-healthit.github.io/api-resource-guide/.
\3\ Section 4002 of the 21st Century Cures Act (Cures Act)
establishes a condition of certification that requires health IT
developers to publish application programming interfaces (APIs) that
allow ``health information from such technology to be accessed,
exchanged, and used without special effort through the use of APIs
or successor technology or standards, as provided for under
applicable law.'' The Cures Act's API Condition of Certification
requirement also states that a developer must, through an API,
``provide access to all data elements of a patient's electronic
health record to the extent permissible under applicable privacy
laws.'' The API Conditions and Maintenance of Certification
requirements and certification criteria are identified in 45 CFR
part 170.
---------------------------------------------------------------------------
We are also committed to advancing health equity, and this final
rule is consistent with E.O. 13985 of January 20, 2021, Advancing
Racial Equity and Support for Underserved Communities Through the
Federal Government,\4\ and E.O. 14091 of February 16, 2023, Further
Advancing Racial Equity and Support for Underserved Communities Through
the Federal Government.\5\ Section 1 of E.O. 13985 states that ``the
Federal Government should pursue a comprehensive approach to advancing
equity for all, including people of color and others who have been
historically underserved, marginalized, and adversely affected by
persistent poverty and inequality.'' Section 1 of E.O. 13985 also
states that ``because advancing equity requires a systematic approach
to embedding fairness in decision-making processes, executive
departments and agencies must recognize and work to redress inequities
in their policies and programs that serve as barriers to equal
opportunity.'' As noted above, we have adopted USCDI v3 in this final
rule to meet statutory responsibilities discussed in section II.A to
improve the standardization of health information that is accessed,
exchanged, and used within certified health IT. The USCDI v3 standard
includes data elements on patient demographics (such as sexual
orientation and gender identity) and social determinants of health
(SDOH), as discussed in sections III.C.1 and III.C.8 of this final
rule. These updates help capture more accurate and complete patient
characteristics that are reflective of patient diversity and inclusion,
which could potentially help data users address disparities in health
outcomes for all patients, including those who may be marginalized and
underrepresented. The use of USCDI v3 also supports data users'
abilities to identify, assess, and analyze gaps in care, which could in
turn be used to inform and address the quality of healthcare through
interventions and strategies. This could lead to better patient care,
experiences, and health outcomes.
---------------------------------------------------------------------------
\4\ United States, Executive Office of the President [Joseph
Biden]. Executive Order 13985: Advancing Racial Equity and Support
for Underserved Communities Through the Federal Government. Jan 20,
2021. 86 FR 7009-7013, https://www.federalregister.gov/documents/2021/01/25/2021-01753/advancing-racial-equity-and-support-for-underserved-communities-through-the-federal-government.
\5\ United States, Executive Office of the President [Joseph
Biden]. Executive Order 14091: Further Advancing Racial Equity and
Support for Underserved Communities Through the Federal Government.
Feb 16, 2023. 88 FR 10825-10833, https://www.federalregister.gov/documents/2023/02/22/2023-03779/further-advancing-racial-equity-and-support-for-underserved-communities-through-the-federal.
---------------------------------------------------------------------------
Section 1 of E.O. 14091 also requires the Federal Government to
``promote equity in science and root out bias in the design and use of
new technologies, such as artificial intelligence.'' Section 8 of E.O.
14091 requires agencies to ``prevent and address discrimination and
advance equity for all'' and to ``consider opportunities to prevent and
remedy discrimination, including by protecting the public from
algorithmic discrimination.'' The E.O. states that the Federal
Government shall continue to ``advance equity in health, including
mental and behavioral health and well-being.'' We are committed to the
concept of ``health equity by design'',\6\ in which health equity
considerations are identified and incorporated from inception and
throughout the technology design, build, and implementation process. We
consider health equity by design to incorporate health equity
strategies, tactics, and patterns as guiding principles for software
and IT development, enforced by technical architecture, data, and
information governance process, and built into the technology at every
layer. In this final rule we apply the concept of health equity by
design to bring transparency to the quality and performance of
intelligence and machine learning-based decision support tools in
healthcare. As discussed in section III.C.5, the ``decision support
intervention,'' (DSI) certification criterion is supportive of the
goals of E.O. 14091 and advances health equity by design by making it
known to users of Health IT Modules certified to the DSI criterion
whether patient demographic, SDOH, or health assessment data are used
in DSIs. Other finalized policies: (1) establish a definition for
algorithm-based and model-based ``predictive'' DSIs; (2) require Health
IT Modules certified to the DSI criterion to enable users to access
information about the design, development, training, and evaluation of
Predictive DSIs, including descriptions of training data and
information on whether the Predictive DSI was tested and evaluated for
fairness; (3) require developers of certified health IT to apply risk
management practices for all Predictive DSIs that are supplied by the
developer of certified health IT as part of its Health IT Module; and
(4) make summary information regarding these practices available
publicly.
---------------------------------------------------------------------------
\6\ HealthIT.gov: Embracing Health Equity by Design. https://www.healthit.gov/buzz-blog/health-it/embracing-health-equity-by-design.
---------------------------------------------------------------------------
Additionally, the DSI certification criterion and surrounding
transparency requirements are especially aligned with E.O. 14110, Safe,
Secure, and Trustworthy Development and Use of Artificial Intelligence,
issued October 30, 2023.\7\ The finalized DSI requirements will improve
transparency, promote trustworthiness, and incentivize the development
and wider use of fair, appropriate, valid, effective, and safe
Predictive DSIs to aid decision-making in healthcare. The resulting
information transparency increases public trust and confidence in these
technologies so that the benefits of these technologies may expand in
safer, more appropriate, and more equitable ways. This transparency
also informs wider discussions, including those across industry,
academia, and government, regarding how to evaluate and communicate
performance related to Predictive DSIs, consistent with Section 8 of
the E.O., ``Protecting Consumers, Patients, Passengers, and Students.''
---------------------------------------------------------------------------
\7\ United States, Executive Office of the President [Joseph
Biden]. Executive Order 14110: Safe, Secure, and Trustworthy
Development and Use of Artificial Intelligence. Oct. 20, 2023. 88 FR
75191. https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence.
---------------------------------------------------------------------------
The finalized DSI certification criterion also aligns with the
public availability and transparency policy goals of the Office of
Science and Technology Policy (OSTP) memorandum ``Ensuring Free,
Immediate, and Equitable Access to Federally Funded Research.'' \8\ The
memorandum provides policy guidance to federal agencies and departments
to promote improved public access to and transparency of federally
funded
[[Page 1195]]
research. The finalized DSI certification criterion aligns with the
goals of the memorandum by establishing requirements to make
information available through Sec. 170.315(b)(11)(iv), including
information created through federally funded research and evaluations,
that will enable users to determine if a Predictive DSI supplied by a
health IT developer as part of its Health IT Module is acceptably fair,
appropriate, valid, effective, and safe.
---------------------------------------------------------------------------
\8\ Ensuring Free, Immediate, and Equitable Access to Federally
Funded Research. Office of Science and Technology Policy (OSTP)
(2022). https://www.whitehouse.gov/wp-content/uploads/2022/08/08-2022-OSTP-Public-access-Memo.pdf.
---------------------------------------------------------------------------
President Biden's E.O. 14036, Promoting Competition in the American
Economy, issued on July 9, 2021, established a whole-of-government
effort to promote competition in the American economy and reaffirmed
the policy stated in E.O. 13725 of April 15, 2016 (Steps to Increase
Competition and Better Inform Consumers and Workers to Support
Continued Growth of the American Economy).\9\ This final rule fosters
competition by advancing foundational standards for certified API
technology, which enable--through applications (apps) and without
special effort--improved legally permissible sharing of EHI among
clinicians, patients, researchers, and others. As described in section
III.C.7, competition is advanced through these improved API standards
that can help individuals connect to their information and can help
authorized health care providers, involved in the patient's care,
securely access information. For example, these standards are designed
to foster an ecosystem of new applications that can connect through the
API technology to provide patients with improved electronic access to
EHI.
---------------------------------------------------------------------------
\9\ United States, Executive Office of the President [Joseph
Biden]. Executive Order 14036: Promoting Competition in the American
Economy. Jul 9, 2021. 86 FR 36987-36999, https://www.federalregister.gov/documents/2021/07/14/2021-15069/promoting-competition-in-the-american-economy.
---------------------------------------------------------------------------
Further, as described in section IV, this final rule provides
enhancements to support information sharing under the information
blocking regulations and promote innovation and competition, as well as
address market consolidation. As we have noted, addressing information
blocking is critical for promoting innovation and competition in health
IT and for the delivery of healthcare services to individuals. In both
the ONC Cures Act Proposed Rule (84 FR 7508) and Final Rule (85 FR
25790 through 25791), we discussed how the information blocking
provisions provide a comprehensive response to the issues identified by
empirical and economic research. This research suggested that
information blocking may weaken competition, encourage consolidation,
and create barriers to entry for developers of new and innovative
applications and technologies that enable more effective uses of EHI to
improve population health and the patient experience.\10\ We explained
that the information blocking provisions of the Public Health Service
Act (PHSA) itself expressly addresses practices that impede innovation
and advancements in EHI access, exchange, and use, including care
delivery enabled by health IT (section 3022(a)(2)(C)(ii) of the PHSA).
Actors subject to the information blocking provisions may,\11\ among
other practices, attempt to exploit their control over interoperability
elements to create barriers to entry for competing technologies and
services that offer greater value for health IT customers and users,
provide new or improved capabilities, and enable more robust access,
exchange, and use of EHI (85 FR 25820).\12\ Information blocking may
not only harm competition in health IT markets, but also in markets for
healthcare services (85 FR 25820). In the ONC Cures Act Final Rule, we
described practices that dominant market health care providers may
leverage and use to control access and use of their technology,
resulting in technical dependence and possibly leading to barriers to
entry by would-be competitors, as well as making some market health
care providers vulnerable to acquisition or inducement into
arrangements that enhance the market power of incumbent health care
providers to the detriment of consumers and purchasers of healthcare
services (85 FR 25820). The implementation of the new information
blocking provisions detailed in section IV of this final rule promote
innovation, encourage market competition, and address consolidation in
the interest of the patient to advance interoperability, improve
transparency, and support the access, exchange, and use of EHI.
---------------------------------------------------------------------------
\10\ See, e.g., Martin Gaynor, Farzad Mostashari, and Paul B.
Ginsberg, Making Health Care Markets Work: Competition Policy for
Health Care, 16-17 (Apr. 2017), available at http://heinz.cmu.edu/news/news-detail/index.aspx?nid=3930; Diego A. Martinez et al., A
Strategic Gaming Model For Health Information Exchange Markets,
Health Care Mgmt. Science (Sept. 2016). (``[S]ome healthcare
provider entities may be interfering with HIE across disparate and
unaffiliated providers to gain market advantage.'') Niam Yaraghi, A
Sustainable Business Model for Health Information Exchange
Platforms: The Solution to Interoperability in Healthcare IT (2015),
available at http://www.brookings.edu/research/papers/2015/01/30-sustainable-business-model-health-information-exchange-yaraghi;
Thomas C. Tsai Ashish K. Jha, Hospital Consolidation, Competition,
and Quality: Is Bigger Necessarily Better? 312 J. AM. MED. ASSOC.
29, 29 (2014).
\11\ The information blocking regulations in 45 CFR part 171
apply to health care providers, health IT developers of certified
health IT, and health information networks (HIN) and health
information exchanges (HIE), as each is defined in 45 CFR 171.102.
Any individual or entity that meets one of these definitions is an
``actor'' and subject to the information blocking regulation in 45
CFR part 171.
\12\ See also Martin Gaynor, Farzad Mostashari, and Paul B.
Ginsberg, Making Health Care Markets Work: Competition Policy for
Health Care, 16-17 (Apr. 2017), available at http://heinz.cmu.edu/news/news-detail/index.aspx?nid=3930.
---------------------------------------------------------------------------
Lastly, in support of E.O. 14058, Transforming Federal Customer
Experience and Service Delivery to Rebuild Trust in Government, issued
on December 16, 2021, we are committed to advancing the equitable,
inclusive, and effective delivery of services with a focus on the
experience of individuals, health IT developers, and health care
providers.\13\ As required by section 4002 of the Cures Act and
included in the ONC Cures Act Final Rule (85 FR 25717), we established
certain Conditions and Maintenance of Certification requirements, which
express initial and ongoing requirements for health IT developers and
their certified Health IT Module(s) under the Program. This final rule
implements the EHR Reporting Program Condition and Maintenance of
Certification requirement outlined in the Cures Act by establishing--
within the Program--a new Condition and Maintenance of Certification
hereafter referred to as the ``Insights Condition.'' As discussed in
section III.F, the implementation of the Insights Condition provides
transparent reporting to address information gaps in the health IT
marketplace and provides insights on the use of specific certified
health IT functionalities. The implementation of this new Condition and
Maintenance of Certification requirement will allow ONC to gain a
better understanding of the use of health IT and provide ONC with
information about consumers' experience with certified health IT.
---------------------------------------------------------------------------
\13\ United States, Executive Office of the President [Joseph
Biden]. Executive Order 14058: Transforming Federal Customer
Experience and Service Delivery To Rebuild Trust in Government. Dec
13, 2021. 86 FR 71357-71366, https://www.federalregister.gov/documents/2021/12/16/2021-27380/transforming-federal-customer-experience-and-service-delivery-to-rebuild-trust-in-government.
---------------------------------------------------------------------------
3. Federal Coordination
We strive to improve federal agency coordination. ONC works with
the Centers for Medicare & Medicaid Services (CMS) to ensure that the
certification timelines we have established complement timelines for
CMS programs that reference ONC regulations, such as the Medicare
Promoting Interoperability Program and
[[Page 1196]]
the Promoting Interoperability performance category of the Merit-based
Incentive Payment System (MIPS). In the interest of clarity and
cohesion among HHS components, we have aligned some of our compliance
dates to the calendar year for consistency with calendar-year based
performance periods in CMS programs when participants may be required
to use updated certified health IT. We believe this approach reduces
confusion for participants in these programs and better serves the
public interest.
B. Summary of Major Provisions
1. ONC Health IT Certification Program Updates
a. ``The ONC Certification Criteria for Health IT'' and Discontinuing
Year Themed ``Editions''
We noted in the HTI-1 Proposed Rule that we no longer believed that
it was helpful or necessary to maintain an ``edition'' naming
convention or to adopt entirely new editions of certification criteria
to encapsulate updates over time (88 FR 23750). Instead, we conveyed
that there should be a single set of certification criteria, which
would be updated in an incremental fashion in closer alignment to
standards development cycles and regular health IT development
timelines. In section III.A, we discuss our final policy to rename all
certification criteria within the Program simply as ``ONC Certification
Criteria for Health IT.''
b. New and Revised Standards and Certification Criteria
i. The United States Core Data for Interoperability Version 3 (USCDI
v3)
We noted in the HTI-1 Proposed Rule that because USCDI is the
standard for data required to be accessible through certified health IT
for numerous certification criteria, expanding the data elements and
data classes included in USCDI increases the amount of data available
to be used and exchanged for patient care (88 FR 23751). To expand
standardized data reporting, we have finalized the proposal to codify
USCDI v1 in Sec. 170.213(a) and to add USCDI v3 to Sec. 170.213 (to
be codified as Sec. 170.213(b)). We have incorporated USCDI v3 by
reference in Sec. 170.299 as of the effective date of this final rule.
Lastly, we have finalized that the USCDI v1 (July 2020 Errata) in the
USCDI standard in Sec. 170.213(a) will expire on January 1, 2026. As
codified in Sec. 170.213, only USCDI v3 will be available in the
Program as of January 1, 2026.
ii. C-CDA Companion Guide Updates
As discussed in section III.C.2, we have finalized the adoption of
the HL7[supreg] CDA[supreg] R2 Implementation Guide: C-CDA Templates
for Clinical Notes STU Companion Guide, Release 4.1--US Realm (C-CDA
Companion Guide R4.1) in Sec. 170.205(a)(6) because it is the only
version that provides guidance and clarifications for specifying data
in USCDI v3.
iii. ``Minimum Standards'' Code Sets Updates
In the 2015 Edition Health Information Technology (Health IT)
Certification Criteria, 2015 Edition Base Electronic Health Record
(EHR) Definition, and ONC Health IT Certification Program Modifications
Final Rule (2015 Edition Final Rule), we established a policy of
adopting newer versions of ``minimum standards'' code sets that
frequently update (80 FR 62612). Adopting newer versions of these code
sets enables improved interoperability and implementation of health IT
with minimal additional burden (77 FR 54170). We discussed in the HTI-1
Proposed Rule that, if adopted, newer versions of these minimum
standards code sets would serve as the baseline for certification, and
developers of certified health IT would be able to use newer versions
of these adopted standards on a voluntary basis (88 FR 23751). We have
finalized, as discussed in section III.C.3, the adoption of the
versions we had proposed of the following minimum standards code sets:
Sec. 170.207(a)--Problems
Sec. 170.207(c)--Laboratory tests
Sec. 170.207(d)--Medications
Sec. 170.207(e)--Immunizations
Sec. 170.207(f)--Race and ethnicity
Sec. 170.207(m)--Numerical references
Sec. 170.207(n)--Sex
Sec. 170.207(o)--Sexual orientation and gender information
Sec. 170.207(p)--Social, psychological, and behavioral data
Sec. 170.207(r)--Provider type
Sec. 170.207(s)--Patient insurance
In addition to the finalized adoption of the minimum standards code
sets listed above, we have finalized proposed updates to certification
criteria that reference those minimum standards. These criteria include
Sec. 170.315(a)(5)(i)(A)(1) and (2), (a)(5)(i)(C) through (E),
(a)(12), (b)(1)(iii)(B)(2), (b)(1)(iii)(G)(3), (b)(6)(ii)(B)(2),
(c)(4)(iii)(C), (c)(4)(iii)(E), (c)(4)(iii)(G) through (I),
(f)(1)(i)(B) and (C), (f)(3)(ii), and (f)(4)(ii).
We have finalized the proposal to change the heading of Sec.
170.207(o) to ``sexual orientation and gender information'' to
acknowledge that Sec. 170.207(o) includes standard code sets to
support gender-related data items in addition to standard code sets to
support sexual orientation.
iv. Electronic Case Reporting
As discussed in section III.C.4 of this final rule, we have
finalized the revisions to the ``transmission to public health
agencies--electronic case reporting'' criterion in Sec. 170.315(f)(5)
to adopt consensus-based, industry-developed electronic standards and
implementation guides (IGs) to replace all functional, descriptive
requirements in the present criterion in Sec. 170.315(f)(5). These
standards will support the following requirements for Health IT Modules
certified to Sec. 170.315(f)(5): (i) create a case report for
electronic transmission; (ii) consume and process a case report
response; and (iii) consume and process electronic case reporting
trigger codes. We note that these electronic standards are standards-
based representations of the functional requirements described in the
existing criterion in Sec. 170.315(f)(5) as described in section
III.C.4 of this preamble.
v. Decision Support Interventions and Predictive Models
As discussed in section III.C.5 of this final rule, we have
finalized the adoption of the certification criterion, ``decision
support interventions (DSI)'' in Sec. 170.315(b)(11). The DSI
criterion is a revised certification criterion, serving both an
iterative update and replacement criterion for the ``clinical decision
support (CDS)'' certification criterion in Sec. 170.315(a)(9) (88 FR
23751). The DSI criterion, as finalized, ensures that Health IT Modules
certified to Sec. 170.315(b)(11) reflect an array of contemporary
functionalities, support data elements important to health equity, and
enable the transparent use of predictive models and algorithms to aid
decision-making in healthcare.
We have adopted a new definition for Predictive Decision Support
Intervention, (also referred to hereafter as Predictive DSI) in Sec.
170.102, and we have finalized that Health IT Modules certified to
Sec. 170.315(b)(11) must enable a limited set of identified users to
select (i.e., activate) evidence-based and Predictive DSIs, as
described in Sec. 170.315(b)(11)(iii). Additionally, we have finalized
that Health IT Modules certified to Sec. 170.315(b)(11) must support
``source attributes''--categories of technical performance and quality
information--for both evidence-based
[[Page 1197]]
and Predictive DSIs in Sec. 170.315(b)(11)(iv).
We have not finalized proposed requirements that Health IT Modules
clearly indicate when source attributes from other parties are
unavailable. Rather, we have finalized that Health IT Modules certified
to Sec. 170.315(b)(11) must enable a limited set of identified users
to access complete and up-to-date descriptions of all source attributes
related to evidence-based DSIs and Predictive DSIs that are supplied by
the developer of certified health IT as part of their Health IT Module,
as described in Sec. 170.315(b)(11)(v)(A). Moreover, we have finalized
in Sec. 170.315(b)(11)(v)(B) requirements that Health IT Modules
certified to Sec. 170.315(b)(11) must enable a limited set of
identified users to record and change source attributes listed in
paragraphs Sec. 170.315(b)(11)(iv)(A) and (B).
We have also finalized in Sec. 170.315(b)(11)(vi) that
intervention risk management (IRM) practices must be applied for each
Predictive DSI supplied by the health IT developer as part of its
Health IT Module, including requirements to subject Predictive DSIs to
risk analysis and risk mitigation related to validity, reliability,
robustness, fairness, intelligibility, safety, security, and privacy.
We note that for governance practices, we have finalized in Sec.
170.315(b)(11)(vi)(C) requirements for Health IT Modules to be subject
to policies and implemented controls for governance, including how data
are acquired, managed, and used. Consistent with the other IRM
practices, these policies and implemented controls must be applied for
all Predictive DSIs supplied by the health IT developer as part of its
Health IT Module.
Additionally, in consideration of comments received and the scope
reductions we have made to this final certification criterion, we
determined that a supportive Maintenance of Certification requirement
as part of the Assurances Condition of Certification is necessary to
implement our policy objectives and proposals fully. Specifically, we
have included in this final rule a Maintenance of Certification
requirement at 45 CFR 170.402(b)(4) that reinforces a health IT
developer's ongoing responsibility to review and update, as necessary,
source attribute information in Sec. 170.315(b)(11)(v)(A) and (B),
risk management practices described in Sec. 170.315(b)(11)(vi), and
summary information provided through Sec. 170.523(f)(1)(xxi). We have
finalized in Sec. 170.402(b)(4) that developers with products
certified to Sec. 170.315(b)(11) will need to comply with this
Maintenance of Certification requirement starting January 1, 2025.
Finally, we have finalized our proposals to facilitate this
transition from one version of the criterion to the other by updating
the 2015 Edition Base EHR definition in Sec. 170.102,\14\ which is
being replaced with a definition of Base EHR, to include an option for
a Health IT Module to meet the definition by either being certified to
the existing CDS version of the certification criterion in Sec.
170.315(a)(9), or being certified to the revised DSI criterion in Sec.
170.315(b)(11), for the period up to, and including, December 31, 2024.
On and after January 1, 2025, only the DSI criterion in Sec.
170.315(b)(11) will be included in the Base EHR definition and the
adoption of the criterion in Sec. 170.315(a)(9) will expire on January
1, 2025. We discuss in section III.C.5.b of this preamble policies that
would constitute changes to the CDS criterion, as the new DSI
criterion.
---------------------------------------------------------------------------
\14\ In section III.C.5.a.i., we discuss finalizing our proposal
to adopt a definition of ``Base EHR'' and remove the prior
definition of ``2015 Edition Base EHR.''
---------------------------------------------------------------------------
vi. Synchronized Clocks Standard
We have finalized, as discussed in section III.C.6, the removal of
the current named specification for clock synchronization, which is
Network Time Protocol (NTP v4 of RFC 5905), in Sec. 170.210(g).
Additionally, we have finalized the requirement for any network time
protocol (NTP) standard to be used that can ensure a system clock has
been synchronized and meets time accuracy requirements.
vii. Standardized API for Patient and Population Services
We have finalized, as discussed in section III.C.7, the proposed
revisions to the ``standardized API for patient and population
services'' certification criterion in Sec. 170.315(g)(10). We have
finalized the requirement that a certified Health IT Module's
authorization server issues a refresh token according to the
implementation specification adopted in Sec. 170.215(c).
We have also finalized the proposed revisions in Sec.
170.315(g)(10)(vi) to specify that Health IT Modules presented for
certification that allow short-lived access tokens to expire, in lieu
of immediate access token revocation, must have such access tokens
expire within one hour of the request. This revised requirement aligns
with industry standard practice for short-lived access tokens, provides
clarity and consistent expectations that developers revoke access or
expire access privileges within one hour of a request, and offers
patients an assurance that an application's access to their data will
be revoked or expired within one hour of a request.
We have also adopted the HL7[supreg] FHIR[supreg] US Core
Implementation Guide (IG) STU version 6.1.0 (FHIR US Core 6.1.0) in
Sec. 170.215(b)(1)(ii). This version of the US Core IG provides the
latest consensus-based capabilities aligned with USCDI v3 data elements
for FHIR APIs.
Additionally, we have finalized the proposal to amend the API
Condition and Maintenance of Certification requirements by adding the
requirement that Certified API Developers with patient-facing apps must
meet the publication requirements associated with service base URLs
according to a specified format.
We have adopted the Substitutable Medical Applications, Reusable
Technologies (SMART) App Launch Implementation Guide Release 2.0.0
(SMART v2 Guide) in Sec. 170.215(c)(2), which replaces the SMART
Application Launch Framework Implementation Guide Release 1.0.0 (SMART
v1 Guide) as the standard in Sec. 170.215(a)(3) (finalized in this
rule as Sec. 170.215(c)(1)). Adoption of this standard impacts the
certification criterion in Sec. 170.315(g)(10) in several
subparagraphs. The SMART v2 Guide builds on the features of the SMART
v1 Guide by including new features and technical revisions based on
industry consensus, including features that reflect security best
practices. The SMART v1 Guide will continue to be available as a
standard for use in the Program through December 31, 2025. Beginning
January 1, 2026, the SMART v2 Guide will be the only version of the IG
available for use in the Program.
viii. Patient Demographics and Observations Certification Criterion in
Sec. 170.315(a)(5)
We have finalized, as discussed in section III.C.1 of this final
rule, the adoption of USCDI v3, which includes certain data elements,
namely Sex, Sexual Orientation, and Gender Identity, that are also data
elements in Sec. 170.315(a)(5). As discussed in section III.C.8 of
this preamble, to ensure consistency, we have finalized the name change
of the certification criterion in Sec. 170.315(a)(5) from
``demographics'' to ``patient demographics and observations.''
Additionally, to ensure consistent capture of these data elements
across health IT, we carry these changes into their respective data
elements in Sec. 170.315(a)(5), as discussed in section III.C.8.
[[Page 1198]]
We have finalized the replacement of the specific concepts
referenced in Sec. 170.315(a)(5)(i)(D) and (E), Sexual Orientation and
Gender Identity, respectively, with the Systematized Nomenclature of
Medicine Clinical Terms U.S. Edition (SNOMED CT[supreg]) code set, as
referenced in the standard in Sec. 170.207(o)(3). We have also
finalized our proposal that the adoption of the code sets referenced in
Sec. 170.207(n)(1) will expire on January 1, 2026, and that health IT
developers can continue to use the specific codes in the current
terminology standard through December 31, 2025, in order to provide
adequate time for Health IT Modules certified to particular
certification criteria to transition to the updated terminology
standards.
We have finalized the addition of Sex Parameter for Clinical Use as
a new data element in Sec. 170.315(a)(5)(i)(F). As discussed in
section III.C.1 of this final rule, we proposed Sex for Clinical Use in
the HTI-1 Proposed Rule and have revised the title of Sex for Clinical
Use to instead be Sex Parameter for Clinical Use (SPCU) to align with
changes made by the HL7 Gender Harmony Project and updated the title in
Sec. 170.315(a)(5)(i)(F). The data element definition did not change.
Additionally, we have finalized new data elements--Name to Use in Sec.
170.315(a)(5)(i)(G) and Pronouns in Sec. 170.315(a)(5)(i)(H)--to
facilitate data capture that supports providers' ability to provide
culturally competent care for their patients.
ix. Updates to Transitions of Care Certification Criterion in Sec.
170.315(b)(1)
We have finalized, as discussed in section III.C.9, the proposed
updates to the ``transitions of care'' certification criterion (Sec.
170.315(b)(1)) to align it with our adoption of USCDI v3 in Sec.
170.213(b). This change ensures that Health IT Modules certified to
Sec. 170.315(b)(1) are capable of accessing, exchanging, and using
USCDI data elements referenced in the standards in Sec. 170.213.
x. Patient Right To Request a Restriction on Use or Disclosure
We stated in the HTI-1 Proposed Rule that we believed that
individuals should be provided a reasonable opportunity and technical
capability to make informed decisions about the collection, use, and
disclosure of their electronic health information (88 FR 23753). The
Health Insurance Portability and Accountability Act (HIPAA) \15\
Privacy Rule \16\ provides individuals with several legal, enforceable
rights that empower them to manage their health information. We made
several proposals in support of the HIPAA Privacy Rule's individual
right to request restriction of certain uses and disclosures of their
protected health information \17\ (PHI) (see also 45 CFR 154.522(a)).
In this final rule, we have finalized a requirement for Health IT
Modules certified to the ``view, download, and transmit to a 3rd
party,'' certification criterion in Sec. 170.315(e)(1) to support an
``internet-based method'' for a patient to request a restriction as
proposed. Based on the feedback received from numerous interested
parties, we have decided not to finalize the remainder of our proposals
for patient requested restrictions at this time. We will continue to
monitor standards development efforts in this space.
---------------------------------------------------------------------------
\15\ Public Law 104-191,110 Stat. 1936 (August 21, 1996),
codified at 42 U.S.C. 1320d-1320d8.
\16\ 45 CFR part 160 and subparts A and E of part 164.
\17\ 45 CFR 160.103 (definition of ``Protected health
information'').
---------------------------------------------------------------------------
xi. Requirement for Health IT Developers To Update Their Previously
Certified Health IT
We have finalized our proposal to add text to the introductory text
in Sec. 170.315 stating that health IT developers participating in the
Program must update their certified Health IT Modules and provide that
updated certified health IT to customers in accordance with the
timelines defined for a specific criterion or standard included in
Sec. 170.315. More specifically, we have finalized, as discussed in
section III.C.11, that health IT developers with health IT certified to
any of the certification criteria in Sec. 170.315 will need to update
their previously certified Health IT Modules to be compliant with any
revised certification criterion adopted in Sec. 170.315, including any
new standards adopted in 45 CFR part 170 subpart B and capabilities
included in the revised certification criterion. We have further
finalized the requirement that health IT developers will also need to
provide the updated health IT to customers of the previously certified
health IT according to the dates established for that criterion and any
applicable standards.
2. Assurances Condition and Maintenance of Certification Requirements
We have finalized, as discussed in section III.D, additional
Assurances Condition and Maintenance of Certification requirements. We
have finalized as a Condition of Certification that a health IT
developer must provide an assurance that it will not interfere with a
customer's timely access to interoperable health IT certified under the
Program. To support this assurance, we have finalized two accompanying
Maintenance of Certification requirements. We have finalized that a
health IT developer must update a Health IT Module, once certified to a
certification criterion adopted in Sec. 170.315, to all applicable
revised certification criteria, including the most recently adopted
capabilities and standards included in the revised certification
criterion. We have also finalized that a health IT developer must
provide all Health IT Modules certified to a revised certification
criterion to its customers of such certified health IT. In response to
comments and to provide regulatory clarity, we have revised the
separate ``timely access'' or ``timeliness'' requirements for each of
the two proposed Maintenance of Certification requirements. Rather than
relying on independent timeliness requirements for previously certified
health IT, the maintenance requirements now cross-reference timeframes
specified in 45 CFR part 170, while still maintaining the proposed
minimum 12-month timeframe for new customers.
3. Real World Testing--Inherited Certified Status
Section 4002(a) of the Cures Act added a new Condition and
Maintenance of Certification requirement that health IT developers must
successfully test the real-world use of health IT for interoperability
in the type(s) of setting(s) in which such technology would be
marketed. Many health IT developers update their certified Health IT
Module(s) on a regular basis, leveraging the flexibility provided
through ONC's Inherited Certified Status (ICS).\18\ Because of the way
that ONC issues certification identifiers, this updating can cause an
existing certified Health IT Module to be recognized as new within the
Program. Regular updating, especially on a frequent basis (such as
quarterly or semi-annually), creates an anomaly that could result in
existing certified Health IT Modules being inadvertently excluded from
the real world testing reporting requirements (88 FR 23753).
---------------------------------------------------------------------------
\18\ See 2015 Edition Cures Update Fact Sheet: https://www.healthit.gov/sites/default/files/page/2022-03/Cures-Update-Fact-Sheet.pdf.
---------------------------------------------------------------------------
To ensure that all developers continue to test the real-world use
of their technology as required, we have finalized, as discussed in
section III.E,
[[Page 1199]]
the proposal to eliminate this anomaly by requiring health IT
developers to include in their real world testing results report the
newer version of those certified Health IT Module(s) that are updated
using ICS after August 31 of the year in which the plan is submitted.
This will ensure that health IT developers fully test all applicable
certified Health IT Module(s) as part of their real world testing
requirements.
4. Insights Condition and Maintenance of Certification
The Cures Act specified requirements in section 4002(c) to
establish an EHR Reporting Program to provide reporting on certified
health IT in the categories of interoperability, usability and user-
centered design, security, conformance to certification testing, and
other categories as appropriate to measure the performance of EHR
technology. The Cures Act also specified, in text added at section
3009A(b) of the Public Health Service Act, that a health IT developer
be required, as a Condition and Maintenance of Certification
requirement under the ONC Health IT Certification Program, to submit
responses to reporting criteria in accordance with the EHR Reporting
Program established with respect to all certified technology offered by
such developer. For clarity, we refer to the Condition and Maintenance
of Certification associated with the ``EHR Reporting Program'' as the
``Insights Condition and Maintenance of Certification'' (also referred
to as the ``Insights Condition'') throughout this final rule. We
believe this descriptive name captures the essence of this requirement
and will help avoid confusion that might occur through use of the term
``EHR Reporting Program.''
In section III.F, we have adopted seven reporting measures for
developers of certified health IT that focus initially on the
interoperability category, emphasizing four areas of interoperability:
(1) individuals' access to electronic health information; (2) public
health information exchange; (3) clinical care information exchange;
and (4) standards adoption and conformance. Through this first set of
finalized measures, we intend to provide insights on the
interoperability category specified in the Cures Act. We intend to
explore the other Cures Act categories (security, usability and user-
centered design, conformance to certification testing, and other
categories to measure the performance of EHR technology) in future
years.
We have also finalized, as discussed in section III.F, the
implementation of the Insights Condition requirements in Sec. 170.407
in three phases over three years, where health IT developers to which
the requirements apply, will be required to report on some of the
measures earlier than others. For each final measure, we have included
information on the rationale for adopting the measure, the final
metrics, and other key topics. The Insights Condition will provide
transparent reporting, address information gaps in the health IT
marketplace, and provide insights on the use of health IT.
5. Information Blocking Enhancements
As discussed in section IV.B.1 of this preamble, we have finalized
a definition of ``offer health information technology'' or ``offer
health IT'' for purposes of the information blocking regulations in 45
CFR part 171. This definition of ``offer health IT,'' as finalized in
Sec. 171.102, narrows the applicability of the ``health IT developer
of certified health IT'' definition in 45 CFR 171.102. The definition
of ``offer health IT,'' finalized in 45 CFR 171.102, will generally
continue to include holding out for sale, selling, or otherwise
supplying certified health IT to others on commercial or other terms.
However, our finalized definition of ``offer health IT'' explicitly
excludes certain activities and arrangements. First, the ``offer health
IT'' definition excludes making available funding to obtain or maintain
certified health IT, provided the funding is made available without
condition(s) limiting the interoperability, or use of the technology to
access, exchange or use electronic health information for any lawful
purpose (see paragraph (1) of the offer health IT definition). Second,
the finalized ``offer health IT'' definition also explicitly codifies
that health care providers or other health IT users do not ``offer
health IT'' when they engage in certain health IT implementation and
use activities, regardless of whether they obtain that health IT from a
commercial developer or a reseller or develop it themselves (see
paragraph (2) of the offer health IT definition).
We have also finalized (in paragraph (3) of the ``offer health IT''
definition) an exclusion from the ``offer health IT'' definition that
applies to certain consulting and legal services. This consulting and
legal services exclusion (see subparagraph (3)(iii)) encompasses
supplying health IT in complement to the other items, supplies,
facilities, and services that a consultant handles for a clinician
practice or other health care provider in a comprehensive (``turn
key'') package of services for administrative or operational management
(see section IV.B.1.c.iii of this preamble). The consulting and legal
services exclusion from the ``offer health IT'' definition also
encompasses assistance by health IT consultants with the selection,
implementation, and use of health IT as specified in subparagraph
(3)(ii) and legal services furnished by outside counsel as specified in
subparagraph (3)(i).
As discussed in section IV.B.2, we have modified the ``health IT
developer of certified health IT'' definition so that it is clear that
health care providers who self-develop certified health IT will
continue to be excluded from this definition if they do not engage in
activities falling within the ``offer health IT'' definition. The
updated Sec. 171.102 health IT developer of certified health IT
definition we have finalized represents a change from prior policy to
the extent that a health care provider that is a self-developer would
not meet the definition of ``health IT developer of certified health
IT'' if they supply certified health IT to one or more other health
care provider(s) under a comprehensive and predominantly non-health IT
administrative or operations management services arrangement consistent
with subparagraph (3)(iii) (under the consulting and legal services
exclusion from the 45 CFR 171.102 ``offer health IT'' definition).
Previously, health care providers who self-developed certified health
IT were excluded from the 45 CFR 171.102 ``health IT developer of
certified health IT'' definition if they self-developed the Health IT
Module(s) for their ``own use'' (85 FR 25799 and 25956).
We have finalized revisions to the text of Sec. 171.103, which
defines ``information blocking'' for purposes of 45 CFR part 171, to
remove paragraph (b) that established a period of time during which
electronic health information (EHI) for purposes of the information
blocking provision (Sec. 171.103) was limited to a subset of EHI that
was identified by the data elements represented in the USCDI standard
adopted in Sec. 170.213. As established in the ONC Cures Act Final
Rule (85 FR 25793, 85 FR 25876, and 85 FR 25956), that period of time
ended on May 2, 2022. The end date of that period of time was extended
to October 5, 2022, in the subsequent interim final rule with comment
titled ``Information Blocking and the ONC Health IT Certification
Program: Extension of the Compliance Dates and Timeframes in Response
to the COVID-19 Public Health Emergency'' (85 FR 70064). On and after
October 6, 2022, the scope of EHI for purposes of the ``information
blocking'' definition (Sec. 171.103) is EHI as defined in Sec.
171.102 (88 FR 23754, see also 85 FR 25793, 25876, 70069, and
[[Page 1200]]
70085). October 5, 2022, has passed. Therefore, the paragraph (which
had been designated paragraph (b), as codified) limiting the
``information blocking'' definition to the subset of EHI for the
specified time period is no longer needed. We have re-designated
remaining paragraphs of Sec. 171.103 as discussed in section IV.B.3
and as shown in updated text we have finalized in Sec. 171.103 (see
Regulation Text, see also discussion in section IV.B.3).
We note that in the HTI-1 Proposed Rule we did not propose to
change the scope of EHI for purposes of the information blocking
definition (88 FR 23754). We simply proposed to update the CFR text to
remove paragraph (b) from Sec. 171.103 that had temporarily--until
October 5, 2022--limited the scope of the information blocking
definition to the subset of EHI represented by USCDI v1 (88 FR 23864
and 23916). Similarly, because we included the same time period in
reference to the scope of EHI in two paragraphs of the Content and
Manner Exception (Sec. 171.301(a)(1) and (2)), we proposed to revise
Sec. 171.301 to remove from the regulatory text the existing Sec.
171.301(a)(1) and (2) as no longer necessary (88 FR 23754). We have
finalized the revisions to Sec. 171.301 to remove the regulatory text
in subparagraphs (a)(1) and (2) as no longer necessary and rename Sec.
171.301 the Manner Exception. We have finalized the redesignation of
the paragraphs now codified within Sec. 171.301, so that different
paragraphs are now designated (a)(1) and (2) rather than the paragraphs
we have removed as no longer necessary (see discussion in sections
IV.B.3 and IV.C.2, see also Regulation Text for revised and
redesignated paragraphs of Sec. 171.301).
As explained in section IV.C.1, we have finalized revisions to the
Infeasibility Exception codified in 45 CFR 171.204 both by adding two
new conditions and by revising one existing condition for improved
clarity. First, we have finalized revisions to the uncontrollable
events condition in Sec. 171.204(a)(1) to further clarify when an
actor's practice meets the uncontrollable events condition. Our
finalized revision to Sec. 171.204(a), the uncontrollable events
condition of the Infeasibility Exception, is discussed in Section
IV.C.1.a. Second, we have added two new conditions to be codified as
subparagraphs (a)(3) and (a)(4) and have, therefore, redesignated the
infeasible under the circumstances condition as subparagraph (a)(5).
The infeasible under the circumstances condition was previously
designated as subparagraph (a)(3) of Sec. 171.204.
The first new infeasibility condition in Sec. 171.204(a)(3)
(discussed in Section IV.C.1.b) will apply to an actor's practice of
denying a third party's request to enable use of EHI in order to modify
EHI, including, but not limited to, creation and deletion
functionality, provided the request is not from a health care provider
requesting such use from an actor that is their business associate.\19\
In support of this new condition, we have finalized as proposed a
definition of ``business associate'' in Sec. 171.102. That definition
is, by cross-reference to 45 CFR 160.103, the HIPAA Privacy Rule's
definition of ``business associate.''
---------------------------------------------------------------------------
\19\ See definition of ``business associate'' at 45 CFR 160.103.
Business associates include a subcontractor that creates, receives,
maintains, or transmits protected health information on behalf of
the business associate.
---------------------------------------------------------------------------
The second new infeasibility condition in Sec. 171.204(a)(4),
discussed in Section IV.C.1.c, will apply where an actor has exhausted
the Manner Exception in Sec. 171.301, including offering at least two
alternative manners in accordance with Sec. 171.301(b), including one
manner that uses either technology certified to standard(s) adopted in
45 CFR part 170 that is specified by the requestor (Sec.
171.301(b)(1)(i)) or published content and transport standards
consistent with Sec. 171.301(b)(1)(ii). The actor cannot meet this new
condition if the actor currently provides a substantial number of
individuals or entities similarly situated to the requestor with the
same requested access, exchange, or use of the requested EHI.
As discussed in section IV.C.3, we have finalized a new subpart D
under part 171 for information blocking exceptions that involve
practices related to actors' participation in the Trusted Exchange
Framework and Common Agreement (TEFCA\SM\). In this new subpart D, we
have established a standalone TEFCA Manner Exception, in Sec. 171.403,
that is based on a proposed TEFCA manner condition of the Manner
Exception that was included in the HTI-1 Proposed Rule. The new
exception provides that an actor's practice of not fulfilling a request
to access, exchange, or use EHI in any alternative manner besides via
TEFCA will not be considered information blocking when the practice
follows certain conditions, which are discussed in more detail in
section IV.C.3. Both the actor and requestor must be part of TEFCA, and
the requestor must be able to access, exchange, or use the requested
EHI via TEFCA. In consideration of comments and our stated policy
goals, any fees or license agreements must satisfy the Fees (Sec.
171.302) and Licensing (Sec. 171.303) exceptions, which is counter to
our initial proposed position. Further, in consideration of our stated
policy goals and comments we received, the exception is not available
when the requestor has requested access, exchange, or use via FHIR-
based APIs.
In section IV.D, we discuss information blocking requests for
information that we included in section IV.C of the HTI-1 Proposed Rule
(88 FR 23873).
C. Costs and Benefits
Executive Orders 128660 \20\ and 13563 \21\ direct agencies to
assess all costs and benefits of available regulatory alternatives and,
if regulation is necessary, to select regulatory approaches that
maximize net benefits (including potential economic, environmental,
public health and safety effects, distributive impacts, and equity).
Executive Order 14094 \22\ entitled ``Modernizing Regulatory Review''
(hereinafter, the Modernizing E.O.) amends section 3(f) of Executive
Order 12866 (Regulatory Planning and Review). The amended section 3(f)
of Executive Order 12866 defines a ``significant regulatory action'' as
an action that is likely to result in a rule that may: (1) have an
annual effect on the economy of $200 million or more (adjusted every 3
years by the Administrator of the Office of Information and Regulatory
Affairs (OIRA) for changes in gross domestic product); or adversely
affect in a material way the economy, a sector of the economy,
productivity, competition, jobs, the environment, public health or
safety, or State, local, territorial, or Tribal governments or
communities; (2) create a serious inconsistency or otherwise interfere
with an action taken or planned by another agency; (3) materially alter
the budgetary impacts of entitlement grants, user fees, or loan
programs or the rights and obligations of recipients thereof; or (4)
raise legal or policy issues for which centralized review would
meaningfully further the President's priorities or the principles set
forth in this Executive Order, as specifically authorized in a timely
manner by the Administrator of OIRA in each case. OMB has determined
that this final rule is a significant regulatory action, as the
potential economic
[[Page 1201]]
impacts associated with this final rule could be greater than $200
million per year. Accordingly, we have prepared a Regulatory Impact
Analysis (RIA) that, to the best of our ability, presents the costs and
benefits of this final rule. We have estimated the potential monetary
costs and benefits of this final rule for the health IT community,
including costs and benefits as they relate to health IT developers,
health care providers, patients, and the Federal Government (i.e.,
ONC), and have broken those costs and benefits out by section. In
accordance with E.O. 12866, we have included the RIA summary table as
Table 37.
---------------------------------------------------------------------------
\20\ https://www.archives.gov/files/federal-register/executive-orders/pdf/12866.pdf.
\21\ https://obamawhitehouse.archives.gov/the-press-office/2011/01/18/executive-order-13563-improving-regulation-and-regulatory-review.
\22\ https://www.whitehouse.gov/briefing-room/presidential-actions/2023/04/06/executive-order-on-modernizing-regulatory-review/.
---------------------------------------------------------------------------
We note that we have rounded all estimates to the nearest dollar
and that all estimates are expressed in 2022 dollars as it is the most
recent data available to address all cost and benefit estimates
consistently. The wages used to derive the cost estimates are from the
May 2022 National Occupational Employment and Wage Estimates reported
by the U.S. Bureau of Labor Statistics.\23\ We also note that estimates
presented in the following ``Employee Assumptions and Hourly Wage,''
``Quantifying the Estimated Number of Health IT Developers and
Products,'' and ``Number of End Users that Might Be Impacted by ONC's
Proposed Regulations'' sections are used throughout the RIA.
---------------------------------------------------------------------------
\23\ May 2021 National Occupational Employment and Wage
Estimates, United States. U.S. Bureau of Labor Statistics. https://www.bls.gov/oes/current/oes_nat.htm.
---------------------------------------------------------------------------
We estimate that the total annual cost for this final rule for the
first year after it is finalized (including one-time costs), based on
the cost estimates outlined throughout the RIA, would result in $437
million. The total undiscounted perpetual cost over a 10-year period
for this final rule (starting in year three), would result in $477
million. We estimate the total costs to health IT developers to be $914
million and estimate the government (ONC) costs to be between $56,800
to $113,600.
We estimate the total annual benefit for this final rule would be
on average $1.0 billion. We estimate the total undiscounted perpetual
annual net benefit for this final rule (starting in year three), would
be $124 million.
II. Background
A. Statutory Basis
The Health Information Technology for Economic and Clinical Health
Act (HITECH Act), Title XIII of Division A and Title IV of Division B
of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5),
was enacted on February 17, 2009. The HITECH Act amended the Public
Health Service Act (PHSA) and created ``Title XXX--Health Information
Technology and Quality'' (Title XXX) to improve healthcare quality,
safety, and efficiency through the promotion of health IT and
electronic health information (EHI) exchange.
The 21st Century Cures Act, Public Law 114-255 (Cures Act), was
enacted on December 13, 2016, to accelerate the discovery, development,
and delivery of 21st century cures, and for other purposes. The Cures
Act, through Title IV--Delivery, amended the HITECH Act by modifying or
adding certain provisions to the PHSA relating to health IT.
Section 119 of Title I, Division CC of the Consolidated
Appropriations Act, 2021, Public Law 116-260 (CAA), enacted on December
27, 2020, requires prescription drug plan (PDP) sponsors to implement
one or more real-time benefit tools (RTBTs) that meet the requirements
described in the statute, after the Secretary has adopted a standard
for RTBTs and at a time determined appropriate by the Secretary. For
purposes of the requirement to implement a real-time benefit tool in
section 1860D-4(o)(1) of the Social Security Act, described above, the
CAA provides that one of the requirements for an RTBT is that it can
integrate with electronic prescribing and EHR systems of prescribing
healthcare professionals for the transmission of formulary and benefit
information in real time to such professionals. The statute requires
incorporation of RTBTs within both the Medicare Part D prescription
drug program and the Program. Specifically, the law amends the
definition of a ``qualified electronic health record'' (qualified EHR)
in section 3000(13) of the PHSA to require that a qualified EHR must
include (or be capable of including) an RTBT.
1. Standards, Implementation Specifications, and Certification Criteria
The HITECH Act established two Federal advisory committees, the
Health IT Policy Committee (HITPC) and the Health IT Standards
Committee (HITSC). Each was responsible for advising the National
Coordinator for Health Information Technology (National Coordinator) on
different aspects of standards, implementation specifications, and
certification criteria.
Section 4003(e) of the Cures Act amended sections 3002 and 3003 of
the PHSA by replacing, in an amended section 3002, the HITPC and HITSC
with one committee named the Health Information Technology Advisory
Committee (Health IT Advisory Committee or HITAC). Section 3002(a) of
the PHSA, as added by the Cures Act, establishes that the HITAC
recommends to the National Coordinator policies and standards,
implementation specifications, and certification criteria, relating to
the implementation of a health information technology infrastructure,
nationally and locally, that advances the electronic access, exchange,
and use of health information. Further described in section 3002(b)(1)
of the PHSA, this includes recommending to the National Coordinator a
policy framework to advance interoperable health information technology
infrastructure, updating recommendations to the policy framework, and
making new recommendations, as appropriate. Section 3002(b)(2)(A) of
the PHSA specifies that in general, the HITAC shall recommend to the
National Coordinator for purposes of adoption under section 3004,
standards, implementation specifications, and certification criteria
and an order of priority for the development, harmonization, and
recognition of such standards, specifications, and certification
criteria. Like the process previously required of the former HITPC and
HITSC, section 3002(b)(5) of the PHSA requires the HITAC to develop a
schedule, updated annually, for the assessment of policy
recommendations, which the Secretary publishes in the Federal Register.
Section 3004 of the PHSA establishes a process for the adoption of
health IT standards, implementation specifications, and certification
criteria and authorizes the Secretary to adopt such standards,
implementation specifications, and certification criteria. As specified
in section 3004(a)(1), the Secretary is required, in consultation with
representatives of other relevant federal agencies, to jointly review
standards, implementation specifications, and certification criteria
endorsed by the National Coordinator under section 3001(c) and
subsequently determine whether to propose the adoption of such
standards, implementation specifications, or certification criteria.
Section 3004(a)(3) requires the Secretary to publish all such
determinations in the Federal Register.
Section 3004(b)(3) of the PHSA, titled Subsequent Standards
Activity, provides that the Secretary shall adopt additional standards,
implementation specifications, and certification criteria as necessary
and consistent with the schedule published by the HITAC. We consider
this provision in the broader
[[Page 1202]]
context of the HITECH Act and Cures Act to grant the Secretary the
authority and discretion to adopt standards, implementation
specifications, and certification criteria that have been recommended
by the HITAC and endorsed by the National Coordinator, as well as other
appropriate and necessary health IT standards, implementation
specifications, and certification criteria.
2. Health IT Certification Program(s)
Section 3001(c)(5) of the PHSA provides the National Coordinator
with the authority to establish a certification program or programs for
the voluntary certification of health IT. Section 3001(c)(5)(A)
specifies that the National Coordinator, in consultation with the
Director of the National Institute of Standards and Technology (NIST),
shall keep or recognize a program or programs for the voluntary
certification of health IT that is in compliance with applicable
certification criteria adopted under section 3004 of the PHSA. The
certification program(s) must also include, as appropriate, testing of
the technology in accordance with section 13201(b) of the HITECH Act.
Section 13201(b) of the HITECH Act requires that, with respect to the
development of standards and implementation specifications, the
Director of NIST shall support the establishment of a conformance
testing infrastructure, including the development of technical test
beds. Section 13201(b) also indicates that the development of this
conformance testing infrastructure may include a program to accredit
independent, non-federal laboratories to perform testing.
Section 4003(b) of the Cures Act added section 3001(c)(9)(B)(i) to
the PHSA, which requires the National Coordinator ``to convene
appropriate public and private stakeholders'' with the goal of
developing or supporting a Trusted Exchange Framework and a Common
Agreement (collectively, TEFCA\SM\) for the purpose of ensuring full
network-to-network exchange of health information. Section
3001(c)(9)(B) outlines provisions related to the establishment of a
Trusted Exchange Framework for trust policies and practices and a
Common Agreement for exchange between health information networks
(HINs)--including provisions for the National Coordinator, in
collaboration with the NIST, to provide technical assistance on
implementation and pilot testing of TEFCA. Section 3001(c)(9)(C)
requires the National Coordinator to publish TEFCA on its website and
in the Federal Register.
Section 4002(a) of the Cures Act amended section 3001(c)(5) of the
PHSA by adding section 3001(c)(5)(D), which requires the Secretary,
through notice and comment rulemaking, to require conditions of
certification and maintenance of certification for the Program.
Specifically, the health IT developers or entities with technology
certified under the Program must, in order to maintain such
certification status, adhere to certain conditions and maintenance of
certification requirements concerning information blocking; assurances
regarding appropriate exchange, access, and use of electronic health
information; communications regarding health IT; APIs; real world
testing; attestations regarding certain conditions and maintenance of
certification requirements; and submission of reporting criteria under
the EHR Reporting Program in accordance with section 3009A(b) of the
PHSA.
B. Regulatory History
The Secretary issued an interim final rule with request for
comments on January 13, 2010, ``Health Information Technology: Initial
Set of Standards, Implementation Specifications, and Certification
Criteria for Electronic Health Record Technology'' (75 FR 2014), which
adopted an initial set of standards, implementation specifications, and
certification criteria. On March 10, 2010, the Secretary issued a
proposed rule, ``Proposed Establishment of Certification Programs for
Health Information Technology'' (75 FR 11328), that proposed both
temporary and permanent certification programs for the purposes of
testing and certifying health IT. A final rule establishing the
temporary certification program was published on June 24, 2010,
``Establishment of the Temporary Certification Program for Health
Information Technology'' (75 FR 36158), and a final rule establishing
the permanent certification program was published on January 7, 2011,
``Establishment of the Permanent Certification Program for Health
Information Technology'' (76 FR 1262).
We have engaged in multiple rulemakings to update standards,
implementation specifications, certification criteria, and the
certification program, a history of which can be found in the October
16, 2015 final rule ``2015 Edition Health Information Technology
(Health IT) Certification Criteria, 2015 Edition Base Electronic Health
Record (EHR) Definition, and ONC Health IT Certification Program
Modifications'' (80 FR 62602) (2015 Edition Final Rule). The history
can be found at 80 FR 62606. A correction notice was published for the
2015 Edition Final Rule on December 11, 2015 (80 FR 76868), to correct
preamble and regulatory text errors and clarify requirements of the
Common Clinical Data Set (CCDS), the 2015 Edition privacy and security
certification framework, and the mandatory disclosures for health IT
developers.
The 2015 Edition Final Rule established a new edition of
certification criteria (``2015 Edition health IT certification
criteria'' or ``2015 Edition'') and a new 2015 Edition Base EHR
definition. The 2015 Edition established the minimum capabilities and
specified the related minimum standards and implementation
specifications that certified electronic health record technology
(CEHRT) would need to include to support the achievement of
``meaningful use'' by eligible clinicians, eligible hospitals, and
critical access hospitals under the Medicare and Medicaid EHR Incentive
Programs (EHR Incentive Programs) (now the Medicare Promoting
Interoperability Program and the Promoting Interoperability performance
category of MIPS) when the 2015 Edition is required for use under these
and other programs referencing the CEHRT definition. The 2015 Edition
Final Rule also adopted a proposal to change the Program's name to the
``ONC Health IT Certification Program'' from the ONC HIT Certification
Program, modified the Program to make it more accessible to other types
of health IT beyond EHR technology and for health IT that supports care
and practice settings beyond the ambulatory and inpatient settings, and
adopted new and revised Principles of Proper Conduct (PoPC) for ONC-
Authorized Certification Bodies (ONC-ACBs).
After issuing a proposed rule on March 2, 2016, ``ONC Health IT
Certification Program: Enhanced Oversight and Accountability'' (81 FR
11056), we published a final rule by the same title (81 FR 72404) (EOA
Final Rule) on October 19, 2016. The EOA Final Rule finalized
modifications and new requirements under the Program, including
provisions related to our role in the Program. The EOA Final Rule
created a regulatory framework for our direct review of health IT
certified under the Program, including, when necessary, requiring the
correction of non-conformities found in health IT certified under the
Program and suspending and terminating certifications issued to
Complete EHRs and Health IT Modules. The EOA Final Rule also set forth
processes for us to
[[Page 1203]]
authorize and oversee accredited testing laboratories under the
Program. In addition, it included provisions for expanded public
availability of certified health IT surveillance results.
On March 4, 2019, the Secretary published a proposed rule titled,
``21st Century Cures Act: Interoperability, Information Blocking, and
the ONC Health IT Certification Program'' (84 FR 7424) (ONC Cures Act
Proposed Rule). The ONC Cures Act Proposed Rule proposed to implement
certain provisions of the Cures Act that would advance interoperability
and support the access, exchange, and use of electronic health
information. We also requested comment in the ONC Cures Act Proposed
Rule (84 FR 7467) as to whether certain health IT developers should be
required to participate in TEFCA as a means of providing assurances to
their customers and ONC that they are not taking actions that
constitute information blocking or any other action that may inhibit
the appropriate exchange, access, and use of EHI, with the goal of
developing or supporting TEFCA for the purpose of ensuring full
network-to-network exchange of health information.
On May 1, 2020, a final rule was published titled, ``21st Century
Cures Act: Interoperability, Information Blocking, and the ONC Health
IT Certification Program'' (85 FR 25642) (ONC Cures Act Final Rule).
The ONC Cures Act Final Rule implemented certain provisions of the
Cures Act, including Conditions and Maintenance of Certification
requirements for health information technology (health IT) developers,
the voluntary certification of health IT for use by pediatric health
providers, and reasonable and necessary activities that do not
constitute information blocking. The ONC Cures Act Final Rule also
implemented certain parts of the Cures Act to support patients' access
to their EHI, and the implementation of information blocking policies
that support patient electronic access. Additionally, the ONC Cures Act
Final Rule modified the 2015 Edition health IT certification criteria
and Program in other ways to advance interoperability, enhance health
IT certification, and reduce burden and costs, as well as improving
patient and health care provider access to EHI and promoting
competition. On November 4, 2020, the Secretary published an interim
final rule with comment period titled, ``Information Blocking and the
ONC Health IT Certification Program: Extension of Compliance Dates and
Timeframes in Response to the COVID-19 Public Health Emergency'' (85 FR
70064) (Cures Act Interim Final Rule). The Cures Act Interim Final Rule
extended certain compliance dates and timeframes adopted in the ONC
Cures Act Final Rule to offer the healthcare system additional
flexibilities in furnishing services to combat the COVID-19 pandemic,
including extending the applicability date for information blocking
provisions to April 5, 2021.
On January 19, 2022, we published a notice titled, ``Notice of
Publication of the Trusted Exchange Framework and Common Agreement''
(87 FR 2800) (``TEFCA''). The notice fulfilled an obligation under
section 3001(c)(9)(C) of the PHSA, which requires the National
Coordinator for Health Information Technology to publish on the Office
of the National Coordinator for Health Information Technology's public
internet website, and in the Federal Register, the trusted exchange
framework and common agreement developed under the PHSA.
On April 18, 2023, the Secretary published a proposed rule titled,
``Health Data, Technology, and Interoperability: Certification Program
Updates, Algorithm Transparency, and Information Sharing'' (HTI-1) (88
FR 23746) (HTI-1 Proposed Rule). The HTI-1 Proposed Rule proposed to
implement the Electronic Health Record (EHR) Reporting Program
provision of the 21st Century Cures Act by establishing new Conditions
and Maintenance of Certification requirements for health IT developers
under the Program. The HTI-1 Proposed Rule also proposed several
updates to certification criteria and implementation specifications
recognized by the Program, including a revised certification criterion
for decision support and revised certification criteria for ``patient
demographics and observations'' and ``electronic case reporting.''
Additionally, the HTI-1 Proposed Rule proposed to establish a new
baseline version of the United States Core Data for Interoperability
(USCDI). The HTI-1 Proposed Rule also proposed enhancements to support
information sharing under the information blocking regulations. The
implementation of these provisions would advance interoperability,
improve transparency, and support the access, exchange, and use of
electronic health information. The HTI-1 Proposed Rule also proposed to
update the Program in additional ways to advance interoperability,
enhance health IT certification, and reduce burden and costs and is
subject of this final rule.
C. General Comments on the HTI-1 Proposed Rule
Comments. Numerous commenters expressed support for the overall
direction of the HTI-1 Proposed Rule and its policy goals, including
improved interoperability, standardization, reporting requirements, and
electronic health information exchange. Many commenters also stated
that the updated standards and certification criteria in the HTI-1
Proposed Rule would enhance patient and clinical access and enable
health care providers to better meet patients' needs. A few commenters
commended us for the protections for patients' privacy provided by the
standards in the HTI-1 Proposed Rule. A few commenters also expressed
appreciation for ONC providing clarity on certification criteria for
certified health IT. A number of commenters stated that they looked
forward to working with ONC and cooperating with the public and private
sectors on improving interoperability for EHI.
Response. We appreciate the support expressed by many commenters.
This final rule maintains the direction of the HTI-1 Proposed Rule, and
we also look forward to ongoing collaboration with public and private
sector partners as we implement the provisions of this final rule.
Comments. Many commenters expressed concern that the timeline for
compliance deadlines for the standards in the HTI-1 Proposed Rule was
too aggressive and that it was unrealistic for the health IT community
to meet the requirements. Several commenters recommended delaying the
compliance deadlines until at least two years after the date of
publication of the final rule or providing a temporary enforcement safe
harbor for developers and providers who are in the process of
implementing the required changes. One commenter suggested that the
timeline for adoption might be too aggressive and lead to health IT
developers producing Health IT Modules that meet certification
standards without providing the intended substantive benefits for
patients and providers. A few commenters suggested that ONC create a
standardized framework and cycle for adopting and requiring new and
revised standards for certification criteria. Commenters suggested that
ONC give more consideration to the burden placed on the health IT
community by the requirements of both ONC and CMS standards, and work
with CMS and other HHS agencies to more closely align standards and
compliance dates.
Response. We appreciate commenters' concerns about the timelines
for
[[Page 1204]]
conformance to new standards and certification criteria for the
Program. After consideration of comments, we have finalized the
adoption of certain certification criteria and standards with a
compliance date of January 1, 2026, instead of the proposed compliance
date of January 1, 2025, and noted in the specific certification
criteria or standards each specific adopted conformance date. We have
finalized the adoption of Sec. 170.315(a)(5); (b)(1), (2), and (9);
(e)(1); (f)(5); and (g)(6), (9), and (10) with a compliance date of
January 1, 2026. We believe that these updated compliance dates, which
are approximately two years from when this final rule published in the
Federal Register, for certain criteria will allow developers increased
flexibility and alleviate burden by allowing additional time for
developers to prioritize updates, while also ensuring timely
implementation of the requirements for health care providers and
patients. We note that the compliance date defines the date by which a
health IT developer with a Health IT Module certified to any revised
certification criterion, as defined in Sec. 170.102, must update the
Health IT Module and provide such update to their customers in order
for the Health IT Module to maintain certification.
In response to commenters' recommendations for a standardized
framework and cycle for updates to certification criteria, we
appreciate commenters' concerns about the long-term timeline for
updates to ONC Certification Criteria for Health IT. We have finalized
our proposed approach to discontinue the use of year themed editions
for ONC Certification Criteria for Health IT and adopt an incremental
approach to updates to ONC Certification Criteria for Health IT. We
believe that an incremental approach to updates will allow for a more
consistent and transparent update cycle. We plan to issue clear
guidance and timelines for when updates would be required.
Comments. A number of commenters stated that the HTI-1 Proposed
Rule and ONC's rulemaking schedule is overly complex, including a broad
range of proposed changes to regulations. Some commenters recommended
simplifying the proposals in this rule or creating a process to
introduce more simplified regulatory updates in the future.
Response. We appreciate the concerns expressed about the complexity
and broad scope of the changes to standards and the Program in this
rule. Upon consideration of all the comments we have received, we have
made adjustments, such as an extended implementation timeline for most
standards and certification criteria and modified requirements for
Health IT Modules certified to Sec. 170.315(b)(11), in this final rule
to alleviate the potential burden on developers of certified health IT
and health care providers.
Comments. Some commenters stated that the adoption of a singular
set of standards for EHI could have harmful effects for Health IT
Modules. A few commenters were concerned that the standards in the HTI-
1 Proposed Rule would not allow for specific standards for specialized
or small health care providers. A few commenters were concerned that
the requirements in the HTI-1 Proposed Rule could make health care
providers dependent on collaboration with health IT developers to meet
their obligations and could increase EHR fees for physicians or create
bottlenecks that prevent physicians from adopting new EHR technology.
Some commenters recommended that ONC provide assistance and guidance
for providers to understand new requirements, and consider patient
accessibility, particularly the limitations of patient literacy
regarding healthcare and health IT, for requirements for patients'
records. A number of commenters were concerned that the HTI-1 Proposed
Rule's requirements for interoperability and patient access would not
adequately protect patients' private information. Several commenters
also recommended that ONC require greater transparency from health IT
developers to foster an accessible health IT marketplace for consumers.
Response. We believe the updated standards and certification
criteria will improve health IT interoperability and functionality for
providers and patients. We thank commenters for their comments
regarding privacy concerns and recognize the importance of addressing
the privacy and confidentiality of sensitive information. Recognizing
this, the Program establishes the standards, implementation
specifications, and functional requirements for certified health IT to
manage and exchange data but does not control the collection or use of
data. For more on patient requested restrictions on sharing of their
health information, we refer readers to section III.C.10 on
modifications to the ``view, download, and transmit to 3rd party''
certification criterion in Sec. 170.315(e)(1), which addresses
patients' (and their authorized representatives') ability to use an
internet-based method to request a restriction to be applied for any
data expressed in the standards in Sec. 170.213. We also appreciate
commenters recommending that we require greater transparency from
health IT developers to foster an accessible health IT marketplace for
consumers. As stated in the HTI-1 Proposed Rule (88 FR 23831) and this
final rule, data collected and reported under the Insights Condition
will address information gaps in the health IT marketplace and provide
insights on the use of certified health IT. We believe that consumers
will benefit from the increased transparency that the reporting
requirements of Insights Condition will provide.
While we believe that the language that we use in this rule
provides clarity on the effects of this rule, as we did with the HTI-1
Proposed Rule, we will develop, as appropriate, resources such as
infographics, FAQs, and fact sheets and provide webinars among other
forms of educational materials and outreach to explain the effects of
this rule for developers, providers, and patients.
Comments. One commenter requested that ONC adopt a definition of
``health IT developer'' to provide more clarity regarding what entities
may be considered developers for certification criteria.
Response. We thank commenters for their feedback. We decline to
adopt a new definition for ``health IT developer'' in this rule.
Adopting a new definition for ``health IT developer'' would be out of
scope for this rule because we did not propose a definition of ``health
IT developer'' in the HTI-1 Proposed Rule.
Comments. One commenter recommended ONC include non-patient facing
facilities (e.g., radiology) in the certified health IT requirements.
This commenter stated that by establishing specialty-specific or size-
specific health IT requirements, the goal of promoting interoperability
across the healthcare landscape may be better achieved.
Response. We thank the commenter for their feedback. Including non-
patient facing facilities in the certified health IT requirements was
out of the HTI-1 Proposed Rule's scope. As we did not propose such
changes to health IT requirements in the HTI-1 Proposed Rule, these
changes would also be out of scope for this rule.
Comments. A few commenters raised issues that are out of scope for
this rule, including concerns specifically about CMS policies and
requirements.
Response. We reiterate that comments regarding CMS program
requirements are out of scope as we cannot change CMS policy. We refer
to readers to CMS programs for further information.
Comments. Some commenters requested that ONC provide technical
[[Page 1205]]
assistance for the implementation of the requirements of this rule.
Response. We thank commenters for their feedback. As we did with
the HTI-1 Proposed Rule, we will develop, as appropriate, resources
such as infographics, FAQs, and fact sheets and provide webinars among
other forms of educational materials and outreach to explain the
effects of this rule for interest parties.
Comments. Several commenters identified issues that were out of
scope for our proposal, such as requesting potential changes to the
Cures Act and other federal legislation, and developing state local
public health infrastructure and regulations with state and local
health agencies.
Response. We appreciate commenters' interest in federal
legislation, and state and local public health infrastructure and
regulations. Because we did not propose changes related to these areas
in the HTI-1 Proposed Rule, these comments are out of scope, and we
decline to finalize the recommended changes in this rule. ONC does not
have the authority to change federal legislation through rulemaking.
ONC looks forward to communicating with state and local public health
agencies for the implementation of this rule and the development of
future rulemaking.
Comments. We also received numerous comments that were out of scope
or that recommended that ONC adopt new requirements that we did not
propose and are not addressed in this rulemaking.
Response. We thank commenters for their input. These comments are
out of scope for the HTI-1 Proposed Rule in that we did not propose
changes to the requirements the comments addressed, and we decline to
finalize such changes.
III. ONC Health IT Certification Program Updates
A. ``The ONC Certification Criteria for Health IT'' and Discontinuing
Year Themed ``Editions,'' Definition of Revised Certification
Criterion, and Related Program Oversight
1. Discontinuing Year Themed ``Editions''
In the HTI-1 Proposed Rule, we stated that we no longer believed it
was helpful or necessary to maintain an ``edition'' naming convention
or to adopt entirely new editions of certification criteria to
encapsulate updates over time (88 FR 23750). Instead, we proposed that
there should be a single set of certification criteria, which would be
updated in an incremental fashion in closer alignment to standards
development cycles and regular health IT development timelines. We
proposed in the HTI-1 Proposed Rule to rename all certification
criteria within the Program simply as ``ONC Certification Criteria for
Health IT'' (88 FR 23759). We explained that maintaining a single set
of ``ONC Certification Criteria for Health IT'' would create more
stability for users of health IT and Program partners, such as CMS, as
well as make it easier for developers of certified health IT to
maintain their product certificates over time. Unchanged certification
criteria would no longer be duplicated as separate criteria under
multiple editions. Accordingly, we proposed to rename Sec. 170.315 as
the ``ONC Certification Criteria for Health IT'' and replace all
references throughout 45 CFR part 170 to the ``2015 Edition'' with this
new description (this would impact the wording, though not the
substance or effect, of Sec. Sec. 170.102, 170.405, 170.406, 170.523,
170.524, and 170.550, as shown in the revised regulation text).
Comments. Many commenters were supportive of ONC's proposed
approach to discontinue the use of year-themed editions for ONC
Certification Criteria for Health IT, stating that it would reduce
confusion. Commenters generally indicated that the change from year
themed editions to adopting the name ``ONC Certification Criteria for
Health IT'' would be understood by health IT developers, patients, and
health care providers. Commenters stated and agreed that the previous
naming convention inaccurately implied the age and outdatedness of the
certification criteria and contributed to confusion about which edition
was required for Program adherence. A number of commenters agreed that
the change to incremental updates of certification criteria would be
more efficient and allow for more flexibility than the edition-based
updates to certification criteria that ONC has previously adopted. One
commenter stated that such an approach would be more appropriate given
the rapid pace at which health IT evolves. Another commenter favored
the use of clear, regular, step-by-step updates in small portions,
rather than complete overhauls of certification criteria. The commenter
also favored a predictable timeline for updates based on standards
development cycles with reasonable development timelines.
Alternatively, some commenters expressed concern that discontinuing
year-themed editions and adopting incremental advancement for
certification criteria would create too much burden for developers of
certified health IT and health care providers around updating Health IT
Modules. Commenters stated that adopting incremental updates to many
criteria instead of edition-based updates to criteria could lead to too
many and too frequent deadlines for developers and providers to comply
with and a significant added burden in cost and time. Commenters raised
concerns that incremental standards updates may divert developer
resources away from implementing provider requests. A few developers
recommended that ONC adopt a regular cycle for updates and compliance
to certification criteria and provide adequate time between revisions
to criteria that accommodate typical development timelines for Health
IT Modules. Numerous commenters contended that the proposed approach to
discontinue the use of year-themed editions for ONC health IT
certification criteria in favor of using the title ``ONC Certification
Criteria for Health IT'' would not add sufficient clarity to the
Program or would actually make the Program more difficult to
understand. Commenters stated that the incremental updates for
certification criteria could make it difficult for developers and
consumers to understand which iterations of revised and updated
standards are the most recently adopted criteria that Health IT Modules
need to be certified to. A few commenters stressed that ONC should
provide specificity and education regarding the standards that are
necessary to participate in federal interoperability programs. Some
commenters recommended that ONC create a listing of information on
certification criteria that health IT developers and consumers could
reference to determine the most up-to-date standards for a
certification criterion and Health IT Module certified to such
criterion. A few commenters requested greater clarity on how much
responsibility consumers as opposed to developers would bear for
maintaining the certification for Health IT Modules with the adoption
of incremental advancements. One commenter was concerned that
developers might charge providers the costs for updates and recommended
that ONC add a requirement for developers to inform health care
providers of the meaning of a ``provider product'' and the consequences
of declining updates to health IT for participation in other federal
programs.
Response. We thank all commenters for their thoughtful feedback.
Upon consideration of all comments received on this proposal, we have
finalized our approach as proposed. As noted in the
[[Page 1206]]
HTI-1 Proposed Rule (FR 23759), we believe that there should be a
single set of certification criteria, which would be updated in an
incremental fashion in closer alignment to standards development cycles
and regular health IT development timelines. To finalize this proposal,
we renamed all certification criteria within the Program simply as
``ONC Certification Criteria for Health IT.'' We believe maintaining a
single set of ``ONC Certification Criteria for Health IT'' will create
more stability for users of health IT and Program partners, such as
CMS, as well as make it easier for developers of certified health IT to
maintain their product certificates over time. In addition, we believe
that this approach will have the benefit of reducing administrative
burden for health IT developers participating in the Program.
Previously, duplicative references to separate certification criteria
under multiple, year-themed editions created administrative burden for
health IT developers by requiring developers to seek an updated
certificate attributed to the ``new'' duplicated certification
criterion even in circumstances when the certification criterion
remained substantively unchanged. Under this approach, unchanged
certification criteria would no longer be duplicated as separate
criteria under multiple editions. Accordingly, we renamed Sec. 170.315
as the ``ONC Certification Criteria for Health IT'' and replaced all
references throughout 45 CFR part 170 to the ``2015 Edition'' with this
new description (this impacted the wording, though not the substance or
effect, of Sec. Sec. 170.102, 170.405, 170.406, 170.523, 170.524, and
170.550, as shown in the revised regulation text).
With respect to those commenters that expressed reservations,
discontinuing the use of year-themed editions for ONC Certification
Criteria for Health IT will not impose a significant burden on
implementers. Our intent with this approach is to maintain a single set
of certification criteria that have been updated to include the most
recent versions of adopted standards, and to establish an incremental
approach to health IT updates over time. In fact, this has been
embedded within the Program's approach all along because of the way we
revised only certain certification criteria within an edition change.
Moreover, in the ONC Cures Act Final Rule, we stated our belief that
this kind of approach should also include development timelines based
on the updates required for each criterion and a transition period
allowing for either the prior adopted standard or the new standard to
be used for a reasonable period of time (before shifting to exclusive
use of the new standard). We further noted our belief that this
approach can help to reduce the burden on health IT developers and
health care providers and could allow health IT developers to implement
updates in the manner most appropriate for their product and customers
(85 FR 25665). We have received significant positive feedback
expressing that the incremental approach to updates is generally
beneficial as a long-term approach. Specifically, feedback conveyed
that a consistent, transparent, incremental update cycle that includes
the following features would be preferred by some: (1) regular updates
to recognize standards advancement and an allowance for voluntary
standards advancement between updates, (2) incremental updates rather
than ``wholesale'' product overhauls, (3) a predictable timeline for
updates based on standards development cycles with reasonable
development timelines, and (4) a reasonable development timeline for
any new criterion based on specific development needs. We plan to issue
clear guidance and timelines for when updates would be required. In
consideration of the overall support from commenters, we have finalized
our proposed approach to discontinue the use of year themed editions
for ONC Certification Criteria for Health IT.
In response to commenters that indicated we did not provide
adequate specificity or education in our HTI-1 Proposed Rule, we
appreciate the commenters' concerns and agree with the need for
educational materials and resources. We intend to make updates to ONC
website materials, engage in public presentations and webinars, and
revise the Certified Health IT Product List (CHPL) database to make
clear which certification criteria, standards, and implementation
specifications are valid under the Program at a given point in time.
Between the ONC website and the CHPL updates, we are confident that
interested parties will have the necessary information regarding both
certification criteria and certified health IT products. We will also
develop educational resources so that purchasers and users understand
which Health IT Modules have met their obligations under the Program by
updating their Health IT Modules to revised certification criteria.
In response to the commenter suggestion that ONC add a requirement
for developers to inform health care providers of the meaning of a
``provider product'' and the consequences for declining updates to
health IT regarding participation in federal reporting programs, we
thank the commenter for their comment. However, we have not proposed
any requirements related to the term, ``provider product,'' and decline
to finalize any such requirements in this final rule. Although we are
not at this time requiring developers to inform health care providers
of the consequences of declining updates to health IT, we encourage
developers to be transparent with customers about the benefits of
updates and impacts of declining them. We understand there are costs
associated with updating new technology and also with foregoing
participation in a federal program that requires the use of certified
health IT. Therefore, we encourage developers to ensure that their
customers are fully informed about all impacts before making a decision
on updates.
Comments. Several commenters requested further clarity on issues
related to the impact of the proposed approach on public health
entities. Commenters noted that an approach should include an
``expiration date'' or identify minimum standards to ensure public
health and other entities receiving data from certified health IT do
not maintain support for outdated standards. Commenters also stated
that the proposed approach should recognize the cost and implementation
burden for public health agencies associated with updating standards,
and that all regulatory impact analyses, including for the current
rule, should include estimated costs for public health agencies,
laboratories, and their intermediaries. Further, commenters recommended
more attention on public input procedures, including from public
health, and asked ONC to ensure that regulations do not update
standards without verifying that public health authorities can meet the
updated standards. Finally, one commenter suggested that ONC reference
the authority of state, local, and territorial public health agencies
within the standards update process to ensure clarity for users.
Response. We thank commenters for their input. We have identified
in several places within 45 CFR part 170 subpart B, and within several
certification criteria in 45 CFR part 170 subpart C, ``expiration
dates'' and dates after which a standard or certification criterion is
no longer valid within the context of the Program. We believe these
dates will ensure public health and other entities receiving data from
certified health IT do not maintain support for outdated standards. We
understand concerns about the broader
[[Page 1207]]
overall downstream impact of this rulemaking on entities beyond
developers of certified health IT, which are specifically regulated
under authorities delegated to ONC. This rule's impact analysis
measures the estimated costs for developers of certified health IT to
meet new Program requirements, for example, to develop or modify the
technical functionality of their certified health IT or adopt a new
standard or standard version. These are the expected direct costs of
the rule's final policies on developers of certified health IT.
However, we recognize that developers of certified health IT are
largely private businesses that operate in a competitive marketplace
and that they may not bear all costs to meet these requirements. We
include in the ``Costs and Benefits'' section of the Regulatory Impact
Analysis the estimated impact on certified health IT end users. In this
case, health care providers, such as hospitals and clinicians. We
believe these estimates provide a general, but not necessarily
comprehensive, understanding of the possible pass-through costs borne
by users of certified health IT.
We also plan to issue educational resources explaining, consistent
with standards and timelines adopted in this rule, when updates would
be required. In addition, we actively engage with public health
agencies to ensure that the regulatory process for updating standards
represents their input. Finally, we indicate the authority of state,
local, and territorial laws and requirements where appropriate.
Comments. One commenter stated that they did not support the change
to an ``edition-less'' format because the availability of the Standards
Version Advancement Process (SVAP) allows health IT developers to
upgrade to approved standards on a voluntary basis. The commenter urged
ONC to consider the following steps to mitigate burden on health IT
developers: provide a minimum implementation time of 24 months for any
new or updated criteria, utilize the SVAP process over required updates
where feasible, accept ``evidence-based'' attestations for the purposes
of certification, and work with other HHS agencies on awareness around
updates to certification criteria.
Response. As noted above, we plan to issue educational resources
explaining, consistent with standards and timelines adopted in this
rule, when updates would be required. In the ONC Cures Act Final Rule,
as part of the Real World Testing Condition of Certification, we
finalized a ``flexibility'' within the associated Maintenance of
Certification that we refer to as the SVAP (85 FR 25775). This
flexibility permits health IT developers to voluntarily use newer
versions of adopted standards in their certified Health IT Modules so
long as certain conditions are met. These conditions are not limited
to, but notably include, successful real world testing of the Health IT
Module using the new version(s) subsequent to the inclusion of these
newer standards and implementation specification versions in the Health
IT Module's certification. We established the SVAP not only to meet the
Cures Act's goals for interoperability, but also in response to the
feedback ONC has received through prior rulemakings and engagements,
which advocated for ONC to establish a predictable and timely approach
within the Program to keep pace with the industry's standards
development efforts (85 FR 25775). We continue to support the SVAP, but
we also believe it is necessary to discontinue the use of year-themed
editions for ONC Certification Criteria for Health IT and adopt
incremental updates to the Program. While SVAP allows flexibility for
the voluntary adoption of newer versions of standards, the incremental
Program updates will ensure aligned minimum requirements within the
health IT industry that advance interoperability.
Comments. One commenter stated that moving to an ``edition-less''
approach would require ONC-ACBs to provide increased oversight to
ensure certified health IT meets the specific compliance dates provided
in regulation. Another commenter stated that ONC should provide a
minimum of six months for developers and ONC-ACBs to implement this
change, such as removing references to the 2015 Edition from
documentation related to the Program.
Response. We thank commenters for their feedback; however, we
disagree that moving to an ``edition-less'' approach will require ONC-
ACBs to conduct more oversight than under the edition-based construct.
We note that while an ``edition-less'' approach may require different
levels of documentation of oversight than currently exist in the
Program, this approach will also likely reduce documentation and
oversight in other areas given that health IT developers will not
update Health IT Modules to all certification criteria at once, which
was the case under the edition-based approach.
Comments. All comments received were supportive of revising the
text from ``time-limited certification and certification status for
certain 2015 Edition certification criteria'' in Sec. 170.550(m) to
``time-limited certification and certification status for certain ONC
Certification Criteria for Health IT.'' Commenters noted that our
proposal for time-limited certification should require products be
clearly labeled and advertised as time-limited and include a
description of which aspects of the product/certification are time-
limited. Additionally, commenters requested we make a filterable tag in
the CHPL and/or provide a list of the time-limited products separately.
Response. We appreciate the support expressed by many commenters,
and we have finalized the removal of ``2015 Edition'' from Sec.
170.550(m). We look forward to ongoing collaboration with public and
private sector partners as we implement the provisions of this final
rule.
After consideration of these comments, we have finalized our
proposed approach to discontinue year-themed editions. Specifically, we
have renamed Sec. 170.315 as the ``ONC Certification Criteria for
Health IT'' and replaced references to the ``2015 Edition'' in
Sec. Sec. 170.102, 170.405, 170.406, 170.523, 170.524, and 170.550,
with this description.
2. Definition of ``Revised Certification Criterion''
In the HTI-1 Proposed Rule, we described the use of terms meant to
describe the status of certification criteria for use in the Program
from the 2011 to 2014 Edition transition (88 FR 23760). We also
referenced the definitions finalized in the 2015 Edition Final Rule for
the following terms:
``New'' certification criteria are those that as a whole
only include capabilities never referenced in previously adopted
certification criteria editions and to which a Health IT Module
presented for certification to the 2015 Edition could have never
previously been certified.
``Revised'' certification criteria are those that include
the capabilities referenced in a previously adopted edition of
certification criteria as well as changed or additional new
capabilities; and to which a Health IT Module presented for
certification to the 2015 Edition could not have been previously
certified to all of the included capabilities.
``Unchanged'' certification criteria are those that
include the same capabilities as compared to prior certification
criteria of adopted editions; and to which a Health IT Module presented
for certification to the 2015 Edition could have been previously
certified to all the included capabilities (80 FR 62608).
[[Page 1208]]
We proposed that these same terms as applied to the certification
criteria would continue to be used by the Program in the absence of a
year-named edition. However, for clarity, we proposed to define
``revised certification criterion (or criteria)'' in Sec. 170.102 to
mean a certification criterion that meets at least one of the
following: (1) has added or changed the capabilities described in the
existing criterion in 45 CFR 170 part C; (2) has an added or changed
standard or implementation specification referenced in the existing
criterion in 45 CFR part 170 subpart B; or (3) is specified through
notice and comment rulemaking as an iterative or replacement version of
an existing criterion in 45 CFR part 170 subpart C.
We stated in the HTI-1 Proposed Rule that we would continue to use
these terms when: communicating proposals for future criteria, such as
revising a criterion that will maintain its place in the CFR or
establishing a new criterion that is an iterative or replacement
criterion in the Program; establishing scenarios for when gap
certification is an option for developers of certified health IT; and
setting expiration dates or applicable timelines related to standards
and certification criteria. Through the development of educational
resources, such as fact sheets \24\ and resource guides,\25\ these
designations will help users and the public understand to which
versions of standards and certification criteria a Health IT Module may
be certified when multiple versions of standards or certification
criteria are available under the Program. In the HTI-1 Proposed Rule,
we proposed applicability or implementation timelines for both our
certification criteria and the standards adopted in 45 CFR part 170 by
establishing the dates by which an existing version of a criterion or
standard is no longer applicable and by establishing a date by which a
new or revised certification criterion or standard version is adopted
(88 FR 23760).
---------------------------------------------------------------------------
\24\ See 2015 Edition Cures Update Fact Sheet: https://www.healthit.gov/sites/default/files/page/2022-03/Cures-Update-Fact-Sheet.pdf.
\25\ See API Resource Guide: https://onc-healthit.github.io/api-resource-guide/.
---------------------------------------------------------------------------
Comments. Most commenters supported our proposed definition of
``revised certification criterion (or criteria).''
Response. We appreciate the feedback from commenters. We believe
the revised certification criterion (or criteria) definition provides
clarity around our approach for setting applicability or implementation
timelines for both our certification criteria and the standards adopted
in 45 CFR part 170. We have finalized our definition for revised
certification criterion (or criteria) as proposed.
Comments. Some commenters suggested better coordination with the
Centers for Medicare & Medicaid Services (CMS) to ensure that our
definition is consistent and aligned with the Medicare Promoting
Interoperability (PI) Program or MIPS Promoting Interoperability
performance category.
Response. We appreciate the comment and will continue to coordinate
and work with our federal partners, including CMS, on points of
intersection for potential future rulemaking. We note that the CY 2024
Physician Fee Schedule Proposed Rule \26\ has a discussion related to
this policy, and we invite readers to review the discussion at 88 FR
52547.
---------------------------------------------------------------------------
\26\ ``Medicare and Medicaid Programs; CY 2024 Payment Policies
Under the Physician Fee Schedule and Other Changes to Part B Payment
and Coverage Policies; Medicare Shared Savings Program Requirements;
Medicare Advantage; Medicare and Medicaid Provider and Supplier
Enrollment Policies; and Basic Health Program'' (88 FR 52262).
---------------------------------------------------------------------------
Comments. One commenter inquired how users of a certified Health IT
Module that has been certified to multiple certification criteria that
have been revised and included overlapping timeframes for standards
updates will know if the Health IT Module is compliant.
Response. ONC has included in the Code of Federal Regulations (CFR)
revisions to certification criteria, standards, and implementation
specifications--and their associated timelines. To meet a certification
requirement, a Health IT Module would need to be updated to the most
recently adopted capabilities and standards indicated in the CFR within
the timelines specified. For example, if a finalized revised
certification criterion references a new standard this year that must
be adopted by 2027, and we subsequently revised this certification
criterion through rulemaking again in 2026 with a newer version of that
standard to be adopted by 2028, then the Health IT Module would need to
be updated to the new standard identified this year in the CFR by 2027
and subsequently be updated to the standard identified through
rulemaking in 2026 by 2028.
Comments. One commenter inquired how an update to an existing
criterion will be identified on the CHPL.
Response. ONC will establish clear requirements and timelines for
all revised criteria within the CHPL. To support effective
communication of the updates, we will implement a practical approach to
facilitate transparency using the CHPL.
Table 1 below includes the revised certification criteria we have
finalized in this rule.
Table 1--List of Finalized Health IT Certification Criteria
------------------------------------------------------------------------
------------------------------------------------------------------------
Revised Certification Criteria
------------------------------------------------------------------------
Sec. 170.315(a)(5)................. Clinical--Patient demographics
and observations (currently
Demographics).
Sec. 170.315(a)(9)................. Clinical--Clinical decision
support (CDS) at Sec.
170.315(a)(9) (to be moved to
the ``Care Coordination''
certification criteria as the
``decision support
intervention'' criterion at Sec.
170.315(b)(11)'').
Sec. 170.315(b)(1)................. Care Coordination--Transitions of
care.
Sec. 170.315(e)(1)................. Patient Engagement--View,
download, and transmit to 3rd
party.
Sec. 170.315(f)(5)................. Public Health--Transmission to
public health agencies--
electronic case reporting.
Sec. 170.315(g)(10)................ Design and Performance--
Standardized API for patient and
population services.
------------------------------------------------------------------------
Revised Certification Criteria (standards updates)
------------------------------------------------------------------------
Sec. 170.315(a)(12)................ Clinical--Family health history.
Sec. 170.315(b)(2)................. Care Coordination--Clinical
information reconciliation and
incorporation.
Sec. 170.315(b)(6)................. Care Coordination--Data export.
Sec. 170.315(b)(9)................. Care Coordination--Care plan.
Sec. 170.315(c)(4)................. Clinical Quality Measures--
Clinical quality measures--
filter.
Sec. 170.315(f)(1)................. Public Health--Transmission to
immunization registries.
Sec. 170.315(f)(3)................. Public Health--Transmission to
public health agencies--
reportable laboratory tests and
values/results.
[[Page 1209]]
Sec. 170.315(f)(4)................. Public Health--Transmission to
cancer registries.
Sec. 170.315(g)(3)................. Design and Performance--Safety-
enhanced design.
Sec. 170.315(g)(6)................. Design and Performance--
Consolidated CDA creation
performance.
Sec. 170.315(g)(9)................. Design and Performance--
Application access--all data
request.
------------------------------------------------------------------------
In the HTI-1 Proposed Rule, we included proposed modifications to
our approach for setting applicability or implementation timelines for
each certification criteria and the applicable standards adopted in 45
CFR part 170 (88 FR 23761). In this final rule, we have finalized that
proposal to incorporate the applicable timelines and ``expiration
dates'' for capabilities and standards updates within each individual
criterion or standard.
We direct readers to section III.C.11 of this final rule for
further discussion of the requirements for health IT developers
voluntarily participating in the Program related to health IT
certification updates.
3. Program Oversight Related to Discontinuation of Editions
a. Records Retention
In the ONC Cures Act Final Rule, we revised the Principles of
Proper Conduct for ONC-ACBs and ONC-ATLs by amending the records
retention policies to include the ``life of the edition'' (85 FR 25710
through 25713). Specifically, we clarified that the records retention
provisions in Sec. Sec. 170.523 and 170.524 included the ``life of the
edition'' as well as three years after the retirement of an edition
related to the certification of Complete EHRs and Health IT Modules. We
explained that ``[b]ecause the `life of the edition' begins with the
codification of an edition of certification criteria in the CFR and
ends on the effective date of the final rule that removes the
applicable edition from the CFR, the start and end dates for the `life
of the edition' are published in the Federal Register in the rulemaking
actions that finalize them. The period of three years beyond the `life
of the edition' begins on the effective date of the final rule that
removes the applicable edition from the CFR, thus the three-year period
after removal from the CFR continues through three full calendar years
following that date'' (85 FR 25710).
In the HTI-1 Proposed Rule, we proposed to maintain a single set of
``ONC Certification Criteria for Health IT'' and not an edition, so we
therefore proposed to revise Sec. 170.523 and Sec. 170.524 (88 FR
23762). We proposed that the period of three years begins on the
effective date of the final rule that removes the applicable ONC
certification criterion or criteria for health IT from the CFR, thus
the three-year period after removal from the CFR continues through
three full calendar years following that date (in addition to the
calendar year in which it was removed). We also retained the ``Complete
EHR'' language in these sections because beginning with the 2015
Edition, Complete EHR certifications could no longer be issued.
However, since the 2014 Edition was not removed from the CFR until the
ONC Cures Act Final Rule, which became effective on June 30, 2020,
records would need to be retained (including Complete EHRs) until June
30, 2023.
Comments. A majority of commenters, including individuals,
professional trade associations, and other interested parties expressed
support for the ONC-ATLs retaining the records of Complete EHRs' and
Health IT Modules' testing through a minimum of three years from the
effective date of the removal of those certification criteria from the
CFR. Commenters indicated such requirements were reasonable,
particularly in relation to the retirement of the edition concept, and
they indicated that these records could better facilitate surveillance
and enforcement of certification criteria and transparency for
customers. One commenter highlighted the importance of retaining those
records for historical documentation regarding their health IT vendors'
certification status. One commenter suggested ONC expand the three-year
requirement to six years, to align with the HIPAA Privacy Rule's
retention period.
Response. We appreciate the commenters' support for continuing our
current three-year retention policy and our proposed modifications that
the retention policy would be effective for three full calendar years
beginning on the effective date of the final rule that removes the
applicable ONC certification criterion or criteria for health IT from
the CFR. We agree that maintaining those records for historical
documentation is important and have finalized our policy as proposed.
We do not believe that a six-year retention policy is needed at this
time because it may result in more burden than is warranted. However,
we will continue to monitor the effectiveness of our existing retention
policy and consider changes as needed, including consulting with
Federal partners that conduct federal program enforcement, such as the
HHS OIG.
Comments. Commenters suggested ONC establish an organized system of
documentation management for each Health IT Module/developer to be
shared on the CHPL to streamline the process and enhance efficiency; to
adopt new indicators of current certification status each time a
criterion certified as part of a Health IT Module is incrementally
updated; and to create a special coding system that represents the most
current year of certification for Health IT Modules to support
oversight and compliance requirements health care providers may have
with other programs such as the CMS Quality Payment Program.
Response. We appreciate commenters identifying options for
enhancing how the Program documents certification status for Health IT
Modules as we retire the year-themed edition approach. We note that the
CHPL primarily serves as a comprehensive repository of certified health
IT products and their corresponding certification details. While it
provides information about certified health IT products, it does not
specifically serve as a documentation management system for Modules/
developers. The CHPL provides transparency and access to certification
information, including the certification criteria used for certifying a
Health IT Module, test results, and certified health IT product
details. It serves as a valuable resource for users to verify the
certification status and capabilities of Health IT products. Overall,
we will take these comments, and related comments received, into
consideration as we implement removal of year-themed editions in the
Program.
b. Records Retention--Complete EHR
In the HTI-1 Proposed Rule, we proposed to retain the ``Complete
EHR'' language in Sec. Sec. 170.523 and 170.524 even though, beginning
with the 2015 Edition, Complete EHR certifications could no longer be
issued. We did so because the records for 2014 Edition Complete EHR
certifications still needed to be retained until the records retention
timeframe expired on June 30, 2023. Though not specifically stated in
the HTI-1 Proposed Rule, the removal of
[[Page 1210]]
the ``Complete EHR'' language from all reference points in Sec. Sec.
170.523 and 170.524 could have been reasonably anticipated once June
30, 2023, had passed. Therefore, since the date has now passed and
because retaining ``Complete EHR'' in the regulation text may cause
confusion for the public, we have removed all remaining references to
the ``Complete EHR'' language in Sec. Sec. 170.523 and 170.524.
B. Standards and Implementation Specifications
1. National Technology Transfer and Advancement Act
The National Technology Transfer and Advancement Act (NTTAA) of
1995 (15 U.S.C. 3701 et seq.) and the Office of Management and Budget
(OMB) Circular A-119 \27\ require the use of, wherever practical,
technical standards that are developed or adopted by voluntary
consensus standards bodies to carry out policy objectives or
activities, with certain exceptions. The NTTAA and OMB Circular A-119
provide exceptions to electing only standards developed or adopted by
voluntary consensus bodies, namely when doing so would be inconsistent
with applicable law or otherwise impractical. Agencies have the
discretion to decline the use of existing voluntary consensus standards
if it is determined that such standards are inconsistent with
applicable law or otherwise impractical, and instead use a government-
unique standard or other standard. In addition to the consideration of
voluntary consensus standards, the OMB Circular A-119 recognizes the
contributions of standardization activities that take place outside of
the voluntary consensus standards process. Therefore, in instances
where use of voluntary consensus standards would be inconsistent with
applicable law or otherwise impracticable, other standards should be
considered that meet the agency's regulatory, procurement, or program
needs, deliver favorable technical and economic outcomes, and are
widely utilized in the marketplace.
---------------------------------------------------------------------------
\27\ https://www.whitehouse.gov/wp-content/uploads/2020/07/revised_circular_a-119_as_of_1_22.pdf.
---------------------------------------------------------------------------
In this final rule, we use voluntary consensus standards except
for:
The standard adopted in Sec. 170.213, the United States
Core Data for Interoperability Version 3 (USCDI v3), is a hybrid of
government policy (i.e., determining which data to include in the
USCDI) and voluntary consensus standards (i.e., the vocabulary and code
set standards attributed to USCDI data elements); and
The standard adopted in Sec. 170.207(f)(3) for race and
ethnicity.
We are not aware of any voluntary consensus standards that could
serve as an alternative for the purposes we describe in further detail
throughout this final rule including establishing a baseline set of
data that can be exchanged across care settings for a wide range of
uses. We refer readers to section III.C.1 of this preamble for a
discussion of the USCDI.
Comments. One commenter suggested ONC look at the work of the FHIR
accelerators as meeting the requirements of `voluntary consensus
bodies' outlined in the OMB Circular A-119 for standards and frameworks
that fall outside of the HL7 process. The commenter stated that as an
example, CARIN has worked with FAST to develop a framework for how
digital identity is federated across healthcare participants with the
CARIN/HHS Healthcare Digital Identity Federation Proof of Concept
report in which ONC participated. The commenter encouraged ONC to
leverage the open-source work that has been done to advance digital
identity federation in future rulemaking.
Response. We thank commenters for their input. We will consider
leveraging the work that the commenter suggested in future rulemakings.
2. Compliance With Adopted Standards and Implementation Specifications
In accordance with Office of the Federal Register regulations
related to ``incorporation by reference,'' 1 CFR part 51, which we
follow when we adopt proposed standards and implementation
specifications in any subsequent final rule, the entire standard or
implementation specification document is deemed published in the
Federal Register when incorporated by reference therein with the
approval of the Director of the Federal Register. Once published,
compliance with the standard and implementation specification includes
the entire document unless we specify otherwise. If an element of the
IG is optional or permissive in any way, it will remain that way for
testing and certification unless we specified otherwise in regulation.
In such cases, the regulatory text would preempt the permissiveness of
the IG.
3. ``Reasonably Available'' to Interested Parties
The Office of the Federal Register has established requirements for
materials (e.g., standards and implementation specifications) that
agencies propose to incorporate by reference in the Code of Federal
Regulations (79 FR 66267; 1 CFR 51.5(b)). To comply with these
requirements, in section V (``Incorporation by Reference'') of this
preamble, we provide summaries of, and uniform resource locators (URLs)
to, the standards and implementation specifications we have adopted and
subsequently incorporate by reference in the Code of Federal
Regulations. To note, we also provide relevant information about these
standards and implementation specifications throughout the relevant
sections of this final rule.
C. New and Revised Standards and Certification Criteria
1. The United States Core Data for Interoperability Version 3 (USCDI
v3)
As discussed in the HTI-1 Proposed Rule, the USCDI is a
standardized set of health data classes and constituent data elements
for nationwide, interoperable health information exchange \28\ (88 FR
23751). USCDI v1 established a baseline set of data that can be
commonly exchanged across care settings for a wide range of uses and is
a required part of certification criteria in the 2015 Edition Cures
Update. For the overall structure and organization of USCDI, including
data classes and data elements in USCDI v1, please see the discussion
in the ONC Cures Act Final Rule (85 FR 25669-25670), as well as
www.healthIT.gov/uscdi.
---------------------------------------------------------------------------
\28\ https://www.healthit.gov/isa/united-states-core-data-interoperability-uscdi.
---------------------------------------------------------------------------
We stated in the ONC Cures Act Final Rule that we intended to
utilize a predictable, transparent, and collaborative process to expand
USCDI, including providing the public with the opportunity to comment
on USCDI's expansion (85 FR 25670). We also noted that developers of
certified health IT would be able to use the Standards Version
Advancement Process (SVAP) to voluntarily implement and use a newer,
National Coordinator-approved version of USCDI without waiting for ONC
to propose and adopt via rulemaking an updated version of the USCDI (85
FR 25669). We, therefore, established a process for expanding USCDI
based on public input and submissions of new data elements and
classes.\29\ To enable these submissions, we created the ONC New Data
Element and Class (ONDEC) submission system, which provides the public
with the opportunity to submit new data
[[Page 1211]]
elements for consideration for inclusion in future versions of
USCDI.\30\
---------------------------------------------------------------------------
\29\ https://www.healthit.gov/buzz-blog/interoperability/uscdi-onc-new-data-element-and-class-submission-system-now-available.
\30\ https://www.healthit.gov/isa/ONDEC.
---------------------------------------------------------------------------
In the HTI-1 Proposed Rule, we proposed to update the USCDI
standard in Sec. 170.213 by adopting the newly released USCDI v3 and
establishing a January 1, 2025, expiration date for USCDI v1 (July 2020
Errata) for purposes of the Program. We proposed to add USCDI v3 in
Sec. 170.213(b) and incorporate it by reference in Sec. 170.299.
Specifically, we proposed in the HTI-1 Proposed Rule to adopt USCDI v3
(October 2022 Errata). We also proposed to codify the existing
reference to USCDI v1 (July 2020 Errata) in Sec. 170.213(a). Lastly,
we proposed that as of January 1, 2025, any developers seeking
certification for their Health IT Modules to criteria that reference
the standards in Sec. 170.213 would need to be capable of exchanging
the data elements that comprise USCDI v3.
Comments. We received a large number of comments expressing overall
support for our proposals to adopt USCDI v3 in Sec. 170.213(b) and for
USCDI v1 to expire on January 1, 2025. Many commenters specifically
supported the inclusion of SDOH data elements in USCDI v3 and noted
that more accurate and complete patient characteristics will help
address health disparities. Several commenters in support of our
proposals specifically agreed with the proposed deadline. Commenters
supporting our proposal also noted that it would reduce burden, advance
interoperability, support quality measurement initiatives, and support
providers' ability to acquire and share the information needed to
provide the best care for their patients.
Response. We thank commenters for the support of our proposals and
for recognizing potential benefits such as reduced burden, increased
interoperability, more complete data, and the ability to support
quality measurement initiatives and better address health disparities.
Comments. We received numerous comments that expressed concern
about the proposed deadline and advocated for an extension. These
comments generally expressed concern about the burden on developers
posed by the proposed deadline, stating that more time would be needed
to successfully adopt USCDI v3, including development, implementation,
and testing, and stressed that it would be a large undertaking for
developers as well as for health care providers. Some commenters
recommended moving the deadline to the end of the calendar year which
is no shorter than 24 months from the publication of this final rule.
Some commenters suggested extending the compliance deadline by six
months, and others suggested compliance dates of December 31, 2025, or
January 1, 2026. Several commenters mentioned the need for ONC to
coordinate with CMS on timelines, and one mentioned the need to allow
providers a ``flex'' year after the certification deadline during which
to upgrade. Some comments suggested aligning compliance deadlines with
the availability of scalable FHIR-based API standards, which they
stated could help support successful implementation of USCDI v3, while
others suggested waiting to adopt USCDI v3 until after Release 4 of the
C-CDA Companion Guide is finalized. Some commenters stated that USCDI
v3 should not be required until all of the standards supporting USCDI
v3 are officially published.
Additionally, a number of commenters requested clarification from
ONC related to the proposed adoption of USCDI v3. This included
clarification on future updates to USCDI; how USCDI works with CMS
rules and programs; the applicability of USCDI v2 once USCDI v3 is
adopted; the distinction between USCDI, USCDI+ and US Core; the lack of
vocabulary standards for some USCDI v3 data elements; and the
expectations regarding data sharing.
Response. We thank commenters for expressing a desire for an
extension on proposed deadlines. USCDI v3 includes all data elements in
USCDI v2, as well as additional data elements. In response to
commenters' feedback, we have extended the deadline for the expiration
of USCDI v1 in Sec. 170.213 to January 1, 2026. We believe the
extended time, combined with the fact that USCDI v3 has been publicly
available since July 2022, will make it feasible for all interested
parties to meet the revised deadline. We note that USCDI v3 has been
available for use in the Program using the FHIR US Core 6.1.0 and C-CDA
Companion Guide R4.1 through SVAP effective September 11, 2023.\31\ In
response to comments suggesting that USCDI v3 lacks vocabulary
standards, in the USCDI v3 standard ONC has identified applicable
vocabulary standards for those USCDI data elements where a coded value
is expected, a standard code set is currently in use, and where the
submitters and commenters have provided evidence of current use.
Further terminology bindings are defined in the C-CDA Companion Guide
and HL7 US Core Implementation Guide.
---------------------------------------------------------------------------
\31\ https://www.healthit.gov/sites/default/files/2023-07/2023_SVAP_Fact_Sheet.pdf.
---------------------------------------------------------------------------
In response to the comment requesting that ONC explain the
distinction between USCDI, USCDI+, and US Core, we note that the USCDI+
program was not referenced in the HTI-1 Proposed Rule. USCDI+ supports
the identification and establishment of domain or program-specific
datasets that will operate as extensions to USCDI and uses similar
processes as the USCDI, such as seeking input from the Health IT
Advisory Committee and other interested partners to stimulate public
engagement and help shape USCDI+ datasets.
As we have described previously, the USCDI is a standardized set of
health data classes and constituent data elements for nationwide,
interoperable health information exchange. In order for the USCDI to be
implemented with specific exchange modalities or functionalities,
additional specifications are required to provide guidance on how the
USCDI should be implemented in the context of that exchange method. The
US Core and C-CDA implementation guides are aligned to specific
versions of USCDI and provide the implementation specification and
expectations for each particular version of USCDI. In this case, we
have finalized USCDI v3 and the applicable FHIR US Core Implementation
Guide (FHIR US Core 6.1.0) and C-CDA Companion Guide (C-CDA Companion
Guide R4.1), both of which provide guidance on how to implement the
updates from USCDI v1 to USCDI v3.
We recognize that we stated in the HTI-1 Proposed Rule that we
would consider adopting the most up-to-date versions of the FHIR US
Core and C-CDA Companion Guide specifications that align with the
updates to USCDI v3 (FHIR US Core 6.0.0 and C-CDA Companion Guide R4).
However, after the publishing of FHIR US Core 6.0.0 and C-CDA Companion
Guide R4, HL7 found errors with how the guides implemented data
elements in USCDI v3 and had to make updates to those specifications to
align with USCDI v3 and ensure that USCDI v3 can be implemented in
Health IT Modules. Adopting FHIR US Core 6.1.0 and C-CDA Companion
Guide R4.1 is necessary for developers of certified health IT to have
appropriate implementation guidance to meet the criteria adopted in
this final rule that reference USCDI v3. Based on public comments on
this and prior rulemakings, we believe that the health IT industry,
healthcare standards developers, and health care providers expect and
support ONC making such
[[Page 1212]]
determinations so that the adopted version of standards are the most
up-to-date available and are feasible for real-world implementation
(see, for example, 85 FR 25677 and 25708).
In response to comments regarding how CMS or other federal programs
incorporate USCDI into rules and programs, we note that ONC receives
submissions and comments from federal partners, including CMS, on USCDI
content and will continue to work towards alignment where appropriate
with these partners.
In response to comments on future updates to USCDI, we clarify that
USCDI generally expands annually to keep pace with clinical,
technology, and policy changes.\32\ ONC follows a predictable,
transparent, and collaborative process for updating USCDI that allows
interested parties to submit new data elements and classes for future
versions of USCDI through the ONDEC submission system. Regarding
applicability, USCDI v2 will not be available for new and updating
certifications via SVAP after December 31, 2023. We erroneously stated
in the HTI-1 Proposed Rule that USCDI v2 would remain available via
SVAP until December 31, 2024 (88 FR 23764); however, our intention was
that USCDI v2 would remain available via SVAP until it sunsets. USCDI
v2 sunsets on December 31, 2023 and will no longer be available via
SVAP after that date.\33\
---------------------------------------------------------------------------
\32\ https://www.healthit.gov/sites/default/files/page/2023-07/Standards_Bulletin_2023-2.pdf.
\33\ https://www.healthit.gov/topic/standards-version-advancement-process-svap.
---------------------------------------------------------------------------
Comments. We received numerous comments expressing concerns about
privacy and the implementation of USCDI v3. These commenters generally
noted that USCDI v3 includes data elements that may contain sensitive
health information, including mental health, substance use, and
reproductive health information, the disclosure of which could increase
the risk of harassment or harm toward providers and patients. Several
of these commenters noted the need for ONC to create education
materials around the fact that USCDI v3 does not require sharing of
sensitive information. Some commenters recommended that ONC remove data
elements that provide personally identifiable information that does not
support the provision of care. Several comments encouraged ONC to
consider requiring granular data segmentation policies concurrently
with adopting USCDI v3. Commenters also requested that ONC consider
removing any personally identifiable data elements in USCDI that do not
provide value in order to avoid re-identification, or alternatively to
revise policies that require automatic inclusion of all data elements
in the USCDI.
Response. We thank commenters for their feedback regarding the
importance of addressing the privacy and confidentiality of sensitive
information. The adoption of USCDI v3 sets a new baseline for the
capability of Health IT Modules certified to particular certification
criteria to capture and exchange data but does not dictate when and how
either of those two actions occur. We have not adopted new or
additional privacy standards related to controlling sensitive data that
may be represented in USCDI data elements. However, our existing
criteria in Sec. 170.315(b)(7) and (b)(8) include support for privacy
and security labels in health information exchange workflows and these
criteria reference the HL7[supreg] Implementation Guide: Data
Segmentation for Privacy (DS4P), Release 1 adopted in Sec.
170.205(o)(1) and incorporated by reference in Sec. 170.299. In
addition, we have adopted a new requirement as part of the
certification criterion in Sec. 170.315(e)(1) in support of the HIPAA
Privacy Rule's individuals' ``right to request a restriction'' as
discussed in section III.C.10. For more on patient requested
restrictions on sharing of their health information, we refer readers
to section III.C.10 for discussion on modifications to the ``view,
download, and transmit to 3rd party'' certification criterion in Sec.
170.315(e)(1), stating that patients (and their authorized
representatives) must be able to use an internet-based method to
request a restriction to be applied for any data expressed in the
standards in Sec. 170.213. The HIPAA Privacy Rule provides federal
protections for PHI held by covered entities and gives individuals an
array of rights with respect to that information.
Comments. We received multiple comments expressing concern about
provider burden, including administrative, cognitive, and documentation
burden associated with USCDI data elements. Some commenters also
expressed concerns about the cost burden of implementing USCDI v3,
noting that it could require numerous downstream standards updates,
migration costs, costs to standardize and use unconstrained data, and
costs related to software, IT infrastructure, workforce recruiting and
training, and ongoing operational costs. Several commenters were
particularly concerned about the potential costs to public health
organizations and to small and rural providers, which may have limited
budgets or resources to devote to the implementation of EHR systems
capable of collecting and sharing data according to the USCDI v3
standard. Several commenters suggested that ONC provide resources and
support to providers to help reduce provider burden. One commenter
proposed a test or pilot to ensure that burdens are not shifted to
providers when USCDI v3 is implemented. Another commenter proposed that
ONC consider regulations to prevent developers of certified health IT
from increasing fees due to the update to USCDI v3.
Response. We thank commenters for the feedback regarding
implementation burden and the adoption of USCDI v3. As we have noted,
the adoption of USCDI v3 sets a new baseline for the capability of
Health IT Modules certified to particular certification criteria to
capture and exchange data. USCDI v3 does not dictate when and how
either of those two actions occur, including with what frequency health
care providers document information that could be captured as part of
the data elements within USCDI v3. We also note that we have
established a predictable, transparent, and collaborative expansion
process for USCDI based on public evaluation of previous versions and
submissions by the health IT community. Each of the data elements in
USCDI v3 has been evaluated for overall value, maturity, and ease of
implementation. In addition, the data elements (as applicable) are
represented by health IT standard terminologies, technical
specifications, or implementation guides, and are used extensively in
production electronic systems. We intend to provide implementation
resources such as implementation guide validators for both HL7 C-CDA
and FHIR corresponding implementation guides to USCDI v3. However, we
decline to conduct a test pilot or create additional regulations
focused on burden and USCDI v3 at this time.
We appreciate the comments related to implementation burden for
rural and small providers and understand concerns about the overall
downstream impact of the HTI-1 Proposed Rule on entities beyond
developers of certified health IT to which ONC authorities apply. As
part of our Regulatory Impact Analysis in section VII, we have
identified that developers of certified health IT are largely private
businesses who operate in a competitive marketplace, and they may not
bear all costs to meet regulatory requirements.
Comments. Several commenters expressed concerns about data quality
when USCDI v3 is implemented and suggested that ONC work with the
[[Page 1213]]
industry on developing standards. Several commenters expressed concerns
about the lack of use cases and standards related to USCDI v3 and
suggested that ONC develop those.
Response. We thank commenters for their feedback. We work directly
with HL7 to finalize HL7[supreg] FHIR[supreg] US Core and C-CDA
Companion Guide specifications for each published version of USCDI,
including USCDI v3. These specifications include terminology bindings
to value sets drawn from standard code sets, where appropriate. To
further support implementation of USCDI v3, we will update the C-CDA
validator \34\ and Inferno \35\ test tools to align with USCDI v3 and
validate the quality of the data. We will continue to identify
opportunities to work with industry to improve data quality. For
example, we recently awarded a Leading Edge Acceleration Project (LEAP)
award to explore enabling easy access to high-quality, standardized
healthcare data, with a focus on USCDI in FHIR and open-source
platforms.\36\
---------------------------------------------------------------------------
\34\ https://site.healthit.gov/sandbox-ccda/ccda-validator.
\35\ https://inferno.healthit.gov/.
\36\ https://www.healthit.gov/sites/default/files/page/2023-04/LEAP%20FY2023%20SEN_508.pdf.
---------------------------------------------------------------------------
Comments. Several commenters expressed concern that not all data
elements in USCDI v3 are applicable to all users and urged that ONC
allow EHRs flexibility in adopting USCDI v3. These commenters generally
urged ONC to allow EHRs to add only the data elements needed by their
users. Commenters also urged ONC to explore a modular approach for
USCDI that would group data elements to support specific use cases,
noting that this would help reduce burden and costs while improving
care.
Response. We thank commenters for the input suggesting that ONC
allow flexibility in supporting USCDI v3 data classes and data elements
for purposes of the Program. We decline to allow developers to be
selective in which USCDI v3 data classes and data elements they support
for purposes of the Program. The USCDI standard is intended to provide
a common set of data classes and data elements in support of nationwide
health information exchange, therefore, partial adoption of the USCDI
standard would impact the effectiveness of the standard and impede
interoperability. Additionally, we recognize that not all USCDI v3 data
elements originate in an EHR, however Health IT Modules certified to
particular certification criteria must be able to capture and exchange
the values when available.
Comments. One commenter suggested that ONC establish a framework
for certification of specialty EHRs and non-EHRs to help promote USCDI
uptake across the care continuum.
Response. We thank the commenter for their suggestion that ONC
establish a framework for certification to support specialty EHRs and
non-EHRs to promote USCDI uptake across the care continuum. At this
time, we decline to provide selective certification frameworks for
purposes of the Program. The USCDI standard is intended to provide a
common set of data classes and data elements in support of nationwide
health information exchange.
Comments. Several commenters expressed a preference for USCDI v4
over USCDI v3, noting that it will help the healthcare marketplace and
encourage competition. One comment encouraged ONC to finalize USCDI v4
in 2023 and require support by the end of 2024.
Response. We thank commenters for the comments in support of USCDI
v4. However, we did not propose, and therefore decline to adopt, USCDI
v4 in the USCDI standards in Sec. 170.213 at this time. We have
adopted USCDI v3 in Sec. 170.213(b) as proposed. Additionally, we note
that implementation guides are not yet released to support USCDI v4.
Comments. A number of commenters generally encouraged ONC to work
with CMS on timelines and on alignment with program requirements,
including aligning future USCDI updates with CMS programs.
Response. We thank commenters for the comments regarding working
with CMS and assure commenters that we work closely with CMS across
multiple programs and initiatives on aligning program requirements and
deadlines. We will continue to do so in the future. Those CMS programs
include, but are not limited to, the Quality Payment Program, Inpatient
Quality Reporting Program, and Medicare Promoting Interoperability
Program, as well as regulatory proposals such as the Interoperability
and Prior Authorization Proposed Rule (87 FR 76238).\37\
---------------------------------------------------------------------------
\37\ ``Medicare and Medicaid Programs; Patient Protection and
Affordable Care Act; Advancing Interoperability and Improving Prior
Authorization Processes for Medicare Advantage Organizations,
Medicaid Managed Care Plans, State Medicaid Agencies, Children's
Health Insurance Program (CHIP) Agencies and CHIP Managed Care
Entities, Issuers of Qualified Health Plans on the Federally-
Facilitated Exchanges, Merit-Based Incentive Payment System (MIPS)
Eligible Clinicians, and Eligible Hospitals and Critical Access
Hospitals in the Medicare Promoting Interoperability Program.'' (87
FR 76238). See https://www.federalregister.gov/documents/2022/12/13/2022-26479/medicare-and-medicaid-programs-patient-protection-and-affordable-care-act-advancing-interoperability.
---------------------------------------------------------------------------
Comments. Several commenters encouraged ONC to maintain awareness
of state agency data exchange requirements and to work to alleviate
discrepancies, noting that the variances in USCDI versioning pose
challenges industry-wide if not aligned with state and federal
regulations.
Response. We thank commenters for the comments regarding state
agency data exchange requirements and assure commenters that we monitor
and are aware of state and federal regulations impacting adoption of
USCDI v3.
Comments. There were a number of comments requesting technical
support, education, and other resources or actions from ONC related to
adopting and implementing USCDI v3. These included addressing semantic
differences across health systems, developing mappings and value sets
for data elements, improving the specificity and testing requirements
for USCDI, expediting the availability of high-quality testing tools,
developing and publicizing an analysis of which USCDI elements are
interoperable, and aligning data standardization efforts across
programs.
Response. We acknowledge the comments requesting resources and
technical support from ONC related to adoption of USCDI v3. We maintain
a variety of resources and technical support related to USCDI,
including numerous resources related to the Program. Resources include
Certification Companion Guides (CCGs) and Test Procedures related to
specific certification criterion to assist developers that are seeking
to certify to the criteria.\38\ Any considerations for implementing
USCDI in compliance with these criteria are, additionally, outlined in
these resources. In addition, there is a USCDI CCG that includes
clarifications for specific data classes and elements as they relate to
terminology standards and/or implementation guides. The Program offers
testing and conformance methods for verification that a product meets
criteria requirements. Other technical documentation may be found on
ONC's website: https://www.healthit.gov/uscdi.
---------------------------------------------------------------------------
\38\ https://www.healthit.gov/topic/certification-ehrs/certification-health-it.
---------------------------------------------------------------------------
Comments. There were also a number of commenters that made
suggestions for future versions of USCDI. Commenters suggested
improving the USCDI interface and allowing comment on proposed value
sets. Various commenters suggested adding specific
[[Page 1214]]
---------------------------------------------------------------------------
data elements in future versions of USCDI, including the following:
marital status
education
water insecurity
value-based care
prescription drug insurance information
advance directive documentation
clinical orders
care experience preference
newborn delivery information
vaccine administration date
vaccination event record type
medical record number
mother's maiden name
multiple birth indicator
birth order
Response. We thank commenters for the feedback and suggestions
regarding future versions of USCDI. The USCDI v3 is a published
standard at https://www.healthit.gov/isa/sites/isa/files/2022-10/USCDI-Version-3-October-2022-Errata-Final.pdf and thus it is not possible to
add new data elements to USCDI v3 through the rulemaking process or
other means at this time. We direct commenters to the USCDI website,
available at https://www.healthit.gov/uscdi, where the public is
invited to enter comments on leveled data elements or submit new data
elements for consideration in future versions of USCDI.
a. Certification Criteria That Reference USCDI
As discussed in the HTI-1 Proposed Rule, the USCDI standard is
currently cross-referenced, via cross-reference to Sec. 170.213, in
certain certification criteria (88 FR 23763). The criteria cross-
referencing to USCDI via cross-reference to Sec. 170.213 are as
follows:
``Care coordination--Transitions of care--Create'' (Sec.
170.315(b)(1)(iii)(A)(1));
``Care coordination--Clinical information reconciliation
and incorporation--Reconciliation'' (Sec. 170.315(b)(2)(iii)(D)(1)
through (3));
``Patient engagement--View, download, and transmit to 3rd
party--View'' (Sec. 170.315(e)(1)(i)(A)(1));
``Design and performance--Consolidated CDA creation
performance'' (Sec. 170.315(g)(6)(i)(A));
``Design and performance--Application access--all data
request--Functional requirements'' (Sec. 170.315(g)(9)(i)(A)(1)); and
``Design and performance--Standardized API for patient and
population services--Data response'' (Sec. 170.315(g)(10)(i)(A) and
(B)).
We noted in the HTI-1 Proposed Rule that Sec. 170.315(f)(5) also
currently references Sec. 170.213; however, we proposed to rely on
specific IGs for that criterion, rather than reference Sec. 170.213
(88 FR 23763). We proposed that through December 31, 2024, a Health IT
Module certified to the criteria above that cross-reference Sec.
170.213 may be certified by complying with (1) USCDI v1; (2) USCDI v2
under SVAP; and (3) USCDI v3 (88 FR 23763). We proposed to allow only
USCDI v3 after this date for the criteria that cross-reference Sec.
170.213.
We noted in the HTI-1 Proposed Rule that a developer of certified
health IT will not be required to provide technology updates for
certified criteria or standards to a user who declined such updates;
however, if such an update is not provided, that version of the Health
IT Module will no longer be considered certified under the Program (88
FR 23764).
In the HTI-1 Proposed Rule, we proposed in the preamble to add
introductory text to Sec. 170.213 noting that the Secretary adopts the
following standards as the standards available for representing EHI (88
FR 23764), and we proposed in the regulatory text to add introductory
text to Sec. 170.213 stating the Secretary adopts the following
versions of the USCDI standard (88 FR 23907). This discrepancy was
inadvertent, and we clarify that we intended to propose introductory
text to Sec. 170.213 stating the Secretary adopts the following
versions of the USCDI standard. We also proposed to include the date
the adoption of the standard in Sec. 170.213(a) expires. Consistent
with our proposals in sections III.A and III.C.11, we proposed this
expiration date to be January 1, 2025. Health IT developers with Health
IT Modules certified to certification criteria that reference Sec.
170.213 would have to update such certified health IT to USCDI v3 and
provide it to customers by December 31, 2024. Further, we proposed that
Health IT Modules certified to the above-listed certification criteria
would need to update their Health IT Modules to accommodate USCDI v3
data elements using the FHIR US Core Implementation Guide Version 5.0.1
in Sec. 170.215(b)(1)(ii) and the HL7 CDA[supreg] R2 IG: C-CDA
Templates for Clinical Notes R2.1 Companion Guide, Release 3 in Sec.
170.205(a)(6). We noted in the HTI-1 Proposed Rule that if the FHIR US
Core Implementation Guide and the HL7 CDA[supreg] R2 IG: C-CDA
Templates for Clinical Notes R2.1 Companion Guide are updated before
the date of publication of this final rule, it would be our intent to
consider adopting the updated versions that support USCDI v3.
We refer to the term ``expires'' in standards throughout this final
rule, and it means that the standard is unavailable for use in the
Program, or any other programs that may cite the standard, as of the
expiration date.
Additionally, because we finalized in the ONC Cures Act Final Rule
that the Common Clinical Data Set (CCDS) would no longer be applicable
for certified Health IT Modules 24 months after the publication date of
the ONC Cures Act Final Rule (85 FR 25671), and then extended that date
to December 31, 2022, in the interim final rule titled ``Information
Blocking and the ONC Health IT Certification Program: Extension of
Compliance Dates and Timeframes in Response to the COVID-19 Public
Health Emergency'' (85 FR 70073), we proposed to remove references to
CCDS in the following sections of 45 CFR 170.315: Sec.
170.315(b)(1)(iii)(A)(2); (e)(1)(i)(A)(2); (g)(6)(i)(B); and
(g)(9)(i)(A)(2). In each of those sections, we proposed to instead
include a reference to USCDI. Because Sec. 170.315(b)(6)(ii)(A), which
also references CCDS, is still available for the period before December
31, 2023, we did not propose to remove the reference to CCDS in that
section.
Comments. A number of commenters expressed support for ONC's
proposals regarding certification criteria that reference USCDI.
Commenters stated this would support health equity by design, help
capture more accurate and complete patient data, and help address
health disparities.
Response. We thank commenters for support of our proposals and for
recognizing the potential benefits. We note that the implementation
guides we proposed in the HTI-1 Proposed Rule aligned with USCDI v2,
and since the publication of the HTI-1 Proposed Rule, HL7 released
updated FHIR US Core and C-CDA Companion Guides that align with the
updates to USCDI v3. However, after the publishing of US Core 6.0.0 and
C-CDA Companion Guide 4.0, HL7 found errors with how the guides
implemented data elements in USCDI v3 and had to make updates to those
specifications to align with USCDI v3 and to ensure that USCDI v3 can
be implemented in Health IT Modules. Given the adoption of USCDI v3, we
have finalized the FHIR US Core 6.1.0 and C-CDA Companion Guide R4.1,
which are the most recent versions that align with USCDI v3. FHIR US
Core 6.1.0 and C-CDA Companion Guide R4.1 have not added any
substantial functionality or requirements. We do not believe adoption
of FHIR US Core 6.1.0 and C-CDA Companion Guide R4.1 would contribute
to a greater
[[Page 1215]]
implementation burden, and FHIR US Core 6.1.0 and C-CDA Companion Guide
R4.1 are the only versions of their respective implementation guides
that fully align with and support the complete USCDI v3.
As discussed earlier in this section, we recognize that we stated
in the HTI-1 Proposed Rule that we would consider adopting the most up-
to-date versions of the FHIR US Core and C-CDA Companion Guide
specifications that align with USCDI v3 FHIR US Core 6.01.0 and C-CDA
Companion Guide R4).1. However, after the publishing of FHIR US Core
6.0.0 and C-CDA Companion Guide R4, HL7 found errors with how the
guides implemented data elements in USCDI v3 and had to make updates to
those specifications to align with USCDI v3 and ensure that USCDI v3
can be implemented in Health IT Modules. Adopting FHIR US Core 6.1.0
and C-CDA Companion Guide R4.1 is necessary for developers of certified
health IT to have appropriate implementation guidance to meet the
criteria adopted in this final rule that reference USCDI v3. Based on
public comments on this and prior rulemakings, we believe that the
health IT industry, healthcare standards developers, and health care
providers expect and support ONC making such determinations so that the
adopted version of standards are the most up-to-date available and are
feasible for real-world implementation (see, for example, 85 FR 25677
and 25708).
Comments. Several commenters suggested ONC should establish a more
formal schedule for adopting future versions of USCDI into the Program,
in addition to requests for clarification on the availability of USCDI
v2 under SVAP. Commenters also recommended updating SVAP to allow at
least two new versions of the same standard (e.g., USCDI v2 and USCDI
v3) to be available under SVAP at a time.
Response. We thank the commenters for the suggestion. Generally,
ONC updates USCDI on an annual basis, usually over the summer after an
extensive public comment period. We decline to adopt a more formalized
schedule; however, we promote widely the availability of draft versions
of USCDI and engage heavily with interested parties, including the
HITAC on new versions. As finalized in this rule, developers of
certified health IT are able to certify Health IT Modules to
certification criteria that reference USCDI v1 until it expires on
January 1, 2026. Beginning on January 1, 2026, only USCDI v3 will be
available in Sec. 170.213 as the USCDI standard for use by developers
of certified health IT. Under SVAP, developers of certified health IT
had the opportunity to certify their Health IT Modules to certification
criteria that reference USCDI using USCDI v2 from July 2021 through
December 2023. Because we approved a newer version of USCDI--USCDI v3
in July 2023 as part of approved standards for 2023 SVAP--Health IT
Modules not already certified to USCDI v1 or v2 may adopt USCDI v3
instead. USCDI v2 will not be available for new and updating
certifications via SVAP after December 31, 2023. In this final rule, we
have codified USCDI v3 in Sec. 170.213(b), and thus it will not be
necessary to use the SVAP process to advance to USCDI v3 after this
final rule is effective. In general, these comments are out of scope
for this final rule as we did not request feedback on the SVAP program
as part of the HTI-1 Proposed Rule.
b. USCDI Standard--Data Classes and Elements Added Since USCDI v1
USCDI v3 includes all data elements defined in USCDI v1 and USCDI
v2, as well as additional data elements added in USCDI v3. In the HTI-1
Proposed Rule, we described the data classes and data elements in USCDI
v3 that are not included in USCDI v1, as well as any data classes or
data elements that were changed through the USCDI update processes when
comparing USCDI v3 to USCDI v1 (88 FR 23764). For the overall structure
and organization of the USCDI standard, including USCDI v3, we urged
the public to consult www.healthIT.gov/uscdi. We proposed that each of
the data classes or data elements listed below be included in the USCDI
standard in Sec. 170.213 and be incorporated by reference in Sec.
170.299 as part of our proposal to adopt USCDI v3.
i. Social Determinants of Health (SDOH)
SDOH \39\ are the conditions in which people live, learn, work, and
play, and these conditions affect a wide range of health and quality-
of-life risks and outcomes.\40\ In the HTI-1 Proposed Rule, we stated
that USCDI v3 includes four SDOH data elements that represent aspects
of SDOH data related to the use or purpose of the SDOH data rather than
being based on the domain (88 FR 23764). These data elements are SDOH
Assessment in the Assessment and Plan of Treatment data class, SDOH
Goals in the Goals data class, SDOH Interventions in the Procedures
data class, and SDOH Problems/Health Concerns in the Problems data
class.
---------------------------------------------------------------------------
\39\ See SDOH Toolkit for more information, https://www.healthit.gov/sites/default/files/2023-02/Social%20Determinants%20of%20Health%20Information%20Exchange%20Toolkit%202023_508.pdf.
\40\ https://www.healthit.gov/topic/health-it-health-care-settings/social-determinants-health.
---------------------------------------------------------------------------
Comments. A number of commenters expressed general support for
inclusion of SDOH-related data elements in USCDI v3, often noting that
the access, exchange, and use of these elements by Health IT Modules
certified to particular certification criteria would support the
availability of more information and better care for patients, as well
as more equitable public health interventions.
Response. We thank commenters for the comments expressing support
for the inclusion of SDOH-related data elements in USCDI v3 and for
recognizing the benefits.
Comments. Several commenters did not support the inclusion of data
elements related to SDOH at this time, stating that the proposed data
elements fail to capture a comprehensive view of all SDOH and that
there is a lack of standards related to these data elements. Commenters
also suggested that SDOH-related data elements only be required as part
of USCDI v3 once FHIR-based APIs and implementation guides are
available.
Response. We thank commenters for their comments voicing concern
that SDOH data elements as written in USCDI v3 are not comprehensive
enough, lack standards, and should only be required once FHIR-based
APIs and implementation guides are available. We note that there are
available and applicable standards. Specifically, FHIR US Core 6.1.0
and C-CDA Companion Guide R4.1 support USCDI v3 and align with the SDOH
data elements in USCDI v3. We note that both FHIR US Core 6.1.0 and C-
CDA Companion Guide R4.1 are incremental updates which address errors
and misalignments in their respective prior versions. FHIR US Core
6.1.0 and C-CDA Companion Guide R4.1 have not added any substantial
functionality or requirements. We do not believe adoption of FHIR US
Core 6.1.0 and C-CDA Companion Guide R4.1 would contribute to a greater
implementation burden, and FHIR US Core 6.1.0 and C-CDA Companion Guide
R4.1 are the only versions of their respective implementation guides
that fully align with and support the complete USCDI v3.
As mentioned earlier, we recognize that we proposed different
versions of the US Core and C-CDA Companion Guide specifications but
stated that we would consider newer versions that align with USCDI v3
(FHIR US Core 6.0.0 and C-CDA Companion Guide R4). However, after the
publishing of FHIR US Core 6.0.0 and C-CDA Companion Guide R4, HL7
found errors with how
[[Page 1216]]
the guides implemented data elements in USCDI v3 and had to make
updates to those specifications to align with USCDI v3 and ensure that
USCDI v3 can be implemented in Health IT Modules. Adopting FHIR US Core
6.1.0 and C-CDA Companion Guide R4.1 is necessary for developers of
certified health IT to have appropriate implementation guidance to meet
the criteria adopted in this final rule that reference USCDI v3. Based
on public comments on this and prior rulemakings, we believe that the
health IT industry, healthcare standards developers, and health care
providers expect and support ONC making such determinations so that the
adopted version of standards are the most up-to-date available and are
feasible for real world implementation (see, for example, 85 FR 25677
and 25708).
In addition, the HL7 Gravity Project's Social Determinants of
Health Clinical Care Release 2.0.0 Implementation Guide was published
in October 2022.\41\ While the Gravity Project's Social Determinants of
Health Clinical Care Implementation Guide does not encompass all
possible SDOH aspects, it does define exchange standards for multiple
key domains.
---------------------------------------------------------------------------
\41\ http://hl7.org/fhir/us/sdoh-clinicalcare/STU2/.
---------------------------------------------------------------------------
Comments. Commenters also urged that SDOH data be protected to
ensure the privacy and security of the information, with some
commenters urging ONC to adopt granular data segmentation requirements
along with USCDI v3.
Response. We thank commenters for noting their concerns regarding
SDOH data, specifically the importance of addressing the privacy and
confidentiality of sensitive information. The adoption of USCDI v3 sets
a new baseline for the capability of Health IT Modules certified to
specific certification criteria to capture and exchange data but does
not dictate when and how either of those two actions occur. We did not
propose and are not adopting privacy protections or standards related
to controlling sensitive data that may be represented in USCDI data
elements, including granular data segmentation requirements. However,
we have adopted a new technical requirement as part of the
certification criterion in Sec. 170.315(e)(1) in support of the
development and use of technology to enable the HIPAA Privacy Rule's
individuals' ``right to request a restriction'' as discussed in section
III.C.10. For more on patient requested restrictions on sharing of
their health information, we refer readers to section III.C.10 on
modifications to the ``view, download, and transmit to 3rd party''
certification criterion in Sec. 170.315(e)(1) stating that patients
(and their authorized representatives) must be able to use an internet-
based method to request a restriction to be applied for any data
expressed in the standards in Sec. 170.213. As noted in the HTI-1
Proposed Rule (88 FR 23765), in the 2015 Edition, ONC adopted a
certification criterion to enable users of Health IT Modules(s)
certified to that criterion with the functionality to electronically
capture, modify, and access SDOH data elements--that is information
that identifies common SDOH conditions in a standardized manner--in
Sec. 170.315(a)(15) social, psychological, and behavioral data (80 FR
62631). These functionalities are intended to support users with the
ability to use technology to comply with applicable existing legal
requirements or organizational policies that may require such data
collection and broader, existing industry interests and efforts to
collect and use this data to inform clinical decision-making and
improve patient care by looking at the whole patient, including
leveraging other types of care such as home and community-based
services. ONC supports the use of technology to improve the
standardized capture of a set of health data elements to support the
healthcare industry's need to electronically capture the underlying
data they need or want to collect for healthcare. ONC will continue
working with our federal partners in their efforts to educate
interested parties, including both health care providers and
patients,\42\ regarding the access, exchange, and use of information
about patients and the use of certified health IT.
---------------------------------------------------------------------------
\42\ See e.g., https://www.healthit.gov/topic/patient-access-health-records/patient-access-health-records.
---------------------------------------------------------------------------
Comments. One commenter suggested that a base set of SDOH criteria
for each of the SDOH elements be required, while optional criteria
could be added based on the hospital or provider's specific situation.
Response. We thank the commenter for their suggestion. USCDI v3
includes data elements for SDOH Problems/Health Concerns, SDOH
Assessment, SDOH Goals, and SDOH Interventions. For the purposes of the
Program, developers with Health IT Modules certified to specific
certification criteria must support all USCDI v3 data elements,
including the SDOH data elements for Problems/Health Concerns,
Assessment, Goals, and Interventions. Under these required data
elements, those health IT developers may support any of the SDOH
domains such as referrals, food insecurity, transportation, and housing
security. The USCDI standard is intended to provide a common set of
data classes and data elements to support nationwide health information
exchange and interoperability, and partial adoption of the USCDI
standard would impair its effectiveness in doing so.
Comments. Commenters had a variety of recommendations related to
including SDOH data elements in USCDI v3. Several comments suggested
that ONC partner with standards organizations and others in the
industry in developing and implementing SDOH data elements. Commenters
also suggested that when developing SDOH data elements, ONC should seek
input from patients and advocates representing those with health
disparities. Commenters also suggested that ONC work with CMS and state
Medicaid agencies on capturing and sharing SDOH data. One commenter
suggested aligning SDOH data collection across federal and state
healthcare program reporting requirements.
Response. We thank commenters for the recommendations related to
including SDOH data elements in USCDI v3. We work closely with the HL7
FHIR Gravity Accelerator to develop and implement SDOH data elements.
We also support the HL7 Gravity Pilots Affinity Group and support
testing through connectathons and pilots. Throughout the spring of
2023, we engaged interested parties and the community in the ONC SDOH
Information Exchange Learning Forum, resulting in the creation of an
ONC SDOH Information Exchange Toolkit.\43\ In 2021, we funded a Leading
Edge Acceleration Project for Referral Management to Address SDOH
Aligned with Clinical Care.
---------------------------------------------------------------------------
\43\ https://www.healthit.gov/sites/default/files/2023-02/Social%20Determinants%20of%20Health%20Information%20Exchange%20Toolkit%202023_508.pdf.
---------------------------------------------------------------------------
The HL7 FHIR Gravity Accelerator participants include individuals,
patients, advocates, representatives from payer organizations, social
services organizations, health IT developers, provider associations,
and other government participants, including CMS.
Comments. Several commenters suggested that ONC provide support to
providers and their staff to implement SDOH data elements and ensure
SDOH data is collected, used, and shared appropriately. Commenters
suggested that education and training on SDOH
[[Page 1217]]
data elements, including definitions and use cases, is needed for the
industry, and several commenters suggested that ONC develop standards,
value sets, and mappings related to SDOH data elements.
Response. We thank commenters for the input regarding the need for
support and resources. To support the adoption and implementation of
SDOH data elements, ONC published the SDOH Information Exchange Toolkit
to further support communities working toward achieving health equity
through SDOH information exchange and the use of interoperable,
standardized data. The Toolkit is intended to provide information on
the exchange of SDOH information to interested parties of all
experience levels, as well as identify approaches to advance SDOH
information exchange goals. The audience for the Toolkit includes
states, payers, health care provider networks, human services
providers, and community-based services entities.
Comments. One commenter sought clarification regarding the Medicare
Promoting Interoperability Program requirements and the SDOH Problems/
Health data element and whether there is a need for an option to
indicate ``None.''
Response. We thank commenters for the feedback seeking
clarification regarding the Medicare Promoting Interoperability Program
requirements for the SDOH Problems/Health data element. ONC refers the
commenter to CMS for their program requirements.
ii. Care Team Member
In USCDI v1, the Care Team Member data class had one data element
to capture all aspects about a care team member. USCDI v3 includes five
Care Team Member data elements: Name, Identifier, Role, Location, and
Telecom.
Comments. Several commenters specifically supported the inclusion
in USCDI v3 of the Care Team Member Name and Identifier data elements.
However, several commenters had concerns about the Care Team Member
data elements. These commenters suggested removal of the Care Team
Member Name and Identifier data elements to protect providers or,
alternatively, to let providers opt out of having their information
included and noted that providers may be at risk of personal harm if
their identity is known. Other commenters noted that without standards,
organizations will implement the data elements differently. One
commenter recommended that a value set and coding be provided for the
Care Team Member Role data element.
Response. We thank commenters for the comments regarding Care Team
Member Name, Role and Identifier data elements. We work with the HL7
community to develop vocabulary applicable to USCDI data elements to
ensure standard implementation of these data elements. In addition, we
note that the USCDI v3 is a standard as a whole and has been adopted in
whole, as proposed. As conveyed elsewhere in our responses, the
adoption of USCDI v3 sets a new baseline for the capability of Health
IT Modules certified to particular certification criteria to capture
and exchange such data but does not dictate when and how either of
those two actions occur. Specifically, in the Program, we establish
requirements for Health IT Modules to enable a user to capture or
exchange data. We do not establish requirements in the Program for an
entity to use a certified Health IT Module or for the user of a Health
IT Module to capture or record specific data.
iii. Clinical Notes
For the data element Discharge Summary Note in the Clinical Notes
data class, we specified additional requirements in USCDI v3 including
admission and discharge dates and locations, discharge instructions,
and reason(s) for hospitalization, which are also required elements in
the ``transitions of care'' certification criterion (Sec.
170.315(b)(1)).
Comments. We received several comments supporting the Clinical
Notes data class and data elements, including Discharge Summary Note.
One commenter noted that standardizing the presentation of this
information will improve consistency and reliability. Another commenter
focused on the specified Logical Observation Identifiers Names and
Codes (LOINC[supreg]) codes and recommended linking them to
International Classification of Diseases, Tenth Revision, Clinical
Modification (ICD-10-CM) -Z codes and/or SNOMED-CT, which represent
concepts rather than specific questions and answers, and recommended
considering one-to-many bindings. One commenter sought clarification
regarding whether ONC certification would require support for both
structured and unstructured narrative findings.
Response. We thank commenters for the comments on the Clinical
Notes data class and data elements regarding standardization. Health IT
developers certifying Health IT Modules to certification criteria that
reference USCDI v3 must align with the applicable vocabulary standards
as defined in USCDI v3 and with the requirements in the C-CDA Companion
Guide R4.1 and FHIR US Core 6.1.0 that list concept codes from the
LOINC Document Ontology to identify the note type. Many certification
criteria reference the USCDI standard, which comprises either
structured or unstructured narrative notes.
iv. Clinical Tests
USCDI v3 includes a data class for Clinical Tests, which has two
data elements, Clinical Test and Clinical Test Result/Report. This is a
new data class as compared to USCDI v1.
Comments. We received several comments expressing concerns
regarding the Clinical Tests data class and data elements. One
commenter expressed concerns about the Clinical Tests Results/Report
data element, stressing that human interpretation is needed and that it
could be dangerous to send test results without ``normal'' or
``abnormal'' indicators, or a reference range. One commenter sought
clarification regarding whether ONC will require support for both
structured and unstructured narrative findings. One commenter noted
that the availability of clinical tests in EHR systems varies
substantially.
Response. We appreciate the comments regarding concerns about how
the Clinical Tests data elements are implemented. The two data elements
represent the minimum information necessary to convey patient data for
non-laboratory and non-diagnostic imaging tests, such as
electrocardiograms and visual acuity. We agree with the commenter that
supplemental data such as ``normal,'' ``abnormal,'' or reference ranges
provide valuable information. However, the USCDI v3 is a published
standard at www.healthit.gov/uscdi and thus it is not possible to add
new data elements to USCDI v3 through the rulemaking process or other
means at this time. We direct commenters to the USCDI website available
at https://www.healthit.gov/uscdi where the public is invited to enter
comments on leveled data elements or submit new data elements for
consideration in future version of USCDI. Health IT developers are
encouraged to work with their customers to exchange data that adds
value. The Clinical Test data element must be represented with a
LOINC[supreg] code to indicate the specific test performed or planned.
The Clinical Test Result/Report data element may be structured and
represented using a code set such as SNOMED CT U.S. Edition, or
unstructured and represented with free text. The Program does not
require
[[Page 1218]]
the use of standardized vocabularies for Clinical Test Result/Report.
ONC acknowledges that clinical test availability varies within and
across EHR systems. However, Health IT Modules certified to criteria
that reference the USCDI standards in Sec. 170.213 must have the
capability to exchange clinical test data.
v. Diagnostics Imaging
USCDI v3 includes the Diagnostic Imaging data class and its two
elements: Diagnostic Imaging Test and Diagnostic Imaging Report. This
is a new data class as compared to USCDI v1.
Comments. We received comments on the Diagnostic Imaging data class
noting that many specialty health IT systems may not integrate with or
support imaging services, and a requirement to support this data class
could be infeasible for some systems or result in unused capabilities.
Response. We thank commenters for their input. We understand that
many specialty health IT systems do not integrate with or support
imaging services. The data elements in the Diagnostic Imaging data
class are not specific to the actual images that may be housed or
supported in an image storing system, but rather are based on types of
diagnostic imaging referenced by LOINC[supreg] codes and the
interpreted imaging test results in a report. USCDI is not specific to
a setting of care, a healthcare specialty, or a specific category of
health IT user; the standard provides a common set of data classes and
data elements that can be used for nationwide, interoperable health
information exchange. To ensure interoperability for the core set of
data in the USCDI, it is important for developers of certified health
IT to support the complete USCDI where required for health IT
certification criteria in the Program. To the extent that such
specialty health IT systems are not certified to certification criteria
that reference Sec. 170.213, then they would not have to support this
data class.
vi. Encounter Information
USCDI v3 includes the Encounter Information data class, which
includes five data elements: Encounter Type, Encounter Diagnosis,
Encounter Time, Encounter Location, and Encounter Disposition. This is
a new data class as compared to USCDI v1.
Comments. One commenter expressed specific agreement and support of
the Encounter Information data class. Several comments expressed
concerns, including regarding a lack of standards. One commenter
recommended only adopting the Encounter Diagnosis data element since it
does have a standard. One commenter expressed concern that Encounter
Information would identify information about pregnancy termination
services that could be misused and lead to administrative or criminal
investigations of patients and providers. Another commenter sought
confirmation regarding whether inpatient encounters need to be included
and suggested that they be included in a final rule.
Response. We have reviewed the comments regarding the Encounter
Information data class and concerns around the lack of standards. The
USCDI v3 data classes and data elements apply to inpatients and
outpatients and define applicable vocabulary standards where
appropriate. The Encounter Diagnosis data element references the SNOMED
CT U.S. Edition and ICD-10-CM vocabulary standards. Regarding comments
on privacy and security of Encounter Information and related services,
we note the adoption of USCDI v3 sets a new baseline for the capability
of Health IT Modules certified to particular certification criteria to
capture and exchange data but does not dictate when and how either of
those two actions occur.
vii. Health Insurance Information
USCDI v3 includes the Health Insurance Information data class,
which provides an opportunity for health IT to capture and exchange key
elements of healthcare insurance coverage. This is a new data class as
compared to USCDI v1. This data class includes seven data elements:
Coverage Status, Coverage Type, Relationship to Subscriber, Member
Identifier, Subscriber Identifier, Group Identifier, and Payer
Identifier.
Comments. A number of commenters expressed support for the Health
Insurance Information data class. Comments included that it would be
vital for emergency medical services (EMS) providers to receive
reimbursement and that it will open opportunities for patients and
providers to use beneficial apps, such as those related to cost
barriers and administrative transactions.
Response. We thank commenters for their support of the Health
Insurance Information data class and for recognizing the potential
benefits.
Comments. A number of commenters expressed concern or did not
support the Health Insurance Information data class. Several commenters
stated that the data elements needed more standardization before they
should be required, and that it was unreasonable to include this data
class because there are no related standards yet. One commenter stated
that the Health Insurance Information data class is problematic because
there is no guidance about how to align this proposed standard with the
proposed US Core IG v5.0.1 that payers would be required to adopt via
the Interoperability and Prior Authorization Proposed Rule (87 FR
76238). The commenter stated that ONC's proposal does not align with
the changes proposed in the Interoperability and Prior Authorization
Proposed Rule. Commenters also stated that prior authorization
standards were needed for payers to see value in this data class.
Additionally, commenters expressed concern that most health IT systems
seeking certification would need to rely on third-party systems to
support documentation and storage of health insurance data. Commenters
also stated that ONC should not add data elements to the USCDI that
duplicate processes housed in practice management systems. Several
commenters stated that USCDI v3 should not be required until the Health
Insurance Information data class is revised, or that USCDI v3 should be
adopted without the Health Insurance Information data class included.
Commenters also stated that the Health Insurance Information data class
should not have to be shared until CMS clarifies which data elements do
not have to be shared through the Payer-to-Payer API to avoid the
exchange of competitively sensitive information.
Response. We have considered the comments expressing concern about
the Health Insurance Information data class. We do not agree that there
are no related standards for these data elements, as HL7 FHIR US Core
and the C-CDA Companion Guide support the Health Insurance Information
data elements and include references to standard vocabulary where
available and in use. Regarding alignment with requirements proposed by
CMS in the Interoperability and Prior Authorization Proposed Rule, we
refer readers to CMS' proposals in the Interoperability and Prior
Authorization Proposed Rule to allow payers to use updated versions of
standards in Sec. 170.215, subject to certain conditions including
approval for use by the National Coordinator (87 FR 76315). We also
note that in the Interoperability and Prior Authorization Proposed
Rule, CMS has proposed to allow flexibility for use of a version of the
USCDI standard in Sec. 170.213 (87 FR 76250) where proposed payer API
requirements reference the USCDI, which will include USCDI v3 under our
finalized policy. We further disagree
[[Page 1219]]
with the concerns reflected in the comments about the burden that would
be associated with sharing this data and believe these comments may not
accurately reflect what is expected from the USCDI v3 data elements.
The data elements in this data class are to exchange information about
whether a patient has insurance coverage, and the type of coverage.
Also included are elements that provide information about the plan. The
Health Insurance Information data elements do not include any claims
specific information. Additionally, we recognize that this information
may or may not originate in an EHR, however Health IT Modules certified
to certification criteria that reference Sec. 170.213 must be able to
capture and exchange the values when available.
Regarding the comment about this data only being valuable with
respect to prior authorization standards, we note that such standards
may be adopted in the future and believe that this information can
provide substantial value at present by supporting the availability of
data about coverage that is important for health care providers to
understand a patient's situation. We recently sought comment through an
RFI titled ``Electronic Prior Authorization Standards, Implementation
Specifications, and Certification Criteria'' (87 FR 3475), which
appeared in the January 24, 2022 issue of the Federal Register, on how
updates to the Program could support electronic prior authorization. We
have reviewed comments, and this information may be used to inform a
future rulemaking related to the ONC Health IT Certification Program
and electronic prior authorization. We will continue to work with CMS
to ensure alignment with our rules.
Comments. Several commenters also expressed privacy concerns
regarding the Health Insurance Information data class. Commenters
suggested that ONC revise the data class to protect patient privacy and
that ONC should remove data elements that provide personally
identifiable information not supportive of patient care, such as
``group identifier.'' Commenters also expressed concern about the
inclusion of financial data in the USCDI, the sharing of claim-level
payment information and the disclosure of confidentially negotiated
rates.
Response. As we have noted in similarly themed comments, the
adoption of USCDI v3 sets a new baseline for the capability of Health
IT Modules certified to particular certification criteria to capture
and exchange data but does not dictate when and how either of those two
actions occur. Further, the concerns expressed related to financial
data including claim-level payment and negotiated rates are not within
scope of the HTI-1 Proposed Rule because USCDI v3 does not include any
financial, claim level, or negotiated rate data elements.
Comments. Commenters suggested that the data class should focus on
data elements related to whether a person has insurance coverage, the
type of coverage, and which payers are covering the patient. Other
commenters suggested that the data class should be revised to focus on
sharing information that can be collected based on national standards.
Commenters also stated that vendors use different health insurance
payer identification numbers, making it challenging to match records,
and that ONC should work with the industry to adopt a single source for
payer identification. One commenter recommended including both medical
insurance and prescription insurance as part of the data elements, and
another comment recommended that ONC adopt the data elements included
in the CARIN IG for Blue Button.
Response. We appreciate the additional suggestions. The data
elements in the Health Insurance Information class are to exchange
information about whether a patient has insurance coverage, and the
type of coverage. Also included are elements that provide information
about the plan.
The USCDI v3 is a published standard at www.healthit.gov/uscdi and
thus it is not possible to add new data elements to USCDI v3 through
the rulemaking process or other means at this time. We direct
commenters to the USCDI website available at www.healthit.gov/uscdi
where the public is invited to enter comments on leveled data elements
or submit new data elements for consideration in future versions of
USCDI.
Comments. Commenters sought clarification regarding the Coverage
Status data element and if it should indicate whether and which type of
health insurance a patient has, rather than if specific services are
covered. One commenter sought clarification for why the value set for
Coverage Type data element was not a required standard in USCDI v3.
Commenters also sought clarification regarding whether health insurance
includes both medical and prescription insurance.
Response. The Health Insurance data class is intended to capture
data related to an individual's insurance coverage for healthcare
including medical and prescription insurance. Coverage Status is
defined in USCDI v3 as the presence or absence of healthcare insurance,
whereas Coverage Type is designed to communicate the category of
healthcare payer (e.g., Medicare, Commercial, Managed Care--PPO). ONC
refers implementers to the US Core and C-CDA implementation guides for
guidance on specific value sets. For future versions of USCDI, we
encourage interested parties to provide feedback for applicable
vocabulary standards, for the Coverage Type and Coverage Status data
elements during an open comment period at https://www.healthit.gov/uscdi.
viii. Health Status Assessments
USCDI v3 includes a data class called Health Status Assessments,
which contains four new data elements: Disability Status, Mental/
Cognitive Status, Functional Status, and Pregnancy Status. This is a
new data class as compared to USCDI v1. In USCDI v3, the Health Status
Assessments data class also includes two data elements that have been
recategorized, Health Concerns and Smoking Status, which were
previously part of different data classes in USCDI.
Comments. Several commenters expressed concerns about the Health
Status Assessment data class. One commenter noted that Health Status
Assessments often vary from provider to provider and that requiring
these data elements from non-standardized forms by the proposed
deadline is not possible. One commenter noted that it is not clear how
the USCDI data elements apply to mental/behavioral health and substance
use treatment data.
Response. We thank commenters and acknowledge that assessments
often vary from provider to provider. The USCDI data elements in this
data class reference applicable vocabulary standards, including LOINC
and SNOMED CT U.S. Edition, to identify the assessment and related
questions which may identify not only the assessment or survey
instrument, but may also allow for understanding the semantics of the
assessment data. The USCDI v3 includes a Mental/Cognitive Status data
element to support the exchange of mental/behavioral health data. There
are new data elements in USCDI v4 that capture Alcohol Use and
Substance Use assessments. We clarify that USCDI v4 is not being
adopted as a standard in this final rule. Additionally, USCDI v4 is not
available through SVAP at this time. Generally, approved SVAP versions
of standards are announced in June each year and
[[Page 1220]]
become effective for Program use after a 60-day period.\44\
---------------------------------------------------------------------------
\44\ https://www.healthit.gov/sites/default/files/2023-07/2023_SVAP_Fact_Sheet.pdf.
---------------------------------------------------------------------------
Comments. The majority of the comments on the Health Status
Assessment data class were related to the Pregnancy Status data
element. One commenter expressed support for including Pregnancy Status
as a data element, but most comments expressed concerns about Pregnancy
Status, including regarding legal implications for providers and that
sharing this information in patients' records without their express
consent could create real dangers. Some commenters recommended
reconsidering this data element given the increased criminalization of
reproductive health and pregnancy-related care. Commenters suggested
delaying the inclusion of this data element until patient requested
restrictions could be fully operationalized. Commenters also noted a
lack of standards around this data element and stated that without
standards, incompatible data could be entered for Pregnancy Status, and
recommended against including it as a data element until there is a
defined standard. One commenter recommended also including Pregnancy
Intention Screening as a data element.
Response. We appreciate the comments regarding privacy concerns
expressed above. The adoption of USCDI v3 sets a new baseline for the
capability of Health IT Modules certified to particular certification
criteria to capture and exchange data but does not dictate when and how
either of those two actions occur. For more on patient requested
restrictions on sharing of their health information, we refer readers
to section III.C.10 on modifications to the ``view, download, and
transmit to 3rd party'' certification criterion in Sec. 170.315(e)(1),
stating patients (and their authorized representatives) must be able to
use an internet-based method to request a restriction to be applied for
any data expressed in the standards in Sec. 170.213.
The USCDI v3 is a published standard at www.healthit.gov/uscdi and
thus it is not possible to add new data elements to USCDI v3 through
the rulemaking process or other means at this time. We direct
commenters to the USCDI website available at www.healthit.gov/uscdi
where the public is invited to enter comments on leveled data elements
or submit new data elements for consideration in future versions of
USCDI. Commenters are directed to the FHIR US Core 6.1.0 and C-CDA
Companion Guide R4.1 for guidance on how to implement the Pregnancy
Status data element.
ix. Laboratory
USCDI v3 includes Specimen Type and Result Status data elements,
which have been added to the USCDI Laboratory data class to address
public health reporting priorities.
We did not receive comments to specifically respond to with
clarifications.
x. Medications
USCDI v3 includes Dose, Dose Unit of Measure, Indication, and Fill
Status data elements, which have been added to the Medications data
class in response to public feedback. These data elements are necessary
for certain CMS reporting programs and are also critical to certain ONC
certification criteria (including the ``electronic prescribing
certification'' criterion at Sec. 170.315(b)(3)).
Comments. Several comments expressed concern about the lack of
standards for data elements in the Medications data class, including
Medications, Indication, and Fill Status. One comment noted that Fill
Status data is generally maintained by pharmacy systems and many
systems seeking certification would not natively support documentation
and storage of this information. One comment stated that USCDI v3 is
not clear regarding what must be included for the Medications data
element and that more specificity could improve patient care and
safety.
Response. The Medications data element includes both RxNorm and NDC
as applicable vocabulary standards in USCDI v3. The HL7 FHIR US Core
Implementation Guide and C-CDA Companion Guide for USCDI v3 have
defined terminology bindings for Indication to include value sets drawn
from both SNOMED CT U.S. Edition and ICD-10-CM. Regarding the utility
of including Fill Status in the USCDI v3, we recognize that this
information may or may not originate in an EHR, however certified
health IT with Health IT Modules certified to particular certification
criteria that reference Sec. 170.213 must be able to capture and
exchange the value when it is available.
xi. Patient Demographics/Information
Based on submissions and comments during the USCDI update processes
described above, we changed or added data elements in the Patient
Demographics/Information data class. USCDI v3 includes data elements
Sexual Orientation and Gender Identity, which have been added to the
USCDI Patient Demographics/Information data class. As described in the
HTI-1 Proposed Rule, we previously adopted standards for Sexual
Orientation in the demographics criterion in Sec. 170.315(a)(5)(i)(D)
and for Gender Identity in the demographics criterion in Sec.
170.315(a)(5)(i)(E) that included requirements to code Sexual
Orientation and Gender Identity according to the adopted SNOMED
CT[supreg] U.S. Edition codes and HL7 Version 3 Standard, Value Sets
for AdministrativeGender and NullFlavor, as referenced Sec.
170.207(o)(1) and Sec. 170.207(o)(2), respectively (88 FR 23766). We
proposed to remove the requirement to use specific codes for
representing Sexual Orientation and Gender Identity and have removed
the codes as applicable vocabulary standards from USCDI v3. We proposed
that certified health IT with Health IT Modules certified to particular
certification criteria that reference Sec. 170.213 would be required
to be capable of representing Sexual Orientation and Gender Identity in
SNOMED CT[supreg] U.S. Edition when such information is exchanged as
part of USCDI. We stated in the HTI-1 Proposed Rule that we believe it
is best to let the health IT community develop the list of appropriate
values for Sexual Orientation and Gender Identity, whether through
implementation specifications or developing additional codes in SNOMED
CT[supreg] U.S. Edition (88 FR 23766).
As described in the HTI-1 Proposed Rule, we have recharacterized
the USCDI data element Sex (Assigned at Birth) to Sex (88 FR 23766). We
proposed to remove the requirement in Sec. 170.315(a)(5)(i)(C) and
Sec. 170.315(b)(1)(iii)(G)(3) to code Sex according to the adopted
value sets of HL7 Version 3 Value Sets for AdministrativeGender and
NullFlavor as referenced in the value sets in Sec. 170.207(n)(1). We
proposed instead to permit coding according to either the adopted value
sets of HL7 Version 3 Value Sets for AdministrativeGender and
NullFlavor as referenced in the value sets in Sec. 170.207(n)(1) until
December 31, 2025, or in accordance with the standard in proposed Sec.
170.207(n)(2). We also proposed to no longer require the use of
specific code sets for representing Sex and have removed the codes from
USCDI v3. We proposed that certified health IT with Health IT Modules
certified to certification criteria that reference Sec. 170.213 would
be required to be capable of representing Sex in SNOMED CT when such
information is exchanged as part of USCDI. We proposed to adopt the
same changes for relevant certification criteria that reference these
[[Page 1221]]
standards (see sections III.C.8 and III.C.9).
In the HTI-1 Proposed Rule, we noted efforts to develop a
clinically meaningful way for identifying a patient's sex from
observable information that may be suitable for clinical care,
including the development of a new data element Sex for Clinical Use,
and sought public comment on this concept and approach (88 FR 23766).
In addition, as noted in our proposals to the ``patient demographics
and observations'' certification criterion in Sec. 170.315(a)(5), we
proposed to adopt the same changes for relevant certification criteria
that reference these standards (see sections III.C.8 and III.C.9).
As discussed in the HTI-1 Proposed Rule, a new standard for patient
addresses, the Unified Specification for Address in Health Care
(US@),\45\ emerged and was released in 2022 (88 FR 23767). After
receiving broad support from the public, ONC has incorporated the
Project US@ Technical Specification version 1 as the applicable
standard for Current Address and Previous Address in USCDI v3.
---------------------------------------------------------------------------
\45\ https://oncprojectracking.healthit.gov/wiki/pages/viewpage.action?pageId=180486153.
---------------------------------------------------------------------------
Also as discussed in the HTI-1 Proposed Rule, USCDI v3 includes six
data elements added to the USCDI Patient Demographics/Information data
class: Related Person's Name, Related Person's Relationship, Date of
Death, Occupation, Occupation Industry, and Tribal Affiliation.
Comments. Several commenters explicitly expressed support for the
Patient Demographics/Information data class, noting that this will
improve healthcare quality, enhance communication, bolster cultural
competency, and support the ability of providers to gather and exchange
the information needed to make the best care plans for their patients.
Response. We thank commenters for their support of the Patient
Demographics/Information data class and for noting the potential
benefits.
Comments. Some commenters had concerns about the Patient
Demographics/Information data class, including that it was not
reasonable to require the full data class. Additionally, comments
included recommendations for ONC with respect to the Patient
Demographics/Information data class. Comments recommended aligning
deadlines with the availability of FHIR-based APIs to ensure
consistency across interested parties and aligning the USCDI Patient
Demographics/Information data class with CMS definitions of the
included data elements.
Response. We receive submissions and comments from federal
partners, including CMS, on the USCDI and will continue to work towards
alignment where appropriate with these partners. With respect to the
suggestions regarding flexibility in supporting USCDI v3 data classes
and data elements for purposes of the Program, we decline to allow
developers to be selective in which USCDI v3 data classes and data
elements they support for purposes of the Program. Because the USCDI
standard is intended to provide a common set of data classes and data
elements in support of nationwide health information exchange, partial
adoption of the USCDI standard would impact the effectiveness of the
standard and impede interoperability.
Comments. Specific comments about data elements stated that
standards should be included to restrict date formats for Date of Birth
and Date of Death data elements, and that Previous Name and Tribal
Affiliation data elements should not be included in USCDI v3 until
there are standards for them. One commenter asked for clarification on
whether detailed race standards or free text fields should be used for
Tribal Affiliation.
Response. We thank commenters for the feedback on the lack of
standards for the Date of Birth and Date of Death data elements. We
direct commenters to the HL7 FHIR US Core Implementation Guide and the
C-CDA Companion Guide when an applicable standard is not identified in
USCDI. In addition, these implementation guides provide guidance for
exchanging Previous Name and Tribal Affiliation, the latter of which
includes a vocabulary binding to a harmonized value set.
Comments. A number of commenters addressed the Sexual Orientation
and Gender Identity (SOGI) and Sex data elements. Many of those
commenters expressed support for including SOGI data elements, for
removal of the requirement to use specific codes for representing SOGI,
and for updating SOGI codes with SNOMED CT. Some of these commenters
noted that this would reduce burden and would facilitate identifying
disparities and improving outcomes for the LGBTQ+ population.
Response. We thank commenters for the feedback in support of the
Sexual Orientation, Gender Identity, and Sex data elements and related
requirements and standards, and for recognizing the potential benefits.
Comments. Several commenters expressed concerns related to the SOGI
data elements, including that best practices around SOGI data are not
well established and that there could be unintended confusion around
the terms. Commenters also stressed the need for standardized codes
related to SOGI, the importance of industry collaboration, and the
value of education on SOGI data elements and use cases. One commenter
noted that patients are historically reluctant to answer questions on
sexual identity and this may lead to lower accuracy. One commenter
stated that the health IT industry will not coalesce around value sets
for Sex, Sexual Orientation and Gender Identity data elements and urged
ONC to create them. Commenters also noted that several existing
definitions within the proposed standards for SOGI expire on December
31, 2025, and recommended aligning deadlines.
Response. We appreciate the detailed comments. We defined SNOMED
CT, U.S. Edition as the vocabulary standard for Sex, Sexual
Orientation, and Gender Identity in USCDI v3. We collaborated with HL7,
and the HL7 Gender Harmony Project team to update the US Core
Implementation Guide and C-CDA Companion Guide with references to value
sets with specific SNOMED CT U.S. Edition concepts. We work closely
with federal partners to promote quality data capture and storage
practices using standard terminology. We encourage providers to work
with their patients to understand how and when this data is valuable
for patient care and to address the situation where a patient may be
reluctant to share information.
Comments. One commenter stated that changing Sex (assigned at
birth) to Sex would lead to inconsistency and that it would be
preferable to define a series of specific data elements with clear
definitions related to this data class. One commenter sought
clarification that under USCDI v3 developers should continue exchanging
the same data from their systems that is currently being exchanged as
the Sex (assigned at birth) data element to comply with requirements
for the Sex data element.
Response. We thank commenters for the input regarding the Sex data
element in USCDI v3 and concerns regarding the update from Sex
(Assigned at Birth) in USCDI v2 to Sex in USCDI v3. We, along with the
HL7 community recognized that Sex (Assigned at Birth) has been used to
represent different concepts not always associated with the value
assigned at time of birth such as clinically relevant sex for
laboratory tests or diagnostic imaging, and administrative sex recorded
on birth certificates and health forms. The values
[[Page 1222]]
used for each instance may not be the same for a given patient.
Furthermore, the value set referenced in earlier versions of USCDI for
Sex (Assigned at Birth) does not include all possible values that
represent sex. We therefore removed the reference to the limited value
set previously used and expanded the applicable vocabulary standard to
the SNOMED CT U.S. Edition code set. ONC worked closely with HL7
Structured Documents and US Core teams to update the US Core
Implementation Guide and the C-CDA Companion Guide to distinguish
between Sex (Assigned at Birth) and Sex as separate data elements. It
is ONC's intent that developers continue exchanging the same data from
their systems that is currently being exchanged as Sex (Assigned at
Birth) and additionally exchange the USCDI v3 Sex data element.
Comments. In the HTI-1 Proposed Rule, we stated that we welcomed
public comment on the development and inclusion in future standards of
a new data element Sex for Clinical Use (88 FR 23766). We received
several comments in support of including a Sex for Clinical Use data
element in future versions of USCDI, generally because of the perceived
benefits. One commenter opposed inclusion of Sex for Clinical Use as a
data element in USCDI without further consultation with transgender and
intersex communities. However, most of the comments about Sex for
Clinical Use related to proposals regarding the Sex for Clinical Use
data element in the ``patient demographics and observations''
criterion.
Response. We thank commenters for these suggestions. Sex for
Clinical Use may be considered for inclusion as a data element in a
future version of USCDI. We received comments related to Sex for
Clinical Use as it relates to the ``patient demographics and
observations'' certification criterion, and we discuss those comments
in section III.C.8 of this final rule concerning the ``patient
demographics and observations'' certification criterion in Sec.
170.315(a)(5).
Comments. There were several comments related to the Race and
Ethnicity data elements. Commenters expressed concerns about upgrading
to the 2022 version of the Centers for Disease Control and Prevention
(CDC) Race and Ethnicity code sets because this would add burden to the
industry and recommended only adding codes and not changing existing
ones. Commenters requested clarification on why this change was needed
and the benefits. Commenters also noted that ONC should follow efforts
by the Office of Management and Budget (OMB) regarding adoption of new
race and ethnicity data standards.
Response. We thank commenters for the input regarding the Race and
Ethnicity data elements. We did not propose updating to the 2022
version of the Centers for Disease Control and Prevention (CDC) Race
and Ethnicity code set at this time as the 2022 version of CDC Race and
Ethnicity code set has not been released. We assure commenters that we
follow efforts by OMB regarding adoption of new race and ethnicity
standards.
Comments. Several commenters asked for additional guidance,
including on how data for the Patient Demographics/Information data
class is collected and used, and on terminology related to SOGI. One
commenter requested that ONC clarify how interested parties should
address conflicting information among SOGI data elements due to
disparities in elements and collection. One comment stated that ONC
should encourage healthcare organizations to offer the term
``nonbinary'' as a Gender Identity data element field.
Response. We thank commenters for the feedback. We do not dictate
when and how capture and exchange of USCDI data elements occur, nor how
conflicting information may be reconciled. We also do not require
specific concepts, such as ``nonbinary,'' from the applicable
vocabulary standard, SNOMED CT U.S. Edition for Gender Identity, and
instead defer to the HL7 FHIR US Core Implementation Guide, HL7 v2 and
C-CDA Companion Guide to declare value sets appropriate for use.
xii. Problems
As discussed in sub-section i of this section, USCDI v3 includes
the SDOH Problems/Health Concerns data element added to the prior USCDI
Problems data class. In addition, USCDI v3 includes Date of Diagnosis
and Date of Resolution data elements added to the prior USCDI Problems
data class to include timing elements for recorded and maintained
problem lists within electronic health records.
Comments. A couple of commenters noted a lack of standards for the
Date of Diagnosis, Date of Resolution, and Problems data elements.
Commenters stated that the lack of standards constricting date formats
impacts interoperability, and that the Problems data element should be
able to indicate a degree of importance.
Response. We thank commenters for the input regarding the lack of
standards for Date of Diagnosis, Date of Resolution, and Problems data
elements. While the USCDI v3 does not identify applicable vocabulary
standards for the data elements, the HL7 FHIR US Core Implementation
Guide and C-CDA Companion Guide define the allowable date formats.
Addressing the comment about indicating a degree of importance for
a Problem, the USCDI v3 is a published standard at www.healthit.gov/
uscdi and thus it is not possible to add new data elements to USCDI v3
through the rulemaking process or other means at this time. We direct
commenters to the USCDI website available at www.healthit.gov/uscdi
where the public is invited to enter comments on leveled data elements
or submit new data elements for consideration in future versions of
USCDI.
xiii. Procedures
USCDI v3 includes the Reason for Referral data element added to the
prior USCDI Procedures data class. As discussed in sub-section i of
this section, the USCDI v3 also includes the SDOH Interventions data
element added to the prior USCDI Procedures data class.
Comments. One commenter on the Procedures data class recommended
that USCDI v3 specify that CDT is the applicable standard for
technology developed to record dental procedures.
Response. We thank the commenter for the comment and note that the
Code on Dental Procedures and Nomenclature (CDT) is included in USCDI
v3 as an applicable standard in the USCDI v3 Procedures data element in
the Procedures Data Class and may be used when exchanging dental
procedures.
xiv. Updated Versions of Vocabulary Standard Code Sets
In the 2015 Edition Final Rule, we established a policy for minimum
standards code sets that update frequently throughout a calendar year
at 80 FR 62612, and we have listed several standards as minimum
standards code sets in 45 CFR part 170 subpart B. As with all adopted
minimum standards code sets, health IT can be certified to newer
versions of the adopted baseline version minimum standards code sets
for purposes of certification, unless the Secretary specifically
prohibits the use of a newer version (see Sec. 170.555 and 77 FR
54268). In USCDI v3, we included the versions of the minimum standards
code sets available when we published USCDI v3. We have adopted the
minimum standards code sets we proposed in the HTI-1 Proposed Rule.
Comments. Commenters recommended that HL7, LOINC, SNOMED CT U.S.
Edition, and RxNorm
[[Page 1223]]
vocabulary bindings be added to the USCDI criteria in the final rule.
Response. We thank commenters for the comments related to
vocabulary and vocabulary bindings in USCDI. USCDI v3 includes required
and optional applicable vocabulary standards with references to code
sets for data elements where an encoded value is expected and where a
code set has been identified and is in use. This general binding to a
code system may be further refined in the HL7 implementation guides.
xv. Unique Device Identifier(s) for a Patient's Implantable Device(s)
Comments. Several commenters specifically supported Unique Device
Identifier(s) for a Patient's Implantable Device(s) as a data class and
data element in USCDI v3. One commenter encouraged ONC to include this
data element in all information exchanges and to work with CMS to tie
Unique Device Identifier codes to payment for devices.
Response. We thank commenters for the comments regarding Unique
Device Identifier(s) for a Patient's Implantable Device(s). Regarding
requests that ONC work with CMS on alignment, we assure commenters that
we work closely with CMS across multiple programs and initiatives to
align program requirements and deadlines and will continue to do so in
the future.
xvi. Vital Signs
Comments. One commenter expressed concern that without dates and
times, vital signs information is not meaningful and potentially
dangerous.
Response. We thank commenters for the comments and understand the
concern. The HL7 FHIR US Core Implementation Guide (both the prior and
updated versions) adopted in Sec. 170.215(b)(1) and incorporated by
reference in Sec. 170.299 and the HL7 C-CDA R2.1 base standard adopted
in Sec. 170.205(a)(4) and incorporated by reference in Sec. 170.299
require dates and times when exchanging vital signs.
After consideration of all comments regarding the data classes and
data elements in USCDI v3, we have finalized our adoption of USCDI v3
in Sec. 170.213(b) as proposed. We have extended the date USCDI v1
expires as a standard for use in the Program to January 1, 2026.
2. C-CDA Companion Guide Updates
We proposed to adopt the HL7[supreg] CDA[supreg] R2 Implementation
Guide: C-CDA Templates for Clinical Notes STU Companion Guide, Release
3--US Realm in Sec. 170.205(a)(6) (``C-CDA Companion Guide R3''). The
C-CDA Companion Guide R3 provides supplemental guidance and additional
technical clarification for specifying data in the C-CDA Release 2.1
for USCDI v2. We stated that if the C-CDA Companion Guide Release 4 (C-
CDA Companion Guide R4) is published before the date of publication of
this final rule, it would be our intention to consider adopting the
updated C-CDA Companion Guide R4 that provides guidance and
clarifications for specifying data in USCDI v3 in Sec. 170.205(a)(6),
since we proposed to adopt USCDI v3 as the baseline (88 FR 23767).
As mentioned above, HL7[supreg] has been updating the C-CDA
Companion Guide to accommodate the new data classes and data elements
in each USCDI version. To allow developers to voluntarily update to
USCDI v2, ONC included the C-CDA Companion Guide R3 in the SVAP
Approved Standards List for 2022. ONC released the SVAP Approved
Standards List for 2022 in June 2022. We stated in the HTI-1 Proposed
Rule that we anticipated that the C-CDA Companion Guide R4 would
support updates included in the proposed USCDI v3 and that the adoption
of the C-CDA Companion Guide R4 would align with our goal to increase
the use of consistently implemented standards among health IT
developers and improve interoperability. We proposed to adopt the C-CDA
Companion Guide R3 as a standard in Sec. 170.205(a)(6) and incorporate
it by reference in Sec. 170.299. We stated that if the C-CDA Companion
Guide R4 is available at the time of publication of this final rule, we
would consider adopting the C-CDA Companion Guide R4 in Sec.
170.205(a)(6), which would support the updates included in proposed
USCDI v3 (88 FR 23767).
Consistent with our proposals in sections III.A and III.C.11, we
proposed to revise Sec. 170.205(a)(5) to add that the adoption of the
standard in Sec. 170.205(a)(5) expires on January 1, 2025. Developers
of certified health IT with Health IT Modules certified to particular
certification criteria that reference Sec. 170.205(a)(5) would have to
update those Health IT Modules to Sec. 170.205(a)(6) and provide them
to customers by January 1, 2025. We clarified that under this proposal,
for the time period up to and including December 31, 2024, HL7
CDA[supreg] R2 Implementation Guide: C-CDA Templates for Clinical Notes
R2.1 Companion Guide, Release 2 would remain applicable as the minimum
version required in the Program.
Further, we proposed that Health IT Modules certified to the
particular certification criteria below would need to update to the HL7
CDA[supreg] R2 IG: C-CDA Templates for Clinical Notes R2.1 Companion
Guide, Release 3 in Sec. 170.205(a)(6) by January 1, 2025:
``transitions of care'' (Sec. 170.315(b)(1)(iii)(A));
``clinical information reconciliation and incorporation''
(Sec. 170.315(b)(2)(i), (ii), and (iv));
``care plan'' (Sec. 170.315(b)(9)(ii));
``view, download, and transmit to 3rd party'' (Sec.
170.315(e)(1)(i)(A) and (B));
``consolidated CDA creation performance'' (Sec.
170.315(g)(6)(i)); and
``application access--all data request'' (Sec.
170.315(g)(9)(i)).
For the purposes of meeting that compliance date, we stated that we
expected health IT developers to update their certified health IT
without new mandatory testing and notify their ONC-ACB on the date at
which they have reached compliance. Developers would also need to
factor these updates into their next real world testing plan (88 FR
23767 through 23768).
Comments. The majority of commenters supported the adoption of the
HL7 CDA[supreg] R2 IG: C-CDA Templates for Clinical Notes R2.1
Companion Guide, Release 3 as proposed in Sec. 170.205(a)(6). Many of
the comments also noted support for the adoption of C-CDA Companion
Guide Release that aligns with USCDI v3 if published before the date of
publication of this final rule. Comments supporting this proposal noted
that incorporating newer versions of the C-CDA standard will improve
interoperability of clinical data.
Response. We thank commenters for support of our proposals and for
recognizing potential benefits expand interoperability for clinical
information shared via structured clinical notes. We also appreciate
commenters who recommended adoption of the most recent version of C-CDA
Companion Guide. After the publication of C-CDA Companion Guide R4, HL7
found errors with how the guide implemented data elements in USCDI v3
and had to make updates to the specification to align with USCDI v3 and
ensure that USCDI v3 can be implemented in certified Health IT Modules.
We note that C-CDA Companion Guide R4.1 has not added any substantial
functionality or requirements beyond C-CDA Companion Guide R4.
Therefore, we do not believe adoption of C-CDA Companion Guide R4.1
would contribute to a greater implementation burden, and C-CDA
Companion Guide R4.1 is the only version of the C-CDA
[[Page 1224]]
Companion Guide that fully aligns with and supports the complete USCDI
v3. Given the support of the commenters to adopt the most recent
version of the C-CDA Companion Guide that aligns with USCDI v3, we have
finalized adoption of C-CDA Companion Guide R4.1, which was published
in June 2023, in Sec. 170.205(a)(6).
Adopting the C-CDA Companion Guide R4.1 is necessary for developers
of certified health IT to have appropriate implementation guidance to
meet the criteria adopted in this final rule that reference USCDI v3.
Based on public comments on this and prior rulemakings, we believe that
the health IT industry, healthcare standards developers, and health
care providers expect and support ONC making such determinations so
that the adopted version of standards are the most up-to-date available
and are feasible for real world implementation (see, for example, 85 FR
25677 and 25708).
Comments. Some commenters expressed concern about the deadline for
this proposal and requested to extend the implementation deadline. Some
suggested deadline extensions included to 24 months post-effective date
of this final rule and December 31, 2025.
Response. We thank commenters for expressing a desire for an
extension on proposed deadlines. We have finalized a January 1, 2026
date for the expiration of the standard in Sec. 170.205(a)(5). We
believe that this deadline provides adequate time for developers and
industry to support C-CDA Companion Guide R4.1, which we have finalized
in Sec. 170.205(a)(6).
Comments. A minority of commenters cautioned us about the real-
world needs of physicians and patients and added complexities of
implementing additional health IT standards. One commenter appreciated
the flexibility and reduced burden of confirming conformance via a
notification to their ONC-ACB and noted concern that certification to a
new requirement may involve proof of conformance to ensure that there
is clear and consistent understanding and application of requirements
across developers of certified health IT.
Response. We thank commenters for the comments regarding the
potential burden placed on providers and developers by our proposal. We
do not believe that the burden on providers or developers for the
adoption of a new version of the C-CDA Companion Guide is excessive.
ONC has worked closely with the implementer community to help alleviate
burden, and we are confident that the addition of USCDI v3 data
elements will provide significant benefit.
3. ``Minimum Standards'' Code Sets Updates
We established a policy in the 2015 Edition Final Rule for minimum
standards code sets that update frequently (80 FR 62612). In prior
rulemaking, we discussed the benefits of adopting newer versions of
minimum standards code sets, including the improved interoperability
and implementation of health IT with minimal additional burden (77 FR
54170). When determining whether to propose newer versions of minimum
standards code sets, we consider the impact on interoperability and
whether a newer version would require substantive effort for developers
of certified health IT to implement. If adopted, newer versions of
minimum standards code sets would serve as the baseline for
certification and developers of certified health IT would be able to
use newer versions of these adopted standards on a voluntary basis. We
reiterate that while minimum standard code sets update frequently,
perhaps several times in a single year, these updates are confined to
concepts within the code system, not substantive changes to the
standards themselves. In the HTI-1 Proposed Rule, we proposed to adopt
the following versions of the minimum standards code sets listed below
(88 FR 23768 through 23769).
Sec. 170.207(a)--Problems
We proposed to remove and reserve Sec. 170.207(a)(3), IHTSDO
SNOMED CT[supreg] International Release July 2012 and US Extension to
SNOMED CT[supreg] March 2012 Release. We proposed to revise Sec.
170.207(a)(1), which is currently reserved, to reference SNOMED CT US
Edition March 2022 and incorporate it by reference in Sec. 170.299.
Sec. 170.207(c)--Laboratory tests
We proposed to remove and reserve Sec. 170.207(c)(2), Logical
Observation Identifiers Names and Codes (LOINC[supreg]) Database
version 2.40. We proposed to revise Sec. 170.207(c)(1), which is
currently reserved, to reference LOINC Database version 2.72, February
16, 2022, and incorporate it by reference in Sec. 170.299.
Sec. 170.207(d)--Medications
We proposed to revise Sec. 170.207(d)(1), which is currently
reserved, to reference RxNorm July 5, 2022, Full Monthly Release and
incorporate it by reference in Sec. 170.299. We proposed in Sec.
170.207(d)(4) to reference the code set specified in 45 CFR
162.1002(c)(1) which includes International Classification of Diseases,
10th Revision, Clinical Modification (ICD-10-CM); International
Classification of Diseases, 10th Revision, Procedure Coding System
(ICD-10-PCS) (including The Official ICD-10-PCS Guidelines for Coding
and Reporting); National Drug Codes (NDC); the combination of Health
Care Financing Administration Common Procedure Coding System (HCPCS),
as maintained and distributed by HHS, and Current Procedural
Terminology, Fourth Edition (CPT-4), as maintained and distributed by
the American Medical Association, for physician services and other
healthcare services; Health Care Financing Administration Common
Procedure Coding System (HCPCS) as maintained and distributed by HHS,
for all other substances, equipment, supplies, or other items used in
healthcare services; and Code on Dental Procedures and Nomenclature.
We have not finalized this proposal and explain the update later in
this section in response to a comment in support of our proposal to
update the standards for Medications in Sec. 170.207(d).
Sec. 170.207(e)--Immunizations
We proposed to revise Sec. 170.207(e)(1), which is currently
reserved, to reference CVX--VaccinesAdministered, updates through June
15, 2022, and incorporate it by reference in Sec. 170.299. We also
proposed to revise Sec. 170.207(e)(2), which is currently reserved, to
reference National Drug Code Directory (NDC)--Vaccine NDC Linker,
updates through July 19, 2022, and incorporate it by reference in Sec.
170.299.
Sec. 170.207(f)--Race and ethnicity
We proposed to add Sec. 170.207(f)(3) to reference CDC Race and
Ethnicity Code Set Version 1.2 (July 15, 2021) and incorporate it by
reference in Sec. 170.299.
Sec. 170.207(m)--Numerical references
We proposed to revise Sec. 170.207(m)(2), which is currently
reserved, to reference the Unified Code for Units of Measure, Revision
2.1, November 21, 2017, and incorporate it by reference in Sec.
170.299.
Sec. 170.207(n)--Sex
We proposed to revise Sec. 170.207(n)(2), which is currently
reserved, to reference the version of SNOMED CT [supreg] U.S. Edition
codes specified in Sec. 170.207(a)(1). We also proposed to add Sec.
170.207(n)(3) to reference the version of LOINC [supreg] codes
specified in Sec. 170.207(c)(1).
Sec. 170.207(o)--Sexual orientation and gender
information
We proposed to change the heading of Sec. 170.207(o) from ``sexual
orientation and gender identity'' to ``sexual orientation and gender
information'' to acknowledge that Sec. 170.207(o) includes
[[Page 1225]]
standard code sets to support other gender related data items. We
proposed to add Sec. 170.207(o)(3) to reference the version of SNOMED
CT [supreg] U.S. Edition codes specified in Sec. 170.207(a)(1) and to
add Sec. 170.207(o)(4) to reference the version of LOINC [supreg]
codes specified in Sec. 170.207(c)(1) for Pronouns.
Sec. 170.207(p)--Social, psychological, and behavioral
data
We proposed to revise Sec. 170.207(p)(1) through (8) to reference
the version of LOINC[supreg] codes specified in proposed Sec.
170.207(c)(1) instead of Sec. 170.207(c)(3). We proposed to revise
Sec. 170.207(p)(4), (5) and (7) and (8) to reference the version of
the Unified Code of Units of Measure in proposed Sec. 170.207(m)(2),
instead of Sec. 170.207(m)(1). We also proposed to revise Sec.
170.207(p)(6) to include a reference to the version of the Unified Code
of Units of Measure in proposed Sec. 170.207(m)(2).
Sec. 170.207(r)--Provider type
We proposed to revise Sec. 170.207(r)(2), which is currently
reserved, to reference Medicare Provider and Supplier Taxonomy
Crosswalk, October 29, 2021, and incorporate it by reference in Sec.
170.299.
Sec. 170.207(s)--Patient insurance
We proposed to revise Sec. 170.207(s)(2), which is currently
reserved, to reference Public Health Data Standards Consortium Source
of Payment Typology Code Set December 2020 Version 9.2 and incorporate
it by reference in Sec. 170.299.
In addition to updating the minimum standards code sets listed
above, we proposed to update some of the certification criteria that
reference those minimum standards. We proposed to update some of the
certification criteria that reference Sec. 170.207(a) Problems by
replacing the reference to Sec. 170.207(a)(4) in those criteria that
reference it with a reference to the new proposed Sec. 170.207(a)(1).
These criteria include Sec. 170.315(a)(12), (b)(1)(iii)(B)(2),
(b)(6)(ii)(B)(2), (c)(4)(iii)(I), and (f)(4)(ii). We also proposed to
update Sec. 170.315(f)(3)(ii) by replacing the reference to Sec.
170.207(a)(3) with a reference to the new proposed Sec. 170.207(a)(1).
We proposed to update the certification criteria that reference
Sec. 170.207(c) Laboratory Tests by replacing the references to Sec.
170.207(c)(2) and (c)(3) in those criteria with a reference to the new
proposed Sec. 170.207(c)(1). These criteria include Sec.
170.315(f)(3)(ii) and (f)(4)(ii).
We proposed to update two certification criteria that reference
Sec. 170.207(e) Immunizations. We proposed to update the certification
criterion Sec. 170.315(f)(1)(i)(B), which references Sec.
170.207(e)(3), to instead reference the new proposed Sec.
170.207(e)(1). We also proposed to update the certification criterion
Sec. 170.315(f)(1)(i)(C), which references Sec. 170.207(e)(4), by
replacing the reference to Sec. 170.207(e)(4) in that criterion with a
reference to the new proposed Sec. 170.207(e)(2).
We proposed to update several certification criteria that reference
Sec. 170.207(f) Race and Ethnicity. We proposed to update
certification criteria that reference Sec. 170.207(f)(2) to instead
reference the new proposed Sec. 170.207(f)(3). These criteria include
Sec. 170.315(a)(5)(i)(A)(1) and (2) and Sec. 170.315(c)(4)(iii)(H).
As described in sections III.C.1 and III.C.8 of this final rule, we
proposed to update criteria that reference Sec. 170.207(n) Sex by
updating criteria that reference Sec. 170.207(n)(1) to reference the
new proposed Sec. 170.207(n)(2). More specifically, we proposed to
update Sec. 170.315(a)(5)(i)(C) to reference Sec. 170.207(n)(1) for
the time period up to and including December 31, 2025, or to reference
Sec. 170.207(n)(2). We also proposed to update Sec.
170.315(c)(4)(iii)(G) and Sec. 170.315(b)(1)(iii)(G)(3) to reference
Sec. 170.207(n)(2). We note that, in the HTI-1 Proposed Rule
regulation text in Sec. 170.315(b)(1)(iii)(G)(3), we inadvertently
included a reference to Sec. 170.213 (88 FR 23909) instead of
including Sec. 170.207(n)(2) as discussed in our proposal (88 FR
23821). ONC has finalized Sec. 170.315(b)(1)(iii)(G)(3) without the
proposed reference to Sec. 170.213. We have finalized Sec.
170.315(b)(1)(iii)(G)(3) to include a reference to Sec. 170.207(n)(2)
to correct this error and to reference the most recent version of
SNOMED CT U.S. Edition available at the time of this rule. Health IT
developers may update to a newer version if one exists at effective
date of the criterion.
Additionally, as described in sections III.C.1 and III.C.8 of this
final rule, we proposed to update the criteria that reference Sec.
170.207(o) Sexual orientation and gender information (as we proposed to
rename the criterion) by updating criteria that reference Sec.
170.207(o)(1) and (2). We proposed to replace the reference to Sec.
170.207(o)(1) in Sec. 170.315(a)(5)(i)(D) with a reference to the new
proposed Sec. 170.207(o)(3) and proposed to replace the reference to
Sec. 170.207(o)(2) in Sec. 170.315(a)(5)(i)(E) with a reference to
the new proposed Sec. 170.207(o)(3). More specifically, we proposed to
update Sec. 170.315(a)(5)(i)(D) to reference Sec. 170.207(o)(1) for
the time period up to and including December 31, 2025, or to reference
Sec. 170.207(o)(3), as well as whether a patient declines to specify
sexual orientation. We proposed to update Sec. 170.315(a)(5)(i)(E) to
reference Sec. 170.207(o)(2) for the time period up to and including
December 31, 2025, or to reference Sec. 170.207(o)(3), as well as
whether a patient declines to specify gender identity.
We also proposed to update Sec. 170.315(c)(4)(iii)(C), which
references Sec. 170.207(r) Provider Type. Specifically, we proposed to
replace the reference to Sec. 170.207(r)(1) in that criterion with a
reference to the new proposed Sec. 170.207(r)(2). We also proposed to
update Sec. 170.315(c)(4)(iii)(E), which references Sec. 170.207(s)
Patient insurance. Specifically, we proposed to replace the reference
to Sec. 170.207(s)(1) in that criterion with a reference to the new
proposed Sec. 170.207(s)(2).
Comments. Most commenters were supportive of ONC's proposal to
adopt updated minimum code set versions. Meanwhile other commenters had
recommendations pertinent to specific standards considered a ``minimum
standard'' code set.
Response. We thank commenters for their support of our proposal to
adopt updated minimum code set versions. We have finalized the adoption
of updated minimum standard code set versions as proposed. We note that
newer versions of the codes sets may have become available since we
published the HTI-1 Proposed Rule and this does not preclude developers
of certified health IT from updating minimum code sets to newer
versions in their Health IT Modules.
Comments. Several commenters suggested different naming conventions
for different standards and data concepts included as part of the
Program's minimum standard code sets, including the name of Patient
Demographics, Sexual Orientation, and Gender Identity.
Response. We appreciate these comments. However, we have finalized
the title of Sec. 170.207(o) to reflect the inclusion of the minimum
standard code set for Pronouns in that section, and we have finalized
our proposal to update the Sexual Orientation and Gender Identity title
in Sec. 170.207(o) to ``Sexual orientation and gender information'' to
provide clarity on the standard code sets related to data elements in
that section. We have also finalized our proposal to update the
``demographics'' title in Sec. 170.315(a)(5) to ``patient demographics
and observations'' to acknowledge that not all data described in that
section are understood to be demographics.
[[Page 1226]]
Comments. We received multiple comments encouraging ONC to continue
to work with the HL7 Gender Harmony project team and federal partners
to update terminology definitions over time.
Response. We thank commenters for their support of our working with
the HL7 Gender Harmony project team and federal partners to update
terminology definitions. We anticipate ongoing collaboration with these
parties to promote collection and exchange of data elements related to
health equity and support for underserved populations.
Comments. We received a comment in support of the proposal to
update the standards for Medications at Sec. 170.207(d); however, the
commenter noted that the reference to 45 CFR 162.1002(c)(1) for NDC
includes references to medical code sets that are not appropriate for
medications and the reference should be changed to 162.1002(b)(2),
which is specific to NDC.
Response. We thank the commenter for their support of our proposed
updates. We note that our reference to 45 CFR 162.1002(c)(1) in the
proposal was intended to be consistent with the timeframes identified
in the referenced regulation--i.e., ``For the period on and after
October 1, 2015'' as opposed to 45 CFR 162.1002(b)(2) which is
referenced as ``For the period on and after October 16, 2003 through
September 30, 2015.'' However, we agree with the commenter that the
reference should include only NDC, and we have finalized Sec.
170.207(d)(4) to reference 45 CFR 162.1002(b)(2) as referenced in 45
CFR 162.1002(c)(1) for the period on and after October 1, 2015.'' We
did not intend to cross-reference code sets no longer in effect, and we
believe that commenters would have anticipated us to correct this.
Comments. We received several comments related to the OMB Initial
Proposals For Updating OMB's Race and Ethnicity Statistical Standards
and the 2022 proposed updates to the CDC Race and Ethnicity code set.
Some commenters suggest that ONC prioritize and prepare for any changes
that may be necessary should the proposed changes be finalized. Other
commenters expressed concern that the proposed changes will have a
significant impact on health IT. Some commenters provided suggestions
for ONC to develop data collection guidelines and provided suggestions
for code set content updates.
Response. We thank commenters for their input regarding the
proposed updates to the CDC race and ethnicity code set and OMB race
and ethnicity collection; however, these comments are out of scope for
this rulemaking. We will continue to work with federal partners to
promote alignment for these data concepts.
Comments. We received comments regarding the effective dates for
the new minimum code set versions. Some comments suggested that ONC
specify the time health IT developers must incorporate the new code set
versions once they have been published to allow time for health IT
developers and providers to incorporate the new versions. Other
commenters recommended that ONC align code set version update timelines
to the base program requirements.
Response. We thank commenters for their input regarding the
effective dates for new minimum code set version and to align code set
version updates timelines to the base Program requirements. We have
finalized the adoption of Sec. 170.207 with a compliance date of
January 1, 2026.
We have adopted the proposed version of code sets. Again, we note
that we have adopted minimum code set versions and this does not
preclude developers of certified health IT from updating minimum code
sets to newer versions in their Health IT Modules.
4. Electronic Case Reporting
As discussed in the HTI-1 Proposed Rule, case reporting serves as
early notification to Public Health Agencies (PHAs) for potential
disease outbreaks and includes information that enables PHAs to start
contact tracing and other prevention measures. (88 FR 23769)
Since ONC adopted 45 CFR 170.315(f)(5) as a functional requirement
for Health IT Modules in the 2015 Edition, standards development
organizations (SDOs), public health, and interested parties within the
healthcare industry have balloted several standards related to
electronic case reporting. The standards were produced and developed
through a collaborative effort among many partners, including CDC, the
Council of State and Territorial Epidemiologists (CSTE), the
Association of State and Territorial Health Officials (ASTHO), the
Association of Public Health Laboratories (APHL), EHR developers, and
the HL7 Public Health (PH) Work Group.\46\ These standards pertain to
both HL7[supreg] FHIR and HL7[supreg] CDA and include multiple
Implementation Guides (IGs).
---------------------------------------------------------------------------
\46\ See work group membership at: https://confluence.hl7.org/display/PHWG/Public+Health+Work+Group.
---------------------------------------------------------------------------
Recognizing advancement of standards development in this area, ONC
analyzed the currently balloted standards for potential inclusion in
the existing 45 CFR 170.315(f)(5) criterion. As discussed in detail in
the HTI-1 Proposed Rule, ONC examined the standards for potential
inclusion as a part of this criterion (88 FR 23770-23771).
In the HTI-1 Proposed Rule (88 FR 23771-23772), we proposed to
adopt standards for electronic case reporting in Sec.
170.315(f)(5)(ii). This included a proposal in Sec.
170.315(f)(5)(ii)(A) that a Health IT Module certified to Sec.
170.315(f)(5) support the consumption and processing of electronic case
report trigger codes and parameters based on a match from Reportable
Conditions Trigger Code value set in Sec. 170.205(t)(4) received from
the eRSD profiles as specified in the HL7 FHIR eCR IG in Sec.
170.205(t)(1). We clarified that a Health IT Module need only support
parsing and consuming the eRSD Specification Library and eRSD
Supplemental Library because we understand that health IT developers
may choose to either manually encode the electronic case reporting
trigger logic into Health IT Modules or may support a more automated
process for encoding the trigger logic into Health IT Modules. We
requested comment on this approach and on whether there is general
support of the eRSD Specification Library and eRSD Supplemental Library
for electronic case reporting triggering (88 FR 23773).
Additionally, we proposed in Sec. 170.315(f)(5)(ii)(B) to require
a Health IT Module to create a case report for electronic transmission
according to at least one of the following two HL7[supreg] standards:
in accordance with the electronic initial case report (eICR) profiles
specified in the HL7 FHIR eCR IG in Sec. 170.205(t)(1) or in
accordance with the HL7 CDA eICR IG in Sec. 170.205(t)(2). Finally, we
proposed in Sec. 170.315(f)(5)(ii)(C) to require that Health IT
Modules certified to Sec. 170.315(f)(5) support the receipt,
consumption, and processing of reportability responses (RR) formatted
according to the RR profiles defined in the HL7 FHIR eCR IG or the HL7
CDA RR IG.
Comments. We received numerous comments and broad support for
updating the ``electronic case reporting'' criterion to reference
standards-based requirements. Commenters stated that the current
functional certification criteria in the Program do not meet eCR
program needs and that requiring use of a standard would improve
interoperability and implementation
[[Page 1227]]
consistency to further enable the transmission of timely, granular, and
accurate case data between health providers and public health agencies.
Commenters stated that moving from functional electronic case reporting
requirements to standards-based requirements is an important step
toward ensuring that public health programs have access to critical
data. Commenters also stated there is substantial opportunity to
empower public health, improve public health surveillance, and more
efficiently monitor and manage public health concerns through
standardization of electronic case reporting. Others wrote that the
standards would improve consistency and increase real-time
communication between healthcare and public health.
Several commenters supported the requirements as proposed,
including the requirements for Health IT Modules to support either HL7
FHIR or HL7 CDA standards for case reporting. Some commenters stated
the need for EHRs to support the HL7 CDA standard since many public
health agencies only accept HL7 CDA documents. Several commenters
stated that both the HL7 CDA and the HL7 FHIR standards should be
required to allow Public Health Agencies (PHAs) time and the
appropriate resources to be able to receive incoming electronic case
reports. Other commenters stated they would prefer a single standard be
included in the criterion rather than including multiple options for
certification. Commenters noted that existing health information
conversion tools could help with the translation between HL7 CDA and
HL7 FHIR formats. Additionally, commenters advocated that the
electronic case report and the reportability response should adhere to
the same standard (CDA or FHIR) and noted that it would be burdensome
if the reportability response from public health was based on a
different standard than the initial case report.
Response. We appreciate these comments and agree with the
importance of including standards to improve interoperability and
public health agencies' access to critical information. Taking into
consideration feedback from commenters, we have finalized our proposal
in Sec. 170.315(f)(5)(ii)(B) to require Health IT Modules to enable a
user to create a case report consistent with at least the eICR profile
of the HL7 FHIR eCR IG in Sec. 170.205(t)(1) or the HL7 CDA eICR IG
Sec. 170.205(t)(2). Additionally, we have finalized in Sec.
170.315(f)(5)(ii)(C) to require Health IT Modules to receive, consume,
and process a case report response according to the reportability
response profile of the HL7 FHIR eCR IG in Sec. 170.205(t)(1) or the
HL7 CDA RR IG in Sec. 170.205(t)(3) as determined by the standard used
in (f)(5)(ii)(B) of this section. We have finalized this requirement to
ensure that a Health IT Module that creates a case report according to
the eICR profile of HL7 FHIR eCR IG can receive, consume, and process a
case report response using the same HL7 FHIR eCR IG. The same would be
true for a Health IT Module that creates a case report according to the
HL7 CDA eICR IG; this Health IT Module must be capable of receiving a
reportability response according the HL7 CDA RR IG. We believe
requiring support for creating a case report based on either the HL7
FHIR eCR IG or the HL7 CDA eICR IG while requiring support for receipt,
consumption, and processing of a case report response according to
either the HL7 FHIR eCR IG or the HL7 CDA RR IG provides technical
design flexibility while supporting the HL7 CDA-based landscape for
case reporting that exists today. Additionally, we have finalized our
proposal in Sec. 170.315(f)(5)(ii)(D) for Health IT Modules to support
transmission of a case report electronically to a system capable of
receiving a case report.
As with most consensus-based standards, we recognize that
additional improvements can be made to the HL7 FHIR and HL7 CDA IGs for
case reporting. We encourage interested parties, including the CDC, the
appropriate HL7 working groups, and public health associations to
update and improve the IGs, as well as collaborate on solutions that
facilitate the ability of PHAs to parse, filter, and consume case
reports. We plan to continue monitoring the development of standards
for case reporting and foundational standards that facilitate
interoperability for various public health use cases. As the HL7 FHIR-
based certification criteria in the Program continue to grow and
industry more broadly supports HL7 FHIR-based IGs, we intend to
transition to solely an HL7 FHIR-based approach for case reporting in
future rulemaking.
Comments. One commenter suggested that the adoption of HL7[supreg]
standards was unnecessary to advance interoperability for EHI because
EHR systems are capable of effectively and securely communicating using
multiple standards and messaging formats. This commenter stated that
the adoption of HL7 standards would prevent health care providers from
using other standards that could better serve different situations and
communities.
Response. We disagree that adoption of standards for case reporting
is unnecessary to advance interoperability. We note that for nearly a
decade, Program requirements for electronic case reporting have not
been standards-based, and numerous examples cited in this preamble and
in the HTI-1 Proposed Rule reveal deficiencies in nationwide electronic
case reporting due to misaligned technical standards and
implementations. We believe that consensus has emerged for adoption of
HL7 standards, which we have finalized in Sec. 170.315(f)(5)(ii), and
we believe that such standards can be enhanced over time to address the
emergent needs of health care providers and the communities they serve.
Comments. We received multiple comments supporting our proposal
relating to the consumption and processing of case report trigger codes
based on the Reportable Conditions Trigger Code value set in Sec.
170.205(t)(4). Many public health agency commenters expressed support
to require certified Health IT Modules to support the ability to
consume and process the eRSD profiles, which include the RCTC value
set, regardless of whether such a Health IT Module supports a FHIR-
based or CDA-based approach to certification, stating that it would
support interoperability. One hospital-based commenter suggested that
in addition to the mandated proposed RCTC value sets, ONC should
require support for the adjunct `eRSD Supplemental Library' as part of
the certification criterion at Sec. 170.315(f)(5) as we proposed.
Several health IT developer commenters stated that the eRSD profiles
should not be required, including the reference to the eRSD
Supplemental Library or the eRSD Specification Library, stating that
the underlying standards are too immature and not sufficient for broad
use. Commenters further stated concerns about the burdensome and manual
updates and maintenance required to support the eRSD profiles and noted
that the specification is mainly in use today by the eCR Now FHIR App,
a solution developed specifically for case reporting. One commenter
suggested that Health IT Modules should be required to use updated
reportable condition trigger codes, stating that during an emergency,
new trigger codes are almost always needed and are necessary in
effectiveness of use in an emergency response. One commenter emphasized
coordination with the CDC to not only make eRSD-based sharing of
reportable events available, but also the Reportable Conditions
Knowledge Management System (RCKMS) to enable
[[Page 1228]]
efficient sharing of PHA requirements in terms of reportable events,
content, format, and transport.
Response. We thank the commenters for their perspectives. We agree
that consuming and processing reportable condition trigger codes is a
necessary first step in electronic case reporting, and we have
finalized in Sec. 170.315(f)(5)(ii)(A) our proposal that Health IT
Modules certified to Sec. 170.315(f)(5) must, beginning January 1,
2026, support the consumption and processing of case reporting trigger
codes and must identify a reportable patient visit or encounter based
on a match from the RCTC value set in Sec. 170.2015(t)(4). However,
after additional examination of the HL7 FHIR eCR specification, and in
response to comments received, we have not adopted our proposal to
require that such Health IT Modules receive the RCTC value set from the
eRSD profiles as specified in the HL7 FHIR eCR IG in Sec.
170.205(t)(1). This means that Health IT Modules do not need to support
the eRSD profiles, including the eRSD PlanDefinition, Supplemental
Library, and Specification Library, in order to be certified to Sec.
170.315(f)(5).
We have finalized this approach to allow developers of certified
health IT flexibility to support the consumption of the RCTC value set
in the way that best suits their technology and in a way that does not
constrain how the RCTC value set is consumed as the underlying
standards mature. We share concerns with commenters who noted that the
triggering logic within the eRSD profiles of the FHIR IG are complex,
not supported across the industry, and remain largely untested outside
their use in the eCR Now FHIR App. We believe requiring that a Health
IT Module certified to Sec. 170.315(f)(5) support the consumption and
processing of case reporting trigger codes and identify a reportable
patient visit or encounter based on a match from the RCTC value set in
Sec. 170.205(t)(4), without further constraining how the RCTC value
set is received, will simplify Program conformance and responds to
concerns raised by commenters and raised through our own analysis.
For purposes of Program conformance, we reiterate from the HTI-1
Proposed Rule that the RCTC value set in Sec. 170.205(t)(4) is a
minimum standard code set, and that Health IT Modules certifying to
Sec. 170.315(f)(5) by way of Sec. 170.315(f)(5)(ii) may voluntarily
support an updated version (e.g., a subsequent release) of the RCTC
value set. We anticipate that health IT developers would be
incentivized by their customers to take advantage of this opportunity
to voluntarily support updated versions of the RCTC value set because
updated versions will likely include new codes reflecting new or
emerging infectious diseases (88 FR 23773). We urge developers with
Health IT Modules certified to Sec. 170.315(f)(5)(ii) to support all
the reportable condition trigger codes in the RCTC value set as it
updates so that emerging infectious diseases may be reported
electronically to public health authorities as those infectious
diseases emerge.
We note that the RCTC value set is not currently hosted on the
National Library of Medicine Value Set Authority Center, like many
other value sets. Instead, the RCTC value set is currently available
for distribution by the Association of Public Health Laboratories.\47\
We plan to work with CDC and the industry to align the availability of
the RCTC value set with other, similar value sets in the future.
---------------------------------------------------------------------------
\47\ Electronic Reporting and Surveillance Distribution page
managed by the Association of Public Health Laboratories: https://ersd.aimsplatform.org/#/home.
---------------------------------------------------------------------------
Finally, we note that the CDA IG cross-references the RCTC value
set specified in the HL7 FHIR eCR IG.\48\ Therefore, Health IT Modules
certified to Sec. 170.315(f)(5) using the HL7 CDA IG as described in
Sec. 170.315(f)(5)(i), must also support the requirement to trigger a
case report based on a match from the RCTC value set in Sec.
170.205(t)(4) at a minimum. We encourage implementers to reference the
HL7 CDA eICR IG for additional guidance regarding the use of the RCTC
value set for identifying reportable cases.
---------------------------------------------------------------------------
\48\ See section 1.11.2 of the CDA eICR IG titled, ``Using the
eRSD (from the FHIR eCR IG).'' https://www.hl7.org/implement/standards/product_brief.cfm?product_id=436.
---------------------------------------------------------------------------
Comments. Commenters suggested requiring a longer compliance date
than December 31, 2024, for health IT developers to certify to the
proposed updated criterion to allow the industry to widely implement
the standards-based requirements in production. One commenter expressed
support, stating that allowing current standards requirements to remain
until December 31, 2024, is reasonable, while another commenter
recommended an implementation deadline of December 31, 2025. Several
commenters stated that more time should be given for compliance, such
as a minimum of 24 months post-final rule effective date for such
deadlines or postponing the requirement for electronic case reporting
until public health jurisdictions can adequately adapt to the
technology needed to ingest the data. One commenter expressed that more
time is needed to develop, test, and deliver new capabilities, stating
that the proposed timeframe is insufficient.
Response. We appreciate commenters' concerns about the timelines
for conformance to new standards for the Program. We have finalized in
Sec. 170.315(f)(5) that Health IT Modules must enable a user to create
a case report for electronic transmission meeting requirements in Sec.
170.315(f)(5)(i) for the time period up to and including December 31,
2025, or meet the requirements in Sec. 170.315(f)(5)(ii). This
approach will allow developers to continue to certify to functional
requirements for case reporting according to Sec. 170.315(f)(5)(i)
while allowing developers to certify to the standards-based approach to
case reporting in Sec. 170.315(f)(5)(ii). After December 31, 2025,
developers will only be able to certify to case reporting using the
standards-based approach described Sec. 170.315(f)(5)(ii). In
addition, previously certified products will need to update their
certification to the standards-based approach described in Sec.
170.315(f)(5)(ii) by December 31, 2025. We believe this date will
provide adequate time for developers of certified health IT with Health
IT Modules certified to Sec. 170.315(f)(5) to comply with the
requirements we have finalized, while also ensuring timely
implementation of the requirements for public health agencies.
Comments. Many commenters suggested that systems receiving
electronic case reports should also have to certify to capabilities
that align with the requirements in Sec. 170.315(f)(5). Another
commenter stated that there is little value in requiring the capability
to transmit electronic case reporting if public health partners do not
have the capabilities to receive data electronically. Some commenters
stated that they are prepared to support electronic case reporting but
have not been able to do so due to lack of public health capacity to
receive it, and recommended ONC work with other agencies to support
public health partners with funding to bolster electronic case
reporting capacity. Several commenters suggested ONC provide support
for the transition to eCR reporting, such as ONC collaborating with
other agencies and public health entities to provide financial
resources/incentives and support, as well as publishing and maintaining
a master list of U.S. public health data standards, and work with state
and local public health agencies to ensure technical readiness for
their adoption and implementation. One commenter
[[Page 1229]]
recommended ONC encourage and enforce public health agencies to move
away from manual reporting. The same commenter also urged coordination
to promote the reduction and elimination of variances in format and
transport mechanisms.
One commenter expressed support and requested clarification if the
intent is to require support based on the standards ONC specifies, and
not to require support for jurisdiction-specific communication methods.
Another commenter stated that state and local variations create burden
on the sender to meet specific requests and needs of jurisdictions. One
commenter requested further guidance through a companion guide on how
to comply with differing federal and state regulations related to
electronic case reporting requirements, such as what additional data
elements are needed by state PHAs and beyond those that are defined in
the standards. Multiple commenters expressed concern regarding
variability in implementation of standards, and the jurisdictional
distinctions that required customizations and manual burden to
maintain. We received a few comments stating that the proposed
requirements are too broad and urged a more tempered approach to permit
maturation as integrations increase. One commenter stated that the
proposal does not describe likely performance parameters or offer an
architecture that would support true disease surveillance. Some
commenters expressed concern with public health agencies' lack of
readiness for electronic case reporting, stating that, in their
experience, production use of electronic case reporting is limited for
conditions beyond COVID-19 and Mpox.
Response. We understand that gaps remain in practice regarding the
ability of public health agencies to receive electronic case reports,
particularly with parsing, filtering, and consuming incoming electronic
case reports, and that manual reporting mechanisms remain in place for
many reportable conditions. We appreciate the commenters that suggested
we create an aligned requirement for systems receiving electronic case
reports and will consider these comments for future rulemaking. We are
supportive of CDC-led efforts to build public health capacity to accept
electronic case report information, and the electronic receipt and
ingestion of electronic case reports are a core component of the CDC
Public Health Data Strategy.\49\ We believe the timeline for requiring
standards-based electronic case reporting for Health IT Modules
certified to Sec. 170.315(f)(5) will allow both healthcare
organizations and public health agencies to develop and implement the
capability for receipt and exchange of electronic case reports and
associated information. We recognize the need for ONC to continue to
collaborate and coordinate with CDC and national public health
associations, as well as with public health jurisdictions. Further,
there are tools and intermediary options available, like HL7 CDA to HL7
FHIR conversion tools, that PHAs could leverage to accept incoming HL7
FHIR-based case reports and convert them into a format they can receive
and process.
---------------------------------------------------------------------------
\49\ https://www.cdc.gov/ophdst/public-health-data-strategy/Public_Health_Data_Strategy-final-P.pdf.
---------------------------------------------------------------------------
We acknowledge that variations between state and federal
requirements and local requirements and needs add burden for reporters.
However, we are unable to holistically solve this challenge through the
Program. The Program is voluntary, and developers that elect to
participate are only required to adhere to the requirements in
applicable certification criteria. The Program does not directly
address case reporting requirements imposed by state or local bodies.
Furthermore, we believe these issues could be addressed through the
standards development processes, including through the Public Health
Workgroup for HL7, and through working with PHAs and appropriate public
health associations to align on the use of a national standard and
reduce state and local variation in requirements where possible.
Regarding comments that the proposals are too broad, we believe
requiring standards-based support for electronically reporting case
reports and receiving reportability responses, including using standard
triggers, will allow for implementation flexibility while improving
interoperability. Further, standards-based requirements can help to
reduce variation and fragmentation that may otherwise cause
interoperability issues for implementers and users. We understand that
PHAs expressed concerns related to technology used by PHAs being able
to accept incoming reports that adhere to the FHIR standard. We believe
that the longer timeline can help with this transition, as well as
allow the industry time to pursue different approaches to implementing
the required components of the eCR FHIR IG. We understand concerns
related to performance, scalability, and maintenance, and will monitor
standards development and implementation to inform future rulemaking.
Comments. Some commenters stated that public health-specific
approaches for data exchange should not be the way of the future, and
that existing solutions, such as FHIR capabilities including
subscriptions and patient-level queries, should instead be leveraged
for the purposes of public health data exchange. Several commenters
believe common data infrastructure and standards, such as HL7 FHIR-
based APIs and the SMART Backend Services, would better serve
electronic case reporting than the current standards, which they stated
are brittle and require consistent updating and manual support. Several
commenters offered suggestions of additional functionality. One
commenter suggested that health IT developers must provide
functionality to users to send on-discharge summary updates for
patients admitted to hospital, and interfaces to allow their users to
adjust timing of triggering, document build, send, and other
parameters. One commenter suggested that ONC incorporate the language
and data elements of specialty records into its standards to increase
effectiveness for interoperability initiatives across the spectrum of
patient care. Another commenter suggested requiring functionality
related to high-risk and immediate reporting for provider-initiated (or
`manually triggered') electronic reporting stating that provider-
triggered `manual' eCRs are critical for emergency preparedness and
reducing the burden on healthcare staff and public health staff of
manual reporting and data entry in future outbreaks, novel conditions,
and early in confirmed outbreak scenarios. One commenter stated that
healthcare facility IDs and address formatting cause serious impacts
for public health because they cannot be verified for eCRs sent. The
commenter, therefore, suggested more standards conformance and health
IT functionality to allow users to easily edit, update, and maintain
correct facility IDs, as well as consistent formatting of address and
rational facility naming, will ease processing burden on PHAs and other
data receivers. Several comments mentioned specific challenges within
the proposed specifications, including challenges with certain data
elements.
Response. We acknowledge the importance of reusable and scalable
standards for health information interoperability including standards-
based APIs. The Standardized API for ``patient and population
services'' criterion at Sec. 170.315(g)(10) has provided a baseline
for reusable services to advance interoperability nationwide.
[[Page 1230]]
Like many other HL7 FHIR IGs in the US Realm, the HL7 FHIR profiles
defined in the eCR FHIR IG were built using the profiles defined in the
US Core IG as part of the HL7 FHIR profiling model.\50\ Notably, the US
Core IG is part of the certification criterion at Sec. 170.315(g)(10),
adopted in Sec. 170.215(b)(1) and incorporated by reference in Sec.
170.299. While we recognize the potential of these foundational APIs,
implementation guides, and services to generally support public health,
we believe it is helpful to provide further specificity for use cases
like electronic case reporting. We will consider ways to align the
public health certification criteria in the Program to promote reuse of
common standards to support various public health reporting and
interoperability use cases in future rulemaking. We appreciate that
challenges and additional potential uses and applications of the
electronic case reporting standard remain. However, the Program is not
the venue through which the specification can be updated or changed. We
encourage commenters to participate in standards development processes,
including in the HL7 Public Health Workgroup. Further, we are aware
that tools exist for PHAs that can translate incoming FHIR to CDA and/
or other formats that public health surveillance systems can currently
accept, which can aid with data receipt in the interim period as
surveillance systems are updated to be able to receive FHIR and as
additional FHIR-based tools and solutions are developed and
implemented.
---------------------------------------------------------------------------
\50\ https://hl7.org/fhir/R4/profiling.html#reslicing.
---------------------------------------------------------------------------
For concerns related to triggering and adjusting triggers based on
timing and the occurrence of certain events, we believe this can be
addressed through healthcare organizations and other reporters working
with public health jurisdictions to determine the timing and triggers
that work for all involved participants and that do not place undue
burden on health IT and public health systems. We also encourage
triggering and timing approaches to be discussed through standards
development processes to develop, pilot, and share approaches that meet
the needs of both reporters and public health agencies.
Comments. One commenter requested clarification on whether the
Health IT Module being certified needs to identify any intermediaries
involved in the transmission of electronic case reports or RR messages
as part of certification, or if these intermediaries need to also be
certified for these eCR criteria. Another commenter requested
clarification on how a ``system capable of receiving an electronic case
report'' would be identified or validated, and whether this system
would need to be certified against specific criteria. A few commenters
recommended recognition, or new certification processes using the eCR
Now FHIR application with a companion guide, as well as a different set
of data than the USCDI v1 data set cited as standard for the criterion
to ensure health IT systems can meet the new certification criteria.
One commenter suggested that the eCR Now FHIR App should be accepted
for certification. Some commenters expressed a belief that continued
success in case reporting relies on a reasonable expectation of a
routing and decision support intermediary such as AIMS (APHL
Informatics Messaging Services). One commenter suggested that the AIMS
network should support the submission (and response to submission) of
any public health reporting using RESTful (or Representational State
Transfer) application programming interfaces. One commenter recommended
that ONC work closely with the CDC and the AIMS Platform team to ensure
requirements do not exceed or violate the AIMS requirements, stating
that many of the proposals are beyond the current allowed features on
the AIMS network application programming interfaces. One commenter
recommended that ONC work closely with the CDC and the AIMS Platform
team to ensure requirements do not exceed or violate the AIMS
requirements, stating that many of the proposals are beyond the current
allowed features on the AIMS network.
Response. We appreciate the questions we received related to
intermediaries, the use of specific tools or systems, and the
applicability of the Program to intermediaries. Our Program is
voluntary, and health IT developer participation in the Program has
traditionally been incentivized through connections to CMS payment
programs. While we do not have the authority to enforce or provide
incentives for adoption of certified Health IT Modules, other entities
could choose to do so. Should other federal entities choose to require
certain systems or technologies to certify to the criterion at Sec.
170.315(f)(5) via other mechanisms, the applicability of the
requirements could extend beyond health IT that is traditionally
presented for certification. Additionally, developers of intermediary
software may also voluntarily certify their technology through the
Program without incentives or requirements.
As part of the Program, we do not require the use of specific
systems or solutions, such as the eCR Now FHIR App, which several
commenters raised. Rather, we specify standards-based requirements
based on standards and implementation specifications that have been
developed through consensus by the health IT industry and functional
requirements to allow for flexibility and innovation. We are aware that
the eCR Now FHIR App is an option for transmitting electronic case
reports using either the HL7 CDA IG or the HL7 FHIR eCR IG. We also are
aware of the CDC-supported data ingestion building blocks that can aid
PHAs in converting incoming information from HL7 FHIR to HL7 CDA so
that surveillance systems are able to process reports in the standards
with which they can currently receive data. Developers of certified
health IT have the flexibility to leverage the eCR Now FHIR App or
other solutions to meet the requirements under our Program under
existing requirements for Sec. 170.315(f)(5). Further, as developers
of certified health IT work to implement either the CDA or FHIR
standards as part of their Health IT Modules, they can use ``relied
upon software'' to demonstrate certification criteria compliance (see
84 FR 7433 and 76 FR 1276-1277).\51\ This encompasses third-party
software or products that are not developed by the health IT developer
but are being used to meet a portion of (or the entirety of) certain
certification criteria. Such third-party products must be reported to
the Certified Health IT Product List. We are aware that there are
several technical options that meet our required functional criteria
adhering to the FHIR standard. Intermediaries, such as the AIMS
platform supported by APHL, as well as other intermediaries such as
HIEs or HINs, are used by healthcare organizations to assist with
routing, transport, and, in some cases, conversion before submitting
electronic case reports to PHAs. However, we do not dictate the
mechanism through which vendors or organizations choose to accomplish
the electronic case reporting workflow--only the functional
expectations and the accompanying standard(s). At this time, ONC is not
requiring Health IT Modules certified to Sec. 170.315(f)(5) to
specifically connect to AIMS or support RCKMS \52\ to meet the proposed
requirements in Sec. 170.315(f)(5)(ii)(D). While we
[[Page 1231]]
understand the role AIMS and RCKMS play in a centralized, hub-and-spoke
model for electronic case reporting, we proposed that the functional
requirements for Sec. 170.315(f)(5)(ii)(D) remain agnostic as to which
reporting platform and which decision support tool(s) are used.
Further, the use of HL7 FHIR supports the use of RESTful APIs. We will
continue to coordinate and work with CDC on ensuring support is
available as Health IT Modules work toward Certification of the
``electronic case reporting'' criterion, regardless of their approach.
Given public comments and our desire to support providers reporting
electronic case reports to any PHA that may be authorized to receive
case reports, we have finalized our requirements in Sec.
170.315(f)(5)(ii)(D) to ``transmit a case report electronically to a
system capable of receiving an electronic case report,'' as proposed.
---------------------------------------------------------------------------
\51\ https://www.healthit.gov/sites/default/files/relieduponsoftwareguidance.pdf.
\52\ https://www.rckms.org/.
---------------------------------------------------------------------------
Comments. One commenter recommended that systems be tested with
``live'' public health information systems, or systems specified by the
public health community instead of self-certifying that real world
testing has been completed. The same commenter also recommended that if
a Health IT Module is certified only for CDA or FHIR exchange of RR
data, the Health IT Module must also successfully complete real world
testing with a commercially available service to transform the data
into the format not implemented as part of the Health IT Module to
ensure the provider can receive RR messages regardless of the format
utilized. One commenter recommended that timely and or automated eRSD
updates should be considered for inclusion in real world testing. One
commenter expressed that they appreciate the requirement to ensure
Health IT Modules continue to demonstrate conformance through real
world testing.
Response. We appreciate the comments and note that electronic case
reporting is subject to the Real World Testing Condition and
Maintenance of Certification requirements at Sec. 170.405(a). However,
we note that developers of certified Health IT Modules subject to real
world testing have extensive flexibility to design real world testing
approaches that meet requirements established in Sec.
170.405(b)(1)(iii). We decline to establish specific requirements for
real world testing plans beyond what is established in Sec.
170.405(b)(1)(iii) for electronic case reporting currently. We also
note that our requirement for Health IT Modules certifying to Sec.
170.315(f)(5)(ii) to use either the FHIR-based or CDA-based IG is
intended to facilitate interoperability and should not necessitate
support for multiple formats to receive RR messages. Several commenters
were concerned about receiving RRs in a different standard than the
sent eICR, and we encourage the reporters to work with PHAs and
intermediaries to limit the potential differentiation in standards used
for eICR and RR, and to consider the use of potential solutions that
could convert the eICR or RR into the corresponding standard.
We have finalized the revised criterion for electronic case
reporting in Sec. 170.315(f)(5) with modifications. First, we have
finalized a modification of the proposed description in Sec.
170.315(f)(5) from ``an electronic case report'' to ``a case report for
electronic transmission'' consistent with the prior functional
criterion in Sec. 170.315(f)(5). Second, we have modified the date
from December 31, 2024 to December 31, 2025 for certification to the
existing functional criterion, which is now specified in Sec.
170.315(f)(5)(i) Functional electronic case reporting. For the
standards-based version of the criterion in Sec. 170.315(f)(5) and
specified in Sec. 170.315(f)(5)(ii) Standards-based electronic case
reporting, we have finalized a modification to the proposed regulation
text to reference the Reportable Conditions Trigger Code value set in
Sec. 170.205(t)(4) without including the reference to the HL7 FHIR eCR
IG in Sec. 170.315(f)(5)(ii)(A). We have finalized a modification to
the proposed regulation text as described above to reference only the
HL7[supreg] CDA[supreg] eICR IG in Sec. 170.315(f)(5)(ii)(B)(2). We
have finalized a modification to the proposed regulation text for the
capabilities described in Sec. 170.315(f)(5)(ii)(C) by adding ``as
determined by the standard used in (f)(5)(ii)(B) of this section.''
Finally, we have finalized a modification to Sec. 170.315(f)(5)(ii)(D)
to modify ``capable of receiving an electronic case report'' as
follows: ``Transmit a case report electronically to a system capable of
receiving a case report.''
5. Decision Support Interventions and Predictive Models
Since 2010, the Program has maintained a CDS certification
criterion, consistent with the qualified electronic health record
definition in section 3000(13) of the PHSA, which defines a qualified
EHR as an electronic record of health-related information on an
individual that has the capacity to ``provide clinical decision
support'' (42 U.S.C. 300jj(13)(B)(i)). The initial requirements for the
CDS certification criterion were intended to ensure that Health IT
Modules would support broad categories of CDS while being agnostic
toward the intended use of the CDS beyond drug-drug and drug-allergy
interaction checks (75 FR 2046).
In 2012, ONC established a new set of requirements for Health IT
Modules to support CDS. These requirements included capabilities to
support evidence-based CDS based on a defined set of data elements; CDS
configuration for both inpatient and ambulatory settings; and the
display of source attribute or bibliographic citation of CDS (77 FR
54212). These requirements were largely based on recommendations made
by ONC's Health Information Technology Policy Committee (HITPC) \53\
from 2011 recommending ONC require Health IT Modules support CDS,
including: (1) display source or citation of CDS; (2) be configurable
based on patient context (e.g., inpatient, outpatient, problems, meds,
allergies, lab results); (3) be presented at a relevant point in
clinical workflow; (4) include alerts presented to users who can act on
alerts (e.g., licensed professionals); and (5) be integrated with the
EHR (i.e., not standalone). In the 2015 Edition Final Rule, ONC
finalized an updated CDS criterion in Sec. 170.315(a)(9) (80 FR
62622).
---------------------------------------------------------------------------
\53\ Health Informational Technology Policy Committee (HITPC)
Transmittal Letter to the National Coordinator. June 2011. https://www.healthit.gov/sites/default/files/facas/hitpc-stage-2-mu-recommendations.pdf#page=4.
---------------------------------------------------------------------------
Since the CDS criterion was first adopted in Sec. 170.315(a)(9),
health IT implementation and technology resources used to support
clinical decision-making have continued to evolve and expand across the
health IT ecosystem. Within healthcare today, predictive models are
increasingly being used and relied upon to inform an array of decision-
makers, including clinicians, payers, researchers, and individuals, and
to aid decision-making through CDS.\54\ In many cases, Health IT
Modules are key components of these predictive models, often providing
the data used to build and train algorithms and serving as the vehicle
to influence day-to-day decision-making.\55\ Both
[[Page 1232]]
structured and unstructured data generated by, and subsequently made
available through, certified Health IT Modules power the training and
real-world use of predictive models. Developers of certified health IT
also create and deploy predictive algorithms or models for use in
production environments through their Health IT Modules and,
increasingly, such developers also enable other parties, including
third-party developers and the developer of certified health IT's
customers, to create and deploy predictive models through the
developer's Health IT Modules.56 57 In turn, certified
Health IT Modules are often the vehicle or delivery mechanism for
predictive model outputs to reach users, such as clinicians, through
clinical decision support.58 59
---------------------------------------------------------------------------
\54\ See, e.g., American Hospital Association. ``Surveying the
AI Health Care Landscape'' 2019. https://www.aha.org/system/files/media/file/2019/10/Market_Insights_AI-Landscape.pdf; Darshali A
Vyas, et al., Hidden in plain sight--reconsidering the use of race
correction in clinical algorithms Sec. 383 (Mass Medical Soc 2020);
Fact Versus Fiction: Clinical Decision Support Tools and the
(Mis)use of Race. (2021); Goldhill, Olivia. Artificial intelligence
can now predict suicide with remarkable accuracy, Quartz, (July
2022), https://qz.com/1001968/artificial-intelligence-can-now-predict-suicide-with-remarkable-accuracy/ (discussing the use of ML
algorithms to predict and prevent suicide).
\55\ See, e.g., Burdick, Hoyt, et al. ``Effect of a sepsis
prediction algorithm on patient mortality, length of stay and
readmission: a prospective multicentre clinical outcomes evaluation
of real-world patient data from US hospitals.'' BMJ health & care
informatics 27.1 (2020).
\56\ Landi, H. Epic taps Microsoft to accelerate generative AI-
powered `copilot' tools to help clinicians save time. Fierce
Healthcare. August 22, 2023 https://www.fiercehealthcare.com/ai-and-machine-learning/epic-expands-ai-partnership-microsoft-rolls-out-copilot-tools-help.
\57\ See 88 FR 23860 where we discuss that a production
environment is generally understood as being the setting where
health IT is implemented, run, and relied on by end users in day-to-
day conduct of their profession (such as medicine, nursing, or
pharmacy) or other business (such as a payer processing healthcare
reimbursement claims or a patient managing their health and care).
\58\ Fox, A. NextGen introduces AI-enabled ambient listening
that syncs with EHR. Healthcare IT News. October 11, 2023. https://www.healthcareitnews.com/news/nextgen-introduces-ai-enabled-ambient-listening-syncs-ehr.
\59\ Miliard, M. Oracle Cerner adds generative AI to its EHR
platforms. September 19, 2023. https://www.healthcareitnews.com/news/oracle-cerner-adds-generative-ai-its-ehr-platforms.
---------------------------------------------------------------------------
The National Academy of Medicine (NAM) described in a 2019 report
how predictive models and other forms of artificial intelligence (AI)
have the potential to represent the ``payback'' of using health IT ``by
facilitating tasks that every clinician, patient, and family would
want, but are impossible without electronic assistance.'' \60\ The NAM
report also identified a crucial ``need to present each health care AI
tool along with the spectrum of transparency related to the potential
harms and context of its use. Evaluating and addressing appropriate
transparency, in each sub-domain of data, algorithms, and performance,
and systematically reporting it, must be a priority.'' \61\
---------------------------------------------------------------------------
\60\ Michael Matheny, et al., Artificial intelligence in health
care: the hope, the hype, the promise, the peril, Washington, DC:
National Academy of Medicine (2019).
\61\ Id.
---------------------------------------------------------------------------
In November 2020, the Office of Management and Budget released a
Memorandum for the Heads of Executive Departments and Agencies on
Guidance for Regulation of Artificial Intelligence Applications, which
directed that ``[w]hen considering regulations or policies related to
AI applications, agencies should continue to promote advancements in
technology and innovation, while protecting American technology,
economic and national security, privacy, civil liberties, and other
American values, including the principles of freedom, human rights, the
rule of law, and respect for intellectual property.'' \62\ This was
followed by an executive order in December 2020, E.O. 13960 Promoting
the Use of Trustworthy Artificial Intelligence in the Federal
Government.\63\ The executive order stated: ``The ongoing adoption and
acceptance of AI will depend significantly on public trust. Agencies
must therefore design, develop, acquire, and use AI in a manner that
fosters public trust and confidence while protecting privacy, civil
rights, [and] civil liberties[.]'' (85 FR 78939).
---------------------------------------------------------------------------
\62\ OMB--EOP--Memorandum for the Heads of Executive Departments
and Agencies on Guidance for Regulation of Artificial Intelligence
M-21-06, p. 6 (Nov. 17, 2020).
\63\ E.O. No. 13960, 85 FR 78939: https://www.federalregister.gov/documents/2020/12/08/2020-27065/promoting-the-use-of-trustworthy-artificial-intelligence-in-the-federal-government.
---------------------------------------------------------------------------
In June 2021, the Government Accountability Office (GAO) published
Artificial Intelligence: An Accountability Framework for Federal
Agencies and Other Entities, which specifically outlined key principles
and actions ``[t]o help entities promote accountability and responsible
use of AI systems.'' This included outlining four principles for the
framework, including governance, data, performance, and monitoring.\64\
---------------------------------------------------------------------------
\64\ GAO, Artificial Intelligence: An Accountability Framework
for Federal Agencies and Other Entities: (June 2021), https://www.gao.gov/assets/gao-21-519sp.pdf. See generally Artificial
Intelligence in Health Care: Benefits and Challenges of Technologies
to Augment Patient Care, (Nov. 2020), https://www.gao.gov/products/gao-21-7sp.
---------------------------------------------------------------------------
In September 2022, the Biden-Harris Administration published
Principles for Enhancing Competition and Tech Platform Accountability,
which included a principle related to stopping discriminatory
algorithmic decision-making.\65\ In October 2022, the Biden-Harris
Administration published a Blueprint for an AI Bill of Rights, which
outlines five principles, informed by public input, that should guide
the design, use, and deployment of automated systems to protect the
American public in the age of AI. These principles are safe and
effective systems; algorithmic discrimination protections; data
privacy; notice and explanation; and human alternatives, consideration,
and fallback.\66\
---------------------------------------------------------------------------
\65\ See White House, Principles for Enhancing Competition and
Tech Platform Accountability, Sept. 8, 2022, https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/08/readout-of-white-house-listening-session-on-tech-platform-accountability/.
\66\ See White House, Blueprint for an AI Bill of Rights
(October 4, 2022), https://www.whitehouse.gov/ostp/ai-bill-of-rights/.
---------------------------------------------------------------------------
On February 16, 2023, E.O. 14091, Further Advancing Racial Equity
and Support for Underserved Communities Through the Federal Government,
was issued (88 FR 10825-10833).\67\ E.O. 14091 builds upon previous
equity-related executive orders, including E.O. 13985.\68\ Section 1 of
E.O. 14091 requires the Federal Government to ``promote equity in
science and root out bias in the design and use of new technologies,
such as artificial intelligence.'' Section 8, subsection (f) of E.O.
14091 requires agencies to consider opportunities to ``prevent and
remedy discrimination, including by protecting the public from
algorithmic discrimination.''
---------------------------------------------------------------------------
\67\ E.O. 14091, 88 FR 10825-10833: https://www.federalregister.gov/documents/2023/02/22/2023-03779/further-advancing-racial-equity-and-support-for-underserved-communities-through-the-federal. See https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/.
\68\ E.O. 13985, 88 FR 7009: https://www.federalregister.gov/documents/2021/01/25/2021-01753/advancing-racial-equity-and-support-for-underserved-communities-through-the-federal-government.
---------------------------------------------------------------------------
Finally, on October 30, 2023, E.O. 14110, Safe, Secure, and
Trustworthy Development and Use of Artificial Intelligence, was issued
to ensure that America leads the way in seizing the promise and
managing the risks of AI.\69\ This E.O. established directives and
priorities for this emerging technology, including, standards for AI
safety and security. E.O. 14110 supports responsible AI development and
use in healthcare, specifically, and directs HHS to issue a strategic
plan on responsible deployment and use of AI and AI-enabled
technologies in the health and human services sector that includes
``development, maintenance, and availability of documentation to help
users determine appropriate and safe uses of AI in local settings in
the health and human services sector;'' (Section 8, subsection
(b)(i)(E)). It likewise directs the Secretary of HHS to develop a
strategy to ``determine
[[Page 1233]]
whether AI-enabled technologies in the health and human services sector
maintain appropriate levels of quality, including, as appropriate, in
the areas described in subsection (i) of this section. This work shall
include the development of AI assurance policy--to evaluate important
aspects of the performance of AI-enabled healthcare tools--and
infrastructure needs for enabling premarket assessment and post-market
oversight of AI-enabled healthcare-technology algorithmic system
performance against real-world data (Section 8, subsection (b)(ii)). In
addition, E.O. 14110 directs HHS to establish a safety program to
receive reports of--and act to remedy--harms or unsafe healthcare
practices involving AI (Section 8, subsection (b)(iv)).\70\
---------------------------------------------------------------------------
\69\ E.O. 14110. 88 FR 75191: https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence.
\70\ In addition to the E.O., on November 1, the Office of
Management and Budget (OMB) released draft guidance for federal
agencies, ``Advancing Governance, Innovation, and Risk Management
for Agency Use of Artificial Intelligence'' available at: https://ai.gov/wp-content/uploads/2023/11/AI-in-Government-Memo-Public-Comment.pdf.
---------------------------------------------------------------------------
A growing body of peer-reviewed evidence, technical and socio-
technical expert analyses, and government activities and reports focus
on ensuring that the promise of AI and machine learning can equitably
accelerate advancements in healthcare to improve the health and well-
being of the American public.\71\ The Department has a longstanding
interest in understanding and addressing concerns about negative,
adverse, or harmful consequences that may result from the use of
digital data or information about individuals' health (including data
analytics), including historically, their use in computerized decision-
making.\72\ As such, we proposed in the HTI-1 Proposed Rule (88 FR
23774-23811) to incorporate new requirements into the Program for
Health IT Modules that support the execution of AI or machine learning-
based technology in support of decision-making as part of the revised
CDS criterion in Sec. 170.315(b)(11). These requirements align with
the Federal Government's efforts to promote trustworthy AI and the
Department's stated policies on advancing equity in the delivery of
health and human services.\73\
---------------------------------------------------------------------------
\71\ We discuss additional federal and HHS activities--including
activities resulting from the executive orders--in the subsection
below entitled ``Relationship to Other Federal Agencies' Relevant
Activities, Interests, and Regulatory Authority.''
\72\ See e.g., U.S. Dep't. of Health, Education, & Welfare
(HEW), Secretary's Advisory Committee on Automated Personal Data
Systems, Records, Computers, and the Rights of citizens viii (1973)
https://aspe.hhs.gov/report/records-computers-and-rights-citizens
https://aspe.hhs.gov/report/records-computers-and-rights-citizens
(The origination of the code of fair information practices, more
commonly known as the fair information practice principles (FIPPs)).
\73\ HHS, Statements on New Plan to Advance Equity in the
Delivery of Health and Human Services, April 14, 2022, https://www.hhs.gov/about/news/2022/04/14/hhs-statements-on-new-plan-advance-equity-delivery-health-human-services.html.
---------------------------------------------------------------------------
We believe that the continued evolution of decision support
software, especially as it relates to AI or machine learning-driven
Predictive DSIs, necessitates new requirements for the Program's CDS
criterion. We therefore proposed requirements for new sets of
information that are necessary to guide decision-making based on
outputs (e.g., recommendations) from Predictive DSIs, such as an
expanded set of ``source attributes'' and information related to how
risk is managed by developers of certified health IT (88 FR 23775). We
believe that these new sets of information will provide appropriate
information to help guide decisions at the time and place of care,
consistent with 42 U.S.C. 300jj-11(b)(4).
In the HTI-1 Proposed Rule (88 FR 23746), we provided an overview
of the history, current uses, and risks associated with predictive
algorithms and models in healthcare. We refer readers to section
III.C.5 of the HTI-1 Proposed Rule for the details of those discussions
(88 FR 23776 through 23781). We noted our goal with the proposals,
described herein and as aligned with our authority, was to assist in
addressing the gaps between the promise and peril of AI in health
articulated in the National Academy of Medicine report \74\ discussed
in the HTI-1 Proposed Rule (88 FR 23780).
---------------------------------------------------------------------------
\74\ Michael Matheny, et al., Artificial intelligence in health
care: the hope, the hype, the promise, the peril, Washington, DC:
National Academy of Medicine (2019).
---------------------------------------------------------------------------
Objectives of the Policies To Address Predictive Modeling in DSI
In the HTI-1 Proposed Rule at 88 FR 23780-23781, we noted that the
proposals for Sec. 170.315(b)(11) were intended to introduce much-
needed information transparency to address uncertainty regarding the
quality of Predictive DSIs that Health IT Modules certified to the
criterion in Sec. 170.315(b)(11) support. We noted that doing so would
equip potential users with sufficient information about how a
Predictive DSI was designed, developed, trained, and evaluated to
determine whether it was trustworthy (88 FR 23780). We proposed a dual
emphasis for transparency on (1) the technical and performance aspects
of Predictive DSIs and (2) the organizational competencies employed to
manage risks for Predictive DSIs. Together, this information would
support potential users in making better informed decisions about
whether and how to use Predictive DSIs in their decision-making given
the specifics of their context, patients, and needs. We noted that we
considered the information included in these proposed requirements as a
prerequisite to determine the quality of predictive models. We
explained that our proposals were not aimed at approving or
guaranteeing the quality of Predictive DSIs or the models on which they
are based. Instead, the proposals were intended to provide users and
the public with greater information, available in a consistent manner,
on whether a Predictive DSI is fair, appropriate, valid, effective, and
safe (FAVES). We anticipated that a long-term outcome of such
transparency would be increased public trust and confidence in
Predictive DSIs. As a result of new transparency, we anticipated that
users, including healthcare systems, clinicians, and patients, would be
able to expand the use of these technologies in safer, more
appropriate, and more equitable ways.
We did not propose to establish or define regulatory baselines,
measures, or thresholds for FAVES (88 FR 23780). Instead, we proposed
to establish requirements in Sec. 170.315(b)(11) to make information
available that would enable users, based on their own judgment, to
determine if a Predictive DSI, that is supported by a Health IT Module,
is acceptably fair, appropriate, valid, effective, and safe. We
conveyed our understanding that numerous and parallel efforts led by
industry groups and academia were developing methods to evaluate
Predictive DSIs for fairness, appropriateness, validity, effectiveness,
and safety, among other kinds of evaluations. Moreover, we noted that
we understood that these efforts were also identifying means to
communicate measures of FAVES through model cards,\75\ model nutrition
labels,\76\ datasheets,\77\ data cards,\78\ or algorithmic audits.\79\
However, we also
[[Page 1234]]
noted that these efforts lacked consensus and have not been widely or
consistently implemented to date. We described that we thought it would
be premature to propose requirements for specific measures or
thresholds for FAVES. Rather, we stated that the proposed requirements
would enable consistent and routine access to technical and performance
information specifically relevant to FAVES, which would support users
in making informed decisions about whether and how to use Predictive
DSIs. While we stressed that transparency regarding the technical and
performance dimensions of Predictive DSIs was needed, we also believed
that transparency regarding the organizational and socio-technical
competencies employed by those who develop Predictive DSIs was
foundational for users to determine whether their Predictive DSI is
FAVES. Therefore, in addition to the proposed requirements for
Predictive DSI-specific source attributes, we also proposed that
developers of certified health IT with Health IT Modules that enable or
interface with Predictive DSIs employ or engage in intervention risk
management practices, subsequently making summary information about
these practices publicly available.\80\ We proposed three intervention
risk management practices: (1) risk analysis, (2) risk mitigation, and
(3) governance (88 FR 23780). Overall, we identified these as practices
that promote transparency regarding how the developer of certified
health IT analyzes and mitigates risks at the organization level,
including proposals that would have such developers establish policies
and implement controls for governance, inclusive of how data are
acquired, managed, and used in Predictive DSIs. Together, transparency
regarding the technical and performance details of a Predictive, as
well as the organizational competencies of the developer of certified
health IT to manage risks for a Predictive DSI, were intended to
contribute to the trustworthiness of these emerging and important
technologies.
---------------------------------------------------------------------------
\75\ Mitchell, Margaret, et al. ``Model cards for model
reporting.'' Proceedings of the conference on fairness,
accountability, and transparency. 2019.
\76\ Sendak MP, Gao M, Brajer N, Balu S. Presenting machine
learning model information to clinical end users with model facts
labels. NPJ Digit Med. 2020 Mar 23;3:41. Doi: 10.1038/s41746-020-
0253-3.
\77\ Gebru, Morgenstern, Vecchione, et al, Datasheets for
Datasets, https://arxiv.org/abs/1803.09010.
\78\ FaccT `22: 2022 ACM Conference on Fairness, Accountability,
and Transparency (June 2022) Pages 1776-1826, https://dl.acm.org/doi/proceedings/10.1145/3531146.
\79\ See lag Guszcza, et al., Why We Need to Audit Algorithms.
Harvard Business Review. Nov. 28, 2018. https://hbr.org/2018/11/why-we-need-to-audit-algorithms; Xiaoxuan Liu, et al., The medical
algorithmic audit, The Lancet Digital Health (2022). See generally
Outsider Oversight: Designing a Third-Party Audit Ecosystem for AI
Governance, ID Raji, P Xu, C Honigsberg, D Ho--Proceedings of the
2022 AAAI/ACM Conference on AI, 2022, https://dl.acm.org/doi/pdf/10.1145/3514094.3534181.
\80\ Public availability and transparency aims align with the
OSTP Memorandum to federal departments and agencies (August 2022):
``Ensuring Free, Immediate, and Equitable Access to Federally Funded
Research'' https://www.whitehouse.gov/wp-content/uploads/2022/08/08-2022-OSTP-Public-access-Memo.pdf.
---------------------------------------------------------------------------
We noted at 88 FR 23780-23781 that the proposed requirements for
the certification criterion in Sec. 170.315(b)(11) also supported
health equity by design,\81\ for example, (1) emphasizing transparency
regarding the use of specific data elements relevant to health equity
\82\ in Predictive DSIs; (2) enabling users to review whether and how
the Predictive DSI was tested for fairness; and (3) enabling
transparency about how developers of certified health IT manage risks
related to fairness for the Predictive DSIs their Health IT Modules
enable or interface with.
---------------------------------------------------------------------------
\81\ See ``Embracing Health Equity by Design'' ONC, February
2022: https://www.healthit.gov/buzz-blog/health-it/embracing-health-equity-by-design.
\82\ See HHS's Strategic Approach to Addressing Social
Determinants of Health to Advance Health Equity--At a Glance (April
2022), https://aspe.hhs.gov/sites/default/files/documents/aabf48cbd391be21e5186eeae728ccd7/SDOH-Action-Plan-At-a-Glance.pdf.
---------------------------------------------------------------------------
At 88 FR 23781, we noted our belief that the existing scope and
structure of the Program were fit for these purposes because the
Program has existing requirements to make information transparent
regarding the authorship, bibliography, and other kinds of ``source
attribute'' information for evidence-based decision support and linked
referential intervention types (at Sec. 170.315(a)(9)(v)(A) and (B),
respectively). We proposed to build on these requirements so that
developers of certified health IT with Health IT Modules certified to
Sec. 170.315(b)(11) would need to enable user review of evidence-based
and Predictive DSIs within their certified products, and to disclose
approach(es) to intervention risk management in a publicly accessible
manner. Together, we said these requirements would have an important
impact on the Department's efforts to address disparities and bias that
may be propagated through DSIs. Consequently, we hoped to enhance
market transparency and encourage trust across the software development
life cycle (SDLC) of DSIs in healthcare. We said this transparency
would serve as a foundation for establishing consistency in information
availability, improving overall data stewardship, and guiding the
appropriate use of data derived from health information about
individuals.
At 88 FR 23781, we noted that we were intentional regarding the
level of prescriptiveness in our proposals because these are nascent
technologies with enormous potential benefit. Thus, we sought to
establish appropriate guardrails for information transparency about
Predictive DSIs that do not undercut the value that could be offered to
patients and clinicians from such promising technologies.
Comments. Commenters were largely supportive of our DSI proposals
but mixed in their support of the specifics of the DSI certification
criterion we proposed in Sec. 170.315(b)(11). Most commenters stated
that our proposals would increase transparency and accountability,
enhance trustworthiness in AI and machine learning-driven decision
support tools, and promote risk management by developers of certified
health IT. Several commenters stated that these benefits would lead to
equitable access to healthcare, contribute to reducing health
disparities during provider-patient encounters, increase user and
patient trust, and enhance patient experience. Commenters commended
ONC's efforts to prevent bias and discriminatory outcomes driven by
DSIs and noted that a regulatory framework must be created whereby
tools are appropriately tested and vetted during their development, and
products are labeled to provide users with essential information.
Several commenters applauded our effort to address transparency of
rapidly evolving AI in healthcare. Commenters noted that adding new
requirements for transparency around DSI applications' technical
information, risk management processes, and real-world testing are all
foundational steps in establishing these tools' safe and effective use.
Several commenters agreed with our proposal that biases in the data and
algorithms underlying AI or machine learning could negatively impact
certain subpopulations and supported more rigorous evaluation of such
tools to ensure that they are fair, effective, and support improved
outcomes for patient populations. Specifically, commenters remarked
that greater transparency, including about the datasets used to train a
Predictive DSI, would help avoid embedding bias in the system and help
improve efficiency. Several commenters noted that the HTI-1 Proposed
Rule would help lay the foundations for responsible, ethical AI
development in healthcare and for enhanced federal AI transparency and
will promote establishing necessary assurances for greater trust in AI
use. Commenters acknowledged that due to the leaps in technological
innovations, especially as it relates to predictive models, it is
necessary to have new requirements for the Program's CDS criterion.
Several commenters agreed that it is critical for the end user to
understand how a Predictive DSI is designed, developed, trained, and
evaluated; and how it should be used by the end-user.
[[Page 1235]]
Commenters approved of the proposal separately looking at risk
analysis, risk mitigation, and governance as essential tasks in
ensuring proper DSI development, management, and use. Commenters
observed that the proposal, if adopted, would provide the opportunity
for transparent, thoughtful decision-making by enabling users,
including medical practitioners, health care providers, and other
interested parties of AI and algorithmic tools to evaluate, disclose,
and mitigate risks that could impact patients. Lastly, commenters urged
ONC to be mindful that regulations on AI should not stifle innovation
or have a chilling effect on beneficial uses of this emerging tool, and
that we should seek to balance the risks and benefits to consumers of
the public availability of information with the need to protect certain
data to comply with the HIPAA Privacy Rule and limit adverse effects
from a clinical standpoint.
Response. We thank commenters for their broad support of our
proposals. We appreciate that many commenters understood our policy
objectives and agreed with our proposals to improve trustworthiness
through transparency in support of decision-making using AI machine
learning-driven tools. We agree with and thank commenters who noted
that greater transparency, including about the datasets used to train
Predictive DSI, would help avoid embedding bias in the system and help
improve efficiency. We are also mindful of the need to balance
prescriptiveness and flexibility in our requirements for developers of
certified health IT with Health IT Modules certified to Sec.
170.315(b)(11) and have made several modifications to our proposals,
described in detail in subsequent responses, to achieve this balance.
Comments. Several commenters expressed concern that the proposed
requirements were not strong enough to ensure DSIs are designed with
equity in mind and fully validated for all patient populations when
deployed and believed the HTI-1 Proposed Rule did not ensure developer
accountability. One commenter was concerned that the proposal did not
address or require equity testing across patient populations to limit
potential biases.
Response. We appreciate commenters concerns. We have finalized
several requirements that will help promote DSIs to be designed with
health equity in mind, and we have finalized specific requirements
related to performance measures of validity and fairness.\83\ Our
proposal sought to ensure that information would be available for users
to easily review whether a given model has been adequately validated
and tested for fairness before using it, as well as enable users to
understand if a DSI used data elements relevant to health equity, such
as race, ethnicity, and sexual orientation, among other data
elements.\84\ We clarify that nothing from our proposals nor our
finalized criterion would require a user of a Health IT Module
certified to Sec. 170.315(b)(11) to review source attributes, though
we also note that certain users may already have an existing obligation
to ensure compliance with non-discrimination requirements and comply
with applicable law.\85\
---------------------------------------------------------------------------
\83\ See Sec. 170.315(b)(11)(iv)(B)(v)(5)-(9).
\84\ See Sec. 170.315(b)(11)(iv)(A)(5)-(13).
\85\ See U.S. Dept of Health & Human Servs., Office for Civil
Rights, Notice of Proposed Rulemaking, Nondiscrimination in Health
Programs and Activities, 87 FR 47824, 47880 (Aug. 4, 2022), https://www.federalregister.gov/documents/2022/08/04/2022-16217/nondiscrimination-in-health-programs-and-activities (prohibiting
discrimination on the basis of race, color, national origin
(including limited English proficiency), sex (including sexual
orientation and gender identity), age, or disability in certain
health programs or activities through the use of clinical algorithms
in their decision-making); Title VI of the Civil Rights Act of 1964,
42 U.S.C. 2000d et seq. (prohibiting discrimination on the basis of
race, color, or national origin (including limited English
proficiency) in federally funded programs or activities); Title IX
of the Education Amendments of 1972, 20 U.S.C. 1681 et seq.
(prohibiting sex discrimination in federally funded education
programs or activities); the Age Discrimination Act of 1975, 42
U.S.C. 6101 et seq. (prohibiting age discrimination in federally
funded programs or activities); Section 504 of the Rehabilitation
Act of 1973, 29 U.S.C. 794 (prohibiting disability discrimination in
federally funded or federally conducted programs or activities); and
the Americans with Disabilities Act, 42 U.S.C. 12101 et seq.
(prohibiting disability discrimination by employers, state and local
government entities, and businesses that are open to the public,
among others).
---------------------------------------------------------------------------
Comments. A minority of commenters did not support the proposed
revised DSI certification criterion, noting that it was premature for
ONC to adopt policies related to AI or machine learning. Some
commenters expressed a belief that ONC's proposed revised DSI
certification criterion's requirements would exceed ONC's authority,
questioned whether ONC had the authority to impose non-quality or
efficacy criteria on Predictive DSI, and believed there was not
sufficient statutory support for the proposed revisions to DSI or
authority over non-certified software that is enabled by or interfaces
with certified health IT. In particular, commenters noted that ONC's
authority to adopt certification criteria is provided by section
3001(c)(5)(D) of the PHSA and that the HTI-1 Proposed Rule would make
changes to the architecture of health software used by thousands of
hospitals and health providers across the country, including software
that would not be directly part of the Program. Commenters also
requested that ONC address how each of its proposed changes fit within
the subcategories permitted by section 3001(c)(5)(D) of the PHSA.
Response. We disagree with commenters who believe that requirements
for AI or machine learning-driven decision support is premature. Given
the proliferation of such tools used in healthcare and supplied by
developers of certified health IT, we believe now is an opportune time
to help optimize the use and improve the quality of AI and machine
learning-driven decision support tools. Moreover, our statutory
authority to promulgate regulations to define certification criteria
for the Program is established in 42 U.S.C. 300jj-11(c)(5)(A) and
300jj-14(b). The authority in 42 U.S.C. 300jj-11(c)(5)(D) of the PHSA
was added by section 4002(a) of the Cures Act and is specific to
conditions of certification under the Program, which does not limit the
scope of the Program and, in fact, expanded the scope and applicability
of the Program with respect to developers of certified health IT.
Moreover, since 2010, the Program has included a certification
criterion related to decision support in response to the definition
established by Congress for qualified electronic health record, in 42
U.S.C. 300jj(13)(B)(i).\86\ At the time Congress included this specific
capability within the qualified electronic health record definition, it
did so without specific limits and in the context of the broader HITECH
Act, and subsequently the Cures Act, with the understanding that
technology changes over time and so too would certification criteria.
Finally, we note that our authority to propose and finalize revisions
to the Program's DSI criterion is consistent with 42 U.S.C. 300jj-
(c)(5) and fulfills several purposes enumerated by Congress in 42
U.S.C. 300jj-(b). The finalized requirements in Sec. 170.315(b)(11),
consistent with our authority, substantially focus on the
responsibilities of developers of certified health IT and the products
these developers bring forward for certification. Specifically, the
updated criterion includes new sets of information that are necessary
to guide
[[Page 1236]]
decision-making based on outputs (e.g., recommendations) from
Predictive DSIs, including:
---------------------------------------------------------------------------
\86\ ONC finalized in Sec. 170.304(e) the ``clinical decision
support'' certification criteria in the interim final rule, ``Health
Information Technology: Initial Set of Standards, Implementation
Specifications, and Certification Criteria for Electronic Health
Record Technology,'' January 13, 2010 (75 FR 2014).
---------------------------------------------------------------------------
An expanded set of ``source attributes'' in Sec.
170.315(b)(11)(iv);
Requirements for Health IT Modules to enable a limited set
of identified users to access complete and up-to-date plain language
descriptions of source attribute information in Sec.
170.315(b)(11)(v);
Requirements for intervention risk management practices to
be applied for each Predictive DSI supplied by the health IT developer
as part of its Health IT Module in Sec. 170.315(b)(11)(vi); and
Requirements for summary information related to how
intervention risk is managed to be publicly accessible in Sec.
170.523(f)(1)(xxi).
We believe that these new sets of information will provide
appropriate information to help guide decisions at the time and place
of care, consistent with 42 U.S.C. 300jj-11(b)(4). Additionally, our
finalized policies in Sec. Sec. 170.315(b)(11), 170.402(b)(4), and
170.523(f)(1)(xxi) will support several other Congressionally-
identified purposes that inform the National Coordinator's work in
carrying out their duties, including the duty identified in 42 U.S.C.
300jj-11(c)(5)(A). These additional purposes include 42 U.S.C. 300jj-
11(b)(2), ``improves health care quality, reduces medical errors,
reduces health disparities, and advances the delivery of patient-
centered medical care''; 42 U.S.C. 300jj-11(b)(8), ``facilitates health
and clinical research and health care quality''; 42 U.S.C. 300jj-
11(b)(10), ``promotes a more effective marketplace, greater
competition, greater systems analysis, increased consumer choice, and
improved outcomes in health care services''; and 42 U.S.C. 300jj-
11(b)(11), ``improves efforts to reduce health disparities.''
In consideration of all the public comments received, and aligned
with both the authorities granted by Congress and directives
established by several Executive Orders, we have finalized most of our
proposals for Sec. 170.315(b)(11) with modifications intended to align
and simplify technical requirements between evidence-based DSIs and
Predictive DSIs as well as to clarify: (1) the definition of Predictive
DSI in Sec. 170.102; (2) the scope of technologies considered to be an
evidence-based DSI for purposes of the Program; and (3) the scope of
source attribute information that must be accessible to users.
Specifically, we have finalized our proposals by significantly
narrowing the scope of requirements for Predictive DSI-related source
attributes and intervention risk management (IRM) practices to apply
only to Predictive DSIs supplied by the health IT developer as part of
its Health IT Module. In addition to the detailed section-by-section
final rule discussions, the following paragraphs summarize some of the
key policy determinations included in this final rule.
Additionally, in consideration of comments received and the scope
reductions we have made to this final certification criterion, we
determined that a supportive Maintenance of Certification requirement
as part of the Assurances Condition of Certification is necessary to
fully implement our policy objectives and proposals. Specifically, we
have finalized in this final rule an ``Assurances'' Maintenance of
Certification requirement at 45 CFR 170.402(b)(4) that starting January
1, 2025, and on an ongoing basis thereafter, health IT developers with
Health IT Modules certified to Sec. 170.315(b)(11) review and update
as necessary, source attribute information in Sec.
170.315(b)(11)(v)(A) and (B), risk management practices described in
Sec. 170.315(b)(11)(vi), and summary information provided through
Sec. 170.523(f)(1)(xxi). This reinforces a health IT developer's
ongoing responsibility to enable users to access complete and up-to-
date descriptions of DSI source attribute information at Sec.
170.315(b)(11)(v)(A) and (B) to review and update as necessary IRM
practices for all Predictive DSIs it supplies as part of its Health IT
Module, and to ensure the ongoing public availability of summary IRM
practice information as submitted to their ONC-ACB via hyperlink in
Sec. 170.523(f)(1)(xxi). We have finalized that developers with Health
IT Modules certified to Sec. 170.315(b)(11) will need to comply with
this Maintenance of Certification requirement starting January 1, 2025.
We added this Maintenance of Certification requirement to serve as a
discrete connection for developers of certified health IT with Health
IT Modules certified to Sec. 170.315(b)(11) to ensure that their
Health IT Modules have complete and up-to-date descriptions of source
attribute information and other required information, both at the time
of certification and on an ongoing basis while their Health IT Modules
are certified to Sec. 170.315(b)(11).
We have not finalized proposals related to the proposed Predictive
DSI attestation statement, and we will not require Health IT Modules
certified to Sec. 170.315(b)(11) to support linked referential DSIs or
related source attributes under the Program. Further, we have finalized
modifications to our proposal for IRM practices in Sec.
170.315(b)(11)(vi) and did not adopt the requirement for detailed
documentation we proposed in Sec. 170.315(b)(11)(vi)(B). The finalized
Sec. 170.315(b)(11)(vi) requires that IRM practices must be applied
for each Predictive DSI supplied by the health IT developer as part of
its Health IT Module, which is similar to how we described the proposal
in Sec. 170.315(b)(11)(vii)(A) in the HTI-1 Proposed Rule (88 FR
23798).
We have also finalized in Sec. 170.102, as proposed, the date for
which the requirements of Sec. 170.315(b)(11) must be satisfied for
Health IT Modules to meet the definition of Base EHR. This means that
proposed changes to the Base EHR definition in Sec. 170.102 that would
allow a Health IT Module to meet said definition if it has been
certified to Sec. 170.315(a)(9) or (b)(11) for the period up to and
including December 31, 2024, and Sec. 170.315(b)(11) on and after
January 1, 2025, have been finalized as proposed. This also means that
a developer of certified health IT with a Health IT Module certified to
Sec. 170.315(b)(11) must apply IRM practices for each Predictive DSI
supplied by the health IT developer as described in Sec.
170.315(b)(11)(vi) and submit summary information of their IRM
practices to its ONC-ACB via publicly accessible hyperlink according to
Sec. 170.523(f)(1)(xxi) before December 31, 2024. We note that we have
finalized, as discussed in section III.C.5.a.xiv, that the adoption of
the criterion at Sec. 170.315(a)(9) for purposes of the ONC Health IT
Certification Program expires on January 1, 2025.
Together, these modifications reflect feedback received from
numerous interested parties and are in response to both their support
and opposition to our proposals. They are also intended to simplify
Program requirements and support practical implementation of the
certification criterion by developers of certified health IT. We
elaborate on the details of these and other finalized policies more
fully in subsequent responses of this final rule.
a. Requirements for Decision Support Interventions (DSI) Certification
Criterion
i. Structural Revisions and New Criterion Categorization
We proposed at 88 FR 23782 through 23783 to adopt the certification
criterion ``decision support interventions,'' (DSI) in Sec.
170.315(b)(11) as a ``revised certification criterion'' according to
the
[[Page 1237]]
proposed definition in Sec. 170.102. The proposed criterion in Sec.
170.315(b)(11) was a revised version of 45 CFR 170.315(a)(9),
``clinical decision support (CDS).'' In Sec. 170.315(b)(11), we
proposed to adopt a substantially similar structure as is currently in
Sec. 170.315(a)(9). In the revised certification criterion at Sec.
170.315(b)(11), we proposed to modify the existing requirements in
Sec. 170.315(a)(9) to reflect an array of contemporary
functionalities, data elements, and software applications that
certified Health IT Modules support to aid decision-making in
healthcare. We proposed that the policies established in Sec.
170.315(a)(9)(i) through (iv) would be included as Sec.
170.315(b)(11)(i) through (iv) with modifications. We proposed to
introduce a new intervention type in Sec. 170.315(b)(11), Predictive
DSIs, with a corresponding definition in Sec. 170.102 for the term.
At 88 FR 23782, we discussed our rationale for these proposals and
stated our view that proposed Sec. 170.315(b)(11) reflected
functionality that is better categorized as part of the ``care
coordination certification criteria,'' as opposed to the ``clinical
certification criteria,'' supported by the Program. Hence, we proposed
to adopt the ``decision support intervention'' certification criterion
in the ``care coordination criteria'' section adopted within Sec.
170.315(b).
At 88 FR 23783, we proposed modifications to the Base EHR
definition in Sec. 170.102 to identify the dates when Sec.
170.315(b)(11) would replace Sec. 170.315(a)(9) in the Base EHR
definition. In keeping with the proposal to modify the Base EHR
definition in Sec. 170.102, we proposed that the adoption of Sec.
170.315(a)(9) as part of the Program would expire on January 1, 2025.
We noted that if we finalized these proposals, developers of certified
health IT with Health IT Modules certified to Sec. 170.315(a)(9) would
need to certify those Health IT Modules to Sec. 170.315(b)(11) in
order for those Health IT Modules to continue to meet the Base EHR
definition. Lastly, as a consequence of the proposed adoption of this
criterion in Sec. 170.315(b), we noted that developers of certified
health IT with Health IT Module(s) certified to Sec. 170.315(b)(11)
would be required to submit real world testing plans and corresponding
real world testing results, consistent with Sec. 170.405.
Comments. Commenters' support was split with respect to the
proposal to adopt the certification criterion naming update of
``decision support interventions,'' or DSI, for Sec. 170.315(b)(11) as
a ``revised certification criterion'' of 45 CFR 170.315(a)(9),
``clinical decision support'' (CDS). Commenters in support noted that
the proposal would promote greater trust in DSI and predictive models
through the Program. Commenters stated that distinguishing between CDS
and DSI was warranted and that with the technological advancements in
predictive analytics, AI, and machine learning, the certification
criterion needed to be updated to better reflect the market, and our
proposal reflected contemporary and emerging functions, uses, and data
elements. Commenters who did not support the proposal recommended
against renaming clinical decision support to decision support
interventions because they stated the term ``intervention'' has other
meanings within healthcare. Commenters suggested that retaining the
name ``clinical decision support'' aligns better with the clinical
decision support included in the legislative definition of a qualified
electronic health record.
Response. We appreciate commenters' support for our proposal and
agree that revising the existing CDS criterion in Sec. 170.315(a)(9)
as the DSI criterion in Sec. 170.315(b)(11) is reflective of how
decision support relies on increasing technological advancements in
predictive analytics, AI, and machine learning. We agree the Program
should be updated to reflect these advancements. While we appreciate
the concerns raised regarding renaming the criterion from Clinical
Decision Support to Decision Support Interventions, we note that the
term ``evidence-based decision support intervention,'' has been part of
the Program for nearly a decade, and we believe that removing
``clinical'' reflects the reality that Health IT Modules already
support a broad array of decision support beyond what has been
traditionally considered CDS. We also believe that the DSI criterion
will continue to support the legislative definition of a qualified
electronic health record as it has since the inception of the Program.
We note our discussion of the term ``intervention'' was described in 88
FR 23786 and that the Program's use of the term ``intervention'' is
different from ``clinical intervention'' as defined under FDA
regulation that includes a range of regulated products, such as a
medication or medical device. We discuss the term ``intervention'' in
more detail in subsequent responses.
Comments. Several commenters suggested that ONC make Predictive DSI
support a separate certification criterion from the existing ``clinical
decision support'' criterion to better facilitate it being on a more
extended timeframe for implementation and potentially impacting
different products, whereas other commenters were supportive of
revising the criterion to account for the rapid changes in this area of
health IT.
Response. We appreciate the comments, but we decline to create a
separate certification criterion for Predictive DSIs. We believe that
the current structure of the CDS criterion in Sec. 170.315(a)(9) is
suitable to be implemented in a revised version in Sec. 170.315(b)(11)
and that this approach is more straight-forward than having
substantially similar yet separate criteria. We have not extended the
timeframe for implementation from what we proposed because many of the
capabilities we have finalized in Sec. 170.315(b)(11) are
substantially similar to what already exists in Sec. 170.315(a)(9) and
because we have made other corresponding scope adjustments to the
finalized certification criterion. We agree with commenters who note
that technology is changing rapidly and there is a need for these
policies to be implemented on a more accelerated timeline from other
requirements in the HTI-1 Proposed Rule.
After consideration of these comments, we have finalized our
proposal to adopt the ``DSI certification criterion'' in Sec.
170.315(b)(11) as a ``revised certification criterion'' according to
the proposed definition in Sec. 170.102 and as part of the ``care
coordination certification criteria,'' in Sec. 170.315(b), including
paragraph (b)(11)(i), which remains unchanged from paragraph (a)(9)(i).
We have also finalized inclusion of the certification criterion at
Sec. 170.315(b)(11) as part of the Base EHR definition in Sec.
170.102, and that beginning January 1, 2025, the certification
criterion at Sec. 170.315(a)(9) would not be included in that
definition. Among the numerous standards and certification criteria
proposed for revision by the end of 2024, the certification criterion
in Sec. 170.315(b)(11) has been prioritized and finalized on the
proposed timeline. Based on public comment, we have lengthened the
implementation timeline for nearly every other standard and
certification criterion proposed in the HTI-1 Proposed Rule, as well as
made other timing adjustments that could impact prioritization for
Sec. 170.315(b)(11). We believe these final rule updates will give
developers of certified health IT time to focus on implementing the DSI
criterion at Sec. 170.315(b)(11).
Finally, as we noted in the HTI-1 Proposed Rule (88 FR 23783), as a
consequence of adopting this revised
[[Page 1238]]
criterion in Sec. 170.315(b), developers of certified health IT with
Health IT Module(s) certified to Sec. 170.315(b)(11) are required to
submit real world testing plans and corresponding real world testing
results, consistent with Sec. 170.405, demonstrating the real world
use of each type of DSI in Sec. 170.315(b)(11), including evidence-
based DSIs and Predictive DSIs. Finally, as we noted in the HTI-1
Proposed Rule (88 FR 23783), as a consequence of adopting this revised
criterion in Sec. 170.315(b), developers of certified health IT with
Health IT Module(s) certified to Sec. 170.315(b)(11) are required to
submit real world testing plans and corresponding real world testing
results, consistent with Sec. 170.405, demonstrating the real-world
use of each type of DSI in Sec. 170.315(b)(11), including evidence-
based DSIs and Predictive DSIs.
ii. Decision Support Configuration
At 88 FR 23783, we proposed in Sec. 170.315(b)(11)(ii) to
establish ``decision support configuration'' requirements based on what
is currently in Sec. 170.315(a)(9)(ii) with modifications and
additional requirements. To reflect ONC's focus on the USCDI and to
acknowledge the varied data for which DSIs may be enabled, we proposed
that data elements listed in Sec. 170.315(b)(11)(ii)(B)(1)(i) through
(iii) and (v) through (viii) be expressed according to the standards
expressed in Sec. 170.213, including the proposed USCDI v3. We
proposed to reference the USCDI in Sec. 170.315(b)(11)(ii)(B)(1) to
define the scope of the data ``at a minimum.'' We noted the intention
was to establish baseline expectations that Health IT Modules certified
to Sec. 170.315(b)(11) must be capable of supporting DSIs that use
those data elements listed in Sec. 170.315(b)(11)(ii)(B)(1). We did
not propose to establish requirements for specific interventions to be
supported, only that Health IT Modules certified to Sec.
170.315(b)(11) be capable of supporting interventions that use those
listed data elements. This proposed requirement was framed to pertain
to both evidence-based DSIs and Predictive DSIs that would be enabled
by or interfaced with a certified Health IT Module, including any
Predictive DSIs that were developed by users of the certified Health IT
Module. We proposed to adopt in Sec. 170.315(b)(11) the existing
reference in Sec. 170.315(a)(9)(ii)(B)(1)(iv) to demographic data in
Sec. 170.315(a)(5)(i).
Additionally, at 88 FR 23783 we proposed to include two USCDI data
classes not currently found in Sec. 170.315(a)(9)(ii)(B)(1). In Sec.
170.315(b)(11)(ii)(B)(1)(vii)-(viii), we proposed to include the Unique
Device Identifier(s) for a Patient's Implantable Device(s) and
Procedures data classes, respectively, as expressed in the standards in
Sec. 170.213, including the proposed USCDI v3. We proposed to require
that Health IT Modules would support data from the Procedures data
class and the Unique Device Identifier(s) for a Patient's Implantable
Device(s) data class as an input to DSIs. We invited comment on the
additional data classes described in Sec.
170.315(b)(11)(ii)(B)(1)(vii).
At 88 FR 23784, we proposed to adopt in Sec. 170.315(b)(11)(ii)(C)
a new functionality to enable users to provide electronic feedback data
based on the information displayed through the DSI. We proposed that a
Health IT Module certified to Sec. 170.315(b)(11) must be able to
export such feedback data, including but not limited to the
intervention, action taken, user feedback provided (if applicable),
user, date, and location, so that the exported data could be associated
with other relevant data.
At 88 FR 23784, we proposed that such feedback data be available
for export by users for analysis in a computable format, so that it
could be associated with other relevant data. We noted that
``computable format,'' was consistent with current requirements in
Sec. 170.315(b)(10)(i)(D) for EHI Export, and we clarified that
``computable format'' is also referred to as ``machine readable,'' in
other contexts, which is not synonymous with ``digitally accessible.''
\87\ We did not propose to require specific formatting requirements for
such feedback mechanisms.
---------------------------------------------------------------------------
\87\ See also 85 FR 25879 discussion of machine readable.
---------------------------------------------------------------------------
Comments. The majority of commenters expressed support for the
proposal to define the scope of data and supported the inclusion of
USCDI v3 as the minimum set of data that should be included stating
that defining data elements according to the USCDI v3 standard would
have the benefit of improving transparency and increasing accuracy.
Commenters recommended ONC support alignment efforts with standards
development organizations (SDOs) and convene listening sessions with
DSI developers to align reporting efforts and to understand the
appropriate minimum base sets of data for DSI technology. One commenter
expressed concern that the proposal to include USCDI v3 data elements
was unclear and requested ONC clarify whether a Health IT Module must
support these data elements so external DSI solutions can be
integrated. One commenter expressed concern that the proposal for the
data to be expressed in the standards in Sec. 170.213 was unclear and
recommended including USCDI data elements individually within the
criterion for clarity on which elements would be required.
Response. We thank commenters for their support and feedback
received during the public comment period, and we have finalized
several proposals based on such feedback. We thank the commenter for
expressing their concern regarding our proposals to include the USCDI
v3. We did not propose to establish requirements for specific
interventions to be supported, only that Health IT Modules certified to
Sec. 170.315(b)(11) be capable of supporting interventions that use
those listed data elements (88 FR 23783). The criterion at Sec.
170.315(a)(9)(ii)(B)(1) listed many of the same types of information,
such as medications for example, but the criterion at Sec.
170.315(a)(9) did so without specifying a standard. As the result of
our finalizing references to the standards in Sec. 170.213, we have
provided clarity and better alignment with other certification criteria
in the Program. We appreciate the suggestion that we work with SDOs and
coordinate listening sessions with DSI developers. We will take these
suggestions under consideration for future work, including potential
future workshops, listening sessions, and advisory group task forces.
We have finalized Sec. 170.315(b)(11)(ii)(A) with a minor
modification to remove ``(e.g., system administrator)'' from that
provision (which is also in existing regulation text at Sec.
170.315(a)(9)(ii)(A)), as this example is unnecessary. We have also
finalized the list of data elements proposed at Sec.
170.315(b)(11)(ii)(B)(1) with the following modifications in
consideration of comments. We have moved the list from proposed Sec.
170.315(b)(11)(ii)(B)(1) and finalized the list at Sec.
170.315(b)(11)(iii)(A)(1) and finalized the list as proposed. We have
finalized the list of data elements in Sec. 170.315(b)(11)(iii)(A)(1)
because they establish a scope for evidence-based DSIs that must be
supported by Health IT Modules certified to Sec. 170.315(b)(11) as
well as scope the evidence-based DSIs that are subject to requirements
in Sec. 170.315(b)(11)(v). Including the list in Sec.
170.315(b)(11)(iii)(A)(1) is intended to make this connection clearer.
We note that elsewhere in this final rule we have finalized an
expiration date in Sec. 170.213 for USCDI v1 to occur on January 1,
2026. Consistent with the applicable dates for the versions of the
[[Page 1239]]
USCDI in Sec. 170.213, this means Health IT Modules certified to Sec.
170.315(b)(11) need only support the listed data elements according to
the USCDI v1 standard until this time. A Health IT Module certified to
Sec. 170.315(b)(11) may support the data elements according to the
USCDI v3 standard adopted in Sec. 170.213 as of the effective date of
this final rule. On and after January 1, 2026, Health IT Modules
certified to Sec. 170.315(b)(11) must support those listed data
elements according to the USCDI v3 standard consistent with Sec.
170.213.
We have also finalized Sec. 170.315(b)(11)(ii)(B)(2) as Sec.
170.315(b)(11)(ii)(B) due to the corresponding shift of the list of
evidence-based DSI-related data elements noted above. We did not
propose any changes to Sec. 170.315(b)(11)(ii)(B) in transposing the
proposed regulatory text from the regulation text at Sec.
170.315(a)(9)(ii)(B)(2), and we have finalized regulation text proposed
at Sec. 170.315(b)(11)(ii)(B)(2) using existing language found at
Sec. 170.315(a)(9)(ii)(B)(2) at Sec. 170.315(b)(11)(ii)(B).
Comments. Commenters generally expressed support for the proposal
at Sec. 170.315(b)(11)(ii)(C) to enable users to provide electronic
feedback based on the information displayed through the DSI and
applauded including human-readable display. However, there was concern
among many commenters regarding the details of this proposal, including
requirements that Health IT Modules must be able to export feedback
data, including but not limited to the intervention, action taken, user
feedback provided (if applicable), user, date, and location, so that
the exported data can be associated with other relevant data. These
concerns were generally related to how these requirements would impact
usability, user interfaces, and ongoing innovation of decision support
tools. Specific commenters noted that capturing the ``action taken,''
by a user would be particularly problematic and would degrade DSI to
simple ``yes/no'' designs.
Commenters suggested that we should limit the requirements to DSIs
directly implemented by a developer of certified health IT and limit
the requirements to interruptive alerts, because passive alerts cannot
have associated user actions. Other commenters recommended the
functionality to enable ``feedback loops'' be optional for users and
that the requirement pertain to evidence-based DSIs exclusively.
Response. We appreciate the comments and thank commenters for their
recommendations. We noted in the HTI-1 Proposed Rule that this is the
second time we have proposed a functionality that would require a
Health IT Module to enable a user to provide electronic feedback, also
referred to as the capability to support ``feedback loops,'' on the
performance of DSIs implemented at the point of care (88 FR 23783). We
note that in our 2015 Edition Proposed Rule, we proposed to adopt new
functionality that would require a Health IT Module certified to the
CDS criterion in Sec. 170.315(a)(9) to be able to record at least one
action taken, and by whom it was taken, when a CDS intervention is
provided to a user (e.g., whether the user viewed, accepted, declined,
ignored, overrode, provided a rationale or explanation for the action
taken, took some other type of action not listed here, or otherwise
commented on the CDS intervention) (80 FR 16821). At the time, many
commenters stated that current systems already provided a wide range of
functionality to enable providers to document decisions concerning CDS
interventions and that such functionality was unnecessary to support
providers participating in the EHR Incentive Programs (80 FR 62622).
However, subsequent research over the last seven years indicates that
``feedback loop'' functionality is not widely available across Health
IT Modules certified to the CDS criterion in Sec. 170.315(a)(9), but
that such functionality could be useful (88 FR 23784).
We appreciate the comments asking us to clarify to which DSI types
our proposals would pertain. We agree with commenters who indicated
that feedback loop functionality would be most appropriate for
evidence-based DSIs. We have finalized Sec. 170.315(b)(11)(ii)(C) to
make clear that this functionality would only be required to apply to
evidence-based decision support interventions. We decline to limit this
functionality to interruptive alerts only, but we believe that
interruptive alerts can be improved if user feedback data is applied to
make such interruptions more meaningful.
While we are receptive to concerns regarding usability, we do not
believe that the finalized requirements to enable a user to provide
electronic feedback on evidence-based DSIs constrain or hinder
usability or would lead to CDS degradation because this electronic
feedback data can be gathered in ways that are non-disruptive to users
and we believe our requirements are sufficiently flexible to enable a
user to provide feedback in a manner appropriate to their workflow.
Furthermore, we note that while Health IT Modules must support the
capability at Sec. 170.315(b)(11)(ii)(C) in order to demonstrate
conformance to the certification criterion, a user still needs to
choose to implement such functionality. A user would not be required to
provide feedback; rather, the capability to enable a user to provide
electronic feedback is what must be included within the Health IT
Module.
We clarify that only evidence-based DSIs that are actively
presented to users in clinical workflow to enhance, inform, or
influence decision-making related to the care a patient receives must
be supported by the ``feedback loop'' functionality described in Sec.
170.315(b)(11)(ii)(C). We believe that scoping the requirement for
feedback loops to these kinds of evidence-based DSIs would be both
appropriate to the goal of enabling ongoing quality improvement of
DSIs, as discussed on 88 FR 23784-23785, and feasible for Health IT
Modules to support. We also clarify that a Health IT Module must be
able to make available feedback data to a limited set of identified
users for export in a computable format. This clarifies that while the
Health IT Module must enable any user to provide electronic feedback,
the Health IT Module is not required to export this feedback data to
any user; rather, such an export of feedback data must be available to
a limited set of identified users.
As it relates to concerns regarding the ``action taken,''
requirement, we note that the action taken will be specific to the
intended use of the evidence-based DSI. Actions could include whether
the user viewed, accepted, declined, ignored, overrode, or modified the
DSI in some way. At this time, we decline to require an enumerated list
of ``actions taken'' be supported. We believe that developers of
certified health IT and their customers are better positioned to
determine the range of actions that are appropriate as part of feedback
data.
iii. Evidence-Based Decision Support Interventions
In the HTI-1 Proposed Rule, we proposed at 88 FR 23784 to establish
``evidence-based decision support interventions'' at Sec.
170.315(b)(11)(iii), with a minor revision to current requirements that
are part of the CDS criterion in Sec. 170.315(a)(9)(iii). We explained
that this proposal would replace the current construct in Sec.
170.315(a)(9)(iii), which states a Health IT Module must enable
evidence-based decision support interventions ``based on each one and
at least one combination of'' the data referenced in paragraphs
[[Page 1240]]
Sec. 170.315(a)(9)(ii)(B)(1)(i) through (vi). We proposed that Health
IT Modules supporting evidence-based DSIs must have the ability to
support ``any,'' meaning all, of the revised data referenced in
paragraphs of proposed Sec. 170.315(b)(11)(ii)(B)(1)(i) through
(viii). We noted this proposal would broaden the scope of data elements
that Health IT Modules must support when enabling evidence-based DSIs
to include 15 data elements expressed by the standards in Sec.
170.213, including USCDI v3, which we proposed to adopt in Sec.
170.213(b) elsewhere in the HTI-1 Proposed Rule. The HTI-1 Proposed
Rule did not prescribe the intended use of the evidence-based DSI.
Rather, the proposed subparagraph at Sec. 170.315(b)(11)(iii), in
combination with the data referenced in Sec. 170.315(b)(11)(ii)(B)(1),
represented the scope of evidence-based DSIs and scope of data that
Health IT Modules certified to Sec. 170.315(b)(11) should enable for
purposes of certification under our Program.
Comments. Commenters were generally evenly split on their support
for the proposal to establish ``evidence-based decision support
interventions,'' with a minor revision to current requirements that are
part of the CDS criterion in Sec. 170.315(a)(9)(iii), with those in
support noting that it would ensure that decision support systems are
founded on the latest scientific research and clinical guidelines and
assist healthcare professionals in making informed and effective
choices that are supported by robust evidence. One commenter
appreciated that we differentiated between predictive and evidence-
based DSIs to support decision-making. One commenter noted that they
believed it is critical that ONC account for the needs of clinical
guideline developers so that undue burdens are not placed on the
guideline development process as DSI tools are developed and
implemented in part based on clinical guidelines.
Response. We appreciate these comments. We have finalized Sec.
170.315(b)(11)(iii) with accompanying modifications and clarifications.
As articulated in more detail in subsequent responses, we clarify that
evidence-based DSIs, for purposes of requirements in Sec.
170.315(b)(11), are limited to only those DSIs that are actively
presented to users in clinical workflow to enhance, inform, or
influence decision-making related to the care a patient receives and
that do not meet the definition for Predictive Decision Support
Intervention at Sec. 170.102. Actively presented stands in contrast to
decision support that initiates an action without a user's knowledge or
occurs outside a user's normal workflow. We believe this clarification
will help interested parties differentiate between evidence-based DSIs
and Predictive DSIs and delineate which requirements in Sec.
170.315(b)(11) pertain to these DSI types. We also note that some data
elements in Sec. 170.315(b)(11)(iii)(A) are not part of USCDI v1 and
are only in USCDI v3. For the time period before the expiration date of
USCDI v1, Health IT Modules are not required to support evidence-based
DSIs that are based solely on data elements included in USCDI v3.
However, beginning January 1, 2026, Health IT Modules must support DSIs
based on all--meaning each--USCDI v3 data element listed in Sec.
170.315(b)(11)(iii)(A).
Comments. Commenters not in support of the proposal expressed
concern that the definition of evidence-based DSI was too broad and
would encompass a large number of baseline functionality and
capabilities within an EHR including passive and active alerts, order
sets, care plans and protocols, simple rules and calculations,
references ranges, age and weight based dosing and reminders for
preventative care. Commenters sought more clarity related to how
evidence-based and Predictive DSIs were defined and should be
supported. Specifically, commenters noted concerns related to
consistently determining what types of functionalities qualify as an
evidence-based DSI, a Predictive DSI, or neither. Commenters also noted
that EHRs support a vast number of financial and reimbursement rules to
support medical necessity and reimbursement. The commenters recommended
that the definition of evidence-based DSI align with the current Sec.
170.315(a)(9) definition of clinical decision support and that the
Sec. 170.315(a)(9) certification criterion remain unchanged until
future rulemaking can more clearly define the criterion and specific
priority use cases beyond clinical.
Response. We thank commenters for their concerns and understand
there is substantial confusion regarding the scope of what constitutes
an evidence-based DSI as well as corresponding requirements for
evidence-based DSIs in Sec. 170.315(b)(11). In the HTI-1 Proposed Rule
we included background information indicating that the initial CDS
criterion, established in 2010, required that a Health IT Module could:
(1) implement rules, ``according to specialty or clinical priorities;''
(2) ``automatically and electronically generate and indicate in real-
time, alerts and care suggestions based upon clinical decision support
rules and evidence grade;'' and (3) track, record, and generate reports
on the number of alerts responded to by a user (75 FR 2046).'' (88 FR
23774). Since this time, the CDS criterion has remained agnostic to use
case, except for drug-drug and drug-allergy contraindication checking,
requiring Health IT Modules to enable the use of a variety of tools
based on a specified set of data, including problems, medications,
demographics, and laboratory data. While this framing has ensured that
users have access to a broad range of tools, for a wide array of
purposes, related to decision support through Health IT Modules
certified to the CDS criterion, we now believe some clarity is needed
to refine the scope of evidence-based DSIs for the purposes of
requirements in Sec. 170.315(b)(11).
We noted in the HTI-1 Proposed Rule that we were not establishing
requirements for specific interventions to be supported, only that
Health IT Modules certified to Sec. 170.315(b)(11) be capable of
supporting interventions based on specified data (as proposed in Sec.
170.315(b)(11)(ii)(B)(1)(i) through (viii) (88 FR 23783)). We also
noted in the HTI-1 Proposed Rule that the term ``intervention,'' \88\
is specific to ``an intervention occurring within a workstream,
including but not limited to alerts, order sets, flowsheets,
dashboards, patient lists, documentation forms, relevant data
presentations, protocol or pathway support, reference information or
guidance, and reminder messages,'' (88 FR 23786).
---------------------------------------------------------------------------
\88\ The ONC Program's use of the term ``intervention'' is
different from ``clinical intervention'' as defined under FDA
regulation that includes a range of regulated products, such as a
medication or medical device. We note that there may be a software-
as-a-medical device (SaMD) that is considered a ``clinical
intervention'' and subject to FDA authority.
---------------------------------------------------------------------------
Given the confusion conveyed through comments received from many
interested parties regarding the scope of what decision support is
considered evidence-based decision support, we clarify that for
purposes of requirements in Sec. 170.315(b)(11), evidence-based DSIs
are limited to only those DSIs that are actively presented to users in
clinical workflow to enhance, inform, or influence decision-making
related to the care a patient receives and that do not meet the
definition for Predictive DSI at Sec. 170.102.\89\ In the context of
Program
[[Page 1241]]
requirements, this means that if a developer of certified health IT
with a Health IT Module certified to Sec. 170.315(b)(11) enables a
user to select an evidence-based DSI that is actively presented in
clinical workflow to enhance, inform, or influence decision-making
related to the care a patient receives that evidence-based DSI would be
subject to the requirements that apply to evidence-based DSIs within
Sec. 170.315(b)(11). We note that if the DSI in question meets the
definition of Predictive DSI at Sec. 170.102, then requirements that
apply to those types of interventions within Sec. 170.315(b)(11) would
be applicable. Additionally, we clarify that ``actively presented,'' is
inclusive of, but not limited to, ``interruptive alerts,'' and we
clarify that ``related to the care a patient receives,'' would include
use cases related to direct patient care as well as use cases that
impact care a patient receives. For example, a decision support rule
that recommends a follow-up appointment within 12 weeks according to
United States Preventive Services Taskforce (USPSTF) recommendations
would be considered an evidence-based DSI for purposes of Program
requirements. These clarifications stand in contrast to back-end
systems rules that are not presented to users and are not related to
care an individual patient receives, such as those used for resource
management or back-end logic that may support an organization's
business rules but are not part of a user's workflow. Such rules and
tools would not be considered an evidence-based DSI for the purposes of
this certification criterion.
---------------------------------------------------------------------------
\89\ We note that this clarification is aligned with FDA's
Clinical Decision Support Software Guidance, specifically the
software functionalities described under Criterion 3, which refers
to condition-, disease-, or patient-specific recommendations to a
health care professional to enhance, inform, or influence a health
care decision. Note that we reference the FDA CDS Guidance only to
clarify the scope of which kinds of evidence-based DSIs are subject
to applicable requirements in Sec. 170.315(b)(11). See https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software.
---------------------------------------------------------------------------
Beyond this clarification, we have finalized Sec.
170.315(b)(11)(iii) by changing the title of the paragraph from
proposed ``Evidence-based decision support interventions,'' to
``Decision support intervention selection'' and included explicit
instruction for Health IT Modules to enable a limited set of identified
users to select (i.e., activate) decision support interventions (in
addition to drug-drug and drug-allergy contraindication checking) that
are evidence-based DSIs and Predictive DSIs. We have finalized the same
requirement for all DSI types recognized in the Program, be they
evidence-based DSIs or Predictive DSIs, because the technical
capability to enable a user to select (i.e., activate) is the same
regardless of the type of DSI being activated. As described in more
detail below, Program requirements to enable a user to select a DSI is
contingent only on the data elements in Sec. 170.315(b)(11)(iii)(A)
(for evidence-based DSIs) and Sec. 170.213 (for Predictive DSIs) and
supportive of various use cases.
As discussed in more detail in the section III.C.5.v. ``Predictive
Decision Support Interventions, Attestation for Predictive Decision
Support Interventions,'' we did not adopt the Predictive DSI
attestation statement proposed at Sec. 170.315(b)(11)(v) in this final
rule and we have narrowed the overall scope of technologies impacted by
finalized requirements in Sec. 170.315(b)(11). Given these changes,
certain adjustments to the certification criterion were necessary to
simplify, clarify, and align technical requirements that could be
shared between evidence-based DSIs and Predictive DSIs. We believe
these adjustments directly respond to commenter confusion and help
reduce the technical updates that developers will need to complete in
response to final requirements in Sec. 170.315(b)(11) as they will be
able to build on and extend existing capabilities to support Predictive
DSIs. This is particularly true with respect to the capability
expressed at final Sec. 170.315(b)(11)(iii). Further, the alignment of
evidence-based DSI and Predictive DSI capabilities will help provide
for a consistent experience for those users identified to select DSIs
pursuant to final Sec. 170.315(b)(11)(iii).
While we specifically discussed evidenced-based DSIs in the HTI-1
Proposed Rule (88 FR 23784) with respect to proposed Sec.
170.315(b)(11)(iii), we did not (aside from the paragraph title)
expressly limit the scope of the proposed regulation text to evidenced-
based DSIs--instead focusing on ``electronic decision support
interventions.'' Moreover, at 88 FR 23783, we noted that requirements
proposed at Sec. 170.315(b)(11)(ii) for DSI configuration ``would
pertain to both evidence-based DSIs and predictive DSIs that are
enabled by or interfaced with a certified health IT Module, including
any predictive DSIs that are developed by users of the certified Health
IT Model.'' We have addressed these ambiguities in finalized regulation
text at Sec. 170.315(b)(11)(iii) and appreciate the comments that
sought more clarity related to the shared uses expected for
certification for evidence-based and Predictive DSIs.
We note that the capability in Sec. 170.315(b)(11)(iii) is
consistent with the historic and current expectation for evidence-based
DSIs in Sec. 170.315(a)(9)(iii) and we reiterate that this capability
does not require a developer of certified health IT with a Health IT
Module certified to Sec. 170.315(b)(11) to author, develop, or
otherwise support a specific evidence-based DSI or Predictive DSI.
Comments. One commenter suggested that ONC reconsider including
Unique Device Identifier(s) for a Patient's Implanted Devices as a
required element, or alternatively recognize that any DSI around Unique
Device Identifier(s) is likely to only use certain elements of the
Unique Device Identifier, not the full Unique Device Identifier--
particularly the Device Identifier--and suggested that adoption as a
required element for support via evidence-based DSIs is unnecessary at
this stage.
Response. We appreciate the comment. We noted in the HTI-1 Proposed
Rule that we believed that data regarding a patient's procedures and
whether a patient has an implantable medical device, as indicated by a
unique device identifier (UDI), can play a significant role in
contemporary DSIs (88 FR 23783). As a result, we proposed to require
that Health IT Modules would support data from the Procedures data
class and the Unique Device Identifier(s) for a Patient's Implantable
Device(s) data class as an input to DSIs. The addition of UDI
complements medications and proposed procedures as an important focal
point for various decision support interventions, including those
related to MRIs, post-implant clinical care, among other care scenarios
(88 FR 23783). We note that under this requirement, a Health IT Module
would be required to enable an evidence-based DSI that included a UDI
as expressed in the standards in Sec. 170.213, and we clarify this
requirement is affirmed regardless of whether the full UDI is part of
the intervention or a component of the full UDI, such as the device
identifier or the production identifier. Both identifiers are required
to be supported as a part of USCDI v1 (Sec. 170.213(a)) and v3 (Sec.
170.213(b)).\90\
---------------------------------------------------------------------------
\90\ https://www.healthit.gov/isa/uscdi-data-class/unique-device-identifiers-a-patients-implantable-devices#uscdi-v1.
---------------------------------------------------------------------------
Comments. One commenter requested clarification on whether
algorithms that use patient medical/demographic information to provide
patient-specific screening, counseling, and preventive recommendations
by mapping to well-known and established authorities are considered
evidence-based DSI unless there is a ``predicted value.'' The commenter
questioned if scenarios where the algorithm is calculating a risk
[[Page 1242]]
value based on a pre-defined deterministic clinical guideline are
included.
Response. We appreciate the opportunity to clarify this point. We
note that to be considered a Predictive DSI, a function or technology
must meet all parts of the definition in Sec. 170.102. Namely, it must
support decision-making based on algorithms or models that derive
relationships from training data and then produce an output that
results in prediction, classification, recommendation, evaluation, or
analysis. Based on the information presented by this commenter, we do
not believe a risk score based on a deterministic clinical guideline
would be considered a Predictive DSI. Rather, this would be considered
an evidence-based DSI. However, we note that whether a technology meets
the definition of Predictive DSI is fact based, and this response
should not be understood as determinative.
Comments. One commenter noted that for non-predictive CDS certified
to existing ONC standards, the new transparency requirements related to
patient demographics, social determinants of health, and health status
assessments would be difficult to implement as such information is
often not available to the CDS developer and recommended that ONC not
require this for certified CDS but encourage it when such information
is available.
Response. We appreciate the comment and we note that our
requirements for evidence-based DSIs related to source attributes is
substantially unchanged from the existing requirements. We describe in
more detail our final policy for source attributes in the section ``vi.
Source Attributes.'' However, we will require that users can review
whether and which patient demographics, social determinants of health,
and health status assessments data are used as part of an evidence-
based DSI.
iv. Linked Referential CDS
At 88 FR 23784, we proposed to replicate what is currently in Sec.
170.315(a)(9)(iv) as Sec. 170.315(b)(11)(iv) with a modification to
reference the criterion in Sec. 170.315(b)(11) wherever the current
reference is to Sec. 170.315(a)(9). We welcomed comment regarding the
functionalities and standards listed in Sec. 170.315(a)(9)(iv), the
HL7 Context Aware Knowledge Retrieval Application (``Infobutton'')
standards, including whether linked referential CDS were commonly used
with, or without, the named standards in Sec. 170.315(a)(9)(iv)(A)(1)
and (2) and whether we should continue to require use of these
standards.
Comments. The majority of commenters were in support of removing
the linked referential CDS provisions from the scope of the criterion,
noting that it emphasizes the shift in focus to AI and machine
learning-based DSI technology and removes a requirement that has been
of little value for health care providers. In particular, commenters
were supportive of removing the HL7 Context Aware Knowledge Retrieval
Application (``Infobutton'') standards from the scope of the criterion,
noting that removal is appropriate because there is low utilization for
this standard, there is significant expansion of the proposed criterion
in the areas of evidence-based and Predictive DSI, it would help
streamline the certification process, and that customers perceive it as
lacking value to clinical workflow in favor of traditional evidence-
based CDS interventions. However, one commenter strongly supported
retention of the ``Infobutton'' standard for linked referential DSIs
but did not provide a rationale.
Response. We thank commenters for their recommendations. We agree
with commenters that ``infobuttons,'' while helpful and useful in some
contexts, no longer need to be mandated as part of the revised
criterion at Sec. 170.315(b)(11). We also note that the ``infobutton''
standard has not been updated for several years (since 2014). As part
of an effort to streamline and update the historic criterion at Sec.
170.315(a)(9), we have finalized Sec. 170.315(b)(11) without proposed
paragraph (b)(11)(iv) Linked referential DSI and associated
subparagraphs. We anticipate that ``infobuttons'' and other linked
referential DSIs will continue to be used where they provide value
without a requirement in the Program. We believe that removal of this
requirement as part of the revised certification criteria at Sec.
170.315(b)(11) will reduce overall burden and focus requirements on
evidence-based and Predictive DSIs.
Comments. One commenter was supportive of our proposal to include
``linked referential DSIs'' in the Program, noting that it has the
advantage of equipping health care providers with comprehensive and up-
to-date resources, thus empowering them to make well-informed decisions
by drawing upon a wealth of knowledge and clinical expertise,
ultimately improving patient outcomes.
Response. We appreciate the commenter's support for the
requirement. However, we have finalized Sec. 170.315(b)(11) without
requiring ``Linked referential DSIs.'' We reiterate that in
circumstances where linked referential DSIs and ``infobuttons'' are
providing value, nothing in this final rule would inhibit their use.
Furthermore, nothing in this final rule should be used to inhibit the
use of diagnostic and therapeutic reference information or any
associated bibliographic information that is part of the linked
referential DSI.
v. Predictive Decision Support Interventions
We proposed at 88 FR 23784 to reference a new intervention type,
``predictive decision support intervention,'' in Sec.
170.315(b)(11)(v), and we proposed a corresponding definition in Sec.
170.102. We also proposed in Sec. 170.315(b)(11)(v)(A) that developers
of certified health IT with Health IT Modules certified to Sec.
170.315(b)(11) attest ``yes'' or ``no'' as to whether their Health IT
Module enables or interfaces with one or more Predictive DSIs based on
any of the data expressed in the standards in Sec. 170.213, including
USCDI v3, which we also proposed at 88 FR 23746.
Definition of Predictive Decision Support Intervention
We proposed at 88 FR 23784-23785 a definition of ``predictive
decision support intervention,'' (again hereafter referenced as
Predictive DSI) in Sec. 170.102 to mean ``technology intended to
support decision-making based on algorithms or models that derive
relationships from training or example data and then are used to
produce an output or outputs related to, but not limited to,
prediction, classification, recommendation, evaluation, or analysis.''
We explained that such Predictive DSIs are based on the use of
predictive model(s), and that ``model'' refers to a quantitative
method, system, or approach that applies statistical, economic,
bioinformatic, mathematical, or other techniques (e.g., algorithm or
equations) to process input data into quantitative estimates. We also
discussed our use of the phrase ``intended to support decision-making''
to be interpreted broadly and to encompass technologies that require
users' interpretation and action to implement as well as those that
initiate patient management without user action and require action to
contest. We also noted that our use of Predictive DSI was not tied to
who developed it, the level of risk or degree to which the Predictive
DSI informs or drives treatment, is relied upon by the user, relates to
time sensitive action, or whether the Predictive DSI is augmentative or
[[Page 1243]]
autonomous.\91\ We differentiated Predictive DSIs as those that support
decision-making by learning or deriving relationships to produce an
output, rather than those that rely on pre-defined rules based on
expert consensus, such as computable clinical guidelines, to support
decision-making.
---------------------------------------------------------------------------
\91\ See generally IMDRF [verbar] Software as a Medical Device:
Possible Framework for Risk Categorization and Corresponding
Considerations: https://www.imdrf.org/documents/software-medical-device-possible-framework-risk-categorization-and-corresponding-considerations.
See AMA [verbar] CPT[supreg] Appendix S: Artificial Intelligence
Taxonomy for Medical Services and Procedures: https://www.ama-assn.org/system/files/cpt-appendix-s.pdf for definitions of
``augmentative'' and ``autonomous''; ANSI/CTA Standard, The Use of
Artificial Intelligence in Health Care: Trustworthiness ANSI/CTA-
2090: https://shop.cta.tech/collections/standards/products/the-use-of-artificial-intelligence-in-healthcare-trustworthiness-cta-2090?_ga=2.195226476.1947214965.1652722036-709349392.1645133306.
---------------------------------------------------------------------------
We noted in the HTI-1 Proposed Rule that our definition of
Predictive DSI was intended to cover a wide variety of techniques from
algebraic equations to machine learning and natural language processing
(NLP) (88 FR 23785). We mentioned the Acute Physiology and Chronic
Health Evaluation IV (APACHE IV) model, which predicts in-hospital
mortality for patients in intensive care units and was initially
trained and validated with data from 45 hospitals, including over
100,000 individuals in 2006 (88 FR 23785). We also mentioned that
models designed to estimate risk of a first Atherosclerotic
Cardiovascular Disease, trained and validated on pooled cohorts of
large studies as examples of common and in-scope models for our
definition of Predictive DSI. We also noted that more complex models,
for instance ones developed by combining multiple algorithms or deep
neural networks trained and validated on over ten thousand individuals,
that can be applied to patients in operational contexts would meet the
proposed definition. So too would our definition include models that
were adaptive, online or unlocked, which continue to adapt when exposed
to new data, as well as those that are locked to the relationships
learned in training data.
As proposed in Sec. 170.102, the definition of Predictive DSI
would not include simulation models that use modeler-provided
parameters rather than training data or unsupervised machine learning
techniques that do not predict an unknown value (i.e., are not labeled)
(88 FR 23786). For instance, the use of an unsupervised learning model
within decision support would not meet our definition of Predictive
DSI, nor would the use of developer-supplied parameters to simulate
operating-room usage and develop an effective scheduling strategy. We
refer readers to 88 FR 23784-23786 for the discussion on the definition
of Predictive DSI.
Comments. Commenters were mixed in their support for the proposed
definition of Predictive DSI, with those in support noting that it
provides broad flexibility, comprehensively encompasses AI, and
accurately highlights its distinction from any other potential sources
of decision support interventions that do not involve modeling. Some
commenters expressed support particularly for including complex
predictive models leveraging machine learning in the proposed
definition, noting that this recognition serves as a necessary step to
combat bias and promote equity amid the growing number and increased
use of AI tools.
While many commenters broadly supported the intent and goals of the
proposed definition for Predictive DSI, other commenters expressed
concern that the proposed definition was too broad and should be
narrowed in several ways to provide clarity on the scope of
technologies covered to prevent burden on health IT developers and
health care providers. Other commenters noted that a broad definition
of Predictive DSI creates confusion for what technology must be scoped
for certification. Notably, many commenters suggested revising the
definition to clarify that Predictive DSI means technology intended to
support clinical or medical decision-making to ensure organizational
and administrative decision making are excluded from the definition to
limit the documentation requirements to demonstrate compliance and
limit the number of citations in the system to alleviate user burden.
For instance, one commenter suggested that ONC add the term
``clinical'' so that Predictive DSI means ``Predictive decision support
intervention means technology intended to support clinical decision-
making based on algorithms or models that derive relationships from
training or example data and then are used to produce an output or
outputs related to, but not limited to, prediction, classification,
recommendation, evaluation, or analysis.'' Commenters recommended that
the definition be limited to high risk DSIs, and that it should exclude
certain health care providers, such as those that develop their own DSI
and do not make it commercially available. Commenters also requested
that we reconsider the proposals to apply a more limited scope that
centers on functionality that necessitates the granular transparency of
source attributes and feedback capabilities for end-users that ONC
proposed.
Response. We appreciate the support from those commenters that said
our definition comprehensively encompasses AI, and accurately
highlighted the definition's distinction from any other potential
sources of decision support interventions that do not involve modeling.
We sought to establish a definition that was both broad and
appropriate. Consistent with our rationale to move from CDS to DSI in
Program nomenclature, we sought to establish a definition that
encompassed the broad forms that algorithm and model-based decision
support interventions can take and for which transparency regarding the
performance of that model would benefit users, and would help users
determine whether the technology they are using is fair, appropriate,
valid, effective, and safe. We also sought to establish a definition
that did not include a range of simple alerts and functions that would
not benefit from the sorts of transparency our requirements would
portend. However, we note there are many recent examples
92 93 94 where the task of delineating between those
predictive algorithms and models can have unintended consequences.
---------------------------------------------------------------------------
\92\ Samorani M., Harris S.L., Blount L.G., et al (2021)
Overbooked and Overlooked: Machine Learning and Racial Bias in
Medical Appointment Scheduling. Manufacturing & Service Operations
Management 24(6):2825-2842. https://doi.org/10.1287/msom.2021.0999.
\93\ Vyas D.A., Eisenstein L.G., Jones D.S. Hidden in Plain
Sight--Reconsidering the Use of Race Correction in Clinical
Algorithms. Aug. 2020. N Engl J Med 2020; 383:874-882. DOI: 10.1056/
NEJMms2004740.
\94\ Ziad Obermeyer et al., Dissecting racial bias in an
algorithm used to manage the health of populations. Science 366,
447-453 (2019). DOI:10. 1126/science.aax2342.
---------------------------------------------------------------------------
We thank commenters for their critiques of our definition. Many
commenters said that our definition was too broad, and a small minority
of these commenters offered specific suggestions on how to reduce the
scope of our definition. We thank those commenters, especially. We
understand that many algorithms not directly supporting medical
decision making can nevertheless impact the delivery of healthcare
(e.g., algorithms supporting scheduling or the provision of supplies),
and so have not sought to limit the definition to models specifically
informing medical decision making. Overall, we found that many other
commenters did not consider our definition for Predictive DSI as a
whole; rather, these commenters chose to isolate certain phrases or
aspects of the
[[Page 1244]]
definition to question its scope and its applicability to specific use
cases. As stated, our intention with the definition of Predictive DSI
is to be expansive beyond the traditional role of CDS, yet appropriate
to the dynamic technology environment that Predictive DSIs may be
applied. Toward these two intentions, we noted in the HTI-1 Proposed
Rule that we differentiate Predictive DSIs as those that support
decision-making by learning or deriving relationships to produce an
output, rather than those that rely on pre-defined rules to support
decision-making (88 FR 23785). Taken alongside the rest of the
definition, this distinction is intended to preclude the vast number of
alerts or reminders that are either based on consensus clinical
guidelines or bespoke business processes and organizational policies
that may or may not be based on any guideline.
We also noted in the HTI-1 Proposed Rule that our definition is not
tied to the level of risk (88 FR 23785) and our certification criterion
for CDS was established to ensure that Health IT Modules support broad
categories of CDS while being agnostic toward the intended use of the
CDS beyond drug-drug and drug-allergy interaction checks (88 FR 23774).
We did not propose to alter that construct in our proposals. However,
we are sensitive to defining Predictive DSIs in a way that makes clear
which technologies are in scope for Sec. 170.315(b)(11).
We also decline to limit the definition to a specific source or
developer of the intervention, although additional facets of the final
policy define the applicable scope of Sec. 170.315(b)(11).
We have finalized our proposed definition for Predictive DSI with
modification. Specifically, we have finalized the definition in Sec.
170.102 as follows: ``Predictive decision support intervention or
Predictive DSI means technology that supports decision-making based on
algorithms or models that derive relationships from training data and
then produce an output that results in prediction, classification,
recommendation, evaluation, or analysis.'' We note that this version of
the definition is not markedly different from the definition we
proposed, but we intend it to be more exacting. Thus, the examples and
discussion regarding scope in the HTI-1 Proposed Rule remain relevant
to this definition (88 FR 23784-23786). To help interested parties
better understand the scope of technologies included in this definition
we reiterate the following: The development process whereby models
under this definition ``learn'' relationships in training data and then
are used to generate an unknown label or value (via prediction,
classification, recommendation, evaluation, or analysis) that is based
on the ``learned'' relationships is a fundamental differentiator from
evidence-based DSIs. While we appreciate commenters' request to limit
or constrain the scope of the Predictive DSI definition based on its
intended purpose or use (e.g., clinical and medical versus
administrative), level of risk (e.g., high versus low), and entity or
party that developed the technology (e.g., health care provider that
self-develops versus technology company that sells Predictive DSIs), we
do not believe such an approach would be appropriate. We believe that
the transparency requirements within this criterion are appropriate to
all Predictive DSIs used within the context of certified health IT,
given the potential of these Predictive DSIs to impact the delivery of
healthcare at vast scale. We believe that constraining the definition
of Predictive DSI by intended purposes, level of risk, or developing
entity would create multiple layers of complexity and lead to different
requirements for technology that may have qualities that pertain to one
or more of these dimensions or exist along a spectrum of these
concepts. We believe that a broad and consistently applied definition
will improve the likelihood of achieving our stated goals for
transparency and trustworthiness.
We note that the definition of Predictive DSI is aligned with and
within the scope of the definition of Artificial Intelligence at 15
U.S.C. 9401(3), as used in E.O. 14110, Safe, Secure, and Trustworthy
Development and Use of Artificial Intelligence (88 FR 75191).
Predictive DSIs perceive environments through the use of training data;
abstract perceptions into models as they learn relationships in that
data; and produce an output, often for an individual, through inference
based on those learned relationships. We further note that evidence-
based DSI likely represents another form of Artificial Intelligence,
though that form is fundamentally based on rules-based models.
We also clarify that the exclusion of unsupervised learning models
discussed at 88 FR 23786 was intended to focus on models trained in
data without labels. This exclusion reflected our understanding that it
is not feasible to produce descriptions for many of the source
attributes we are requiring for Predictive DSI. For example,
unsupervised models are generally based on data without labels, which
often generate measures of similarity or closeness of observations
rather than a predicted value. In these instances, assessing the
accuracy, validity and fairness of a prediction would be difficult, if
not impossible, because the outcome is not specified. The exclusion of
unsupervised learning models is embedded in the definition because the
definition focuses on ``relationships in training data,'' which
generally refers to the relationship between some set of data
(sometimes referred to as inputs, features, or predictors) and an
outcome or label (such as a diagnosis or the next word in a string). In
contrast, unsupervised learning models rely more generally on patterns
in data. We further clarified this exclusion in the HTI-1 Proposed Rule
at 88 FR 23786 and maintain the exclusion in the final definition.
These unsupervised models contrast with LLMs and other forms of
generative AI, which often leverage self-supervised learning wherein
the data itself provides a label (e.g., the next word in a string of
text) and the model returns a predicted value of that label as output,
in which case the accuracy, validity and fairness of a prediction can
readily be assessed (although additional use-case specific evaluation
may also be beneficial). Self-supervised learning models would
therefore generally be included within the definition of Predictive
DSI. We also note that LLMs and other forms of generative AI often use
a combination of unsupervised, self-supervised, supervised and
reinforcement learning, and those that include a component of
supervised learning, including semi-supervised approaches, would likely
meet the definition of Predictive DSI.
Finally, we understood that models that solely rely on unsupervised
learning techniques are not widely deployed in healthcare today.\95\ We
will continue to monitor development of methodologies and applications
of unsupervised learning to health-related use cases and may consider
future rulemaking for these models as the field develops.
---------------------------------------------------------------------------
\95\ Michael Matheny, et al., Artificial intelligence in health
care: the hope, the hype, the promise, the peril, Washington, DC:
National Academy of Medicine (2019).
Artificial Intelligence in Health Care: Benefits and Challenges
of Technologies to Augment Patient Care, (Nov. 2020), https://www.gao.gov/products/gao-21-7sp. Deo, Rahul C. ``Machine learning in
medicine.'' Circulation 132.20 (2015): 1920-1930.
American Hospital Association. ``Surveying the AI Health Care
Landscape'' 2019. https://www.aha.org/system/files/media/file/2019/10/Market_Insights_AI-Landscape.pdf.
---------------------------------------------------------------------------
Comments. Several commenters expressed concern about consistency,
duplication, and redundant requirements across various federal
[[Page 1245]]
programs. Commenters recommended that ONC tailor the scope of the
proposed term Predictive DSI, and the proposed definition at Sec.
170.102, to exclude FDA-authorized AI and machine learning medical
devices to mitigate their concerns mentioned above. Specifically, one
commenter recommended tailoring the Predictive DSI requirements to
explicitly exclude tools that are regulated medical devices, to exclude
third-party tools that qualify as non-device per the statutory
exemption for CDS software, and, to apply only to technology developed
by vendors of certified Health IT Modules to avoid unnecessary burdens
on regulated device manufacturers. Commenters noted that our proposal
for Predictive DSI could implicate CDS software that falls within FDA
regulated medical devices which may have already been cleared,
approved, or otherwise authorized for marketing within the United
States.
Response. We appreciate the concerns expressed by these commenters,
which is why we worked closely with the FDA on development of our
proposals in Sec. 170.315(b)(11). This collaboration included
consultation with the FDA on the inclusion or exclusion of devices
within FDA's authority in the definition of Predictive DSI.
Specifically, we sought alignment with the FDA's recent Clinical
Decision Support Guidance for Industry (CDS Guidance), finalized in
September 2022,\96\ and we note that our requirements in Sec.
170.315(b)(11) are complementary to FDA's Content of Premarket
Submissions for Device Software Functions guidance, finalized in June
2023.\97\ This high degree of coordination will reduce burden on device
manufacturers by establishing the potential that a device manufacturer
that also develops a Predictive DSI can fulfill two separate federal
agency's requirements with substantially similar or the same
information.
---------------------------------------------------------------------------
\96\ See https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software.
\97\ See https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-submissions-device-software-functions.
---------------------------------------------------------------------------
We noted in the HTI-1 Proposed Rule that our authority to regulate
developers of certified health IT under the Program is separate and
distinct from other federal agencies' regulatory authorities focused on
the same or similar entities and technology (88 FR 23811).\98\ For
example, the safety and effectiveness of a software function, including
clinical decision support or other kinds of decision support
interventions, is within the purview of FDA regulatory oversight, if
such software functionality meets the definition of a ``device.'' \99\
In the area of predictive technology, ONC and FDA support a harmonized
and complementary approach, independent of the platform on which the
technology operates, in accordance with our existing intersecting
regulatory oversight. We also noted in the HTI-1 Proposed Rule that
questions of whether DSIs enabled by or interfaced with certified
health IT are subject to FDA regulations, under the Federal Food, Drug,
& Cosmetic Act, or are used by entities subject to the HIPAA Rules, are
separate and distinct from the question of whether a developer or a
particular technology is subject to regulatory oversight by our
Program, to which our proposals pertain (88 FR 23811).
---------------------------------------------------------------------------
\98\ See U.S. Dept of Health & Human Servs., Office for Civil
Rights, Notice of Proposed Rulemaking, Nondiscrimination in Health
Programs and Activities, 87 FR 47824, 47880 (Aug. 4, 2022), https://www.federalregister.gov/documents/2022/08/04/2022-16217/nondiscrimination-in-health-programs-and-activities (prohibiting
discrimination on the basis of race, color, national origin
(including limited English proficiency), sex (including sexual
orientation and gender identity), age, or disability in certain
health programs or activities through the use of clinical algorithms
in their decision-making).
\99\ A device, as defined in section 201(h) of the FD&C Act, can
include an instrument, apparatus, implement, machine, contrivance,
implant, in vitro reagent, or other similar or related article,
including a component part, or accessory which is, among other
criteria, intended for use in the diagnosis of disease or other
conditions, or in the cure, mitigation, treatment, or prevention of
disease in man. The term ``device'' does not include software
functions excluded pursuant to section 520(o) of the FD&C Act. For
more information about determining whether a software function is
potentially the focus of the FDA's oversight, please visit the FDA's
Digital Health Policy Navigator Tool: https://www.fda.gov/medical-devices/digital-health-center-excellence/digital-health-policy-navigator.
---------------------------------------------------------------------------
We also anticipate that in a scenario where a Device CDS (this is a
CDS with software functions) has been cleared, approved, or otherwise
authorized for marketing by the FDA, this device's manufacturer will
have ready access to much of the information necessary for it to comply
with requirements in Sec. 170.315(b)(11) as a developer of certified
health IT.
We appreciate the suggestions to exclude from our definition for
Predictive DSI software that are regulated medical devices and to
exclude third-party software that qualify as non-device software
functions per the statutory exemption for CDS software. However, we
decline to include any exclusionary criteria in our definition for
Predictive DSI, such as exclusions for specific types of functions or
specific types of Predictive DSI developers because the finalized
definition is appropriate to reflect the wide variety of predictive
tools that impact and intersect with the delivery of healthcare. Also,
whether or not a given technology or tool is a Predictive DSI should be
consistent regardless of the developer of the tool. We also note--as
stated above and previously in the HTI-1 Proposed Rule--that the FDA
and ONC have separate and distinct authorities and regulate for
separate and distinct purposes with separate and distinct policy
objectives (88 FR 23811). Moreover, we stress the benefits that such
alignment and coordination brings to users. Because of our requirements
for source attributes in Sec. 170.315(b)(11), users of both CDS with
device software functions and Non-Device CDS will have easy access to
important information at the point-of-care.
Comments. Several commenters requested we clarify the proposed
definition of Predictive DSI by providing examples of use cases to show
the application of the policy. One commenter recommended that ONC
include a clear standard or definition as to which entities the HTI-1
Proposed Rule applied to, and which applications and tools are in scope
for Predictive DSIs.
Response. We understand commenters' desire to have ONC assess
whether specific algorithms, models, and technologies would meet the
definition for Predictive DSI. in Sec. 170.102. Rather than make
specific assessments to these commenters' questions, we provide the
following examples of technologies that would likely meet our
definition for Predictive DSI and examples of technologies that would
likely not meet our definition for Predictive DSI:
1. Models that predict whether a given image contains a malignant
tumor or that predict patient reported pain based on an image, trained
based on relationships observed in large data sets often using neural
networks, would likely be considered Predictive DSIs.\100\
---------------------------------------------------------------------------
\100\ Pierson, Emma, et al. ``An algorithmic approach to
reducing unexplained pain disparities in underserved populations.''
Nature Medicine 27.1 (2021): 136-140. Hosny, Ahmed, et al.
``Artificial intelligence in radiology.'' Nature Reviews Cancer 18.8
(2018): 500-510.
---------------------------------------------------------------------------
2. Models that pre-selected or highlighted a default order from an
order set based on relationships in training data indicating that order
was most likely to be selected would likely be considered Predictive
DSIs.
3. Models that predict risk of sepsis, readmission (e.g., LACE+),
estimated glomerular filtration rate (eGFR), or risk of suicide
attempt, which have been trained based on relationships observed in
large data sets, often using logistic
[[Page 1246]]
regression and machine learning techniques, and are used to support
decision making, would likely be considered Predictive DSIs.\101\
---------------------------------------------------------------------------
\101\ van Walraven, Carl, Jenna Wong, and Alan J. Forster.
``LACE+ index: extension of a validated index to predict early death
or urgent readmission after hospital discharge using administrative
data.'' Open Medicine 6.3 (2012): e80.
Levey, Andrew S., et al. ``A more accurate method to estimate
glomerular filtration rate from serum creatinine: a new prediction
equation.'' Annals of internal medicine 130.6 (1999): 461-470.
Walsh, Colin G., Jessica D. Ribeiro, and Joseph C. Franklin.
``Predicting risk of suicide attempts over time through machine
learning.'' Clinical Psychological Science 5.3 (2017): 457-469.
Fleuren, Lucas M., et al. ``Machine learning for the prediction
of sepsis: a systematic review and meta-analysis of diagnostic test
accuracy.'' Intensive care medicine 46 (2020): 383-400.
---------------------------------------------------------------------------
4. Indices and classification systems developed by expert consensus
rather than in empirical data, such as the SOFA index and NYHA Heart
Failure classification, would likely not be considered Predictive DSIs
but are likely evidence-based DSI because the score is based on pre-
defined rules and not relationships learned in training data.\102\
---------------------------------------------------------------------------
\102\ Vincent, J -L., et al. ``The SOFA (Sepsis-related Organ
Failure Assessment) score to describe organ dysfunction/failure: On
behalf of the Working Group on Sepsis-Related Problems of the
European Society of Intensive Care Medicine (see contributors to the
project in the appendix).'' (1996): 707-710.
---------------------------------------------------------------------------
5. Models that generate clinical notes or draft clinical notes and
that were trained based on relationships in large data sets of free
text, including large language models, and support decision making
about what to document in the clinical note, would likely be considered
Predictive DSIs.
6. Models that use natural language processing to route secure
messages, which were trained based on the relationship between message
contents and the individual who responded to similar messages in the
past would likely be considered Predictive DSIs.
7. Rules-based algorithms for routing secure messages based on the
type of message, rather than relationships in training data, would
likely not be considered Predictive DSIs.
8. Growth charts, for instance percentile calculations based on a
lambda-mu-sigma transformation of similar age children's weights, with
parameters learned in training data from a national sample of children,
would likely not be considered Predictive DSIs because the underlying
model is based on the distribution of a single variable (e.g., weight)
rather than a prediction based on relationships between variables.
9. A calculation for BMI would likely not be considered a
Predictive DSI because the calculation (weight divided by height
squared) is not based on relationships in training data.
10. Patient matching algorithms based on indices of similarities,
rather than by relationships in training data where an outcome is
known, would likely not be Predictive DSIs. Many of these technologies
are most similar to unsupervised machine learning, which we described
previously in this section and in the HTI-1 Proposed Rule at 88 FR
23786 as out of scope of the current definition of Predictive DSI.
11. Optical character recognition, used simply to make a PDF
readable or searchable to end users, would likely not be considered
Predictive DSI because it does not support decision-making.
Comments. Commenters were generally mixed on our mention of LLMs
and other generative AI as in scope for the proposed definition of
Predictive DSI in the HTI-1 Proposed Rule. Some commenters in support
agreed with our assessment that the use of predictive models, such as
AI, invariably present model risk that can lead to patient harm, bias,
widening health disparities, discrimination, inefficient resource
allocation decisions, or ill-informed clinical decision-making.
Commenters stated LLMs and generative AI tools could pose risks if they
are not deployed appropriately and monitored carefully and viewed our
proposals as a necessary step to combat bias and promote equity amid
the growing number and increased use of AI tools.
Other commenters expressed concern that LLMs, such as ChatGPT,
would be covered in the proposed Predictive DSI definition, noting the
definition could sweep in developers of general-purpose AI applications
that enable or interface with Health IT Modules. One commenter noted
that these models are fundamentally different than other Predictive DSI
models, thus including these models in the same category as Predictive
DSIs would be an inaccurate classification. Commenters were concerned
that including LLMs could potentially limit their effective application
in non-clinical aspects of healthcare software intended to help users
save time and organizations save money and urged ONC to revise the
definition so that developers of general-purpose AI applications are
not obligated by the proposed requirements and instead that
applications be evaluated within the context of a specific use case.
Response. In the HTI-1 Proposed Rule, we were explicit in
describing the scope of our Predictive DSI definition to include large
language models, or LLMs, and other forms of generative AI that meet
the definition of Predictive DSI. We do not believe that LLMs should be
excluded from our definition for Predictive DSI if the LLMs are used to
support decision-making, nor do we believe that LLMs are complete
``black-boxes'' about which no information can be made available to
users that would be valuable. We agree with commenters that LLMs could
pose a risk if they are not deployed appropriately. We believe that the
source attribute- and risk management-related requirements in this rule
could help to decrease the likelihood that a model is inappropriately
deployed in a Health IT Module in a way that exacerbates bias or poses
other risks. We note that we have finalized a fundamentally limited the
scope in Sec. 170.315(b)(11) to focus on transparency capabilities and
instances where Predictive DSIs (such as LLMs or other generative AI)
are supplied by a developer of certified health IT--and not generally
on LLMs or generative AI that may be used in the healthcare ecosystem.
If, as part of its Health IT Module, a health IT developer supplies an
LLM or other generative AI that meets the definition of Predictive DSI,
the finalized policy in Sec. 170.315(b)(11) requires the health IT
developer's Health IT Module certified to Sec. 170.315(b)(11) to
enable access to complete and up-to-date plain language descriptions of
source attribute information related to that Predictive DSI. Our
finalized policy also requires Health IT Modules certified to Sec.
170.315(b)(11) to, at a minimum, have the technical capability for
users and other parties to populate the source attributes listed in
Sec. 170.315(b)(11)(iv) themselves. We agree with commenters that LLMs
should be evaluated within the context of specific use cases and
believe that the scope of this final rule will not limit the effective
application of LLMs.
Regarding commenters' concerns about LLMs being fundamentally
different and requiring different kinds of source attributes that are
more fit for transparency purposes, we note that our requirements for
source attributes represent a minimum ``floor,'' and developers of
certified health IT are encouraged to provide additional source
attributes to users as appropriate. We also describe in more detail in
subsequent responses that we have finalized a requirement for Health IT
Modules to enable a limited set of identified users to record, change,
and access additional source attribute information not specified in
Sec. 170.315(b)(11)(iv)(B) of this final rule. This will enable users
to identify source
[[Page 1247]]
attributes and record, change, and access those source attributes based
on local validation and enable users to access emerging transparency
measures specific to emerging Predictive DSI types, such as those based
on LLMs.
Comments. One commenter expressed concern with the proposed
definition including the term ``derive relationships from training or
example data,'' stating that it is overly broad and unclear as to what
would be considered in scope, such as whether general system
improvements learned from user behavior would fall into this
definition. The commenter also expressed concern with our preamble
description that ``Predictive models are those that have `learned'
relationships from a training or historic data source, generally using
some form of statistical or machine learning approach'' stating that it
is unclear whether commonly used predictions (e.g., LACE+ for
readmission or a SOFA score) \103\ are included in the definition of
Predictive DSI. The commenter requested that the definition should be
clarified to focus only on models that are generated from machine
learning techniques and for the types of clinical predictions that are
not commonly used in medical practice and clarified to focus on a
prediction of an unknown or future clinical event.
---------------------------------------------------------------------------
\103\ Vincent, J.L., et al. ``The SOFA (Sepsis-related Organ
Failure Assessment) score to describe organ dysfunction/failure: On
behalf of the Working Group on Sepsis-Related Problems of the
European Society of Intensive Care Medicine (see contributors to the
project in the appendix).'' (1996): 707-710.
van Walraven, Carl, Jenna Wong, and Alan J. Forster. ``LACE+
index: extension of a validated index to predict early death or
urgent readmission after hospital discharge using administrative
data.'' Open Medicine 6.3 (2012): e80.
---------------------------------------------------------------------------
Response. We appreciate the comment and the questions. We note that
``derive relationships from training data'' is only a part of the
overall definition we have finalized. If a technology is used to make
``general system improvements'' based on training data that consists of
``user behavior,'' it may meet the definition of a Predictive DSI in
Sec. 170.102 if it derived relationships (for instance, correlations)
from that training data and then produced an output that results in
prediction, classification, recommendation, evaluation, or analysis
used to support decision-making. ``General system improvements'' based
on other analysis, such as tracking the time required to perform a
task, would likely not meet the definition because that technology does
not ``derive relationships.'' If ``general system improvements learned
from user behavior,'' were the outputs of the technology or the effect
of the technology, but that output was not used to support decision-
making or was not a prediction, classification, recommendation,
evaluation or analysis, then this technology likely would not meet our
finalized definition.
We noted above in examples that the LACE+ model for readmission
would likely meet the definition of Predictive DSI at Sec. 170.102 and
because the SOFA score was defined by expert consensus, rather than
training data, this would not likely meet the definition of Predictive
DSI at Sec. 170.102. We note that in our finalized definition, we have
removed ``or example'' and now only refer to ``training data,'' for
clarity and because we do not believe there is an appreciable or
impactful difference between training and example data. We respectfully
decline to include any exclusionary criteria in our definition for
Predictive DSI, including exclusions for specific types of functions or
specific types of Predictive DSI developers.
Comments. Several commenters recommended that we revise the
definition to take a tiered approach to DSI requirements based on the
type and level of meaningful risk to patients associated with the AI
systems, suggesting that we should focus on ``high-risk'' DSIs,
remarking that it would help alleviate public confusion and suggesting
that this approach would better meet the intent of addressing the risks
associated with DSI. One commenter recommended that Predictive DSI
should not apply to consumer-facing devices and low risk tools, noting
that the public interest would not be served by imposing regulatory
compliance obligations on low-risk Predictive DSI use cases--even when
applied in a clinical context. For example, Predictive DSI tools used
for non-clinical purposes (e.g., EHR integrations for administrative
notes and billing) do not present the sorts of risks that the HTI-1
Proposed Rule is intended to address. Along with clarifying that low-
risk Predictive DSI tools are exempt, the commenter suggested that ONC
should also issue guidance clarifying the types of proposed uses that
are considered ``low-risk.''
Response. We noted in the HTI-1 Proposed Rule that our definition
is not tied to the level of risk (88 FR 23785), and we decline to focus
on ``high-risk'' DSIs. Doing so would diverge from established
approaches within the CDS criterion. The certification criterion for
CDS was established to ensure that Health IT Modules certified to the
criterion support broad categories of CDS, including by making
information about the CDS available for user review, while being
agnostic toward the intended use of the CDS beyond drug-drug and drug-
allergy interaction checks (88 FR 23774). We did not propose to alter
that construct in our proposals, and we respectfully decline to do so
in this final rule. We do not agree with commenters that a focus on
``high-risk'' DSIs would alleviate public confusion because defining
and determining levels of risk for Predictive DSIs that, in some cases
indirectly, impact the healthcare of millions of individuals is complex
and requires consideration of numerous factors. Instead, the
information required for Predictive DSI will be beneficial for all
Predictive DSI supplied by developers of certified health IT.
We also decline to include any exclusionary criteria in our
definition for Predictive DSI, including exclusions for specific types
of functions, such as consumer-facing tools or other ``low risk''
tools, or for specific types of Predictive DSI developers. We note that
non-clinical Predictive DSIs and clinical Predictive DSIs that may be
categorized as of relatively low risk have consequences for and impact
the care individuals receive, and as we have noted elsewhere,
demonstrably negative impacts beyond clinical safety have been well-
documented in various studies and academic literature in recent
years.\104\ Together, we believe these factors warrant a broad and
inclusive definition for Predictive DSI.
---------------------------------------------------------------------------
\104\ Samorani M., Harris S.L., Blount L.G., et al (2021)
Overbooked and Overlooked: Machine Learning and Racial Bias in
Medical Appointment Scheduling. Manufacturing & Service Operations
Management 24(6):2825-2842. https://doi.org/10.1287/msom.2021.0999.
Vyas D.A., Eisenstein L.G., Jones D.S. Hidden in Plain Sight--
Reconsidering the Use of Race Correction in Clinical Algorithms.
Aug. 2020. N Engl J Med 2020; 383:874-882. DOI: 10.1056/
NEJMms2004740.
Ziad Obermeyer et al.,Dissecting racial bias in an algorithm
used to manage the health of populations. Science 366, 447-453
(2019). DOI: 10.1126/science.aax2342.
Delgado, Cynthia, et al. ``A unifying approach for GFR
estimation: recommendations of the NKF-ASN task force on reassessing
the inclusion of race in diagnosing kidney disease.'' Journal of the
American Society of Nephrology 32.12 (2021): 2994-3015.
---------------------------------------------------------------------------
Comments. Some commenters were concerned that due to the breadth of
the definition, non-certified health IT would be included in the
definition and believed the HTI-1 Proposed Rule should be limited to
software that an EHR vendor submits for certification under the
Program, noting that ONC's authority under the Program is limited to
oversight of certified Health IT Modules and developers of certified
health IT.
[[Page 1248]]
Response. We acknowledge that the definition of Predictive DSI
itself may have broad applicability. As part of 45 CFR part 170, any
application of the definition (and the related requirements in Sec.
170.315(b)(11)) is limited to certified Health IT Modules and
developers who develop them. We note that our definition does not
depend on or reference the certification status of the entity that
developed the technology that may or may not be considered a Predictive
DSI. We established the definition to be agnostic to both use case and
party that develops a Predictive DSI, and we and have not chosen to
finalize a definition with any such caveats. As described elsewhere in
the rule, and to address these and related commenters' concerns, we
have focused the scope of Predictive DSIs to which our regulatory
requirements apply to those supplied by the developer of certified
health IT as part of its Health IT Module. We noted in the HTI-1
Proposed Rule that our authority to regulate developers of certified
health IT and their Health IT Modules, ensuring that both conform to
technical standards, certification criteria, implementation
specifications, and adherence to Conditions and Maintenance of
Certification requirements, is separate and distinct from other federal
agencies' authorities to regulate for separate and distinct purposes
with separate and distinct policy objectives that may be focused on the
same or similar entities and technology (88 FR 23809-23810), that may
pertain to the use of Predictive DSIs and technology, including AI and
machine learning, in health and human services.\105\ Outside of the
Department of Health and Human Services, multiple federal agencies,
within their unique authorities, are exploring policies pertaining AI
and machine learning (88 FR 23810).\106\
---------------------------------------------------------------------------
\105\ See, e.g., See U.S. Dept of Health & Human Servs., Office
for Civil Rights, Notice of Proposed Rulemaking, Nondiscrimination
in Health Programs and Activities, 87 FR 47824, 47880 (Aug. 4,
2022), https://www.federalregister.gov/documents/2022/08/04/2022-16217/nondiscrimination-in-health-programs-and-activities
(prohibiting discrimination on the basis of race, color, national
origin (including limited English proficiency), sex (including
sexual orientation and gender identity), age, or disability in
certain health programs or activities through the use of clinical
algorithms in their decision-making).
CMS Medicare Advantage Program Final Rule (April 2023), https://www.federalregister.gov/documents/2023/04/12/2023-07115/medicare-program-contract-year-2024-policy-and-technical-changes-to-the-medicare-advantage-program (The rule clarified coverage criteria for
basic benefits and the use of prior authorization, added continuity
of care requirements, and required an annual review of utilization
management tools).
\106\ The Federal Trade Commission (FTC) has addressed AI
repeatedly in its work through a combination of law enforcement,
business education and policy initiatives. For example, numerous FTC
orders have required companies to delete data and algorithms. See
``Amazon/Alexa'' case, https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge-amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever (settling
allegations that Amazon retained children's voice recordings
indefinitely to feed its voice recognition algorithm in violation of
a children's privacy law); ``Ring'' case, https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers-failed-stop-hackers-taking-control-users (settling allegations that home security company allowed
employees to access consumers' private videos); ``Weight Watchers/
Kurbo'' case, https://www.justice.gov/opa/pr/weight-management-companies-kurbo-inc-and-ww-international-inc-agree-15-million-civil-penalty (settling allegations that weight loss app for use by
children as young as eight collected their personal information
without parental permission); ``Everalbum'' case, https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter (settling allegations that the company deceived
consumers about the use of facial recognition to analyze users'
private images, including in connection with training FRT models);
the ``Mole Detective'' case, https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3210-new-consumer-solutions-llc-mole-detective (alleging deceptive conduct, where app developers claimed
in advertisements that their consumer-facing app could determine
based on photographs whether a mole was cancerous). In May 2023, the
FTC issued a Policy Statement discussing the application of Section
5 of the FTC Act to the collection and use of biometric information
(such as finger or hand prints, facial images or geometry, voice
recordings, or genetic information), including the use of biometric
information technologies developed using machine learning and
similar techniques. Fed. Trade Comm'n, Policy Statement of the
Federal Trade Commission on Biometric Information and Section 5 of
the Federal Trade Commission Act (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf. In November 2023, the FTC filed
a comment with the Copyright Office on Artificial Intelligence. See
https://www.ftc.gov/legal-library/browse/advocacy-filings/comment-federal-trade-commission-artificial-intelligence-copyright. FTC
staff guidance has warned companies about their obligation to use AI
responsibly and identified concerns from consumers and about
competition. See, e.g., Consumers Are Voicing Concerns About AI,
https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/10/consumers-are-voicing-concerns-about-ai (October 3, 2023); Watching
the detectives: Suspicious marketing claims for tools that spot AI-
generated content (July 6, 2023); https://www.ftc.gov/business-guidance/blog/2023/07/watching-detectives-suspicious-marketing-claims-tools-spot-ai-generated-content; Generative AI Raises
Competition Concerns, https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/06/generative-ai-raises-competition-concerns (June
29, 2023); Hey, Alexa! What are you doing with my data? (June 13,
2023), https://www.ftc.gov/business-guidance/blog/2023/06/hey-alexa-what-are-you-doing-my-data; The Luring Test: AI and the engineering
of consumer trust (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/05/luring-test-ai-engineering-consumer-trust;
Chatbots, deepfakes, and voice clones: AI deception for sale (March
20, 2023), https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale; and Keep your AI
claims in check (February 27, 2023): Keep your AI claims in check
(February 2, 2023), https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check; Aiming for truth, fairness, and equity
in your company's use of AI (April 19, 2021), https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai; Artificial Intelligence and Algorithms (Apr. 8,
2020), https://www.ftc.gov/news-events/blogs/business-blog/2020/04/using-artificial-intelligence-algorithms; The Commission has issued
numerous reports related to algorithmic decision making. See FTC,
Combatting Online Harms Through Innovation: A Report to Congress
(June 2022), https://www.ftc.gov/reports/combatting-online-harms-through-innovation; FTC Report to Congress on Privacy and Security,
September 2021, https://www.ftc.gov/system/files/documents/reports/ftc-report-congress-privacy-security/report_to_congress_on_privacy_and_data_security_2021.pdf; Fed. Trade
Comm'n, Big Data: A Tool for Inclusion or Exclusion? (Jan. 2016),
https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.
For information on best practices to reduce bias and discrimination,
see generally Rebecca Kelly Slaughter, Algorithms and Economic
Justice, Yale J.L. & Tech. (Aug. 2021), https://law.yale.edu/sites/default/files/area/center/isp/documents/algorithms_and_economic_justice_master_final.pdf. The agency has
also held several public events focused on AI issues, including a
workshop on generative AI, workshops on dark patterns and voice
cloning, sessions on AI and algorithmic bias at PrivacyCon 2020 and
2021, a hearing on competition and consumer protection issues with
algorithms and AI, a FinTech Forum on AI and blockchain, and an
early forum on facial recognition technology (resulting in a 2012
staff report). See https://www.ftc.gov/news-events/events/2023/10/creative-economy-generative-ai; https://www.ftc.gov/news-events/events/2021/04/bringing-dark-patterns-light-ftc-workshop; https://www.ftc.gov/news-events/events-calendar/you-dont-say-ftc-workshop-voice-cloning-technologies; https://www.ftc.gov/news-events/events-calendar/privacycon-2021; https://www.ftc.gov/news-events/eventscalendar/privacycon-2020; https://www.ftc.gov/news-events/events-calendar/ftc-hearing-7-competition-consumerprotection-21st-century; https://www.ftc.gov/news-events/events-calendar/2017/03/fintech-forum-blockchainartificial-intelligence; and https://www.ftc.gov/news-events/events-calendar/2011/12/face-facts-forum-facialrecognition-technology.The Commission has issued an advanced
notice of proposed rulemaking that poses questions about the harms
to consumers that may result from commercial surveillance, including
as related to algorithmic decision making. See FTC, Advance Notice
of Proposed Rulemaking regarding Commercial Surveillance and Data
Security (August 11, 2022), https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking.
---------------------------------------------------------------------------
Comments. A few commenters expressed concern that our proposed
definition does not add clarity and offered other examples of
definitions that ONC should consider. For example, one commenter
recommended ONC use public definitions of AI and include a neural net
component for an adopted definition of Predictive DSI. Another
commenter suggested ONC narrow the definition of Predictive DSI to
focus on outputs that are recommendations and to limit the definition
by removing the proposed ``. . . prediction, classification, evaluation
or analysis'' section of the proposed definition. One
[[Page 1249]]
commenter urged ONC to survey the definitions of healthcare AI
currently in use, including the American Medical Association Current
Procedural Terminology (CPT[supreg]) Appendix S: AI taxonomy for
medical services and procedures because it outlines the range of AI
tools from those performing purely assistive functions to fully
autonomous technologies.
Response. We appreciate the comments, and we are aware of the
American Medical Association Current Procedural Terminology
(CPT[supreg]) Appendix S: AI taxonomy for medical services and
procedures. We think this taxonomy has value but decline to include
specific purposes or kinds of machine learning in our Predictive DSI
definition. We believe such constraints may unintentionally exclude
relevant technology as it evolves and is applied to more use cases,
humans interact with technology in more diverse ways, and societal
views on the line between assistive and autonomous technologies shift.
We, again, decline to modify our definition to exclude specific use
cases, purpose of uses or intended uses and decline to modify our
definition to include specific types of algorithms, such as neural
networks, because we suspect the relevant algorithms will similarly
evolve over time. We also decline to narrow the definition to exclude
prediction, classification, evaluation and analysis because we believe
that each of these types of output and use are of relevance in
healthcare and can result from fundamentally similar technologies.
Comments. Several commenters expressed concern that the proposed
definition included and implicated algorithms that are not directly
tied to clinical workflows or capture large areas of software solutions
used in certified EHR systems or types of interventions that are not
conducive to source attributes or feedback gathering, specifically
noting concerns with gathering feedback from passive clinical support.
One commenter noted that the proposed definition could be interpreted
to classify any list of patients, information form, or a comparison
against a population average as Predictive DSI and recommended that ONC
should remove the overly broad examples or clarify that the definition
applies only when the predictive modifier applies.
Response. We appreciate the comments, and we acknowledge that our
discussion regarding the term ``intervention,'' at 88 FR 23786, which
included mention of ``alerts, order sets, flowsheets, dashboards,
patient lists, documentation forms, relevant data presentations,
protocol or pathway support, reference information or guidance, and
reminder messages,'' was imperfectly placed. It was not our intention
to intimate that each of these kinds of ``interventions,'' would always
fall under the Predictive DSI definition but that each kind of
intervention could be a Predictive DSI if they are driven by algorithms
or models that derive relationships from training data and then produce
an output that results in prediction, classification, recommendation,
evaluation, or analysis. We believe that source attributes can be
provided for a Predictive DSI that is used in operations, scheduling,
payment, and other workflows and that there is value in doing so, for
instance, for medical coders to evaluate the relevance of codes
suggested by a Predictive DSI. We note that feedback gathering is
limited to evidence-based decision support interventions, which have a
more limited scope. We believe that our finalized definition and
associated examples provide interested parties with better clarity on
technology within the definition's scope.
Comments. Several commenters expressed concern that the proposed
definition does not adequately distinguish Predictive DSI from
evidence-based DSI, which they believed is also defined too broadly.
Commenters provided examples they believed should be excluded from the
definition, such as passive decision support, reminders for
preventative care, industry standard growth charts, well established
reference ranges, default selections in the system, suggested word
completions when typing, or rules-based decision support. Several
commenters recommended that DSIs should be limited to predictive,
evidence-based medicine support interventions impacting clinical
choice, and solutions supporting fact-based administrative functions,
such as scheduling appointments or bed availability, should be carved
out.
Response. We have provided a set of examples, discussed above,
along with our finalized definition in Sec. 170.102 of Predictive DSI
as meaning technology that supports decision-making based on algorithms
or models that derive relationships from training data and then produce
an output that results in prediction, classification, recommendation,
evaluation, or analysis. We also have clarified the scope of evidence-
based DSIs, for purposes of requirements in Sec. 170.315(b)(11), as
being limited to only those DSIs that are actively presented to users
in clinical workflow to enhance, inform, or influence decision-making
related to the care a patient receives and that do not meet the
definition for Predictive DSI at Sec. 170.102. We decline to further
limit the scope of the Predictive DSI definition, especially for
administrative functions, which would likely benefit from the
transparency our requirements would provide. We note that even
appointment scheduling and block scheduling predictive models have been
demonstrated to be of insufficient quality, causing harm to
patients.\107\ We believe that greater transparency on the quality of
these models could have avoided harm to patients by users interpreting
predictions more judiciously or choosing not to use the model, or by
motivating developers to retrain the models.
---------------------------------------------------------------------------
\107\ Samorani M., Harris S.L., Blount L.G., et al (2021)
Overbooked and Overlooked: Machine Learning and Racial Bias in
Medical Appointment Scheduling. Manufacturing & Service Operations
Management 24(6):2825-2842. https://doi.org/10.1287/msom.2021.0999.
---------------------------------------------------------------------------
Comments. Several commenters recommended that ONC limit the
definition to exclude health care providers that have developed their
own tools for internal use regardless of whether they are enabled by or
interface with the EHR the provider uses from the proposed regulatory
requirements. Commenters remarked that the distinction between health
care providers and EHR vendors offering DSI services through certified
health IT products is important as providers have greater understanding
and experience with self-developed DSI tools they use internally and
should not be subject to the same requirements as vendors offering DSI
tools in certified health IT products for commercial use.
Response. We appreciate the comments. With regards to the
definition of Predictive DSI, we did not propose and have not finalized
a definition that is dependent on the entity or party developing the
Predictive DSI. In other words, ``who develops'' a Predictive DSI is
separate and distinct from how we define what a Predictive DSI is for
the purpose of this regulation. Along those lines, while health care
providers may develop Predictive DSIs (as we have defined), we have not
excluded those provider-authored Predictive DSIs from meeting the
regulatory definition. However, it is important for commenters to keep
in mind that the definition is only one part of the Program's policy
approach to Predictive DSIs. In response to comments that appeared to
conflate ``the who'' and ``the what'' with respect to the definition,
we clarify that a health
[[Page 1250]]
care provider who self-develops a tool that meets our definition of
Predictive DSI is not subject to the requirements in Sec.
170.315(b)(11). We believe that `self-developed' tools, which may be
developed by informaticians in a health system and then applied to
individual patients by clinical users or others without knowledge of
the development or evaluation process could benefit from the inclusion
of transparency information guiding their use. And our finalized
certification criterion in Sec. 170.315(b)(11) would result in health
care providers being equipped with the technological capabilities to
deliver such transparency through Health IT Modules certified to Sec.
170.315(b)(11). We describe requirements further below that Health IT
Modules certified to Sec. 170.315(b)(11) must support the technical
capability for source attribute information to be accessed and modified
by users as well as the limited contexts in which developers of
certified health IT are required to populate those attributes.
Specifically, as already noted, we have limited the scope of our
transparency requirements for source attribute information to apply to
Predictive DSIs that are supplied by the health IT developer as part of
its Health IT Module.
Comments. One commenter urged ONC to revise the proposed definition
of Predictive DSI in a manner that specifically excludes laboratory
results reported to a health care provider via a Health IT Module when
such laboratory results are derived using an algorithm. The commenter
noted their concern that the broad definition of Predictive DSI could
cause Health IT developers to believe that a laboratory offering a test
whose result is derived using an algorithm, and which is reported via
an interfaced laboratory information system (LIS), must provide source
attribute information about the test. The commenter also noted
instrumentation result generation should not be considered covered by
this DSI intervention rule, because laboratories' instrumentation
remains under the auspices of standards established by the College of
American Pathologists (CAP) and CLIA. One commenter expressly requested
that we adopt an exception for radiologists in implementing DSI because
they stated that DSI is not useful to that specialty and thus we should
exempt them until the CMS Appropriate Use Criteria (AUC) program is
available.
Response. We appreciate the comments. As noted above, we
respectfully decline to include any exclusionary criteria in our
definition for Predictive DSI, including exclusions for specific types
of organizations that develop the Predictive DSI, exclusions for
specific types of technology that may be considered a Predictive DSI,
and exclusions for organizations or technology that may be subject to
other federal requirements and authorities, like the Clinical
Laboratory Improvement Amendments regulations,\108\ the CMS Appropriate
Use Criteria program,\109\ or Medicare Advantage Program regulations
related to utilization management.\110\ Related to the lab example
provided by the commenter, and reflective of our final policy, this
example would generally not be within the scope of a developer of
certified IT's accountability, unless the developer of certified health
IT specifically supplied the laboratory Predictive DSI as part of its
Health IT Module certified to Sec. 170.315(b)(11). As indicated by the
comment, the certified health IT would be receiving a lab result for an
outside entity using instrumentation separate and distinct (not
included as a part of the developer's certified health IT), even if
that result was arrived at by the laboratory using a Predictive DSI.
---------------------------------------------------------------------------
\108\ CLIA regulations include federal standards applicable to
all U.S. facilities or sites that test human specimens for health
assessment for to diagnose, prevent, or treat disease. CDC, in
partnership with CMS and FDA, supports the CLIA program and clinical
laboratory quality. For more information, see https://www.cdc.gov/clia/index.html.
\109\ We note that CMS rescinded the regulations for the AUC
program in the 2024 Physician Fee Schedule Final Rule (88 FR 79262).
For more information about the program, see https://www.cms.gov/medicare/quality/appropriate-use-criteria-program.
\110\ See, e.g., CMS Medicare Advantage Program Final Rule
(April 2023), https://www.federalregister.gov/documents/2023/04/12/2023-07115/medicare-program-contract-year-2024-policy-and-technical-changes-to-the-medicare-advantage-program (clarified coverage
criteria for basic benefits and the use of prior authorization,
added continuity of care requirements, and required an annual review
of utilization management tools).
---------------------------------------------------------------------------
Comments. One commenter requested clarification on whether patient
matching algorithms are subject to the Predictive DSI definition, and
thus included in the risk management and reporting requirements. The
commenter was supportive of including patient matching algorithms under
the proposed definition given that the models use example data to
determine accuracy prior to implementation and produce an output
stating which patient it believes matches to which record given the
data it is presented with. The commenter observed that by being able to
understand the matching algorithms themselves, the healthcare continuum
can better react and hone its data capture practices ensuring the
algorithms receive the best quality data to guarantee the best possible
match given the algorithms' determinations. Relatedly, a second
commenter requested clarification on whether an algorithm that assigns
similarity scores without labels is not a Predictive DSI.
Response. We appreciate the comment and refer readers to our
finalized definition for Predictive DSI as technology that supports
decision-making based on algorithms or models that derive relationships
from training data and then produces an output that results in
prediction, classification, recommendation, evaluation, or analysis. We
are aware of a variety of methods to perform patient matching,
including identifying whether specific fields are exact matches, or
whether certain strings of text contain a high proportion of matching
characters, and not all of them are based in relationships derived from
training data.\111\ Such patient matching methods would likely not be
considered Predictive DSI if they were not based on relationships
derived from training data. We further note that the exclusion of
unsupervised machine learning approaches, which generally do not
predict an unknown value but rather identify the similarity or
closeness of data, described at 88 FR 23786, is likely to apply to some
patient matching algorithms, which would also likely not be considered
Predictive DSI. That same clarification would apply to other algorithms
that generate a similarity or closeness score without labeled training
data (for instance, patient phenotyping or search recommendations based
on the similarity between search strings and document contents), which
would likely not be considered Predictive DSI. Other patient matching
algorithms, especially those leveraging a supervised learning approach,
are likely to meet the definition of a Predictive DSI.
---------------------------------------------------------------------------
\111\ Government Accountability Office. Health Information
Technology: Approaches and Challenges to Electronically Matching
Patients' Records across Providers. Jan 15, 2019.
---------------------------------------------------------------------------
Comments. A different commenter was concerned with the proposed
definition of Predictive DSI including the term ``algorithm'' because
it suggested a more inclusive set of health IT than they believed was
intended by legislative and regulatory scope, which they stated would
create confusion in the marketplace. The commenter recommended refining
DSI's definition by removing ``algorithms'' to limit scope specifically
to decision support driven by models using example data. Some
commenters recommended ONC shift the criterion back to a specific focus
on
[[Page 1251]]
clinical DSIs as an initial starting point for the revised criterion.
Response. We appreciate the comment and the concern. Our definition
for Predictive DSI includes technology that supports decision-making
based on both models and algorithms that derive relationships from
training data and then produce an output that results in prediction,
classification, recommendation, evaluation, or analysis. We understand
that not all interested parties share the same conception of how an
algorithm is related to a model or vice versa. Regardless, the
existence of an algorithm in or as part of a technology is not, alone,
determinative in meeting our definition for Predictive DSI. In addition
to including an algorithm, a technology must also support decision-
making based on the algorithm and that algorithm must derive, or learn,
relationships from training data and then produce an output that
results in prediction, classification, recommendation, evaluation, or
analysis. We also decline to limit the scope of our definition to focus
on clinical uses as previously discussed in this section.
Attestation for Predictive Decision Support Interventions
In proposed Sec. 170.315(b)(11)(v)(A), at 88 FR 23786, we proposed
that developers of certified health IT with Health IT Modules certified
to Sec. 170.315(b)(11) attest ``yes'' or ``no'' to whether their
Health IT Module enables or interfaces with Predictive DSIs based on
any of the data expressed in the standards in Sec. 170.213. This
attestation requirement would have the effect of permitting developers
of certified health IT to certify to Sec. 170.315(b)(11) without
requiring their Health IT Modules to enable or interface with
Predictive DSIs. However, for those developers of certified health IT
that attest ``yes'' as described in Sec. 170.315(b)(11)(v)(A), we
described in the HTI-1 Proposed Rule additional applicable requirements
related to source attributes and IRM practices (88 FR 23786).
We clarified that ``enables'' means that the developer of certified
health IT has the technical capability to support a predictive model or
DSI within the developer's Health IT Module. We clarified that
applications developed by other parties and self-developed applications
that are used within or as a part of a Health IT Module would mean that
the Health IT Module is considered to ``enable'' Predictive DSIs. We
provided an example, stating that if the calculations or processing for
a Predictive DSI occur within the Health IT Module, either through a
standalone application developed by an other party \112\ or an
application self-developed by a developer of certified health IT for
use within a Health IT Module, we would consider this ``enabling.'' In
contrast, we clarified that ``interfaces with'' means that the Health
IT Module facilitates either (1) the launch of a predictive model or
DSI or (2) the delivery of a predictive model or DSI output(s) to users
when such a predictive model or DSI resides outside of the Health IT
Module and provided examples. We noted that some organizations may use
USCDI data exported or sourced from a certified Health IT Module to
develop data-driven advanced analytics leveraging predictive models or
technologies to provide insights for healthcare. We also noted that in
such circumstances, our proposed requirements would only apply if the
output of the predictive model subsequently interfaced with a Health IT
Module. The proposed requirement would not establish requirements for
predictive technologies that are not enabled or do not interface with a
Health IT Module.
---------------------------------------------------------------------------
\112\ Please note that ``other party'' is a term of art we
described at 88 FR 23796. In this final rule, we have italicized
other party and other parties to assist readers' understanding that
we are using this term of art and not misspelling ``another.''
---------------------------------------------------------------------------
Finally, we clarified that other parties includes any party that
develops a DSI, a model, or an algorithm that is used by a DSI and is
not a developer of certified health IT (88 FR 23796). We said these
other parties could include, but are not limited to: a customer of the
developer of certified health IT, such as an individual health care
provider, provider group, hospital, health system, academic medical
center, or integrated delivery network; a third-party software
developer, such as those that publish or sell medical content or
literature used by a DSI; or researchers and data scientists, such as
those who develop a model or algorithm that is used by a DSI.
Comments. Commenters were generally supportive of the proposal to
enable Health IT Modules to be certified to Sec. 170.315(b)(11)
without the health IT developer being obligated to provide Predictive
DSIs to their customers by having developers of certified health IT
attest ``yes'' or ``no'' to whether their Health IT Module enables or
interfaces with Predictive DSIs based on any of the data expressed in
the standards in Sec. 170.213. Commenters requested that we reflect
that health IT developers would not be compelled to provide (or author)
Predictive DSIs due to the attestation statements adopted in this
provision.
Notwithstanding the general support, many commenters did not
support the ``enables or interfaces with,'' construct associated with
the attestation proposed in Sec. 170.315(b)(11)(v)(A). Many commenters
noted that the ``enables or interfaces with,'' scope was a vague,
ambiguous, and problematic phrase when applied to the proposed
definition for Predictive DSI. Commenters, specifically health IT
developers, were concerned that it would be hard to comply with the
``enables or interfaces with'' scope on which conditional requirements
for source attributes and IRM practice requirements would rely.
Commenters requested that we further define and narrow the scope of
``enables or interfaces with,'' and commenters stated that ONC should
clearly define the scope of activities or technologies to which the
related requirements for source attributes and IRM practices apply. For
example, some commenters suggested that source attribute and IRM
practice requirements should only apply in specific situations, such as
when entities have contracts specifically covering the enablement and
use of such technologies. Commenters also expressed substantive
concerns that the phrase ``enables or interfaces with'' would require
health IT developers to meet the transparency requirements for all
third-party apps that customers utilize via Sec. 170.315(g)(10)
technology. They also stated that it would be difficult for developers
to know when these third-party apps ``enable or interfaced with'' their
Health IT Module and difficult to require third parties to provide
source attributes information, particularly when there is no
contractual relationship between the health IT developer and those
third parties.
Taken together and as we looked at the substance of comments
comprehensively, we noticed that commenters described circumstances
that would otherwise make the original intent behind the attestation
proposal moot. Instead of enabling a health IT developer that did not
provide or author Predictive DSIs to meet the attestation for proposed
Sec. 170.315(b)(11)(v) by attesting ``no'' regarding their support for
Predictive DSIs, many developers appeared to convey that they would
need to attest ``yes'' because of their understanding of the proposed
scope for ``enable or interface with.'' This was because they
interpreted our proposal for ``enable or interface with'' to include
their accountability for customer actions associated with Predictive
DSIs, which would not necessarily be known at the
[[Page 1252]]
time of certification and, as a result, the developer of certified
health IT would have to err on the side of expecting that one of their
customers would enable or interface their Health IT Module with a
Predictive DSI. In short, we understood from commenter feedback that
developers of certified health IT could not reasonably validate whether
customers were using Health IT Modules to enable or interface with
Predictive DSIs.
On the whole, commenters contended that our proposal included
ambiguities and challenges related to implementation, knowledge, and
ongoing compliance. The latter of which would be the most difficult for
developers of certified health IT based on what we had proposed. For
example, if under our proposal, a developer had attested ``no'' and
then months later a single customer had ``enabled or interfaced with''
an other party Predictive DSI with the developer's Health IT Module
(certified to Sec. 170.315(b)(11)), it was unclear whether the
developer would need to reengage its ONC-ACB to change its certificate
for Sec. 170.315(b)(11) and attest ``yes'' and take on the additional
compliance requirements. Comments also made clear that we should seek
to minimize and separate how independent customer actions and decisions
associated with Predictive DSIs interplay with conditional compliance
requirements for developers of certified health IT under the Program.
Response. We appreciate commenters' feedback on the attestation
proposal, its construction within the criterion at Sec.
170.315(b)(11), and how to make it more implementable. In summary, the
intent behind the proposed attestation statement and its associated
framing was to establish a conditional approach whereby developers of
certified health IT certifying to Sec. 170.315(b)(11) would still be
able to get certified to Sec. 170.315(b)(11) even if their Health IT
Module did not enable or interface with a Predictive DSI. We had hoped
that this would relieve specific regulatory burdens for developers of
certified health IT that had no intention to enable or interface with a
Predictive DSI. However, as commenters pointed out, because of the
broad scope of ``enable or interfaced with'' even those developers that
could have plausibly attested ``no'' may still have felt it necessary
to attest ``yes'' when seeking certification. Despite not knowing of
customers using Health IT Modules to enable or interface with a
Predictive DSI, these developers of certified health IT would need to
attest ``yes'' as soon as single customer used their certified Health
IT Module to enable or interface with a Predictive DSI. We interpreted
these developer compliance concerns, about whether they would know if a
customer had enabled or interfaced a Predictive DSI with their Health
IT Module, as an important implementation issue and necessary to
address as part of this final rule.
In consideration of these and similar comments, we have not adopted
the attestation statement we proposed in Sec. 170.315(b)(11)(v). Given
the circumstances and concerns described by commenters, we have
concluded that accurate attestations, relieved burden, and clear
(initial and ongoing) compliance would not have been accomplished as
proposed. Rather than adopt an attestation statement, we have finalized
minimal, uniform requirements for all Health IT Modules certified to
Sec. 170.315(b)(11) while also maintaining a construction that enables
a developer of certified health IT to certify a Health IT Module to
Sec. 170.315(b)(11) without being obligated to author, develop, or
otherwise directly provide Predictive DSIs to their customers. In
response to comments, we believe this synthesized approach provides
developers of certified health IT with clear policy and layered
compliance requirements that are specifically within the scope of the
Program and that of the developer's control (i.e., a customer's action
will not create any corresponding compliance impact on a developer's
Sec. 170.315(b)(11) compliance).
As described throughout this section, we have removed ``enabled or
interfaced with'' and replaced it with ``supplied by.'' The final
rule's scope places the knowledge, decision, and ongoing compliance
associated with including a Predictive DSI solely within the control of
a developer of certified health IT. While the use of ``supplied by'' is
a different configuration nexus than the proposed attestation statement
that used ``enables or interfaces with,'' this approach similarly
addresses our intent to only apply additional Predictive DSI related
stewardship responsibilities to health IT developers who supply
Predictive DSIs as part of their Health IT Module. The paragraphs that
follow illustrate by way of final certification criterion requirements
some of the changes we have made in response to comments associated
with the certification criterion's focus on Predictive DSI's ``supplied
by'' the health IT developer and the corresponding effect of not
finalizing the attestation. We believe the finalized requirements
provide much more certainty for health IT developers while still
addressing our overall policy goal for Sec. 170.315(b)(11)--to provide
as part of the Program greater transparency associated with DSIs,
particularly Predictive DSIs and their ability to be FAVES.
First, we have adopted requirements in Sec. 170.315(b)(11)(iii),
described previously in this final rule, that enables a limited set of
identified users to select (i.e., activate) electronic DSIs that are
evidence-based in (b)(11)(iii)(A) and predictive in (b)(11)(iii)(B). We
believe that this uniform requirement to enable the selection of a
Predictive DSI represents a minimal level of effort beyond, and a
slight modification to, what developers of certified health IT would
have had to do if we had finalized the ``no,'' attestation. Such
developers of certified health IT would have had to enable selection of
evidence-based DSIs and supported source attribute fields for evidence-
based DSIs. As stated previously, enabling the selection of Predictive
DSIs would likely be operationalized through the same technical means
as enabling selection of an evidence-based DSI. Additionally, and in
acknowledgement of our proposed rule discussion that requirements for
DSI configuration in Sec. 170.315(b)(11)(ii) applied to both evidence-
based DSIs and Predictive DSIs (88 FR 23783), we believe that Health IT
Modules certified to Sec. 170.315(b)(11) would have baseline
expectations to support both user configuration of Predictive DSIs and
user selection of Predictive DSIs. Finally, we believe that software
development of fields to support source attributes (in Sec.
170.315(b)(11)(v)(B)) for Predictive DSIs would likely not be
substantially more burdensome than the work necessary to develop fields
to support evidence-based DSI source attributes (in Sec.
170.315(b)(11)(A)).
Second, the finalization of Sec. 170.315(b)(11) without an
attestation statement but with uniform requirements for users to
configure and have the technical capability to select both evidence-
based and Predictive DSIs achieves a policy goal to ensure that users
have equal technical capabilities to access, record, and change
Predictive DSI source attributes in Sec. 170.315(b)(11)(v)(B) for
Predictive DSIs they self-develop and for Predictive DSIs they purchase
from other parties, in addition to potential Predictive DSIs supplied
by the users' developer of certified health IT. Under the proposed
attestation statement with the enables or interfaces with configuration
nexus, users of Health IT Modules that attested ``no,'' would have
technical challenges to use self-
[[Page 1253]]
developed or other party-developed Predictive DSIs. This is because
Predictive DSI-related source attribute fields (proposed in Sec.
170.315(b)(11)(vi)(C)) and Predictive DSI-related capabilities to
author and revise source attributes (proposed in Sec.
170.315(b)(11)(vi)(E)) would not have been required for those ``no
attestation'' Health IT Modules to support. We believe that as the
market for Predictive DSIs grows, equivalent technical capabilities for
users to access, record, and change source attributes in Sec.
170.315(b)(11)(iv) across Health IT Modules certified to Sec.
170.315(b)(11) will be vital to promote Predictive DSIs that are FAVES.
Third, we have narrowed the focus of requirements related to
providing IRM practices information on Predictive DSIs to those that
are ``supplied by the health IT developer as part of its Health IT
Module.'' This approach reduces the overall scope of technologies
subject to final requirements in Sec. 170.315(b)(11) while keeping the
intent of the attestation statement we proposed. For instance, our
finalized policy in Sec. 170.315(b)(11)(vi) requires that for
Predictive DSIs supplied by the developer of certified health IT as
part of its Health IT Module the developer would have to address
specific IRM practices associated with each Predictive DSI it supplies.
As noted and similar to our intent with the ``no'' attestation
proposal, based on the revised scope in this final rule, if a health IT
developer does not supply any Predictive DSIs it will still be able to
comply with Sec. 170.315(b)(11) and will not have to meet, for
example, IRM practice requirements in Sec. 170.315(b)(11)(vi) because
the health IT developer does not supply any Predictive DSIs as part of
its Health IT Module. We note, however, if after certification to Sec.
170.315(b)(11), a developer does begin to supply Predictive DSIs as
part of its certified Health IT Module, it would need to comply with
all applicable requirements in Sec. 170.315(b)(11).
We interpret ``supplied by'' to include interventions authored or
developed by the health IT developer as well as interventions authored
or developed by an other party that the health IT developer includes as
part of its Health IT Module, such as stated in the comments ``when
entities have contracts specifically covering the enablement and use of
such technologies.'' The concept of ``supplied by'' means that the
developer of certified health IT has taken on stewardship and
accountability for that Predictive DSI for the purposes of the Health
IT Module. We interpret ``as part of its Health IT Module'' to mean
that the developer of certified health IT has explicitly offered or
provided its customers the technical capability to use or support a
Predictive DSI, regardless of whether the Predictive DSI was developed
by the developer of certified health IT or by an other party.
By way of example, ``supplied by the health IT developer as part of
its Health IT Module'' would include the implementation of a publicly
available predictive model, like LACE+,\113\ if a developer of
certified health IT includes this Predictive DSI as part of its product
and it is part of what the developer offers its customers. As another
example, ``supplied by the health IT developer as part of its Health IT
Module'' would include incorporation of an other party's LLM, or other
generative AI, that meets the definition of Predictive DSI and is part
of what the developer offers its customers.
---------------------------------------------------------------------------
\113\ van Walraven, Carl, Jenna Wong, and Alan J. Forster.
``LACE+ index: extension of a validated index to predict early death
or urgent readmission after hospital discharge using administrative
data.'' Open Medicine 6.3 (2012): e80.
---------------------------------------------------------------------------
From a conformance perspective, ``supplied by the health IT
developer as part of its Health IT Module'' means that developers of
certified health IT are not accountable for populating source attribute
information for, or applying IRM practices, to Predictive DSIs in
instances where their customers choose to deploy a self-developed
Predictive DSI or an other party-developed Predictive DSI for use
within their certified health IT. This is true even if the customer
leverages data from the developer of certified health IT's Health IT
Module and even if the output from an other party's Predictive DSI is
delivered to or through a Health IT Module into a customer's clinical
workflow.
We reiterate that other party means any party that develops a DSI,
a model, or an algorithm that is used by a DSI, and is not the
developer of certified health IT or a subsidiary of the developer of
certified health IT. This is consistent with our discussion in the HTI-
1 Proposed Rule on 88 FR 23796.\114\ This description of other party in
this final rule preamble specifically excludes a subsidiary of a
developer of certified health IT. We intend for purposes of our
requirements in Sec. 170.315(b)(11) that a subsidiary of a developer
of certified health IT that develops a Predictive DSI would be
considered the same as if it were the developer of certified health IT,
subjecting Predictive DSIs developed by a subsidiary to the same
requirements as a Predictive DSI supplied by a developer of certified
health IT as part of its Health IT Module.
---------------------------------------------------------------------------
\114\ As noted in HTI-1 Proposed Rule, Other parties can
include, but are not limited to: a customer of the developer of
certified health IT, such as an individual health care provider,
provider group, hospital, health system, academic medical center, or
integrated delivery network; a third-party software developer, such
as those that publish or sell medical content or literature used by
a DSI; or researchers and data scientists, such as those who develop
a model or algorithm that is used by a DSI (88 FR 23796).
---------------------------------------------------------------------------
We note that Health IT Modules certified to Sec. 170.315(b)(11)
must support the technical capability for other party source attribute
information to be entered into the Health IT Module's source attribute
fields, per requirements elaborated below for final Sec.
170.315(b)(11)(v)(B). We note that if a developer of certified health
IT would like to include a capability for other parties to record
source attributes into a Health IT Module in a way that shields the
developer of certified health IT from having access to the other party
source attributes, they may do so. However, we reiterate that
developers of certified health IT are not required to receive, acquire,
or otherwise obtain source attribute information for an other party's
Predictive DSI unless such Predictive DSI is supplied by the developer
of certified health IT as part of its Health IT Module.
Finally, and in consideration of comments received and the scope
reductions we have made to this final certification criterion, we
determined that a supportive Maintenance of Certification requirement
as part of the Assurances Condition of Certification in 45 CFR
170.402(b) was necessary to fully implement our policy objectives and
proposals. We have included in this final rule an Assurances
Maintenance of Certification requirement that reinforces a certified
health IT developer's ongoing responsibility in Sec.
170.315(b)(11)(v)(A)(1) to enable user access to updated descriptions
of source attribute information at Sec. 170.315(b)(11)(iv)(A) and (B),
to review and update as necessary IRM practices that must be applied
for each Predictive DSI the health IT developer supplies as part of its
Health IT Module in Sec. 170.315(b)(11)(vi), and to ensure the ongoing
public accessibility of updated summary IRM practice information as
submitted to their ONC-ACB via hyperlink in Sec. 170.523(f)(1)(xxi).
This Maintenance of Certification requirement is a Sec.
170.315(b)(11)-specific instantiation of general Program requirements
described in Sec. 170.402(a) as well as an adaptation of what we
proposed at Sec. 170.315(b)(11)(vii)(D), which proposed to establish
an ``annual
[[Page 1254]]
and, as necessary, update'' requirement for developers with Health IT
Modules certified to Sec. 170.315(b)(11) (88 FR 23805). In
consideration of comments received on Sec. 170.315(b)(11) as a whole
and the corresponding changes we made to the final certification
criterion to focus on Health IT Module capabilities, it became clear
that the ongoing transparency of source attribute and IRM practices
associated with Sec. 170.315(b)(11) would best fit under the Program
as a developer-level responsibility compared to a product-level
responsibility. As such, it made the most sense to shift the nature of
these proposals from the more technical certification criterion to the
Assurances Condition. Accordingly, we have finalized at Sec.
170.402(b)(4) that starting January 1, 2025, and on an ongoing basis,
developers of Health IT Modules certified to Sec. 170.315(b)(11) must
review and update, as necessary, source attribute information in Sec.
170.315(b)(11)(iv)(A) and (B), risk management practices described in
Sec. 170.315(b)(11)(vi), and summary information provided through
Sec. 170.523(f)(1)(xxi).
First, we have finalized this Maintenance of Certification
requirement to serve as a discrete connection for developers of
certified health IT with Health IT Modules certified to Sec.
170.315(b)(11) to have complete and up-to-date descriptions of source
attribute information (in Sec. 170.315(b)(11)(iv)(A) and (B)) at the
time of certification and on an ongoing basis while their Health IT
Module is certified to Sec. 170.315(b)(11). This Maintenance of
Certification requirement builds on three existing Assurances Condition
of Certification requirements at Sec. 170.402(a)(1), (2) and (3),
respectively, stating that a health IT developer must provide
assurances to the Secretary that it ``. . . will not take . . . any
other action that may inhibit the appropriate exchange, access, and use
of electronic health information,'' ``must ensure that its health IT
certified under the ONC Health IT Certification Program conforms to the
full scope of the certification criteria,'' and ``must not take any
action that could interfere with a user's ability to access or use
certified capabilities for any purpose within the full scope of the
technology's certification.'' While we believe these existing
requirements within the Assurance Condition pertain to both evidence-
based and Predictive DSIs, as well as IRM practices, we believe this
specific additional Maintenance of Certification requirement is
necessary because of the unique, evolving, and dynamic nature of DSIs.
Moreover, it is important for users of health IT certified to Sec.
170.315(b)(11) as well as the Secretary to have as an explicit
assurance that developers of certified health IT are keeping source
attribute information up-to-date and, as applicable, that such
developers are committed to IRM practices.
For example, both evidence-based and Predictive DSIs use EHI as key
input data in underlying rules and models. Supplying DSIs without
accompanying accurate and up-to-date documentation could inhibit the
appropriate use of EHI in two ways. First, it could lead the health IT
developer's customers to fail to use the DSI in appropriate ways, most
obviously by omission of an updated statement of the DSI's intended use
as required at Sec. 170.315(b)(11)(iv)(B)(2)(i). Similarly, supplying
DSIs without accompanying documentation could lead to the use of a DSI
on unintended populations, on individuals from groups for which the DSI
does not perform adequately, or by leading to the use of a DSI for
which associated risks have not been appropriately identified and
mitigated. Further, supplying a DSI without accompanying documentation
could inhibit the selection and use of a DSI that would make
appropriate use of EHI. Without information on the DSI supplied by the
developer of certified health IT, users will not be able to adequately
determine whether the developer of certified health IT's supplied DSI
is fit for their purpose, or whether they should select a more
effective DSI.
While we believe that, under our proposal, developers of certified
health IT would have taken actions to continually maintain information
associated with DSIs and IRM practices, in accordance with Assurances
requirements in Sec. 170.402(a)(1), (2), and (3), this Maintenance of
Certification requirement adds necessary specificity to the overall
Assurances Condition of Certification and ensures that developers of
certified health IT are firmly aware of their ongoing obligations
associated with the certification criterion at Sec. 170.315(b)(11).
Moreover, this Maintenance of Certification requirement ensures that
actions taken by the developer of certified health IT enable a user to
access Sec. 170.315(b)(11)-related documentation on an ongoing basis
will not inhibit the appropriate use of EHI. In establishing this
Maintenance of Certification requirement, we address acute transparency
concerns from public comments regarding the accuracy, relevance, and
timeliness of the source attribute information provided by the
developers of certified health IT. As reflected in several source
attributes seeking information on the ongoing maintenance of
intervention implementation and use, and in particular the validity and
fairness of predictions in local data, models and data used to drive
Predictive DSIs will change over time (88 FR 23792); if developers of
certified health IT do not continue to keep associated attribute
information up to date, their failure to do so could have adverse
impacts on user trust, accuracy, usage, and safety.
Second, we have finalized in this Maintenance of Certification
requirement that developers of certified health IT with Health IT
Modules certified to Sec. 170.315(b)(11) review and update as
necessary risk management practices described in Sec.
170.315(b)(11)(vi). This is substantially similar to what we proposed
at Sec. 170.315(b)(11)(vii)(D), which was to review annually and, as
necessary, update IRM practice documentation. We discuss comments
received to proposed Sec. 170.315(b)(11)(vii)(D) further in this final
rule preamble.
Last, we have finalized in this Maintenance of Certification
requirement that developers of certified health IT with Health IT
Modules certified to Sec. 170.315(b)(11) review and update as
necessary summary information provided to the developer's ONC-ACB,
consistent with what we proposed at Sec. 170.315(b)(11)(vii)(C), which
required that summary information be submitted to the health IT
developer's ONC-ACB via publicly accessible hyperlink, as well as what
we proposed at Sec. 170.523(f)(xxi), which required ONC-ACBs to ensure
that all of the information required to be submitted by the health IT
developer to meet IRM requirements in Sec. 170.315(b)(11)(vii)(C) were
available via public hyperlink. We discuss comments received to
proposed Sec. 170.315(b)(11)(vii)(C) and Sec. 170.523(f)(xxi) further
in this final rule preamble.
Comments. While some commenters agreed with and were supportive of
the proposed definition and our explanation of the differences between
``Enables'' and ``Interfaces with,'' several commenters expressed
concern that the proposed phrase ``enables or interfaces with'' was
overly broad when applied to the proposed definition for Predictive DSI
and requested that we further define and narrow the scope of these
terms. These commenters stated that ONC should clearly define the scope
of activities or technologies that ``enable or
[[Page 1255]]
interface with'' Predictive DSIs to narrow the scope of this
requirement to make it clear that the HTI-1 Proposed Rule applies in
situations such as, for example, when entities have contracts
specifically covering the enablement and use of such technologies.
Commenters also expressed concern that the phrase ``enables or
interfaces with'' would require health IT developers to meet the
transparency requirements for all third-party apps that customers
utilize via Sec. 170.315(g)(10) technology, and that it would be
difficult for developers to require third parties to provide source
attributes information, particularly when there is no contractual
relationship between the health IT developer and other party
developers.
Response. We appreciate the comments and have modified our final
scope for Health IT Modules that must provide source attribute
information and our scope for which Predictive DSIs must be subject to
IRM practices in response to public comment. We understand through
public comments that interested parties viewed the scope contingent on
``enables or interfaces with'' as too broad and ambiguous, especially
given that the scope of these terms would impact conditional
requirements related to source attributes and risk management by way of
the proposed attestation in Sec. 170.315(b)(11)(v). In considering
alternative constructions that would clarify our intent and in
consideration of commenters' concerns, we have finalized a construction
that narrows and replaces the two concepts of ``enables,'' and
``interfaces with,'' with ``supplied by.'' This modification is
reflected in the finalized text of Sec. 170.315(b)(11)(v) and
regulatory text in Sec. 170.315(b)(11)(vi) to establish conditional
requirements for Health IT Modules that include an other party's
Predictive DSI that is supplied by the health IT developer.
For example, if a user ordered a lab test using the existing
certification criterion capability for computerized provider order
entry-laboratory (Sec. 170.315(a)(3)) and the lab test result was
derived from a Predictive DSI used by the laboratory, such a
configuration would be out of scope and the Health IT Module would not
subject to the requirements in Sec. 170.315(b)(11)(v), because the
Predictive DSI that rendered the lab test result was not supplied by
(i.e., included as part of the Health IT Module) the developer of the
certified health IT.
We believe that these modifications significantly narrow the scope
of our proposal and clarify which other party Predictive DSI
configurations are subject to requirements in Sec. 170.315(b)(11) for
source attributes. We also note that the phrase ``supplied by'' is also
included in the text of Sec. 170.315(b)(11)(vi) to establish a
conditional requirement that for each Predictive DSI supplied by the
health IT developer as part of its Health IT Module, is subject to risk
analysis, risk mitigation, and governance, which we discuss more in
section ``xi. Intervention Risk Management (IRM)'' later in this final
rule. We believe that developers of certified health IT with Health IT
Modules that supply an other party's Predictive DSI as part of their
Health IT Module would be generally aware of and be well positioned to
make source attribute information available for user review as well as
apply IRM practices given the likelihood of a high degree of technical
coordination and formalized business relationship between a developer
of certified health IT and an other party in such scenarios.
Comments. One commenter expressed concern that the definition of
Predictive DSI included the terms ``interfaces with,'' and ``enabled
by'' could potentially incorporate test results generated using
laboratory processes that contain algorithmic components, if the
outputs of those tests are transmitted to an EHR, and requested that
the definition exclude laboratory results because labs are already
subject to other federal requirements and should not be subject to
additional requirements due to their results being made available
through an EHR.
Response. We thank the commenter for their input. However, we
clarify that neither our proposed nor final definition in Sec. 170.102
included the terms ``interfaces with,'' or ``enabled by.'' These terms
of art were used in the HTI-1 Proposed Rule to establish a
configuration nexus that would subject Health IT Modules to additional
requirements if such Health IT Modules enabled or interfaced with a
Predictive DSI. As noted above, and given that our final policy nexus
is dependent on ``supplied by the health IT developer as part of its
Health IT Module,'' we note that if the test result is generated by a
Predictive DSI used by the lab itself for the generation of results but
the Predictive DSI is not supplied by the developer of the certified
Health IT Module, it would be out of scope of the requirements
established by the final policy. As another example, if a user ordered
a lab test using the existing certification criterion capability for
Computerized provider order entry-laboratory (Sec. 170.315(a)(3)) and
the lab test result was derived from a Predictive DSI used by the
laboratory, such a configuration would be out of scope and the Health
IT Module would not subject to the requirements in Sec.
170.315(b)(11), because the Predictive DSI that rendered the lab test
result was not supplied by the health IT developer as part of its
Health IT Module.
vi. Source Attributes
At 88 FR 23787, we proposed in Sec. 170.315(b)(11)(vi) that Health
IT Modules certified to Sec. 170.315(b)(11) enable a user to review a
plain language description of source attribute information as indicated
at a minimum via direct display, drill down, or link out from a Health
IT Module. We noted that Sec. 170.315(g)(3) ``safety-enhanced
design,'' applies to the existing Sec. 170.315(a)(9) criterion and in
keeping with that applicability, we proposed that safety-enhanced and
user-centered design processes described in Sec. 170.315(g)(3) would
apply to the new certification criterion proposed in Sec.
170.315(b)(11) as well. We proposed to update Sec. 170.315(g)(3)
accordingly to reference the proposed Sec. 170.315(b)(11).
Comments. Commenters were generally split on supporting or not
supporting the proposal in Sec. 170.315(b)(11)(vi) that Health IT
Modules certified to Sec. 170.315(b)(11) enable a user to review a
plain language description of source attribute information as indicated
at a minimum via direct display, drill down, or link out from a Health
IT Module. Those in support noted that it would have the benefit of
allowing users to assess the DSI's quality and thereby enhancing
trustworthiness; enable those with sufficient knowledge to understand
the data to make informed purchasing decisions; and give flexibility
that ensures that the recommendations and guidance provided by these
systems align with the organization's unique workflows and patient
populations, facilitating seamless integration into clinical practice.
Several commenters agreed that user feedback can be a useful tool to
support quality improvement within health IT and emphasizing
transparency and customization allows healthcare organizations to
tailor decision support systems to their specific needs. Other
commenters urged ONC not to adopt the direct display, drill down, or
link requirement observing that including too much information in the
direct display can negatively impact usability and user adoption in
comparison to providing rational and accessible paths to deeper
information via click-paths that are based on user-centered design
principles. These commenters worried that requiring ``at a minimum
direct
[[Page 1256]]
display, drill down, or link out,'' could unintentionally inhibit
innovative user interfaces and user designs to enable user access to
source attributes.
Response. We thank commenters for their support, and we note that
requirements originally proposed in Sec. 170.315(b)(11)(vi) for source
attributes built off more than a decade of existing expectations for
source attributes in the current CDS criterion at Sec.
170.315(a)(9)(v) where the expectation for direct display, drill down,
or link out had been described at 77 FR 54215. However, in
consideration of comments, we have not finalized the requirements for
source attribute information to be available via direct display, drill
down, or link out from a Health IT Module. Rather we have finalized a
source attributes requirement in Sec. 170.315(b)(11)(iv) without the
text ``at a minimum via direct display, drill down, or link out from a
Health IT Module.'' While we have not finalized a requirement for
presenting source attribute information to users in the regulation text
at Sec. 170.315(b)(11)(iv), we reiterate the requirement in Sec.
170.315(b)(11)(v)(A)(1) that Health IT Modules enable a limited set of
identified users to access complete and up-to-date plain language
descriptions of source attribute information in paragraphs Sec.
170.315(b)(11)(iv)(A) and Sec. 170.315(b)(11)(iv)(B). And we have also
included a requirement in Sec. 170.315(b)(11)(v)(B)(1) to enable a
limited set of identified users to record, change and access the same
source attribute information. The phrase ``limited set of identified
users'' conveys that the capability is not required for all users of
the Health IT Module. Rather, that the capability can be constrained to
a smaller userbase that are identified to have the privileges necessary
to use the capabilities in Sec. 170.315(b)(11), including the
capability to record, change, and access source attributes and source
attribute information. We have provided this flexibility so that any
number and configuration of users may record, change, and access source
attribute information according to organizational needs. For example,
if a client of a developer of certified health IT hosts source
attributes for each deployed evidence-based or Predictive DSI
centrally, a Health IT Module could include a hyperlink from a
dashboard or other user interface to a user at the point-of-care.
Additionally, this flexibility could limit record, change, and access
privileges to a user who has responsibilities for an organization's
procurement and implementation decisions.
Finally, we did not receive any substantive or direct feedback
regarding our proposal to update ``safety-enhanced design,'' to
reference the certification criterion finalized in Sec.
170.315(b)(11). We continue to believe that just as the CDS criterion
in Sec. 170.315(a)(9) was subject to safety-enhanced design
requirements, so too should the revised criterion in Sec.
170.315(b)(11). Thus, we have finalized our proposed modification to
Sec. 170.315(g)(3) ``safety-enhanced design,'' to reference the
certification criterion finalized in Sec. 170.315(b)(11).
Comments. Commenters requested clarity on the proposal for source
attributes noting that the proposal was ambiguous as to what source
attributes would need to be implemented and requested that ONC provide
more clarity on the expectation of how source attributes must be
implemented in a Health IT Module. Specifically, one commenter
requested clarification on whether software should support source
attribution when clinically appropriate, noting that many health care
providers and health systems have structures in place to track
appropriate source attributes. One commenter requested additional
clarity on how the information being available at the point of care
should be used in real time stating that most of the source attribute
information will be relevant to the organization while it makes
procurement and implementation decisions versus during care delivery.
Response. We appreciate the commenters' suggestions and have
finalized our proposal with modifications in consideration of these and
related comments. We have made several modifications to reduce the
ambiguity cited by commenters related to the source attributes
proposals. We have separately identified requirements related to
accessing up-to-date and complete information for DSI supplied in the
Health IT Module at Sec. 170.315(b)(11)(v)(A) and requirements related
to enabling customers to modify source attributes and source attribute
information for DSI at Sec. 170.315(b)(11)(v)(B). We also separately
list source attribute categories for evidence-based and Predictive DSI
at Sec. 170.315(b)(11)(iv)(A) and (B), respectively. We believe that
information available as source attributes will have value both as
reference information to individual users evaluating the use of a DSI
on an individual patient--for instance, by assessing whether it has
been recently evaluated at their health system and whether it has been
shown to perform well for a patient like theirs--and for the
organization during procurement, implementation, and analysis.
To further address potential ambiguity about how source attributes
must be implemented in Health IT Modules certified to Sec.
170.315(b)(11), we have finalized uniform requirements in Sec.
170.315(b)(11)(iv) for Health IT Modules to support source attributes
listed at Sec. 170.315(b)(11)(iv)(A) and (B). This means that all
Health IT Modules certified to Sec. 170.315(b)(11) must support the
categories, but not necessarily the content, for each source attribute
listed at Sec. 170.315(b)(11)(iv)(A) and (B). For example, Health IT
Modules must support user access to complete and up-to-date source
attribute information in Sec. 170.315(b)(11)(iv)(B) only if the
Predictive DSI is supplied by the health IT developer as part of its
Health IT Module.
We have provided additional specificity about the technical
capabilities required to support source attributes at Sec.
170.315(b)(11)(v). As described above, we have not finalized our
proposal for an attestation statement. Rather, we have finalized in
Sec. 170.315(b)(11)(v) a set of four capabilities that Health IT
Modules must support related to source attributes. Each of these
capabilities was proposed in different parts of Sec. 170.315(b)(11) in
the HTI-1 Proposed Rule.
First, we have finalized requirements for ``Source attribute access
and modification'' in Sec. 170.315(b)(11)(v). Specifically, we
finalized a requirement in Sec. 170.315(b)(11)(v)(A)(1) that is
substantially similar to what we proposed in Sec. 170.315(b)(11)(vi)
to ``Enable a user to review a plain language description of source
attribute information as indicated and at a minimum via direct display,
drill down, or link out from a Health IT Module . . . .'' The finalized
``access'' requirement states in Sec. 170.315(b)(11)(v)(A)(1) that for
evidence-based and Predictive DSIs supplied by the health IT developer,
the Health IT Module must enable a limited set of identified users to
access complete and up-to-date plain language descriptions of source
attribute information specified in Sec. 170.315(b)(11)(iv)(A) and (B)
as finalized. As discussed earlier, we have not finalized proposed
requirements for Health IT Modules to make source attribute information
available via direct display, drill down, or link out.
Second, we have finalized at Sec. 170.315(b)(11)(v)(A)(2) that for
Predictive DSIs supplied by the health IT developer as part of its
Health IT Module, the Health IT Module must
[[Page 1257]]
indicate when information is not available for review for source
attributes in paragraphs (b)(11)(iv)(B)(6); (b)(11)(iv)(B)(7)(iii),
(iv), and (v); (b)(11)(iv)(B)(8)(ii) and (iv); and (b)(11)(iv)(B)(9).
This requirement is finalized as a modified version of what was
proposed at Sec. 170.315(b)(11)(vi)(D)(1) and Sec.
170.315(b)(11)(vi)(D)(2), which required Health IT Modules to indicate
a source attribute is missing if the source attribute included the ``if
available'' phrase. We clarify that per conformance with this
certification criterion and its associated maintenance of certification
requirement adopted as part of Sec. 170.402(b)(4), if and when
information related to these source attributes are generated, the
developer of certified health IT must make this information available
to users. For example, if the developer of certified health IT gets
newly available information on the validity of the intervention in
local data (Sec. 170.315(b)(11)(iv)(B)(8)(ii)) following the
deployment of a Predictive DSI, that information must be made available
as source attributes information to reflect up-to-date descriptions of
source attributes.
Third and fourth, we have finalized two requirements related to the
ability to ``modify'' source attributes and source attribute
information at Sec. 170.315(b)(11)(v)(B). At Sec.
170.315(b)(11)(v)(B)(1), we have finalized a requirement that for
evidence-based DSIs and Predictive DSIs, the Health IT Module must
enable a limited set of identified users to record, change, and access
source attributes in paragraphs (b)(11)(iv)(A) and (B) of this section.
At Sec. 170.315(b)(11)(v)(B)(2) we have finalized that, for Predictive
DSIs, a Health IT Module must enable a limited set of identified users
to record, change, and access additional source attributes not
specified in Sec. 170.315(b)(11)(iv)(B). These requirements are
substantially similar to what we proposed in Sec.
170.315(b)(11)(vi)(E) while retaining the ability to access or review
this information as would have been required in proposed Sec.
170.315(b)(11)(v). In proposed Sec. 170.315(b)(11)(vi)(E) we proposed
that a Health IT Module must enable a limited set of identified users
to ``author and revise,'' source attribute information beyond source
attributes listed. We note that the capability to record and change
replaces the proposed capability to author and revise.
Comments. Commenters requested guidance on the level of detail
required in these descriptions and specification of ``plain language
descriptions'' for which audience (e.g., developers, clinicians, and
other end-users) and guidelines on how to present this information,
noting the concern that a user may have difficulty finding the required
documentation depending on how the interface is designed. Commenters
expressed concern that the proposal to enable a user to review a plain
language description of source attribute information could result in
legal liability and vulnerability for clinicians and health care
providers, underscoring the need that the information provided in the
new source attributes for Predictive DSI are useful and understandable.
Response. We thank commenters for their concerns. We note that
requirements related to a plain language description are now included
at Sec. 170.315(b)(11)(v)(A)(1). When we indicate ``plain language
description,'' we mean language that the intended audience can readily
understand and use because that language is clear, concise, well-
organized, accurately describes the information, and follows other best
practices of plain language writing. We encourage model developers to
consider what information would be useful for users to determine if a
Predictive DSI is FAVES without providing difficult to understand
technical details. We agree that providing this information in a useful
form will be essential. Comments regarding legal liability are outside
the scope of this rulemaking. Therefore, we decline to finalize any
such change.
Comments. One commenter requested clarity regarding cases where
third-party IT that is enabled or interfaced with certified health IT
but is modified by users or a different third-party developer such that
the added functionality results in the generation of a Predictive DSI,
and whether such cases would be subject to conditional requirements for
source attributes listed in Sec. 170.315(b)(11)(vi)(A) and deployment
of or engagement in intervention risk management practices discussed in
Sec. 170.315(b)(11)(vii).
Response. In a scenario where an other party technology is modified
by a different other party (e.g., users or a different third-party
developer) such that the initial technology meets the definition of a
Predictive DSI, we would categorize the modified technology as a
Predictive DSI developed by an other party. A Health IT Module may be
expected to have the technical capability for users to record, change
and access source attributes of this modified technology, and may be
expected to provide up-to-date source attribute information if the
Predictive DSI is supplied by the developer of certified health IT as
part of the Health IT Module.
vii. Source Attributes--Demographic, SDOH, and Health Status Assessment
Data Use
We proposed at 88 FR 23787 to include as source attributes in Sec.
170.315(b)(11)(vi)(A)(1) through (4) the source attributes currently
found in Sec. 170.315(a)(9)(v)(A)(1) through (4). Additionally, we
proposed that the use of three additional specific types of data in a
DSI be included as source attributes in Sec. 170.315(b)(11)(vi)(A)--
Demographic data elements in Sec. 170.315(b)(11)(vi)(A)(5), SDOH data
elements in Sec. 170.315(b)(11)(vi)(A)(6), and Health Status
Assessment data elements in Sec. 170.315(b)(11)(vi)(A)(7). We noted at
88 FR 23787 that ``types of data in a DSI'' means that the DSI includes
any of these data as inputs or otherwise expressly rely on any of these
data in generating an output or outputs. We explained that by proposing
to modify the source attributes as part of proposed Sec.
170.315(b)(11)(vi)(A) relative to the existing attributes in Sec.
170.315(a)(9)(v)(A), we expected that information would be made
available to users if the specific data elements within these three
data categories were used in the DSI.
Context note. We note for readers that while all of the proposals
just summarized were part of proposed Sec. 170.315(b)(11)(vi), we have
finalized modified versions of these requirements as part of Sec.
170.315(b)(11)(iv)(A). As a result, we discuss the finalized
requirements with that context in mind.
Comments. The majority of commenters supported the proposal to
include the requirement that certified Health IT Modules should provide
users with source attributes for DSI, including the three additional
specific types of data of demographic, SDOH, and health status
assessment data elements. These commenters stated that it would have
the benefit of enabling individuals and organizations to understand the
nature of certified health IT, whether there are inherent biases, and
how best to use the technology for a specific patient population.
Commenters also stated that requiring developers of certified health IT
to report on these data elements' inclusion will assist providers in
both ensuring the whole patient is cared for and that there is
transparency as part of that whole-person care. Commenters noted that
the proposed requirements would address pressing concerns that AI
algorithms can reinforce biases related
[[Page 1258]]
to socioeconomic status, race, ethnicity, sexual orientation, gender
identity, sex, and other identities and conditions, observing that
recent advances in AI stand to potentially harm patients by reinforcing
implicit and explicit biases that do not reflect the diverse population
of America and that may only increase health inequities. Commenters
supported the public transparency requirements for source attribute
information as an important measure to avoid exacerbating these
inequities.
A minority of commenters did not support the proposal stating that
the HTI-1 Proposed Rule would create significant implementation burden
with unclear benefits. One commenter suggested that the HTI-1 Proposed
Rule may also paradoxically increase disparities by reducing innovation
and the implementation of DSIs due to increased regulatory burden. One
commenter expressed concern that the preamble was unclear on what it
meant for an evidence-based decision support intervention to ``use'' or
``include'' patient demographics and observations, SDOH, or health
status assessments.
Response. We thank commenters for their support and agree that by
highlighting when an evidence-based DSI uses patient demographics,
SDOH, or health status assessments data elements,\115\ users are
empowered to interrogate and ensure that the DSI is appropriate. We
believe that identification of race, ethnicity, language, age (date of
birth), sexual orientation, gender information, SDOH, and health status
assessments, such as disability, data elements, if included as part of
an evidence-based DSI, would greatly improve the possibility of
identifying and mitigating the risks of employing evidence-based DSIs
for patient care, including those related to exacerbating racial
disparities and promoting bias. We believe that this requirement
represents a low burden that is unlikely to reduce innovation and
implementation of DSIs. We also thank commenters for identifying
ambiguities in what it means for an evidence-based decision support
intervention to ``use'' or ``include'' these data elements. We clarify
that our intention is to enable a user to understand if one or more of
these data elements are included as inputs or otherwise expressly
relied upon to generate an output in an evidence-based DSI. We also
intend that, if the data elements are included, the user is informed
which one(s) are used in the evidence-based DSI. This means that a user
must be able to review whether a data element relevant to those
categories in Sec. 170.315(b)(11)(iv)(A)(5)-(13) (as expressed by the
standards in Sec. 170.213) is used in the evidence-based DSI, and if
so, which specific data element or elements are used in the evidence-
based DSI.
---------------------------------------------------------------------------
\115\ For purposes of this final rule, health status assessments
are assessments of a health-related matter of interest, importance,
or worry to a patient, patient's family, or patient's health care
provider that could identify a need, problem, or condition. See
ONC's Interoperability Standards Advisory (ISA) at https://www.healthit.gov/isa/uscdi-data-class/health-status-assessments#uscdi-v3.
---------------------------------------------------------------------------
We do not prescribe how this information is communicated to a user,
nor do we prescribe a minimum level of context at this time. For
example, we do not require that a source attribute indicating the use
of an SDOH data element in Sec. 170.315(b)(11)(iv)(A)(6) must describe
how the data element is used as part of the evidence-based DSI.
Instead, we require a Health IT Module to enable a user to review
whether an SDOH data element is used as part of the evidence-based DSI
and which SDOH data element (as expressed by the standards in Sec.
170.213) is used as part of the evidence-based DSI.
After consideration of comments, we have finalized as part of Sec.
170.315(b)(11)(iv)(A) patient demographic, SDOH, and health status
assessment data elements in Sec. 170.315(b)(11)(iv)(A)(5) through (13)
as expressed in the standards in Sec. 170.213. We note that,
consistent with the dates established in Sec. 170.213, compliance with
USCDI v1 will be required to initially meet this certification
criterion until compliance with USCDI v3 becomes required as part of
this certification criterion (i.e., January 1, 2026). As a result, for
the first compliance date associated with Sec. 170.315(b)(11) a Health
IT Module may include, but is not required to include, identification
of the use of patient demographic data elements that are only found in
USCDI v3 as part of evidence-based DSIs in Sec.
170.315(b)(11)(iv)(A)(5)-(13).
Comments. Several commenters responded to our solicitation for
comment on whether we should require a certain format or order in which
these source attributes must appear to users. Commenters noted that the
proposed source attribute requirements would require each organization
to craft their own documentation process and suggested that ONC
collaborate with interested parties to implement and refine a
standards-based approach for capturing and sharing source attributes,
including sharing both machine-readable and human-readable tables/lists
of DSI source attribute information. Commenters also observed that
requiring information about DSIs to be submitted in a standard format
will focus the scope of the information disclosed, create consistency
in the kind of information shared about these AI tools, and contribute
to a presentation of this information for end users that is repeatable
and digestible. Commenters noted that without a standardization and
strategic placement, providers moving across organizations will
experience the added stress of learning each organization's method of
addressing DSI, compounding burden. One commenter supported including
HL7 consensus-based implementation guides for AI information, and
another commenter recommended that ONC should produce a document format
for DSI developers to use in conveying information to EHR developers
and interface specialists. One commenter suggested that there are two
common ways to present this type of long list of data: alphabetically
or by type (often organized alphabetically underneath each category)
and recommended categorizing by type of data then presenting each list
therein alphabetically. For example: Demographic Data: date of birth,
race, sex Health Status: disability status, smoking status.
One commenter observed that to implement a standardized format may
be burdensome for health IT developers but also will be beneficial to
reduce bias in decision making and will encourage smaller, third-party
applications to be more transparent and responsible in their
development, stating that there are potential benefits to requiring
documentation of what a clinical decision support algorithm does, and
provides certainty that a level of testing and trials has been done to
ensure the relevance and accuracy of the model.
Response. We appreciate the comments received regarding a
standardized format for source attribute information. We noted in the
HTI-1 Proposed Rule that we were not aware of widely agreed upon best
practices for the format in which these elements or source attributes
information should be displayed. We are also not aware of a consensus-
based standardized format that might best meet the objective described
by the commenter to reduce bias in decisions making. However, we are
aware of industry efforts to standardize a format to display
information about technology in the form of a ``model card'' or
``nutritional label'' for healthcare (88 FR 23794). We did not propose
a specific format for source attributes, and we decline to finalize any
specific formats. We believe
[[Page 1259]]
this represents an ideal space for interested parties across industry,
academia, government, and the non-profit sector (such as SDOs and
patient advocacy organizations) to collaborate. We note that part of
our rationale for being flexible in the use of standardized formats and
placement of source attributes within users' workflows is precisely
because there is a lack of consensus. We look forward to working with
interested parties to develop consensus-based standards across numerous
and far-reaching types of use cases.
viii. Source Attributes for Predictive Decision Support Interventions
At 88 FR 23788-23795, we proposed source attributes applicable for
all Predictive DSIs that are enabled by or interface with certified
Health IT Modules certified to Sec. 170.315(b)(11). These source
attributes were intended to provide users with greater insight into the
model incorporated into a particular Predictive DSI and intended to
provide information for an array of uses, including in support of so-
called ``model cards'' or algorithm ``nutrition labels'' that have been
described by others.\116\ This proposed requirement applied to
developers of certified health IT that attest ``yes'' in Sec.
170.315(b)(11)(v)(A).
---------------------------------------------------------------------------
\116\ Mitchell, Margaret, et al. ``Model cards for model
reporting.'' Proceedings of the conference on fairness,
accountability, and transparency. 2019.
---------------------------------------------------------------------------
We noted that the proposals for source attributes would not require
disclosing or sharing intellectual property (IP) existing in the
developer's health IT, including other parties' IP. We reiterated that
source attributes in Sec. 170.315(b)(11)(vi) would not require
disclosure of proprietary information or IP (88 FR 23788). We also
noted that if developers of certified health IT would like to include a
capability for other parties to record source attributes into a Health
IT Module in a way that shields the developer of certified health IT
from having access to the other party source attributes, they could do
so, but that this was not proposed as a required technical capability
within the proposed criterion.
New Source Attributes for Predictive DSI
At 88 FR 23789, we proposed to add fourteen new source attributes
for Predictive DSIs that enable or interface with Health IT Modules.
Consistent with our proposals in Sec. 170.315(b)(11)(vi), we proposed
that these new source attributes listed in Sec. 170.315(b)(11)(vi)(C)
would be in plain language and available for user review via direct
display, drill down, or link out from a Health IT Module certified to
Sec. 170.315(b)(11) and for which the developer attested ``yes'' in
Sec. 170.315(b)(11)(v)(A).
We clarified that we proposed to require that developers must
enable a user to review a plain language description of source
attribute information as indicated and at a minimum via direct display,
drill down, or link out from a Health IT Module and that information on
these source attributes must be provided by the developer of certified
health IT unless the attribute contained the phrase ``if available''
(discussed at 88 FR 23789) or was developed by an other party, as
proposed at Sec. 170.315(b)(11)(vi)(D) discussed at 88 FR 23795-23796.
Context note. We note for readers that while all of the proposals
just summarized were part of proposed Sec. 170.315(b)(11)(vi)(C), we
have finalized modified versions of these requirements as part of Sec.
170.315(b)(11)(iv)(B). As a result, we discuss the finalized
requirements with that context in mind.
Comments. Commenters were mixed in their support or opposition to
requirements for source attributes for Predictive DSI, with those in
support noting that it would create greater transparency for patients
and providers that is key to building trust in AI. Commenters who were
supportive noted that it would be critical for the end user to
understand how a Predictive DSI is developed, evaluated, and how it
should be used appropriately. Commenters also noted that health care
providers would benefit because transparency promotes the exercise of a
provider's judgment at the point of care, which can help avoid errors
and mitigate algorithmic biases, and that source attributes will help
organizations make informed decisions around potential implementation.
One commenter noted that complex predictive models that incorporate
difficult-to-observe validity or fairness issues may lead to harm if
left unchecked, resulting in bias that can lead to decisions that can
have a collective, disparate impact on certain groups of people even
without the programmer's intention to discriminate.
Response. We thank commenters for their feedback and their support.
As expressed in our proposals for Sec. 170.315(b)(11), we believe that
transparency is a prerequisite for high-quality Predictive DSIs to be
trusted by clinicians, patients, health systems, software developers,
and other interested parties. We believe that transparency can help to
reduce the harm of complex predictive models by informing the use,
disuse, updating or decommissioning of such models. As described in
more detail below, we have finalized in Sec. 170.315(b)(11)(iv)(B)
modified versions of our proposals for Predictive DSI-specific source
attributes.
Comments. Several commenters did not support our proposal, with
many expressing concerns that our proposal is too prescriptive and
limiting to industry innovation, the source attribute categories and
disclosure requirements create unnecessary burden on health IT
developers and providers, and stifle competition. Several commenters
were concerned that the proposed source attribute disclosure
requirements could compromise patient privacy and requested
clarification on the granularity of data elements that developers must
disclose. Commenters recommended ONC limit the type of data that is
made publicly available from high-impact DSIs to protect patient
information privacy and security and safeguard protected health
information (``PHI'') or sensitive data.
Response. We respectfully disagree with these commenters. In
developing proposed source attributes for Predictive DSIs, we sought a
balance between limited prescriptiveness and sufficient detail to
enable thorough transparency of source attribute information to users.
Our selection of the proposed attributes was guided by reviews of
existing model reporting guidelines, including seventeen different sets
of industry- and academia-developed recommendations for information to
be reported on models and related standards.\117\
[[Page 1260]]
Because these guidelines are designed to support innovation and
competition in the development and validation of predictive models in
the academic literature, we believe that their use will similarly leave
sufficient space for innovation by a variety of entities. In our
review, we emphasized attributes that: (1) were most commonly included
in the reviewed reporting guidelines; (2) we believed would be most
interpretable by both health IT professionals and users; (3) were
focused on identifying issues of bias; and (4) were intended to show
that the model would perform effectively outside of the specific
context in which it was developed. In finalizing Predictive DSI source
attributes in Sec. 170.315(b)(11)(iv)(B), we have provided information
on what we believe should be included in each attribute based on our
understanding of the current best practices in this area. However,
given the varied technologies, applications, and contexts in which
Predictive DSIs may be used, we have sought to keep requirements
sufficiently flexible to meet varied use cases. We note that under that
this policy establishes different requirements for developers of
certified health IT that supply Predictive DSIs versus those certified
health IT developers that do not supply Predictive DSIs. Many
developers of certified health IT that do not supply a Predictive DSI
as part of their Health IT Module are among those developers with
smaller revenues and fewer clients. These developers will be able to
certify to the criterion at Sec. 170.315(b)(11) while expending
limited additional development resources on products they have
certified currently. Specifically, these developers will likely have no
costs related to providing complete and up-to-date source attribute
information for Predictive DSI supplied by the developer or engaging in
risk management and annually update risk management information.
---------------------------------------------------------------------------
\117\ Scott, Ian, Stacy Carter, and Enrico Coiera. ``Clinician
checklist for assessing suitability of machine learning applications
in healthcare.'' BMJ Health & Care Informatics 28.1 (2021).
Liu X, Cruz Rivera S, Moher D, Calvert MJ, Denniston AK; SPIRIT-
AI and CONSORT-AI Working Group. Reporting guidelines for clinical
trial reports for interventions involving artificial intelligence:
the CONSORT-AI extension. Nat Med. 2020;26(9):1364-1374.
doi:10.1038/s41591-020-1034-x.
Moons KGM, Kengne AP, Woodward M, et al. Risk prediction models,
I: development, internal validation, and assessing the incremental
value of a new (bio)marker. Heart. 2012;98(9):683-690. doi:10.1136/
heartjnl-2011-301246.
Rivera SC, Liu X, Chan AW, Denniston AK, Calvert MJ; SPIRIT-AI
and CONSORT-AI Working Group. Guidelines for clinical trial
protocols for interventions involving artificial intelligence: the
SPIRIT-AI Extension. BMJ. 2020;370:m3210. doi:10.1136/bmj.m3210.
Steyerberg EW, Vergouwe Y. Towards better clinical prediction
models: seven steps for development and an ABCD for validation. Eur
Heart J. 2014;35(29):1925-1931. doi:10.1093/eurheartj/ehu207.
Moons KGM, de Groot JAH, Bouwmeester W, et al. Critical
appraisal and data extraction for systematic reviews of prediction
modelling studies: the CHARMS checklist. PLoS Med.
2014;11(10):e1001744.
Collins GS, Reitsma JB, Altman DG, Moons KGM. Transparent
Reporting of a Multivariable Prediction Model for Individual
Prognosis or Diagnosis (TRIPOD): the TRIPOD statement. Br J Surg.
2015;102(3):148-158.
Cohen JF, Korevaar DA, Altman DG, et al. STARD 2015 guidelines
for reporting diagnostic accuracy studies: explanation and
elaboration. BMJ Open. 2016;6(11):e012799. doi:10.1136/bmjopen-2016-
012799.
Luo W, Phung D, Tran T, et al. Guidelines for developing and
reporting machine learning predictive models in biomedical research:
a multidisciplinary view. J Med internet Res. 2016;18(12):e323.
doi:10.2196/jmir.5870.
Breck E, Cai S, Nielsen E, Salib M, Sculley D. The ML Test
Score: a rubric for ML production readiness and technical debt
reduction. Proceedings of the 2017 IEEE International Conference on
Big Data. December 11-14, 2017:1123-1132. doi:10.1109/
BigData.2017.8258038.
Wolff RF, Moons KGM, Riley RD, et al; PROBAST Group[dagger].
PROBAST: a tool to assess the risk of bias and applicability of
prediction model studies. Ann Intern Med. 2019;170(1):51-58.
doi:10.7326/M18-1376.
Mitchell M, Wu S, Zaldivar A, et al. Model Cards for model
reporting. In: Proceedings of the Conference on Fairness,
Accountability, and Transparency. Association for Computing
Machinery; January 29, 2019.
Sendak MP, Gao M, Brajer N, Balu S. Presenting machine learning
model information to clinical end users with model facts labels. NPJ
Digit Med. 2020;3:41. doi:10.1038/s41746-020-0253-3.
Hernandez-Boussard T, Bozkurt S, Ioannidis JPA, Shah NH. MINIMAR
(Minimum Information for Medical AI Reporting): developing reporting
standards for artificial intelligence in health care. J Am Med
Inform Assoc. 2020;27(12):2011-2015.doi:10.1093/jamia/ocaa088.
Norgeot B, Quer G, Beaulieu-Jones BK, et al. Minimum Information
About Clinical Artificial Intelligence Modeling: the MI-CLAIM
checklist. Nat Med. 2020;26(9):1320-1324. doi:10.1038/s41591-020-
1041-y.
Silcox C, Dentzer S, Bates DW. AI-enabled clinical decision
support software: a ``trust and value checklist'' for clinicians.
NEJM Catalyst. 2020;1(6). doi:10.1056/CAT.20.0212.
Vasey, Baptiste, et al. ``Reporting guideline for the early-
stage clinical evaluation of decision support systems driven by
artificial intelligence: DECIDE-AI.'' Nature medicine 28.5 (2022):
924-933.
---------------------------------------------------------------------------
We believe that our finalized Predictive DSI source attributes
strike a balance between prescriptiveness and flexibility that is
necessary to foster a nascent information ecosystem that can help users
understand whether the Predictive DSI they are using (as supplied by
their health IT developer as part of its Health IT Module) is FAVES.
Moreover, we believe these source attributes help establish a
consistent transparency baseline, or foundation, especially given that
we have not established requirements for specific measures. Rather, we
encourage industry, academic, professional associations, and other
interested parties to determine which information best fits each use
case. We also do not believe that the information in source attributes
creates a risk to patient privacy, given the level of detail at which
information should be provided, as described in more detail in response
to concerns related to intellectual property. We also note that we are
affording flexibilities related to source attributes that are only
required once information for them become available, such as source
attributes related to validity and fairness of prediction in external
and local data. We have finalized the categories of source attributes
related to Predictive DSIs at Sec. 170.315(b)(11)(iv)(B) with
modifications and clarifications to source attribute category
subparagraphs, described below in this final rule.
Comments. Several commenters, including health information
technology companies, insurance companies, software developers, and
professional trade associations, expressed concerns that providing
users with access to information described as part of source attributes
would expose proprietary information regarding the predictive algorithm
or model and risk exposing intellectual property (IP) among other
risks, including that disclosure of such information would stifle
competition and innovation. Some commenters suggested ONC specify that
the information in our proposals does not include confidential
information such as IP. Some commenters were concerned that source
attributes could enable reconstruction of the algorithm and that it
would create a power imbalance between small and startup ``other
parties'' and large incumbent developers of certified health IT, which
could either refuse to display source attributes from other parties or
use information in those source attributes inappropriately. While many
commenters were vague in their concerns related to revealing IP and
trade secrets a small number of commenters identified the
``Intervention Development'' category of source attributes as
problematic and another commenter noted that the output of the
intervention would constitute IP. During further fact-finding,
commenters mentioned specific concerns around source attribute
information on how input and output variables were identified, as well
as the model parameters, hyperparameters, or the results of tuning,
which they described as crucial pieces of intellectual property,
proprietary information, or trade secrets. Another commenter included
``model type, target definition (intended use), and inputs'' as
information that could include IP or proprietary information.
Several commenters suggested ways to mitigate IP and proprietary
information concerns, including listing data classes instead of data
elements used in the algorithm; limiting source attribute information
to summary information for high-risk use cases only; limiting source
attribute requirements to algorithms developed by developers of
certified health IT; requiring only links to DSIs centrally supported
by a government-sponsored resource and to information maintained by the
FDA if the DSI is regulated as a medical device; and giving developers
the ability to exclude or redact source attribute
[[Page 1261]]
information they considered proprietary.
Response. As described in detail below, we respectfully disagree
with the claims that our proposed, and now final, requirements for
source attributes in Sec. 170.315(b)(11)(iv)(B) would result in
disclosures of IP, trade secrets, or proprietary information. Nor do we
believe that our requirements for source attributes would stifle
competition and innovation. Given the overall scope changes and
numerous clarifications offered through this final rule to narrow
health IT developer's scope of responsibilities (to only those
Predictive DSIs that are supplied as part of its Health IT Module) we
believe we have substantively address commenters' concerns regarding
exposure of proprietary information to other parties as well as
exposure to proprietary information originating from other parties.
Additionally, we believe that the transparency needs are so acute for
Predictive DSIs that the public benefit outweighs any remaining
concerns. Overall, we anticipate that better information regarding
Predictive DSIs will bolster the use of high-quality, fair,
appropriate, valid, effective, and safe predictive algorithms across
the healthcare landscape.
First, we do not agree that the information we require for
Predictive DSI source attributes is new or novel within the healthcare
context, presenting authors of Predictive DSIs with new or novel
concerns related to IP or proprietary information. We note that we
analyzed and drew from more than a dozen widely accepted and used
reporting guidelines, used by researchers and developers to demonstrate
the validity of algorithms in peer-reviewed literature.\118\ We believe
that much of the same information required for publication by the New
England Journal of Medicine or the Journal of the American Medical
Association, for example, ought to be routinely and consistently
available for user review to improve the trustworthiness of Predictive
DSIs. We note that some reporting guidelines, from which we draw our
own source attributes, have more than 15,000 citations across peer-
reviewed, academic literature.\119\
---------------------------------------------------------------------------
\118\ See footnote 117.
\119\ Table 1. Summary of 15 Model Reporting Guideline Papers.
Lu JH, Callahan A, Patel BS, et al. Assessment of Adherence to
Reporting Guidelines by Commonly Used Clinical Prediction Models
From a Single Vendor: A Systematic Review. JAMA Netw Open.
2022;5(8):e2227779. doi:10.1001/jamanetworkopen.2022.27779.
---------------------------------------------------------------------------
Second, we have clarified the scope of our requirements by adding
detail to the information expected as part of source attributes in what
is now finalized at Sec. 170.315(b)(11)(iv)(B). We note that these
explicit requirements in regulation text mirror the requirements
described previously in preamble or represent a subset of requirements
previously described in preamble. The information required in source
attributes is not intended to include detailed information on model
parameters, hyperparameters, detailed specifics around how input or
output variables are defined, transformed, or otherwise
operationalized. We do not believe that information at that level of
detail is necessary for source attributes in Sec.
170.315(b)(11)(iv)(B) or necessary for users of a Predictive DSI to
determine whether it is fair, appropriate, valid, effective, and safe.
Third, as it relates to ``Intervention Development,'' source
attributes, which include input features, such as exclusion and
inclusion criteria that influenced the data set; use of race,
ethnicity, language (REL), SDOH, and health assessment variables as
input features; and a description of relevance of training data to
intended deployed setting, we note that these source attributes are
important to give users a sense of whether they ought to use the
Predictive DSI on an individual in front of them, or on individuals
generally seen within the user's organization. Understanding whether
specific input features, such as race, sex, or food insecurity is part
of the training data set for a Predictive DSI could present a user with
critical information on its relevance and validity to individual
patients or patient cohorts for which the Predictive DSI is being
applied. We further ask in Sec. 170.315(b)(11)(iv)(B)(4)(iii) for some
sense of how representative demographic variables are within a
Predictive DSI's training data set, which could be equally important if
the Predictive DSI was trained on data dominated by one racial group
and applied to a different group.
To further mitigate concerns around IP, we have limited the input
features that must be included to those listed at Sec.
170.315(b)(11)(iv)(A)(5)-(13). We understand that resources are
expended to identify and operationalize numerous input features to
improve Predictive DSI performance. We believe this list narrows the
scope of features that must be reported and addresses concerns about
revealing IP underlying curation of input features more broadly.
Furthermore, in developing information for source attributes, we
encourage model developers to consider the level of information that
would be useful for health systems and end users to best determine if a
Predictive DSI is FAVES without providing difficult to understand
technical details that might reveal trade secretes or proprietary
information. We also reiterate that information provided should be
described in plain language, as stated at Sec.
170.315(b)(11)(v)(A)(1).
We disagree with commenters concerns that identifying the output of
the intervention would constitute IP. We provided an example of a
prediction of the likelihood that an individual will be readmitted
among individuals recently discharged (88 FR 23789). We do not believe
that the description of an output, at the low level of detail provided
in the example, is likely to constitute intellectual property or trade
secrets. We believe that a description of the output produced by the
model, along with ``intended use,'' is foundational to understanding
how the model is meant to be deployed and used.
Fourth, we appreciate the many commenters that raised IP and
proprietary information concerns while also providing ways to mitigate
those concerns, primarily by limiting the number or the scope of source
attributes that should be available to users. Based on the scope
changes to final Sec. 170.315(b)(11) and other clarifications issued
throughout this final rule, we have not finalized additional mitigation
suggestions by commenters. We believe that the clarifications provided
as part of this response on the level of detail required for source
attributes (as well as other corresponding responses below) will
sufficiently mitigate concerns related to IP.
Last, while we understand concerns raised by commenters regarding a
potential to create a power imbalance between small and startup ``other
parties'' and large incumbent developers of certified health IT, which
could either refuse to display source attributes from other parties or
use information in those source attributes inappropriately, we believe
our finalized scope for Predictive DSI source attributes addresses
these concerns. Particularly, we note that these source attributes must
be complete and up-to-date if they are supplied by the health IT
developer as part of its Health IT Module. In this scenario, other
party source attributes could be directly supplied to a developer
certified health IT's customer (who will have both the ability to
select this other party's Predictive DSI and have a Health IT Module
support Predictive DSI source attribute categories for the other
party's source attributes, even if their developer
[[Page 1262]]
does not supply a Predictive DSI as part of its Health IT Module, due
to requirements at Sec. 170.315(b)(11)(iii)(B) and Sec.
170.315(b)(11)(iv)(B)). Further, if developer of certified health IT a
with Health IT Module certified to Sec. 170.315(b)(11) would like to
include a capability for other parties to record source attributes into
a Health IT Module in a way that shields the developer of certified
health IT from having access to the other party source attributes, the
developer of certified health IT may do so.
Comments. Several commenters were concerned that our proposal
requires health IT software developers to expend significant resources
to gather information from numerous sources and is an unnecessary
burden. Specifically, commenters noted that requiring developers of
certified health IT to monitor, catalog, request information, and
conduct analysis requires significant resources that will need to be
redirected from development, enhancement, and assessment of its own
software.
Response. We appreciate the comment and as part of this final rule
we have substantially reduced the scope of the final requirements to be
fully within the developer of certified health IT's purview, such that
the developer will know and be able to fully estimate the resources it
will need to expend to maintain complete and up-to-date source
attribute information (which could be limited if, for example, the
developer does not supply any Predictive DSIs as part of its Health IT
Module). We appreciate the comment and as part of this final rule we
have substantially reduced the scope of the finalized requirements to
be fully within the developer of certified health IT's purview, such
that the developer will know and be able to fully estimate the
resources it will need to expend to maintain complete and up-to-date
source attribute information (which could be limited if, for example,
the developer does not supply any Predictive DSIs as part of it Health
IT Module). We also believe that this scope and associated information
is necessary for the trustworthy use of Predictive DSIs and that the
benefits will be commensurate with the burden implied. As stated
numerous times throughout the preamble, our intention in requiring such
work is to better ensure that high quality Predictive DSIs can be more
effectively used to improve patient care.
Given the many comments received from interested parties, we have
limited the source attributes that developers of certified health IT
with Health IT Modules certified to Sec. 170.315(b)(11) are required
to complete and keep current to those that are related to Predictive
DSIs supplied by the developer of certified health IT, which we believe
would limit the resources required to gather information from other
parties. We describe in further detail these requirements in subsequent
responses in this final rule. We reiterate that Health IT Modules must
support the capability for other party source attribute information to
be accessible to users, but that developers are not required to receive
or proactively acquire such information for user access from these
other parties just because a user selects (i.e., activates) a
Predictive DSI using the developer's Health IT Module.
Comments. Some commenters recommended that the requirements should
be limited to require summary information of source attributes and only
for high-impact Predictive DSI that presents a greater risk of
potential harm. One commenter recommended that ONC should take a risk-
based approach and limit Predictive DSIs in scope and exclude low-risk
use cases for consumers, such as general wellness.
Response. We appreciate the comments. However, the Program is not
predicated on levels of risk that a technology may pose. As previously
noted, we believe that identifying whether a Predictive DSI is ``high-
risk'' or could have a ``high-impact'' across millions of patients is
not appropriate for this rulemaking because Predictive DSIs that may in
some sense be ``low-risk,'' such as those that predict appointment no-
shows can (in some cases indirectly) impact the healthcare of millions
of individuals and thereby be ``high-impact.'' We also believe that it
is important to require the same information for Predictive DSIs
supplied by developers of certified health IT. We reiterate that we
have not established requirements for specific measures of validity or
fairness, for example. Rather, we encourage industry, academic,
professional associations, and other interested parties to determine
which information best fits each use case. For instance, a radiological
or oncologic society might develop recommendation on how to measure
fairness for a Predictive DSI that predicts onset of melanoma in
diverse populations, and we encourage the use of those measures as they
continue to be refined. We are also aware of ongoing work to
standardize approaches to select specific measures and performance
targets and encourage developers to follow those best practices.\120\
We believe our requirements at Sec. 170.315(b)(11)(iv)(B) are
consistent with industry and academia-developed reporting guidelines,
and are appropriately balanced and flexible, while ensuring a
consistent baseline of information users need to make informed
decisions regarding their use of a Predictive DSI.
---------------------------------------------------------------------------
\120\ Health AI Partnership. ``Define performance targets,''
https://healthaipartnership.org/guiding-question/define-performance-targets Data Science and Public Policy, Carnegie Mellon University.
``Aequitas'' http://www.datasciencepublicpolicy.org/our-work/tools-guides/aequitas/.
---------------------------------------------------------------------------
Comments. Several commenters expressed concerns that our proposal
was duplicative of FDA requirements, noting that they believed our
proposal imposes duplicative and unnecessary requirements for software
solely based on its use within certified health IT, creating additional
burdens for device manufacturers who are also regulated by the FDA.
Commenters expressed concern regarding the existing authority that the
FDA has over device CDS, which may result in a duplication of efforts
with differing requirements, meaning providers and EHR vendors would
need to satisfy two sets of regulations. One commenter noted that they
believe that in some instances, publication of source attribute
information distinct from existing labeling could require supplemental
FDA authorization. Some commenters suggested that regulating source
attributes would be accomplished more effectively by the FDA.
Response. We appreciate the concerns expressed by these commenters,
which is why we worked closely with the FDA on development of our
proposals in Sec. 170.315(b)(11), especially regarding Predictive DSI-
specific source attributes. We are aware that technologies that meet
the definition for Predictive DSI within the Program may be considered
Non-Device CDS, be considered CDS with device software functions, or
lie outside of FDA's purview, depending on the specifics of the
technology. We worked with the FDA expressly to minimize duplication of
effort and maximize alignment across our distinct and different
authorities.
We coordinated with FDA to ensure that the information required
within source attributes in our finalized Sec. 170.315(b)(11) is
complementary and not conflicting with the information that FDA
describes in its CDS Guidance, finalized in September 2022.\121\
Specifically, we believe that both (1) the
[[Page 1263]]
content of the information described for source attributes in Sec.
170.315(b)(11)(iv) and (2) the capabilities required in Sec.
170.315(b)(11)(iii) and Sec. 170.315(b)(11)(v) are complementary and
aligned with FDA CDS guidance and could reduce burdens for entities
that develop device software functions that also meet the definition of
Predictive DSI.
---------------------------------------------------------------------------
\121\ See https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software.
---------------------------------------------------------------------------
We note that section 520I(1)(E) of the Food Drug & Cosmetics (FD&C)
Act (Pub. L. 75-717, Jun. 1938) excludes from the definition of
``device,'' software functions that, among other things, are intended
for the purpose of enabling a healthcare professional to independently
review the basis for recommendations that such software presents. As
part of this alignment effort across both FDA and ONC regulatory
requirements, we identified and have finalized source attribute
information that could plausibly address some of the informational
requirements in 520I(1)(E)(iii) of the FD&C Act, including:
Sec. 170.315(b)(11)(iv)(B)(2) Purpose of the
intervention, including: (i) Intended use of the intervention; (ii)
Intended patient population(s) for the intervention's use; (iii)
Intended user(s); and (iv) Intended decision-making role the
intervention was designed to be used/for (e.g., informs, augments,
replaces clinical management).
Sec. 170.315(b)(11)(iv)(B)(4) Intervention development
details and input features, including at a minimum: (i) Exclusion and
inclusion criteria that influenced the data set; (ii) Use of variables
in 170.315(b)(11)(iv)(A)(5)-(13) as input features; (iii) Description
of demographic representativeness according to variables in Sec.
170.315(b)(11)(iv)(A)(5)-(13) including, at a minimum, those used as
input features in the intervention; and (iv) Description of relevance
of training data to intended deployed setting.
Sec. 170.315(b)(11)(iv)(B)(7) Quantitative measures of
performance, including: (i) Validity of intervention in test data
derived from the same source as the initial training data; and (v)
References to evaluation of use of the intervention on outcomes, if
available, including, bibliographic citations or hyperlinks to
evaluations of how well the intervention reduced morbidity, mortality,
length of stay, or other outcomes.
We believe that these similarities will reduce compliance burden in
three ways. First, an entity that develops device software functions
that also meet the definition of Predictive DSI would be able to
fulfill informational requirements for both FDA and ONC purposes using
the same or similar information. Second, an entity that develops device
software functions that also meet the definition of a Predictive DSI
may be eligible to be considered Non-Device CDS according to FDA
guidance, if the developer of the Predictive DSI fulfils informational
requirements according to Program requirements in Sec. 170.315(b)(11)
and Sec. 170.402(b)(4). Specifically, we note that the capability to
enable a limited set of identified users to select evidence-based DSIs
and Predictive DSIs in Sec. 170.315(b)(11)(iii) and access source
attributes for these DSIs in Sec. 170.315(b)(11)(v) could be the
technical mechanism by which technologies meet requirements in section
520I(1)(E)(iii) of the FD&C Act, described as Criterion 4 of the FDA
CDS guidance. Finally, we believe that burdens will be reduced across
entities regulated by FDA and ONC because an entity that develops
device software functions that also meet the definition of a Predictive
DSI could leverage Program requirements to enable users to select
Predictive DSIs in Sec. 170.315(b)(11)(iii) and access source
attribute information in Sec. 170.315(b)(11)(v). These capabilities
could serve as the technical means to deliver information to users
about the credibility of the device software function that is necessary
for ``independent review,'' without having to build a parallel
technological means to deliver such information.
For example, for those software functions that are considered non-
device CDS, and therefore are not the focus of the FDA's regulatory
oversight, our source attribute requirements are complementary to the
required factor ``intended for the purpose of enabling such healthcare
professional to independently review the basis for such recommendations
that such software presents so that it is not the intent that such
healthcare professional rely primarily on any of such recommendations
to make a clinical diagnosis or treatment decision regarding an
individual patient'' (section 520I(1)(E)(iii) of the FD&C Act). In this
case, our requirements are supportive of meeting aspects which may be
part of determining that a Predictive DSI is not a medical device and
therefore not the focus of the FDA's oversight.
For those CDS software that are medical devices and the focus of
the FDA's oversight, we note our requirements are consistent with best
practices and recommendations similarly provided by the FDA. In such
cases, as these recommendations are consistent across our agencies, we
believe that providing such information should not increase burden on
developers who may be responsible for meeting both FDA and ONC
requirements.
We note that our authorities and policy objectives for decision
support are not identical to those of the FDA, and so the information
required for source attributes may not be identical to the information
that would enable independent review according to FDA's guidance and
determination, and that the inverse is also true. For instance, we have
included source attributes related to the determination of fairness, as
well as measures of local validation pursuant to the purposes
enumerated in 42 U.S.C. 300jj-11(b)(11) and (4) to support development
of a nationwide health information technology infrastructure that
improves efforts to reduce health disparities and that provides
appropriate information to help guide medical decisions at the time and
place of care, respectively, but the FDA CDS guidance did not
explicitly describe measures related to fairness or local validation in
their description of independent review. We note that a determination
regarding information necessary for independent review lies with, and
would continue to lie with, the FDA.
Beyond the FDA CDS guidance, we note alignment with several
categories of source attribute information in the finalized Sec.
170.315(b)(11)(iv)(B) and IRM practices described in Sec.
170.315(b)(11)(vi) across other FDA guidance documents including the
FDA's draft guidance on Marketing Submission Recommendations for a
Predetermined Change Control Plan for Machine Learning Device Software
Functions (PCCP-ML guidance) \122\ and the FDA's guidance on Content of
Premarket Submissions for Device Software Functions. We also note
important differences between these requirements and FDA guidance,
which highlights our complementary--yet distinct--regulatory
authorities. Specifically, we highlight that the source attributes for
ongoing maintenance of intervention implementation and use in the
finalized Sec. 170.315(b)(11)(iv)(B)(8) are similar to information
described within FDA's PCCP-ML draft guidance. However, specific
emphases for fairness measures in local data (at Sec.
170.315(b)(11)(iv)(B)(8)(iv)) and
[[Page 1264]]
descriptions of the frequency by which the intervention's performance
is corrected when risks related to validity and fairness are identified
(at Sec. 170.315(b)(11)(iv)(B)(9)(ii)) are not requirements of the
FDA's PCCP-ML draft guidance. We also note that our source attribute
information pertains to an expanded set of technologies because it is
not limited to Predictive DSI that are unlocked or those that
developers intend to modify over time. Our scope for technology that
meets the definition of Predictive DSI is more expansive than what the
PCCP-ML guidance considers because we view transparency into the
performance of Predictive DSIs in a local health system or clinic to be
particularly important to users to determine if a given Predictive DSI
is fit for use on or with their patients, particularly in the case of
older Predictive DSI that are rarely retrained based on local data. We
believe that ensuring certified health IT has a place to provide this
information, or indicate its omission, will be of value to users
deciding on whether a technology is fit-for-purpose at their
organization, but may be beyond the scope of FDA's review and approval
process.
---------------------------------------------------------------------------
\122\ See https://www.fda.gov/regulatory-information/search-fda-guidance-documents/marketing-submission-recommendations-predetermined-change-control-plan-artificial.
---------------------------------------------------------------------------
Similar examples exist in what FDA describes in its Premarket
Submissions for Device Software Functions guidance, including
documentation recommendations related to ``software description,''
which align with ONC final requirements in Sec.
170.315(b)(11)(iv)(B)(1) for details and output of the intervention and
Sec. 170.315(b)(11)(iv)(B)(4) for intervention development details and
input features, as well as FDA guidance for a ``risk management file,''
which aligns with requirements in Sec. 170.523(f)(1)(xxi) for summary
risk management information to be available via publicly accessible
hyperlink. We believe that these similarities will reduce the burden on
complying with our Program requirements for those Predictive DSI that
have device software functions.
We are aware that some Predictive DSI may not be within FDA's
purview because, consistent with the history of our Program, we have
not focused requirements for DSIs on specific use cases. Thus, we
believe that ONC is well positioned to regulate certified health IT in
ways that are different from how FDA regulates device software
functions and disagree with commenters' suggestion that more effective
regulation of source attributes could be accomplished by the FDA, or
that there is conflict between FDA labeling requirements and source
attributes, because we have different authorities and, where similar
requirements may be needed within these differing scopes, our agencies
have worked closely to ensure complementary recommendations and
requirements. These technologies, especially in the aggregate, impact
how healthcare is delivered, and we believe our complementary
authorities will provide important benefits to users.
Comment. Several commenters expressed concern that the list of
required source attributes that must be disclosed is overly broad and
potentially impractical to implement. Commenters requested clarity
regarding how DSI developers would satisfy the proposed requirement of
providing access of source attributes to an end user and how that
information would need to be presented or formatted. They further noted
the concern that providing access to users of such broad source
attribute information could result in an interface that impairs
physician usability. Another commenter suggested that the health IT
developers should be required to instead provide a configuration option
through which third-party vendors of Predictive DSI could include their
source attributes during the integration with health IT or
implementation within a hospitals or provider's database. Another
commenter suggested that the health IT developers should be required to
instead provide a configuration option through which third-party
vendors of Predictive DSI could include their source attributes during
the integration with health IT or implementation within a hospitals or
provider's database.
Response. We appreciate comments regarding implementation of our
source attributes requirements for user review and implications for
usability. While our proposals required a Health IT Module to enable
users to review source attribute information, we did not specify either
that a user must review source attribute information or that source
attribute information be presented at a specific time or manner to a
user. We noted in the HTI-1 Proposed Rule that we understood that
source attribute information may be presented in varied ways at various
points of workflow and contain varying levels of detail and do not
intend to limit the options by which this information can be made
available (88 FR 23788). We also said, consistent with prior ONC
discussion related to existing Sec. 170.315(a)(9)(v) requirements for
source attributes (77 FR 54215), the proposal would not require the
automatic display of source attributes information when a
recommendation, alert, or other decision support output is presented
that resulted from a DSI (88 FR 23788). Last, we noted that we were not
aware of widely agreed upon best practices for the format in which this
source attribute information should be displayed. However, we are aware
of industry efforts to standardize a format to display information
about technology in the form of a ``model card'' or ``nutritional
label'' for healthcare (88 FR 23794). We believe that rather than
prescribing uniform presentation of this kind of information, that
developers of certified health IT should work with their customers to
determine the best format and structure of source attribute
information. Finally, we note that we did not prescribe a mechanism,
standard, or process for how developers of certified health IT should
receive or acquire information from other parties for source attributes
in the HTI-1 Proposed Rule and have also not done so in this final
rule.
Comments. Several commenters expressed concern that our proposal
would require health IT developers with certified health IT to regulate
other developer's Predictive DSI and stated that health IT developers
should not be responsible for the Predictive DSI of their customers or
other parties and that health IT developers' certification should not
be contingent on other parties providing information to the developer.
Response. We thank the commenters for their concerns. As described
elsewhere in this final rule, we have adopted modified final rule
requirements and a reduced scope to address these concerns.
Specifically, we have finalized a different scope with respect to other
party source attributes, such that developers of certified Health IT
are only required to make source attribute information available when
the health IT developer supplies the other party's Predictive DSI as
part of its Health IT Module. In alignment with the comments, the
finalized requirements of Sec. 170.315(b)(11) do not extend to
developers of certified health IT being accountable for Predictive DSIs
developed by their customers or other party Predictive DSIs implemented
by their customers.
Comments. One commenter expressed concern that the proposal will
not be effective at creating broad, uniform transparency throughout the
Predictive DSI marketplace because ONC has authority to regulate
certified health IT, which is only a portion of the predictive model
marketplace. The commenter noted that the proposal would create
imbalance in the marketplace between developers of certified health IT
and developers of noncertified health IT. The commenter also stated
that
[[Page 1265]]
information from third-party developers will be inconsistent and
intermittent.
Response. We believe that the scope of our definition for
Predictive DSI and our requirements for Predictive DSIs supplied by
developers of certified health IT are sufficiently calibrated to affect
a substantial portion of the DSI marketplace and that developers of
certified health IT are well-positioned to ensure that information is
updated routinely and consistently for Predictive DSI they supply as
part of their health IT.
Comments. One commenter expressed concern that our proposals would
result in inefficiencies for developers, and that transparency goals
would be more efficiently achieved through regulations that directly
apply to creators of clinical decision alert content. They noted that
in some cases that would be those developing EHRs, but in most
instances, those creating alerts are either third-party businesses or
health care providers themselves.
Response. We agree with the commenter that there is a growing
market for DSIs created by other parties, which could include third-
party businesses or health care providers using certified health IT.
While we have not finalized our proposals to require developers of
certified health IT to indicate when source attributes are missing for
all other party-developed Predictive DSIs, we have finalized that a
developer of certified health IT must complete and keep current
descriptions of source attribute information as specified in Sec.
170.402 (b)(4) for all interventions supplied by the health IT
developer, including other party interventions the health IT developer
supplies as part of its Health IT Module. We believe this scope
appropriately focuses on what a developer of certified health IT can
readily and efficiently access in terms of source attribute
information. We also finalize that for source attributes in Sec.
170.315(b)(11)(iv)(B)(6); (b)(11)(iv)(B)(7)(iii), (iv), and (v);
(b)(11)(iv)(B)(8)(ii) and (iv); and (b)(11)(iv)(B)(9) a health IT
developer must indicate when information is not available for review.
This requirement pertains to both source attributes related to
Predictive DSIs authored by the developer of certified health IT and to
Predictive DSIs developed by other parties that are supplied by the
developer as part of its Health IT Module.
Comments. Numerous commenters requested that we clarify that the
certification requirements for developers of certified health IT do not
convey an obligation for health care providers to review all the source
attributes of a DSI each time they choose to use a tool.
Response. Nothing in our proposals nor this final rule would compel
a user of certified health IT to review source attributes. However, we
note it would be a best practice for users to conduct such affirmative
reviews in an effort to identify potentially discriminatory tools, as
discriminatory outcomes may violate applicable civil rights law.\123\
---------------------------------------------------------------------------
\123\ See U.S. Dept of Health & Human Servs., Office for Civil
Rights, Notice of Proposed Rulemaking, Nondiscrimination in Health
Programs and Activities, 87 FR 47824, 47880 (Aug. 4, 2022), https://www.federalregister.gov/documents/2022/08/04/202216217/nondiscrimination-in-health-programs-and-activities (prohibiting
discrimination on the basis of race, color, national origin
(including limited English proficiency), sex (including sexual
orientation and gender identity), age, or disability in certain
health programs or activities through the use of clinical algorithms
in their decisionmaking); Title VI of the Civil Rights Act of 1964,
42 U.S.C. 2000d et seq. (prohibiting discrimination on the basis of
race, color, or national origin (including limited English
proficiency) in federally funded programs or activities); Title IX
of the Education Amendments of 1972, 20 U.S.C. 1681 et seq.
(prohibiting sex discrimination in federally funded education
programs or activities); the Age Discrimination Act of 1975, 42
U.S.C. 6101 et seq. (prohibiting age discrimination in federally
funded programs or activities); Section 504 of the Rehabilitation
Act of 1973, 29 U.S.C. 794 (prohibiting disability discrimination in
federally funded or federally conducted programs or activities); and
the Americans with Disabilities Act, 42 U.S.C. 12101 et seq.
(prohibiting disability discrimination by employers, state and local
government entities, and businesses that are open to the public,
among others).
---------------------------------------------------------------------------
Comments. Several commenters expressed concern that our proposal
for source attributes for Predictive DSIs is overly broad and should
instead be narrowed to specifically focus on AI and machine learning
algorithms, noting that there are substantial risks of bias associated
with these models if they are not constructed in a manner that allows
the end user to understand how they were constructed and will be
maintained going forward.
Response. We appreciate the comments and agree that bias associated
with AI and machine learning algorithms could create substantial risks
if they are presented to the end user without information to understand
how they were constructed, evaluated, and should be maintained. We
believe that recent scrutiny of other predictive models has shown that
those models can similarly present substantial risk if presented
without this information. We note that most of our source attributes
are specific to Predictive DSIs, which encompasses AI and machine
learning algorithms. We have only amended existing requirements for
evidence-based DSIs by asking for specific data elements to be
identified when used by the DSI, including race, ethnicity, language,
sexual orientation, gender identity, sex, date of birth, SDOH, sexual
orientation, and health assessments data elements (e.g., disability
status).
Comments. Several commenters applauded HHS's efforts to recognize
the challenges of complex predictive models and the general need for
public disclosure of source data to determine reliability. Commenters
also encouraged HHS to consider additional measures to oversee the
explain-ability of the data output and for HHS to adopt broad policies
that ensure public access to both models and their data sources. One
commenter stated that they believed that the information presented
under ``source attributes'' should be in the public domain and not just
presented to end users, and information about which datasets were used
to train and evaluate a DSI should be in the public domain and added to
the required ``source attributes.''
Response. We thank commenters for their support. However, we
decline to consider additional measures regarding the concept of
``explain-ability,'' at this time and instead we include a requirement
for risks related to intelligibility to be analyzed and mitigated at
Sec. 170.315(b)(11)(vi). We also appreciate the feedback regarding the
value of making public the information we are requiring for source
attributes. We view access to source attribute information as a
necessary step for users of Predictive DSIs to determine the quality of
Predictive DSIs they use. We decline to require public disclosure of
source attribute information at this time. Rather, we believe that it
is vital to implement the policies that we have finalized in this rule,
learn from their implementation, and revisit ways to improve
transparency over time. As the industry as a whole gains experience
with making source attributes available to users of Predictive DSIs, we
may consider broader and public availability of source attribute
information in future rulemakings.
Meanwhile, we remind interested parties that under current Program
requirements related to the Communications Condition and Maintenance of
Certification requirements in Sec. 170.403 users have explicit rights
to discuss publicly various aspects regarding the performance of
certified health IT. Specifically, we note that in Sec.
170.403(a)(1)(iv) users have the right to describe relevant information
regarding their experiences when using a Health IT Module. We also
noted in
[[Page 1266]]
the ONC Cures Act Final Rule that algorithms would be considered ``non-
user-facing aspects of health IT'' as they are not readily apparent to
persons using health IT for the purpose for which it was purchased or
obtained (85 FR 25731). Thus, communications regarding algorithms
(e.g., mathematical methods and logic) could be restricted or
prohibited, while communications regarding the output of the algorithm
and how it is displayed in a health IT system could not be restricted
as ``non-user-facing aspects of health IT.'' Given this, we note that
source attribute information is user-facing and is relevant to a user's
experience using certified health IT. Thus, source attribute
information is among the kinds of information that customers may freely
discuss publicly.
We also note our discussion in the HTI-1 Proposed Rule regarding an
individual's ability to obtain information about any use of a
Predictive DSI--or other emerging technologies--in their healthcare
through the HIPAA Privacy Rule individual's right of access (88 FR
23795).\124\
---------------------------------------------------------------------------
\124\ 45 CFR 164.524.
---------------------------------------------------------------------------
In many cases, developers of certified health IT serve as HIPAA
business associates to their covered entity customers, such as health
care providers or health plans.\125\ If an individual requests access
to their health information from a HIPAA covered entity (e.g., a health
care provider that transmits health information in electronic form in
connection with an HHS adopted standard transaction) that individual,
generally, has a right to access medical and health information
(protected health information (PHI)) about themselves in one or more
designated record sets (DRS) maintained by or for the individual's
HIPAA covered entity.\126\ The DRS could include underlying data and
information used to generate recommendations about an individual's
healthcare, such as information about the use of a Predictive DSI in a
healthcare decision and source attribute information associated with
use of a Predictive DSI in a healthcare decision.\127\
---------------------------------------------------------------------------
\125\ See definitions of ``business associate'' and ``covered
entity'' at 45 CFR 160.103.
\126\ For more information about the HIPAA Privacy Rule
individual's right of access, see OCR's HIPAA Access Guidance:
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
\127\ See, e.g., OCR's HIPAA FAQs 2048 and 2049, https://www.hhs.gov/guidance/document/faq-2048-does-individual-have-right-access-genomic-information-generated-clinical; https://www.hhs.gov/
hipaa/for-professionals/faq/2049/does-an-individual-have-a-right-
under/
index.html#:~:text=Under%20the%20HIPAA%20Privacy%20Rule,a%20clinical%
20laboratory%20may%20hold.
---------------------------------------------------------------------------
Comments. One commenter agreed that developers should implement
practices and processes when a model's performance is inconsistent with
its intended use and recommended that we include in regulations a
specific process for developers to follow. Another commenter
recommended including ``identification of intended user
qualifications.''
Response. We agree with commenters that developers should implement
processes to update models and have included relevant source attributes
describing the process of updating models at Sec.
170.315(b)(11)(iv)(B)(8) and (9). However, we decline to specify a
process by which this is performed because it is likely to vary across
Predictive DSI. Information on intended user qualifications would be
appropriately included at Sec. 170.315(b)(11)(iv)(B)(2)(iii)
``intended users,'' but we do not explicitly require such information
to be there.
Comments. One commenter requested that DSIs based on studies or
recommendations from Federal Agencies should be exempt from any other
reporting requirements other than identifying the Agency and the study.
Response. We decline to exempt any DSIs described in Sec.
170.315(b)(11) from any of the applicable reporting requirements based
on where the recommendations originate. We believe that recommendations
from a federal agency, such as the Centers for Disease Control and
Prevention, should include all the source attributes, not only the
bibliographic citation, as is suggested by the commenter. For the same
reason that transparency would be helpful for any evidence-based DSI,
so too would transparency be valuable for DSIs based on studies or
recommendations from federal agencies.
Comments. Numerous commenters supported the FAVES framework
described in the HTI-1 Proposed Rule, noting that these concepts
reflect a consensus view of the characteristics of high-quality
Predictive DSIs. One commenter expressed concern that the effectiveness
in regulating source attributes would be hampered by reliance on highly
defined input fields which can be made subject to political analysis
(e.g., FAVES) and related noncomputational tests to guide to desired
political outcomes, and instead suggested that ONC, rather than
focusing on redesign of models and model parameters, instead emphasize
transparency as to when an AI algorithm is being used.
Response. We appreciate the many statements of support for our
framing of ``high-quality,'' predictive algorithms to mean that such
algorithms are fair, appropriate, valid, effective, and safe, or FAVES.
However, we do not believe a Program requirement for Health IT Modules
to indicate when an AI algorithm was used to support decision-making is
appropriate (as users should already understand if they're using a
predictive AI to support their decision-making) nor sufficient for
users to understand the quality of such AI algorithms. We believe that
defined source attribute categories, coupled with a description of the
characteristics that make up a high-quality Predictive DSI, are
necessary to provide consistent information that will more effectively
promote the use of those Predictive DSI where appropriate. Further, we
note that while we have defined input fields, we have not established
requirements for specific measures or identified specific thresholds
for content that is related to those categories.
Comments. Several commenters encouraged ONC to work with interested
parties to further develop guidance and standards. Specifically, one
commenter urged ONC and HHS to convene interested parties to develop a
consensus set of meta-data that should and, must be, transparently
provided by DSI developers, and strongly supported ONC requiring a
standard representing a Structure Product Label for Predictive Decision
Support. One commenter encouraged additional regulatory parameters and
encouraged ONC to consider requirements for regular, algorithmic impact
assessments that analyze data sets, biases, and how users interact with
the systems, and the overall design and monitoring of system outputs,
as well as to include expressly incorporating data-set best practices
and data standards requirements.
Response. We appreciate these comments and will continue to
collaborate with interested parties inside and outside of government to
ensure that information resulting from our transparency requirements is
meaningful for patient care and decision-making.
Given the comments received from a range of interested parties, and
to clarify the scope of information required for an applicable
Predictive DSI, we have finalized our proposals in Sec.
170.315(b)(11)(iv)(B) with modification. We note that the information
required here as source attribute information is similar to the ``meta-
data'' described by commenters.
[[Page 1267]]
First, rather than include references to evidence-based source
attributes as proposed, we have added new subparagraphs as part of the
``Intervention details'' source attribute at Sec.
170.315(b)(11)(iv)(B)(1) to include similar general attribute
information. Specifically, at Sec. 170.315(b)(11)(iv)(B)(1)(i) we
require ``The name and contact information for the developer of the
intervention,'' and at Sec. 170.315(b)(11)(iv)(B)(1)(ii) we require
``Funding source of the intervention,'' which are substantially similar
to the proposed inclusion of bibliographic information (since citations
include the name and contact information for corresponding authors) and
``developer of the intervention and ``Funding source of the
intervention'' is directly parallel to ``Funding source of the
intervention development technical implementation'' all of which we
proposed to apply to Predictive DSIs in the HTI-1 Proposed Rule.
Commenters noted, and we agree, that bibliographic citation of the
intervention finalized at Sec. 170.315(b)(11)(iv)(A)(1) likely would
not be relevant for all Predictive DSIs and other source attributes
specific to evidence-based DSIs at Sec. 170.315(b)(11)(iv)(A) were
duplicative of source attributes in Sec. 170.315(b)(11)(iv)(B).
Second, we have made explicit in regulation text several
requirements described in the HTI-1 Proposed Rule's preamble to ensure
that health IT developers clearly understand the source attribute
requirements applicable to Health IT Modules presented for
certification to Sec. 170.315(b)(11). We have finalized these
requirements to address many commenters' concerns regarding proprietary
information and to help convey at what level of detail Predictive DSI
source attributes should be available for a limited set of identified
users to record, change, and access.
Comments. We received numerous comments from interested parties
indicating that more clarity was needed to help communicate the scope
and detail of information included as source attributes in what is now
finalized at Sec. 170.315(b)(11)(iv)(B).
Response. We agree and have finalized regulation text at Sec.
170.315(b)(11)(iv)(B) to clarify the scope and detail of information
required to be available for user review. We note that these explicit
requirements in regulation text mirror the requirements described
previously in preamble or represent a subset of requirements previously
described in preamble. We also reiterate our preamble discussion that
the requirements do not require disclosing or sharing IP or proprietary
information existing in the developer's health IT, including other
parties' IP and proprietary information.
Intervention Details
We proposed three source attributes related to details of
predictive models and their proper use in Sec.
170.315(b)(11)(vi)(C)(1) ``Intervention Details,'' Including ``Output
of the intervention,'' ``Intended use of the intervention,'' and
``Cautioned out-of-scope use of the intervention.'' We refer readers to
88 FR 23789-23790 for a detailed discussion of our proposed rationale
for these source attributes as well as examples and additional
instruction, which we have made explicit in the regulation text below.
We have finalized Sec. 170.315(b)(11)(iv)(B)(1) as follows:
``Details and output of the intervention, including: (i) Name and
contact information for the intervention developer; (ii) Funding source
of the technical implementation for the intervention(s) development
(for which we have modified the wording order from the HTI-1 Proposed
Rule to make the source attribute read clearer and we have also made
this corresponding change for evidence-based DSIs as well); (iii)
Description of value that the intervention produces as an output; and
(iv) Whether the intervention output is a prediction, classification,
recommendation, evaluation, analysis, or other type of output.''
We have finalized Sec. 170.315(b)(11)(iv)(B)(2) ``Purpose of the
intervention, including: (i) Intended use of the intervention; (ii)
Intended patient population(s) for the intervention's use; (iii)
Intended user(s); and (iv) Intended decision-making role for which the
intervention was designed to be used/for (e.g., informs, augments,
replaces clinical management).''
We have finalized Sec. 170.315(b)(11)(iv)(B)(3) as follows
``Cautioned out-of-scope use of the intervention, including: (i)
Description of tasks, situations, or populations where a user is
cautioned against applying the intervention; (ii) and Known risks,
inappropriate settings, inappropriate uses, or known limitations.''
Intervention Development
We proposed at 88 FR 23790 three source attributes related to model
development in Sec. 170.315(b)(11)(vi)(C)(2), ``Intervention
Development,'' including ``Input features of the intervention including
description of training and test data,'' ``Process used to ensure
fairness in development of the intervention,'' and ``External
validation process, if available.'' We refer readers to 88 FR 23790-
23795 for a detailed discussion of these source attributes in the HTI-1
Proposed Rule.
We have finalized Sec. 170.315(b)(11)(iv)(B)(4) as follows
``Intervention development details and input features, including at a
minimum: (i) Exclusion and inclusion criteria that influenced the data
set; (ii) Use of variables in 170.315(b)(11)(v)(A)(5)-(13) as input
features; (iii) Description of demographic representativeness according
to variables in Sec. 170.315(b)(11)(iv)(A)(5)-(13) including, at a
minimum, those used as input features in the intervention; and (iv)
Description of relevance of training data to intended deployed
setting.''
We have finalized Sec. 170.315(b)(11)(iv)(B)(5) as follows
``Process used to ensure fairness in development of the intervention,
including: (i) Description of the approach the intervention developer
has taken to ensure that the intervention's output is fair; and (ii)
Description of approaches to manage, reduce, or eliminate bias.''
We have finalized Sec. 170.315(b)(11)(iv)(B)(6) as follows
``External validation process including: (i) Description of the source,
clinical setting, or environment where an intervention's validity and
fairness has been assessed, other than the source training and testing
data; (ii) Party that conducted the external testing; Description of
demographic representativeness of external data according to variables
in Sec. 170.315(b)(11)(iv)(A)(5)-(13) including, at a minimum, those
used as input features in the intervention; and Description of external
validation process.''
Quantitative Measures of Intervention Performance
We proposed at 88 FR 23791-23792, five source attributes relevant
to validation or evaluation of the performance (including accuracy,
validity, and fairness) of the predictive model and evaluation of its
effectiveness in Sec. 170.315(b)(11)(vi)(C)(3) ``Quantitative measures
of Intervention Performance,'' including ``Validity of prediction in
test data,'' ``Fairness of prediction in test data,'' ``Validity of
prediction in external data, if available,'' ``Fairness of prediction
in external data, if available,'' and ``References to evaluation of use
of the model on outcomes, if available.'' Together, these source
attributes were intended to be a presentation of the
[[Page 1268]]
measure or set of measures related to the model's validity (often
referred to as performance) and fairness when tested in data derived
from the same source as the initial training data as well as when
tested in data external to--that is, from a different source than--the
primary training data. ``References to evaluation of use of the model
on outcomes, if available,'' are bibliographic citations or links to
evaluations of how well the intervention, or model on which it is based
accomplished specific objectives such as reduced morbidity, mortality,
length of stay or other important outcomes.
We have finalized Sec. 170.315(b)(11)(iv)(B)(7) as follows
``Quantitative measures of performance, including: (i) Validity of
intervention in test data derived from the same source as the initial
training data; (ii) Fairness of intervention in test data derived from
the same source as the initial training data; (iii) Validity of
intervention in data external to or from a different source than the
initial training data; (iv) Fairness of intervention in data external
to or from a different source than the initial training data; and (v)
References to evaluation of use of the intervention on outcomes,
including, bibliographic citations or hyperlinks to evaluations of how
well the intervention reduced morbidity, mortality, length of stay, or
other important outcomes.''
Ongoing Maintenance of Intervention Implementation and Use
At 88 FR 23792, we proposed three source attributes related to the
``ongoing maintenance of intervention implementation and use,''
including, ``Update and continued validation or fairness assessment
schedule,'' ``Validity of prediction in local data, if available,'' and
``Fairness of prediction in local data, if available.'' These source
attributes were a description of the process and frequency by which the
model's performance is measured and monitored in the local environment
and corrected when risks related to validity and fairness are
identified.
We have finalized Sec. 170.315(b)(11)(iv)(B)(8) as follows
``Ongoing maintenance of intervention implementation and use,
including: (i) Description of the process and frequency by which the
intervention's validity is monitored over time; (ii) Validity of
intervention in local data; (iii) Description of the process and
frequency by which the intervention's fairness is monitored over time;
and (iv) Fairness of intervention in local data.''
Update and Continued Validation or Fairness Assessment Schedule
At 88 FR 23792 we proposed a source attribute, ``Update and
continued validation or fairness assessment schedule'' and described it
as including ``the process and frequency by which the model's
performance is measured and monitored in the local environment and
corrected when risks related to validity and fairness are identified.''
Information from this attribute is important to assess whether the
model is up to date or may reflect outdated trends.
We have finalized Sec. 170.315(b)(11)(iv)(B)(9) as follows
``Update and continued validation or fairness assessment schedule,
including: (i) Description of process and frequency by which the
intervention is updated; and (ii) Description of frequency by which the
intervention's performance is corrected when risks related to validity
and fairness are identified.''
ix. Missing Source Attribute Information
At 88 FR 23795-23796 we proposed that a Health IT Module certified
Sec. 170.315(b)(11) would need to clearly indicate when a source
attribute listed is not available for the user to review, including in
two specific circumstances. First, we proposed that for source
attributes that include the ``if available'' phrase, a Health IT Module
must clearly indicate when such source attribute is not available for
review. Second, we proposed that when a Health IT Module enables or
interfaces with a DSI developed by other parties that are not
developers of certified health IT, that Health IT Module must clearly
indicate when any source attribute is not available for the user to
review. We explained that this meant that a Health IT Module that
supports a DSI developed by other parties that are not developers of
certified health IT would have needed to clearly indicate when any
attribute listed is not available for the user to review, regardless of
whether the DSI is a Predictive DSI, as defined at Sec. 170.102, or an
evidence-based DSI.
At 88 FR 23796, we clarified that ``other parties,'' as used in our
proposal, included any party that develops a DSI, a model, or an
algorithm that is used by a DSI and is not a developer of certified
health IT. These could include, but were not limited to: a customer of
the developer of certified health IT, such as an individual health care
provider, provider group, hospital, health system, academic medical
center, or integrated delivery network; a third-party software
developer, such as those that publish or sell medical content or
literature used by a DSI; or researchers and data scientists, such as
those who develop a model or algorithm that is used by a DSI.
We reiterated that while we did not prescribe how a certified
Health IT Module would need to indicate that an attribute was missing
that the certified Health IT Module would need to communicate an
attribute was missing unambiguously and in a conspicuous manner to a
user. We noted that these ``other parties'' may or may not have a
contractual relationship with the developer of certified health IT.
However, we sought comment on whether we should require developers of
certified health IT with Health IT Modules that enable or interface
with Predictive DSIs to display source attributes for other parties
with which the developer of certified health IT has a contractual
relationship.
Comments. We received mixed comments supporting and opposing our
proposal to require a Health IT Module to clearly indicate when a
source attribute is not available for the user to review. Among those
who opposed our proposal, they conveyed that indicating to a user when
a source attribute was unavailable would create burdens on health IT
developers who do not readily have access to source attribute
information and would position health IT developers to enforce
information gathering requirements on other companies, including third-
party vendors with which the health IT developer has no formal contract
and health IT customers that create clinical decision support data.
Many commenters who opposed this proposal supported an alternative
requirement that would require certified developers to (1) provide
source attributes and indicate when information was missing for those
interventions they themselves authored (i.e., self-developed
interventions) and (2) for those interventions that were developed by
other parties with which the developer of certified health IT worked to
implement into their Health IT Modules as opposed to all other parties,
regardless of the health IT developer's relationship with those other
parties. In other words, commenters suggested limiting the transparency
requirement to those other parties the health IT developer has a
contractual relationship with or to require health IT developers to
include functionality to display the information and letting their
customers decide whether to display information about their own
Predictive DSI or that of other developers with whom the customers have
a contractual relationship.
[[Page 1269]]
Response. We thank commenters for their concerns. We agree with
commenters regarding the burden and implementation issues associated
with identifying missing information as we proposed and have made
changes to the scope in response. In particular, we have addressed the
concerns raised about Predictive DSIs developed by other parties with
which the developer of certified health IT has no formal relationship.
The finalized policy, described below more closely aligns with the
commenters' alternative policy, which we believe addresses these
concerns.
While we noted in the HTI-1 Proposed Rule that missing source
attribute information would be foundational for users' understanding of
the DSI regardless of whether the intervention developer was a
developer of certified health IT, a customer of the developer of
certified health IT, an academic health system, integrated delivery
network, a third-party software developer, or other party (88 FR
23795), we also acknowledged that we understood there may be
circumstances where a developer of certified health IT may not have
information pertaining to a source attribute for a Health IT Module to
enable such user review.
In response to public comments received, we have made two overall
adjustments. First, we did not finalize our proposals for missing
source attributes as it relates to other parties as proposed. This is
because, as discussed elsewhere in this section, we have constrained
the overall scope of the certification criterion and the developer of
the certified Health IT Module's accountability to those Predictive
DSIs supplied by the health IT developer as part of its Health IT
Module. As a result, in circumstances where a developer of certified
health IT has not supplied an other party's Predictive DSI as part of
its Health IT Module the developer is not accountable for the
unavailability of those Predictive DSI's source attribute information.
Second, we have finalized a certification requirement for Health IT
Modules to indicate when information is not available for specific
source attributes only. Specifically, we have finalized at Sec.
170.315(b)(11)(v)(A)(2) requirements that for Predictive DSIs, a Health
IT Module must indicate when information is not available for review
for source attributes in Sec. 170.315(b)(11)(iv)(B)(6);
(b)(11)(iv)(B)(7)(iii), (iv), and (v); (b)(11)(iv)(B)(8)(ii) and (iv);
and (b)(11)(iv)(B)(9). We note that the implication of this finalized
policy is twofold: (1) developers of certified health IT with Health IT
Modules certified to Sec. 170.315(b)(11) must enable a limited set of
identified users to access complete and up-to-date plain language
descriptions for all source attributes, except those listed in Sec.
170.315(b)(11)(v)(A)(2); and (2) developers of certified health IT with
Health IT Modules certified to Sec. 170.315(b)(11) must enable such
access for evidence-based and Predictive DSIs at least when those DSIs
are supplied by the health IT developer as part of its Health IT
Module.
We are aware that, in some limited circumstances, information for
specific source attributes related to Predictive DSIs supplied by the
health IT developer as part of its Health IT Module may not be
available nor re-creatable. For example, health IT developers that
supply Predictive DSIs that use models provided through the peer
reviewed literature, such as ASCVD, eGFR, APACHE IV, and LACE+ models
referenced elsewhere in this final rule,\128\ may not have access to
training data that would allow them to: 1) provide a description of
demographic representativeness of the training data (Sec.
170.315(b)(11)(iv)(B)(4)(iii)); 2) generate measures of validity in
test data derived from the same source as the initial training data
(Sec. 170.315(b)(11)(iv)(B)(7)(i)); and 3) generate measures of
fairness in test data derived from the same source as the initial
training data (Sec. 170.315(b)(11)(iv)(B)(7)(ii)). In cases where
information is only available through published literature, developers
may provide information for these source attributes that indicate that
the relevant information is not available and that it cannot be
replicated. In these cases, we encourage organizations to perform
external validation of these models and we believe that providing users
information on the results of that work will be of high value. We note
that where source attribute information is available for Predictive
DSIs in these scenarios, or where source attribute information can be
extrapolated from the literature (e.g., intended use, cautioned out-of-
scope use, or intended population, etc.) source attribute information
should be accessible and modifiable consistent with requirements in
Sec. 170.315(b)(11)(v).
---------------------------------------------------------------------------
\128\ Goff Jr, David C., et al. ``2013 ACC/AHA guideline on the
assessment of cardiovascular risk: a report of the American College
of Cardiology/American Heart Association Task Force on Practice
Guidelines.'' Circulation 129.25_suppl_2 (2014): S49-S73.
Levey, Andrew S., et al. ``A more accurate method to estimate
glomerular filtration rate from serum creatinine: a new prediction
equation.'' Annals of internal medicine 130.6 (1999): 461-470.
---------------------------------------------------------------------------
Comments. Commenters that expressed support for this proposal
commended our efforts and requested we strengthen this provision to
require that all source attribute information is available for user
review. Some commenters expressed support for the proposal stating that
it would send a signal to health care providers about the
trustworthiness of a DSI tool and encourage AI developers to be
transparent. One commenter expressed concern that our proposal would
allow health IT developers to opt-out of reporting information and
allowing developers to indicate when source attributes are missing
should be the exception and not the rule. Another commenter expressed
concern that this provision places no limits on how much or what type
of data can be missing while still complying with source data
transparency requirements and could incentivize developers to not
provide any data that might show bias or lead to any type of negative
conclusion by potential users.
Response. We thank commenters for their support. As addressed more
fully in the response directly above, we have made substantial
adjustments to the certification criterion's scope and health IT
developers accountability expectations. As a result of these changes,
we have also addressed commenter concerns that there would be no limit
on how much or what type of data can be missing. We have finalized in
Sec. 170.315(b)(11)(v)(A)(2) that only source attributes in Sec.
170.315(b)(11)(iv)(B)(6); (b)(11)(iv)(B)(7)(iii), (iv), and (v);
(b)(11)(iv)(B)(8)(ii) and (iv); and (b)(11)(iv)(B)(9) may be missing
and in these circumstances a health IT developer must indicate when
information is not available for review.
Comments. Some commenters expressed concern that the proposal to
require Health IT Modules to display missing source attributes could
result in unfair market dynamics, in which developers of certified
health IT will make available full and complete source attribute
information for their homegrown or native DSIs while being less
inclined to collect and meaningfully display such information from
other parties developing and offering Predictive DSIs. Several
commenters noted that the proposal would not compel third-party
creators to provide the information to the health IT developer, or to
renegotiate existing contracts to compel the provision of source
attributes.
Response. We thank commenters for these concerns and suggestions.
We did not propose and we have not finalized
[[Page 1270]]
a policy that regulates other parties and this final rule does not
compel other parties to provide source attribute information to
developers of certified health IT. Rather, we believe there is
sufficient market-driven motivation for other parties to provide source
attribute information for Predictive DSIs they author or develop to
health care providers who seek to use their Predictive DSI's in
addition to any of the ones supplied by a developer of certified health
IT as part of its Health IT Module. We believe health IT users are
likely to develop the expectation that information is available through
source attributes and trust and choose to use Predictive DSIs that have
the information contained in source attributes compared to those that
do not, which may also create competitive pressure in the market to
provide source attribute information. For example, the market
incentives consumers have when choosing between vehicles that have
complete history reports regarding accident damages, manufacturer
buybacks, registration records, odometer readings, and ownership
transfers, and those vehicles that do not. We believe similar market
incentives will result in more source attribute information being made
available for user review than would be the case absent the requirement
to indicate when source attributes were not available for review.
In response to the commenter concerned about unfair market
dynamics, we note that we have finalized a requirement that Health IT
Modules must be capable of displaying source attributes from other
parties and for users to be able to modify attributes for those
Predictive DSI. But that is where the finalized requirements stop. With
the exception of Predictive DSIs authored by the health IT developer or
those it expressly chooses to supply as part of its Health IT Module,
we have not required health IT developers with Health IT Modules
certified to Sec. 170.315(b)(11) to receive, acquire, or otherwise
produce source attributes related to other party DSIs. We encourage
those other parties to work with their customers to ensure that source
attribute information is full and complete, thereby addressing any
potentially unfair market dynamics.
Comments. Another commenter suggested that developer of the other
system, at most, could denote if a DSI it interfaces with is in fact a
third-party model, thus informing the user of the need to seek out any
desired information from the primary developer of the DSI in question.
Response. As part of this final rule's focus on providing
information only for Predictive DSIs supplied in Health IT Modules, we
decline to require that Health IT Modules display or ``denote'' when
another system includes a third-party model.
Comments. Commenters stated that communicating that a model is
third-party is sufficient and stated that while the proposed language
of saying source attribute information is ``not available for user
review'' is both unnecessarily pejorative to the third party and
misleading to the end user.
Response. We have finalized at Sec. 170.315(b)(11)(v)(B)(1) that
Health IT Modules must ``Enable a limited set of identified users to
record and change source attributes in paragraphs (b)(11)(iv)(A) and
(B) of this section,'' but have left flexibility to developers of
certified health IT and their customers to choose if and how to
indicate that information is missing, when they believe doing so is
valuable, so that they may avoid pejorative and misleading language.
Comments. One commenter expressed concern with the phrase ``other
parties'' because it could encompass healthcare delivery organizations
that self-develop Predictive DSI for ``in-house'' use to augment their
purchased EHR system and requested an exemption from certain
requirements, and that they not be penalized by ONC or their EHR vendor
who could pass on ``costs'' to use their ``in-house'' tools.
Response. We thank the commenter for their concern. We believe this
final rule's focus on providing information only for Predictive DSIs
supplied by health IT developers in their Health IT Modules will reduce
concerns around a need for specific exemptions or that developers of
certified health IT might pass on costs, since those developers are
only likely to incur costs for those Predictive DSI they supply.
Predictive DSI that a healthcare delivery organization self-developed
and used to augment their Health IT Module would likely not be
considered supplied by health IT developers.
As noted previously in this final rule, we have maintained our
description of ``other parties.'' For the purposes of the Program,
compliance clarity, and distinguishing a health IT developer's own
authored and supplied Predictive DSIs from everyone else, we use the
phrase ``other party,'' which could include a health care provider who
self-develops a Predictive DSI. That said, as we have conveyed this
final rule's requirements, being described as an other party imposes no
specific regulatory compliance requirement.
x. Authoring and Revising Source Attributes
At proposed Sec. 170.315(b)(11)(vi)(E), we proposed that Health IT
Modules certified to Sec. 170.315(b)(11) support the ability for a
limited set of identified users to author (i.e., create) and revise
source attributes and information provided for user review beyond the
specific source attributes we enumerated (88 FR 23796-23797). This
proposal applied to source attributes related to both evidence-based
DSIs and Predictive DSIs that would be enabled by or interfaced with a
certified Health IT Module, including any Predictive DSIs that could
have been developed by users of the certified Health IT Module, and we
described specific examples in the HTI-1 Proposed Rule. While we did
not propose to require a developer of certified health IT to be
directly involved in the authoring or revision of source attribute
information provided for user review, we proposed that the certified
Health IT Module would need to support the technical ability for a
limited set of identified users to create new or revised attribute
information alongside other source attribute information proposed as
part of Sec. 170.315(b)(11)(vi)(A) and (C).
Comments. A majority of commenters did not support the proposal
that Health IT Modules certified to Sec. 170.315(b)(11) support the
ability for a limited set of identified users to author (i.e., create)
and revise source attributes and information provided for user review
beyond what was proposed. One commenter supported the concept of
hospitals and providers creating their own Predictive DSI models and
suggested that developers should only be expected to create
functionality to allow users to enter their own source attributes and
that developers should not have responsibility for gathering that
information for users for input into the products. One commenter
expressed concern that it is unclear whether the expectation is that
developers must allow for customers to revise the source attributes
that developers have themselves defined for DSIs they have developed,
noting that allowing revisions would seem problematic as it could
inappropriately alter the meaning and information being relayed to end-
users. Commenters recommended that we clearly indicate that this
requirement applies solely to additional/supplementary source
attributes for DSIs developed by the developer of certified health IT
themselves stating that DSIs that are not directly implemented or
enabled by the developer should be out of scope for the
[[Page 1271]]
criterion. Commenters were especially concerned that the proposal
failed to define the intent for, or characteristics of, the limited set
of identified users and would enable those users to create extra
regulatory requirements for developers of certified Health IT Modules.
Response. We appreciate the comments and believe that coupled with
the proposed scope for the certification criterion that some commenters
may have misinterpreted the intent behind our proposal and how the
technical capabilities for a Health IT Module would play out as part of
implementation. We note that several source attributes, particularly
those now finalized in Sec. 170.315(b)(11)(iv)(B)(6)-(9) pertain to
activities that may occur within individual customer sites, so that
processes to measure validity and fairness, as well as the results of
those processes, are likely to differ across customer sites. We believe
individual customers will have substantial value in revising these
source attributes. We clarify that developers of certified health IT
are not responsible for content recorded, changed, or accessed by these
users and are not responsible for gathering information for or from
users that wish to record or change source attribute information.
We nevertheless understand commenters' concerns related to
modification of source attributes related to Predictive DSIs that are
developed by health IT developers. We clarify that developers of
certified health IT are not responsible for the accuracy or use of
source attribute information that is modified by their users. Rather,
developers of certified health IT are required to have Health IT
Modules that support the capability for their users to author or revise
source attribute information. We emphasize that this capability is not
dependent on the entity that developed the Predictive DSI or related
source attributes and we decline to limit this capability to only those
additional/supplementary source attributes for DSIs developed by a
developer of certified health IT. We note that a Health IT Module is
required to enable a ``limited set of identified users,'' to author and
revise source attributes. We believe this stipulation ensures that a
Health IT Module is capable of enabling some specified users, but not
all users, to have the capability to author and revise source
attributes and we believe this mitigates concerns around inappropriate
alteration. This requirement will not provide these users with the
ability to create additional regulatory requirements but simply to
display information related to source attributes of their choosing. We
note that several certification criteria include the phrase ``limited
set of identified users,'' including the CDS criterion at Sec.
170.315(a)(9), which developers of certified health IT have had more
than a decade of experience supporting.
Comments. Some commenters did not agree with the proposal that
Health IT Modules certified to Sec. 170.315(b)(11) support the ability
for a limited set of identified users to author (i.e., create) and
revise source attributes and information provided for user review
beyond what was proposed in Sec. 170.315(b)(11)(vi)(A) and (C). These
commenters noted that it could be burdensome on device manufactures, be
at odds with FDA device requirements, adulterate the functionality of
the device, and could possibly invalidate any testing and validity
provided by the developers or require such robust testing for all
permutations that quality and cost could be impacted. Commenters were
concerned about the impact on FDA approved devices, observing that
allowing third-party developers and users to alter source attribute
information, including information related to the ``intended use'' of
the device, may be considered an alteration to the device and impact
FDA approval.
Response. We appreciate commenters' concerns regarding FDA-approved
medical devices and alterations to the devices intended use source
attribute. We note that the source attribute related to intended use is
a description of what the output of the Predictive DSI should be used
for and not a bound indication of what a devices may be approved to do.
While we do not expect users to change the intended use of a Predictive
DSI, the requirement is that a Health IT Module enable a limited set of
users to change and record source attribute information. We believe
that developers of certified health IT and their customers are best
positioned to jointly decide how broadly to provide the ability to
change and record source attributes and under what circumstances.
Customers could then decide what set of users should have the ability
to record and change source attribute information in the capabilities
adopted in final Sec. 170.315(b)(11)(iv)(A) and (B). In many cases, we
believe that FDA requirements and the information included as source
attributes are closely aligned, limiting burden on developers. Where
that is not the case, we believe the information provided as source
attributes will have substantial values to users commensurate with
implied burden. Though required, developers concerned about changes to
their original source attribute information are free to include a
capability to allow users to review the original source attributes even
when the information has been changed by end users.
We have finalized our requirements related to revising source
attribute information with modifications at Sec.
170.315(b)(11)(v)(B)(1), which requires that a Health IT Module must
enable a limited set of identified users to record and change source
attributes in Sec. 170.315(b)(11)(iv)(A) and (b)(11)(iv)(B). As
previously discussed, Sec. 170.315(b)(11)(v)(B) is a modified version
of proposed Sec. 170.315(b)(11)(iv) and Sec. 170.315(b)(11)(vi)(E),
combining the ``author and revise'' concepts of Sec.
170.315(b)(11)(iv)(E) with the ``review'' concept in Sec.
170.315(b)(11)(iv). In finalizing this language, we intend to clearly
convey that individuals can record and change information within the
source attributes listed at Sec. 170.315(b)(11)(iv)(A) and
(b)(11)(iv)(B).
We are also aware of substantial activity by the public, industry
groups, and other advocacy organizations to further transparency
related to Predictive DSIs. Along those lines, we have observed that
variations exist with respect to each initiative's priorities and that
there is not strong consensus among these groups related to the
information included as source attributes or transparency
information.\129\ As technology related to Predictive DSIs continues to
evolve and as industry consensus matures, we expect that new
information may need to be made available through source attributes for
new models. In recognition of the fact that this final rule now sets a
consistent, industry-wide baseline set of source attributes on which
these groups may wish to build, we have retained a requirement at Sec.
170.315(b)(11)(v)(B)(2) around authoring source attributes in addition
to those listed in Sec. 170.315(b)(11)(iv)(B). This capability will
help support health care providers who wish to stay at pace with
industry consensus around transparency and include additional source
attribute information using their certified health IT to do so.
---------------------------------------------------------------------------
\129\ See, for instance, work by the coalition for health AI
https://www.coalitionforhealthai.org/ and the health AI partnership
https://healthaipartnership.org/.
---------------------------------------------------------------------------
In Sec. 170.315(b)(11)(v)(B)(2) we have finalized that for
Predictive DSIs, the Health IT Module must enable a limited set of
identified users to record, change, and access additional source
attribute information not specified in paragraph (b)(11)(iv)(B). First,
we have limited this
[[Page 1272]]
capability to only Predictive DSI source attributes in Sec.
170.315(b)(11)(iv)(B), whereas our proposal applied to both evidence-
based and Predictive DSIs. This is intended to be responsive to
commenters who worried that the scope of this capability was too
burdensome to implement. Second, we have modified the capability from
``author and revise source attributes beyond those listed'' to the
capability to ``record, change, and access additional source attribute
information not specified.'' We believe this more clearly articulates
the intent of the policy and addresses concerns regarding questions
posed by interested parties on what ``beyond,'' meant within the
context of their obligations. We clarify that developers of certified
Health IT Modules are not responsible for the content recorded,
changed, or accessed by these users.
xi. Intervention Risk Management (IRM) Requirements for Predictive
Decision Support Interventions
At 88 FR 23797-23808, we proposed to establish ``intervention risk
management'' (IRM) requirements. We proposed at 88 FR 23797 to require
that by December 31, 2024, a developer of certified health IT that
attested ``yes'' as part of our other proposal would need to employ or
engage in certain IRM practices for all Predictive DSIs, as we proposed
at 88 FR 23785 to define in Sec. 170.102, that the developer's
certified Health IT Module enables or interfaces with. We also proposed
that developers of certified health IT analyze potential risks and
adverse impacts associated with a Predictive DSI for the following
characteristics: validity, reliability, robustness, fairness,
intelligibility, safety, security, and privacy at Sec.
170.315(b)(11)(vii)(A)(1) (88 FR 23799-23801). Similarly, we proposed
that developers of certified health IT implement practices to mitigate
risks associated with intervention Predictive DSIs at Sec.
170.315(b)(11)(vii)(A)(2) (88 FR 23801-23802). And, related to
governance, we proposed that developers of certified health IT would
need to establish policies and implement controls for Predictive DSI
governance, including how data are acquired, managed, and used in a
Predictive DSI at Sec. 170.315(b)(11)(vii)(A)(3) (88 FR 23802-23803).
With respect to documentation, we proposed at Sec.
170.315(b)(11)(vii)(B) that developers of certified health IT compile
detailed documentation of IRM practices and upon request from ONC make
available such detailed documentation for any Predictive DSI that their
certified Health IT Module enables or interfaces with (88 FR 23803-
23804). We also proposed at Sec. 170.315(b)(11)(vii)(C) to require
developers of certified health IT to submit summary information to
their ONC-ACB regarding IRM practices listed via a publicly accessible
hyperlink that would allow any person to directly access the
information without any preconditions or additional steps (88 FR
23804). Consistent with Program implementation for similar
documentation requirements (84 FR 7484), we proposed that for this
proposed summary information, the required documentation would need to
be submitted to ONC-ACBs for review prior to issuing a certification
(88 FR 23805).
Finally, we proposed at Sec. 170.315(b)(11)(vii)(D) to require
that developers of certified health IT review annually and, as
necessary, update both detailed documentation and summary information
associated with the certification criterion (88 FR 23805). We also
proposed to establish a deadline of December 31, 2024, for developers
of certified health IT with Health IT Modules to which the proposed
requirements in that section apply to engage in IRM practices and
develop both detailed documentation and summary information (88 FR
23797). This proposed deadline corresponded with other proposals in the
HTI-1 Proposed Rule, including our proposed to update the Base EHR
definition (88 FR 23808).
Comments. Commenters both supported and opposed our proposed IRM
requirements at Sec. 170.315(b)(11)(vii), with those in support noting
the proposed risk management practices of risk analysis, risk
mitigation, and governance are essential for ensuring the
trustworthiness of Predictive DSIs. One commenter suggested that ONC
strengthen its risk analysis requirements to include intended and
reasonably expected DSI use(s), DSI evidence of safety, DSI efficacy,
DSI level of automation, and conditions of DSI deployment, whereas
another commenter recommended ONC limit its risk analysis requirements
to predictive clinical DSIs. Commenters were especially supportive of
our proposal to adopt NIST's AI Risk Management Framework (AI RMF)
because they noted the characteristics in the proposal provide a robust
framework to help with risk mitigation.\130\ Some commenters
recommended that we follow the Congressionally-created National
Artificial Intelligence Advisory Committee (NAIAC) recommendation to
use either the NIST AI RMF or similar processes and policies that align
with NIST AI RMF. One commenter was supportive to use the NIST
Characteristics for FAVES, but recommended revisions to the Fairness,
Intelligibility, and Safety characteristics. One commenter who
supported the proposal suggested that ONC should strengthen the
proposed requirements to explicitly require that a health IT
developer's risk mitigation practice include additional information on
addressing bias, safeguarding privacy, security interests, and personal
information, and create a full feedback loop.
---------------------------------------------------------------------------
\130\ NIST AI Risk Management Framework, https://airc.nist.gov/AI_RMF_Knowledge_Base/Playbook.
---------------------------------------------------------------------------
Response. We appreciate these comments and agree that risk
management practices are essential for ensuring the trustworthiness of
Predictive DSIs and that these practices would promote transparency and
accountability within healthcare. As described further in this section
we have finalized in Sec. 170.315(b)(11)(vi) substantially similar
versions of our proposals. The finalized certification criterion
requires that IRM practices must be applied for each Predictive DSI
supplied by the health IT developer as part of its Health IT Module,
including risk analysis, risk mitigation, and governance. We have also
finalized modified versions of what we proposed related to IRM summary
information in Sec. 170.523(f)(1)(xxi) as well as the annual review
and updated documentation requirements in Sec. 170.402(b)(4). We have
not finalized our proposal that developers of certified health IT
compile detailed documentation of IRM practices listed in Sec.
170.315(b)(11)(vii)(A) and upon request from ONC make available such
detailed documentation for any Predictive DSI that their certified
Health IT Module enables or interfaces with.
We thank commenters for their support of our proposal's consistency
with the NIST AI RMF and the National Association of Insurance
Commissioners (NAIC) recommendation to use either the NIST AI RMF or
similar processes and policies that align with the NIST AI RMF.\131\
While we encourage the use of
[[Page 1273]]
a framework to help facilitate IRM and adapted the NIST AI RMF concepts
and emphasis areas, conformance with this certification criterion does
not require the use of any particular framework, approach, or
methodology for providing information about risk management practices.
As noted in HTI-1 Proposed Rule (88 FR 23798), we have left this
flexibility given a lack of healthcare sector-specific guidance and the
nascency of several emerging efforts for risk management of predictive
software.
---------------------------------------------------------------------------
\131\ As noted in the HTI-1 Proposed Rule (88 FR 23810)
(footnote 289), we are aware of and coordinated with multiple
federal agencies and activities focused on AI, including the NAIC,
that are also exploring policies to prevent and mitigate bias in AI/
ML and the intersection with privacy, equity, and civil rights. For
more information about the Congressionally-created NAIC and its
recommendation for federal agencies, please see the NAIC Year 1
Report (May 2023), available at: https://www.ai.gov/wp-content/uploads/2023/05/NAIAC-Report-Year1.pdf.
---------------------------------------------------------------------------
We appreciate commenters' suggestions on additional characteristics
and additional kinds of risks that developers of certified health IT
with Health IT Modules certified to Sec. 170.315(b)(11) should include
as part of their IRM practices. However, we remained consistent with
what we proposed and decline to add further characteristics. We believe
that the eight areas we have finalized represent consensus focus areas,
are based on the NIST AI RMF, and would be most relevant to Predictive
DSIs. We will monitor implementation of this requirement and may
consider modifications to these characteristics in future rulemaking.
Comments. Commenters not in support of the IRM requirements
proposed at Sec. 170.315(b)(11)(vi), expressed significant concerns
that they would require disclosing IP or proprietary information, could
compromise patient privacy, and increase administrative burdens. Other
commenters did not support the IRM requirements because they thought
they were too broad, noting that requiring a developer of certified
health IT to perform IRM practices over a third party's DSI tool is
neither feasible or competitively rational and recommended that we
limit the scope so that developers are accountable for IRM practices
for its own DSI only. Other commenters that did not support the IRM
proposals urged ONC to consider a risk-based DSI approach that would
classify high, moderate, and low risk DSIs and would provide developers
with appropriately scaled risk-based controls based on potential harm
to individual patients and populations. One commenter expressed concern
that some developers may engage in risky practices that result in harm
or privacy violations and requested more clarity on how certification
criteria would exclude developers from engaging in these practices. One
commenter expressed concern that there is not enough time for
developers to meet the December 31, 2024, deadline due to the time to
develop and implement the requirements and requested additional time to
address the eight characteristics of risk.
Response. We thank commenters for their concerns and suggestions.
As we have noted throughout this rulemaking, we believe that such
transparency is a prerequisite for high-quality Predictive DSIs to be
trusted by clinicians, patients, health systems, software developers,
and other interested parties. When we developed the proposed IRM
requirements, we sought a balance between limited prescriptiveness and
sufficient detail to enable robust and broadly applicable reporting of
information on risk management practices to users and the public. Our
proposed requirements focused on potential risks and adverse impacts
(harm) in eight areas, that include privacy and fairness, that may be
associated with each Predictive DSI that is authored by the health IT
developer.
In consideration of the feedback we received, we believe that the
finalized IRM requirements strike the best balance, especially given
that we have not established requirements for specific measures.
Rather, we have given maximum flexibility to developers of certified
health IT to determine which information best fits their unique
circumstances and Predictive DSI use cases. We encourage developers of
certified health IT to examine industry resources, such as the NIST AI
RMF or the Health Equity Across the AI Lifecycle (HEAAL)
framework,\132\ as part of these requirements.
---------------------------------------------------------------------------
\132\ Kim J., Hasan A., Kellogg K., et al. Development and
preliminary testing of Health Equity Across the AI Lifecycle
(HEAAL): A framework for healthcare delivery organizations to
mitigate the risk of AI solutions worsening health inequities.
medRxiv 2023.10.16.23297076; doi: https://doi.org/10.1101/2023.10.16.23297076.
---------------------------------------------------------------------------
Further, as stated in the HTI-1 Proposed Rule (88 FR 23799), we
believe that many such developers of certified health IT already employ
or engage in IRM practices to comply with existing certification
criteria (Sec. 170.315(g)(3) ``safety-enhanced design'' (SED) and
Sec. 170.315(g)(4) Quality management systems (QMS)). Thus, we
continue to believe that the finalized requirement to provide
information on these practices represents a low-level of burden for
those developers. We believe that our IRM practice requirements are
important for several reasons. First, all developers of certified
health IT that seek certification to Sec. 170.315(b)(11) and supply
Predictive DSIs as part of their Health IT Module will become familiar
with foundational IRM practices. Second, the public disclosure of the
summary information of IRM practices employed or engaged by the
developer of certified health IT, as described further below, will
provide transparency to purchasers (potential users), users, and other
interested parties, and contribute to appropriate information to help
guide medical decisions. Lastly, our finalized requirements in Sec.
170.315(b)(11)(vi)(A) will encourage development of healthcare-
specific, consensus, and industry-based best practices for risk
management.
We appreciate the concerns expressed about IP and proprietary
information, patient information privacy, and administrative burden. As
noted, as part of this certification criterion's preamble we have made
scope adjustments in response to public comment that we believe
substantially address these concerns. The finalized requirements for
risk analysis and risk mitigation are limited to only those Predictive
DSIs supplied by the developer of health IT as part of its Health IT
Module. We have also clarified our expectations for governance
requirements. With the exception of other party Predictive DSI's
supplied by developers of health IT as part of their Health IT Module,
we have not finalized the proposals (88 FR 23803) that caused
commenters' concerns regarding the developer of certified health IT
performing ``IRM practices over a third party's DSI.'' Specifically, we
have not finalized that developers review risk management information
from other parties nor that developers include risk management
information from other parties as part of the documentation
requirement.
We appreciate the concern expressed about information privacy and
harm. We expect that model developers will use data for training and
testing consistent with applicable law, patients' expectations, and any
patient consent or preference given. We believe the scope changes we
have made as part of this finalized certification criterion along with
the high degree of flexibility we provide to developers of certified
health IT to establish appropriate risk management practices mitigate
concerns related to compromising IP, proprietary information, and
patient privacy. While we appreciate the concerns raised by some
commenters, based on the final certification criterion's scope, we
believe they are outweighed by the need to promote greater and more
meaningful disclosure of information by developers of health IT
certified. We disagree with the claims that our requirements for
summary information about risk management practices would result in
[[Page 1274]]
disclosing IP or proprietary information as we are entrusting
developers of certified health IT to disclose information at a level of
detail according to their own judgments. Furthermore, based on the
scope of the final certification criterion, it is reasonable to assume
that developers of certified health IT are experts on their own
products and services and possess sophisticated technical and market
knowledge related to the implementation and use of health IT in a
variety of settings in which their products are used. Through their
accumulated experience developing and providing health IT solutions to
their customers, health IT developers should be familiar with the types
of risks that most users encounter, and therefore must describe these
in sufficient detail to provide potential customers, patients, or
researchers, with the information they need to make informed
applicability, scope, and use decisions.
As for recommendations that we take a risk-based approach to IRM
requirements, we appreciate the comment. However, the Program is not
predicated on levels of risk and our requirements for certification to
the DSI (formerly CDS) criterion has been and continues to be agnostic
to specific use cases, intended uses, and risks. We reiterate that we
are not establishing requirements for specific measures. Rather, we are
giving maximum flexibility for developers of certified health IT to
determine which information best fits their unique circumstances and
Predictive DSI use cases.
As noted in the HTI-1 Proposed Rule (88 FR 23802), developers of
certified health IT have the flexibility to choose an approach to
meeting this requirement that addresses their own unique circumstances
for their Predictive DSIs. However, we encourage developers to
implement policies and controls to evaluate whether risk analysis and
risk mitigation practices are being carried out as specified; to
consider how policies and controls are monitored and updated; and to
plan a schedule for updating those policies and controls. Policies and
controls should include details on roles, responsibilities, staff
expertise, authority, reporting lines, and continuity. We further
encourage developers to have accountability and escalation policies and
controls related to how management oversees the development,
deployment, and management of Predictive DSIs.\133\ These policies and
controls should describe the developer of certified health IT's
decision-making parameters or programs and include how management is
held accountable for the impact of Predictive DSIs. We encourage
developers to identify staff that are responsible for Predictive DSIs
and related models and to develop policies to hold those staff
accountable to the developer's established policies and
procedures.\134\ We believe that developers should plan escalation
processes that permit significant issues with Predictive DSI
development, integration, or use to reach appropriate levels of
management and describe standards for timely resolution of issues with
Predictive DSIs and related models.\135\ If the developer uses a third
party to assess risk, the developer should describe processes for
determining whether assessments performed by a third party meet the
standards and controls set forth in the developer's governance
framework.
---------------------------------------------------------------------------
\133\ Off. Comptroller Currency, Comptroller's Handbook: Model
Risk Management (Aug. 2021), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/model-risk-management/index-model-risk-management.html.
\134\ Id.
\135\ Id.
---------------------------------------------------------------------------
We appreciate the commenter's concerns about meeting the December
31, 2024, deadline, and the desire for an extension. We note that in
prioritizing this certification criterion, we have finalized longer
timelines for the adoption of other standards and certification
criteria with, for example, a compliance date of January 1, 2026. We
believe the extended dates for conformance with these other standards
and certification criteria will make it more feasible for the industry
to meet the December 31, 2024, deadline for the finalized requirements
in Sec. 170.315(b)(11). We discuss timing requirements in more detail
below in the section on modifications to the ``Base EHR.''
After consideration of public comments received, we have finalized
with modifications our proposed requirements for IRM practices.
Specifically, we have finalized in Sec. 170.315(b)(11)(vi) that IRM
practices must be applied for each Predictive DSI supplied by the
health IT developer as part of its Health IT Module. This finalized
requirement applies to Predictive DSIs ``supplied by the health IT
developer as part of its Health IT Module,'' which establishes an
equivalent scoping between what we proposed under the attestation
statement in proposed Sec. 170.315(b)(11)(v) and what we have
finalized in Sec. 170.315(b)(11)(vi). As proposed, only those
developers that attested ``yes,'' would have had to employ or engage in
IRM practices and as finalized, only developers that supply Predictive
DSIs are required to apply IRM practices. We have finalized Sec.
170.315(b)(11)(vi)(A) requiring that Predictive DSIs must be subject to
analysis of potential risks and adverse impacts associated with the
following characteristics: validity, reliability, robustness, fairness,
intelligibility, safety, security, and privacy, which is substantially
similar to what we proposed. We have finalized Sec.
170.315(b)(11)(vi)(B) requiring that Predictive DSIs must be subject to
practices to mitigate risks, identified in accordance with
(b)(4)(ii)(A) of this section, which is substantially similar to what
we proposed. We have finalized Sec. 170.315(b)(11)(vi)(C) requiring
that Predictive DSIs must be subject to policies and implemented
controls for governance, including how data are acquired, managed, and
used, for all Predictive DSIs supplied by the health IT developer as
part of its Health IT Module, which is substantially similar to what we
proposed.
We have also finalized requirements in Sec. 170.523(f)(1)(xxi) as
part of the Principles of Proper Conduct for ONC-ACB's that an ONC-ACB
shall, where applicable, ensure that summary information of the IRM
practices listed in paragraph Sec. 170.315(b)(11)(vi) is submitted by
the health IT developer via publicly accessible hyperlink that allows
any person to access the summary information directly without any
preconditions or additional steps. We have finalized this requirement
as a combination of what we proposed in Sec. 170.315(b)(11)(vii)(C)
and what we proposed as a modification the Principles of Proper Conduct
for ONC-ACB in Sec. 170.523(f)(1)(xxi)
Finally, as stated previously, we have finalized a new Assurances
Maintenance of Certification requirement in Sec. 170.402(b)(4) that
requires developers of Health IT Modules certified to Sec.
170.315(b)(11), starting January 1, 2025, and on an ongoing basis
thereafter, review and update, as necessary, source attribute
information in Sec. 170.315(b)(11)(iv)(A) and (B), risk management
practices described in Sec. 170.315(b)(11)(vi), and summary
information provided through Sec. 170.523(f)(1)(xxi). This requirement
is substantially similar to what we had included in our proposal (such
as Sec. 170.315(b)(11)(vii)(D)). We provide additional details on
Sec. 170.402(b)(4) in previous comment responses in section III.C.5.v.
``Predictive Decision Support Interventions, Attestation for Predictive
[[Page 1275]]
Decision Support Interventions,'' of this final rule.
We reiterate that ONC has not adopted specific risk analysis
metrics or risk mitigation practices beyond describing eight
characteristics in Sec. 170.315(b)(11)(vi)(A) and we note that
developers of certified health IT may vary their IRM practices based on
their understanding of the risk of each Predictive DSI.
Comments. Several commenters expressed concerns that the nature of
the proposed documentation required in the IRM disclosure requirements
that developers would have to meet would require a third-party
developer to share proprietary technical and governance information and
requested clarification on the level of detail required in
documentation that IRM practices are employed. One commenter requested
clarification on how developers of health IT would meet the proposed
documentation requirements in Sec. 170.315(b)(11)(vii)(B) when they
would need to obtain the documentation from third-party developers.
Several commenters did not support our IRM proposals due to the burdens
it would place on health IT developers and recommended that we limit
the IRM proposals to health IT developers who develop their own
Predictive DSI models.
Response. We thank commenters for their concerns. After
consideration of these comments, we have not finalized the requirements
described in the HTI-1 Proposed Rule preamble for developers of
certified health IT to receive or have access to risk management
information for Predictive DSIs developed by other parties (and that
are not supplied by the developer as part of its Health IT Module).
After consideration of these comments, we have not finalized the
requirements described in the HTI-1 Proposed Rule (88 FR 23803)
preamble for developers of certified health IT to receive or have
access to risk management information for Predictive DSIs developed by
other parties (and that are not supplied by the developer as part of
its Health IT Module). This means there are no expectations that
developers review risk management information from other parties with
whom they have no relationship and with whom they have not expressly
chosen to supply a Predictive DSI as part of their Health IT Module.
This also excludes all other party Predictive DSIs that their customers
choose to implement as well as any Predictive DSIs that their customers
author.
Comments. Several commenters believed that developers, and not
health care providers, should ultimately be responsible for the tools
they create and bear responsibility for harmful outcomes resulting from
the tools being used as intended. Whereas other commenters suggested
that the responsibility for risk assessment and mitigation should be
shared with DSI providers and authors of the toolset, rather than
requiring the health IT developers to accept all responsibilities.
Response. We appreciate the commenters' concerns. We agree that
multiple parties share responsibility for risk assessment and
mitigation and the safe application of Predictive DSI, and note that
this rule does not alter any party's responsibility for exercising
sound professional judgment in making clinical decisions and complying
with applicable laws.\136\ Developers and health care providers should
implement practices in full awareness that this final rule will not
change their responsibility under other applicable law. We have
finalized requirements aligned with our authorities for developers of
certified health IT, and we anticipate these requirements for IRM
practices will help spur much-needed conversations across providers and
their health IT partners on how best to analyze, mitigate, and govern
risks associated with Predictive DSIs.
---------------------------------------------------------------------------
\136\ See e.g., U.S. Dept of Health & Human Servs., Office for
Civil Rights, Notice of Proposed Rulemaking, Nondiscrimination in
Health Programs and Activities, 87 FR 47824, 47880 (Aug. 4, 2022),
https://www.federalregister.gov/documents/2022/08/04/2022-16217/nondiscrimination-in-health-programs-and-activities (prohibiting
discrimination on the basis of race, color, national origin
(including limited English proficiency), sex (including sexual
orientation and gender identity), age, or disability in certain
health programs or activities through the use of clinical algorithms
in their decision-making); Title VI of the Civil Rights Act of 1964,
42 U.S.C. 2000d et seq. (prohibiting discrimination on the basis of
race, color, or national origin (including limited English
proficiency) in federally funded programs or activities); Title IX
of the Education Amendments of 1972, 20 U.S.C. 1681 et seq.
(prohibiting sex discrimination in federally funded education
programs or activities); the Age Discrimination Act of 1975, 42
U.S.C. 6101 et seq. (prohibiting age discrimination in federally
funded programs or activities); Section 504 of the Rehabilitation
Act of 1973, 29 U.S.C. 794 (prohibiting disability discrimination in
federally funded or federally conducted programs or activities); and
the Americans with Disabilities Act, 42 U.S.C. 12101 et seq.
(prohibiting disability discrimination by employers, state and local
government entities, and businesses that are open to the public,
among others); The Health Insurance Portability and Accountability
Act (HIPAA) Public Law 104-191,110 Stat. 1936 (August 21, 1996),
codified at 42 U.S.C. 1320d-1320d8; HIPAA Privacy Rule, 45 CFR part
160 and subparts A and E of part 164; and The HIPAA Security Rule,
45 CFR part 160 and subparts A and C of part 164.
---------------------------------------------------------------------------
As noted in the HTI-1 Proposed Rule, we are aware that, in addition
to developers of certified health IT, users, such as healthcare
organizations and clinicians, have responsibilities related to
Predictive DSIs, including intervention or model risk management during
implementation and use, as well as model validation (88 FR 23805). For
example, we believe it is important that users maintain strong
governance and controls to help manage model risk and how they will use
outputs from interventions in decision-making, including monitoring any
potential impacts of model use. Users of a Predictive DSI are also best
able to report on how the Predictive DSI performs in real world and
local settings, which can differ from their performance during testing.
Comments. One commenter expressed concern that the proposal was too
broad and recommended that ONC exclude from its transparency and risk
management requirements any DSI tools that are created by a health care
provider organization for its own use, with no intent to commercialize
the tool(s). One commenter expressed concern that ONC did not account
for the difference between ``AI Developers'' and ``AI Deployers''
noting that each has unique and distinct roles, and risk analysis
requirements should account for these separate roles.
Response. We appreciate the feedback. As we have noted as part of
the certification criterion's discussion throughout this final rule, we
have adjusted the scope of the certification criterion and clarified
health IT developer responsibilities compared to health care providers
and other parties. We clarify, based on the scope and policy for the
final certification criterion, that ``DSI tools created by a health
care provider'' for its own use are not in scope for Program
requirements. More to the point, such health care providers will
benefit from this final certification criterion's requirements because
updated certified health IT will include more supportive capabilities
for DSI transparency that they will be able to use for their own
purposes. We appreciate the comment for differentiating between ``AI
Developers'' and ``AI Deployers,'' however, we decline to establish
different IRM practice requirements for different roles that may, or
may not, exist across organizational boundaries. Our requirements
pertain specifically to developers of certified Health IT Modules that
supply Predictive DSIs as part of their Health IT Module.
Comments. Several commenters expressed concern about the potential
liability of health IT developers and health care providers. One
commenter expressed concern that some developers
[[Page 1276]]
may attempt to shift liability for poor performing tools and
recommended that the developer of the tool should bear the
responsibility of ensuring optimal performance of the tool they
developed and should bear the brunt of the liability when errors occur.
One commenter recommended that we strengthen the requirements around
IRM practices by requiring developers of certified health IT with
Health IT Modules that enable or interface with Predictive DSIs to
carry liability insurance that covers contingent bodily injury due to
technology errors and omissions.
Response. We appreciate the commenter's concern for liability and
accountability. We believe that our requirements for transparency in
both performance, as indicated by the information required as part of
source attributes, and in IRM practices will help users determine if
tools are poor performing and make subsequent decisions on whether and
how to use such tools. In general, these comments are outside of the
scope of this rulemaking, and we decline to require liability insurance
as part of our requirements and believe that issues of liability are
outside the scope of this rulemaking. Those concerned or curious about
it should reference federal, state, or tribal laws and regulations--or
reliable sources information.
Comments. One commenter expressed concern that there is no
requirement for real world testing in an uncontrolled environment and
urged ONC require these activities are tested in real world scenarios
before they are adopted to ensure DSIs are successful.
Response. We thank the commenter for their suggestion to require
real world testing of Predictive DSIs. We note that among the source
attributes listed in Sec. 170.315(b)(11)(iv) there are two that would
enable users to know if a Predictive DSI was tested for fairness at
Sec. 170.315(b)(11)(iv)(B)(8)(iii) and (iv) and validity in local data
at Sec. 170.315(b)(11)(B)(iv)(8)(i) and (ii). These source attributes
are intended to support such real world testing; however, we are not
requiring that such testing be done, so as noted within the
certification criterion these source attributes may be missing. We also
note that Health IT Modules certified to Sec. 170.315(b)(11) must
participate in real world testing as a Condition and Maintenance of
Certification requirement as stipulated in Sec. 170.405.
Risk Analysis
In the HTI-1 Proposed Rule (88 FR 23798-23799), we proposed to
require developers of certified health IT to analyze potential risks
and adverse impacts associated with a Predictive DSI that their
certified Health IT Modules enable or interface with. NIST's AI RMF
describes seven characteristics of trustworthy AI, and we proposed to
adapt these concepts and require that developers of health IT with
certified Health IT Modules that enable or interface with Predictive
DSIs employ or engage in risk management practices related to the
following characteristics: (1) validity; (2) reliability; (3)
robustness; (4) fairness; (5) intelligibility; (6) safety; (7)
security; and (8) privacy. We did not propose or describe risk
tolerance associated with the eight characteristics, as we believe
these should be decisions made by those involved with the design,
development, deployment, and use of the technology. We proposed that
developers of certified health IT must analyze the potential risks and
adverse impacts, associated with a Predictive DSI that their certified
Health IT Modules enable or interface with, related to lack or failure
in the eight characteristics.
Comments. Several commenters were concerned that ONC did not
establish or define regulatory baselines, measures, or thresholds for
what constitutes FAVES for Predictive DSIs and noted that providers are
not trained to independently assess whether a Predictive DSI was FAVES,
nor is there a commonly accepted standard for review. Several
commenters expressed concern that the IRM proposals could be
duplicative of other federal agencies and could create conflicting
regulatory schemes and urged ONC to consult and collaborate with
federal partners and build on existing federal efforts to ensure bias,
discrimination, and other health equity concerns were addressed through
a unified AI government framework. One commenter recommended that the
proposed ``Safety'' characteristic should explicitly exclude FDA-
authorized AI and machine learning medical devices because they believe
that a risk assessment for these tools is best made by the FDA due to
their expertise in medical and clinical safety and being uniquely
positioned to draw conclusions and develop guidelines for the safe and
appropriate use of AI and machine learning tools.
Response. Given the broad uses of Predictive DSIs, ONC did not seek
to establish specific baselines, measures, or thresholds for what
constitutes FAVES in the HTI-1 Proposed Rule. These measures are likely
to vary based on specific technologies and uses of Predictive DSI. In
many cases, the safety and effectiveness of a software function,
including clinical decision support or other kinds of decision support
interventions, is within the purview of FDA regulatory oversight, when
such functionality meets the definition of a ``device'' under the FD&C
Act.[thinsp]As previously noted, ONC and FDA support a harmonized and
complementary approach to predictive technology in accordance with our
existing intersecting regulatory oversight. We sought to ensure there
would be limited, if any, contradictory requirements. We note that we
have afforded substantial flexibility to developers in practicing IRM.
For tools that have been authorized by the FDA, we believe it would be
appropriate for developers to provide information on FDA authorization
as part of the ``Safety'' characteristic. Furthermore, given the
intersecting interest across the Department to address the use of AI in
health, we consulted extensively with our HHS partners at AHRQ, FDA,
and OCR as well as our federal partners at the FTC and VA in developing
the HTI-1 Proposed Rule to advance our shared goals of promoting
greater trust in Predictive DSIs in healthcare that are fair,
appropriate, valid, effective, and safe to deliver patient care, enable
an effective marketplace, and greater competition.\137\
---------------------------------------------------------------------------
\137\ See generally HHS Press Release (April 2023), https://www.hhs.gov/about/news/2023/04/11/hhs-propose-new-rule-to-further-implement-the-21st-century-cures-act.html.
---------------------------------------------------------------------------
After consideration of these comments, we have finalized
requirements at Sec. 170.315(b)(11)(vi)(A) that for each Predictive
DSI supplied by the health IT developer as part of its Health IT
Module, the Predictive DSI must be subject to analysis of potential
risks and adverse impacts associated with Predictive DSI the following
characteristics: validity, reliability, robustness, fairness,
intelligibility, safety, security, and privacy. We note that we have
narrowed the scope of Predictive DSIs for which a developer is expected
to analyze risks and adverse impacts to only those Predictive DSIs that
are supplied by the health IT developer. As stated previously, this is
in response to public comments concerned with the overall scope of our
IRM practice requirements and the related burdens, difficulty, and
concerns around potential proprietary information related with getting
such information from other parties.
Risk Mitigation
In the HTI-1 Proposed Rule, we proposed to require implementation
of practices to mitigate risks associated with Predictive DSIs (88 FR
23801). In
[[Page 1277]]
the HTI-1 Proposed Rule, we proposed Sec. 170.315(b)(11)(vii)(A)(2) to
require implementation of practices to mitigate risks associated with
Predictive DSIs (88 FR 23801). We noted that risk mitigation practices
should seek to address adverse impacts or minimize anticipated negative
impacts of Predictive DSIs on patients and populations. We stated model
risk mitigation should include disciplined and knowledgeable
development and implementation practices that are consistent with the
real-world context of the model's use, intended specific application of
the model, and goals of the model user.
Comments. One commenter expressed concern that some developers may
engage in risky practices that result in harm or privacy violations and
requested more clarity on how certification criteria would exclude
developers from engaging in these practices. One commenter encouraged
ONC to clearly define the types of risks or harms that would disqualify
a developer from Program certification. One commenter expressed concern
that our proposal lacked requirements for DSI systems on managing
complaints, post market surveillance, and error or misuse detection
guidance, as well as reporting requirements related to these issues.
Response. We thank commenters for their concerns. We note that
developers should implement practices in full awareness that this final
rule will not change their responsibility under other applicable
laws,\138\ including those that provide legal protections to minimize
risk practices and prohibit discrimination. We expect that model
developers will use data for training and testing consistent with
applicable law, patients' expectations, and any patient consent or
preference given. We decline to further specify practices that would
disqualify a developer from the Program, beyond the eight
characteristics that must be addressed. As it relates to managing
complaints and reporting requirements, we note that ONC has long
maintained a ``health IT inquiry and feedback portal,'' available where
users and the public can file complaints and ask questions about
products certified under the Program.\139\ We also reiterate that
developers of certified health IT with Health IT Modules certified to
Sec. 170.315(b)(11) will be required to engage in real world testing
per requirements at Sec. 170.405.
---------------------------------------------------------------------------
\138\ See HIPAA Privacy and Security Rules, 45 CFR part 160 and
subparts A and E of part 164; 15 U.S.C. 45(a) (Section 5 of the FTC
Act) and Health Breach Notification Rule in 16 CFR part 318; U.S.
Dept of Health & Human Servs., Office for Civil Rights, Notice of
Proposed Rulemaking, Nondiscrimination in Health Programs and
Activities, 87 FR 47824, 47880 (Aug. 4, 2022), https://www.federalregister.gov/documents/2022/08/04/2022-16217/nondiscrimination-in-health-programs-and-activities (prohibiting
discrimination on the basis of race, color, national origin
(including limited English proficiency), sex (including sexual
orientation and gender identity), age, or disability in certain
health programs or activities through the use of clinical algorithms
in their decision-making); Title VI of the Civil Rights Act of 1964,
42 U.S.C. 2000d et seq. (prohibiting discrimination on the basis of
race, color, or national origin (including limited English
proficiency) in federally funded programs or activities); Title IX
of the Education Amendments of 1972, 20 U.S.C. 1681 et seq.
(prohibiting sex discrimination in federally funded education
programs or activities); the Age Discrimination Act of 1975, 42
U.S.C. 6101 et seq. (prohibiting age discrimination in federally
funded programs or activities); Section 504 of the Rehabilitation
Act of 1973, 29 U.S.C. 794 (prohibiting disability discrimination in
federally funded or federally conducted programs or activities); and
the Americans with Disabilities Act, 42 U.S.C. 12101 et seq.
(prohibiting disability discrimination by employers, state and local
government entities, and businesses that are open to the public,
among others).
\139\ https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/2.
---------------------------------------------------------------------------
Comments. Several commenters supported our proposal for risk
mitigation requirements. Several commenters recommended that ONC adopt
a tiered or risk-based approach to IRM practices and adopt requirements
that would only apply to applications that present a meaningful risk to
patients, allowing ONC to focus on high risk DSIs. These commenters
generally supported the assessment of risk in predictive models but
stated that requiring all models to adhere to the same set of
compliance and regulatory rigor seems both unnecessary and overly
burdensome. Some of these commenters also thought a risk-based approach
was appropriate for determining whether and which disclosure
requirements were necessary to prevent stifling innovation and prevent
overly restrictive reviews.
Response. We appreciate the comments supporting our proposal for
risk mitigation. We decline to accept the recommendation to take a
risk-based DSI approach as suggested. We reiterate that the Program is
not predicated on levels of risk and the DSI criterion will continue to
be agnostic to specific use cases, intended uses, and risks. As stated
in the HTI-1 Proposed Rule (88 FR 23799), we will require the
developers of certified health IT engage in and document risk
management practices related to eight characteristics: (1) validity;
(2) reliability; (3) robustness; (4) fairness; (5) intelligibility; (6)
safety; (7) security; and (8) privacy. However, we have provided
substantial flexibility in the risk management practices developers
engage in within those characteristics and the associated
documentation. Developers may therefore choose to apply different
levels of rigor to the risk analysis, risk mitigation, and governance
of different Predictive DSIs. Similarly, developers of certified health
IT may choose to apply different levels of detail describing their
approaches to risk management practices as part of the summary
information that must be summited per requirements in Sec.
170.523(f)(1)(xxi).
This approach also aligns with HIPAA Security Rule requirements for
covered entities and business associates. HIPAA covered entities, such
as health care providers and health plans, are generally among the
customers of developers of certified health IT. In many cases,
developers of certified health IT serve as HIPAA business associates to
their covered entity customers, such as health care providers or health
plans,\140\ and thus must comply with the HIPAA Security Rule. The
HIPAA Security Rule requires covered entities and business associates
to identify and assess risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic PHI
(``ePHI'') when conducting the risk analysis and risk management
required by the Security Rule, including any risks of third-party
access to a covered entity's or business associate's information
systems that contain electronic protected health information.\141\
---------------------------------------------------------------------------
\140\ See definitions of ``business associate'' and ``covered
entity'' at 45 CFR 160.103.
\141\ See the definition of ``electronic protected health
information'' at 45 CFR 160.103.
---------------------------------------------------------------------------
As noted in the HTI-1 Proposed Rule, similar to when a HIPAA
covered entity or business associate engages with a cloud service
provider,\142\ a developer of certified health IT, supplying an other
party-developed Predictive DSI as part of its Health IT Module,\143\
should understand the ways in which the technology or solution offered
by the other party would seek to connect to or integrate with the
certified health IT developer's product(s), so that the covered entity
or business associate can appropriately conduct its own risk analysis
and establish risk management
[[Page 1278]]
policies, as well as enter into appropriate Business Associate \144\
Agreements (BAAs).\145\ For example, a health IT developer providing
certified health IT as a business associate may consider including in
its risk analysis any risks associated with a decision by a covered
entity to connect or integrate an other party's Predictive DSI with the
developer's certified health IT products.\146\ Under the HIPAA Security
Rule, business associates have an independent obligation to identify
and manage risks, regardless of whether or not a BAA exists.\147\ If a
business associate relationship exists and a BAA does not exist, the
absence of a BAA does not relieve the business associate from HIPAA
Security Rule obligations.
---------------------------------------------------------------------------
\142\ U.S. Department of Health and Human Services, Office for
Civil Rights (OCR), Guidance on HIPAA & Cloud Computing: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html.
\143\ As noted in HTI-1 Proposed Rule at 88 FR 23796, we note
that these ``other parties'' may or may not have a contractual
relationship with the developer of certified health IT.
\144\ See definition of ``business associate'' at 45 CFR
160.103. Business associates include a subcontractor that creates,
receives, maintains, or transmits protected health information on
behalf of the business associate.
\145\ See 45 CFR 164.308(b) for information about the Security
Rule's requirements for BAAs. 45 CFR 164.502(e) permits a covered
entity to disclose PHI to a business associate and to allow a
business associate to create, receive, maintain, or transmit PHI on
its behalf, if the covered entity obtains satisfactory assurance
that the business associate will appropriately safeguard the
information. Additional guidance on BAAs, often referred to as
business associate contracts, is available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
\146\ The risk is based on the connection permitted to the
certified health IT product by the health IT developer and not
whether the developer has a direct or contractual relationship to
the other party.
\147\ Business associates are required to comply with the
requirements of the HIPAA Security Rule. 45 CFR 164.302. See OCR's
Direct Liability of Business Associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html; OCR's Security Rule Guidance material, available at:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es.
---------------------------------------------------------------------------
After consideration of these comments, we have finalized at Sec.
170.315(b)(11)(vi)(B) that for each Predictive DSI supplied by the
health IT developer as part of its Health IT Module, the Predictive DSI
must be subject to practices to mitigate risks, identified in
accordance with Sec. 170.315(b)(11)(vi)(A). We note that we have
narrowed the scope of Predictive DSIs for which a developer is expected
to mitigate risks to only those Predictive DSIs that are supplied by
the health IT developer as part of its Health IT Module. As stated
previously, this is in response to public comments concerned with the
overall scope of our proposed IRM practices requirements and the
related burdens, difficulty, and potential proprietary information
concerns related with getting such information from other parties.
Governance
In the HTI-1 Proposed Rule, we proposed Sec.
170.315(b)(11)(vii)(A)(3) to require that developers of certified
health IT establish policies and implement controls for Predictive DSIs
(88 FR 23802). We proposed that a developer of a certified Health IT
Module that enables or interfaces with a Predictive DSI must establish
policies and implement controls for how data are acquired, managed, and
used for said Predictive DSI.\148\ Governance should encompass models,
software and data developed or provided by other parties as well as
internally developed interventions.\149\
---------------------------------------------------------------------------
\148\ See, e.g., The Organisation for Economic Co-operation and
Development (OECD), Recommendation of the Council on Health Data
Governance, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0433; General Accountability Office (GAO), AI: An
Accountability Framework for Federal Agencies and Other Entities
(June 2021), https://www.gao.gov/assets/gao-21-519sp.pdf; See
generally GAO, Artificial Intelligence in Health Care: Benefits and
Challenges of Technologies to Augment Patient Care, (Nov. 2020),
https://www.gao.gov/products/gao-21-7sp.
\149\ See NIST AI RMF 1.0, https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf.
---------------------------------------------------------------------------
At 88 FR 23802-23803, we provided a discussion of the flexibility
developers of certified health IT would have to choose an approach to
meeting this proposed requirement that addresses their own unique
circumstances for their Predictive DSIs. This included setting and
enforcing priorities for managing and using data as a strategic asset,
which is a concept that identifies key activities of data governance as
data identification, data management policy, data issues management,
data assessment, data oversight, and data communications.\150\
---------------------------------------------------------------------------
\150\ See for example Federal Data Strategy, Data Governance
Playbook, https://resources.data.gov/assets/documents/fds-data-governance-playbook.pdf.
---------------------------------------------------------------------------
Comments. Several commenters supported our requirement to include
``governance'' as part of the IRM practices. However, many commenters
also expressed concern regarding our expectation that developers of
certified health IT review governance information from other parties or
that other parties provide the developer of certified health IT with
relevant IRM information so that such information may be available for
both detailed and summary documentation.
Response. We appreciate commenters' concerns. In response to public
comments, we have not finalized the requirements described in the HTI-1
Proposed Rule for developers of certified health IT to receive or have
access to specific risk management information from other parties
except when the health IT developer supplies an other party Predictive
DSI as part of its Health IT Module. We have finalized as part of
Governance requirements in Sec. 170.315(b)(11)(vi)(C), that for each
Predictive DSI supplied by the developer as part of its Health IT
Module, the Predictive DSI must be subject to policies and implemented
controls for governance, including how data are acquired, managed, and
used. As a result, we clarify that the expectation described in the
HTI-1 Proposed Rule that developers receive or have access to risk
management information for Predictive DSIs developed by other parties
is generally inapplicable, unless the developer of health IT is the one
supplying the other party's Predictive DSI as part of its Health IT
Module.
The NIST AI RMF Govern Section 6 discusses a need for policies and
procedures to be in place to address AI risks and benefits arising from
third-party software and data.\151\ We note that while not required to
follow the NIST AI RMF, developers of certified health IT may wish to
review Govern Section 6 as this section provides a number of suggested
actions and documentation questions that we believe would be
informative towards meeting governance requirements.\152\ Similarly,
The Office of the Comptroller of Currency similarly described several
best practices related to risk management of models developed by third
parties, including seventeen specific items included on its internal
control questionnaire.\153\ Many of these practices could apply to the
development of governance processes pertaining to risk management of
models authored by other parties including, for example, ``When relying
on third-party models, does management obtain ongoing performance
monitoring and outcomes analysis of the model conducted by third
parties''.\154\
---------------------------------------------------------------------------
\151\ NIST AI RMF. Govern, Section 6. Available at: https://airc.nist.gov/AI_RMF_Knowledge_Base/Playbook/Govern.
\152\ Ibid. Transparency and Documentation.
\153\ See Bd. Governors Fed. Rsrv. Sys., Off. of Comptroller of
the Currency, Supervisory Guidance on Model Risk Management, SR
Letter 11-7, (April 2011), https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm; Off. Comptroller Currency,
Comptroller's Handbook: Model Risk Management (Aug. 2021), https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/model-risk-management/index-model-risk-management.html.
\154\ Id.
---------------------------------------------------------------------------
[[Page 1279]]
Compile Detailed IRM Practice Documentation
In the HTI-1 Proposed Rule, we proposed that a health IT developer
that attests ``yes'' as part of proposed Sec. 170.315(b)(11)(v)(A)
would need to compile detailed documentation regarding IRM practices
and upon request from ONC make available such detailed documentation to
ONC for any Predictive DSI, as defined in Sec. 170.102, that the
certified Health IT Module enables or interfaces with (88 FR 23803). We
noted our belief that a developer of certified health IT subject to
this proposed requirement should be able to provide detailed
documentation of their IRM practices, if ONC requests such information,
without much effort because this information should be a byproduct of
employing or engaging in IRM practices.
Comments. Several commenters were not supportive of the proposed
requirements for detailed documentation of IRM practices and expressed
concern that including the term ``interfaces with'' as it relates to
the proposed IRM practices results in a policy that is too broad.
Specifically, commenters noted that obtaining detailed documentation
related to a third party's DSI tool is neither feasible nor
competitively rational and recommended that we limit the scope so that
developers are accountable for IRM practices for its own DSI only. One
commenter requested clarification on how developers of health IT would
meet the proposed documentation requirements when they would need to
obtain documentation from third-party developers.
Response. As discussed throughout this section, we have finalized a
more specific and limited scope for Predictive DSIs that are supplied
by the health IT developer as part of its Health IT Module. After
consideration of these comments, we have not finalized the proposals
requiring developers of certified health IT with Health IT Modules
certified to Sec. 170.315(b)(11) to compile detailed documentation
regarding the IRM practices listed in paragraph (b)(4)(iii) of this
section and upon request from ONC, make available such detailed
documentation for each Predictive DSI.
Request for Comment
Users of Certified Health IT and Predictive DSI Management
This request for comment included in the HTI-1 Proposed Rule (88 FR
23805-23806) focused on the DSI section, and we sought input on shared
responsibilities with users related to FAVES DSIs, including
intervention or model risk management during implementation
(deployment) and use, as well as model validation. We welcomed
technical and policy comments on this section. We received many
insightful comments on this request for comment. We appreciate the
input provided by commenters and may consider their input to inform a
future rulemaking.
Data Practices and Governance: Ethical, Legal, and Social
Implications of Data Collection and Use
This request for comment included in the HTI-1 Proposed Rule (88 FR
2380- 23807) focused on the DSI section and related to ONC's
authorities under the HITECH Act and the Cures Act with respect to
adopting standards, implementation specifications, and certification
criteria as part of the Program, overseeing developers of certified
health IT through Conditions and Maintenance of Certification
requirements, and serving in a coordinating role with respect to health
IT. We welcomed technical and policy comments on this section. We
received many insightful comments on this request for comment. We
appreciate the input provided by commenters and may consider their
input to inform a future rulemaking. We will also share relevant
comments with our federal partners in the Department.
Technical Data Standards and Data Management: Electronic
Data Source, Capture, and Use
This request for comment included in the HTI-1 Proposed Rule (88 FR
23808) focused on the DSI section and how ONC can further support
standardization and harmonization in these areas. We welcomed technical
and policy comments on this section. We received many insightful
comments on this request for comment. We appreciate the input provided
by commenters and may consider their input to inform a future
rulemaking.
xii. Public Disclosure and Availability of Summary Documentation and
Corresponding Proposals for ONC-ACBs in Sec. 170.523(f)(1)(xxi)
In the HTI-1 Proposed Rule, we proposed that a health IT developer
that attested ``yes'' consistent with our other proposals would need to
submit summary information of the IRM practices to its ONC-ACB via
publicly accessible hyperlink that allows any person to directly access
the information without any preconditions or additional steps (88 FR
23804). We also proposed a new Principle of Proper Conduct for the ONC-
ACBs to require ONC-ACBs to report the proposed summary information
that they received from developers of certified health IT on the
Certified Health IT Product List (CHPL) for the applicable Health IT
Modules. We noted our belief this new Principle of Proper Conduct is
consistent with existing public disclosure requirements (e.g., 45 CFR
170.523(f)(1)(xii) and Sec. 170.523(f)(1)(xx)) under the Program and
would help ensure accountability for the public availability of
information. We proposed to require that this summary information be
made available to ONC-ACBs via publicly accessible hyperlink by
December 31, 2024.
We stated that ``summary information'' should describe risk
management practices we enumerated in our proposals for the Predictive
DSIs with which a certified Health IT Module enables or interfaces
within general terms. We noted that ``summary information,'' is not
specific to any single Predictive DSI. Rather, the information pertains
to the suite or portfolio of Predictive DSIs enabled by or interfaced
with the certified Health IT Module. We noted that the summary
information likely encompasses variation in risk management practices
for different kinds of Predictive DSIs.
Similar to our policy associated with the API-focused certification
criteria in Sec. 170.315(g)(10)(viii)(B), at 88 FR 23805, we proposed
that all IRM documentation be available via a publicly accessible
hyperlink that allows any person to directly access the information
without any preconditions or additional steps. We clarified that for
the proposed IRM documentation, summary information would need to be
submitted to the developer of certified health IT's ONC-ACB for review
prior to issuing a certification. The availability of documentation as
part of the certification process is also consistent with existing
requirements for API documentation in Sec. 170.315(g)(10)(viii)(B)
(API documentation requirements were proposed in the Cures Act Proposed
Rule (84 FR 7484) and finalized in the ONC Cures Act Final Rule (88 FR
25748)).
To support submission of documentation, and consistent with other
Principles of Proper Conduct in Sec. 170.523(f)(1), we proposed a new
Principle of Proper Conduct for IRM practice documentation in Sec.
170.523(f)(1)(xxi) that ONC-ACBs report the information required in
Sec. 170.315(b)(11)(vii)(C) on the CHPL for the applicable certified
Health IT Modules. We believe this new Principle of Proper Conduct will
assist in promoting greater transparency for the
[[Page 1280]]
Program and will strengthen ONC-ACB oversight regarding IRM
documentation.
Comments. Several commenters expressed concern with the proposed
requirement to make summary information about IRM practices available
publicly because they believed it would require developers to risk
revealing their intellectual property or proprietary information,
increase administrative burdens, provide little value to the public,
and potentially create imbalance in the marketplace. A few commenters
suggested that the non-public information that the developer makes
available to prospective and existing clients as part of Program
certification requirements is sufficient to demonstrate adequate IRM
practices. Another commenter recommended flexibility for health care
providers that develop health IT solutions specific for use within
their EHR platform so that disclosure of proprietary model information
would be permissive.
Response. We appreciate and understand commenters concerns about
revealing proprietary information. However, we do not agree that
intellectual property or trade secrets are jeopardized through
publication of summary risk management information. Our final policy
gives developers of certified health IT flexibility to determine what
information to describe at what level of detail they feel is most
appropriate. To clarify, the summary information of IRM practices
requirement do not need to include public disclosure of specific
information on code, model tuning, parameter or hyperparameter
selection, or details on how individual input or output variables were
selected or operationalized, which we understand to form the
underpinnings of developers concerns related to intellectual property.
We encourage developers to provide information that they determine
would be useful to inform potential users of whether a model is FAVES
without providing information at the level of detail that might
constitute proprietary information.
We recognize there may be some burden associated with making
summary information of IRM practices publicly available but we believe
the benefits of such transparency outweigh those burdens, especially
given that we have not required generation of more detailed IRM
practice information as proposed. A primary objective of our policy is
to increase trust in the development and use of Predictive DSIs and
this includes making summary information on risk management practices
available to patients, researchers, policymakers, and other interested
parties.
Comments. Some commenters expressed support for the proposed
requirement to make summary information regarding IRM publicly
accessible. One commenter urged ONC to include an additional
requirement to require a developer to enclose an intelligible end-user
fact sheet that would disclose data used for training, potential risks,
concerns for bias, performance, and generalizability, at a minimum, and
in clear, concise language.
Response. We appreciate the comments and suggestions. We note that
much of the information the commenters requested is included within the
source attributes listed at Sec. 170.315(b)(11)(iv). We decline at
this time to require developers to disclose source attribute
information publicly, but we have finalized the requirement to publicly
disclose summary of IRM practices.
After consideration of these comments, we have finalized
requirements proposed in Sec. 170.523(f)(1)(xxi) requiring that ONC-
ACBs shall, where applicable, ensure that summary information of the
IRM practices listed in paragraph Sec. 170.315(b)(11)(vi) is submitted
by the health IT developer via publicly accessible hyperlink that
allows any person to access the summary information directly without
any preconditions or additional steps.\155\
---------------------------------------------------------------------------
\155\ Please visit the Program's Certified Health IT Product
List (CHPL) for information about the Program's authoritative
listing of all certified health IT that have been successfully
tested and certified, available at https://chpl.healthit.gov/#/search.
---------------------------------------------------------------------------
xiii. Annual Review
Finally, in the HTI-1 Proposed Rule at Sec. 170.315(b)(11)(vi)(D),
we proposed to require developers of certified health IT that attested
``yes'' to review annually and, as necessary, update detailed and
summary documentation (88 FR 23805). We noted that we viewed the
detailed documentation required as being a by-product of the proposed
requirement for the developer of certified health IT to engage or
employ in IRM practices. Thus, we expect that developers of certified
health IT subject to this proposed requirement would review
documentation associated with their IRM practices annually and, as
necessary, update their documentation. Further, we noted our belief
that developers of certified health IT that attested ``yes'' would
consider risk as part of ongoing development cycles, and these risks
should be assessed in a timely manner so that risk analysis
documentation is up to date. Similar to the HIPAA Security Rule,\156\
which requires covered entities and business associates to conduct
ongoing risk analysis,\157\ we proposed that developers of certified
health IT with Health IT Modules that enable or interface with
Predictive DSIs review their IRM practices and update their
documentation as necessary.
---------------------------------------------------------------------------
\156\ 45 CFR part 160 and subparts A and C of part 164.
\157\ 45 CFR. 164.306(e) and 164.316(b)(2)(iii); see also OCR
Guidance on Risk Analysis, https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
(noting that ``in order for an entity to update and document its
security measures `as needed,' which the HIPAA Security Rule
requires, it should conduct continuous risk analysis to identity
when updates are needed'').
---------------------------------------------------------------------------
As noted in the HTI-1 Proposed Rule, we considered an annual review
as a way to establish a minimum expectation for updating IRM
documentation, and believed that would be good for Predictive DSIs to
undergo a full validation process at some fixed interval, including
updated documentation of all related activities (88 FR 23805). As noted
in the HTI-1 Proposed Rule, we considered an annual review as a way to
establish a minimum expectation for updating IRM documentation, and we
believed that would be good practice for Predictive DSIs to undergo a
full validation process at some fixed interval, including updated
documentation of all related activities (88 FR 23805). While we did not
propose more frequent reviews, we stated those may be appropriate for
developers of certified health IT that have Health IT Modules that
enable or interface with numerous or complex Predictive DSIs.
Comments. We did not receive substantive feedback regarding this
requirement for annual review.
Response. As a result, consistent with all other policy changes we
have made for this final certification criterion, we have finalized
requirements in Sec. 170.402(b)(4) that developers with Health IT
Modules certified to Sec. 170.315(b)(11), starting January 1, 2025 and
on an ongoing basis thereafter review and update, as necessary,
information in Sec. 170.315(b)(11)(v)(A) and (B), risk management
practices described in Sec. 170.315(b)(11)(vi), and summary
information provided through Sec. 170.523(f)(1)(xxi). As noted
previously (see prior comment responses in ``v. Predictive Decision
Support Interventions, Attestation for Predictive Decision Support
Interventions''), we have determined that a supportive Maintenance of
Certification requirement as part of the Assurances
[[Page 1281]]
Condition of Certification is necessary to fully implement our policy
objectives and proposals. We believe that this finalized policy is
substantially similar to what we proposed in Sec.
170.315(b)(11)(vii)(D). Moreover, we believe that this finalized policy
maintains a substantially similar, or reduces, scope for developers of
certified health IT, depending on whether they supply a Predictive DSI
as part of its Health IT Module. For developers of certified health IT
that would have attested ``no'' to our proposed attestation statement,
these developers do not supply a Predictive DSI as part its Health IT
Module and, therefore, do not have IRM practices or IRM summary
information that needs to be reviewed and updated. For developers of
certified health IT that would have attested ``yes'' to our proposed
attestation statement, these finalized requirements are a reduction in
scope given our focus on Predictive DSIs supplied by a health IT
developer as part of its Health IT Module, as compared to our proposed
scope of Predictive DSIs enabled or interfaced with a Health IT Module.
The requirements proposed are the same as the requirements finalized
for these developers of certified health IT that must review and
update, as necessary, risk management practices described in Sec.
170.315(b)(11)(vi), and summary information provided through Sec.
170.523(f)(1)(xxi).
As for the finalized requirement in Sec. 170.402(b)(4) to review
and update source attribute information in Sec. 170.315(b)(11)(v)(A)
and (B), we believe this is a clearer articulation of our intention
proposed at Sec. 170.315(b)(11)(vi)(A) and (C). This annual review
process clarifies expectations that developers of certified health IT
must review and update, as necessary, on an ongoing basis the source
attribute information that was proposed to be available for user review
in Sec. 170.315(b)(11)(vi)(A) and (C).
xiv. Update From Clinical Decision Support to Decision Support
Intervention Criterion
At 88 FR 23808, we proposed modifications to the Base EHR
definition in Sec. 170.102 to identify that a Health IT Module can be
certified to either Sec. 170.315(a)(9) or Sec. 170.315(b)(11) to
satisfy the definition for the period up to and including December 31,
2024. We also proposed that Sec. 170.315(a)(9) would no longer be
included as part of the Base EHR definition after December 31, 2024.
Rather, only Sec. 170.315(b)(11) and not Sec. 170.315(a)(9) will be
available as a certification criterion to satisfy the definition of
Base EHR beginning January 1, 2025.
Additionally, in Sec. 170.315(a)(9)(vi) we proposed that the
adoption of Sec. 170.315(a)(9) would expire on January 1, 2025, for
purposes of the Program. Together, these proposals identified the dates
when Sec. 170.315(b)(11) replaces Sec. 170.315(a)(9) in the Base EHR
definition, and they indicated when Health IT Modules certified to
Sec. 170.315(a)(9) will need to be certified to Sec. 170.315(b)(11)
to maintain compliance with the Base EHR definition.
Comments. Several commenters were not supportive of the proposed
requirement to developers of certified health IT with Health IT Modules
certified to Sec. 170.315(a)(9) who wish for those Health IT Modules
to continue to meet the Base EHR definition would need to certify those
Health IT Modules to Sec. 170.315(b)(11) by December 31, 2024, and
requested that the timeframe be extended due to the feasibility of
implementation. Specifically, commenters requested a compliance
timeframe of 24-36 months from final rule to design, program, test,
certify, deploy to customers and real word test any new certification
requirements for DSI.
Response. We thank commenters for their comments regarding our
proposal to modify the Base EHR definition in Sec. 170.102 to identify
the dates when Sec. 170.315(b)(11) replaces Sec. 170.315(a)(9) in the
Base EHR definition. As part of a broader timing strategy, and in
acknowledgement of the important work related to Predictive DSI
transparency that is needed now, we have finalized our proposal that
the reference to Sec. 170.315(a)(9) as part of the Base EHR definition
in Sec. 170.102, thus its availability as a certification criterion in
the Program, would expire January 1, 2025. We have finalized that
developers of certified health IT with Health IT Modules certified to
Sec. 170.315(a)(9) who wish for those Health IT Modules to continue to
meet the Base EHR definition would need to certify those Health IT
Modules to Sec. 170.315(b)(11). We also note for purposes of the
Program that the certification criterion at Sec. 170.315(a)(9) expires
on January 1, 2025.
b. Updates to Real World Testing Condition for CDS Criterion
At 88 FR 23808-23811, we proposed to revise Sec. 170.405(a) to
include Sec. 170.315(a)(9) within the list of certification criteria
for which a developer of certified health IT with Health IT Module(s)
certified to such criteria must successfully test the real world use of
those Health IT Module(s) for interoperability in the type of setting
in which such Health IT Module(s) would be or are marketed. As
proposed, this meant that a developer of certified health IT with a
Health IT Module certified to Sec. 170.315(a)(9) would be subject to
the requirements set forth in Sec. 170.405(a) (88 FR 23808). We noted
that the effects of including Health IT Modules certified to Sec.
170.315(a)(9) in Sec. 170.405(a) and the effect of proposing a revised
version of the CDS criterion in Sec. 170.315(b)(11) would require
developers of certified health IT certified to Sec. 170.315(a)(9) and
Sec. 170.315(b)(11) to follow the testing plans, methods, and results
reporting; submission dates; and August 31 deployment deadline
requirements in Sec. 170.405(b) similar to the requirements of other
applicable certification criteria listed in Sec. 170.405(a) (88 FR
23809). We anticipated that if finalized as proposed this would mean
that Health IT Modules certified to Sec. 170.315(a)(9) would be
subject to the real world testing Condition and Maintenance of
Certification requirements beginning with the 2023 real world testing
cycle.
Comments. Commenters were mixed in their support and opposition to
our proposal to add Sec. 170.315(a)(9) to the list of applicable
certification criteria for the real world testing Condition and
Maintenance of Certification requirement in Sec. 170.405(a) and thus
requiring developers certified to Sec. 170.315(a)(9) or Sec.
170.315(b)(11) to participate in real world testing plan and results
submission. Commenters that did not support including Sec.
170.315(a)(9) in the list of applicable criteria for real world testing
Condition and Maintenance of Certification requirements stating that it
would be infeasible, and a poor investment of time and resources given
the possible timing of this final rule publication in conjunction with
requirements for 2024 real world testing plan submissions in November
of 2023. Commenters stated that it would create significant developer
burden to meet this requirement for a criterion that developers could
not certify to after December 31, 2024. Many of these commenters
instead said we should limit real world testing requirement to
developers of certified health IT with Health IT Module(s) certified to
Sec. 170.315(b)(11). Commenters suggested that by only including Sec.
170.315(b)(11) then ONC and developers could focus resources on a
revised criterion instead of a retired criterion. Commenters also
recommended a phased approach for the inclusion of Predictive DSI into
real
[[Page 1282]]
world testing given the burden on developers to implement other
proposals in the rule, notably the new Insights Condition and
Maintenance of Certification requirements.
Commenters who were supportive of the proposal to add Sec.
170.315(a)(9), thus requiring developers certified to Sec.
170.315(b)(11) to participate in real world testing, stated that it
would have the benefit of testing predictive models in a diverse range
of real world clinical settings, thereby creating a more accurate,
comprehensive, and contextual understanding of a model's performance.
Commenters noted that including CDS will help ensure implementation of
the CDS Criterion, future certification criteria, and other elements
discussed in this rule are effective, efficient, minimally burdensome,
and beneficial, and would ensure intended performance in practice. One
commenter stated that adding CDS to real world testing will give
developers an opportunity to determine if the user community is using
their interventions, and if so, the ability to determine how the
interventions are being used. Lastly, one commenter believed that
testing decision support intervention technology and predictive models
successfully for real world use enhances interoperability and patient
care experience in which certified Health IT Modules would be marketed.
Response. We appreciate comments regarding our proposal to revise
Sec. 170.405(a) to include Sec. 170.315(a)(9). Given the mixed
support from commenters and finalization of our policy to replace Sec.
170.315(a)(9) with Sec. 170.315(b)(11) as of January 1, 2025, we have
not finalized our proposal to modify Sec. 170.405(a) to include Health
IT Modules certified to Sec. 170.315(a)(9). We agree with commenters
that requiring developers of certified health IT with Health IT Modules
certified to Sec. 170.315(a)(9) to engage in real world testing for
only the period of time before the revised criterion expires is
unnecessary. We continue to believe there is value for developers of
certified health IT with Health IT Modules certified to Sec.
170.315(a)(9) to demonstrate how their support of evidence-based CDS
and linked referential CDS positively impacts patient care through real
world testing plans and results; however, we think it would be more
important for developers of certified health IT to spend time and
resources conforming to requirements in Sec. 170.315(b)(11) and Sec.
170.402(b)(4) by January 1, 2025.
We note that because all criteria in Sec. 170.315(b) are already
subject to real world testing requirements in Sec. 170.405, Health IT
Modules certified to Sec. 170.315(b)(11) prior to August 31, 2024,
would need to, among other requirements, address each of the elements
in Sec. 170.405(b)(1)(iii)(A) through (G) in their real world testing
plans by December 15, 2024, and submit results based on those plans no
later than March 15, 2026.
We appreciate those commenters who supported our proposals for real
world testing because it would have various benefits for more accurate,
comprehensive, and contextual understanding of a model's performance.
We also appreciate the commenters that stated how real-world testing
will give developers an opportunity to determine if the user community
is using their interventions, and if so, the ability to determine how
the interventions are being used. We agree and we encourage developers
of certified health IT to consider ways to demonstrate validity or
fairness of Predictive DSIs in local data as a means to fulfill the
requirements for real world testing plans and results.
Comments. A minority of commenters did not support including either
Sec. 170.315(a)(9) or Sec. 170.315(b)(11) in real world testing and
stated neither certification criterion appropriately fit the stated
intent for the scope of Real world Testing Condition and Maintenance of
Certification. One commenter recommended including Sec. 170.315(a)(9)
in real world testing, with the proposed updates, but only if ONC would
keep Sec. 170.315(a)(9) as a certification criterion and add Sec.
170.315(b)(11) as a separate certification criterion, noting that
requiring real world testing for Predictive DSI immediately after
development and implementation is overly burdensome for developers.
Response. We appreciate these comments and we have not finalized
our proposal to modify Sec. 170.405(a) to include Health IT Modules
certified to Sec. 170.315(a)(9). We note that certification criteria
at Sec. 170.315(b) are already subject to real world testing
requirements identified in Sec. 170.405; thus, Health IT Modules
certified to Sec. 170.315(b)(11) will be subject to the same
requirements currently applied to Health IT Modules certified to Sec.
170.315(b)(1), for example. We believe real world testing would not be
overly burdensome with the implementation of the DSI requirements under
Sec. 170.315(b)(11).
Comments. A few commenters questioned the logistics of real world
testing CDS and DSI criteria and sought clarity on how the proposed
real world testing plan will be assessed. Specifically, one commenter
sought clarity on how real world testing would impact a health plan's
existing operations. One commenter suggested that certification testing
could be accomplished using a test data set that incorporates synthetic
patient records containing a wide range of demographic and health
condition information, including rare diseases and conditions, noting
that DSI training and testing data should be developed in collaboration
with provider, patient, research, and health IT partners and made
available to all parties in a standardized, computable format. In the
interest of program flexibility, one commenter suggested that real
world testing of CDS should allow for some types of survey or
questionnaire form for providers to offer feedback on the value and use
of CDS in the EHR rather than trying to capture analytics or metrics on
CDS use from the EHR as developers are required to do with other real
world testing criteria.
Response. We note that we did not propose any changes to the
requirements of real world testing plans and results submission, which
are currently described in Sec. 170.405(b)(1)-(2). We also invite
readers to review discussion in the ONC Cures Act Final Rule at 85 FR
25766 and visit the numerous resources we have developed to support
ongoing implementation of the real world testing Condition and
Maintenance of Certification requirements at https://www.healthit.gov/topic/certification-ehrs/real-world-testing.
6. Synchronized Clocks Standard
We proposed at 88 FR 23811 to remove from 45 CFR 170.210(g) the
current named specification for clock synchronization, which is Network
Time Protocol (NTP v4 of RFC 5905). However, we proposed to amend 45
CFR 170.210(g) so that Health IT Modules certified to applicable
certification criteria continue to utilize any Network Time Protocol
(NTP) standard that can ensure a system clock has been synchronized and
meets time accuracy requirements. The applicable certification criteria
that either reference the NTP standard, revised in Sec. 170.210(g), or
cross-reference a provision that references Sec. 170.210(g), include
Sec. 170.315(d)(2), Sec. 170.315(d)(3), Sec. 170.315(d)(10), and
Sec. 170.315(e)(1) (88 FR 23811).
Comments. Commenters, including health information technology
companies, consumer and patient advocacy groups, health IT expert
organizations, and professional trade
[[Page 1283]]
associations, uniformly agreed with our proposal to remove the named
standard in Sec. 170.210(g) and instead require the date and time
recorded utilize a system clock that has been synchronized using any
NTP standard. Several commenters welcomed the flexibility offered by
this approach to use updated versions of NTP or specified versions of
NTP, such as Microsoft's MS-SNTP. One commenter noted support for our
proposal but urged consistency across organizational networks and
systems to ensure that the same network time protocol is used across
all servers and platforms.
Response. We appreciate the commenters' support for this proposal.
We have finalized the changes as proposed, including the removal of a
named standard in Sec. 170.210(g), but we will require Health IT
Modules to utilize a system clock that has been synchronized using any
NTP standard.
Comments. A health IT expert organization requested ONC comment on
the NTP test procedure by either explicitly removing the demonstration
requirement or describing a test procedure to demonstrate time server
accuracy to accommodate a variation in time services used.
Response. We thank the commenter for the comment. While the request
is outside the scope of this final rule because conformance methods,
including testing procedures, are not determined as part of notice and
comment rulemaking, we will consider updating the test procedures in
the future.
7. Standardized API for Patient and Population Services
In the HTI-1 Proposed Rule, we proposed to reorganize Sec. 170.215
to delineate the purpose and scope more clearly for each type of
standard or implementation specification (88 FR 23812). We refer
readers to the HTI-1 Proposed Rule (88 FR 23812) for additional
background history. We proposed to revise the structure of Sec.
170.215 as follows:
Application Programming Interface Standards.
(a) API base standard.
(b) API constraints and profiles.
(c) Application access and launch.
(d) Bulk export and data transfer standards.
(e) API authentication, security, and privacy.
Comment. We received one comment supporting the revision of the
structure of the API related standards.
Response. We thank the commenter for their support. We have
finalized the revised structure of Sec. 170.215 as proposed. This
restructuring will impact cross-references in the certification
criterion at Sec. 170.315(g)(10) in several subparagraphs, including
Sec. 170.315(g)(10)(i)(A) and (B); Sec. 170.315(g)(10)(ii); Sec.
170.315(g)(10)(iv)(A) and (B); Sec. 170.315(g)(10)(v)(A)(1)(i) and
(ii); Sec. 170.315(g)(10)(v)(A)(2)(i) and (ii); Sec.
170.315(g)(10)(v)(B); and Sec. 170.315(g)(10)(vii).
a. Native Applications and Refresh Tokens
In an interim final rule (IFR) published on November 4, 2020 (85 FR
70064), we addressed an ambiguity regarding how our refresh token
requirements, in Sec. 170.315(g)(10)(v)(A), would apply to ``native
applications.'' \158\ In response to public feedback in the IFR and
subsequent interaction with interested parties, a history of which can
be found in the HTI-1 Proposed Rule (88 FR 23812), we proposed in the
HTI-1 Proposed Rule to remove mention of ``applications capable of
storing a client secret'' from Sec. 170.315(g)(10)(v)(A)(1)(ii) and
Sec. 170.315(g)(10)(v)(A)(2)(ii), as well as to revise Sec.
170.315(g)(10)(v)(A)(1)(ii) to state, ``A Health IT Module's
authorization server must issue a refresh token valid for a period of
no less than three months to applications using the `confidential app'
profile according to an implementation specification adopted in Sec.
170.215(c)'' (88 FR 23813). We also proposed to revise Sec.
170.315(g)(10)(v)(A)(2)(ii) to state, ``A Health IT Module's
authorization server must issue a refresh token valid for a new period
of no less than three months to applications using the `confidential
app' profile according to an implementation specification adopted in
Sec. 170.215(c)'' (88 FR 23813). We stated that these proposed
revisions would better reflect a Health IT Module's obligation for
first time and subsequent connection refresh tokens using concepts
familiar to industry and according to the HL7 FHIR SMART Application
Launch Framework Implementation Guide (IG). We noted that existing
requirements for Health IT Modules to issue a refresh token to native
applications, consistent with Sec. 170.315(g)(10)(v)(A)(1)(iii),
remained unchanged.
---------------------------------------------------------------------------
\158\ According to IETF RFC 6749, ``native applications are
``clients installed and executed on the device used by the resource
owner (i.e., desktop application, native mobile application).''
See[thinsp]IETF RFC 6749: https://tools.ietf.org/html/rfc6749.
---------------------------------------------------------------------------
We also stated in the HTI-1 Proposed Rule that we would continue to
monitor implementation of Sec. 170.315(g)(10), engage with the
standards development community, and provide information through
existing ONC Certification Companion Guides (CCGs), the ONC API
Resource Guide, and other educational materials.
Comments. Many commenters expressed support for our proposal to
revise Sec. 170.315(g)(10)(v)(A)(1)(ii) and (2)(ii) to reference the
``confidential app'' profile defined in the HL7 FHIR SMART Application
Launch Framework IG as part of our refresh token support requirements.
Several of these commenters expressed appreciation for our reference to
an industry standard and noted the important role of this standard for
driving consistent implementations and interoperability.
Response. We appreciate the feedback from commenters. We have
finalized our revisions to Sec. 170.315(g)(10)(v)(A)(1)(ii) and
(2)(ii) as proposed.
Comments. Some commenters raised concerns around the impacts to app
developers of breaking API changes, particularly changes that affect
refresh token validity. These commenters suggested requirements that
app developers be given advance notification of upcoming breaking
changes that affect refresh tokens.
Response. We appreciate these commenters' concerns and suggestions.
We remind commenters of the scope of our revisions to Sec.
170.315(g)(10)(v)(A)(1)(ii) and (2)(ii) in this final rule, and
specifically note that our revisions do not change certain previously
finalized requirements around refresh tokens, namely that Health IT
Modules certified to Sec. 170.315(g)(10) must issue refresh tokens
valid for a period of no less than three months.\159\ We also remind
commenters of our existing API Conditions and Maintenance of
Certification requirements at 45 CFR 170.404, which apply to developers
of certified health IT with Health IT Modules certified to Sec.
170.315(g)(10). Specifically, at Sec. 170.404(a)(4)(iii), we have
``service and support obligations'' that Certified API Developers must
abide by. These obligations include requirements for Certified API
Developers to ``make reasonable efforts to maintain the compatibility
of its certified API technology and to otherwise avoid disrupting the
use of certified API technology in production environments'' by API
Users. While we appreciate the specific suggestions from commenters for
added requirements, we decline to add these requirements in this final
rule. In the circumstance
[[Page 1284]]
where a Certified API Developer must make a change to their technology
that affects refresh token validity, we expect that the Certified API
Developer abide by the obligations referenced above to enable the
continued and effective production use of their certified API
technology.
---------------------------------------------------------------------------
\159\ See Sec. 170.315(g)(10)(v)(A)(1)(ii), (iii), and (2)(ii)
in 85 FR 70083.
---------------------------------------------------------------------------
Comments. Some commenters suggested that refresh tokens for non-
patient facing applications should be reviewed on a case-by-case basis
for security reasons. One commenter asked that we clarify that apps
may, at times, be required to request a new token with new access
scopes instead of using a refresh token and that this is not a
violation of our refresh token policies. Another commenter suggested
that we change the requirements for the duration of refresh tokens and
that three months is not always appropriate in all cases.
Response. We appreciate these suggestions from commenters. We do
not agree that we should include separate requirements for refresh
tokens that apply only in non-patient facing application use cases at
this time. We remind this commenter of what we stated in the ONC Cures
Act Final Rule at 85 FR 25746--25747 when responding to commenters who
similarly raised security concerns and suggested we finalize different
requirements for refresh tokens based on patient versus non-patient
facing application use cases. Those sections of the ONC Cures Act Final
Rule also clarify what implementers of Sec. 170.315(g)(10)-certified
Health IT Modules are allowed to do regarding refresh token length and
clarify what practices we see as restricted. We stated in the ONC Cures
Act Final Rule that ``[r]efresh tokens are commonly used in healthcare
and other industries'' and that ``implementers of Sec. 170.315(g)(10)-
certified Health IT Modules are not prohibited from changing the length
of refresh tokens for users of the API including patients and providers
to align with their institutional policies.'' We also stated that
``implementers of Sec. 170.315(g)(10)-certified Health IT Modules
should be mindful of information blocking provisions applicable to them
and that requiring patients to re-authenticate and re-authorize at a
high frequency could inhibit patient access and implicate information
blocking'' (85 FR 25747).
Regarding duration of refresh tokens, we again remind commenters of
what we clarified in the ONC Cures Act Final Rule where we noted that
``we believe a refresh token valid for a period of three months is
sufficient to balance persistent access and security concerns'' (85 FR
25747). We also stated that implementers (e.g., hospitals) ``of Sec.
170.315(g)(10)-certified Health IT Modules are not prohibited from
changing the length of refresh tokens for users of the API, including
patients and providers, to align with their institutional policies.
Further, implementers of Sec. 170.315(g)(10)-certified Health IT
Modules are not prohibited from implementing their Sec.
170.315(g)(10)-certified Health IT Modules in accordance with their
organizational security policies and posture, including by instituting
policies for re-authentication and re-authorization (e.g., providers
and/or patients could always be required to re-authenticate and re-
authorize after a set number of refresh tokens have been issued)'' (85
FR 25747). Further, we clarify that Sec. 170.315(g)(10)-certified
Health IT Modules may require a new authorization request from an
application to provision that application with scopes not already
granted.
In acknowledgement of the comments received, we have finalized our
requirements in Sec. 170.315(g)(10)(v)(A)(1)(ii) and (2)(ii) to
reference the ``confidential app'' profile defined in the HL7 FHIR
SMART Application Launch Framework as proposed.
b. FHIR United States Core Implementation Guide Version 5.0.1
In the HTI-1 Proposed Rule, 88 FR 23813 to 238144, we included a
proposal to adopt the FHIR US Core IG v5.0.1 in Sec. 170.215(b)(1)(ii)
and incorporate it by reference in Sec. 170.299. We noted that based
on the annual US Core release cycle, the FHIR US Core IG v6.0.0 would
likely be published between the release of the HTI-1 Proposed Rule and
our finalization of this final rule. Assuming the FHIR US Core IG
v6.0.0 was published prior to the release of this final rule, we stated
that we would consider adopting v6.0.0 rather than v5.0.1. We stated
our belief that the FHIR US Core IG v6.0.0 would support the data
elements and data classes in USCDI v3, which we also proposed to adopt
in the HTI-1 Proposed Rule.
In addition, we proposed to update some of the cross-references to
the FHIR US Core IG v3.1.1 in Sec. 170.215(a)(2) in Sec.
170.315(g)(10)(i)(A) and (B), (ii)(A) and (iv)(A) to instead refer to
FHIR US Core IG v5.0.1. Finally, we proposed to restructure the
standards in Sec. 170.215 to better categorize API standards and to
enable simultaneous use of different versions of IGs for a set period.
For example, we proposed categorizing the US Core IG v3.1.1 in Sec.
170.215(b)(1)(i) as part of a group of standards for constraining and
profiling data elements, and we proposed that the adoption of this
standard would expire on January 1, 2025. We proposed to include the US
Core IG v5.0.1 in this same group in Sec. 170.215(b)(1)(ii).
Comments. Commenters overwhelmingly supported our proposal to
advance the version of the FHIR US Core IG included in Sec. 170.215
and incorporated by reference in Sec. 170.299. Most of the commenters
specifically voiced support for including the FHIR US Core IG v6.0.0,
which was published in May 2023 and supports the data elements and data
classes in USCDI v3. We did not receive any comments in favor of
adopting the FHIR US Core IG v5.0.1 rather than v6.0.0. Commenters
noted that the FHIR US Core IG v6.0.0 aligns with our proposals
elsewhere in the HTI-1 Proposed Rule, including our proposals to adopt
USCDI v3 and the SMART v2 IG.
We received only one comment in opposition to the proposal to
advance the version of the FHIR US Core IG, which expressed concerns
about the limited amount of time for developers to test and implement
v5.0.1. While still supportive of advancing the version of the FHIR US
Core IG, several other commenters also expressed concerns about the
timelines for adoption of the latest version. These commenters urged
ONC to acknowledge the development time and effort required to support
a newer version of the US Core FHIR IG and consider extending the
deadline for certification to a newer version.
Response. We thank the commenters for their support. The HL7
standards development community published FHIR US Core 6.0.0 in May
2023. As anticipated, FHIR US Core 6.0.0 added new and updated FHIR
profiles to represent new data elements and classes included in USCDI
v3. We considered adopting FHIR US Core 5.0.1 and FHIR US Core 6.0.0
and using the Standards Version Advancement Process (SVAP) to enable
developers of certified health IT to use FHIR US Core 6.1.0 to certify
Health IT Modules that require support of the USCDI. However, we
concluded that this would be insufficient to achieve our policy
objectives for improved interoperability and lead to misalignment in
the marketplace. This is because use of the SVAP by developers of
certified health IT is voluntary and experience to-date indicates that
a minority of developers of certified health IT choose to avail their
Health IT Modules to use newer standards. Adopting FHIR US Core 6.1.0
establishes a consistent baseline across all Health IT Modules
certified to
[[Page 1285]]
criteria that reference the USCDI and provides clarity to developers of
certified health IT regarding which version of the US Core IG they are
expected to use in support of USCDI v3 and which version they can
expect to encounter when interacting with other actors in the health IT
ecosystem, industry-wide.
After the publishing of FHIR US Core 6.0.0, HL7 found errors with
how the guide implemented data elements in USCDI v3 and had to make
updates to the specification to align with USCDI v3 and ensure that
USCDI v3 can be implemented in Health IT Modules. Adopting FHIR US Core
6.1.0 is necessary for developers of certified health IT to have
appropriate implementation guidance to meet the criteria adopted in
this final rule that reference USCDI v3. Based on public comments on
this and prior rulemakings, we believe that the health IT industry,
healthcare standards developers, and health care providers expect and
support ONC making such determinations so that the adopted version of
standards are the most up-to-date available and are feasible for real
world implementation (see, for example, 85 FR 25677 and 25708).
We have finalized the adoption of the FHIR US Core 6.1.0 in Sec.
170.215 and incorporated it by reference in Sec. 170.299. We have also
finalized our proposal to restructure the standards in Sec. 170.215
and adopted the FHIR US Core 6.1.0 at Sec. 170.215(b)(1)(ii).
Likewise, we have finalized our proposal to categorize the FHIR US Core
IG v3.1.1 in Sec. 170.215(b)(1)(i) as part of a group of standards for
constraining and profiling data elements and have finalized our
proposal that the adoption of this standard would expire on January 1,
2026. With regard to concerns about compliance dates, we refer readers
to the discussion in section II.C (General Comments on the HTI-1
Proposed Rule) of this final rule.
c. FHIR Endpoint for Service Base URLs
In the ONC Cures Act Final Rule, we finalized API Maintenance of
Certification requirements in 45 CFR 170.404(b)(2) which contain a
specific provision requiring Certified API Developers, for Health IT
Modules certified to the certification criterion in Sec.
170.315(g)(10), to publicly publish certain ``service base URLs''--
otherwise known as ``endpoints''--for all their customers and in a
machine-readable format at no charge (85 FR 25764--25765). These
electronic endpoints are the specific locations on the internet that
make it possible for apps to access EHI at the patient's request.
As we developed these service base URL publication requirements in
the ONC Cures Act Final Rule, we acknowledged the importance of
industry alignment and standardization in this area by indicating that
we ``strongly encourage API Technology Suppliers, health care
providers, HINs and patient advocacy organizations to coalesce around
the development of a public resource or service from which all
interested parties could benefit'' (84 FR 7494). We ultimately did not
adopt specific standards for the publication format of these service
base URLs in the ONC Cures Act Final Rule to provide industry an
opportunity to coalesce on specifications. We finalized Sec.
170.404(b)(2) to require that Certified API Developers must make their
service base URLs freely accessible and in a machine-readable format at
no charge (85 FR 25765).
However, since the ONC Cures Act Final Rule was published, we have
found that developers with publicly discoverable endpoint lists have
defined their own bespoke publication approaches and unique formats.
This variability across developers of certified health IT in the format
they are using to publish their service base URLs indicates the
industry has not coalesced around a common framework or approach.
Research conducted through ONC's Lantern Project confirms this
variability among developers of certified health IT, which is hindering
maturation of a vibrant app ecosystem for patients and the healthcare
community,\160\ a primary objective within the Federal Health IT
Strategic Plan.\161\
---------------------------------------------------------------------------
\160\ https://www.healthit.gov/buzz-blog/healthit-certification/shining-a-light-on-fhir-implementation-progress-toward-publishing-fhir-endpoints.
\161\ See objective 1b in the 2020-2025 Federal Health IT
Strategic Plan at https://www.healthit.gov/topic/2020-2025-federal-health-it-strategic-plan.
---------------------------------------------------------------------------
The inconsistent implementation of our service base URL requirement
has also rendered important data meant to facilitate connections to
endpoints difficult to access.\162\ Specifically, the organization
details of the API Information Source associated with a service base
URL is not always available, and even when available, is not always
available in a format that can be readily used. Patient-facing apps
require access to these service base URLs to provide patients access to
information maintained by specific provider organizations that deploy
certified API technology (i.e., API Information Sources). Without
standardized formats and an ability to search for service base URLs,
patients are hindered in their ability to find which service base
URL(s) refer to their provider. Similar barriers exist for others
involved in healthcare seeking to leverage apps for interoperability.
---------------------------------------------------------------------------
\162\ https://www.healthit.gov/news/events/onc-lantern-workshop.
---------------------------------------------------------------------------
Additionally, it is difficult to map multiple, unique organizations
to service base URLs. Experience to-date indicates that the name of the
organization associated with a service base URL is typically formatted
as free text (i.e., String). A single String is unable to represent the
complexity of healthcare systems, where a system can contain many
subsystems, or where a FHIR API URL can support a set of systems.
Including all organizations that are serviced by a service base URL is
important for discovery of which service base URL serves a particular
health care provider, which in turn would allow API users to access
relevant EHI through that service base URL. Having all healthcare
organizations serviced by the service base URL accessible and in a
standardized format would help app developers easily fetch information
to enable patients and other users to access, exchange, and use
information.
To address the inconsistencies in service base URL publication and
challenges with mapping, we proposed in the HTI-1 Proposed Rule to
revise the requirement in Sec. 170.404(b)(2) to include new data
format requirements (88 FR 23814). We anticipated that these new
specifications would establish standards for industry adoption and
better facilitate patient access to their health information. In the
revised Sec. 170.404(b)(2), we also proposed to incorporate the
following existing requirements in Sec. 170.404(b)(2)(i) and (ii): a
Certified API Developer must publish service base URLs ``[f]or all of
its customers regardless of whether the Health IT Modules certified to
Sec. 170.315(g)(10) are centrally managed by the Certified API
Developer or locally deployed by an API Information Source;'' and
publish these service base URLs ``at no charge'' as part of proposed
Sec. 170.404(b)(2). We proposed that Certified API Developers publish
these standardized details by December 31, 2024.
In Sec. 170.404(b)(2)(i), we proposed to require that service base
URLs must be published in ``Endpoint'' resource format according to the
FHIR standard adopted in Sec. 170.215(a) (88 FR 23814). Additionally,
in Sec. 170.404(b)(2)(ii) and subparagraphs Sec. 170.404(b)(2)(ii)(A)
and Sec. 170.404(b)(2)(ii)(B), we proposed to require that
organization details such as name, location, and provider identifiers
[[Page 1286]]
(e.g., National Provider Identifier (NPI), CMS Certification Number
(CCN), or health system ID) for each service base URL must be published
in US Core ``Organization'' resource format according to the
implementation specifications adopted in Sec. 170.215(b)(1) (we note
that elsewhere in this final rule, in section III.C.7.b, we discuss the
proposal to move US Core IGs to Sec. 170.215(b)(1)), with the
``Organization.endpoint'' element referencing the service base URLs
managed by this organization.
We proposed the Endpoint and Organization resource formats because
they are based on the FHIR Release 4 and US Core IG industry standards
that are already adopted for use in the Program in Sec.
170.315(g)(10). We specifically proposed the FHIR ``Endpoint'' resource
because it is used for representing technical endpoint details and
contains a required ``address'' element that, according to the FHIR R4
standard, contains ``the technical base address for connecting to this
endpoint.'' \163\ We noted that Certified API Developers would be able
to populate this element, in each of their published ``Endpoint''
resources, with a service base URL that can be used by patients to
access their EHI.
---------------------------------------------------------------------------
\163\ https://hl7.org/fhir/R4/endpoint.html.
---------------------------------------------------------------------------
We additionally proposed the US Core ``Organization'' resource
because it can be used to represent important contextual information
around a service base URL (88 FR 23814 through 23815). We noted that
the US Core ``Organization'' resource contains an optional ``endpoint''
element that can be used to reference ``technical endpoints providing
access to services operated for the organization.'' \164\ To
standardize a link between published ``Endpoint'' resources and
organization details relating to the organization that services these
endpoints, we proposed to require, in Sec. 170.404(b)(2)(ii)(A), that
this optional ``endpoint'' element be populated on publicly published
``Organization'' resources and that they reference the ``Endpoints''
managed by the organization. We noted that ``publicly published'' meant
that the information is made publicly available and noted that ONC will
host a link to developers' service base URL list on the Certified
Health IT Product List (CHPL) or another website hosted by ONC. We
stated that this information would give the public a standard way of
knowing how published ``Endpoint'' and published ``Organization''
resources are linked and which organization details apply to which
service base URLs.
---------------------------------------------------------------------------
\164\ https://www.hl7.org/fhir/organization.html.
---------------------------------------------------------------------------
Additionally, we noted in the HTI-1 Proposed Rule that the US Core
``Organization'' resource contains a ``mandatory'' element called
``name'' that contains a ``name used for the organization'' (88 FR
23815). In addition to this required element, we proposed in Sec.
170.404(b)(2)(ii)(B) to require Certified API Developers to make
available ``must support'' elements of organization location and
provider identifier(s) using the US Core ``Organization'' resource. An
organization's location could be an address that is populated in the
``address'' element of the US Core ``Organization'' resource; and a
provider identifier could be a National Provider Identifier (NPI),
Clinical Laboratory Improvement Amendments (CLIA) number, or other
health system ID populated in the ``identifier'' element. We noted that
this information helps contextualize service base URLs and enables
application developers to more easily and consistently provide patients
access to their electronic health information.
Finally, we proposed, in Sec. 170.404(b)(2)(iii), requirements for
collection and maintenance of Endpoint and organization resources.
Specifically, in Sec. 170.404(b)(2)(iii)(A), we proposed to require
that these resources be collected in a ``Bundle'' resource, according
to the FHIR standard adopted in Sec. 170.215(a), that the Certified
API Developer would publicly publish (88 FR 23815). According to the
FHIR specification, a ``Bundle'' acts as ``a container for a collection
of resources'' and is widely used in use cases, such as returning
search results and grouping resources as part of a message
exchange.\165\ Given the broad use of the ``Bundle'' resource
throughout the FHIR specification (e.g., FHIR search), we noted in the
HTI-1 Proposed Rule our expectation that most FHIR clients and FHIR
application developers would be familiar with the ``Bundle'' resource
and be able to parse ``Bundle'' resources electronically and extract
relevant information from them for use in their application.
Alternatively, we considered a different format for requiring that the
Endpoint and Organization resources be collected for publication. We
also considered the Newline Delimited JSON (ndjson) format (88 FR
23815). According to the ndjson specification, this format is
convenient for publishing ``structured data that may be processed one
record at a time.'' \166\ The ndjson format is an efficient way for
machines to parse large amounts of data given that the entire file does
not need to be read into memory before parsing. As we noted in the HTI-
1 Proposed Rule, we expect that these ``Endpoint'' and ``Organization''
JSON resource lists may be large, depending on the developer of
certified health IT's client base. We noted our expectation that most
Certified API Developers would be familiar with this format because it
is included as an underlying standard in the FHIR Bulk Data Access IG
required for certification to Sec. 170.315(g)(10). Given the
simplicity of the ndjson standard, we also noted our expectation that
most FHIR clients and FHIR application developers would easily be able
to parse ndjson files electronically and extract relevant information
from them for use in their application.
---------------------------------------------------------------------------
\165\ http://hl7.org/fhir/R4/bundle.html.
\166\ http://ndjson.org/.
---------------------------------------------------------------------------
We also proposed, in Sec. 170.404(b)(2)(iii)(B), that Certified
API Developers review Endpoint and Organization resources quarterly
and, as necessary, update the information (88 FR 23815). We recognized
that as customers upgrade and install new health IT, data provided in
the Endpoint and Organization resources will change. In the HTI-1
Proposed Rule, we noted that a one-time publication of the developer's
current list of endpoints for active customers upon certification to
the Sec. 170.315(g)(10) criterion will only meet initial certification
requirements, and we proposed to establish in Sec.
170.404(b)(2)(iii)(B) a requirement that Certified API Developers
maintain this information over time. We also noted that failure to
maintain the service base URLs and ensure the associated organization
information remains up to date and free of errors or defects on a
quarterly basis would be considered a violation of this Condition and
Maintenance of Certification requirement and may result in corrective
action. We clarified that any endpoint or organization information that
is out of date, incomplete, or otherwise unusable for more than 90-days
would be considered in violation of this proposed requirement.
Comments. The majority of commenters support the continued
development and standardization of publication formats for FHIR
``service base URLs'' otherwise known as ``endpoints,'' noting that
standardization would better facilitate interoperability and address
challenges that exist in operationalizing connections to FHIR servers
for facilitating patient access. Many of these supportive commenters
cautioned that our proposal does not align with the direction of
industry and one
[[Page 1287]]
commenter raised a particular concern that our proposal is not based in
implementation experience and has not been informed by a draft
implementation guide. Another commenter noted that since we are
proposing that the ``endpoint'' element in the US Core ``Organization''
resource be used to reference FHIR R4 ``Endpoint'' resource(s), we
should make specific and clear reference to the applicability of FHIR
R4 and its detailed standards on Endpoint. Most of these commenters
also offered suggestions on how we should change our proposal by citing
the Argonaut implementation guide for Patient-access Brands as standard
and the industry driven approach we should consider referencing for
this endpoint publication use case.
Response. We thank the commenters for their support of the
continued development in this space and suggestions for improvement.
The ``Patient-access Brands'' conceptual model, developed by the FHIR
community through the Argonaut Project, has advanced significantly
since publication of the HTI-1 Proposed Rule. A connectathon, which is
an event where the FHIR community gathers and tests emerging FHIR
standards, was held in May 2023 and it included developers of certified
health IT and app developers who tested the real-world feasibility of
the Patient-access Brands model.\167\ Additionally, at the September
2023 HL7 Working Group Meeting, the FHIR community discussed and
finalized new changes to the Patient-access Brands model.\168\
Currently, the Patient-access Brands model is incorporated into a
section of the continuous build draft version of the SMART App Launch
IG.\169\ This indicates that the Patient-access Brands model is now a
draft specification and is on track for publication in a future version
of the SMART App Launch IG.
---------------------------------------------------------------------------
\167\ More information on this connectathon can be found at
https://confluence.hl7.org/pages/viewpage.action?pageId=90350859#EndpointCallNotes-2023-5-312-5pET:Connectathon.
\168\ See https://jira.hl7.org/browse/FHIR-42134.
\169\ https://build.fhir.org/ig/HL7/smart-app-launch/branches/pab/brands.html.
---------------------------------------------------------------------------
We agree with commenters that the Patient-access Brands
specification is a key standardized approach for the endpoint
publication use case and we are committed to aligning our requirements
with industry efforts. In the HTI-1 Proposed Rule, our proposal
generally aligned with the current draft Patient-access Brands
specification by calling for the use of ``Organization'' and
``Endpoint'' FHIR resources for representing endpoints (e.g., service
base URLs) and corresponding organization (e.g., API Information
Source) details in a standardized format.
Additionally, in the HTI-1 Proposed Rule, our proposal, similarly
to the current draft of Patient-access Brands specification, called for
the use of the ``endpoint'' element in the US Core ``Organization''
resource for linking ``Endpoint'' resources and organizational details
relating to the organization that services this endpoint.\170\ However,
our proposal in the HTI-1 Proposed Rule is not an exact match of the
underlying construct defined in the Patient-access Brands
specification. One key difference that could result in
incompatibilities between our requirements and the industry led efforts
in the Patient-access Brands specification is that we referenced the US
Core profile of the base FHIR ``Organization'' resource, while the
Patient-access Brands specification includes its own custom profile of
the base FHIR ``Organization'' resource. Both profiles are based off
the base FHIR ``Organization'' resource, but they each contain their
own sets of constraints to best match their use cases.
---------------------------------------------------------------------------
\170\ During the public comment period for the HTI-1 Proposed
Rule, the draft Patient-access Brands specification called for the
use of the ``managiningOrganization'' element in the ``Endpoint''
resource for linking ``Endpoint'' and ``Organization'' resources. At
the September 2023 HL7 Working Group Meeting, occurring after the
comment period for the HTI-1 Proposed Rule closed, the FHIR
community approved a change to use the ``endpoint'' element in the
``Organization'' resource instead of the ``managiningOrganization''
element in the ``Endpoint'' resource for linking ``Endpoint'' and
``Organization'' resources. See https://jira.hl7.org/browse/FHIR-42134.
---------------------------------------------------------------------------
Based on commenter feedback, we do not believe it is necessary for
us to impose US Core level ``Organization'' resource constraints and
reference the FHIR ``Organization'' resource via the US Core IG at this
time. We agree with the commenter who recommended a specific and clear
reference to the applicability of FHIR R4. We realize that we
introduced some unnecessary confusion by referencing two separate but
related standards, namely FHIR R4 and US Core, in separate paragraphs
of our proposed criterion updates in Sec. 170.404(b)(2). To simplify
our requirements and make a more specific and clear reference to FHIR
R4, we believe it is necessary to reference one standard, namely FHIR
R4. We also agree with the many commenters who emphasized the
importance of considering and not conflicting with the standards
developed by the FHIR community for the endpoint publication use case,
and we believe that referencing the more general FHIR R4 standard for
our Program reduces the risk of conflicting requirements.
To generalize our proposal, respond to commenter feedback, and to
align our requirements with emerging industry standards for the
endpoint discovery use case, we have finalized a modified version of
our proposed requirements at Sec. 170.404(b)(2). We have modified the
standard referenced in Sec. 170.404(b)(2)(ii) to require the use of
the base FHIR ``Organization'' resource instead of the more constrained
US Core-profiled version of the base FHIR ``Organization'' resource.
Specifically, we have revised Sec. 170.404(b)(2)(ii) to reference the
standard adopted in Sec. [thinsp]170.215(a). We emphasize that
subparagraphs of finalized Sec. 170.404(b)(2)(ii)(A) and (B) remain
largely unchanged, meaning that Certified API Developers will still be
required to reference ``Endpoint'' resources using the ``endpoint''
element in the ``Organization'' FHIR resource and will still be
required to publish organization details such as name, location, and
facility identifier. With this modification, we have finalized a policy
that is less prescriptive than what we proposed. By referencing the
base FHIR ``Organization'' resource, instead of the US Core-profiled
``Organization'' resource, Certified API Developers have more
flexibility to support the ``Organization'' resource without minimal
element constraints and no elements are marked as ``must support.'' We
note that when proposing the US Core ``Organization'' resource profile,
we referenced certain mandatory and ``must support'' elements contained
in that profile, including ``address,'' ``name,'' and ``identifier.''
We did not adopt these constraints; rather, we are leaving it up to the
Certified API Developer to determine how best to publish the required
organization details using the base FHIR standard instead of the more
constrained US Core IG. Overall, this change will provide industry with
more flexibility to meet Program requirements as standards evolve. We
have finalized our proposal in Sec. 170.404(b)(2) to require Certified
API Developers to publish these standardized details by December 31,
2024, as proposed. We clarify that for the time period between when
this final rule is effective and December 31, 2024, that Certified API
Developers may fulfill their obligations at Sec. 170.404(b)(2) by
publicly publishing the service base URLs for all customers in a
machine-readable format at no charge.
This modification supports our goal of addressing the inconsistent
implementation of our service base URL requirement and better
facilitates
[[Page 1288]]
patient access to their health information by requiring the use of a
consistent data format, while also reflecting feedback received from
software developers, technology companies, and standards developer
interested parties. This modification also better aligns our
requirements with the underlying data format constructs currently
defined in the leading, and still emerging, industry specification in
this area, namely the Patient-access Brands specification. We hope to
give Certified API Developers the option of using the data format
structure in Patient-access Brands specification to publish their
service base URLs and organization data we require without being in
conflict with our data format requirements for the Program. We note
that at the time of publication of this final rule, the Patient-access
Brands specification is still in draft form and may evolve over time,
including the addition of breaking changes. We will consider the
Patient-access Brands specification for adoption in future rulemaking
as it develops.
Comments. In addition to the Patient-access Brands specification,
several commenters noted the Directory IG for TEFCA as a standard to
consider for the endpoint publication use case. All but one of these
commenters cited the Directory IG for TEFCA alongside the Patient-
access Brands specification and advocated for the alignment of TEFCA
with the Patient-access Brands specification. One commenter advocated
specifically for changes to our proposal based on the Directory IG for
TEFCA, stating that we should consider it for defining the format of
FHIR ``Organization'' and ``Endpoint'' resources for the endpoint
publication use case.
Response. We appreciate the notes from commenters pointing us to
other work in the endpoint publication space to consider. The Directory
IG for TEFCA is under active development and is being designed to
support the TEFCA use case and the participants within that framework.
\171\ We agree that this IG is an important standard to keep in mind
for supporting the endpoint publication use case more broadly but,
because it already includes constraints and extensions that go beyond
the relatively small set of elements we proposed requiring of
developers, we do not agree with the commenter who suggested using it
for specifying the format of FHIR ``Organization'' and ``Endpoint''
resources used for publishing endpoints in our Program at this time.
However, we note that because we have finalized an approach in Sec.
170.404(b)(2) that references the base FHIR standard, Certified API
Developers have the flexibility to consider using ``Organization'' and
``Endpoint'' FHIR resources profiles, such as the profiles in the
Directory IG for TEFCA, to meet our requirements.
---------------------------------------------------------------------------
\171\ https://rce.sequoiaproject.org/RCEIG/output/index.html.
---------------------------------------------------------------------------
Regarding the suggestions to align TEFCA with the Patient-access
Brands specification, we thank commenters for this suggestion but note
that it is outside the scope of the proposals related to TEFCA in the
HTI-1 Proposed Rule. We will continue to monitor the development of
these standards and may take them into consideration in future
rulemaking.
Comments. A number of commenters asked that we clarify the intended
use of the organization details we proposed to be published. More
specifically, commenters asked that we clarify that we expect
organization or facility level identifiers, rather than individual
practitioner identifiers, to be published. Many of these commenters
noted that the publication of individual practitioner identifiers is
out of scope for our intended use case. Additionally, one commenter
noted the active work on a National Directory FHIR IG and said that it
would be an approach to consider if we intend for practitioner level
identifiers to be published.
Response. We appreciate commenters' input and suggestions for
clarity. We intend for these additional organization details to be used
by app developers to help them map organizations to endpoints which, in
turn, helps patients find the organization(s) they want to allow an app
to access data from. We clarify that facility or organization level
identifiers are sufficient to satisfy our proposed publication
requirements. Facility level identifiers, for the purposes of
certification to these Endpoint publication requirements, include
identifiers such as: a National Provider Identifier (NPI), Clinical
Laboratory Improvement Amendments (CLIA) number, CMS Certification
Number (CCN), or other health system ID. Support for one of these
identifier types is sufficient, meaning Certified API Developers are
not required to publish individual NPIs as a floor for certification.
Different identifiers may be used depending on the customers a
Certified API Developer has. We have updated our regulatory text at
Sec. 170.404(b)(2)(ii)(B) to more clearly state that ``[e]ach
Organization resource must contain the organization's name, location,
and facility identifier.''
For clarity and consistency, we have also updated our regulatory
text at Sec. 170.404(b)(2), and the relevant preamble text in this
final rule, to replace the word ``organizational'' with
``organization.'' The phrase ``organization details'' more accurately
represents the details we are referring to and is a consistent phrase
to use in lieu of our mixed use of ``organizational'' and
``organization'' in the HTI-1 Proposed Rule.
Regarding the comment on the active work on a National Directory
FHIR IG, we thank this commenter for pointing this out. Because we have
not required the publication of individual provider-level identifiers,
we are not considering this IG for the endpoint publication use case in
our Program. We emphasize again that because we have finalized an
approach in Sec. 170.404(b)(2) that references the base FHIR standard,
Certified API Developers have the flexibility to consider using
``Organization'' and ``Endpoint'' FHIR resources profiles, such as the
profiles in the National Directory FHIR IG, to meet those requirements.
Comments. A couple of commenters asked that we clarify our
requirements for elements in the Endpoint and Organization FHIR
resources if we are updating to US Core version 6.
Response. We thank the commenters and we note that, given the
changes we have made to Sec. 170.404(b)(2)(ii) (see response to
comments above), US Core is no longer in scope. We have modified the
standard referenced in Sec. 170.404(b)(2)(ii) to require the use of
the base FHIR ``Organization'' resource instead of a US Core-profiled
``Organization'' resource.
Comments. A few commenters responded to our invitation for comment
on whether we should finalize our proposal to adopt a requirement for
FHIR Endpoint and Organization resources to be made publicly available
according to the FHIR Bundle format or if we should finalize the
requirement to use a ndjson format. These commenters were generally
split on which format they prefer. One commenter noted that large FHIR
Bundles are challenging to parse. Another commenter suggested that we
align with a format that is most compatible with Lantern to support
certification.
Response. We appreciate these responses and suggestions from
commenters. We have finalized, at Sec. 170.404(b)(2)(iii)(A), our
requirement for FHIR Endpoint and Organization resources to be
collected in FHIR Bundle resource format. We recognize that large FHIR
Bundles may be hard to parse given their size, but we anticipate that
app developers will have the technology and access to the tools
[[Page 1289]]
needed to parse large machine-readable artifacts. We also note that the
current draft Patient-access Brands specification calls for the use of
FHIR Bundles to collect FHIR Endpoint and Organization details.\172\ We
believe that our finalized requirement for publication using the FHIR
Bundle resource format sufficiently supports app developers and aligns
with industry direction.
---------------------------------------------------------------------------
\172\ https://build.fhir.org/ig/HL7/smart-app-launch/branches/pab/brands.html.
---------------------------------------------------------------------------
We thank commenters for supporting Lantern, which is an open-source
tool developed by ONC and the MITRE corporation ``that monitors and
provides analytics about the availability and adoption of FHIR API
service base URLs (endpoints) across healthcare organizations in the
United States.'' \173\ We anticipate that Lantern and other FHIR tools
will be able to take advantage of our standards-based and machine-
readable approach to monitor and discover FHIR endpoints. We also note
that the Program will continue to explore ways to support conformance
and certification to these requirements to enable patients and other
users to access, exchange, and use information via discoverable FHIR
APIs.
---------------------------------------------------------------------------
\173\ https://lantern.healthit.gov/?tab=dashboard_tab.
---------------------------------------------------------------------------
Comments. One commenter suggested that both human readable and
machine-readable Endpoint metadata be made available on the CHPL.
Response. We thank this commenter for their suggestion. We
acknowledge that human readable Endpoint metadata may be useful for
some use cases, but we do not believe that is a necessary additional
requirement to put on Certified API Developers in our Program. We note
that by requiring machine-readable publication using a standardized
FHIR format, developers can consider developing their own tools or
leveraging existing community tools (e.g., Lantern) that render FHIR
data into human readable formats.
Comments. One commenter explicitly expressed support for the
quarterly review timeline we proposed for Certified API Developers in
Sec. 170.404(b)(2)(iii)(B), while two commenters recommended changes
to the timeline. The two commenters who recommended changes indicated
that a quarterly review minimum was too long given that inaccurate
organization details and non-functioning endpoints significantly
hinders interoperability. One of these two commenters suggested the
review timeline be one week and the other suggested that ONC notify
organizations of any inaccurate information after 30 days and find them
in violation if no corrective updates are made after 60 days.
Response. We appreciate the feedback and thoughtful suggestions for
possible improvement from commenters. We agree that this information
needs to remain up to date to ensure application developers can easily
and consistently provide patients access to EHI. We also acknowledge
the need to consider the burden on Certified API Developers to keep
their customers' endpoint information up to date. To balance value and
burden, we have finalized the review timeline as proposed and have
finalized a quarterly review timeline as the requirement. In response
to commenters' suggestion that ONC monitor and notify interested
parties of inaccurate information and initiate corrective action after
60 days, we note that we have a defined process to elevate concerns of
non-conformity and we urge users or other interested parties to
leverage this process.\174\
---------------------------------------------------------------------------
\174\ https://www.healthit.gov/topic/certified-health-it-complaint-process.
---------------------------------------------------------------------------
Comments. Many commenters suggested that ONC work on a process for
validating and monitoring these endpoints. Many of these commenters
also suggested that we develop a directory of these endpoints. One
commenter specifically cited our Lantern tool as a central place where
these endpoints could be submitted and validated.
Response. We thank the commenters for their feedback and
suggestions. All Certified API Developer published Endpoint and
Organization FHIR resource Bundles will be available publicly via the
CHPL. Links to these Bundles are collected during the certification
process by the ONC-Authorized Certification Bodies (ONC-ACB) and posted
on a product's CHPL listing following successful certification. This
public data can be used by anyone for collection and monitoring. This
includes ONC's open-source Lantern tool. ONC hosts a public instance of
this tool at https://lantern.healthit.gov/ and collects data into this
instance from many sources, including the CHPL, to monitor and provide
analytics about the availability and adoption of FHIR API
endpoints.\175\ We encourage interested parties to visit the Lantern
tool and we will continue to consider ways to ensure that service base
URLs required in the Program continue to support individuals' access to
their health information.
---------------------------------------------------------------------------
\175\ https://lantern.healthit.gov/?tab=about_tab.
---------------------------------------------------------------------------
Comments. A few commenters expressed concern over the burdens and
challenges for EHR developers to collect this information from their
customers and be responsible for it being up to date. This included
comments that Certified API Developers should not be penalized if and
when their customers do not provide this information. One commenter
asked that ONC clarify that Certified API Developers can rely on
assurances provided by their customers that this information is valid
and up to date, because it will not be feasible for developers to
independently validate the information, and that Certified API
Developers should instead only be expected to publish information for
customers that provide details to the Certified API Developers, rather
than an expectation that endpoint and organization detail lists are
comprehensive. A couple of commenters suggested the introduction of a
CMS attestation for providers and hospitals to be responsible for this
information and keeping it up to date.
Response. We appreciate the feedback from commenters and
acknowledge these concerns from Certified API Developers about
gathering endpoint and organization information from their customers
and being responsible for its publication. However, we did not propose
and have not finalized any changes to our existing policy at Sec.
170.404(b)(2) that requires Certified API Developers to publicly
publish the service base URLs for all of their customers regardless of
whether the Health IT Modules certified to Sec. 170.315(g)(10) are
centrally managed by the Certified API Developer or locally deployed by
an API Information Source. As we said in the ONC Cures Act Final Rule
with regards to publication of service base URLs, we believe that
Certified API Developers will have adequate relationships with API
Information Sources in the process of providing Health IT Modules
certified to Sec. 170.315(g)(10) to gather the necessary information
(85 FR 25765). We believe that these same relationships are adequate
for Certified API Developers to be able to collect and publish service
base URLs, organization names, organization locations, and facility
identifiers on behalf of their customers. We do not agree that it will
be infeasible for Certified API Developers to provide validated URLs
for customers that locally deploy certified API technology because
details related to customer names, organization locations, and facility
identifiers should be routinely and readily available during the
business process (i.e., a Certified API Developer licensing or selling
use of certified API technology to a customer). We remind commenters of
our focus for
[[Page 1290]]
this criterion on service base URLs and related organization details
for Health IT Modules certified to Sec. 170.315(g)(10) that can be
used by patients to access their EHI. We believe that the effort needed
to collect this information is warranted given the critical role it
plays in enabling third-party apps to access EHI at a patient's
request.
We appreciate the feedback and suggestions from commenters on
potential points of intersection between our requirements and CMS
requirements. Updates to CMS programs are out of scope of this rule,
but we encourage commenters to submit such ideas to CMS.
Comments. A few commenters suggested that we work with CMS and
other federal partners to ensure our requirements do not duplicate
other efforts and to ensure that the necessary infrastructure is in
place to support this requirement. One commenter specifically cited
CMS's ongoing effort to develop a national directory.
Response. We appreciate the feedback from commenters. We will
continue to coordinate and work with our federal partners, including
CMS, on points of intersection for potential future rulemaking.
d. Access Token Revocation
In the ONC Cures Act Final Rule, we established a requirement in
Sec. 170.315(g)(10)(vi) that for Health IT Modules certified to Sec.
170.315(g)(10), the Health IT Module's authorization server must be
able to revoke an authorized application's access at a patient's
direction (85 FR 25945). This required capability is intended to enable
patients to ``definitively revoke an application's authorization to
receive their EHI until reauthorized, if ever, by the patient'' (85 FR
25747). We noted in the ONC Cures Act Final Rule that we finalized
Sec. 170.315(g)(10)(vi) as a functional requirement to allow health IT
developers the ability to implement it in a way that best suits their
existing infrastructure and allows for innovative models for
authorization revocation to develop (85 FR 25747). We understand that a
lack of specificity in the current requirement has led to some
confusion among health IT developers and application developers.
As part of health IT developers' implementation of these
requirements, we have received feedback regarding the implementation of
authorization revocation, specifically around the revocation of access
tokens. Health IT developers have requested clarification regarding
letting access tokens expire in lieu of immediate access token
revocation for the purposes of certification testing. The Oauth 2.0
Token Revocation specification, RFC 7009, describes expiration of
short-lived access tokens as a design option for authorization servers
to revoke an application's access. This design option conforms with
industry standard practice and may reduce health IT developer burden as
the Health IT Module would not have to perform token introspection for
each resource request nor maintain a database of valid access tokens.
In the HTI-1 Proposed Rule, we proposed to revise the requirement
in Sec. 170.315(g)(10)(vi) to specify that a Health IT Module's
authorization server must be able to revoke and must revoke an
authorized application's access at a patient's direction within 1 hour
of the request (88 FR 23816). This requirement aligns with industry
standard practice of short-lived access tokens as specified in internet
Engineering Task Force (IETF) Request for Comments (RFC) 6819,\176\
IETF RFC 7009,\177\ and Section 7.1.3 of the SMART Application Launch
Framework version 1.0.0, which states that ``Access tokens SHOULD have
a valid lifetime no greater than one hour. Confidential clients may be
issued longer-lived tokens than public clients.'' This policy would
provide clarity and create a consistent expectation that developers
revoke access within 1 hour of a request, regardless of their internal
approach to fulfilling a patient's request to revoke access. This
policy would also assure patients that once requested, an application's
access to their data would be revoked within 1 hour. This would also
support situations where a patient may have an unexpected change in
their privacy concerns and seek to curtail access to their information.
---------------------------------------------------------------------------
\176\ Available at: https://www.rfc-editor.org/pdfrfc/rfc6819.txt.pdf.
\177\ Available at: https://www.rfc-editor.org/pdfrfc/rfc7009.txt.pdf.
---------------------------------------------------------------------------
Comments. The majority of commenters supported our proposal to
revise Sec. 170.315(g)(10)(vi) to specify that a Health IT Module's
authorization server must be able to revoke and must revoke an
authorized application's access at a patient's direction within 1 hour
of the request. Several commenters, including health IT companies,
medical software companies, professional trade associations, some
healthcare systems, and consumer/patient advocacy groups agreed with
our rationale that such a requirement supported patients' direct
control over the applications that have access to their EHI, and that
the requirement is consistent with industry standards.
Response. We appreciate the feedback from commenters. We believe
our proposal would assure patients that once requested, an
application's access to their data would be revoked within 1 hour and
that such revocation could be supported by all Health IT Modules
regardless of their internal approach to fulfilling a patient's request
to revoke access. We appreciate the overall strong support for our
proposal that, for Health IT Modules certified to Sec. 170.315(g)(10),
the Health IT Module's authorization server must be able to revoke and
must revoke an authorized application's access at a patient's direction
within 1 hour of the request. We have adopted our proposal in Sec.
170.315(g)(10)(vi) without revisions.
Comments. A small number of commenters opposed our proposal, for
differing reasons. A healthcare system and a medical software company
commented that 1 hour is too long a period of time to execute a
revocation request, and a trade organization said 1 hour was too short.
Two commenters worried about implications related to information
blocking, including a professional trade association that said that
providers should be able to request that an app developer delete any
data received through the API between when the request was made and
when access had been revoked without trigging information blocking
concerns, and a medical software company worried about information
blocking claims if revocation within 1 hour was not feasible due to
technical challenges, such as a network outage at a cloud provider.
Response. We appreciate these commenters' concerns. However, we
note that this proposed requirement aligns with industry standard
practice of short-lived access tokens as specified in IETF RFCs 6819
and 7009. We also note that this 1-hour requirement does not preclude a
Health IT Module from revoking access in a shorter timeframe; rather,
it establishes a maximum timeframe for the revocation of access once
requested. Based on community feedback, we respectfully disagree with
the commenter indicating that 1 hour is not enough time to process such
a request; industry consensus, as discussed above with the IETF RFCs,
and experience with implementing the Program requirement to-date,
indicates that many, if not most, requests can be easily fulfilled
within 1 hour. We have established this timeframe to clearly delineate
Program expectations, which did not previously exist. Finally, we
appreciate commenters' concerns regarding information blocking;
however, we currently do not provide
[[Page 1291]]
an exception specific to access token revocation and we decline to do
so at this time. We also invite readers to review the discussion
regarding the Infeasibility Exception, finalized by the ONC Cures Act
Final Rule in Sec. 171.204 (85 FR 25866-25875), and our discussion of
the Infeasibility Exception and its responding to requests condition
(Sec. 171.204(b)) discussed in section IV.C.1 of this final rule.
Comments. One commenter from a health system recommends that the
ONC liaise with the Federal Trade Commission (FTC) to consider
introducing a requirement such that, when consumer apps that access,
exchange, or use personal health records experience a breach and are
required to notify users of such a breach, those apps also include
easy-to-understand instructions about how to revoke access to that
application via certified health IT products and the timeframe in which
such revocation must occur.
Response. We appreciate the comment and will continue to coordinate
and work with our federal partners, including the FTC, on points of
intersection for potential future rulemaking.
We appreciate the overall strong support for our proposal that a
Health IT Module's authorization server must be able to revoke and must
revoke an authorized application's access at a patient's direction
within 1 hour of the request and we have adopted our proposal in Sec.
170.315(g)(10)(vi) without revisions.
e. SMART App Launch 2.0
In the ONC Cures Act Final Rule, we adopted the HL7 FHIR SMART
Application Launch Framework Implementation Guide Release 1.0.0 (SMART
v1 Guide), a profile of the Oauth 2.0 specification, in Sec.
170.215(a)(3) (85 FR 25741). The SMART v1 Guide provides reliable,
secure authorization for a variety of app architectures through the use
of the Oauth 2.0 standard. This IG defines various capabilities for app
support, known as the ``SMART on FHIR Core Capabilities'' (85 FR
25741). As part of adopting the implementation specification in Sec.
170.215(a)(3), the ONC Cures Act Final Rule required support for these
``SMART Core Capabilities,'' which enable applications to securely
perform standardized authentication and authorization as part of
enabling receipt of patient EHI via a FHIR API.
In the ONC Cures Act Final Rule, the Sec. 170.315(g)(10)
``Standardized API for patient and population services'' certification
criterion required support for capabilities from the SMART v1 Guide as
described in Sec. 170.215(a)(3) to enable apps to securely perform
authentication and authorization with the Health IT Module in a
standardized manner. Additionally, the Sec. 170.315(g)(10) criterion
included additional requirements for technical capabilities specified
in the SMART v1 Guide, requiring support for the issuance of ``refresh
tokens'' valid for a period of no less than three months. This
requirement was intended to reduce patient and provider burden to
receive patient EHI using an application of their choice by potentially
reducing the number of re-authorizations of the application. Support
for refresh tokens facilitates patient and provider receipt of patient
EHI by enabling an application to be authorized to receive data in a
persistent manner, without requiring re-authorization of the
application while the refresh token is valid. The Sec. 170.315(g)(10)
criterion required support for the issuance of refresh tokens valid for
a period of no less than three months, so that an application could
potentially be authorized to receive patient EHI for at least a three-
month period without requiring re-authorization.
As part of the adopted implementation specification, we explicitly
required mandatory support of the ``SMART Core Capabilities'' for
Program testing and certification, and we stated that by requiring the
``permission-patient'' ``SMART Core Capability'' in Sec.
170.215(a)(3), Health IT Modules presented for testing and
certification to Sec. 170.315(g)(10), via cross-references to Sec.
170.215(a)(3), must include the ability for patients to authorize an
application to receive their electronic health information (EHI) based
on FHIR resource-level scopes (85 FR 25741, 25746). Practically, this
means that patients would need to have the ability to authorize access
to their EHI at the individual FHIR resource-level, from one specific
FHIR resource (e.g., ``Immunization'') up to all FHIR resources
necessary to implement the standard adopted in Sec. 170.213 and
implementation specification adopted in Sec. 170.215(a)(2). This
capability gives patients increased control over how much EHI they
authorize applications of their choice to receive.
The SMART App Launch Implementation Guide Release 2.0.0 (SMART v2
Guide) is the next major release of the SMART App Launch IG.\178\ The
SMART v2 Guide updates the features of the SMART v1 Guide by including
revisions aligning with industry consensus to provide technical
improvements and reflect security best practices. The SMART v2 Guide
technical enhancements improve the authentication and authorization
security layer provided by the SMART v1 Guide and enables increased
capabilities and functionality for individual control of EHI.
Therefore, we proposed to adopt the SMART v2 Guide in Sec.
170.215(c)(2), and we proposed that the adoption of the SMART v1 Guide
in Sec. 170.215(c)(1) would expire as of January 1, 2025 (88 FR
23816). We clarified that both the SMART v1 Guide and SMART v2 Guide
will be available for purposes of certification where certification
criteria reference Sec. 170.215(c) until the expiration date of
January 1, 2025, after which time only the SMART v2 Guide will be
available for certification.
---------------------------------------------------------------------------
\178\ https://hl7.org/fhir/smart-app-launch/STU2/index.html.
---------------------------------------------------------------------------
As part of this proposal, we proposed to adopt several sections
specified as ``optional'' in the SMART v2 Guide as ``required'' for
purposes of the Program for certification criteria that reference Sec.
170.215(c). Specifically, we proposed to adopt all Capabilities as
defined in ``8.1.2 Capabilities,'' which include but are not limited to
(1) backward compatibility mapping for SMART v1 scopes as defined in
``3.0.2 Scopes for requesting clinical data;'' (2) asymmetric client
authentication as defined in ``5 Client Authentication: Asymmetric
(public key);'' and granular scopes as defined in (3) ``3.0.2.3 Finer-
grained resource constraints using search parameters.'' Additionally,
we proposed to require support for the ``Patient Access for Standalone
Apps'' and ``Clinician Access for EHR Launch'' Capability Sets from
``8.1.1 Capability Sets.'' Also, we proposed to adopt token
introspection as defined in ``7 Token Introspection.'' Again, we
clarified that for the period before January 1, 2025, Health IT Modules
certified to certification criteria that reference Sec. 170.215(c) may
use either SMART v1 or SMART v2 for certification (88 FR 23817).
Further, we noted that the SMART v2 Guide includes section 3.0.2.3
``Finer-grained resource constraints using search parameters,'' and
associated ``3.0.2.4 requirement for support'' and ``3.0.2.5
experimental features,'' which present concepts for further development
within the SMART v2 Guide (88 FR 23817). Together, these optional
functionalities will enable more granular control for individuals,
clinicians, and other users to share information with apps of their
choice in more explicit ways. The granular scope functionality would
empower patients and providers to share health data in a
[[Page 1292]]
more granular fashion, which would improve confidence in the use of
third-party apps by allowing app users to decide which specific type of
EHI they share with the app. These functionalities would help address
privacy and security concerns of third-party app access to health data
and further patient empowerment by providing the ability to limit an
app's access to a granular, minimum set of health data, as determined
by the app user. We proposed these sections for adoption as part of
SMART v2 Guide with the understanding that either the SMART v2 Guide or
another implementation guide such as the US Core Implementation Guide
will define more specific requirements for finer-grained resource
constraints using search parameters.
Comments. There was near universal support for adoption of the
SMART v2 Guide among commenters, including health IT companies,
software and IT firms, advocacy organizations, and health systems.
Several commenters noted that the SMART v2 Guide would play a crucial
role in promoting health data interoperability and facilitating
seamless data exchange between healthcare systems and applications.
However, there was strong support among many of these interested
parties to adopt the newest balloted version of the SMART App Launch
Implementation Guide, Release 2.1. (SMART v2.1 Guide), rather than the
SMART v2 Guide. Several commenters highlighted the benefits of the
SMART v2.1 Guide, including improved FHIR Context management and App
State capability. Some commenters also recommended ONC require support
for browser-based apps, including requirements from the SMART v2.1
Guide.
Response. We thank the commenters for their support. We have
finalized the adoption of the SMART v2 Guide subject to modifications
described later in this section. We believe that adoption of the SMART
v2 Guide will enable an improved and more secure authorization process
for applications to receive EHI from Health IT Modules. We appreciate
commenters' input regarding adoption of the subsequent release of the
SMART v2.1 Guide. We acknowledge there are noteworthy updates included
in the SMART v2.1 Guide. However, given that the SMART v2 Guide has
already been an established part of the Program via SVAP and rigorously
tested as a result, we believe adopting the SMART v2 Guide as a
baseline requirement is more appropriate at this time. We will consider
potential ways the SMART v2.1 Guide could be included in the Program in
the future, including through SVAP. We also clarify that browser-based
apps fitting the definition of ``public clients'', or ``native
applications'' as defined in internet Engineering Task Force Request
for Comments 6749 (RFC 6749), are required to be supported by Health IT
Modules certified to the Sec. 170.315(g)(10) criterion, per the
requirements of that criterion. Such relevant requirements for
supporting ``public clients'' and ``native applications'' include the
data response, search, registration, secure connection, authentication
and authorization for patient and user scopes, and authorization
revocation requirements in the Sec. 170.315(g)(10) criterion,
respectively at Sec. 170.315(g)(10)(i)(A), Sec.
170.315(g)(10)(ii)(A), Sec. 170.315(g)(10)(iii), Sec.
170.315(g)(10)(iv)(A), Sec. 170.315(g)(10)(v)(A), and Sec.
170.315(g)(10)(vi).
Comments. Commenters were mixed in their recommendations on our
proposal to expire the use of the SMART v1 Guide as part of the Program
on January 1, 2025, effectively requiring use of only the SMART v2
Guide for applicable certification criteria after that date. Among
those interested parties that commented, professional associations
urged ONC to finalize the timeline as proposed. Health information
technology companies and one health system requested additional time,
indicating that the proposed expiration timeframe of January 1, 2025,
does not give organizations sufficient time to develop, test, and
implement necessary changes to systems and processes.
Response. We thank the commenters for their input. We acknowledge
the benefits of extending the timeframe in which the SMART v1 Guide is
available for certification. Taking this into consideration, we have
modified our proposal as suggested by commenters who recommended more
time to adopt only the SMART v2 Guide. We have, therefore, finalized
our modified proposal that the adoption of the SMART v1 Guide
implementation specification expires on January 1, 2026, and we clarify
that following expiration of the SMART v1 Guide, the SMART v2 Guide
will be the only valid standard for certification criteria that
reference Sec. 170.215(c).
i. SMART v2 Guide New and Revised Features Proposed for Adoption
The SMART v2 Guide introduces new or revised requirements to the
previous version of the implementation guide, SMART v1 Guide. Major
requirements new to the SMART v2 Guide include support for the OAuth
2.0 security extension Proof Key for Code Exchange (PKCE), as well as a
revision of the scope syntax. The SMART v2 Guide includes requirements
that both the EHR and all apps support the OAuth 2.0 security extension
PKCE. PKCE is an industry standard security extension for OAuth 2.0 to
mitigate the known security vulnerability of authorization code
interception attacks.\179\ The requirement of support for PKCE
especially improves the security of native apps, or apps that operate
from an individual's phone or tablet, which were particularly
vulnerable to authorization code interception attacks.
---------------------------------------------------------------------------
\179\ https://www.oauth.com/oauth2-servers/pkce/.
---------------------------------------------------------------------------
Another major change included in the SMART v2 Guide is revision of
the syntax of scopes provided to apps. To align with the FHIR
interactions of ``Create,'' ``Read,'' ``Update,'' ``Delete,''
``Search,'' collectively known as ``CRUDS,'' scopes are constructed to
consist of combinations of five types of permissions corresponding to
the CRUDS interactions. The use of this CRUDS scope syntax permits
improved patient choice for persistent access as more specific
combinations of permissions can be granted to apps as opposed to the
scope syntax used in the SMART v1 Guide, which only used two permission
types of ``read'' and ``write.''
New feature: PKCE
One of the major security improvements in the SMART v2 Guide is the
requirement that all apps support the OAuth 2.0 security extension
Proof Key for Code Exchange (PKCE). PKCE is designed to mitigate the
known security vulnerability of authorization code interception
attacks, with native apps especially targeted. According to IETF RFC
7636,\180\ the request for comment which defines the PKCE extension,
this attack can be used to illegitimately obtain an access token from
the authorization server and thus obtain server data in an unauthorized
manner. PKCE mitigates this vulnerability by creating cryptographically
random keys for every authorization request. The authorization server
performs proof of possession of the secret key by the client. This
mitigates the vulnerability as an attacker who intercepts the
authorization code cannot redeem it for an access token as they do not
possess the secret key associated with the authorization request.
---------------------------------------------------------------------------
\180\ See IETF RFC 7636 at: https://www.rfc-editor.org/rfc/rfc7636.
---------------------------------------------------------------------------
Support for PKCE is important because PKCE makes health app access
[[Page 1293]]
of patient health information more secure in a standardized manner. ONC
recognizes healthcare participants and patients are interested in the
secure use of health apps, including native apps, to access health
information. PKCE support makes the granting of access to health
information via health apps more secure by mitigating the known
vulnerability of authorization code interception attacks. We believe
the support of PKCE would further our goal of secure access of health
information without special effort by further securing health app
access, especially for native apps. Therefore, we proposed to require
the support of PKCE as specified in the SMART v2 Guide (88 FR 23817).
Comments. All comments received from interested parties supported
adoption of the OAuth 2.0 security extension PKCE in the SMART v2
Guide. Many commenters noted that adoption and required support for
PKCE is aligned with industry best practice and forthcoming updates to
OAuth in draft version 2.1.
Response. We thank the commenters for their support. We believe the
support of PKCE would further our goal of secure access of health
information without special effort by further securing health app
access, especially for native apps. Therefore, we have finalized
adoption of the SMART v2 guide with inclusion of PKCE. This means that
Health IT Modules presented for testing and certification to Sec.
70.315(g)(10) must support PKCE.
New Feature: CRUDS scope syntax
Another major update in the SMART v2 Guide is the revision of the
scope syntax to align with the FHIR REST API interactions for FHIR
resources. Previously in the SMART v1 Guide, scope syntax for FHIR
resources was delineated in terms of combinations of ``read'' and
``write'' permissions. The SMART v2 Guide revises this scope syntax by
splitting ``read'' permissions into two types of permissions which
correspond to FHIR REST API interactions, ``Read'' and ``Search.''
Similarly, the ``write'' permissions from the SMART v1 Guide are split
into ``Create,'' ``Update,'' and ``Delete.'' This alignment of scope
syntax to the FHIR REST API interactions permits Health IT Module
authorization servers to provide greater specificity regarding which
permissions are granted in scopes to apps and has the benefit of
improved technical clarity to health IT and application developers.
This additional specificity for scopes also improves a patient's
control over how an app accesses their health data by clarifying for
the patient what specific type of API interactions are permitted to the
app. For example, under this new syntax the patient could specifically
permit an app ``read'' access to a FHIR resource but deny ``search''
access for the same FHIR resource.
As stated in the ONC Cures Act Final Rule at 85 FR 25742, the Sec.
170.315(g)(10) certification criterion only requires health IT
developers to support ``read'' capabilities according to the standard
and implementation specifications adopted in Sec. 170.215(a) and in
Sec. 170.215(b)(1), including the mandatory capabilities described in
``US Core Server Capability Statement.'' Our proposal aligns with this
existing policy for Sec. 170.315(g)(10) by proposing to require that
only ``Read'' and ``Search'' permissions as specified in the SMART v2
Guide be supported for certification to the Sec. 170.315(g)(10)
criterion.
Comments. Comments from health IT companies supported our proposals
to adopt the SMART v2 revised scope syntax of ``Create,'' ``Read,''
``Update,'' ``Delete,'' and ``Search,'' or CRUDS. They noted that the
new syntax supports flexible and patient-friendly user interfaces (UI).
One commenter noted that ONC should maintain current policy allowing
developers the flexibility to present authorization scopes in a more
user-friendly format, such as by logically grouping FHIR resource-level
scopes, as long as users are able to grant FHIR resource-level scope
authorizations, if requested. We also received a comment recommending
against requiring support for wildcard scopes as defined in the SMART
v2 Guide due to concerns about data management and security in patient
access use cases.
Response. We thank the commenters for their support and comments.
In consideration of the comments received, we have finalized as
proposed the requirement for Health IT Modules certified to Sec.
170.315(g)(10) to support the SMART v2 scope syntax for the ``Read''
and ``Search'' permissions as specified in the SMART v2 Guide. We
clarify that Health IT Modules supporting the SMART v2 Guide scope
syntax and the ``permission-patient'' capability from the SMART v2
Guide are not required to support wildcard scopes relating to
authorization to receive a single patient's data. Instead, we align
with the policy as mentioned in the ONC Cures Act Final Rule (85 FR
25741) that as part of supporting the ``permission-patient''
capability, Health IT Modules presented for testing and certification
must include the ability for patients to authorize an application to
receive their EHI based on FHIR resource-level scopes.
ii. SMART v2 Optional Features Proposed as Required by ONC
We proposed to require all Capabilities as defined in ``8.1.2
Capabilities'' and the ``Patient Access for Standalone Apps'' and
``Clinician Access for EHR Launch'' Capability Sets from ``8.1.1
Capability Sets'' (88 FR 23817 through 23819). First, the SMART v2
Guide introduces functionality specified as optional in the
implementation guide. We proposed to make several of these optional
functionalities required as part of the proposed implementation
specification, and therefore required for certification criteria that
reference proposed Sec. 170.215(c)(2) (88 FR 23818).
Second, the SMART v2 Guide introduces an optional profile for
authorization servers to support asymmetric client authentication for
confidential clients. We proposed to require Health IT Modules support
asymmetric client authentication as an option for confidential clients
during the process of authentication and authorization when granting
access to patient data.
Third, the SMART v2 Guide also introduces a new optional feature of
granular scope constraints using search parameters. This feature uses
the FHIR REST API search parameter syntax to specify permissions more
granular than the FHIR resource level, which was the maximum
granularity of scopes in the SMART v1 Guide. We proposed to require
``3.0.2.3 Finer-grained resource constraints using search parameters''
with the clarification that Health IT Modules certified to Sec.
170.315(g)(10) must minimally be capable of handling finer-grained
scopes using the ``category'' parameter for (1) the Condition resource
with Condition sub-resources Encounter Diagnosis, Problem List, and
Health Concern and (2) the Observation resource with Observation sub-
resources Clinical Test, Laboratory, Social History, SDOH, Survey, and
Vital Signs. We note that the requirements denoted in ``3.0.2.3 Finer-
grained resource constraints using search parameters'' would be
required as part of implementing the ``permission-v2'' capability
defined in ``8.1.2 Capabilities''. We anticipated that the US Core IG
would provide guidance for developers to support a minimum number of
search parameters, and this minimum list would be consistent with the
optional scopes described in section ``3.8 Future of US Core'' of the
US Core IG v6.1.0.
Fourth, the SMART v2 Guide revises how capabilities are
categorized. The ``SMART Core Capabilities'' in the
[[Page 1294]]
SMART v1 Guide define capabilities supported by the server and are made
available to inform clients of supported functionality.
``Capabilities'' are grouped into ``Capability Sets'' to define the
functionalities required for a specific use case. The SMART v2 Guide
restructures how ``Capabilities'' are organized, and no longer includes
``SMART Core Capabilities.'' Instead, the SMART v2 Guide includes a
list of ``Capabilities'' and ``Capability Sets.''
Finally, the SMART v2 Guide introduces a new requirement to support
POST-based authorization for the client authorization request. This new
requirement in the SMART v2 Guide is adapted from the OpenID Connect
Core specification and is related to the requirement in Sec.
170.315(g)(10)(v)(A)(1)(i), which requires a Health IT Module to
support authentication and authorization during the process of granting
access to patient data according to the SMART App Launch and OpenID
Connect Core standards. The SMART v2 Guide includes the ``authorize-
post'' capability under ``Capabilities'' for servers to indicate
support for this requirement. To align with this new technical
requirement in the SMART v2 Guide and the authorization and
authentication requirement in Sec. 170.315(g)(10)(v)(A)(1)(i), we
proposed to require the ``authorize-post'' capability (88 FR 23819).
Comment. Overall, commenters were supportive of ONC's proposals to
adopt optional features in the SMART v2 Guide as required for the
Program. Several commenters supported adoption of all optional
features; several others supported adoption of all optional features
except for ``authorize-post'' capability (also referred to as HTTP POST
by commenters); and a minority of commenters also commented against
including the ``permission-online'' capability. There was a comment
recommending revision to the language of the token introspection
proposal in Sec. &170.315(g)(10)(vii), since the SMART v1 Guide does
not include a guidance section regarding token introspection. We also
received a comment requesting clarity regarding requirements to
independently support SMART v2 scopes separately from SMART v1 scopes.
Response. We thank the commenters for their support and comments.
We believe requiring the proposed optional features will improve the
capability of applications to be authorized by users to securely
receive EHI. We clarify the ``authorize-post'' capability is not an
optional capability and is required as per the SMART v2 Guide as a
method to obtain an authorization code from the authorization server.
To align with the requirement as per the implementation guide, we have
finalized the proposal to require the ``authorize-post'' capability. We
encourage interested parties to participate in the development of the
SMART App Launch IG if there are enhancements or technological advances
regarding this capability. We proposed to require the ``permission-
online'' capability, as part of our proposal to require all
``Capabilities'' as defined in ``8.1.2 Capabilities,'' which would
enable an application to receive authorization to receive EHI while the
user is logged in. In consideration of comments we received, we believe
additional clarity is necessary regarding the specific authorization
contexts in which this capability would be required. Also, further
insight is needed regarding the use cases in which this capability
provides utility beyond the ``permission-offline'' capability included
in the proposal. Therefore, we are modifying our proposal to exclude
the ``permission-online'' capability from the requirements of Sec.
170.215(c)(2). Thus, we have finalized our proposal to require all
Capabilities as defined in ``8.1.2 Capabilities'' and the ``Patient
Access for Standalone Apps'' and ``Clinician Access for EHR Launch''
Capability Sets from ``8.1.1 Capability Sets'' of the SMART v2 Guide,
except for the ``permission-online'' capability. We also note that
since we have finalized our proposal to expire use of the SMART v1
Guide as part of the Program on January 1, 2026, that after that date
certification to Sec. 170.315(g)(10) would effectively require that
token introspection be supported as described in the SMART v2 Guide.
Additionally, regarding independently supporting SMART v2 and SMART v1
scopes, we note that this proposal requires the ``permission-v1'' and
``permission-v2'' capabilities as defined in the SMART v2 Guide, which
define how such scopes must be supported. We clarify that the SMART v2
Guide scopes must be supported independently of the SMART v1 Guide
scopes as per the ``permission-v2'' capability in the SMART v2 Guide,
and that the SMART v1 Guide scopes must be supported as per the
``permission-v1'' capability in the SMART v2 Guide. Support for scopes
in this manner enables the updated SMART v2 Guide scope syntax to be
used by applications while also maintaining backwards compatibility
with the SMART v1 Guide scopes for legacy applications.
Comments. We received support from a majority of commenters that
addressed ONC's proposals for support of the SMART v2 Guide's optional
capability ``3.0.2.3 Finer-grained resource constraints using search
parameters,'' including our proposal to use the ``category'' parameter
for (1) the Condition resource with Condition sub-resources Encounter
Diagnosis, Problem List, and Health Concern and (2) the Observation
resource with Observation sub-resources Clinical Test, Laboratory,
Social History, SDOH, Survey, and Vital Signs. Multiple commenters
appreciated this degree of specificity and encouraged ONC to finalize
this approach without further specifying in future rulemaking; instead,
many of these commenters said ONC should rely on future versions of the
US Core Implementation Guide to instruct further specification of other
FHIR resource constraints. One health IT company recommended that we do
not align scopes requirements to ``search operations,'' and instead
adopt authorization scopes no more granular than the ``category'' level
for FHIR resources such as Condition, Observation, Medication Request,
and Diagnostic Report.
Response. We appreciate commenters' feedback and have finalized the
requirements as proposed. We note that the finalized requirements
regarding ``3.0.2.3 Finer-grained resource constraints using search
parameters'' are required as part of implementing the ``permission-v2''
capability defined in ``8.1.2 Capabilities''. We also note that the
requirements of this proposal to support finer-grained scopes using
search parameter syntax and the ``category'' parameter are intended to
align with capabilities and guidance as included in the SMART v2 Guide
and FHIR US Core 6.1.0 implementation guide. We believe that
establishing minimal conformance requirements at the category level for
the Condition and Observation resources using specifications and
guidance from these implementation guides will both ensure that Health
IT Modules are capable of supporting the finer-grained resource
constraints capability without being overly prescriptive in setting
expectations for how the Health IT Module implements such capabilities.
Comments. Several commenters suggested that ONC adopt capabilities
and standards that were outside the scope of our proposals, including
``rich authorization requests,'' ``push authorization requests, as
defined by RFC 9126,'' and anti-malware capabilities, identity threat
detection and response systems, the adoption of sender-constrained
tokens, and OAuth 2.0 Demonstrating Proof-of-Possession
[[Page 1295]]
at the Application Layer (DPoP) specification.
Response. We thank the commenters for their recommendations, but we
note that these comments are outside the scope of our proposals. We
decline to accept the recommendations to adopt these capabilities, but
we encourage industry to continue highlighting potential capabilities
for future consideration in the Program. We also encourage interested
parties to participate in the development and refinement of standards
and implementation guides such as the SMART App Launch Implementation
Guide.
8. Patient Demographics and Observations Certification Criterion in
Sec. 170.315(a)(5)
In the 2015 Edition Final Rule (80 FR 62601), ONC required the
recording, capture, and access to a patient's sex, sexual orientation,
and gender identity for Health IT Modules certified to the
``Demographics'' certification criterion (Sec. 170.315(a)(5)) (80 FR
62747). This rule also defined a required set of standardized
terminology to represent each of these data elements (80 FR 62618-
62620). Since then, ONC has received recommendations through the Health
Information Technology Advisory Committee (HITAC) and public feedback
that the current terms and terminologies used to represent sex, gender
identity, and sexual orientation are limited and need to be updated.
Meanwhile, the healthcare industry had similarly taken note of the
need for precision for ideas encompassed in terms such as ``sex'' and
``gender'' and launched the Gender Harmony Project \181\ to capture
these concepts consistently within healthcare. The Gender Harmony
Project introduced for the health IT context the concepts ``Sex for
Clinical Use'' (SFCU), ``Recorded Sex or Gender'' (RSG), ``Name to
Use,'' and ``Pronouns.'' The Gender Harmony Project defines Sex for
Clinical Use as a category that is based on clinical observations
typically associated with the designation of male and female; Name to
Use provides the name that should be used when addressing or
referencing the patient; Recorded Sex or Gender is the documentation of
a specific instance of sex and/or gender information; and Pronouns are
determined by a patient and used when referring to the patient in
speech, clinical notes, and in written instructions to caregivers
(e.g., she/her/hers or they/them). Sex for Clinical Use, Name to Use,
Recorded Sex or Gender, and Pronouns are currently not present in the
certification criteria.
---------------------------------------------------------------------------
\181\ https://confluence.hl7.org/display/VOC/The+Gender+Harmony+Project.
---------------------------------------------------------------------------
We outline our proposals as discussed in the HTI-1 Proposed Rule to
modify the ``Demographics'' certification criterion (Sec.
170.315(a)(5)) (88 FR 23820):
We proposed to rename Sec. 170.315(a)(5) from ``demographics'' to
``patient demographics and observations,'' to acknowledge that the data
elements being proposed are broader than demographics information, as
we look to promote a more inclusive healthcare system.
We proposed to add the data elements ``Sex for Clinical Use'' in
Sec. 170.315(a)(5)(i)(F), ``Name to Use'' in Sec.
170.315(a)(5)(i)(G), and ``Pronouns'' in Sec. 170.315(a)(5)(i)(H) to
the ``patient demographics and observations'' certification criterion
(Sec. 170.315(a)(5)). This addition reflects concepts developed by the
HL7 Gender Harmony Project and help promote inclusivity in care
delivery.
We proposed to revise the terminology standards specified for
``Sex'' in Sec. 170.315(a)(5)(i)(C). Prior to issuing the HTI-1
Proposed Rule, ONC received significant feedback reflecting the need to
be more inclusive in the terminology representing the data element. As
such, ONC proposed to revise the fixed list of terms for ``Sex'' in
Sec. 170.315(a)(5)(i)(C), which are represented by HL7[reg] Value Sets
for Administrative Gender and NullFlavor in Sec. 170.207(n)(1). We
proposed to ultimately replace Sec. 170.207(n)(1) with the SNOMED
CT[reg] U.S. Edition code set proposed in Sec. 170.207(n)(2). In order
to be less disruptive to developers of certified health IT, we proposed
to provide flexibility and allow recording the element using the
specific codes represented in Sec. 170.207(n)(1) for the time period
up to and including December 31, 2025, to provide enough time to
transition their health IT systems to SNOMED CT[reg] U.S. Edition by
January 1, 2026. By having Sec. 170.207(n)(1) expire at the end of
2025 and adding Sec. 170.207(n)(2) as a requirement for Health IT
Modules certified to Sec. 170.315(a)(5) beginning January 1, 2026, we
proposed to enable health IT developers to specify any appropriate
value from the SNOMED CT[reg] U.S. Edition code set with the standard
specified in Sec. 170.207(n)(2). We proposed to require that Sex for
Clinical Use must be coded in accordance with, at a minimum, the
version of LOINC[reg] codes specified in Sec. 170.207(c)(1).
Additionally, we proposed to replace the terminology standards
specified for Sexual Orientation in Sec. 170.315(a)(5)(i)(D), and
Gender Identity in Sec. 170.315(a)(5)(i)I. ONC has received
significant feedback reflecting the need to be more inclusive in the
terminology representing each of these data elements. As such, ONC
proposed to revise the fixed list of terms for Sexual Orientation in
Sec. 170.315(a)(5)(i)(D), and Gender Identity in Sec.
170.315(a)(5)I(E), which are represented by SNOMED CT[reg] U.S. Edition
and HL7[reg] Value Set for NullFlavor in Sec. 170.207(o)(1) and (2),
and ultimately replace it with the SNOMED CT[reg] U.S. Edition code set
specified in Sec. 170.207(o)(3).
We further proposed to set an expiration date of January 1, 2026,
for the adoption of the values sets referenced in Sec. 170.207(o)(1)
and (o)(2). This allows the use of either the value sets in Sec.
170.207(o)(1) and (o)(2) or the standard proposed in Sec.
170.207(o)(3) beginning on the effective date of a final rule and
transitioning to allow only the use of the adopted standard in Sec.
170.207(o)(3) after December 31, 2025. Consistent with our policies in
sections III.A and III.C.11, developers of certified health IT with
Health IT Modules certified to criteria that reference Sec.
170.207(o)(1) or (o)(2) would have to update those Health IT Modules to
Sec. 170.207(o)(3) and provide them to customers by January 1, 2026.
We also proposed to add Sex for Clinical Use (SFCU) as a new data
element in Sec. 170.315(a)(5)(i)(F). SFCU is a category based upon
clinical observations typically associated with the designation of male
and female. It &ports context specificity, is derived from observable
information, and is preferably directly linked to &e information this
element summarizes. SFCU represents a patient's sex relevant to a
specific clinical setting. This is valuable when providing care for a
patient whose condition or treatment is dependent on their sex as
determined by observing and evaluating, for example, a patient's
hormonal values, organ inventory, genetic observations, or external
genital morphology. SFCU may differ from a patient's sex as recorded on
a birth certificate or driver's license. We further clarified, that
while there may be multiple values of SFCU tied to different events,
such as requesting a laboratory test or imaging study, we proposed to
require health IT developer be able to record at least one value of
SFCU. Additionally, in order to align with current industry practice
and to provide flexibility to health IT developers, we proposed that
health IT be capable of recording SFCU using the LOINC[reg] terminology
code set standard specified in proposed Sec. 170.207(n)(3).
[[Page 1296]]
We proposed to add new data elements Name to Use in Sec.
170.315(a)(5)(i)(G) and Pronouns in Sec. 170.315(a)(5)(i)(H),
respectively, to advance the culturally competent care for lesbian,
gay, bisexual, transgender, queer, intersex, asexual, and all sexual
and gender minority (LGBTQIA+) people. Multiple values for a given
patient may be valid over time. We require at least one value for
Pronouns and Name to Use be recorded. Additionally, in order to align
with current industry practice and to provide flexibility to health IT
developers, we proposed that health IT be capable of recording Pronouns
using the LOINC[reg] terminology code set standard specified in
proposed Sec. 170.207(o)(4).
In addition to the other data elements proposed, the HL7 Gender
Harmony Project created an element named Recorded Sex or Gender (RSG).
RSG documents a specific instance of sex and/or gender information. RSG
is considered a complex data element that includes provision for a sex
or gender value, as well as reference to the source document where the
value was found, whereas Sex is a simple data element. RSG provides an
opportunity for health IT developers to differentiate between sex or
gender information that exists in a document or record, and from Sex
for Clinical Use (SFCU) which is designed to be used for clinical
decision-making. In the HTI-1 Proposed Rule, ONC asked commenters to
evaluate two options and provide feedback regarding whether Recorded
Sex or Gender as defined by the HL7 Gender Harmony Project should be
incorporated into 170.315('')(5) ``patient demographics and
observations'' (88 FR 23820).
Comments. Some commenters did not support the proposed deadline and
instead suggested a deadline of 24 months after the effective date of
the final rule as this would be in line with the proposed
``timeliness'' provisions of the Assurances Condition and Maintenance
of Certification requirements. Other commenters specifically proposed
December 31, 2025, for the adoption of new and updated certification
criteria.
Response. We thank the commenters for the comments suggesting an
extension to the proposed effective dates. In assessing the overall
burden and proposed timeframes, we have revised the compliance dates to
allow for 24 months for compliance and finalized the adoption of Sec.
170.315(a)(5) with a compliance date of January 1, 2026. We have also
revised the ``timeliness'' requirement in the Assurances Condition to
avoid confusion.
Comments. Most commenters supported the addition of Sex for
Clinical Use, Name to Use, Sex, and Pronouns to Sec. 170.315(a)(5)
``patient demographics and observations.'' Some commenters noted that
comprehensive demographic data supports holistic understanding of
patients' background, leading to culturally competent and patient-
centered care. Commenters also encouraged ONC to continue collaborating
with the HL7 Gender Harmony Project to provide more detail regarding
the definitions and supporting terminologies--supporting the ability
for people to provide more nuanced information about themselves to best
inform care. Commenters also suggested that ONC explore how Sex for
Clinical Use could be expanded to incorporate organ inventory and
hormone levels. One commenter suggested that ONC promote Sex for
Clinical Use as a repeatable set of observations. Another commenter
suggested that the addition of Pronouns, Name to Use, and Sex for
Clinical Use would create unnecessary confusion, increased medical
risk, and religious conscience concerns. Other commenters expressed
concern that it will be difficult to collect Sex for Clinical Use as
the clinician interacting with the patient may not have the information
necessary to provide a value. Some commenters expressed concern about
the complexities of dealing with context-specific Sex for Clinical Use
data.
Some commenters expressed concern that there is not sufficient
information or guidance for programs and health IT to implement Sex for
Clinical Use, therefore it should not be included in Sec.
170.315(a)(5) ``patient demographics and observations.'' Several
commenters suggested that ONC wait to add any data elements to
``patient demographics and observations'' until the data elements are
part of USCDI. Other commenters supported the addition of Sex for
Clinical Use, Name to Use and Pronouns to the ``patient demographics
and observations'' criterion rather than USCDI, as adding to USCDI and
then SVAP would greatly slow adoption since SVAP is optional.
Response. ONC thanks the commenters expressing support for Name to
Use, Pronouns, and Sex for Clinical Use. Including ``patient
demographics and observations'' criterion in this final rule provides
time for Health IT Modules to incorporate support for capture of this
important data prior to requiring exchange.
ONC collaborates closely with the HL7 Gender Harmony project team
and as a result has finalized the descriptive data name change of ``Sex
for Clinical Use'' to ``Sex Parameter for Clinical Use'' in Sec.
170.315(a)(5)(i)(F). ONC will continue to support efforts to expand the
scope of the HL7 Gender Harmony Project to explore how more specific
information about a person's physical characteristics (e.g., organ
inventory and hormone levels) can be collected and exchanged to inform
Sex Parameter for Clinical Use. We have finalized as proposed (88 FR
23820) that the Health IT Module must be able to record at least one
value for Sex Parameter for Clinical Use for each patient and note that
there may also be multiple values tied to different events, such as
requesting a laboratory test or imaging study, allowing for and
encouraging more than one. We recognize that the Sex Parameter for
Clinical Use data element may be a new concept to some. However, we
note that developers of certified health IT have the flexibility to
configure their user interface and to capture and display these data in
clinical workflows consistent with their own design decisions.
ONC appreciates the concerns expressed by some commenters about
lack of guidance to implement Sex Parameter for Clinical Use (formerly
Sex for Clinical Use); however, at the time of this final rule, HL7 has
published updated specifications that provide specific exchange
guidance that may then inform incorporation into health IT workflows.
ONC has identified Sex Parameter for Clinical Use, Name to Use, and
Pronouns as key to implementing ONC's priorities to support health
equity and access for LGBTQIA+ communities. We have also finalized what
was proposed to specify that at least one Name to Use and Pronouns must
be recorded for each patient.
With regards to the comment suggesting that collection of these
data elements would create unnecessary confusion, increased medical
risk, and religious conscience concerns, ONC believes that these data
elements are critical to supporting healthcare, health equity, and
access for LGBTQIA+ communities. Our adoption of these data elements
will help to advance the capability of certified health IT to exchange
these data elements for use by patients and health care providers. Our
adoption of these data elements does not establish a requirement for
health care providers or patients to record or disclose this
information, or use these capabilities. As stated above, these data
elements may be new concepts to some, and ONC encourages developers of
certified health IT to work with providers to develop appropriate
workflows.
[[Page 1297]]
The ``patient demographics and observations'' criterion focuses on
data capture and storage and not the exchange of this data, which is
the focus of USCDI. Therefore, we did not accept the comment suggesting
that ONC not include the data elements in Sec. 170.315(a)(5) ``patient
demographics and observations'' until they are included USCDI.
Comments. Commenters suggested that ONC remove Sex and retain Sex
for Clinical Use because Sex for Clinical Use paired with Gender
Identity provides clear information to distinguish between a clinical
categorization of a person's sex used for clinical decision making and
a person's self-reported Gender Identity.
Response. ONC thanks commenters for their input suggesting that Sex
be removed and Sex Parameter for Clinical Use (as we have renamed Sex
for Clinical Use) be retained. However, more analysis by the health IT
community is necessary to determine the impact of removing Sex.
Therefore, ONC declines to remove Sex.
Comments. Some commenters did not support changing the title from
patient demographics to patient demographics and observations, noting
that all data described within are considered demographics. Other
commenters noted that the title change is confusing as the criterion
now includes statistical characteristics of human populations used to
identify population segments and attributes associated with a
diagnostic test or procedure.
Response. We disagree with the stated concerns and do not believe
that the certification criterion name change will be confusing to most
in the healthcare ecosystem. The addition of the word ``observations''
signals that some of the data elements in this data class may not be
statistical characteristics of human populations by all people
evaluating the certification criterion. Accordingly, we have finalized
the criterion title change as proposed.
Comments. Multiple commenters expressed concern about changing the
requirement for specific code set concepts for Sexual Orientation and
Gender Identity to a more general reference to SNOMED CT U.S. Edition.
They also questioned whether health IT developers would be compliant if
other values are exchanged such as ``unknown'' or ``asked but did not
answer.'' Other commenters supported ONC's plans to move value set
definitions out of regulatory text and delegate to industry groups. One
commenter suggested referencing specific value sets defined in the
Value Set Authority Center.
Response. ONC thanks the commenters for their input and assures
them that ONC collaborates with health IT developers to develop
specific values that may be exchanged, including those that indicate a
standard value is not available, such as ``unknown'' or ``asked but did
not answer''. The resulting value sets may be defined in the Value Set
Authority Center. Removing specific code set concepts from regulation
allows health IT developers to provide options that are culturally
relevant and may change on a cycle that is different from regulation.
Comments. Some commenters did not support the addition of Sex with
the requirement that data values be drawn from SNOMED CT U.S. Edition.
Others expressed concern that the addition of Sex may increase
confusion among senders and receivers about the various data elements
currently in use--administrative sex, administrative gender, and sex
(assigned at birth).
Response. ONC thanks the commenters for their input regarding Sex.
Health IT Modules may continue to record and exchange Sex (assigned at
birth). Historically, Sex (assigned at birth), administrative sex, and
administrative gender have been used to communicate sex which may be
used for clinical decision making when the values were obtained from a
document at some point in a patient's life or were not based on
clinical observations and should not be used for clinical decision
making. The addition of Sex allows health IT developers to exchange Sex
without relying on document context.
Comments. Some commenters suggested that ONC remove the ``patient
demographics and observations'' criterion entirely and rely on USCDI to
promote the capture, use, and exchange of patient demographic data
elements. Others suggested that all data elements listed in the
``patient demographics and observations'' criterion should be in USCDI
prior to inclusion in regulation. These commenters referenced cases
where ONC withdrew certification criteria (e.g., Problem List,
Medication List, Smoking Status).
Response. ONC thanks the commenters and acknowledges that
certification criteria have been withdrawn in the past. ONC declines to
remove the ''patient demographics and observations'' criterion or
change the scope of USCDI to include data capture and use.
The ``patient demographics and observations'' certification
criterion includes important data elements supporting underserved
communities and health equity. The USCDI scope is focused on the
exchange of data element values, whereas this certification criterion
focuses on health IT capabilities to collect and record certain data.
In some cases, the data required to be collected and recorded is not
yet in USCDI.
Comments. In the HTI-1 Proposed Rule, proposals for Sec.
170.315(a)(5), ONC asked commenters to provide feedback regarding
whether Recorded Sex or Gender as defined by the Gender Harmony Project
should be incorporated into the Sec. 170.315(a)(5) ``patient
demographics and observations'' criterion. Responses indicate there is
not agreement among interested parties, and many open issues remain
related to how and when these data should be collected. One commenter
suggested that ONC remove the Sex data element entirely and add
Recorded Sex or Gender to delineate administrative information from Sex
for Clinical Use, which is to be used when making clinical decisions.
Response. ONC thanks commenters for their thoughtful input and will
not finalize the addition of Recorded Sex or Gender to Sec.
170.315(a)(5) due to lack of community consensus. ONC will continue to
support maturation of this data element through the Gender Harmony
Project at HL7.
Comments. Some commenters encouraged ONC to work with interested
parties to provide clarity on the differences between related data
elements to ensure patients' identities are respected while important
information for clinical care is captured correctly. Specifically,
sharing this information via a patient access API, such as those
required by the CMS quality programs for health care providers under
Medicare, may cause confusion or distress to a patient. Commenters also
noted that care must be taken to ensure privacy controls are in place
to protect sensitive, granular health data. This information may be
sold or disclosed by an application developer if agreed to in the
consumer terms and agreement.
Response. We thank the commenters for their comments regarding
privacy concerns and recognize the importance of addressing the privacy
and confidentiality of sensitive information. Recognizing this, the
Program establishes the standards, implementation specifications, and
functional requirements for health IT to manage and exchange data but
does not control the collection or use of data. For more on patient
requested restrictions on sharing of their health information, we refer
readers to section III.C.10 on modifications to the ``view, download,
and transmit to 3rd party'' certification
[[Page 1298]]
criterion in Sec. 170.315(e)(1), which addresses patients' (and their
authorized representatives') ability to use an internet-based method to
request a restriction to be applied for any data expressed in the
standards in Sec. 170.213.
Base EHR Definition
We proposed to revise and update the ``demographics'' certification
criterion (Sec. 170.315(a)(5)), to rename as ``patient demographics
and observations,'' and which is included in the Base EHR definition in
Sec. 170.102 (88 FR 23821). This means Health IT Modules would need to
be updated to accommodate the additional requirements in the ``patient
demographics and observations'' certification criterion in order to
meet the Base EHR definition. We did not receive comments related to
updating the Base EHR definition to include the additional requirements
in the ``patient demographics and observations'' certification
criterion, so we have finalized this revision as proposed.
In addition, because December 31, 2022 has passed, we proposed to
revise the Base EHR definition by removing the reference to Sec.
170.315(g)(8) in Sec. 170.102 Base EHR Definition (3)(ii) and
replacing the references to Sec. 170.315(g)(10) in Sec. 170.102 Base
EHR Definition (3)(ii) and (iii) with a single reference to Sec.
170.315(g)(10) in Sec. 170.102 Base EHR Definition (3)(i). We did not
receive comments on this proposal, so we have finalized this revision
as proposed.
9. Updates to Transitions of Care Certification Criterion in Sec.
170.315(b)(1)
We proposed to replace the fixed value set for the USCDI data
element ``Sex'' and instead enable health IT developers to specify any
appropriate value from the SNOMED CT U.S. Edition code set with the
standard specified in Sec. 170.207(n)(2) (88 FR 23821). We proposed
that health IT developers can continue using the specific codes for Sex
represented in Sec. 170.207(n)(1) for the time period up to and
including December 31, 2025. We note that these dates were proposed for
the adoption of the associated standards in Sec. 170.207(n), including
the expiration of the adoption of the standard in Sec. 170.207(n)(1)
on January 1, 2026. As discussed in sections III.A and III.C.11,
developers of certified health IT with Health IT Modules certified to
criteria that reference Sec. 170.207(n)(1) would have to update those
Health IT Modules to Sec. 170.207(n)(2) and provide them to customers
by January 1, 2026. We note that, in the proposed rule regulation text
in Sec. 170.315(b)(1)(iii)(G)(3), we inadvertently included a
reference to Sec. 170.213 (88 FR 23909) instead of including Sec.
170.207(n)(2) as discussed in our proposal (88 FR 23821). ONC has not
finalized Sec. 170.213 as proposed in Sec. 170.315(b)(1)(iii)(G)(3),
as Sec. 170.213 references a version of SNOMED CT U.S. Edition that is
older than the one referenced in Sec. 170.207(n)(2). We have finalized
the reference to Sec. 170.207(n)(2) in Sec. 170.315(b)(1)(iii)(G)(3)
to include the most recent version of SNOMED CT U.S. Edition available
at the time of publication of this final rule. Health IT developers may
update to a newer version if one exists at effective date of the
criterion.
We also proposed a conforming update to Sec. 170.315(b)(1) to
update the listed minimum standard code sets for Problems in Sec.
170.315(b)(1)(iii)(B)(2) (88 FR 23821). We proposed that Health IT
Modules certified to Sec. 170.315(b)(1) use, at a minimum, the version
of the standard specified in Sec. 170.207(a)(1).
Comments. All commenters agreed with the proposal to update the
transitions of care certification criterion Sec.
170.315(b)(1)(iii)(G)(3) to include the adoption of USCDI v3 in Sec.
170.213(b). Some commenters noted that the updated criterion will allow
better inpatient--outpatient transitions, especially for community
health centers.
Response. ONC thanks commenters for their support to update the
transitions of care certification criterion to include the adoption of
USCDI v3. We have finalized the adoption of this proposal in this final
rule.
Comments. One commenter encouraged ONC to work across HHS to
enforce existing CMS and ONC requirements across products and
healthcare organizations. The commenter suggests that HHS should extend
transition of care data elements for claims data from payers to
healthcare organizations offering primary care.
Response. ONC thanks the commenter for their input. ONC will
continue to work with federal partners to promote alignment for these
data concepts.
Comments. Some commenters suggested that the date to support USCDI
v3 in Transitions of Care documents should be changed to December 31,
2025, or 24 months after the rule is finalized to allow health IT
developers time to incorporate and test USCDI v3 data elements into
Health IT Modules and develop appropriate safeguards for sensitive
personal health information.
Response. ONC appreciates concerns expressed about the proposed
date to allow for USCDI v3 adoption prior to including USCDI v3 data
elements in transition of care documents. We have finalized the
adoption of updates to Sec. 170.315(b)(1) with a compliance date of
January 1, 2026.
Comments. Some commenters expressed concern about USCDI data
element Sex and its inclusion in patient matching algorithms,
suggesting that time of birth is a better matching parameter than Sex.
Other commenters suggested that mother's maiden name (in a child's
record), birth order, and multiple birth indicators be added to the
patient matching requirement.
Response. ONC thanks commenters for their input concerning
appropriate data to include in patient matching algorithms. The
transitions of care criterion define the minimum set of data elements
to use for patient matching and does not inhibit health IT developers
from using other additional data elements.
10. Patient Right To Request a Restriction on Use or Disclosure
In the HTI-1 Proposed Rule, we noted that under the HIPAA Privacy
Rule, covered entities, as defined in 45 CFR 160.103, are required to
allow individuals to request a restriction on the use or disclosure of
their PHI for treatment, payment, or health care operations, although
it does not require covered entities to accept such requests, except in
certain limited circumstances (See 45 CFR 164.522(a)(1)) and
164.530(i)) (88 FR 23821). The HIPAA Privacy Rule also requires covered
entities to implement policies and procedures with respect to PHI that
are designed to comply with the standards, implementation
specifications, or other requirements of the HIPAA Privacy Rule,
including the individual right to request restrictions (See 45 CFR
164.530(i)(1)). We stated that we believe that certified health IT
should support covered entities so they can execute these processes to
protect individuals' privacy and to provide patients an opportunity to
exercise this right to the extent feasible. However, we also noted that
patient-directed privacy of data the patient deems sensitive requires
attention to specific technology and policy challenges, which we
recognize are not easily solved (88 FR 23821).
We proposed a new certification criterion in Sec. 170.315(d)(14),
an addition to ONC's Privacy and Security Framework under the Program
in Sec. 170.550(h), and a revision to an existing ``view, download,
and transmit to 3rd party'' certification criterion in Sec.
170.315(e)(1) to support additional tools for implementing patient
requested privacy restrictions (88 FR 23822 through 23824).
[[Page 1299]]
We proposed to adopt a new certification criterion ``patient
requested restrictions'' in Sec. 170.315(d)(14) to enable a user to
implement a process to restrict uses or disclosures of data in response
to a patient request when such restriction is agreed to by the covered
entity (88 FR 23822). This criterion was proposed specifically in
support of the HIPAA Privacy Rule's individual right to request
restriction of certain uses and disclosures (See also 45 CFR
164.522(a)). We proposed that this new criterion in Sec.
170.315(d)(14) would be standards-agnostic, allowing health IT
developers seeking to certify a Health IT Module to the criterion
flexibility in how they design these capabilities as long as they meet
the functional requirements described for certification. We
specifically intended the proposed Sec. 170.315(d)(14) to advance the
technological means to support clinicians and other covered entities
when honoring patient requests for the restriction of uses or
disclosure of PHI through certified health IT.
We proposed to add the following in Sec. 170.315(d)(14) for this
new criterion ``patient requested restrictions'':
For any data expressed in the standards in Sec. 170.213,
enable a user to flag whether such data needs to be restricted from
being subsequently used or disclosed; as set forth in 45 CFR 164.522;
and
prevent any data flagged pursuant to paragraph (d)(14)(i)
of this section from being included in a subsequent use or disclosure
for the restricted purpose.
We proposed that ``enabl[ing] a user to flag'' means enabling the
user of the Health IT Module to indicate that a request for restriction
was made by the patient and that the user intends to honor the request.
We noted that in the case of integration with a Health IT Module
certified to the revised criterion in Sec. 170.315(e)(1), that request
made by the patient could be in part automated for requests made
through an internet-based method. However, the functionality under the
proposed new criterion in Sec. 170.315(d)(14) would include the
ability for the user to indicate a request made via other means. We
noted that such ``flags'' may leverage use of security labels like
those included in the HL7 data segmentation for privacy (DS4P)
implementation guides discussed in section III.C.10.b of the HTI-1
Proposed Rule, or other data standards such as provenance or digital
signature specifications.\182\ We also noted that the use of such
standards or specifications would be at the discretion of the health IT
developer, and they would have the flexibility to implement the
``enable a user to flag'' functionality in the manner that works best
for their users and systems integration expectations.
---------------------------------------------------------------------------
\182\ For example, the USCDI v3 includes a provenance data class
(https://www.healthit.gov/isa/uscdi-data-class/provenance#uscdi-v3)
and submissions in ISA include digital signature as a potential
addition to provenance within the USCDI: https://www.healthit.gov/isa/uscdi-data/signature. Further specifications for provenance data
and digital signatures in the context of FHIR-based transactions are
also referenced in ISA: https://www.healthit.gov/isa/representing-data-provenance.
---------------------------------------------------------------------------
We proposed that the developer of a certified Health IT Module,
under the proposed standards-agnostic approach, would have the
flexibility to implement the restriction on the inclusion in a
subsequent use or disclosure via a wide range of potential means
dependent on their specific development and implementation constraints
(e.g., flagged data would not be included as part of a summary care
record, not be displayed in a patient portal, or not be shared via an
API). We proposed and sought comment on several alternatives which
would add standards to the proposed new criterion and would
specifically leverage HL7 dS4P IGs for the new criterion in Sec.
170.315(d)(14). We also proposed and sought comment on alternate
proposals that looked exclusively at the HL7 Privacy and Security
Healthcare Classification System (HCS) Security Label Vocabulary within
the HL7 dS4P IGs for a source taxonomy for the ``flag'' applied to the
data (88 FR 23822).
We also proposed to modify the Privacy and Security Framework in
Sec. 170.550(h) to add the proposed new criterion. Specifically, we
proposed to modify Sec. 170.550(h)(iii) in reference to the certain of
``care coordination'' certification criteria in Sec. 170.315(b); Sec.
170.550(h)(v) in reference to the ``view, download, and transmit to 3rd
party'' certification criterion in Sec. 170.315(e)(1); and to Sec.
170.550(h)(viii) in reference to the Sec. ``application access''
certification criteria at Sec. 170.315(g)(7) through (g)(9) and the
``standardized API for patient and population services'' certification
criterion at Sec. 170.315(g)(10).
We proposed that the new ``patient requested restrictions''
certification criterion in Sec. 170.315(d)(14) would be required for
the Privacy and Security Framework by January 1, 2026.
We also proposed a modification to the ``view, download, and
transmit to 3rd party'' certification criterion in Sec. 170.315(e)(1)
to support patients' ability to leverage technology to exercise their
right to request restrictions of uses and disclosures under the HIPAA
Privacy Rule. We proposed that a Health IT Module certified to the
criterion in Sec. 170.315(e)(1) must also enable an internet-based
approach for patients to request a restriction of use or disclosure of
their EHI for any data expressed in the USCDI standards in Sec.
170.213. Specifically, we proposed to modify Sec. 170.315(e)(1) to add
a paragraph (iii) stating patients (and their authorized
representatives) must be able to use an internet-based method to
request a restriction to be applied for any data expressed in the
standards in Sec. 170.213.
We proposed that conformance with this update to the ``view,
download, and transmit to 3rd party'' certification criterion in Sec.
170.315(e)(1)(iii) would be required by January 1, 2026, for Health IT
Modules certified to Sec. 170.315(e)(1). Consistent with our proposals
in sections III.A and III.C.11 of the HTI-1 Proposed Rule, developers
of certified health IT with Health IT Modules certified to Sec.
170.315(e)(1) would have to update those Health IT Modules to Sec.
170.315(e)(1)(iii) and provide them to customers by January 1, 2026.
We did not propose any changes to the current certification
criteria for ``security-tags--summary of-care--send'' and ``security-
tags--summary of care--receive'' in Sec. 170.315(b)(7) and Sec.
170.315(b)(8) respectively; however, we noted that the inclusion of the
proposed new certification criterion in Sec. 170.315(d)(14) into the
Privacy and Security Framework in Sec. 170.550(h) would mean that the
proposed new certification criterion would be applicable for Health IT
Modules certified to the ``security tags--send'' and ``security tags--
receive'' certification criteria as well (88 FR 23822-23823). We sought
comment on whether those certification criteria should also be directly
modified in alignment with the proposals described in this section (88
FR 23823).
We sought comment on the capabilities we have proposed for the new
criterion in relation to the HIPAA Privacy Rule individual right to
request restriction of uses and disclosures of PHI. We specifically
sought comment on whether the proposed new criterion should include
additional functions to better support compliance with the HIPAA
Privacy Rule individual right to request restriction of uses and
disclosures of PHI. We also sought comment on whether the proposed new
criterion should, for example, include capabilities to support HIPAA
Privacy Rule provisions for emergency disclosures in Sec.
164.522(a)(1)(iii) and (iv) or termination of a restriction under Sec.
164.522(a)(2).
[[Page 1300]]
We sought public comment on each part of this proposal--the new
criterion in Sec. 170.315(d)(14), the inclusion of the request
capability for patients in Sec. 170.315(e)(1), and the requirements
with the Privacy and Security Framework in Sec. 170.550(h)--both
separately and as a whole. We specifically sought comment on the
feasibility of each part in terms of technical implementation and
usefulness for patients and covered entities using these capabilities.
We sought comment on the health IT development burden associated with
implementation of the capabilities including for the individual
certification criterion referenced in the Privacy and Security
Framework in Sec. 170.550(h).
In addition, we sought comment on any unintended consequences that
the new criterion in Sec. 170.315(d)(14) or the addition to the
Privacy and Security Framework in Sec. 170.550(h) might place on
patients, clinicians, or other covered entities using certified health
IT. We sought comment on whether, and by how much, the use of this
criterion as part of broader privacy workflows might represent a
reduction in manual effort for covered entities, a positive impact on
uptake by patients, or other benefits such as supporting documentation
of restrictions as required under the HIPAA Privacy Rule in Sec.
164.522(a)(3).
Finally, we sought comment on methods by which we might quantify
the development burden and costs as well as the potential benefits or
future cost savings for the new criterion in Sec. 170.315(d)(14), the
new functionality in the existing criterion in Sec. 170.315(e)(1), and
the addition to the Privacy and Security Framework in Sec. 170.550(h).
Comments. Overall, in response to our new proposal for Patient
Requested Restrictions Criterion in Sec. 170.315(d)(14), we received
mixed input for our proposals and our alternative proposals from
interested parties. Comments ranged from full support to limited
support expressing various technical and policy considerations all the
way to full opposition because of technical, policy, and patient care
concerns. Multiple commenters expressed support for the intent behind
the proposal, noting its potential to empower patients to take
ownership of their data, while ensuring that providers are not engaging
in information blocking for automated data flows and expressed support
for the development and implementation of data segmentation technology.
Multiple commenters supported giving patients a reasonable opportunity
and the technical capability to make informed decisions about the
collection, use, and disclosure of their EHI, noting that the
functionality is increasingly necessary for ensuring patient trust.
However, in most instances where support was indicated, it was
conditional. In these instances, commenters indicated concern with the
implementation of the proposal, noting that if ONC were to finalize the
proposal then it should be mindful of numerous considerations and
challenges. Concerns ranged across many broad policy and technical
topics including but not limited to implementation feasibility,
unintended consequences such as impacts on patient safety and provider
burden, implementation timeline and approach, importance of patient
education, and intersections with existing information blocking policy
as well as the Trusted Exchange Framework and Common Agreement (TEFCA).
Multiple commenters questioned the readiness of real-world tested,
national standards and specifications for this proposal. One commenter
suggested that developers should be given flexibility in implementing
the criterion, given the breadth of activities, workflows and features
in which patient data is used. Some suggested that adopting a
standards-agnostic approach will allow health IT developers to
determine appropriate implementation in their own systems and could
lead to the future development of new, consensus-based standards
informed by robust real-world implementation experience across a broad
set of developers and health care provider organizations. However,
multiple commenters recommended the criterion be standards-based, as
based on past examples, a standards-agnostic approach would likely not
successfully lead the private sector to come to consensus on their own.
Some commenters indicated support for HL7 FHIR DS4P IG but felt it was
not clear that it has been adequately tested and deployed in the field.
Such commenters stated that ONC should move forward with support for
implementations and test them before deploying as a requirement. One
commenter indicated ONC should instead look at FHIR for future
rulemaking. Multiple commenters recommended that we focus on
establishing, with the relevant Standards Development Organizations
(SDOs) as well as other relevant groups, a common infrastructure that
enables patients to only document their consent rules once, while
having a common definition of all relevant privacy rules across US
jurisdictions. Multiple commenters recommended federally funded
connectathons and other policy-driven approaches to stimulate the
developer community to implement toward a particular use case with the
purpose of advancing standards development.
We also received comments indicating strong opposition to the new
proposal for patient requested restrictions criterion in Sec.
170.315(d)(14). Commenters opposing the proposal shared a similar
sentiment to those supporting the proposal provided certain conditions
were met. These commenters stated that it is not feasible for
developers to support every permutation on the use of data that a
patient might request and that the proposed criterion may not provide
enough control to help patients manage the complexities of their
information. Commenters highlighted the complexity of managing and
scaling a consent management infrastructure, especially across all the
data sources where the patient's data is available. Others noted this
proposal runs a high risk of allowing for a wide variety of misaligned
implementation, and some felt it would increase burden and undermine
benefits of interoperability.
Multiple commenters suggested that, if adopted, the new proposed
criterion in Sec. 170.315(d)(14) should be optional and that adoption
of the criterion within the privacy and security framework in Sec.
170.550(h) should not be required before CY 2030. Commenters noted that
significant work would be required by health IT developers, including
reconfiguration of existing EHR systems as well as other interconnected
systems related to treatment, payment and operations and that ONC
should allow for a 3-year implementation cycle, 2 years to develop,
test and certify, and at least 1 year to roll-out the proposed
criterion to customers and update workflows. In response to our request
for comment related to the development burden (88 FR 23823), commenters
estimated up to one-million hours for preliminary development and
rollout, plus additional ongoing maintenance requirements.
We received several comments regarding how to achieve policy goals
through alternative approaches and factors that should be taken into
consideration--including several that are out of scope of ONC
authorities, but informative of the need for alignment to related
privacy laws. Several commenters stated ONC should better align with
other regulators and have more explicit workflows on privacy and
patient consent before adopting this proposed certification criterion
in Sec. 170.315(d)(14). One commenter also
[[Page 1301]]
suggested that this criterion's functionality support providers
implementing information sharing practices in compliance with potential
future policies to protect sensitive health information regarding
``highly politicized lawful health care services.'' Multiple commenters
recommended introducing a functional requirement aligning with the
HIPAA right to request corrections and amendments to erroneous
information to ensure patients have an easy path to requesting
corrections or amendments to their PHI through patient portals and
APIs. They also felt that this would drive participation in
standardization efforts through independent patient-led governance
bodies. One commenter suggested that this work be funded and supported
by the institutions sharing the data and driving these exchanges, and
the commenter encouraged use of established patient-created resources
to evaluate fairness of engagement with patient communities. Several
commenters focused on our proposals in relation to other related
regulations. These commenters indicated that ONC should work with other
agencies to focus on ensuring there are streamlined and complementary
privacy regulations. They additionally commented that any new privacy
related regulation gets compared and cross referenced across existing
and pending ones to support policy alignment.
Response. We thank the commenters for their thoughtful input
addressing both the entirety of the proposals and specific areas of
concern. As noted in the HTI-1 Proposed Rule (see, for example, 88 FR
23821), we proposed requirements for Health IT Modules certified under
the Program to support workflows and specifications that would enable
an individual to exercise their right to request restriction of uses
and disclosures under the HIPAA Privacy Rule. We expressed our concerns
about feasibility, timelines, and the overall complexity of the
workflows and the related capabilities associated with this right as
well as our intent to propose several options for consideration by the
healthcare and health IT communities. Based on the mixed input we
received on the proposed new criterion in Sec. 170.315(d)(14) and the
inclusion of the criterion in the privacy and security framework in
Sec. 170.550(h), and the strong concerns regarding its implementation
feasibility by interested parties opposing these proposals, we have
concluded that we should not finalize the proposals at this time. Our
decision to not finalize the criterion in Sec. 170.315(d)(14) is
informed by the range of comments expressing concern with successfully
implementing the proposal. In particular, there was no clear consensus
on whether and how to proceed either with immature and untested
standards or without the required use of specific standards for the
certification criterion at Sec. 170.315(d)(14). We agree with the
concerns on the high risk of allowing Health IT Modules to implement a
wide variety of misaligned standards and implementation specifications,
as well as increased burden on developers of certified health IT, care
providers, health information exchange networks, and a high probability
of confusion for patients.
We note that those supporting our proposals for Sec.
170.315(d)(14) did so to varying degrees, often extending conditional
support while raising the same broad technical and policy
considerations and concerns as those opposed to the proposal. Outright
support on Sec. 170.315(d)(14) as proposed, or for the various
alternate proposals, was not as common as conditional support or
opposition. The specific suggestions for such conditional support were
varied and would introduce substantial additional detailed
specification well beyond the scope of our proposal and the standards
in the alternate proposals. Based on this input, there is no clear and
consistent approach at this time to effectively address all commenter
concerns. Therefore, we have not finalized the specific proposal to
adopt a new certification criterion in Sec. 170.315(d)(14). We also
have not finalized corresponding modifications related to this proposed
criterion's in ONC's Privacy and Security Framework in Sec.
170.550(h). We will continue to encourage and engage with industry and
standards development community efforts to advance standards supporting
privacy workflows and to monitor the continued evolution of the HL7
DS4P IGs to consider new criteria in future rulemaking.
In consideration of those commenters who articulated full support,
we recognize the importance of empowering patients to take ownership of
their data and continue to support efforts to develop the technical
capability for patients to leverage certified health IT to take
affirmative action regarding the collection, use, and disclosure of
their EHI. We note that we have maintained the existing criteria in
Sec. 170.315(b)(7) and Sec. 170.315(b)(8) which support the
application and persistence of security labels for document-based
exchange and reference the standards adopted in Sec. 170.205(o)(1),
the HL7 Implementation Guide: Data Segmentation for Privacy (DS4P),
Release 1 (HL7 CDA DS4P IG) incorporated by reference in Sec. 170.299.
These two criteria require a Health IT Module to (1) enable a user to
create a summary record that is tagged as restricted and subject to
restrictions on re-disclosure and (2) enable a user to receive a
summary record that is tagged as restricted and subject to restrictions
on re-disclosure and to preserve privacy markings. The use of Health IT
Modules certified to these two criteria can support privacy and
security labels based on consent and with respect to sharing and re-
disclosure restrictions. As noted, these existing criteria utilize the
HL7 CDA DS4P IG, and include the use of the taxonomy of reference (HCS
Security Label Vocabulary) for the purposes of applying and identifying
standardized security labels on health information at the document,
segment, or data element level. These existing certification criteria
can be leveraged during transitions of care and sending/receiving
summary of care records (i.e., combined with Health IT Modules
certified to Sec. 170.315(b)(1)) and we encourage purchasers of
certified health IT to explore the use and incorporation of these
capabilities in their Health IT Modules.
We recognize the concerns of both commenters supporting the
application of standards and those identifying a lack of readiness and
gaps in the standards for the disposition of a disclosure request based
on our proposed new criterion. We also recognize those commenters who
advised a longer implementation timeline to refine and test standards.
While we considered delaying the implementation of our proposal to
2030, or beyond, we believe that Health IT Modules certified to Sec.
170.315(b)(7) and (b)(8) that use the HL7 CDA DS4P IG may serve as a
balanced approach to address these disparate concerns by applying the
standard where feasible, while allowing broad flexibility for health IT
developers to implement functionalities where the standard is silent on
core processes. We will continue to monitor uptake of the existing
certification criteria at Sec. 170.315(b)(7) and Sec. 170.315(b)(8),
as well as continue to work with the healthcare, health IT, and
standards community to advance and evaluate the readiness and potential
adoption in future rulemaking of the related HL7 FHIR DS4P IG, which is
intended to support the same security label taxonomy (HCS Security
Label Vocabulary) for health information
[[Page 1302]]
exchange via standards-based APIs using the FHIR standard.
Comments. We received many comments in relation to our proposal to
update the existing ``view, download, and transmit to 3rd party''
certification criterion in Sec. 170.315(e)(1), to add Sec.
170.315(e)(1)(iii) to support additional tools for implementing patient
requested privacy restrictions (88 FR 23822 through 23824) through the
inclusion of an ``internet-based'' method for patients to request a
restriction. Commenters were overwhelmingly supportive of the proposal
to provide a means for patients to make a restriction request via
Health IT Module. However, commenters expressed a wide range of related
concerns ranging from the documentation of the request to potential
consequences to consider when processing a patient's requests for
restriction.
One commenter expressed concern that the HIPAA Privacy Rule does
not (with certain exceptions) require a covered entity to restrict
disclosure of an individual's PHI if so requested. Instead, the covered
entity is required to have a process for approving or denying the
request, and that decision is not under the individual's control. One
commenter recommended that the certification criterion respect the
individual's request for privacy regardless of the covered entity's
perspective. However, another commenter noted that requiring the
covered entity's approval ensures that important health information is
still available when medically necessary while balancing patient
privacy and security concerns. One commenter stated that clinicians may
have a better understanding than individuals regarding which health
data is relevant for their care. Commenters also expressed concern
regarding an obligation to accept an individual's request for
restriction. One commenter questioned how the lack of restriction on
timelines for the request--such as the lookback period for the data or
the length of time for which the restriction would be applicable--could
impact the clinician's ability to make a reasoned judgment. Another
commenter expressed a number of legal concerns relating to concerns
that clinicians may have to defend refusals to comply with a patient's
request for restriction, or that compliance with the patient's request
which could place them in legal jeopardy for fraud, professional
misconduct, or criminal charges.
Response. We thank the commenters for their input and support of
our proposal to include an internet-based method for an individual to
request restriction of uses and disclosures consistent with their right
under the HIPAA Privacy Rule. We have finalized this proposed revision
to the existing ``view, download, and transmit to 3rd party''
certification criterion in Sec. 170.315(e)(1) to support additional
tools for implementing patient requested privacy restrictions (88 FR
23822 through 23824) through the inclusion of an ``internet-based''
method for patients to request restriction. Specifically, we have
finalized in Sec. 170.315(e)(1)(iii) a requirement that Health IT
Modules support patients (and their authorized representatives) to use
an internet-based method to request a restriction to be applied for any
data expressed in the standards in Sec. 170.213. We have also
finalized that conformance with this paragraph is required by January
1, 2026.
In response to comments on whether a patient or health care
provider may be best suited to determine if data should be private, or
a covered entity's obligation to accept a patient's request, we
reiterate our statement from the HTI-1 Proposed Rule that our intent is
to advance technologies that support requirements already extant under
the HIPAA Privacy Rule (88 FR 23821). In the HTI-1 Proposed Rule, we
described that the HIPAA Privacy Rule provides individuals with several
rights intended to empower them to be more active participants in
managing their health information. These include the right to access
certain health information maintained about the individual; the right
to have certain health information amended; the right to receive an
accounting of certain disclosures; the right to receive adequate notice
of a covered entity's privacy practices; the right to agree or object
to, or authorize, certain disclosures; the right to request
restrictions of certain uses and disclosures; and provisions allowing a
covered entity to obtain consent for certain uses and disclosures.
Under the HIPAA Privacy Rule, covered entities as defined in 45 CFR
164.530(i) are required to allow individuals to request a restriction
on the use or disclosure of their PHI for treatment, payment, or health
care operations and to have policies in place by which to accept or
deny such requests (See 45 CFR 164.522(a)(1)(i)(A) and (B)). The HIPAA
Privacy Rule does not specify a particular process to be used by
individuals to make such requests or for the entity to accept or deny
the request. However, we believe that certified health IT should--to
the extent feasible--support covered entities so they can execute these
processes to protect individuals' privacy and to provide patients an
opportunity to exercise this right (88 FR 23821).
We further stated that identifying which health data are defined as
``sensitive'' may vary across federal or state laws and may further
vary based on an individual's perspective. Thus, the concept of
``sensitive data'' is dynamic and specific to the individual. Patient
populations that have historically been subject to discrimination may
identify a wide range of demographic information as sensitive,
including race, ethnicity, preferred language, sex, sexual orientation,
gender identity, and disability status--or patients may want to
restrict health data that they view as sensitive, such as behavioral
health or reproductive health-related data. These considerations from
an individual's perspective may not always coincide with a health care
provider's perspective. However, we believe that facilitating the
ability of a patient to request such a restriction, in addition to
addressing patient considerations, may also provide additional context
for health care providers engaged in discussions with patients about
their health information, sensitivities, and related concerns.
In response to commenters expressing concerns with timelines
associated with requests, we decline to specify any limitations and
note that a health care provider might include an option for an
individual to specify such information as a part of the internet-based
method for requests in Sec. 170.315(e)(1).
For commenters expressing concerns related to legal liabilities, we
reiterate that ONC certifies capabilities of Health IT Modules to
perform specific functions, in many circumstances using specific
standards. These are generally restricted to technical standards and
capabilities. The user of the technology may also need to comply with
certain requirements established by federal, state, territory, local or
tribal law. Our intent for finalizing a technical means for individuals
to request a restriction on their data is to advance tools that support
privacy laws, including the HIPAA Privacy Rule right to request a
restriction of certain uses and disclosures.
We note that the revision adding an internet-based method to make a
request that we have finalized as part of Sec. 170.315(e)(1) only
supports one component of the HIPAA Privacy Rule. As noted in the HTI-1
Proposed Rule, we emphasize that use of a Health IT Module certified to
revised criterion in Sec. 170.315(e)(1) would not, by itself, fully
discharge a covered entity's obligations
[[Page 1303]]
under the HIPAA Privacy Rule to allow an individual to request
restriction of the use or disclosure of their PHI for treatment,
payment, or health care operations or to have policies in place to
address such requests (88 FR 23826). Further, use of any such certified
Health IT Module would not discharge the obligations of a covered
entity to meet any other requirements under 45 CFR 164.522. In
addition, there may be other applicable laws that affect the exchange
of particular information, and those laws should be considered when
developing policies that provide individuals with more granular control
over the use or disclosure of their PHI.
Comments. Several commenters expressed support for a patient's
ability to manage various aspects related to their restriction
requests. Multiple commenters noted that patients should be able to
allow data use/exchange with some parties but not others and be able to
decide the timing to safeguard patient autonomy and mitigate
criminalization risk. Commenters also suggested that the patient should
be able to define when a treatment relationship exists with a provider
and only allow exchange with those providers who qualify, without
explicit consent from the patient. One commenter noted that patients
should be able to group data by type or encounter/procedure date or any
criteria the patient wishes to impose on data use and exchange. Another
commenter recommended allowing patients to decide how long they would
like to restrict sensitive data from being shared. Another commenter
suggested that we introduce certification requirements focused on
granting health care providers the option to segment entire discrete
sensitive notes, which allow clinicians to limit access to notes that
patients consider sensitive, in a fully self-contained way.
With regards to recording patient requests for restriction, we
received comments related to the inclusion of additional, relevant
information. One commenter sought clarification on whether the
requirement includes providing a standard way for a patient to state
the purpose for a particular restriction. One commenter highly
recommended that we include a certification criterion for the
``tracking of patient privacy and disclosure requests'' and another
suggested that the concepts ``request for restriction was made'' and
``request for restriction was granted'' be separated in the
requirements, recorded, and permanently associated with the related
data. They also recommended that if a request is denied, a rejection
reason should be required, retained, and exchanged alongside the
related data so the next recipient of the data could potentially decide
how to respond to the patient request.
Response. We thank the commenters for their input and advocacy on
behalf of patients. In the HTI-1 Proposed Rule, we did not include
proposals for Sec. 170.315(e)(1) to add specific requirements on the
format of the ``internet-based method'' individuals to request
restrictions. We also did not specify additional functionality beyond
the capability for patients (and their authorized representatives) to
use an internet-based method to request a restriction to be applied for
any data expressed in the standards in Sec. 170.213. For example, we
did not propose that the function must enable individuals to
specifically identify different access roles for individual care team
members or that patients be enabled to group health information in
different ways, such as by type or encounter/procedure, or that
patients be provided the option to segment entire discrete sensitive
notes. We proposed an approach that, at minimum, would support a method
for patients to request restrictions on PHI uses and disclosures
through means related to the function supporting their ability to view,
download, or transmit to a 3rd party their health information using
certified health IT. We also did not propose specific terminologies to
be used for the recording, disposition or notification of acceptance or
denial of such requests. We appreciate the insights into enhanced
functionalities and the related recording of data associated with such
request, but such additional requirements would constitute a
significant deviation from the proposed functionality. We do not
believe that our proposals represent sufficient notice of the intent to
add such requirements in this final rule. However, we will continue to
engage with the health IT, standards, health care provider, and patient
advocacy communities and to encourage innovative approaches to
implementation of the adopted criteria and standards, as well as
advancement of additional interoperable privacy standards and
functionality. We will also monitor and analyze approaches by health IT
developers for real world implementation of the revised criterion, and
will consider such information to inform further modifications in
future rulemaking.
We further note that, while we have not finalized the inclusion of
additional capabilities or the application of a specific standard,
there are obligations imposed on covered entities under the HIPAA
Privacy Rule, if they agree to the requested restrictions, which this
functionality may partially support, that health IT developers may
consider supporting in related capabilities. For example, the HIPAA
Privacy Rule prohibits a covered entity that agrees to a restriction
request to use or disclose PHI in violation of such restriction except
in certain limited circumstances. We encourage developers of certified
health IT certifying Health IT Modules to the revised criterion in
Sec. 170.315(e)(1) to consider if there are methods that additional
health IT tools could integrate with such Health IT Modules to
facilitate these processes. In addition, while we did not propose and
have not finalized the use of a standard for the use of security
labels, we note that the HL7 CDA DS4P IG adopted in Sec. 170.205(o)
and the HCS Security Label Vocabulary that is referenced as part of the
HL7 CDA DS4P IG are valuable health IT implementation resources for
these purposes. As described in the HTI-1 Proposed Rule (88 FR 23824),
the HCS Security Label Vocabulary could serve as the basis for a
format-agnostic and transport-mechanism-agnostic standard for the
application of security labels and to define the general instructions
for security labels for a wide range of use cases including patient
requested restrictions. While we are not requiring the use of the HCS
Security Label Vocabulary within the revised criterion in Sec.
170.315(e)(1), we recommend health IT developers consider its
applicability for this purpose. We further note that the existing
criteria ``security tags- summary of care send and receive'' in Sec.
170.315(b)(7) and (b)(8) for sending and receiving summary of care
records with security labels applied at the document, segment, or data
element level would potentially support the capabilities commenters
describe, including, for example, the ability to label a clinical note
in the C-CDA as sensitive.
Comments. ONC also received several comments related to health
equity and the need for patient-specific education about privacy
restrictions. Multiple commenters recommended explaining specific
aspects of the proposed functionality to patients such as, how it
facilitates individual rights under the HIPAA Privacy Rule, how data is
used to improve individual and population outcomes, and the proper role
of health IT in protecting the security and privacy of health
information. Multiple commenters also recommended providing counseling
to patients regarding benefits and risks of restricting data and the
impact on their
[[Page 1304]]
healthcare outcomes and safety. These comments focused on empowering
patients with more granular privacy controls while noting that health
literacy is an important part of such control in order to avoid
disparities in privacy protection and on overall care quality. These
commenters also identified that a person may not share sensitive health
data if they do not understand the options for data sharing. One
commenter suggested that we clarify if and how patients should be
informed about functionality, specifically regarding the ability to
request a restriction in multiple ways and with different levels of
granularity (rather than just having the binary choice to either share
or to not share data globally). Some commenters expressed concern that,
if presented with complex data-element sharing options, patients may
get confused and simply decide against sharing any data. Another
commenter suggested that patients also need to be informed that their
requests may be denied. Multiple commenters recommended that we add a
requirement that patient-facing certified Health IT Modules include the
capability to provide educational materials regarding the patient's
options about disclosure and instructions regarding how to change
disclosure limitations. Other commenters additionally highlighted the
importance of patient education and health literacy, particularly for
older-adult and disabled patients who may struggle with cognitive
impairments or behavioral health issues. Finally, commenters sought
clarification on whether the patient will be informed about who will be
notified of restriction requests, as some may be concerned about
negatively impacting their relationship with their providers and/or
healthcare institutions.
In addition to patients, multiple commenters suggested that we
provide education and guidance to providers, developers, and the
industry as a whole. One commenter noted that provider organizations
often do not have a clear mechanism for making patient restriction
requests or know how to process/adjudicate/implement them if they do
receive requests. Another commenter suggested that the industry will
also need significant additional guidance and infrastructure. One
commenter suggested that health IT developers should receive guidance
regarding standards for developing a process for patient restriction
requests. Another commenter noted that without a robust communication,
education, and engagement effort, many entities essential to
implementing the final rule at medical practices, hospitals, and health
systems will be left out. Another commenter recommended that we
consider the use of an implementation guide in future rulemaking, and
one commenter requested that we provide full guidance on what different
types of information should be flagged and how such flags would be
addressed in FHIR resources.
Some commenters indicated ONC should provide education and work to
clarify how this proposal is balanced with information blocking
requirements. One commenter noted that confusion about information
blocking often results in compliance officers, administrative
personnel, in-house attorneys, and policy consultants misinterpreting
regulations. They relayed feedback that some health IT developers
refuse to provide patients or physicians granular controls over medical
information. The commenter noted that compliance with the information
blocking regulation is overriding compliance with other, more
protective laws and rules, and they recommend that we adequately
educate those involved in interpretating, implementing, and
operationalizing our policies. Another commenter also requested that we
address overlaps with information blocking, how and when to implement
Notices of Privacy Practices by providers, and other healthcare
workflow considerations that could allow this criterion to be
misinterpreted and potentially abused. A commenter also stated that
patients should be educated about information blocking and that patient
facing tools should be held to similar requirements for access,
privacy, and security as certified health IT products.
Response. We thank the commenters for the thoughtful consideration
of the impacts of our proposals. As we noted in the HTI-1 Proposed Rule
(see, for example, 88 FR 23748), health equity considerations are a
driving force behind our proposals. We described the importance of
expanding the interoperability of health data that is essential to
identifying health disparities, measuring quality, addressing gaps in
care access and outcomes, providing patient-specific preventative care
and intervention, and supporting researchers in their ability to
address the risk of unintended bias in clinical guidelines that may
exacerbate disparities (88 FR 23821). We also described how important
it is to ensure that with the expansion of exchange of granular health
equity data comes expanded needs for thoughtful and deliberate privacy
policies to support and protect patients (88 FR 23821). We discussed
how ONC has specifically focused on how health IT can support efforts
to reduce healthcare disparities and provide both insights and tools
for the purposes of measuring and advancing health equity. This
includes specific steps to expand the capabilities of health IT to
capture and exchange data that is essential to supporting patient-
centered clinical care that is targeted to supporting a patient's
unique needs (88 FR 23821). We believe that patients should be
empowered to make such decisions for themselves, and that support or
education from clinicians might most appropriately be based on clinical
impacts and considerations rather than a perceived lack of patient
understanding or competency to make informed decisions.
We appreciate commenters suggestion that to fully implement the
range of potential rights afforded by the HIPAA Privacy Rule,
additional guidance, infrastructure, and standards development is
needed to process for patient restriction requests. While we agree with
the need for future work on technical specifications and implementation
guides, we note that the behavior of covered entities and their role in
patient education related to the HIPAA Privacy Rule or other privacy
laws is outside the scope of ONC Certification Criteria for Health IT.
We encourage covered entities using certified health IT to review and
follow the obligations defined under the HIPAA Rules and other
applicable laws and programs. We likewise encourage all actors who are
required to comply with the HIPAA Rules, whether as HIPAA covered
entities or business associates, to know and to comply with all of
their obligations under the HIPAA Rules. In response to the comment
indicating concern for ONC to extend adequate education on information
blocking, we note our deliberate focus on developing accessible, user-
friendly resources to help inform the effective implementation of these
policies. This includes, but is not limited to, Frequently Asked
Questions, recorded national webinars, and infographics all accessible
on the ONC website.\183\ For discussion of the relationship of privacy
laws, including the HIPAA Rules and other laws, to the information
blocking regulations, please see section IV.A of this final rule.
---------------------------------------------------------------------------
\183\ ONC website: HealthIT.gov ``Information Blocking''.
https://www.healthit.gov/topic/information-blocking.
---------------------------------------------------------------------------
Finally, we appreciate commenters' suggestions about ONC's role in
educating patients about health IT capabilities and standards as they
relate
[[Page 1305]]
to the privacy and security of health information. We are committed to
continued public engagement for that purpose.
Comments. We received mixed feedback on the implementation timeline
proposed for health IT developers to comply with any new or revised
criteria. In general, commenters (both those opposed to and those
supportive of the implementation timelines proposed) address the
proposed timelines for updates to the criterion in Sec. 170.315(e)(1)
within the context of the implementation burden for that proposed
revision and the proposed new criterion in Sec. 170.315(d)(14)
together. Multiple commenters expressed concerns that the overall
implementation timeline is too aggressive. One commenter noted that if
the scope of the proposed new and revised criteria were not narrowed
and a holistic effort to also address updates to consent policies is
not pursued, a significantly longer implementation period will be
required (i.e., four years or longer). Commenters consistently noted
that a development project for the revised criterion in Sec.
170.315(e)(1) in addition to the proposed new criterion in Sec.
170.315(d)(14) would likely require two to three years to code and test
and another one to two years for healthcare organizations to implement.
Some commenters shared feedback regarding how to make the proposed
implementation timeframe more feasible. Multiple commenters suggested
that if we narrow the scope to a limited set of USCDI v3 data elements
in Sec. 170.315(e)(1) for which restrictions can be requested and
clearly and narrowly define the set of restrictions that certified
health IT must support (e.g., restricting the specified data from being
accessed by proxy users of the patient portal) in the proposed
criterion in Sec. 170.315(d)(14), two years from the publication of a
final rule would be feasible. Another commenter requested that we take
an incremental approach and start with a low risk, target use case for
the effective date of January 1, 2026. This would allow developers and
providers to test, learn from and build on this capability over time at
both the developer and user levels to address potential issues and
risks.
Conversely, some commenters felt the timeframe would be difficult
to operationalize and expressed concerns regarding the implementation
timeline as being too aggressive. Multiple commenters noted that the
proposed criterion would not be finalized until after the development
and finalization of the USCDI v3, which ONC released July 2022, so
there would not be perfect alignment between the use of USCDI v3 and
the applicability of our proposed new and revised criteria. Some
commenters recommended that ONC should have a constrained scope of
USCDI subject to the tagging and to start with a more focused set of
the most relevant data elements in the USCDI thus excluding certain
sensitive data from what is shareable from within the USCDI until the
criterion is fully operationalized. Commenters encouraged ``control''
or ``consent'' as an over-arching principle to be timed along with
USCDI's expansion to more person-centered information and concepts.
Commenters noted this alignment is essential for EHR developers to have
the incentive to give users control over their preferences and for
physicians be able to honor patients' expressed preferences related to
sensitive, life-changing, or abnormal results. In one instance, a
commenter also indicated that if ONC were to finalize this proposal
then it should reconsider implementation to an earlier requirement date
of January 1, 2024, to ensure that operationalizing patient requested
restrictions is an immediate priority for software developers if
finalized.
Response. We thank the commenters for their input and consideration
of implementation needs and challenges. As previously noted, we have
not finalized the proposed new criterion at Sec. 170.315(d)(14) nor
the corresponding changes to Sec. 170.550(h). We have only finalized
the revisions to the criterion in Sec. 170.315(e)(1). We believe that
the reduced scope of the changes we have finalized--focusing on the
revised criterion in Sec. 170.315(e)(1) and outlining our commitment
to encourage the further adoption, use, and advancement in support of
numerous care settings and use cases of the existing criteria in Sec.
170.315(b)(7) and (b)(8) for sending and receiving health information
with security labels--should help mitigate the concerns over scale,
implementation timeframes, and feasibility. We also believe this
approach is appropriate to supporting the advancement of health IT for
privacy workflows that place importance on the need to empower patients
with agency and control of their data, while acknowledging real
challenges, including but not limited to scale and feasibility, as
described earlier including from those in support of our proposals. We
also agree with commenters that the revisions to the criterion in Sec.
170.315(e)(1) for use of the USCDI v3 are finalized to occur at the
same time as the revisions to the criterion in Sec. 170.315(e)(1)
described in this section. We have finalized that these revisions to
the criterion in Sec. 170.315(e)(1) align with the updates made to
USCDI, as discussed in section III.C.1 of this final rule, so that the
functionality is synchronized with the USCDI v3 including any new or
updated data elements.
We have finalized our proposal to revise the criterion in Sec.
170.315(e)(1) as proposed, with the specific revision in Sec.
170.315(e)(1)(iii). Pursuant to other policy decisions discussed
elsewhere in this final rule on compliance timing, we have adopted our
proposal that conformance with this new paragraph will be required for
Health IT Modules certified to Sec. 170.315(e)(1) by January 1, 2026.
11. Requirement for Health IT Developers To Update Their Previously
Certified Health IT
In the HTI-1 Proposed Rule, we proposed to make explicit in the
introductory text in Sec. 170.315 that health IT developers
voluntarily participating in the Program must update their certified
Health IT Modules--including when new standards and capabilities are
adopted--and provide that updated certified health IT to customers in
accordance with the timelines defined for a specific criterion or
standard where included, such as via cross-reference, in Sec. 170.315
(88 FR 23827). We proposed that health IT developers with health IT
certified to any of the certification criteria in Sec. 170.315 would
need to update their previously certified Health IT Modules to be
compliant with any revised certification criterion adopted in Sec.
170.315 (please see section III.A.2 of this final rule for discussion
of the adopted definition of revised certification criterion (or
criteria)), including any certification criteria to which their Health
IT Modules are certified that reference new standards adopted in 45 CFR
part 170 subpart B, and capabilities included in the revised
certification criterion. Health IT developers would also need to
provide the updated health IT to customers of the previously certified
health IT according to the timelines established for that criterion and
any applicable standards (88 FR 23827).
We noted that in addition to supporting the goals of the Program,
we believe this approach will help to advance interoperability. We
stated that requiring health IT developers who voluntarily participate
in the Program to update Health IT Modules to revised certification
criteria (including new and revised standards) can help to advance
capabilities for access, exchange, and
[[Page 1306]]
use of EHI for authorized use under applicable State or Federal law. In
addition, we explained that ensuring health IT developers voluntarily
participating in the Program provide such updates to customers will
help to enable the secure exchange of EHI with, and use of EHI from,
other health information technology without special effort on the part
of the user. We also stated that the proposed timelines serve to
support clear and transparent benchmarks for furthering
interoperability throughout the health IT infrastructure (88 FR 23827).
We explained that the updates to criteria may include technical
capabilities such as security enhancements or additional electronic
transactions not previously supported for a criterion. These updates
may also include an expansion of the data supported by content,
vocabulary, and format standards to increase the scope of interoperable
EHI (88 FR 23827). The adoption of USCDI v3 and its incorporation into
certification criteria through updates to those criteria, as finalized
in this rule, means that certified health IT systems will be able to
support representation of this health information in a standardized
computable format. Updating current systems to incorporate these data
elements and providing updated certified health IT to customers would
allow users of certified health IT to begin to access, exchange, and
use such data without special effort. Over the long term, this
advancement of interoperability for certified health IT systems may
also have a positive impact on the availability of this essential data
and the capability to access, exchange, and use this data across a
nationwide health IT infrastructure--including for purposes not yet
specifically supported by certified health IT such as clinical research
(88 FR 23827).
Comments. Commenters outlined concerns regarding the definition of
``provide'' and, specifically, the preamble language that states,
``[we] propose that to `provide' the product means the developer must
do more than make the product available and there must be demonstrable
progress towards implementation in real-world settings.'' Commenters
expressed confusion about what ``demonstrable progress towards
implementation in real-world settings'' means and suggested ONC clearly
define this phrasing. Commenters also mentioned concerns about how the
responsibility of implementing or upgrading to health IT meeting the
revised certification requirements ultimately lies with the provider
and not the developer.
Response. We thank commenters for their input. We appreciate that
the responsibility of implementing a Health IT Module is not solely on
the developer. With this final rule, as discussed below, we recognize
the potential for variation in how implementation of certified health
IT proceeds, including implementation consistent with the agreements,
contracts, and licenses that exist between health IT developers and
their customers of certified health IT. Overall, our proposed approach
is not new or exclusive to the proposed updates in the HTI-1 Proposed
Rule, but rather is consistent with the approach ONC adopted for the
ONC Cures Act Final Rule updates to the 2015 Edition certification
criteria (85 FR 25664). From the effective date of the ONC Cures Act
Final Rule through December of 2022, and based on the programmatic
technical assistance, developers of certified health IT successfully
updated their technology and provided it to customers.\184\ However, as
discussed in the HTI-1 Proposed Rule, ONC used the terms ``provide''
and ``make available'' interchangeably in the ONC Cures Act Final Rule,
and subsequent technical assistance (including through correspondence
and via public forums) was required to support clarity and achieve that
transition (88 FR 23828). We also noted in the HTI-1 Proposed Rule that
``provide'' does not imply that the Health IT Module must be in
production use across all customers (88 FR 23828). Under this
clarification for the term ``provide,'' we have finalized as proposed
that ``provide'' does not mean that the Health IT Module must be in
production use across all customers. We encourage developers of
certified health IT to provide updated Health IT Modules to their
customers--and support them in their implementation of such updated
modules--in the manner most appropriate to support safety, security and
interoperability across settings and systems.
---------------------------------------------------------------------------
\184\ See ONC Achieving a Major Milestone: Health IT Developers
Certify to Cures Update https://www.healthit.gov/buzz-blog/health-it/achieving-a-major-milestone-health-it-developers-certify-to-cures-update.
---------------------------------------------------------------------------
It is beneficial or necessary to further define ``demonstrable
progress toward implementation in real world settings'' as the phrasing
or concept is not part of the finalized regulatory definition of
``provide.'' As noted by commenters, the phrasing/concept introduces
additional confusion over what might constitute demonstrable progress
and whether implementation includes production use.
We stated in the HTI-1 Proposed Rule, and continue to maintain,
that we do not intend for ``provide'' to mean either that customers who
no longer wish to use a certified Health IT Module must be provided the
update or that customers who do choose to use an updated certified
Health IT Module must have the updated Health IT Module in production
use by the timelines established for the health IT developer (88 FR
23828). We note that there are a number of instances in which a health
IT developer will have updated the Health IT Module, but the customer
may have declined the update. This can occur when the customer is not
yet ready to implement new functionalities, standards, and/or
workflows, or when the customer decides that the functionalities,
standards, and/or workflows are not relevant to their clinical
practice.
With consideration of the above explanations, we have finalized the
term ``provide'' with a further clarification that ``provide'' is
binary. That is, the updated Health IT Module is either provided to
customers (respective of customer choice) by the timeline established,
or it is not. Further and accordingly, we have also finalized that a
health IT developer must update a Health IT Module as described and
provide customers with updated Health IT Modules in order to maintain
certification of the Health IT Module. Consistent with the definition
of interoperability and the Assurances Condition and Maintenance
requirements discussed in section III.D, the certified Health IT Module
must be able to support all the capabilities to which it is certified,
and such capabilities must be provided to the customer for use without
special effort by the end of the regulatory specified timelines.
We also note that we proposed to include the definition of
``provide'' in Sec. 171.102, which stated that ``Provide is defined as
it is in Sec. 170.102.'' We did not intend to define ``provide'' in
part 171 of the HTI-1 Proposed Rule. Therefore, in this final rule, we
have not finalized the revision to add the definition of ``provide'' in
Sec. 171.102.
We have finalized in Sec. 170.315 for all revised certification
criteria and in 45 CFR part 170 subpart B for each applicable standard,
as proposed, that a Health IT Module may be certified to either the
existing certification criterion or the revised certification criterion
until the end of the transition period when the prior standard(s) and/
or certification criterion no longer meet certification requirements.
During this time period, existing customers may
[[Page 1307]]
continue to use the certified health IT they have available to them and
can work with their developers to implement updates in a manner that
best meets their needs consistent with the established regulatory
timeframes. Finally, as with the 2015 Edition Cures Update, in order to
support effective communication of the updates, we will implement a
practical approach to facilitate transparency using the Certified
Health IT Product List (CHPL),\185\ which is the tool that health care
providers and the general public may use to identify the specific
certification status of a certified health IT product at any given
time, to explore any certification actions for a product, and to obtain
a CMS Certification ID for a product, which is used when participating
in some CMS programs.
---------------------------------------------------------------------------
\185\ ONC Certified Health IT Product List: https://chpl.healthit.gov.
---------------------------------------------------------------------------
Comments. Commenters voiced concerns about how the HTI-1 Proposed
Rule aligns with CMS's Promoting Interoperability Program--
specifically, the impact on the timing of when hospitals and clinicians
implement or upgrade an EHR in order to comply with CMS regulations.
Response. We thank commenters for their feedback. We have worked
closely with CMS for more than a decade to ensure alignment between our
Program and CMS programs, including the Medicare Promoting
Interoperability Program and the Quality Payment Program (these
programs incorporate the programs previously known as the EHR Incentive
Payment Programs, or ``Meaningful Use'') and we will continue to do so
moving forward. For example, CMS finalized in the CY 2021 PFS final
rule (85 FR 84815 through 84828) that health care providers
participating in the Medicare Promoting Interoperability Program and
eligible clinicians participating in the Quality Payment Program must
use certified health IT that satisfies the definitions of CEHRT at 42
CFR 495.4 and 414.1305, respectively, and is certified under the
Program, in accordance with the 2015 Edition Cures Update, as finalized
in the ONC 21st Century Cures Act Final Rule (85 FR 25642).
As part of the CY 2024 PFS Final Rule, CMS finalized revisions to
the definitions of CEHRT in Sec. Sec. 495.4 and 414.1305 for the
Medicare Promoting Interoperability Program and for the Quality Payment
Program (88 FR 78308 through 79312) in a manner consistent with the
``edition-less'' approach to health IT certification that we proposed
in the ONC HTI-1 Proposed Rule. This included removing references to
the ``2015 Edition'' in the CEHRT definition, and that in order to meet
the CEHRT definitions, technology must meet ONC's certification
criteria in 45 CFR 170.315 ``as adopted and updated by ONC.'' CMS
stated that these revisions would ensure that updates to the 2015 Base
EHR or subsequent Base EHR definition at Sec. 170.102, and updates to
applicable health IT certification criteria in Sec. 170.315, would be
incorporated into CEHRT definitions, without requiring additional
regulatory action by CMS. CMS noted in its final rule that it will
continue to determine when new or revised versions of measures that
require the use of certified health IT would be required for
participation under the Medicare Promoting Interoperability Program and
the Quality Payment Program. In determining requirements for any
potential new or revised measures, CMS stated it will consider factors
such as implementation timelines and provider readiness to inform when
CMS proposes requiring participants to complete measures that rely on
the use of certified health IT (88 FR 79310). We will continue to work
with CMS as we finalize timeline requirements for developers of
certified health IT to update and provide certified health IT to their
customers so that their customers (e.g., health care providers) can
meet CMS requirements for the use of such certified health IT. We also
note that, historically, CMS has included additional guidance for
program participants within CMS proposed or final rules (see, for
example, 85 FR 84818-84828).
Comments. Commenters in general agreed that if a Health IT Module
is not updated to new or revised certification criteria, then the
Health IT Module should be retired at the ``expiration date'' of the
certification criterion and/or standard. One commenter expressed
confusion about using the term ``shall update'' when it is up to the
developer to determine if they want to update their health IT to comply
with new or revised certification criteria.
Response. We thank commenters for their input. Participation in the
Program is voluntary and, therefore, any ``shall'' statements within
the Program only apply to a health IT developer that is participating
and plans to continue to participate in the Program. If a developer
participating in the Program intends to no longer support a specific
certified Health IT Module, but intends to continue to participate in
the Program, previously finalized policies relating to the withdrawal
of a Health IT Module or modification of a certificate would remain
applicable (88 FR 23828). Otherwise, if a health IT developer
participates in the Program and intends to maintain certification of a
Health IT Module, the developer will need to comply with the
requirements of the Program, including the finalized requirement in the
introductory text to Sec. 170.315 stating ``[f]or all criteria in this
section, a health IT developer with a Health IT Module certified to any
revised certification criterion, as defined in Sec. 170.102, shall
update the Health IT Module and shall provide such update to their
customers in accordance with the dates identified for each revised
certification criterion and for each applicable standard in 45 CFR part
170 subpart B.''
D. Assurances Condition and Maintenance of Certification Requirements
In the HTI-1 Proposed Rule, we proposed to establish a new
Condition of Certification and accompanying Maintenance of
Certification requirements under the Assurances Condition of
Certification (88 FR 23828 through 23830). These new requirements would
serve to provide the assurances to the Secretary that Congress sought
in the Cures Act and further clarify Program requirements that are
established under the authority Congress provided in section 3001(c)(5)
of the PHSA, as amended by the Cures Act, and discussed in detail in
the HTI-1 Proposed Rule (88 FR 23826).
1. Condition of Certification
We proposed in Sec. 170.402(a)(5), that, as a Condition of
Certification, a health IT developer must provide an assurance that it
will not inhibit a customer's timely access to interoperable health IT
certified under the Program (88 FR 23829). To support this assurance,
we proposed accompanying Maintenance of Certification requirements,
which are discussed below. The Maintenance of Certification
requirements define the scope of this Condition of Certification and
provide clarity in terms of what it would mean to take the action of
``inhibiting,'' what constitutes ``timely access,'' and what is
``interoperable health IT certified under the Program'' (88 FR 23829).
Comments. In general, commenters supported the establishment of a
new Condition of Certification and the accompanying Maintenance of
Certification requirements. Commenters identified multiple benefits of
the proposed requirements such as ensuring timely access to
interoperable health IT and promoting the adoption of advanced
technologies and capabilities that can enhance patient care and
[[Page 1308]]
workflow efficiency. One commenter noted how these requirements will
positively impact the community of health centers by ensuring they have
access to the latest capabilities and standards.
Response. We thank commenters for their support. As noted above and
discussed in detail in the HTI-1 Proposed Rule (88 FR 23826), these new
requirements will serve to provide the assurances to the Secretary that
Congress sought and further clarify Program requirements. Interoperable
health IT is an underpinning of the Program and particularly the
conditions of certification found in the Cures Act and implemented in
45 CFR part 170 subpart D. Congress established support for health IT
interoperability beginning with the authority provided in section
3001(c)(5) of the HITECH Act to adopt standards (including
implementation specifications and certification criteria) and establish
the Program.
For purposes of certification and the maintenance of such
certification under the Program, a health IT developer will need to
provide an assurance that its health IT is certified to the most
recently adopted certification criteria and such certified health IT is
made available to its customers in a timely manner. These actions are
essential because certification criteria, and in particular revised
certification criteria (as defined in this final rule), include
standards, implementation specifications, and capabilities that support
and improve interoperability as that term is defined by the Cures Act
and incorporated in 45 CFR part 170. Since the inception of the
Program, ONC has updated certification criteria to include the most
recent versions of standards and implementation specifications that
most appropriately support and improve interoperability at the time of
adoption. We do this because as standards and implementation
specifications evolve, they, by their very nature, improve
interoperability by allowing for more complete access, exchange, and
use of all electronically accessible health information. Further, the
interoperability definition also focuses, in part, on the secure
exchange and use of EHI from other health IT without special effort on
the part of the user. The Assurances Condition of Certification is an
important piece to supporting and achieving these goals because it
seeks assurances from health IT developers that they will not take any
actions to inhibit the appropriate access, exchange, and use of EHI.
We, therefore, have finalized in Sec. 170.402(a)(5), as proposed that,
as a Condition of Certification, a health IT developer must provide an
assurance that it will not inhibit a customer's timely access to
interoperable health IT certified under the Program.
Comments. A handful of commenters expressed concern about how the
Maintenance of Certification requirements may be interpreted as
mandatory when the decision to participate in the Program is voluntary.
One commenter identified the use of the term ``shall update'' as
possibly being misunderstood as an obligation for developers to
continue to participate in the Program when, in fact, it is up to the
developer to determine if they want to pursue certification or to allow
the module to be retired.
Response. We thank the commenters for their input. Participation in
the Program is voluntary. Health IT developers do not have an
obligation to continue to participate in the Program. However, as
discussed under section III.C.11 ``Requirement for Health IT Developers
to Update their Previously Certified Health IT,'' if a health IT
developer does participate in the Program, it needs to comply with the
requirements of the Program, including the finalized Assurances
Condition and Maintenance of Certification requirements.
Comments. Two commenters identified difficulties in navigating
between the different requirements for certified health IT for ONC and
CMS. Both commenters recommended CMS delay the effective date of
changes to the definition of CEHRT referenced within CMS programs until
the next reporting period or performance year. The commenters stated
that this proposed modification would eliminate confusion and promote
cross-agency collaboration.
Response. We thank the commenters for their feedback. We recognize
that certain CMS programs, including the Medicare Promoting
Interoperability Program and the Quality Payment Program, require the
use of technology meeting the CEHRT definitions in 42 CFR 495.4 and 42
CFR 414.1305. The CEHRT definitions cross-reference health IT
certification criteria in 45 CFR 170.315, including relevant dates
within the certification criteria which define the requirements of the
certification criterion.
While changes to the definition of CEHRT maintained by CMS are
outside the scope of this final rule, we note that, as part of the CY
2024 PFS Final Rule, CMS finalized revisions to the definitions of
CEHRT in 42 CFR 495.4 and 414.1305 for the Medicare Promoting
Interoperability Program and for the Quality Payment Program (88 FR
78308 through 79312), including specifying that in order to meet the
CEHRT definitions, technology must meet the 2015 Base EHR or subsequent
Base EHR definition (as defined at 45 CFR 170.102) and other
certification criteria in 45 CFR 170.315 ``as adopted and updated by
ONC.'' CMS stated that these revisions would ensure that updates to the
2015 Base EHR or subsequent Base EHR definition at Sec. 170.102, and
updates to applicable health IT certification criteria in Sec.
170.315, would be incorporated into the CEHRT definitions, without
requiring additional regulatory action by CMS. We also note that CMS
stated that it did not agree with separate effective dates in the CEHRT
definitions for the use of updated certified health IT products within
the Medicare Promoting Interoperability Program or the Quality Payment
Program, as recommended by commenters (88 FR 79311). CMS stated that
emphasizing the timelines ONC adopts through notice and comment
rulemaking for health IT developers to update and provide certified
technology to their customers will reduce burden on participants in the
Medicare Promoting Interoperability Program and the Quality Payment
Program. CMS further stated that it will continue to determine when new
or revised versions of measures that require the use of certified
health IT would be required for participation under the Medicare
Promoting Interoperability Program and the Quality Payment Program and
will consider factors such as implementation time and provider
readiness to determine when to require reporting on these measures. We
agree with CMS' statements on these topics.
In order to support effective communication of the updates, we
intend to implement a practical approach to supporting CMS program
participants and other certified health IT users through the Certified
Health IT Product List (CHPL) in the same manner as was implemented for
the 2015 Edition Cures Update. As also discussed under section III.C.11
``Requirement for Health IT Developers to Update their Previously
Certified Health IT,'' the CHPL is the tool that health care providers
and the general public may use to identify the specific certification
status of a certified health IT product at any given time, to explore
any certification actions for a product, and to obtain a CMS
Certification ID for a product, which is used when participating in
some CMS programs. We note that historically, CMS has included
additional guidance for such
[[Page 1309]]
program participants within CMS proposed or final rules (see, for
example, 85 FR 84818-84828).
2. Maintenance of Certification Requirements
We proposed, in Sec. 170.402(b)(3)(i), that a health IT developer
must update a Health IT Module, once certified to a certification
criterion adopted in Sec. 170.315, to all applicable revised
certification criteria, including the most recently adopted
capabilities and standards included in the revised certification
criterion (88 FR 23829).
We also proposed, in Sec. 170.402(b)(3)(ii), that a health IT
developer must provide all Health IT Modules certified to a revised
certification criterion to its customers of such certified health IT.
We clarified that a customer, for this purpose, would be any individual
or entity that has an agreement to purchase or license the developer's
certified health IT (88 FR 23829).
We proposed separate ``timely access'' or ``timeliness''
Maintenance of Certification requirements for each of the two proposed
Maintenance of Certification requirements above that would dictate by
when a Health IT Module must be updated to revised certification
criteria, including the most recently adopted capabilities and
standards; and by when a Health IT Module certified to a revised
certification criterion, including the most recently adopted
capabilities and standard, must be provided to the health IT
developer's customers. We proposed, in Sec. 170.402(b)(3)(iii), that
unless expressly stated otherwise in 45 CFR part 170, a health IT
developer must complete the proposed ``update'' and ``provide''
requirements according to the following proposals. First, we proposed,
in Sec. 170.402(b)(3)(iii)(A), that a health IT developer must update
and provide a Health IT Module by no later than December 31 of the
calendar year that falls 24 months after the effective date of the
final rule adopting the revised certification criterion or criteria.
Second, we proposed that the ``provide'' requirement would need to be
completed within this same timeframe for customers of the previously
certified health IT that must be updated under the ``update'' proposal.
However, we proposed deviations to this timeframe because the
``provide'' requirement applies to all Health IT Modules that are
certified to a criterion that meets the revised certification criterion
definition (i.e., not just health IT previously certified to a `prior
version' of a revised certification criterion) and to new customers of
health IT certified to revised certification criteria (88 FR 23829
through 23830).
In all the above circumstances, we proposed that health IT
certified to revised certification criteria must be provided to all
customers, including new customers (i.e., new to the capabilities), of
health IT developers under the Program within reasonable timeframes (88
FR 23830).
Comments. Multiple commenters supported the Assurances Condition
and Maintenance of Certification requirements. One commenter suggested
health IT developers be required to provide all current and new
customers with the most current version of a certified Health IT
Module. Additionally, the commenter recommended that all health IT
developers who have chosen not to comply with new or revised
certification standards send a communication to customers in order to
better inform such customers.
Response. We thank commenters for their support. We have finalized
in Sec. 170.402(b)(3)(i), as proposed, that a health IT developer must
update a Health IT Module, once certified to a certification criterion
adopted in Sec. 170.315, to all applicable revised certification
criteria, including the most recently adopted capabilities and
standards included in the revised certification criterion. For clarity,
`applicable revised certification criteria' includes those
certification criteria to which the Health IT Module was previously
certified that meet the definition of a revised certification criterion
as finalized in this rule (please see section III.A.2 of the preamble,
including Table 1, and ``revised certification criterion (or
criteria)'' under Sec. 170.102 of the regulation text for the
definition of revised certification criterion (or criteria)). Equally
important, and, as stated above, to meet the requirement, the Health IT
Module will need to be updated to the most recently adopted
capabilities and standards included in the revised certification
criterion. Second, we have finalized, in Sec. 170.402(b)(3)(ii), that
a health IT developer must provide all Health IT Modules certified to a
revised certification criterion to its customers of such certified
health IT. As noted above, a customer, for this purpose, is any
individual or entity that has an agreement to purchase or license the
developer's certified health IT.
In response to the comment about sending a communication to
customers by a health IT developer not complying with the ``update and
provide'' requirements, we note that the developer would, under the
commenter's described circumstances, violate these new Maintenance of
Certification requirements and the Condition of Certification we have
finalized at Sec. 170.402(a)(5), by inhibiting a customer's timely
access to interoperable health IT certified under the Program. As such,
the developer will have committed non-conformities under the Program,
unless the health IT developer did so for a permissible reason as
described in section III.C.11 (for example, a developer of certified
health IT would not be required to provide updated certified health IT
to any customer that elected to decline the update for any reason; or a
health IT developer's exercising its ability to reduce the scope of a
certification while not under ONC-ACB surveillance or ONC direct
review). Because we did not propose a requirement that health IT
developers who have chosen not to comply with new or revised
certification standards send a communication to customers in order to
better inform providers and hospitals, we have not accepted this
recommendation. However, if the developer committed a non-conformity,
the Program process for correcting the non-conformity may involve
notification to all customers.
Comments. Commenters requested additional information regarding
when, as proposed, a regulatory exception (``unless expressly stated
otherwise in 45 CFR part 170'') to the 24-month criteria might be
applied by ONC in Sec. 170.402(b)(3)(iii)(A). Commenters outlined how
a possible exception creates additional timelines in an environment
where competing priorities between meeting deadlines associated with
ONC requirements and the requirements under CMS regulations already
exist. A few commenters requested ONC provided explicit guidelines
about when a regulatory exception to the ``24 months plus X''
requirement might be applied. One commenter expressed concern about how
this proposed regulatory exception may negatively impact development
roadmaps and the ability to fulfill requests falling outside of non-
regulatory functionality. Further, multiple commenters expressed
concerns about the proposed deadlines and the implications these
timeframes have on developers and providers. Commenters stressed the
importance of having 18-24 months to address any new or revised
certification requirements and identified the December 31st date
outlined in the HTI-1 Proposed Rule as a specific concern. One
commenter specifically stated
[[Page 1310]]
``[g]iven requirements on the implementation end of the cycle, vendors
must have 24 months prior to general availability to properly develop
and certify their solutions.''
Response. We appreciate commenters' feedback. For purposes of
regulatory clarity, we have revised the proposed ``timeliness''
provision in Sec. 170.402(b)(3)(iii)(A). We have modified the proposed
timeliness requirement to state, ``a health IT developer must complete
the ``update'' and ``provide'' requirements consistent with the
timeframes specified in part 170'' (Sec. 170.402(b)(3)(iii)(A)). This
means that the compliance dates included in the certification criteria
in Sec. 170.315 and standards in subpart B will establish when health
IT developers need to comply with these Maintenance of Certification
requirements. In Sec. 170.402(b)(3)(iii)(B), we have finalized the
provision that health IT developers will still have up to 12 months, at
a minimum, to provide new customers with health IT certified to revised
criteria. Specifically, we have finalized that for health IT developers
that obtain new customers after the effective date of a final rule, the
health IT developer must provide health IT certified to revised
certification criteria either in the timeframe identified in part 170
or not later than 12 months after the purchasing or licensing
relationship has been established between the health IT developer and
the new customer for the health IT certified to the revised criterion.
The timeframe, as noted above, will offer health IT developers no
less than 12 months to provide health IT certified to revised
certification criteria to new customers (i.e., customers new to the
capability). Based on the timeframe, a health IT developer has the
ability to plan both the certification to revised certification
criteria and the execution of contracts and agreements with new
customers to ensure that it can meet the above timeline for new
customers. To note, we have also finalized a conforming revision to the
Real World Testing Maintenance of Certification requirements in Sec.
170.405(b), as proposed at 88 FR 23830, in that we removed most of the
``update and provide'' requirements currently found in Sec.
170.405(b)(3) through (7) and (b)(10) because they will be moot based
on the effective date of this final rule (e.g., many timelines expired
on December 31, 2022). Therefore, in Sec. 170.405, we removed and
reserved paragraphs (b)(3) through (7) and (b)(10).
E. Real World Testing--Inherited Certified Status
In the ONC Cures Act Final Rule, we finalized requirements in Sec.
170.405(a) that a health IT developer with Health IT Module(s)
certified to Sec. 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7)
through (10), and (h) must: successfully test the real world use of the
technology for interoperability in the type(s) of setting(s) in which
such technology would be marketed. We established in Sec. 170.405(b)
that each developer's annual real world testing plan is required to be
published by December 15 of a given year and would need to address all
of the developer's Health IT Modules certified to criteria listed in
Sec. 170.405(a) as of August 31 of that year (85 FR 25769). We also
finalized that the annual real world testing plan would pertain to real
world testing activities to be conducted in the year following the
December 15 plan publication due date, with an annual real world
testing results report to be published by March 15 (Sec.
170.405(b)(2)(ii) of the year following the year in which the real
world testing is conducted) (85 FR 25774).
Many health IT developers, however, update their Health IT
Module(s) on a regular basis, leveraging the flexibility provided
through the Program's Inherited Certified Status (ICS) option.\186\
Because of the way that ONC issues certification identifiers, this
updating can cause an existing certified Health IT Module to be
recognized as new within the Program. All updates to certified health
IT must be tracked and recorded to support program integrity and
transparency within the Program. When a certified health IT developer
leverages ICS for Health IT Modules that have been updated, they
receive a new certification date for the newer version of the certified
Health IT Module. When an ICS certification is issued, a new
certification date is issued by the ONC-ACB to reflect these updates.
Regular updating, especially on a frequent basis such as quarterly or
semi-annually, creates an anomaly that could result in existing
certified Health IT Modules being inadvertently excluded from the real
world testing reporting requirements because of those updates.
---------------------------------------------------------------------------
\186\ https://www.healthit.gov/sites/default/files/policy/public_applicability_of_gap_certification_and_inherited_certified_status.pdf.
---------------------------------------------------------------------------
In order to ensure that all developers test the real world use of
their certified health IT, as required, we proposed in the HTI-1
Proposed Rule to eliminate this anomaly by requiring health IT
developers to include in their real world testing results report the
most recent version of those certified Health IT Module(s) that are
updated using Inherited Certified Status after August 31 of the year in
which the plan is submitted (88 FR 23831). This approach would ensure
that health IT developers fully test all applicable Health IT Modules
as part of their real world testing requirements. This policy would
also prevent a developer from avoiding, or delaying conducting or
reporting, real world testing specifically on the updated versions of
Health IT Modules certified through Inherited Certified Status after
August 31 of a given year. This policy would not change the underlying
requirement that a developer with one or more Health IT Modules
certified to any criterion listed in Sec. 170.405(a) must plan,
conduct, and report on real world testing of each of those Health IT
Modules on an annual basis.
Comments. A significant number of commenters supported our proposal
to require developers of certified health IT to include in their real
world testing results report newer versions of those certified Health
IT Module(s) that are updated using Inherited Certified Status after
August 31 of the year in which the plan is submitted. Many commenters
reiterated the importance of real world testing and expressed
appreciation for ONC's efforts to address the anomaly that could result
in existing certified Health IT Modules being inadvertently excluded
from the real world testing reporting requirements when updated using
Inherited Certified Status before their real world testing results
reports are due. Several commenters praised the requirement to
demonstrate conformity in a production environment and the assurance
gained from testing results that reflect the most recent version of the
certified health IT used to meet real world testing requirements. A
commenter in support of this proposal suggested that ONC make real
world testing mandatory for all health IT developers. Overall,
commenters in support of this proposal recognize real world testing as
a critical component to verifying certified health IT, eligible for
real world testing, works in real world scenarios and use cases, and
appreciate ONC's efforts to advance real world testing requirements by
requiring health IT updated using Inherited Certified Status to be
included in health IT developers' real world testing results reports.
One commenter requested that ONC clarify in rulemaking which versions
of the certified Health IT Module, after updating using ICS, are
required to be included in real world testing results report.
Response. We appreciate these comments and agree with the need to
[[Page 1311]]
ensure newer versions of certified Health IT Modules updated after the
August 31 deadline using Inherited Certified Status are accounted for
in real world testing and results reporting. We have issued public
resources that provide clarity on what versions of certified health IT
should be included in real world testing results reports and believe
that the guidance is sufficient for developers to determine, for their
unique circumstances, which versions of their certified health IT
should be included in their results reports.\187\ Currently,
certification criteria identified in Sec. 170.405(a) are required to
adhere to the Real World Testing Condition and Maintenance of
Certification requirements, and this final rule does not change the
applicable criteria (Sec. 170.315(b), (c)(1) through (3), (e)(1), (f),
(g)(7) through (10), and (h)).\188\ ONC will continue to collaborate
with interested parties to ensure all required certified health IT
continues to function in real-world scenarios and workflows as intended
by certification requirements for interoperability and data exchange.
We have finalized our requirements at Sec. 170.405(b)(2)(ii) for
health IT developers to include in their real world testing results
report the newer version of those certified Health IT Module(s) that
are updated using Inherited Certified Status after August 31 of the
year in which the plan is submitted.
---------------------------------------------------------------------------
\187\ See Real World Testing Resource Guide and other resources
at: https://www.healthit.gov/topic/certification-ehrs/real-world-testing.
\188\ Please see the Real World Testing Fact Sheet, page 3, for
a list of certification criteria at: https://www.healthit.gov/sites/default/files/page/2021-02/Real-World-Testing-Fact-Sheet.pdf#page=3.
---------------------------------------------------------------------------
Comments. One commenter was not supportive of this proposal and the
requirement for health IT developers to conduct real world testing on
their certified health IT and expressed concerns that it adds no value
to health IT certification. This commenter suggested that if available
functionality is not being implemented in production environments it
should not be required for real world testing.
Response. We did not propose any substantive changes or updates to
the real world testing requirements in Sec. 170.405. Congress required
the real world testing of certified health IT for interoperability in
the Cures Act (PHSA Sec. 3001(c)(5)(D)(v)). We have implemented this
requirement through the Real World Testing Condition and Maintenance of
Certification requirements. The real world testing of certified health
IT has value to the Program and users of certified health IT. Since
December 2022, more than 500 real world testing plans and results have
been submitted by developers of certified health IT with applicable
certification criteria. The plans and reports have provided insight
into how developers of certified health IT think about framing and
measuring the interoperability of their certified Health IT Modules in
production use. The plans and reports also provide interested parties
with information they can use to understand how a specific certified
Health IT Module is demonstrating real world interoperability.\189\ We
are aware of the challenges faced by health IT developers when
establishing approaches to meet their real world testing requirements.
ONC has released several public resources to assist the developer
community in developing real world testing plans and navigating unique
circumstances such as low adoption of specific certified health IT
capabilities.\190\ Among numerous points of guidance, the Real World
Testing Resource Guide includes information on how developers of
certified health IT should treat Health IT Modules that do not have
functionality or that have not yet implemented functionality in
production environments. We also reiterate that the Aug 31 deadline for
eligible certified health IT supports developer preparation activities
well before entering the applicable calendar year of real world
testing.
---------------------------------------------------------------------------
\189\ https://chpl.healthit.gov/#/collections/real-world-testing.
\190\ See Real World Testing Resource Guide and other resources
at: https://www.healthit.gov/topic/certification-ehrs/real-world-testing.
---------------------------------------------------------------------------
Comments. Several commenters raised concerns that are out of scope
for the proposal, including suggestions for additional certification
and real world testing requirements to improve interoperability, none
of which are addressed in this rulemaking. Some made recommendations
for how ONC may enhance certification and real world testing
requirements by further defining measures, data elements, and how
health IT should be assessed for data augmentation solutions. A number
of these commenters expressed the need for additional real world
testing requirements, such as more rigorous testing of data
segmentation, standards and implementation guides, and required
standard code sets. Some commenters requested more focus on public
health data and the use of standard code sets to improve data quality
for real world testing, stating that clinical and laboratory partners
require data inputs that are high quality, correctly coded, and not
reliant on human readability or narrative text to provide critical
information. Commenters asserted that these additions to real world
testing requirements would diminish mapping burden, improve data entry,
facilitate improvements to data quality, and lessen administrative
burden on clinical staff. One commenter requested that ONC require real
world testing of certified health IT before the sale and implementation
of the certified health IT in clinical settings. Another commenter
requested that ONC not consider standards mature until they have been
real world tested with publicly available comprehensive testing
reports. Lastly, one commenter raised issues related to human research
protocols when conducting real world testing using real patient data
and the need to protect this data from misuse.
Response. We thank commenters for the input. Because these
recommendations for certification and real world testing requirements
are out of scope for the HTI-1 Proposed Rule in that we did not propose
to change any related real world testing conformance requirements, we
decline to finalize any such changes. ONC previously finalized
requirements, through the ONC Cures Act Final Rule, for real world
testing plans and results reports, the required elements to be
included, and developers' responsibilities for establishing measure(s)
for their approach to assessing their health IT in real world settings
(see 85 FR 3580). We reiterate that the proposal finalized in this
final rule specifically addresses health IT developers who update their
certified Health IT Modules using Inherited Certified Status after the
August 31 deadline and before results reports are due for a particular
year of real world testing. We also note that the Inherited Certified
Status flexibility is specifically designed for updates to certified
Health IT Modules that do not adversely impact certified capabilities.
F. Insights Condition and Maintenance of Certification
1. Background and Purpose
The Cures Act specified requirements in section 4002(c) to
establish an EHR Reporting Program to provide reporting on certified
health IT in the categories of interoperability, usability and user-
centered design, security, conformance to certification testing, and
other categories, as appropriate to measure the performance of EHR
technology. Data collected and reported would address information gaps
in the health IT marketplace and provide insights on the use of
certified health IT.
[[Page 1312]]
To develop the EHR Reporting Program, ONC contracted with the Urban
Institute and its subcontractor, HealthTech Solutions, to engage the
health IT community for the purpose of identifying measures that
developers of certified health IT would be required to report on as a
Condition and Maintenance of Certification under the Program. Detailed
background and history on the overall process, and the Urban
Institute's reports, can be found in the April 18, 2023 Proposed Rule
titled, ``Health Data, Technology, and Interoperability: Certification
Program Updates, Algorithm Transparency, and Information Sharing'' (88
FR 23832). For clarity purposes, we refer to the Condition and
Maintenance of Certification associated with the ``EHR Reporting
Program'' as the ``Insights Condition and Maintenance of
Certification'' (also referred to as the ``Insights Condition'')
throughout this final rule. We believe this descriptive name captures a
primary policy outcome of this requirement.
2. Insights Condition and Maintenance of Certification--Final Measures
In the HTI-1 Proposed Rule (88 FR 23831), we stated that the
proposed measures associated with the Insights Condition related to and
reflected the interoperability category in section 3009A(a)(3)(A)(iii)
of the PHSA. We further stated that these measures related to four
aspects or areas of interoperability, which we referred to as
measurement ``areas:'' individuals' access to EHI, public health
information exchange, clinical care information exchange, and standards
adoption and conformance, as discussed in further detail below (88 FR
23831). We explained that the majority of our proposed measures were
data points derived from certified health IT. The measures generally
consisted of numerators and denominators that would help generate
metrics (e.g., percent across a population), which were further
detailed in each measure, but the measures could also serve as
standalone values. We noted that in some cases we planned to generate
multiple metrics by using different denominators for the same numerator
or using different numerators with the same denominator. For each
proposed measure, we included information on the rationale for the
proposed measure, proposed numerators and denominators, and key topics
for comment.
As stated in the HTI-1 Proposed Rule, we proposed to modify
measures developed by the Urban Institute to reduce ambiguities and to
address potential costs and burdens. Based upon public comment and
interested party input consistent with section 3009A(a)(3)(C) and (D)
of the PHSA, we proposed to modify the measures the Urban Institute
developed, as well as the proposed minimum reporting qualifications, to
ensure that small and startup developers are not unduly disadvantaged
by the measures.\191\
---------------------------------------------------------------------------
\191\ Urban Institute. See https://www.urban.org/policy-centers/health-policy-center/projects/ehr-reporting-program.
---------------------------------------------------------------------------
We also stated that in future rulemaking we anticipated proposing
additional measures for future iterations of the Insights Conditions
and Maintenance of Certification requirements under the Program and
that through this first set of measures we intended to provide insights
on the interoperability category specified in the Cures Act (as
codified at section 3009A(a)(3)(A)(iii) of the PHSA). We also stated
that we intended to explore the other Cures Act categories (security,
usability and user-centered design, conformance to certification
testing, and other categories to measure the performance of EHR
technology) in future requirements (88 FR 23832).
In the HTI-1 Proposed Rule (88 FR 23832), we stated that we
explored various pathways on how to make it easier for the public to
view and comment on the detailed technical specifications supporting
the measures. We directed readers to consult our website healthIT.gov
and provide comment on the technical specifications for measure
calculation. We received numerous comments regarding the information
described in the technical specifications for the measures, including
the definitions of various measurement-related terms such as encounters
and duplicate C-CDAs. We have included summaries of these comments
within their respective measure sections in this final rule. While the
substantive requirements for each measure are defined in this final
rule, we determined that measure specification sheets are a logical and
accessible method for the public to also view the technical
specifications that support those requirements. The finalized
specification sheets accompanying this final rule are available at
www.healthit.gov/hti-1. This is consistent with the approach used by
other HHS programs related to measure technical specifications (e.g.,
CMS Electronic Clinical Quality Measures (CMS
eCQMs)).192 193 This approach of publishing technical
specification separately allows for more effective viewing of the
technical details, including supporting public comment on those
specifications in a transparent manner. We welcomed comments on the
measure specifications sheets accompanying the HTI-1 Proposed Rule and
noted in the HTI-1 Proposed Rule (88 FR 23832) that such public comment
will be used to further refine the technical specifications. We also
stated that we intended to keep these measure specification sheets up
to date. We also note that if regulatory baselines associated with the
metrics change in the future--such as a revision to a criterion through
notice and comment rulemaking--the measure specification would also be
changed to ensure alignment with the revised criterion.
---------------------------------------------------------------------------
\192\ https://ecqi.healthit.gov/.
\193\ https://mmshub.cms.gov/get-involved/public-comments/overview.
---------------------------------------------------------------------------
Comments. Commenters, including health care provider specialty
organizations, technology advocates, health information exchanges,
healthcare quality organizations, and some health IT developers, were
generally supportive of our proposals to implement the new Insights
Condition, and of the measures and reporting processes described. A few
commenters emphasized the potential of information gleaned from the
Insights Condition to drive transparency in the health IT marketplace
and, in particular, to highlight ways for patients to access and use
their data. One commenter noted that ONC's development of the Insights
Condition demonstrates commitment to improving interoperability, and
encouraged ONC to envision a future state of health information
exchange capabilities that include patient-requested restrictions,
outcomes tracking, and integration of data from other sources such as
Prescription Drug Monitoring Programs. Commenters also lauded the
potential of the Insights Condition to clarify trends in current
capabilities for interoperability services such as APIs that will allow
the market to address gaps and improve interoperability. One commenter
noted that they believe public health programs and safety net providers
could particularly benefit from the Insights Condition and encouraged
ONC to work with community health centers to ensure that its
implementation supports the populations they serve.
Response. We thank commenters for the feedback and appreciate their
support for the potential of the Insights Condition to address
information gaps in the marketplace and improve interoperability. We
also appreciate comments taking note of our efforts to improve
interoperability and continue to explore avenues to increase efficient
information exchange for use in improving health and healthcare. As
[[Page 1313]]
stated in the HTI-1 Proposed Rule (88 FR 23831), data collected and
reported under the Insights Condition will address information gaps in
the health IT marketplace and provide insights on the use of certified
health IT. We also agree that public health and safety net providers
can benefit from increased market transparency that the Insights
Condition can provide. We will continue to engage with public health
professionals and safety net providers in our implementation of the
Program.
Comments. Some commenters suggested that information gained from
the Insights Condition will not benefit current users of certified
health IT, and some commenters questioned the value of the data in
furthering interoperability.
Response. We fundamentally disagree with this perspective offered
by some commenters. In the Cures Act, Congress established the
requirement to create an EHR Reporting Program and we believe that
submission of specific measures pursuant to the Insights Condition
under the Program will provide transparent reporting, address
information gaps in the health IT marketplace, and provide insights on
the use of certified health IT. The adopted metrics are specifically
meant to provide insights on how certified health IT enables various
aspects of interoperability, including individuals' access to EHI,
public health information exchange, clinical care information exchange,
and standards adoption and conformance. These metrics help address gaps
in information in the health IT marketplace by providing data on key
aspects of interoperability that are neither directly nor publicly
available from other sources. As described in greater detail within
this final rule, the metrics will be shared with the public in a
transparent manner on ONC's website.
Comments. A few commenters expressed support and understanding of
the use of numerators and denominators by ONC. One professional society
expressed support of all proposed measures and numerator/denominator
combinations. One commenter specifically voiced support for all the
various numerator/denominator combinations proposed as a key
opportunity to provide market transparency on various aspects of how
information is being exchanged and used by patients and health care
providers, and another commenter specifically supported requiring
health IT developers to report on the measures. Further, the commenter
highlighted the potential of the various combinations to help ONC
provide market transparency on various aspects of how information is
being exchanged and used by patients and health care providers.
On the other hand, a number of commenters expressed confusion
related to the terms numerator and denominator. One commenter requested
ONC establish more succinct separation and definition of numerators and
denominators for the Insights Condition. Further, the commenter stated
measure definitions for numerators and denominators are confusing and
overlap. Another commenter found the terms numerator and denominator
confusing and requested that ONC use different ones. One commenter
encouraged ONC to maximize reuse of collected data, such as allowing a
given measure to be submitted once and tagged to count for all relevant
metrics where it can be reused. One commenter suggested that ONC state
in the overview section for the Insights Condition that developers will
be required to submit raw data, and metrics will be calculated after
submission. Another commenter suggested removing expected metrics from
the specification sheets and only focusing on counts or metrics to be
collected by health IT developers.
Response. To reduce confusion, we have replaced the terms
``numerator'' and ``denominator'' with ``metric'' throughout the
Insights Condition. Numerator and denominator were terms meant to
identify how the metrics would be used to generate various statistics,
but given the confusion expressed through public comments related to
these terms, we have simplified and replaced these terms. Thus, instead
of a list of numerators and denominators that would be submitted,
health IT developers shall be responsible for submitting a list of
metrics. This applies across all the finalized measures. This
represents a change in terminology and does not represent a substantive
change. Developers of certified health IT are responsible for reporting
on the metrics, not calculating the derived statistics. We would like
to reiterate that ONC will be responsible for calculating any derived
statistics from the reported metrics using various combinations of the
metrics (previously known as numerators and denominators). In other
words, this final rule focuses on listing the metrics that developers
of certified health IT would be collecting and reporting, rather than
the derived statistics which ONC will calculate.
Comments. Some commenters requested clarification on the
information that would be required for submission by health IT
developers. One commenter requested ONC establish detailed, clear, and
consistent specifications for reporting and attestation under the
Insights Condition.
Response. As stated earlier in this preamble and in the HTI-1
Proposed Rule (88 FR 23832), we explored various pathways on how to
make it easier for the public to view the detailed technical
specifications supporting the measures. We determined that measure
specification sheets were a logical and accessible method for the
public to view the technical specifications supporting those
requirements in a clear and consistent manner and that measure
specification sheets have been used successfully by other agencies such
as CMS for detailing their measures. The information in this preamble
and in the measure specification sheets provides the list of metrics
and specifications for reporting and attestation under the Insights
Condition. We intend to provide up to date measure specification sheets
to assist with the community's understanding of the finalized measures
and metric calculations. The measure specifications provide granular
definitions and other information needed to operationalize the metrics
to ensure they are implemented in a consistent manner across health IT
developers. The updated measure specification sheets that reflect the
final set of metrics will be available for download and viewing on
ONC's website at www.healthit.gov/hti-1. We believe that the measure
specification sheets provide a more user-friendly format that is more
easily accessible. For example, given that not all metrics may be
applicable to all health IT developers, developers can select which
metrics they wish to review and download. We also intend to publish
educational materials on ONC's website that include graphics and other
visual displays to help explain the metrics and the reporting process.
Measurement Area: Individual Access to Electronic Health Information
In the HTI-1 Proposed Rule, we proposed in Sec. 170.407(a)(1) a
measure within the individuals' access to their EHI measurement area to
require that any developer of certified health IT with Health IT
Modules certified to the criteria specified in the measure to report on
the different methods individuals use to access their health
information. We refer readers to the HTI-1 Proposed Rule (88 FR 23833)
for detailed background associated with the ``individuals' access to
electronic health information supported by certified API technology''
measure.
Comments. Many commenters expressed support for the proposed
[[Page 1314]]
measure noting the importance of patients' engagement in their own
healthcare and the need to further understand how individuals access
their health data. Most commenters indicated support of the general
intent and focal points of the proposed measure, while including
recommendations to simplify the measure. Some commenters indicated this
measure would pose a high level of burden, particularly related to
encounter-based metrics. Another commenter stated the proposed measure
should not present a significant regulatory burden as the data can be
collected in real-time using established technologies.
Response. We have made revisions in response to public comment in
an effort to reduce burden and simplify reporting as further described
below. We note for readers that we have revised some of the measure
names (including the name of this measure, which we updated to
individuals' access to electronic health information through certified
health IT) for additional clarity and consistency. The revisions to the
measure names do not inherently reflect substantive changes to the
measure. We have used the phrase ``certified health IT'' across our
measures to provide clarity and consistency across the Program. We
thank commenters for expressing support for the proposed measure and
agree that it will contribute valuable insight into the methods that
individuals use to obtain access to their EHI. This information can
help ONC and others build an understanding of where EHI is available
for usage so that individuals can make informed decisions about their
healthcare.
Individuals' Access to Electronic Health Information Through Certified
Health IT Measure
We proposed (88 FR 23833) to adopt the ``individuals' access to
electronic health information supported by certified API technology''
measure within the ``individuals' access to electronic health
information'' area in sect; 170.407(a)(1). We proposed (88 FR 23833 and
23834) to require that any developer of certified health IT with Health
IT Modules certified to either the ``view, download, and transmit to a
3rd party'' certification criterion (Sec. 170.315(e)(1)), or the
``standardized API for patient and population services'' certification
criterion (Sec. 170.315(g)(10)), report the numbers of unique patients
that used each of the specified methods to access their EHI.
We proposed two distinct numerators and three denominators as part
of the measure (88 FR 23834) in Sec. 170.407(a)(1) and noted that we
planned to generate multiple metrics from a combination of different
numerators and denominators. We proposed (88 FR 23834) the first
numerator to be the number of unique individuals who had an encounter
and accessed their EHI at least once during the reporting period via at
least one of three types of methods: (1) third-party app using
technology certified to ``standardized API for patient population
services'' certification criterion under Sec. 170.315(g)(10); (2)
patient portal using technology certified to the ``view, download, and
transmit to 3rd party'' certification criterion under Sec.
170.315(e)(1) only; or (3) app offered by the health IT developer or
health care provider using technology certified to the API criterion
under Sec. 170.315(g)(10) (if applicable). We proposed (88 FR 23834) a
second numerator to be the number of unique individuals who accessed
their EHI regardless of an encounter during the reporting period using
at least one of the same three types of methods identified above. We
stated that each of these numerators would be stratified or reported by
type of method. For detailed background on the proposed measure, we
refer readers to the HTI-1 Proposed Rule (88 FR 23834).
We proposed (88 FR 23834) the first denominator for this measure to
be the total number of unique individuals who had an encounter during
the reporting period. We proposed (88 FR 23834) the second denominator
to be the total number of unique individuals who used at least one of
the types of methods referenced above to access their EHI who had an
encounter during the reporting period. We proposed (88 FR 23834) the
third denominator to be the total number of unique individuals who used
at least one of the three types of methods referenced above to access
their EHI during the reporting period (regardless of whether the
individual had an encounter or not).
Comments. Commenters representing EHR developers stated that the
proposed measure would result in medium to high qualitative ratings of
burden, particularly for the encounter-based measures, and shared
suggestions to modify its structure. Several commenters representing
health IT developers recommended separating the measure into two
measures: (1) a measure applicable to Health IT Modules certified to
the Sec. 170.315(g)(10) criterion; and (2) a measure applicable to
Health IT Modules certified to the Sec. 170.315(e)(1) criterion. These
commenters also expressed concern that the structure of the measure did
not align with product level reporting and could create issues and
inconsistencies in reporting and interpreting its results. These
commenters further stated that many Health IT Modules are certified
either to Sec. 170.315(g)(10) or 170.315(e)(1), but very few are
certified to both. They suggested that ONC revise the measure to report
on patient access (view, download, and transmit) via patient portal
versus FHIR via apps and reported at the developer level.
Commenters also recommended removing the third access method that
was proposed in the HTI-1 Proposed Rule (88 FR 23834) referred to as
``App offered by the health IT developer or health care provider using
technology certified to the API criterion under Sec. 170.315(g)(10)
(if applicable).'' They explained that, per the API Condition and
Maintenance of Certification requirements, developers of certified
Health IT Modules shall treat all (similarly situated) app developers
as the same. Therefore, they would be unable to distinguish whether an
app is offered by a developer of certified health IT or by a health
care provider. Two commenters stated that they would be able to
distinguish between access via apps that they developed versus others,
but they did not see the relevance of it.
Commenters also requested clarification on the measure structure
for numerators and denominators.
Response. We appreciate the assessment from commenters on the level
of effort to develop this measure. Considering the medium to high
burden ratings from health IT developers that commented on the measure,
we have made three modifications intended to simplify and reduce the
burden of implementing the measure while establishing a starting place
for initial reporting that can be expanded in the future.
First, given that commenters indicated that it would be difficult
to distinguish whether an app is offered by a developer of certified
health IT or by a health care provider, we have removed the third
method of access to EHI from the measure that we had proposed in the
HTI-1 Proposed Rule (88 FR 23843), referred to as, ``App offered by the
health IT developer or health care provider using technology certified
to the API criterion under Sec. 170.315(g)(10) (if applicable).''
Second, we have simplified the metrics (formerly referred to as
numerators and denominators) by removing the stratification related to
methods of access, and instead incorporated the stratification in the
metrics. This now aligns the metrics to each associated criterion and
addresses the concern that very few Health IT Modules are certified to
both criteria
[[Page 1315]]
(Sec. 170.315(g)(10) or Sec. 170.315(e)(1)). Third, as suggested by
commenters, we have removed the metrics related to encounters from this
measure. We acknowledge that health IT certified to one criterion only,
particularly to Sec. 170.315(g)(10), would not be able to report
encounters. By removing the requirement around unique individuals with
encounters, we expect that developers of products certified to only one
criterion will be able to report access to EHI via the applicable
method. We also finalized this measure without encounter-based metrics
as we considered how an encounter-based measure would apply to health
IT developers who offer and implement integrated systems across
ambulatory and inpatient settings, as well as developers who offer and
implement only ambulatory systems and only inpatient systems. For
developers offering integrated systems, an individual might have an
ambulatory visit and an inpatient visit within the reporting period and
access their EHI. However, the proposed construction of the encounter-
based metrics would have required developers to determine the unique
individuals and reconcile their encounters and EHI access across
ambulatory and inpatient value sets, which would be a complex endeavor.
Therefore, this measure does not include encounter-based metrics in
efforts to reduce both complexity and burden of implementing the
measure.
We will use a third metric, which counts the number of unique
individuals who access their EHI during the reporting period using any
method, to assess trends in individuals' use of the two methods of
access. This will allow ONC to evaluate as developers of certified
health IT continue to make more APIs available under Sec.
170.315(g)(10), and it will also provide insight into individuals' use
of methods beyond those required for certification that are
facilitating patient access to their electronic health information.
Comments. A commenter requested clarification on whether
individuals were expected to have both an encounter during the
reporting period and access their EHI during the reporting period, or
whether the reporting period refers only to the encounter. The
commenter also requested clarification on whether the individual has
ever accessed their EHI should be counted. A couple of commenters
expressed concern about whether deduplication is expected, noting that
most denominators and numerators are feasible if developers of
certified Health IT Modules are not expected to deduplicate
individuals' access counts. They suggested ONC should either change
counts to be transaction-based and avoid unique patient measurement, or
clarify that unique patient count will be unique only within each
instance of the EHR software and cannot be deduplicated across
instances.
Response. We have revised the encounter-based approach for the
measure so that encounters are no longer included. With regards to the
concern related to deduplication, we require unique patient counts of
access during the reporting period. However, we recognize that the
counts would only be unique within each instance of the EHR software.
To clarify, the measure should report on whether individuals accessed
their data during the reporting period; this is not a measure of an
individual ever accessing their EHI.
Comments. Several commenters requested that ONC clearly state
whether the scope is for patients accessing their own records,
exclusive of authorized representative access events. Most commenters
requested that the measure not include access by authorized
representatives. One commenter requested that ONC should include access
by an individual's authorized representative in the measure count.
Response. We thank commenters for their feedback on whether
patient-authorized representatives should count in the measure when
they access EHI and note that there was no consensus. While we agree
with the commenter suggesting that ONC should include access by an
individual's authorized representative, we did not propose this
distinction for our measure. As such, we may incorporate patient-
authorized representatives in future rulemaking, noting that it would
be beneficial to align this measure with the CMS Promoting
Interoperability (PI) Measure for patient access, which similarly
counts patients and their authorized representative in the numerator
for providing access to patient-authorized representatives for view,
download, and transmit (VDT), and apps of the patients' choice.\194\
The finalized measure only counts individuals.
---------------------------------------------------------------------------
\194\ CMS. 2022 MEDICARE PROMOTING INTEROPERABILITY PROGRAM FOR
ELIGIBLE HOSPITALS AND CRITICAL ACCESS HOSPITALS. Provider to
Patient Exchange Objective Fact Sheet https://www.cms.gov/files/document/2022-provider-patient-exchange-objective-fact-sheet.pdf.
---------------------------------------------------------------------------
Comments. We received comments indicating the need to clarify the
definition for access to EHI. Some commenters sought further
clarification on the proposed methods of portal and API access for this
measure. One commenter asked, in cases where the patient portal may
display several electronic health information elements on the log-in
landing page, if such a scenario counts as a patient accessing their
EHI via a patient portal. One commenter asked whether patient portal
access should count any use of the patient portal or specifically a
view, download, or transmit to a 3rd party activity. Regarding
individual access via a developer's app, a commenter requested clarity
on whether an app using different technology than what is included in
Sec. 170.315(g)(10) should be counted. For an API, one commenter
requested clarity on whether the measure should record the submission
of a request for information or the response to the request.
Response. We appreciate the opportunity to clarify how access to
EHI is defined for the finalized measure. The definitions associated
with this measure (as noted earlier) are described in detail in the
measure specifications. Access to EHI via patient portal using
technology certified to the ``view, download, and transmit to 3rd
party'' certification criterion under Sec. 170.315(e)(1) is counted as
a patient log-in with the access credential belonging to the individual
at least once during the reporting period. Access to EHI via technology
certified to the ``standardized API for patient population services''
certification criterion under Sec. 170.315(g)(10) is counted as the
individual's authorization, as indicated by an access token, at least
once during the reporting period. To summarize, access to EHI is based
upon an individual logging into a system (whether that be a portal or
third-party app or other system) within the reporting period and is not
based on accessing any specific piece of information or performing any
specific action within the system itself such as view, download and
transmit activities.
Comments. We received some comments suggesting expanding the
proposed measure. One commenter suggested that the data should report
on whether individuals are accessing their health information more than
once in the same reporting period. Another suggested that the data
should report those individuals who tried to access their health
information via the proposed methods and failed. Another commenter
suggested reporting ``percentage of use'' similar to what was proposed
for the ``use of FHIR bulk data access through certified health IT''
measure to measure the adoption of API-based means of access by single
users in a developer's client base. One commenter noted that the most
common
[[Page 1316]]
method for authenticating users of third-party health apps is via their
patient portal account and that some patients may only use their portal
to access their app of choice. They suggested ONC provide an additional
metric to determine whether the portal is being used to access health
information directly or to access health information via a third-party
app. Finally, one commenter suggested collecting additional data for
this measure to support health equity, suggesting the measure include a
patient's language.
Response. We appreciate comments suggesting expanding the
measurement of individual access to EHI and agree that there are
several important dimensions of access to EHI to explore. Given that we
also received numerous comments related to the burden associated with
reporting the current proposed measures, we have not added the
suggested additional requirements at this time, though they may provide
further insights. Our intent is to balance the value of the information
we now require to be collected with the burden of doing so. We may
consider these suggestions in future iterations of the measure through
rulemaking.
Comments. One commenter expressed concern and requested
clarification about how the measure may reflect on the quality of a
developer of certified Health IT Modules' products. The commenter
stated that health care providers have the relationships with patients
and provide the instructions to access their health information, while
developers have no influence on these activities.
Response. We acknowledge that there are many factors that influence
how and to what degree individuals access their EHI, including those
mentioned by commenters. While the results do not solely reflect on the
performance of the health IT developers, the methods health IT
developers provide to access EHI may vary in usability, implementation
of functionality, and robustness of functionality, which may influence
patient and provider use of EHI. The measure intends to shed light on
the role that health IT plays in facilitating access to EHI through
different methods.
Comments. One commenter asked about the entity that would be
responsible for reporting on the measure in a situation where the
health IT developer relies upon a different certified Health IT Module
(owned by a separate entity) in order to meet the certification
criteria associated with the Insights Condition (in this case Sec.
170.315(e)(1). Specifically, the commenter sought clarity on whether
the developer of the certified health IT module using the relied upon
software would be responsible for reporting, or if the developer of
that relied upon software would be responsible for reporting.
Response. We appreciate the request for clarification. In these
instances, similar to how this is addressed through the Real World
Testing requirements,\195\ we would expect a health IT developer using
relied upon software in its Health IT Module to meet the certification
requirement associated with Sec. 170.315(e)(1) to report on this
Insights Condition measure on its own accord. The health IT developer
may work with its relied upon software vendor, if necessary, to report
on the metrics.
---------------------------------------------------------------------------
\195\ ONC Health IT Certification Program. Real World Testing
Guide. (Last updated: May 23, 2023). See p. 18. https://www.healthit.gov/sites/default/files/page/2021-08/ONC-Real%20World%20Testing%20Resource%20Guide_Aug%202021.pdf.
---------------------------------------------------------------------------
Finalization of Measure
We have finalized the measure as ``individuals' access to
electronic health information through certified health IT'' in Sec.
170.407(a)(3)(i). We have revised the proposed measure based on public
comments received. Specific metrics to support this finalized measure
are listed below and described further in the accompanying measure
specification sheets located on ONC's website. We also note that if
regulatory baselines associated with the metrics change in the future--
such as a revision to a criterion through notice and comment
rulemaking--the measure specification would also be changed to ensure
alignment with the revised criterion. The reporting period for the
measure and related metrics below consists of one calendar year. Data
collection for the measures and associated metrics will begin during
the first phase of reporting (which is described later in the
preamble):
(1) Number of unique individuals who accessed their EHI during the
reporting period using technology certified to the ``standardized API
for patient population services'' certification criterion under Sec.
170.315(g)(10).
(2) Number of unique individuals who accessed their EHI during the
reporting period using technology certified to the ``view, download,
and transmit to 3rd party'' certification criterion under Sec.
170.315(e)(1).
(3) Number of unique individuals who accessed their EHI using any
method. The methods are not limited to third-party apps using
technology certified to ``standardized API for patient population
services'' certification criterion under Sec. 170.315(g)(10) or
patient portals using technology certified to the ``view, download, and
transmit to 3rd party'' certification criterion under Sec.
170.315(e)(1) during the reporting period.
Measurement Area: Clinical Care Information Exchange
In HTI-1 Proposed Rule (88 FR 23834), we proposed two measures
under the ``clinical care information exchange'' area in Sec.
170.407(a)(2) and (3) titled, ``C-CDA documents obtained using
certified health IT by exchange mechanism'' and ``C-CDA medications,
allergies, and problems reconciliation and incorporation using
certified health IT.'' These measures primarily focused on
characterizing the state of information exchange between health care
providers who are customers of health IT developers with certified
health IT, in contrast to other measures that capture exchange with
individuals, public health agencies, and other entities.
Comments. Numerous commenters indicated general support for both
clinical care information exchange measures. Commenters representing
health care providers valued the reconciliation and incorporation
measure because effective reconciliation and incorporation of
medication, allergy, and problem information through certified health
IT benefits patient safety and care coordination. Some commenters
suggested that examining volume alone would not be a good indicator of
interoperability advancement or quality. Rather, measures that focus on
the efficiency of reconciliation in combination with volume measures
would provide better insights into the advancements in
interoperability. One commenter suggested removal of both measures.
Response. We appreciate the support expressed for both clinical
care exchange measures. We believe measuring volume is important as it
provides the means to assess the extent that patient information is
moving between providers to facilitate high value care. Furthermore,
patient and encounter volume measures help contextualize and interpret
other measures designed to assess progress related to interoperability.
Current measures to understand the magnitude of information exchange
and use are fundamentally limited. For example, as noted in the HTI-1
Proposed Rule (88 FR 23835), publicly available information from some
health information networks can be difficult to interpret without also
knowing the
[[Page 1317]]
number of encounters occurring at sites using these methods, the number
of patients being treated, and other measures of volume. Measures
intended to provide insight into the volume of information exchanged
across the nation are not feasible to collect from end users through
clinical surveys, and the CMS PI Program measure is reported by a
subset of providers that participate in that program.
We agree with commenters that measures of efficiency and
effectiveness of health IT to support deduplication and reconciliation
alongside measures of volume of clinical care documents received and
incorporated will provide valuable insight on interoperability trends.
Both measures are discussed more fully below.
Consolidated Clinical Document Architecture (C-CDA) Documents Obtained
Using Certified Health IT by Exchange Mechanism Measure
We proposed (88 FR 23834 and 23835) to adopt the ``C-CDA documents
obtained using certified health IT by exchange mechanism'' measure in
Sec. 170.407(a)(2). We stated that this measure would report on the
volume of C-CDA documents obtained using certified health IT by
exchange mechanism relative to patient volume, and that a developer of
certified health IT with Health IT Modules certified to the ``clinical
information reconciliation and incorporation'' certification criterion
in Sec. 170.315(b)(2) would be required to report the proposed
numerators and denominators for this measure. We refer readers to the
HTI-1 Proposed Rule (88 FR 23834 through 23836) for detailed background
on the proposed measure.
We proposed four numerators and four denominators for this measure
(88 FR 23835). We noted in the HTI-1 Proposed Rule (88 FR 23835 and
23836) that we planned to generate multiple metrics from different
combinations of these numerators and denominators. We proposed to adopt
the following numerators for this measure: (1) number of unique C-CDA
documents obtained (which we defined for the purpose of this proposal
as either C-CDAs that are received--that is, C-CDAs that have been sent
or `pushed' by others and received using certified health IT or C-CDAs
that are queried--that is, C-CDAs that were found or `pulled' from a
network or central repository using certified health IT) using
certified health IT and Direct Messaging during the reporting period;
(2) number of unique C-CDA documents obtained (received or queried)
using certified health IT and a local/regional health information
exchange (HIE) or national health information network (HIN) during the
reporting period; (3) number of unique C-CDA documents obtained
(received or queried) using certified health IT and a developer-
specific HIN (i.e., a network that facilitates exchange between
entities using the same health IT developer's products) during the
reporting period; and (4) number of unique C-CDA documents obtained
(received or queried) using certified health IT and a method not listed
above and not including electronic fax during the reporting period.
We proposed (88 FR 23835) to adopt the following denominators for
this measure: (1) number of encounters during the reporting period; (2)
number of unique patients with an encounter during the reporting
period; (3) number of unique patients with an associated C-CDA document
during the reporting period; and (4) number of unique C-CDA documents
obtained (received or queried) using certified health IT during the
reporting period. We proposed (88 FR 23835) to include denominators for
the number of encounters during the reporting period and the number of
unique patients seen (i.e., with an encounter) during the reporting
period to provide a sense of the volume of C-CDA documents exchanged
relative to the number of instances when a C-CDA document might be
useful.
Comments. While numerous commenters expressed general support for
this measure, some commenters raised concerns. Their major concerns
related to: (1) burden associated with the measure and the overall
program; potentially including health care providers as they may need
to map their exchange partners to different types of networks for
reporting purposes; (2) rethinking the mechanisms which include a mix
of methods and standards that are not mutually exclusive; (3) measuring
beyond standards that reflect the current state such as FHIR, which may
become dominant in the future; (4) better defining and specifying the
selected exchange mechanisms; and (5) potentially including mechanisms
that do not result in structured, interoperable data, such as e-fax, to
more fully measure the totality of exchange, including exchange across
the care continuum with providers who do not possess electronic
exchange capabilities.
Response. We thank commenters for their feedback and agree with the
concerns raised by commenters related to the potential burden of some
metrics, including impacts on providers, the need to reduce overall
burden associated with the Insights Condition, and the ability to
meaningfully distinguish between the proposed exchange mechanisms given
the overlap between the use of standards and methods of exchange.
Therefore, we have not finalized the ``C-CDA documents obtained using
certified health IT by exchange mechanism'' measure. Although we value
measuring exchange mechanisms, the ecosystem for HIE methods is
evolving, particularly with the launch of TEFCA. The evolving landscape
for exchange calls for a measure that tracks trends related to the
adoption and use of each mode of exchange to better inform ONC's policy
making and health care providers' operational decisions. We may
consider proposing a revised version of this measure in a future
rulemaking with the intent of capturing trends in how clinical
information is being exchanged, inclusive of FHIR-based exchange.
Consolidated Clinical Document Architecture (C-CDA) Problems,
Medications, and Allergies Reconciliation and Incorporation Through
Certified Health IT Measure
We proposed (88 FR 23836) to adopt the ``C-CDA medications,
allergies, and problems reconciliation and incorporation using
certified health IT'' measure in Sec. 170.407(a)(3), which would
capture the number of C-CDA documents that are reconciled and
incorporated (as defined in Sec. 170.315(b)(2)(iii)) as part of a
patient's record by clinicians or their delegates. We proposed (88 FR
23836) that a developer of certified health IT with Health IT Modules
certified to the ``clinical information reconciliation and
incorporation'' certification criterion in Sec. 170.315(b)(2) would be
required to provide information on how data in C-CDA documents are
used, focusing on the reconciliation and incorporation of medications,
allergies and intolerances, and problems.
We proposed (88 FR 23836) the numerator to be the total number of
C-CDA documents of the Continuity of Care Document (CCD), Referral
Note, Discharge Summary document types that are obtained and
incorporated across all exchange mechanisms supported by the certified
health IT during the reporting period. The numerator would increment,
or increase in number, upon completion of clinical information
reconciliation of the C-CDA documents for medications, allergies and
intolerances, and problems, as described in the certification criterion
in Sec. 170.315(b)(2).
We proposed (88 FR 23836) the denominators for this measure, using
[[Page 1318]]
the definition of ``encounter'' described earlier in the preamble of
the HTI-1 Proposed Rule (88 FR 23832), as the following: (1) number of
encounters during the reporting period; (2) number of unique patients
with an encounter during the reporting period; (3) number of unique
patients with an associated C-CDA document during the reporting period;
and (4) number of unique C-CDA documents obtained using certified
health IT during the reporting period. For this fourth denominator, we
indicated that we were aware that in the current landscape, some
clinicians and hospitals are able to receive C-CDA documents through
multiple methods and it is possible to receive multiple copies of the
same C-CDA (e.g., via Direct Messaging and an HIE). We sought to only
include unique C-CDA documents in both the numerator and denominator
because we believed that clinicians were unlikely to reconcile multiple
copies of the same C-CDA and that by eliminating these duplicates, we
would avoid undercounting reconciliation (88 FR 23837).
Comments. Several commenters who indicated general support for the
measure also expressed concerns about the burden associated with the
measure. These commenters noted that their reports for clients on a
similar measure for the CMS PI Program do not necessarily create
efficiencies in aggregating the data across their clients. One
commenter indicated the value of the measure did not outweigh the
burden because many of their clients do not regularly reconcile and
incorporate documents they obtained.
Commenters representing EHR developers also provided qualitative
ratings of burden associated with these measures. They indicated that
the data points (e.g., numerators/denominators) ``number of
encounters'' and ``number of unique patients with an encounter'' would
be low level of effort; whereas ``number of unique patients with an
associated C-CDA document'' and ``number of C-CDA documents of the
Continuity of Care Document (CCD), Referral Note, Discharge Summary
document types that are obtained and incorporated across all exchange
mechanisms'' would be a high level of effort. The rest of the clinical
care exchange numerators and denominators were rated as medium level of
effort. The commenter expressed that the ``number of unique patients
with an associated C-CDA document'' was rated as high in burden because
greater clarification was needed related to what the term
``associated'' meant.
Response. We appreciate the feedback from commenters. In response
to public comments, we have revised metrics to reduce burden associated
with the measure as further discussed in this section below. We
appreciate that aggregating data across clients at the product level
requires additional effort even if the incorporation and reconciliation
measure is similar to the CMS PI measure, but we maintain that the
existence and use of the similar data structures to generate reports
for clients creates efficiencies for developers relative to the
counterfactual, in which no such data structures currently exist. We
believe the measure will provide value commensurate with the burden
described by commenters. As noted earlier, commenters representing
health care providers expressed value in the proposed incorporation and
reconciliation measure. If providers are not engaging in these
activities, it would be useful to make that information more widely
known to healthcare organizations, payers, and other interested parties
involved with patient safety through this measure. Providers may find
the measures useful to evaluate their workflows and health IT
configuration to optimize functionality that supports incorporation and
reconciliation.
The version of the metric included in the measure specification is
described in more detail below and in the measure specification itself.
We have included the following metrics described at 88 FR 23835 in the
measure specification: number of encounters during the reporting
period, number of unique patients with an encounter during the
reporting period, and number of unique patients with an associated C-
CDA document during the reporting period. These metrics are included as
described at 88 FR 23835, except for a revision to the measure of
encounters described further in this preamble.
We have revised the metrics, ``number of unique C-CDA documents
obtained (received or queried) using certified health IT during the
reporting period'' (88 FR 23835) and ``the total number of C-CDA
documents of the Continuity of Care Document (CCD), Referral Note,
Discharge Summary document types that are obtained and incorporated
across all exchange mechanisms through the certified health IT during
the reporting period'' (88 FR 23836) to better capture how health IT
functions and to reduce requirements specific to the Insights
Condition. The revisions are further described later in this section.
Comments. Numerous commenters requested clarification on whether
duplicate documents should be counted and asked how duplicates should
be defined. Some commenters recommended that all documents be counted,
whether duplicative or not, because all documents must be managed.
Furthermore, one commenter recommended that ONC require that all
documents are counted, whether considered duplicates or not, because
whether documents are duplicates or not, all must be processed,
deduplicated, and reconciled. Comments also indicated that
deduplication may not be necessary if the intended purpose is to
examine trends over time. Commenters noted that there is not
necessarily industry consensus on what it means for information to be
duplicative. Numerous commenters noted that examining the full content
of documents to verify if documents are duplicates may not be feasible.
Most commenters indicated that ONC should limit its definition to
duplicates based upon document identifiers as that was the most
feasible option, though these commenters acknowledged that relying on
document identifiers alone to identify them may not fully capture all
duplicative documents.
Response. We appreciate the input from commenters on how the
measures should manage duplicate C-CDAs. In response to feedback, the
approach to identifying duplicate C-CDAs to support metrics related to
unique C-CDA documents, as included in the measure specifications
accompanying the HTI-1 Proposed Rule, has been revised. We have removed
the requirement for health IT developers to identify C-CDAs that
``otherwise contain substantially identical data as identified by
developers of certified health IT.''\196\ In the measure specification
accompanying this final rule, we have provided a definition for
``unique C-CDAs'' so that duplicate C-CDAs shall be identified based
upon document identifier only, and only one of multiple C-CDAs with the
same document identifier will be included in a count of unique C-CDAs.
For example, if an HIE receives a C-CDA from a health care provider and
regenerates the C-CDA, the content of the document does not change, but
the document may have a new document ID. In this instance, we will not
require health IT developers to undertake the effort to analyze the
content to determine if it is identical to the original C-CDA's
content, and we recognize that
[[Page 1319]]
C-CDAs containing identical information would not be counted as a
duplicate if they have different document IDs.
---------------------------------------------------------------------------
\196\ ONC Health IT Certification Program Insights Condition:
Consolidated Clinical Document Architecture (C-CDA) Medications,
Allergies, and Problems Reconciliation and Incorporation Using
Certified Health IT https://www.healthit.gov/sites/default/files/2023-04/3.Measure_Spec_CCDA_Reconcile_1.3.pdf.
---------------------------------------------------------------------------
We agree with the commenters who highlighted the work necessary to
process, deduplicate, and reconcile both non-duplicative and
duplicative C-CDAs, and the importance of capturing the totality of all
C-CDAs processed. In response to this comment, we have added a metric
as the number of total C-CDA documents obtained, inclusive of potential
duplicate documents as described in the measure specification. This
reflects the totality of documents measured by health IT developers,
irrespective of document identifier. This metric relates directly to
the proposed metric ``number of unique C-CDA documents obtained using
certified health IT during the reporting period'' (88 FR 23835) and
would represent the count of C-CDAs before deduplication processes were
applied. Given the substantial comments we received on the
deduplication process as described in the measure specification, we
believe that this permutation on the underlying metric was both
anticipated by and supported by public comment.
We have also retained the metric counting the unique number of C-
CDAs and have made a revision by modifying the approach to identifying
duplicate C-CDAs underlying this metric. The metric, as described in
the measure specification accompanying the final rule, is the number of
unique C-CDA documents obtained. We clarify that unique C-CDAs are
identified by document ID and only one of multiple C-CDAs with the same
document identifier counted. This metric relates directly to the
proposed metric following revision of the deduplication process. The
difference between these two metrics represents the volume of duplicate
C-CDAs obtained, determined by document ID. This is critical to track
as health care providers have identified the potential negative
downstream impacts of duplicate documents exchanged on the complexity
of exchange and usability of the data.
Comments. Numerous commenters indicated that the proposed metric
did not explicitly include important automated aspect of the
reconciliation process, which includes deduplication through automated
means. Commenters pointed out that reconciliation by human users can be
assisted by underlying automation and that there was variation in these
practices. For instance, as noted above, commenters expressed concern
that there was not industry consensus on how to deduplicate information
contained within a C-CDA. The HITAC specifically noted that new tools
and automated processes are advancing to reduce the human burden
involved in reviewing exchanged information.\197\ Numerous commenters
also noted that the measure is specifically based on reconciliation
actions occurring at the C-CDA document level, whereas many developers
aggregate data across individual documents for consolidated or
``bundled'' clinical reconciliation for a more user-friendly workflow
to deduplicate C-CDAs. Commenters noted the measure should be modified
to better account for bundled reconciliation, and that doing so would
align this measure further with the CMS PI Program measures. Numerous
commenters recommended that ONC include documents reconciled not only
by human users, but those documents automatically reconciled via
electronic tools that reduce the need for manual review and
reconciliation of data. A commenter expressed that the metric was rated
as high in burden because auto-reconciliation was not included in the
proposed measure.
---------------------------------------------------------------------------
\197\ HITAC recommendation: HTI-1-PR-TF-2023_Recommendation 33
in Recommendations on the Health Data, Technology, and
Interoperability: Certification Program Updates, Algorithm
Transparency, and Information Sharing (HTI1) Proposed Rule https://www.healthit.gov/sites/default/files/page/2023-06/2023-06-15_HTI-1-PR-TF-2023_Recommendations_Report_Final_508.pdf.
---------------------------------------------------------------------------
Response. We appreciate considerations from commenters on the range
of evolving practices to automate and support reconciliation and
incorporation of C-CDAs, which can reduce burden on end-users. As noted
above, given this range of practices, we have specified in the measure
specification accompanying this final rule that the identification of
unique C-CDAs for the purpose of the Insights Condition depends only on
document identifier.
In proposing within the measure specification to define duplicates
based on the inclusion of substantially identical information as
identified by health IT developers, we intended to reflect what we
understood to be wide variation in developers' approaches to
determining whether information was duplicative.\198\ However, public
comments further highlighting variation in approaches to deduplication,
particularly automated processes to do so, coupled with comments about
similar automated processes that some developers use to reduce burden,
indicate that it is essential to measure automated processes to
meaningfully capture how information in C-CDAs is used. Without
including metrics on these processes, we believe the metrics as
proposed may have led to invalid inferences. For instance, the proposed
metrics may have inappropriately conflated fully automated processes
identifying no new information with processes involving clinician
review and resulting in new information incorporated into the Health IT
Module. This was confirmed by commenters indicating that it might be
infeasible or of little value to implement the proposed metrics in
cases where documents were bundled or otherwise pre-processed.
---------------------------------------------------------------------------
\198\ ONC Health IT Certification Program Insights Condition:
Consolidated Clinical Document Architecture (C-CDA) Medications,
Allergies, and Problems Reconciliation and Incorporation Using
Certified Health IT https://www.healthit.gov/sites/default/files/2023-04/3.Measure_Spec_CCDA_Reconcile_1.3.pdf.
---------------------------------------------------------------------------
We further agree with commenters that changes in health IT systems
that reduce provider burden are vital. The metrics described in the
measure specification accompanying the final rule will facilitate
insight into the extent to which health IT systems employ automated
processes to streamline reconciliation and incorporation of clinical
information and result in greater use of information in C-CDAs and
reduced burden. As a result, the measure will properly reflect the
success of developers with approaches that create efficiency for the
healthcare delivery system.
To support the final measure and to capture the range of methods
that support the reconciliation and incorporation process, we use
several terms in the measure specification sheets accompanying the
final rule. For purposes of clarity, we note the terms have the
following meanings:
``Pre-Processes for Reconciliation and incorporation'' is
any automated process that (1) deduplicates C-CDAs, for instance, based
on document identifier, the information contained within multiple C-
CDAs, or other means; (2) removes information for user review that is
identical to information in the Health IT Module; (3) aggregates data
across documents for bundled reconciliation; or (4) uses another means
to process C-CDAs to facilitate manual (by a clinician or their
delegate) or fully automated reconciliation and incorporation of
information into the Health IT Module.
``Reconciled and Incorporated via Any Method'' is any
approach to reconciling and incorporating information in the Health IT
Module, including but not limited to manual processes performed by a
clinician or their delegate only; a mix of manual and automated
processes; or fully automated
[[Page 1320]]
processes. This includes an affirmative action to (1) reconcile new
information from the C-CDA into the Health IT Module, for instance, by
comparison of medication information in the Health IT Module and
information in the C-CDA; or (2) indicate that no new information needs
to be incorporated into the Health IT Module.
``Fully automated processes for reconciliation and
incorporation'' is any process by which problems, medications, or
allergies and intolerances contained within C-CDAs are automatically
reconciled with information within certified health IT and incorporated
into health IT without an action by a clinician end-user or their
delegate. These processes include (1) reconciling new information from
the C-CDA into the Health IT Module, for instance, by comparison of
medication information in the Health IT Module and information in the
C-CDA; or (2) determining that no new information needs to be
incorporated into the Health IT Module.
``Determined to have no new problems, medications, or
allergies and intolerances information'' is any pre-process or fully
automated process that determines that the C-CDA contains no new
information.
In consideration of public comment received on the proposed
measure, we have included more specific metrics in the measure
specification accompanying the final rule. Three metrics account for
pre-processes and fully automated processes related to reconciling and
incorporating C-CDAs and two more clearly framed metrics related to C-
CDAs for which automated processes were not applied. We made these
adjustments to better reflect developers' existing practices related to
deduplication and similar pre-processing, including the bundling of C-
CDAs described in public comment on the HTI-1 Proposed Rule and
accompanying measurement specification. In contrast to the original
measure in the HTI-1 Proposed Rule, we have not finalized a requirement
that any complex deduplication be performed specifically for the
Insights Condition by those developers who do not currently deduplicate
or otherwise automatically process C-CDAs, which will result in reduced
burden on developers.
In so doing, we believe the updated metrics represent a direct
evolution of the focus in the HTI-1 Proposed Rule on deduplication that
is responsive to comments and reduces burden on developers. To that
end, in the measure specification accompanying this final rule, we sub-
divided the proposed metrics to more precisely capture rates of pre-
processes and fully automated processes described by commenters.
In addition to the metric, number of unique C-CDA
documents obtained, we have also included two metrics to enable the
proper and accurate capture of the use of pre-processing that may
facilitate efficient and effective review of information contained
within C-CDA documents: (1) number of total C-CDA documents obtained
that were pre-processed, and (2) number of total C-CDA documents
obtained that were not pre-processed. Following the change to what
constitutes a duplicate C-CDA previously discussed, the number of
unique C-CDAs will reflect elimination of an important subset of
duplicate C-CDAs, but will not reflect more complex deduplication
processes. The complementary metrics reflect the extent that developers
performed pre-processes, inclusive of those deduplication processes,
for obtained C-CDAs. This approach eliminates the need to perform
specific, complex deduplication processes for the Insights Condition
and the final metrics should decrease developer burden compared to what
was proposed. We expect that some developers that do not have the
capability to pre-process C-CDAs would report a zero for the first
metric.
We have divided the proposed metric ``number of C-CDA
documents of the Continuity of Care Document (CCD), Referral Note,
Discharge Summary document types that are obtained and incorporated
across all exchange mechanisms supported by certified health IT during
the reporting period'' into two metrics to more clearly differentiate
between reconciliation activities that were and were not supported by
pre-processes: (1) number of total C-CDA documents obtained that were
pre-processed where problems, medications, or allergies and
intolerances were reconciled and incorporated via any method; and (2)
number of total C-CDA documents obtained that were not pre-processed
where problems, medications, or allergies and intolerances were
reconciled and incorporated via any method. This division was made in
response to public comment requesting that we specify how the proposed
metrics accounted for pre-processing and requesting that we reduce the
complexity of C-CDA processing necessary, specifically for the Insights
Condition. We expect that some developers that do not have the
capability to pre-process C-CDAs would report a zero for the first
measure.
Finally, we have included a specific standalone metric to capture
fully automated processes that did not result in new information. In
the proposed measure specification, we stated, ``if no update is
necessary, the process of reconciliation may consist of simply
verifying that fact or reviewing a record received and determining that
such information is merely duplicative of existing information in the
patient record.'' We believe that this statement was ambiguous about
whether automated processes for making this determination would count
as reconciliation, and commenters indicated as much by comparison to
the CMS PI measure. Given commenters' interest in highlighting various
approaches to processing C-CDAs, we have included a metric focused
directly on this process as the number of total C-CDA documents
obtained that were determined to have no new problems, medications, or
allergies and intolerances information by pre-processes or fully
automated processes. This metric is intended to disambiguate how to
capture pre-processes and fully automated processes for verifying that
no new information was available relative to the measure specification
accompanying the HTI-1 Proposed Rule.
We believe this approach will facilitate measurement of C-CDAs that
are bundled together prior to end-user review. For instance, if the
bundle is not reviewed by a clinician end user or their delegate and
information is not automatically reconciled and incorporated, the
metric related to reconciling information that has been pre-processed
described above would not include C-CDAs that contained new information
presented in a bundle. Prior to manual review, C-CDAs that contributed
no new information to the bundle could either be counted as
contributing to both the metric related to reconciling information that
has been pre-processed and the metric related to determining that the
C-CDA contained no new information, or to neither metric depending on
the approach that most closely matched the product's logic. Once manual
review of a bundled C-CDAs is completed, each C-CDA that comprised the
bundled review would increment the metric related to reconciling
information that has been pre-processed above, and those that
contributed no new information to the bundle would increment the metric
related to determining that the C-CDA contained no new information as
well. We have adopted this approach to acknowledge the health IT
systems that have functionality that streamlines the reconciliation
process, with the interest
[[Page 1321]]
of understanding how this functionality reduces burden for end users.
We recognize that today many developers may apply no pre-processes or
fully automated processes to obtained C-CDAs, and these developers
would report a zero for these metrics.
C-CDA documents obtained via all mechanisms (including from
national networks, such as the Carequality framework and CommonWell,
Direct Trust, and eHealth Exchange; Health IT Developer networks; EHR
to EHR exchange; regional, local, and community HIE; and Direct Secure
Messaging) should be counted in the measure. However, we clarify that
the measure does not require any stratification by exchange mechanism.
Comments. One commenter raised a concern that it would be difficult
to deduplicate patients across EHR instances and thus ONC should
clarify that deduplication across EHR instances is not expected.
Response. We appreciate the request for clarification. We recognize
that this requirement represents a significant level of burden and do
not expect deduplication of patients across EHR instances for this
measure.
Comments. Many commenters recommended to include any valid C-CDA
R2.1 IG document-level template for measurement, as opposed to only the
CCD, Discharge Summary, and Referral Note templates described in the
measure specifications sheets related to this measure. Some commenters
also noted that including a broader set of document types would better
capture the full scope of C-CDA document exchange that is active in
healthcare today and aligns with CMS PI Program. Additionally, one
commenter representing health IT developers noted it would be less
burdensome to include all documents, rather than only the subset, as
they did not have the capability to identify the subset. Relatedly,
numerous commenters also suggested that we modify the definition for
obtaining C-CDAs. Many commenters indicated that excluding C-CDA
without any data would be problematic as that would involve reviewing
the content of the C-CDA which would be burdensome. One commenter noted
that a C-CDA without any data (such as a patient header) would be
rejected and not counted. Some commenters suggested including any
document received inbound that is in a valid file format with a header
indicating that it is a C-CDA R2.1 document template.
Response. In an effort to align with the ``automated measure
calculation'' (Sec. 170.315(g)(2)) criterion that health IT developers
follow to support reporting the CMS measures, we have revised the
measure specification so that the measure includes any valid C-CDA
document-level template referred to in the standards adopted for
certification to Sec. 170.315(b)(2) for measurement, as opposed to
only the CCD, Discharge Summary, and Referral Note templates. This
brings the measure into alignment with the CMS PI Program measure
(Support Electronic Referral Loops By Receiving and Reconciling Health
Information), which states ``Starting in 2019, for the Promoting
Interoperability measure an EP may use any document template within the
C-CDA standard for the purposes of the measure.'' We note that this
scope is substantially broader than the ``clinical information and
reconciliation and incorporation'' (Sec. 170.315(b)(2)) criterion,
which only requires that certified Health IT Modules be able to
reconcile and incorporate Continuity of Care Document, Referral Note,
and (inpatient setting only) Discharge Summary. We will not require
developers to exclude documents without data, acknowledging that some
developers do not parse or otherwise pre-process C-CDAs and, therefore,
cannot readily evaluate whether the C-CDA contains data. We plan to
collaborate with the community to determine if more nuanced levels of
analysis are warranted for future measure updates to refine the
measure.
Comments. Some commenters asked ONC for clarification on the
proposed denominator, ``number of unique patients with an associated C-
CDA document during the reporting period.'' One commenter indicated
they were not sure how it differed from ``documents obtained'' in one
of the other denominators and whether it was intended to only capture
new associations that occurred during a reporting period or a snapshot
of all patients at the end of the reporting period. One commenter also
inquired about how to count a document received during one reporting
period but matched in another reporting period.
Response. We clarify that the metric, number of unique patients
with an associated C-CDA document during the reporting period, refers
to the number of unique patients that have been matched to at least one
C-CDA within the certified Health IT Module by automated or manual
means in the reporting period and, therefore, have at least one
associated C-CDA. The metric, number of total C-CDA documents obtained
through certified health IT during the reporting period, refers to the
total number of C-CDA documents obtained across all patients for the
reporting period. For example, if two C-CDAs were received for a single
patient during the reporting period, the first metric would count this
as a single unique patient, while the second metric would count this as
two C-CDAs. These counts would not depend on whether information had
previously been received for a patient prior to the reporting period.
As noted in the HTI-1 Proposed Rule, we believe these denominators
support an understanding of the volume of C-CDA documents exchanged
relative to the number of instances when external information could
inform health care providers.
With regard to documents that may be obtained in one reporting
period and reconciled in another reporting period, the measure's
metrics call for counting C-CDAs obtained, reconciled, and incorporated
in the same reporting period. We recognize that some C-CDAs obtained
prior to the reporting period, but reconciled and incorporated during
the reporting period, are not counted in the metrics. However, we
expect these instances will not substantially impact the interpretation
of the metrics' results. We also recognize that some C-CDAs obtained
during the reporting period may be reconciled and incorporated
following the reporting period, but similarly believe these instances
will be uncommon. We expect that the shift to calendar year reporting
will further minimize the exclusion of documents that are received
before the start of a reporting period and reconciled during the start
of the reporting period.
Comments. One commenter suggested the encounter-based metrics may
not adequately measure one of the key areas of interest, which is to
assess the extent to which exchange of outside information can
potentially inform care. This commenter suggested that to identify the
extent to which encounters benefited from information exchange would
require a denominator of total number of encounters during the
reporting period, and a numerator of encounters in which information
from a C-CDA document was incorporated. Such a measure would provide
the percentage of encounters in which outside information was
potentially beneficial to the encounter was incorporated from received
documents.
Response. We agree with the commenter that many variations on the
required metrics could provide additional insight into how exchanged
information is used and that measures related to the proportion of
encounters in which obtained information was incorporated could be
particularly insightful. However, we have sought to
[[Page 1322]]
balance that consideration against the potential for additional burden
associated with the measure. To that end, we decline to revise or
extend measures to capture the proportion of encounters in which
information was incorporated. We plan to continue to collaborate with
the community to investigate the degree of development necessary to
link C-CDAs incorporated to their use to inform care during an
encounter.
Comments. Several commenters raised questions regarding what
actions count as reconciliation. One commenter requested clarification
on whether a document would be considered incorporated if any amount of
data was incorporated or by specific data element. A couple of
commenters requested ONC be more explicit about what types of data are
included for reconciliation, asking whether a document should be
included only if it had problems, allergies, or medications (PAM) for
reconciliation, or if reconcilable laboratory results (e.g., blood
tests) or immunizations should also be included. A commenter requested
that ONC limited it to reconciliation of PAM, given that it is a
certification requirement, and that the numerator be explicitly defined
in that manner. Relatedly, a couple of commenters recommended that if a
document did not contain any new information to be reconciled that it
should still increment the numerator to match the existing CMS PI
measure. Another commenter requested that ONC clarify that viewing
documents is not equivalent to reconciling documents.
Response. Our intent is to align the measure requirements with the
``clinical information reconciliation and incorporation'' (Sec.
170.315(b)(2)) certification criterion. As such, we describe in the
measure specification accompanying the final rule that metrics related
to reconciliation of C-CDAs would increment upon reconciliation of
medications, allergies and intolerances, or problems. The two metrics
are: (1) number of total C-CDA documents obtained that were pre-
processed where problems, medications, or allergies and intolerances
were reconciled and incorporated via any method; and (2) number of
total C-CDA documents obtained that were not pre-processed where
problems, medications, or allergies and intolerances were reconciled
and incorporated via any method. We clarify that the increment occurs
when reconciliation is completed for any one of the three types of
data, that is, when at least one medication, allergy and intolerance,
or problem is reconciled and incorporated or when it is determined that
no new information should be incorporated. We agree with the
recommendation from commenters that documents that do not contain any
new information for reconciliation should still increment the metrics
when an end-user or automated process verifies the fact that
information in the C-CDA is duplicative of existing information in the
patient record to match the existing CMS PI measure. The third metric,
number of total C-CDA documents obtained that were determined to have
no new problems, medications, or allergies and intolerances information
by pre-processes or fully automated processes, would also increment
when automated processes were used to make this determination. We
believe that distinguishing between automated processes that identify
no new information and other reconciliation is important for a valid
understanding of the use of information and burden on end-users. We
clarify that the act of simply viewing a C-CDA, without an affirmative
action verifying that information is either absent or duplicative,
would not increment these metrics.
Comments. One commenter suggested focusing measurement on
transitions between outside organizations/systems, as patients within
health systems are often referred, admitted, and discharged to
providers within the same system which might make it difficult to
interpret the results.
Response. The measure is intended to count C-CDAs that must be
exchanged outside of a ``one patient one chart'' system, where multiple
specialists within a system can access a single patient record and
manage a single list for problems, medications, and medication
allergies. We note that this measure applies to intra-system exchange,
where specialists within the same provider organization do not have
access to a ``one patient one chart'' health IT system, and inter-
system exchange, where specialists across different provider
organizations also do not have access to a ``one patient one chart''
health IT system. We also note that this measure is not limited to
transitions of care. We may consider if the measure should be reported
by transitions of care in future rulemaking.
Finalization of Measure
We have finalized the measure as ``consolidated clinical document
architecture (C-CDA) problems, medications, and allergies
reconciliation and incorporation through certified health IT'' in Sec.
170.407(a)(3)(ii). We have revised the proposed measure based on public
comments received related to variation in industry practices, including
approaches to deduplication and automation. Specific metrics to support
this finalized measure are described in the related measure
specification located on ONC's website and in the section above. We
also note that if regulatory baselines associated with the metrics
change in the future--such as a revision to a criterion through notice
and comment rulemaking--the measure specification would also be changed
to ensure alignment with the revised criterion:
1. Number of encounters
2. Number of unique patients with an encounter
3. Number of unique patients with an associated C-CDA document
4. Number of total C-CDA documents obtained
5. Number of unique C-CDA documents obtained
6. Number of total C-CDA documents obtained that were pre-processed
7. Number of total C-CDA documents obtained that were not pre-
processed
8. Number of total C-CDA documents obtained that were pre-processed
where problems, medications, or allergies and intolerances were
reconciled and incorporated via any method
9. Number of total C-CDA documents obtained that were not pre-
processed where problems, medications, or allergies and intolerances
were reconciled and incorporated via any method
10. Number of total C-CDA documents obtained that were determined
to have no new problems, medications, or allergies and intolerances
information by pre-processes or fully automated processes
The reporting period for the measure and related metrics consists
of one calendar year. Data collection for the measures and associated
metrics will begin during the second and third phases of reporting
(which is described later in the preamble).
Measurement Area: Standards Adoption and Conformance
We proposed (88 FR 23837) to adopt four measures in the ``standards
adoption and conformance'' area in Sec. 170.407(a)(4) through (7) to
provide insight into the role that standards play in enabling the
access, exchange, and use of EHI. We proposed to measure the following
aspects within this area: (1) availability of apps to support access to
EHI for a variety of purposes; (2) the usage of FHIR-based APIs to
support apps; (3) the use of bulk FHIR to support the access to EHI for
groups of individuals; and (4) the use of EHI
[[Page 1323]]
export functionality (88 FR 23837). We stated that together, these
measures will provide a foundation for understanding whether and to
what extent ONC's policies to promote standards are supporting users of
health IT, including patients, clinicians, researchers, and others to
access, exchange, and use EHI via certified health IT for a variety of
purposes. These measures would also provide visibility into industry
adoption of standards required by the Program and provide data to
inform future standards development work.
Comments. Many commenters supported the ``standards adoption and
conformance'' measurement area. One commenter expressed support for
interoperability measurement as a national priority. One commenter
disagreed with ONC's statement that data on the volume of information
exchanged would provide the means to assess the extent that patient
information is moving between providers to facilitate high value care,
stating that pure volume does not accurately reflect quality.
Response. We appreciate the support expressed by many commenters
and agree that only collecting data on the volume of information
exchanged will not strictly reflect the quality of care provided.
However, we plan to use this data in conjunction with other collected
data from the ``Insights Condition and Maintenance of Certification''
to create metrics that will assess the extent that patient information
is exchanged between providers to facilitate high value care.
Comments. We received numerous comments with suggestions for new or
revised measures in the ``standards adoption and conformance'' area.
Throughout this measurement area we use the abbreviation ``app'' for
the term application. Apps that may connect to ONC-certified health IT
via the capabilities enabled by 170.315(g)(10), refer to third-party
software or IT system not offered by the certified health IT developer
including but not limited to: mobile apps, web portals, locally hosted
software, enterprise software solutions, and custom software.
For the ``applications supported through certified health IT''
measure, the majority of comments received suggested metrics focused on
the availability (e.g., number of distinct apps) and accessibility
(e.g., number of accesses) of patient-facing and non-patient-facing
apps. Two commenters suggested metrics focused on requesting additional
qualitative context/information about the purpose for which apps were
developed or use cases, especially for specialty care apps, and
clinical decision support. One commenter requested for app developers
to report the turnaround time for app developer authentication and
authorization to production environments. One commenter requested for
app attestation to be included in the Insights Condition requirements.
For the ``use of FHIR in apps supported by certified API
technology'' measure, a majority of the comments suggested metrics
focused on IG development, adoption, and conformance beyond the US Core
IG. One commenter requested a metric that counts the number of queries
made by either a patient or a clinician. One commenter suggested
counting the total number of FHIR resources by individual resource.
For the ``use of FHIR bulk data access through certified health
IT'' measure, most of the commenters suggested metrics focused on
obtaining information related to the FHIR Bulk Data request metadata
(i.e., user-type of the FHIR Bulk Data requester, export time per
resource (average), and group size for successful exports (average)).
One commenter suggested a metric that counts the number of FHIR Bulk
Data export requests. Another commenter suggested a metric that focuses
on real-world performance of FHIR Bulk Data implementations.
Response. We thank all commenters for their thoughtful input. We
appreciate the interest expressed in requiring additional reporting
metrics for the ``standards adoption and conformance'' measurement
area, and may explore the feasibility of these suggested reporting
metrics in the future.
Applications Supported Through Certified Health IT Measure
In the HTI-1 Proposed Rule (88 FR 23837), we proposed to adopt the
``applications supported through certified health IT'' measure in Sec.
170.407(a)(4), which would provide information on how certified health
IT supports the health app ecosystem by asking certain health IT
developers under the Program to report app names and app developer
names, intended app purposes, intended app users, and whether a
registered app is in ``active'' use across a developer's client base
(as further detailed below). We stated in the HTI-1 Proposed Rule that
this measure would result in a listing of apps that could be used to
generate a variety of metrics. Only developers of certified health IT
with Health IT Modules certified to the ``standardized API for patient
and population services'' (Sec. 170.315(g)(10)) criterion would be
required to report data for this measure.
In the HTI-1 Proposed Rule (88 FR 23837 through 23840), we proposed
that developers of certified health IT with Health IT Modules certified
to Sec. 170.315(g)(10) provide certain information about the apps that
are connected to their certified technology. We proposed that the app
name and the developer (company/organization or individual) responsible
for the app would be reported for each app registered to a developer of
certified health IT whose Health IT Module is certified to the Sec.
170.315(g)(10) criterion. We noted that the app registration process
required under Sec. 170.315(g)(10)(iii) may provide an opportunity for
developers of certified health IT to gather standard information for
apps connecting to their certified API technology as part of existing
workflows. There may be other mechanisms besides the app registration
process by which developers of certified health IT wish to obtain this
information.
We proposed that developers of certified health IT with Health IT
Modules certified to Sec. 170.315(g)(10) obtain and report the
intended purpose(s) for each app connected to their certified API
technology using the following categories:
Administrative Tasks (e.g., scheduling & check-in, billing
& payment)
Clinical Tools (e.g., clinical decision support, risk
calculators, remote patient monitoring)
Individuals' Access to their EHI (e.g., enables patients
to access their health information, medications, test results, vaccine
records)
Research (e.g., used to perform clinical research)
Population Data (e.g., bulk transfer of data, population
analytics & reporting)
Public Health (e.g., electronic case reporting)
Patient-Provider Communication (e.g., secure messaging,
telehealth)
Educational Resources (e.g., patient and provider
educational resources)
Other Intended Purpose
Unknown (e.g., missing)
As stated in the HTI-1 Proposed Rule (88 FR 23838), developers of
certified health IT to whom the measure applies would report the
intended purpose(s) of the app for each app registered to their Health
IT Module(s) certified to the Sec. 170.315(g)(10) criterion. The
categories we proposed under this measure were informed by app category
taxonomies in published literature from Barker &
[[Page 1324]]
Johnson (2021),\199\ Ritchie and Welch (2020),\200\ and Gordon and
Rudin (2022).\201\ While we recognized this taxonomy may need to evolve
over time, we conveyed in the HTI-1 Proposed Rule our belief that the
proposed categories represented a large majority of the current market,
and that the types of information, if reported on a complete set of
apps, would provide insightful information to guide ONC's future
efforts to support individuals' access to their EHI via apps, along
with other priority uses, such as research and clinical care.
---------------------------------------------------------------------------
\199\ The ecosystem of apps and software integrated with
certified health information technology: https://academic.oup.com/jamia/article/28/11/2379/6364773?login=false.
\200\ Categorization of Third-Party Apps in Electronic Health
Record App Marketplaces: Systematic Search and Analysis: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7293052/.
\201\ Gordon WJ, Rudin RS. Why APIs? Anticipated value,
barriers, and opportunities for standards-based application
programming interfaces in healthcare: perspectives of US thought
leaders. JAMIA Open. 2022 Apr 6;5(2):ooac023. doi: 10.1093/
jamiaopen/ooac023. PMID: 35474716; PMCID: PMC9030107.
---------------------------------------------------------------------------
Additionally, we proposed (88 FR 23838) that developers of
certified health IT with Health IT Modules certified to Sec.
170.315(g)(10) obtain the following intended user(s) categories for
each app connected to their certified API technology:
Individual/Caregiver
Clinician
Healthcare Organization
Payer
Researcher
Other Intended User
Unknown (e.g., missing)
We also proposed (88 FR 23838) that developers of certified health
IT with Health IT Modules certified to Sec. 170.315(g)(10) obtain the
status for each app connected to their certified API technology using
the following categories:
Actively Used--An app is defined as ``Actively Used'' if
EHI has been transferred to the app using certified API technology for
10 or more unique patients during the reporting period
Not Actively Used--An app is defined as ``Not Actively
Used'' if EHI has been transferred to the app using certified API
technology for fewer than 10 unique patients during the reporting
period
Comments. Most commenters, including EHR and app developers, as
well as commenters representing health care providers, were generally
supportive of this measure and provided specific requests for
clarification and recommendations to constrain the measure. Several
commenters indicated that the data collection burden is high for this
measure. One commenter expressed concerns that the reporting of these
data could lead the public to believe that health IT developers had a
role in recruiting application developers to connect to Sec.
170.315(g)(10). Another commenter recommended that this information be
collected directly from application vendors to reduce burden on health
IT developers.
Response. We thank commenters for their general support. We believe
this measure provides greater transparency regarding apps that are
connected to certified health IT. Specifically, this measure would
enable ONC and the public to understand to what degree apps are
connecting across different certified health IT products, which is
important for enabling individuals' access to their EHI. The ONC Cures
Act Final Rule (85 FR 25750) emphasized the importance of
standardization, transparency, and pro-competitive business practices
through the API Condition and Maintenance of Certification requirements
that would make it easier for third-party apps to connect to certified
health IT, and subsequently facilitate individuals' access to their
EHI. This measure also provides insights into the types of apps that
integrate with certified health IT. Collecting this information will be
beneficial to developers as well, for it will provide them with
insights about available technologies and uses for data that are in
demand in the marketplace.
We acknowledge that collecting this information may require new or
updates to existing data collection as part of the app developer
registration processes. Although developers expressed concerns related
to the burden associated with collecting this information, most
commenters indicated that they have an existing app registration
process, and thus we believe that developers of certified health IT are
best positioned to collect and report this measure. The app
registration process would provide an opportunity to gather standard
information for apps connecting to their certified health IT as part of
existing workflows. We currently do not have data regarding which apps
are connected to their developers' health IT and thus cannot directly
collect this information. We also recognize that health IT developers
do not recruit application developers to connect to certified health
IT, but rather are collecting this information among those application
vendors that are connected to their systems and through the app
registration processes.
Comments. Numerous commenters recommended that ONC directly
acknowledge that mandatory collection of intended purposes and intended
users via the health IT developer registration process would not
violate the API Condition of Certification. One health IT developer
expressed concern that some of the measures will require collection of
new types of data, specifically app categories and audiences.
Commenters representing app developers indicated they supported this
measure and furthermore had suggestions for additional measures to
include.
Response. We appreciate the comments, and note that the collection
of app information required for this Insights Condition measure will
not violate the API Condition and Maintenance of Certification (Sec.
170.404(b)). Specifically, the requirements in Sec. 170.404(b) enable
a Certified API Developer to institute its own process to register
applications for production use, so long as it occurs within five days
of completing its verification of an API User's authenticity. We do not
believe requiring app developers to provide basic information such as
the characteristics of their application, including intended users and
purpose, to be creating undue burden on app developers. Given the
support we received for this measure, including from app developers, we
do not believe this will be a widespread concern or issue. However, we
remind Certified API Developers that the registration process must
still occur in the allotted five business days of completing its
verification of an API User's authenticity, pursuant to paragraph Sec.
170.404(b)(1)(i) and consistent with Sec. 170.404(b)(1)(ii).
Comments. Several commenters had questions related to which apps
would be subject for inclusion in this measure. Commenters representing
EHR developers inquired whether applications relevant for this measure
would be exclusively those registered for and using the scope of FHIR
resources required under the scope of the relevant program criterion at
Sec. 170.315(g)(10). Another commenter indicated that some Sec.
170.315(g)(10) certified health IT does not transfer patient EHI and
requested clarification on whether this technology would be subject to
reporting for this measure.
Response. We appreciate the feedback and offer the following
clarifications. Any app that is registered via the app registration
process for the Sec. 170.315(g)(10) criterion is subject for inclusion
in this measure. We note that the apps that are used by a variety of
interested parties to interact with health
[[Page 1325]]
IT certified to Sec. 170.315(g)(10) are in scope and could include,
but are not limited to, provider-, patient-, and payer-oriented apps.
This variety is also reflected in the category of intended user types
we plan to collect. We did not fully understand the comment regarding a
Sec. 170.315(g)(10) certified health IT that does not transfer patient
EHI because that is the primary point of such technology. As a result,
we are unable to provide further clarity in response to the comment
aside to reiterate that all apps registered through the Sec.
170.315(g)(10) app registration process is in scope for this measure.
Comments. Many commenters indicated that it would be difficult to
collect additional information from app developers that are already
registered with their certified health IT and that new information will
not be collected until app developers need to re-register their app.
Thus, ONC should expect a disproportionate number of ``unknown''
entries related to intended purpose of app and users during early years
of reporting. Another commenter indicated that it would be unable to
capture this information for applications that do not register with the
developer of certified health IT. One commenter noted that with a
dynamic client registration process, where the registration of
applications with an authorization server would be done dynamically
using a trust framework, might lead to attributes needing to be
collected as part of the registration assertion process. They
recommended that this may need to be reviewed, perhaps by a FHIR at
Scale Taskforce (FAST) workgroup.
Response. We appreciate these comments, and recognize that the
measure data may not be as comprehensive initially as it will be in
future years since the year 2026 will be the first measure collection
phase and some health care providers will still be implementing Sec.
170.315(g)(10) upgrades. Thus, there may be many ``unknown'' entries in
early years of reporting, and as apps re-register, this information
would be provided. Many developers certified to Sec. 170.315(g)(10)
may require app developers to register via a process that allows for
the collection of the data required for this measure. To the commenter
who indicated app information may be missing for those apps that do not
register, we recognize that apps not connected to the certified (Sec.
170.315(g)(10) API (and therefore not required to register) would not
be included. We also note that while the app registration process
required under Sec. 170.315(g)(10)(iii) may provide an opportunity to
collect this information, developers of certified health IT may wish to
use other mechanisms such as surveys, forms, or health IT system-based
methods to obtain this information. We are not limiting or specifying
the methods by which developers of certified health IT collect this
information. Developers should describe the method(s) they used to
collect the data in the required documentation they submit to ONC.
Further, we believe it will be possible to collect these data through
the dynamic client registration process; however, we note that existing
dynamic registration implementation guides may need additional
specification. We appreciate the recommendation to consult with a FAST
workgroup or other groups working on dynamic client registration to
ensure that this step is included as part of that process.
Comments. One commenter supported the proposed collection of user
type (intended user of app) for apps and encouraged collection of
information that would identify the types of users that are the focus
of the app (e.g., patient, provider, system) to the dataset of
information collected about apps. Another commenter requested
clarification between ``clinician'' and ``healthcare organization.''
One commenter suggested that the value sets for metrics, intended
purpose of app and intended user of app, be based upon a standardized
value set referenced in other interoperability initiatives such as
TEFCA and HL7 Role Class, respectively. One commenter also noted that
some apps may have multiple intended purposes and intended users and
wanted to confirm that reporting of multiples where relevant was
acceptable.
Response. We appreciate the input provided by commenters on
establishing or selecting an available value set for intended purpose
and intended user. We agree that ``clinician'' and ``healthcare
organization'' may seem duplicative and to avoid confusion we have
revised the value set by removing both of these options and replacing
``clinician'' with ``clinical team'' and ``healthcare organization''
with ``healthcare administrator/executive.'' We appreciate the
recommendation to consider standardized value sets and may consider
identifying relevant value sets in future rulemaking. With regards to
selection of metrics, intended purpose, and intended user, we
understand that there may be multiple purposes and users so apps should
select all that apply and not be limited to one response. Therefore,
these are the following intended user(s) categories for each app
connected to their certified health IT:
Individual/Caregiver
Clinical Team
Healthcare Administrator/Executive
Payer
Researcher
Other Intended User
Unknown (e.g., missing)
Comments. Several commenters requested clarification on whether an
application is ``actively used'' or ``not actively used,'' noting
applications that are ``not actively used'' are not a reflection of the
certified health IT. One commenter recommended that an application
should be designated as actively used based upon either a particular
threshold of total API call volume, or total authorization events
constituting a unique user session for the app. The commenter indicated
that this approach would help ensure that apps used in high frequency
for retrieving health information on a small number of patients are not
erroneously classified as ``not actively used.'' The same commenter
expressed concern about a threshold of 10 or more unique patients,
indicating that an app that is used daily by fewer patients should
still be considered ``actively used,'' especially for developers that
may only serve a smaller scope of providers. Another commenter
suggested an additional category of ``evaluating'' that represents an
app is connected but used by fewer individuals (such as 3 or 5), along
with a ``superactive'' designation for larger numbers of individuals,
therefore creating four categories, rather than two.
Response. We thank commenters for their input. We realize that
usage of apps is not necessarily a reflection on health IT developers.
However, this information is critical to collect in order to
distinguish between production apps that are registered and are in use
(e.g., 10 or more unique patients), production apps that are registered
and are not in use (e.g., less than 10 unique patients), and production
apps that are registered but not enabled by the health IT developer.
Without this information, the value of the overall data would be
limited.
The definition of active use is described in our measure
specification. The definition is based on whether EHI has been
transferred to the app using certified health IT for ten (10) or more
unique patients during the reporting period. By setting the threshold
at ten or more unique patients, we expect that this threshold will
represent active use. While mobile patient portal apps and well-known
healthcare apps (e.g., Apple
[[Page 1326]]
Health) have large user bases, for lesser-known healthcare apps that
filled specific healthcare segments (e.g., rare or terminal diseases,
chronic or hereditary diseases, age-related conditions, pediatrics,
behavioral and mental health), ONC expects smaller user bases.\202\ An
ONC internal analysis of the Google PlayTM store data found
that the number of Android installs for apps that enable patients to
access their data, ranged from 4 to over 400,000. There is little
public data on number of users specifically, and thus, in setting the
criteria of active use, we are relying upon the number of installs for
these types of apps, even though it is not equivalent to the number of
users. A mix of self-reported data show approximately 3.87 million
people use health and fitness apps, and data from app stores list
approximately 350,000 mobile health apps (many of which include apps
that do not integrate with EHRs and are not applicable to this metric);
on average, health apps have approximately 11 users each.\203\ However,
none of these data sources provide data on actual use for the apps that
connect with EHRs. We aim to be broad in determining active use and
balance the need to define app use to include apps that have a smaller
target audience. Thus, we have set a relatively low threshold of ten or
more unique patients for defining active use. We appreciate the
alternative suggestions for measuring whether an app is actively used.
However, using total API call volume to measure usage would skew
results and make it difficult to determine appropriate level of API
calls to qualify for ``active use,'' as certain apps may make API calls
multiple times per day. A lower threshold of less than ten users that
would also take into account the use of apps on a daily or weekly basis
may be more complex to implement, as this also involves measuring the
frequency of use (as opposed to simply the number of users). Also, the
call or requested data (which would be used to assess frequency of use)
may be difficult to interpret as apps using APIs regularly request data
from providers as part of their process to update the data within the
app, and it may not reflect user driven behavior. The other suggested
alternative, using authorization events, could be difficult to
implement because it would be difficult to determine the number of
authorization events that would define whether an app is actively used
given the number of authorization events could vary by individual and
app. However, we plan to continue collaborating with the community to
assess level of usage using authorization events for future iterations
of this measure.
---------------------------------------------------------------------------
\202\ https://www.healthit.gov/sites/default/files/page/2020-11/Accelerating_APIs_Consumer_Perspective.pdf.
\203\ https://www.mobius.md/2021/10/25/11-mobile-health-statistics/.
---------------------------------------------------------------------------
With regards to expanding usage from two to four categories, we may
consider expanding categories in the future.
Comments. A couple of commenters also had questions about the
inclusion of apps as of the last day of the reporting period (i.e.,
report only existing apps as of the last day of the reporting period)
or whether apps should be included based upon whether they had
registered at any point during the reporting period (i.e., report all
apps that had been registered during the reporting period, even if they
are not registered on the last day of the reporting period). A
commenter suggested counting the total number of apps active at any
point in the reporting period to appropriately account for onboarding
and offboarding activity, whereas a couple of commenters noted that
reporting of the app status is not a metric that is measured over a
reporting period and would be an indication at a point in time at the
end of the reporting period.
Response. We clarify that the app status (e.g., usage) should
include apps based upon whether they had registered at any point in
time during the reporting period. We seek to measure the unique number
of individuals who used the app during the reporting period (a calendar
year) and do not want to limit the inclusion to apps that are
registered as of the last day of the reporting period. For apps that
were registered during the reporting period and are not registered at
the end of the reporting period, we would want their status to be
calculated and included.
Comments. One commenter representing medical professionals
recommended that as part of this measure, ONC include a metric
requiring health app developers to attest to whether they adhere to
(yes/no) any of the following: (1) Industry-recognized development
guidance (e.g., Xcertia's Privacy Guidelines/Privacy Is Good Business:
a case for privacy by design in app development); (2) Transparency
statements and best practices (e.g., Mobile Health App Developers: FTC
Best Practices/CARIN Alliance Code of Conduct/AMA Privacy Principles);
and/or (3) A model notice to patients (e.g., ONC's Model Privacy
Notice). The commenter noted that almost all patients want transparency
on how apps access, exchange, or use their medical information, and
this would address that need.
Response. We thank the commenter for their recommendations to
include a metric on an app developer's adherence to various privacy and
security practices and frameworks. We may consider these
recommendations in future rulemaking. We also refer readers to other
federal regulations such as Section 5 of the FTC Act,\204\ Children's
Online Privacy Protection Act (COPPA) \205\ and the COPPA Rule,\206\
and other industry initiatives \207\ supporting consumers in app
privacy, security, and transparency.
---------------------------------------------------------------------------
\204\ https://www.federalreserve.gov/boarddocs/supmanual/cch/200806/ftca.pdf.
\205\ https://www.govinfo.gov/content/pkg/PLAW-105publ277/pdf/PLAW-105publ277.pdf.
\206\ https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa.
\207\ https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool.
---------------------------------------------------------------------------
Finalization of Measure
We have finalized the ``applications supported through certified
health IT'' measure in Sec. 170.407(a)(3)(iii). We have revised the
proposed measure based on public comments received. Specific metrics to
support this finalized measure are listed below and described further
in the accompanying measure specification located on ONC's website. We
also note that if regulatory baselines associated with the metrics
change in the future--such as a revision to a criterion through notice
and comment rulemaking--the measure specification would also be changed
to ensure alignment with the revised criterion.
1. Application Name(s);
2. Application Developer Name(s);
3. Intended Purpose(s) of Application;
4. Intended Application User(s); and
5. Application Status.
The reporting period for the measure and related metrics above
consists of one calendar year. Data collection for the measures and
associated metrics will begin during the first phase of reporting
(which is described later in the preamble).
Use of FHIR in Apps Through Certified Health IT Measure
In the HTI-1 Proposed Rule (88 FR 23839), we proposed the adoption
of the ``use of FHIR in apps supported by certified API technology''
measure in Sec. 170.407(a)(5), which would capture the volume of FHIR
resources transferred in response to API calls from apps connected to
certified API technology by FHIR resource type. We also proposed (88 FR
23839) that the FHIR resources transferred be reported by FHIR version
used and by US Core Implementation Guide version
[[Page 1327]]
deployed. This measure also proposed requiring developers to report
FHIR resources transferred in response to calls from two different
endpoint types: patient-facing and non-patient-facing, the latter of
which would include endpoints that do not facilitate individuals'
access (e.g., clinician, payer, or public health endpoints). We
explained that this measure proposed to require developers of certified
health IT with Health IT Modules certified to the ``standardized API
for patient and population services'' (Sec. 170.315(g)(10))
certification criterion to report on the number of deployments they
support across their customer base, and that together, these data
points would provide insights into the usage of certified APIs by
collecting data on the volume of FHIR resources transferred to apps in
response to API calls by FHIR resource type, type of endpoint, and US
Core Implementation Guide used.
We proposed (88 FR 23839) the first numerator to be the number of
FHIR resources returned/transferred in response to a call to a
certified API technology by resource type. We proposed the second
numerator to be the number of distinct certified API technology
deployments (across clients) associated with at least one FHIR resource
returned/transferred in response to a call. We noted that each of the
numerators would be stratified (e.g., divide into subsets) by type of
endpoint (patient-facing vs. non-patient-facing), by FHIR version, and
by US Core Implementation Guide.
We proposed (88 FR 23839) the denominator to be the total number of
distinct certified API technology deployments (across clients). In
addition, we proposed this denominator to be stratified by type of
endpoint (patient-facing vs. non-patient facing), FHIR version, and US
Core Implementation Guide. We noted that non-FHIR APIs, such as those
represented with proprietary standards, are excluded from this measure,
including numerators and denominators. We refer readers to the HTI-1
Proposed Rule for a complete listing of the metrics this measure would
enable us to calculate (88 FR 23839). As stated in the HTI-1 Proposed
Rule, this measure would require that developers report the volume of
FHIR resources transferred in response to calls by FHIR version and by
US Core Implementation Guide. While Health IT Modules certified to
Sec. 170.315(g)(10) are required to respond to requests according to
FHIR version Release 4, we are aware that there will be newer versions
of FHIR supported by newer versions of the US Core Implementation
Guide. Gaining insights into the frequency in use of US Core
Implementation Guides will inform ONC of the variability in the
implementation of FHIR across developers.
We requested feedback on whether information on both aspects of the
measure, FHIR version and US Core Implementation Guide, are necessary
as each provides unique insights, or whether focusing on one of these
(either FHIR version or US Core Implementation Guide) would be
sufficient to understand where the industry is in the implementation of
FHIR. We also requested comment on the feasibility of reporting the use
of different HL7 FHIR implementation guides and FHIR versions, versus
being stratified by type of endpoint, type of FHIR resources, and by
the number of certified API technology deployments (88 FR 23840).
We also proposed (88 FR 23840) to require developers of certified
health IT to whom the measure would be applicable to report the number
of certified API technology deployments (as a proxy for organizations
that have installed certified API technology) where FHIR resources were
transferred in response to a call (relative to the total number of
certified API technology deployments). We stated that this information
can shed light on whether usage is concentrated versus dispersed,
indicating the breadth of usage across end users and organizations.
However, given that API deployments may vary across developers, we
sought feedback on whether this measure would be a good proxy for
understanding usage across their client bases.
Comments. The majority of commenters expressed support for the
proposed measure. Two commenters, one of which represents ONC's Health
IT Advisory Committee, indicated the support for metrics that would
help inform the future development of interoperability standards,
including versions and variations. Commenters indicated these data
would provide use of standards in the field that can shed light on
industry-wide readiness for the adoption of standards, such as those
adopted through Standards Version Advancement Process (SVAP). One
commenter suggested to delay or eliminate the measure. Commenters
representing community healthcare associations expressed support for
this measure, stating that this measure benefits community health
centers by measuring the interoperability and seamless data exchange
between healthcare applications and exchange partners, which leads to
better care coordination and improved population health outcomes.
Response. We thank commenters for their support and believe that
these measures provide real-world usage data to help guide and inform
the future development of interoperability standards, and therefore we
do not plan to eliminate this measure as suggested by one commenter.
While the data for this measure will be collected in the first year of
the Insights Condition (CY 2026), the first response submission period
has been delayed to July, 2027 to provide more time to implement the
measure and reduce burden. More details on the compliance dates
associated with all the measures can be found in section III.F.3.
Comments. A couple of commenters provided qualitative ratings of
burden associated with the metrics. One commenter indicated that the
first metric (number of FHIR resources returned/transferred in response
to a call to a certified health IT by resource type) would be medium
level of effort; whereas the other commenter indicated that first
metric would be high level of effort. Both commenters indicated that
the second metric (number of distinct certified health IT deployments
(across clients) associated with at least one FHIR resource returned/
transferred in response to a call) would be low level of effort. A
couple of other commenters requested additional clarity on whether the
first metric intends for developers to report the number of total
resources returned for each resource, or the number of requests that
returned at least one (1) resource for each resource. For example, if a
request returns 100 different Observations, would that be considered a
count of 1 or 100 total resources. Two commenters recommended defining
the first metric to be the total number of resources returned. Another
commenter recommended simplifying the metric by measuring only the
number of queries or requests made by patients and by clinicians to
measure the actual usage of API functionality.
A few commenters requested clarifications on whether any FHIR
resources supported by CEHRT need to be counted. Commenters also
recommended for ONC to isolate USCDI v1 FHIR resources that are within
scope of Sec. 170.315(g)(10) for reporting consistency across health
IT developers. Several commenters recommended that this measure should
not require tracking of FHIR resources that developers may support
beyond USCDI v1, as required by Sec. 170.315(g)(10).
Response. We appreciate the feedback on the burden associated with
the
[[Page 1328]]
measure. As discussed earlier in the preamble, to address burden, we
have phased the implementation of the measures starting with a simpler
version in the first year and then added the additional complexity in
the subsequent years. Additionally, we have revised the measure to
address burden. We agree with commenters that for reporting consistency
and certain, clear requirements that the FHIR resources reported should
align with the criterion Sec. 170.315(g)(10). FHIR resources supported
by and within the scope of the Sec. 170.315(g)(10) criterion include
FHIR resources referenced in the US Core IG attributed to and that
support USCDI data elements. In this case, as an HTI-1 regulatory
baseline, would be version 6.1.0 and v3, respectively, because data
collection for this measure will begin after the technical requirements
for health IT developers to update their certified health IT to these
newer standards would have occurred as of January 1, 2026. We also note
that if regulatory baselines associated with the metrics change in the
future--such as a revision to a criterion through notice and comment
rulemaking--the measure specification would also be changed to ensure
alignment with the revised criterion. Additionally, if a health IT
developer chooses to use the SVAP to adopt a newer version of standards
referenced in Sec. 170.315(g)(10), they will need to report based on
the newer versions.
We also appreciate the requests for clarification on the metrics.
Our intent is to measure the adoption and use of FHIR by industry users
(e.g., third-party app developers, health IT developers, provider
organizations). To clarify on whether the metric intends for developers
to report the number of total resources returned for each resource, or
the number of requests that returned at least one resource for each
resource, we have revised the first metric to make it clear that we
expect the latter. Additionally, we have removed the phrase, ``in
response to a call'' across the metrics associated with the measure.
For example, we have revised the metric from, number of FHIR resources
returned/transferred in response to a call to certified API technology
by FHIR resource type to the following, number of requests made to
certified health IT that returned at least 1 FHIR resource by FHIR
resource type. Both the proposed and revised metric assess the types of
FHIR resources provided by certified health IT in response to a
request. A request made to certified health IT can return a variety of
different types and number of FHIR resources in response. The proposed
metric focused on both the number of resources and types of resources
returned; the revised metric focuses largely on the types of resources
returned rather than the volume of resources returned. This simplified
metric will still provide us with the necessary information on the
types of resources provided. As noted by commenters, the total volume
of FHIR resources returned is more difficult to interpret. The volume
of resources could be related to a small number of apps returning a lot
of data or many apps returning a little data. In contrast, the number
of requests that returned at least 1 resource by resource type provides
us insights into the ``demand'' for each resource and is easier to
interpret. Measuring queries alone doesn't provide insight into whether
data was shared in response to the query as there may not be data
available to return. The goal in this metric is to understand the
number of API requests that return various FHIR resources to gain
insight on the resources most commonly exchanged.
Comments. A couple commenters requested specific clarification on
whether the metric, number of distinct certified health IT deployments
(across clients) is intended to be the total number of API deployments
active at any time during the reporting period, or the total number
active as of the end of the reporting period. The commenters
recommended defining it to be the total number of API deployments
active at any time during the reporting period. Another commenter noted
a limited situation where an EHR user may have more than one production
database of a certified solution and requested additional clarification
for reporting on the measure, anticipating that they would count all
deployments of the certified solution regardless of the number of
clients that represents. A couple commenters provided qualitative
ratings of burden associated with the metric, indicating that this
would be low level of effort.
Response. We thank commenters for their feedback. Originally, we
proposed reporting the number of distinct certified API technology
deployments (across clients) during the reporting period. We clarify
that this refers to counting the total number of certified health IT
deployments active at any time during the reporting period, not the
total number active as of the end of the reporting period. We had not
intended, nor indicated, that we would be measuring this as of the end
of the reporting period. We also acknowledge situations where an EHR
user may have more than one production database of a certified solution
and have revised the measure to count all deployments of the certified
solution regardless of the number of clients that represents. The
metric now measures the number of distinct certified health IT
deployments (across clients) active at any time during the reporting
period (overall) and by user type (i.e., patient-facing and non-
patient-facing).
Comments. Several commenters expressed support for patient-facing
versus provider-facing stratification. One commenter expressed concern
about reporting in this manner as endpoints can serve multiple and
broad audiences. For example, the same endpoint could be used for both
patients and providers. The same commenter recommended to report based
on user type instead of endpoint types.
Response. We thank the commenter for their input and agree that
FHIR endpoints are not necessarily specific to a user type and can
serve multiple audiences. Given that endpoints can serve both patients
and providers (for example) and thus would have to be double counted if
that was the case, we have modified the metric to instead report the
types of users the endpoint serves. We believe this will simplify
reporting. Therefore, we have replaced the term endpoint type with user
type. The user type categories are patient-facing and non-patient-
facing. We believe the revision better represents our intention of
understanding the user types that are using FHIR resources and FHIR
APIs.
Comments. Commenters were generally split on the proposed
stratification of reporting both the FHIR version and the US Core
Implementation Guide (IG) version. Those in support of stratifications
indicated that the stratifications provide important distinctions for
understanding the use and development of FHIR and is appropriately
scoped in alignment with how most health IT developers' certified APIs
are deployed. One commenter noted that being able to track IG
conformance beyond US Core is essential to understanding how the
industry is using FHIR and the data being exchanged via FHIR.
Additionally, one commenter who supported the stratification noted that
given continued updating of the US Core IG, future FHIR versions and US
Core IG versions may not be synonymous in describing the capabilities
of a technology, making it necessary to stratify by both FHIR version
and the US Core IG version. One commenter recommended requiring the
reporting of each FHIR resource by IG conformance beyond the US Core IG
at
[[Page 1329]]
the installation level for all health IT developers, including smaller
developers that certify to FHIR API criteria. Several commenters
suggested that ONC remove the stratifications for FHIR version and US
Core IG version, noting that FHIR R4 is currently the only relevant
version of FHIR base specification version and that, in most cases,
health IT developers are only conformant to one version of the US Core
IG. However, one commenter was supportive of the inclusion of the
proposed stratifications for future reporting, as long as ONC provides
specific guidance to health IT developers. One commenter noted that
stratifying the number of deployments by the proposed stratification
attributes does not make sense unless ONC's objective is to measure
FHIR APIs or resources transferred and recommended stratifying
deployments by the version of the certified health IT product. Another
commenter highlighted that the proposed stratifications for FHIR
version and US Core IG version would be a high level of effort and
recommended limiting the measure stratifications to only patient-facing
and non-patient facing endpoints.
Response. We thank commenters for their feedback. We agree that the
stratifications provide real-world data regarding the implementation
and use of FHIR and US Core IG. This detailed reporting would help
inform our goal of guiding future development of standards and insights
on the current implementation and use of standards. We also acknowledge
some support for restricting the measure specification to FHIR R4 and
to one version of the US Core IG. In response to comments, we have made
changes to metrics related to this measure so that the metrics are
simplified and the stratification by FHIR version no longer needs to be
reported. We also have developed a phased approach to implement the
measure and related metrics over two years. Similar to the HTI-1
Proposed Rule metric, which called for reporting the number of FHIR
resources returned/transferred in response to calls (also called
requests) to a certified health IT by FHIR resource type, the first
metric listed below also assesses the types of FHIR resources provided
by certified health IT in response to a request. The revised metric no
longer requires the number of FHIR resources, but instead requires
counting the number of requests where at least one FHIR resource was
provided. As described earlier, we sought to simplify this metric in
response to comments and thus scaled back this metric to the number of
requests made that returned at least 1 FHIR resource by resource type.
For the second metric listed below, we have simply embedded the
original stratification--by user type (which replaced type of
endpoint)--within the metric; rather than listing the stratifications
separately. The third metric differs from the second metric because it
asks about the number of distinct certified health IT deployments
(across clients) overall and by user type, and is not limited to those
certified health IT deployments which were associated with at least one
FHIR resource returned or transferred. We note that for the third
metric, the word ``total'' was removed from the HTI-1 Proposed Rule
measure as there is no substantive difference between ``total number''
of distinct certified health IT deployments (across clients) by user
type (i.e., patient-facing and non-patient-facing) and ``number'' of
distinct certified health IT deployments (across clients) by user type
(i.e., patient-facing and non-patient-facing) and we seek to create
consistency across the metrics.
As noted earlier, to reduce burden, we have dropped the
stratification by FHIR version but have kept the US Core IG version
stratification. Given that we are aligning the reporting of FHIR
resources to those supported by the Sec. 170.315(g)(10) criterion and
health IT developers will also report on the US Core IG version which
aligns with the specific version of FHIR, we do not also need to
separately obtain information on FHIR version. The metrics indicate the
number of distinct certified health IT deployments (across clients)
associated with at least one FHIR resource returned by US Core IG
version(s). Together, the phasing of the reporting requirements and
simplifying metrics (including removing the FHIR version
stratification) will lower the initial reporting burden for health IT
developers, as well as provide health IT developers additional time to
develop the infrastructure necessary to report on the more advanced
stratification (US Core IG versions) which would have valuable
insights.
Finalization of Measure
We have finalized the measure as ``use of FHIR in apps through
certified health IT'' in Sec. 170.407(a)(3)(iv). We have revised the
proposed measure based on public comments received. Specific metrics to
support this finalized measure are listed below and described further
in the accompanying measure specification located on ONC's website. As
noted earlier, if regulatory baselines associated with the metrics
change in the future--such as a revision to a criterion through notice
and comment rulemaking--the measure specification would also be changed
to ensure alignment with the revised criterion. The reporting period
for the measure and related metrics below consists of one calendar
year. Data collection for the measures and associated metrics will
begin during the first and second phases of reporting (which is further
described later in the preamble):
In the first year (where responses will be due July 2027, and
annually thereafter), we require developers to report the:
Number of requests made to distinct certified health IT
deployments that returned at least 1 FHIR resource by FHIR resource
type.
Number of distinct certified health IT deployments (across
clients) associated with at least one FHIR resource returned, overall
and by user type (e.g., patient-facing and non-patient-facing).
Number of distinct certified health IT deployments (across
clients) active at any time during the reporting period, overall and by
user type (i.e., patient-facing and non-patient-facing).
In year 2, in addition to what is required in year 1, we require
developers to report the metrics below. These metrics will be due July
2028 (and annually thereafter):
Number of distinct certified health IT deployments (across
clients) associated with at least one FHIR resource returned by US Core
Implementation Guide version.
Use of FHIR Bulk Data Access Through Certified Health IT Measure
We proposed (88 FR 23840) to adopt the ``use of FHIR bulk data
access through certified health IT'' measure in Sec. 170.407(a)(6),
which would measure the number of bulk data downloads completed through
certified health IT relative to the number of certified health IT
deployments or installations. Specifically, we stated that this measure
would provide information on how certified health IT is being used to
perform ``read'' services for a specified patient population using the
HL7 FHIR[supreg] Bulk Data Access (Flat FHIR) V1.0.1 standard. A
developer of certified health IT with Health IT Modules certified to
the ``standardized API for patient and population services'' (Sec.
170.315(g)(10)) certification criterion would be required to report
under this proposed measure.
We proposed (88 FR 23840) the first numerator to be the number of
data/download requests completed during the reporting period using
certified health IT certified to the ``standardized
[[Page 1330]]
API for patient and population services'' (Sec. 170.315(g)(10)) in
response to a bulk data download request to export all data for
patients within a specified group. We proposed (88 FR 23840) the second
numerator to be the number of distinct certified health IT deployments
or installations certified to the ``standardized API for patient and
population services'' (Sec. 170.315(g)(10)) (across clients) that
successfully completed at least one bulk data download request during
the reporting period.
We proposed the denominator (88 FR 23840) to be the total number of
distinct certified health IT deployments or installations (across
clients). We requested comment on whether additional stratifications
would provide valuable insights, what additional data developers of
certified health IT are collecting, and what effort developers of
certified health IT are devoting to collecting additional data such as:
(1) intended use case (e.g., population analytics, reporting,
research); (2) entity calling the API (e.g., healthcare organization,
payer, public health agency); and (3) automated queries (refreshing the
data at certain intervals) versus ad hoc queries. For future measure
development, we requested comment on whether it is possible to collect
information on the number of authorized users calling a bulk FHIR API,
the level of effort required to collect this information, and whether
it would provide valuable insights.
We also noted and clarified that non-standard or proprietary
resources (e.g., non-FHIR based) transferred would be excluded from
this measure, and that the proposed data for this measure would not
include patient-facing applications, as individual patients only have
the right to access their own records or records of patients to whom
they are a personal representative.
Comments. The majority of commenters were supportive of the
proposed measure. Two community healthcare associations supported this
measure, expressing that this measure benefits community health centers
by monitoring the ability to leverage comprehensive data for population
health management and analytics, which will guide public health and
population health initiatives. One commenter strongly recommended
including at least one metric to track the real-world performance of
current HL7/SMART FHIR bulk data implementations. One commenter
expressed an opinion that the burdens of data capture for this
reporting purpose outweighed the value of additional stratification and
suggested starting with a ``core'' measure and layering on additional
stratifications using a phased approach. The commenter noted that while
reporting is feasible, it may require development to capture a specific
countable event for reporting purposes. A couple of commenters also
provided qualitative ratings of burden associated with the measure. One
commenter indicated that the first numerator would be medium level of
effort; whereas the other commenter indicated that the first numerator
would be low level of effort. Both commenters indicated that the second
numerator would be low level of effort, and that the denominator would
be low level of effort.
Response. We appreciate the support expressed by commenters as well
as the desire to phase in the measure, providing more time to implement
the measure which, overall, has relatively lower burden. We also
appreciate the suggestion to include at least one reporting metric to
track the real-world performance of current bulk FHIR implementations.
However, this will require additional research to determine whether the
reporting metric should be included for future rulemaking.
Comments. Several commenters requested additional clarity on
whether the specification of ``operationalized as [FHIR ServerBase]/
Group/[groupid]/$export'' is used for both numerators in this measure.
Additionally, commenters expressed confusion on whether the count for
both measures is defined as the number of group export completed or the
number of group export completed, accessed, and downloaded. The
commenters recommended to count the number of completed requests,
regardless of whether they are subsequently accessed and downloaded by
the requestor. One commenter noted that their health IT solution cannot
determine when a user has downloaded all queried and retrieved data
files. One commenter requested additional clarity on the difference
between ``requests completed'' in the first numerator and
``successfully completed'' in the second numerator for a bulk data
download request. Another commenter suggested defining ``complete'' as
when the Bulk Data Status Request reports a status of complete (i.e.,
the timepoint when the user may begin downloading files). One commenter
requested additional clarity on how ``rate'' will be measured under the
second numerator. One commenter requested clarification regarding the
requirement to include API-enable ``read'' services for multiple
patients across all endpoints regardless of whether it is publicly
available or not and specifically whether non-patient-facing endpoints
are to be counted, since regulations only require patient-facing URL
endpoints to be published. One commenter suggested for ONC to collect
data on bulk FHIR data queries by cohort type (e.g., research,
financial operations, care management, public health, electronic case
reporting).
Response. We thank commenters for their feedback. To clarify, the
bulk data download request using certified health IT to export all data
for patients within a specified group will be operationalized as
``[FHIR ServerBase]/Group/[groupid]/$export'' for the metrics
associated with this measure. We agree with commenters that the measure
should focus on the number of completed requests, regardless of whether
they are subsequently accessed and downloaded by the requestor and have
revised the wording of both metrics to reflect this change. Thus,
``completed'' is defined as when the Bulk Data Status Request reports a
status of complete (i.e., the timepoint when the user may begin
downloading files). We believe there is not a substantive difference
between ``successfully completed'' and ``completed,'' and to keep
consistency between these metrics, we have removed the proposed term
``successfully'' from both metrics. We have also replaced the term
``data/download'' to ``bulk data access'' for consistency with the
title of the measure.
We have removed ``expected metrics'' that we had originally listed
in the measure specifications sheets accompanying the HTI-1 Proposed
Rule, such as the rate of bulk data download requests. To clarify, it
is ONC that will be responsible for calculating derived statistics
based upon the metrics and data the developers report. We will also
determine how calculated metrics will be aggregated and reported
(whether at the national, developer, and/or product level) once we
receive the data. How the data is presented will depend in part upon
the completeness and quality of the data received.
These metrics apply to API-enabled ``read'' services for multiple
patients where the number reported should reflect the ``read'' access
queries that used the population services capabilities in Sec.
170.315(g)(10) (e.g., the FHIR Bulk Data Access IG). Given that bulk
FHIR is likely primarily for non-patient facing use cases, it should
not be limited to patient-facing endpoints; it needs to include ``all''
endpoints and use cases. Furthermore, these metrics are unrelated to
the API Condition of Certification requirements for publishing patient-
facing endpoints,
[[Page 1331]]
which supports patient access to their data using 3rd party apps and
not related to Bulk FHIR. To reiterate, the metrics should reflect
activity across all endpoints regardless of whether publicly available
or not and type of endpoint user. The endpoints included should not be
limited to those only used by patients. This is important as we seek
insight on bulk data usage volume independent of user type and have
developed a measure in a manner that does not differentiate between
public and private APIs. In addition, we note that the measure applies
to FHIR Bulk Data requests for FHIR resources that within the scope of
Sec. 170.315(g)(10) as discussed in more detail in the responses to
comments in the previous measure above.
We appreciate the interest expressed in a reporting metrics that
measure the adoption and conformance of FHIR Bulk Data APIs by cohort
type or use case and may explore the feasibility of this in the future.
Comments. One commenter recommended ONC to align the denominator to
the ``use of FHIR in apps supported by certified API technology''
measure. Another commenter requested clarification on whether the
denominator is intended to be the total number of API deployments
active at any time during the reporting period, or the total number
active as of the end of the reporting period and recommended to define
the denominator to be the total number of API deployments active at any
time during the reporting period. Another commenter noted a limited
situation where an EHR user may have more than one production database
of a certified solution and recommended to count all deployments of the
certified solution regardless of the number of clients that represents.
Response. We thank commenters for their input. In response to
comments, we have reviewed the metrics (previously referred to as
denominators) for the two measures (``use of FHIR in apps supported by
certified API technology'' [finalized as ``use of FHIR in apps through
certified health IT''] and ``use of FHIR bulk data access through
certified health IT''). We concur that these metrics should be
consistent with each other and measure the number of distinct health IT
deployments (across clients) active at any time during the reporting
period. Therefore, we will use the metric from the ``use of FHIR in
apps through certified health IT'' measure for calculating any derived
statistics.
We acknowledge situations where an EHR user may have more than one
production database of a certified solution and clarify that this
measure counts all deployments of the certified solution regardless of
the number of clients that represents.
Finalization of Measure
We have finalized the ``use of FHIR bulk data access through
certified health IT'' measure in Sec. 170.407(a)(3)(v). We have
revised the proposed measure based on public comments received.
Specific metrics to support this finalized measure are listed below and
described further in the accompanying measure specification located on
ONC's website. We also note that if regulatory baselines associated
with the metrics change in the future--such as a revision to a
criterion through notice and comment rulemaking--the measure
specification would also be changed to ensure alignment with the
revised criterion:
1. Number of bulk data access requests completed (across clients)
to export all data requested for patients within a specified group.
2. Number of distinct deployments of the certified health IT
deployments (across clients) that completed at least one bulk data
access request.
The reporting period for the measure and related metrics above
consists of one calendar year. Data collection for the measures and
associated metrics will begin during the second phase of reporting
(which is described later in the preamble).
Electronic Health Information Export Through Certified Health IT
Measure
We proposed (88 FR 23841) to adopt the ``electronic health
information export through certified health IT'' measure in Sec.
170.407(a)(7) which would capture the use of certified health IT to
export single patient and patient population EHI. A developer of
certified health IT with Health IT Modules certified to the
``electronic health information (EHI) export'' (Sec. 170.315(b)(10))
certification criterion will be required to report data under this
proposed measure.
We proposed (88 FR 23841) a count for this measure (rather than a
numerator and denominator) that includes the number of full data EHI
exports requests processed during the reporting period and reported by
the following subgroups: (1) by a single patient EHI export; and (2) by
patient population EHI export. We also proposed (88 FR 23841) reports
should include a ``yes'' or ``no'' attestation for enabling direct-to-
individual EHI exports. We stated that the proposed measure would
report on the number of EHI export requests processed by a health IT
developer and provide insights on the implementation of the EHI export
capability. We refer readers to the HTI-1 Proposed Rule for detailed
background on the measure (88 FR 23841).
As stated in the HTI-1 Proposed Rule (88 FR 23841), we also noted
in the ONC Cures Act Final Rule (85 FR 25695) that the EHI Export
certification criterion in Sec. 170.315(b)(10) does not require
``direct-to-patient'' functionality in order for a developer to
demonstrate conformance to the criterion. However, we did not preclude
this functionality, and we sought comment as part of the HTI-1 Proposed
Rule on whether any products support direct-to-patient EHI Export
functionality to inform future policy decisions. We also sought comment
on whether it would be valuable for this measure to be reported by
``use case'' for why the data was exported (e.g., moving to another
certified health IT system, use for a population health tool), and how
feasible would it be for impacted developers to report in this manner.
Lastly, we sought comment on whether it would be valuable, and if so,
how valuable, for this measure to include reports regarding the types
of recipients (e.g., patients, organizations) of the exported data, and
how feasible would it be for impacted developers to report this data in
this manner.
Comments. Most commenters expressed support of this measure with
numerous commenters indicating that this measure is feasible as written
and that the burden to report this measure is low. One commenter
recommended delay or removal of this measure though did not provide a
rationale. One commenter recommended ONC to consider how patient EHI
can be best protected upon export, given concern regarding
inappropriate use of information. Another commenter recommended
creation of patient-facing and provider-facing educational materials in
support of this measure. One commenter asked for clarity regarding the
term ``processed'' and whether it intended to indicate started or
completed. One commenter disagreed with an attestation reporting
requirement for functionality that is not required. One commenter who
supported attestation asked for clarification on ``direct-to-
individual,'' specifying whether the capability should be performed by
the patient without any health care provider involvement. One commenter
indicated that capturing and reporting ``use case'' does not provide
value and did not support this capability while requesting that the
``use case'' and ``recipient''
[[Page 1332]]
types be standardized across all health IT developers. One commenter
requested clarification of the definition of a ``full data export'' and
whether a subset of data in a timeframe or based upon patient request
would constitute ``full data'' in the context of this measure.
Response. We appreciate the support expressed by numerous
commenters, as well as the thoughtful feedback and suggestions for this
measure. However, in our overall efforts to reduce burden, we have not
adopted the ``electronic health information export through certified
health IT'' measure. We plan to revisit the EHI export capability in
Sec. 170.315(b)(10) as a potential measure when this capability is
more widely deployed and may propose measures that provide more
valuable insights in future rulemaking.
Measurement Area: Public Health Information Exchange
In the HTI-1 Proposed Rule (88 FR 23841), we discussed how the
COVID-19 pandemic exposed many gaps and challenges in the nation's
public health infrastructure, including a need for more accurate and
timely data, increased electronic exchange of patient health
information between health care providers and public health agencies,
and greater support for vulnerable individuals and communities
disproportionally affected by the pandemic.\208\ Therefore, in Sec.
170.407(a)(8) and (9), we proposed two measures within the ``public
health information exchange'' area for reporting health care providers'
use of certified health IT to exchange data with an immunization
information system (IIS) (88 FR 23841). We stated that the insights
from these measures could help ONC (and HHS more broadly) assess the
public health capabilities of certified health IT, and that we believe
that more detailed measurement of health care providers' ability to use
certified health IT to successfully exchange health information with
public health agencies would provide critical data for pandemic
response and other public health emergencies.
---------------------------------------------------------------------------
\208\ Dixon BE, Rahurkar S, Apathy NC. Interoperability and
health information exchange for public health. In Public health
Informatics and information systems 2020 (pp. 307-324). Springer,
Cham. https://doi-org.ezproxyhhs.nihlibrary.nih.gov/10.1007/978-3-030-41215-9_18.
---------------------------------------------------------------------------
Comments. We received broad support for the adoption of two
measures within the ``public health information exchange'' area. These
commenters also encouraged additional public health information
exchange measures in future iterations of the Insights Conditions, such
as for cancer reporting, electronic case reporting, syndromic
surveillance, and electronic laboratory reporting, along with an
estimated timeframe for the development and implementation of these
measures. A couple of commenters recommended that ONC align future
public health information exchange measures with CMS measures. One
commenter expressed support and requested clarity on how the
information will be used to evaluate performance, or inform policy or
other decision making. Another commenter requested ONC to make
aggregate responses available to the public.
Response. We thank commenters for their support and agree that the
goal is to help measure progress related to certified health IT's
ability to support public health information exchange. This data will
provide ``insights'' into health care providers' use of certified
health IT for public health information exchange that can guide policy
efforts to improve these efforts through initiatives such as the CDC
Data Modernization Initiative. In this iteration of the Insights
Condition, we have focused on immunization related exchange. However,
in future rounds, we plan to consider other areas of public health
information exchange to include as part of the Program, working with
CMS, CDC, and other federal partners as necessary to ensure alignment
of measures. As noted in the HTI-1 Proposed Rule (88 FR 23847), we plan
to make the measures and the required data documentation reported by
health IT developers available to the public.
Comments. One commenter expressed concern on the level of burden
required by health IT developers to obtain the necessary data for each
measure and recommended requiring only overall administration
submission numbers. Another commenter opined on whether engaging with
public health agencies to generate some meaningful data might be less
burdensome on vendors and their users and may paint a more complete
picture of the situation.
Response. We understand the concerns expressed regarding burden and
recognize that these measures may require discrete effort on the part
of health IT developers. We appreciate the feedback from commenters and
made revisions to reduce the burden associated with creating and
reporting these measures which are further detailed below in this
section of the preamble. This includes removing our proposal to report
by age for the ``immunization history and forecast'' measure, providing
additional time for implementation by phasing in the measures over two
years, and phasing in complex aspects of the requirements (e.g.,
reporting by age and/or IIS) over a span of three years.
Data from the measures we have finalized in this final rule will
provide insights into the level of exchange between certified health IT
systems and IISs, to identify opportunities to address gaps or lags
discovered. With regards to public health entities having similar
measures, the CDC's Immunization Integration Program (IIP) Testing and
Recognition initiative, an ONC approved alternative testing method for
the ``transmission to immunization registries'' (Sec. 170.315(f)(1))
criterion, share some similarities to the measures we had proposed and
subsequently finalized. We seek to build upon the IIP by expanding the
scope of their measures, which cover a sample of jurisdictions, to
include all jurisdictions. This expansion would provide national level
insights. In contrast to the IIP, ONC's electronic submission of
immunization administrations to IISs shall be reported by age
categories, which will help interpret the data as IISs are more likely
to have mandates for reporting vaccinations given to children and
adolescents compared to adults. We also have a unique measure in
comparison to the IIP, which measures the total number of vaccine
administrations. Developers that participate in the IIP should gain
experience that will help them with reporting for the Insights
Condition. Regarding the concern whether public health jurisdictions
may serve as an alternative source for this data, while an IIS serves
as a valuable source to understand vaccination coverage using unique
patient records and vaccination histories, not all jurisdictions have
access to or the ability to produce the measures that we proposed.
Jurisdictions with high performing IISs and staff to support them are
more likely to have these data and use them to improve data quality.
However, not all jurisdictions have access to these data. Thus, the
measures address an important gap in information that can help improve
interoperability between health care providers and jurisdictional IISs.
Immunization Administrations Electronically Submitted to Immunization
Information Systems Through Certified Health IT Measure
In the HTI-1 Proposed Rule (88 FR 23842), we proposed to adopt in
Sec. 170.407(a)(8) a public health exchange measure that would report
on the volume of immunization administrations electronically submitted
[[Page 1333]]
to an immunization information system through certified health IT. We
stated that this measure would capture the use of certified health IT
to send information on vaccination and immunization administrations to
an IIS. Specifically, the proposed ``immunization administrations
electronically submitted to an immunization information system through
certified health IT'' measure would require developers of certified
health IT with Health IT Modules certified to the ``transmission to
immunization registries'' (Sec. 170.315(f)(1)) criterion to report on
the number of records of immunizations administered that were sent
electronically to an IIS during the reporting period. We proposed that
developers of certified health IT with Health IT Modules certified to
Sec. 170.315(f)(1) that do not have users that administered
immunizations during the reporting period would attest that they are
unable to report on this measure.
We stated that the intent of the measure is to ensure that ONC has
the information necessary to assess whether Health IT Modules certified
to Sec. 170.315(f)(1) are being used to support electronically sending
vaccination information data to IISs, which has proven to be critical
to public health preparedness and response.
For the numerator, we proposed (88 FR 23842) developers of
certified health IT with Health IT Modules certified to Sec.
170.315(f)(1) report the number of immunization administrations from
which the information was electronically submitted to an IIS
successfully during the reporting period by IIS and age group. We
proposed (88 FR 23842) that the numerator and denominator counts would
be reported overall (across IIS and age subgroups) and by the following
subgroups: (1) number of administrations by IIS; and (2) number of
administrations by IIS and age group (adults (18 years and over) and
children/infants (17 years and under)). We defined a successful
submission to an IIS would be the total number of messages submitted
minus acknowledgments with errors (2.5.1, severity level of E). We
stated that we believe this definition will avoid limitations from IIS
jurisdictions that do not send HL7 Acknowledgment messages (ACKs) for
this measure. Given that, we proposed that ACKs with an error (severity
level of E) \209\ would not be counted, and we sought comment on
whether ACKs with a warning (severity level W) should still be counted
in the numerator. We also sought comment (88 FR 23842) on whether the
number of immunizations administered can be linked to immunizations
submitted to the IIS, effectively creating a subset of the numerator
(immunizations administered). Additionally, we sought comment (88 FR
23842) on whether a successful submission should be counted if a health
care provider is able to successfully submit to at least one registry,
as opposed to all the registries they submitted to (e.g., health care
providers who operate in multiple states sending data for the same
administration to multiple IISs). In the Proposed Rule (88 FR 23842),
we also considered whether ``replays,'' which involve resubmitting
administrations until they are successfully submitted, qualify as a
successful submission. In other words, we sought comment on whether
successful submissions should be limited to the first attempt to
submit.
---------------------------------------------------------------------------
\209\ HL7 Version 2.5.1. Implementation Guide for Immunization
Messaging. Release 1.5. October 1, 2014. https://www.cdc.gov/vaccines/programs/iis/technical-guidance/downloads/hl7guide-1-5-2014-11.pdf.
---------------------------------------------------------------------------
We proposed (88 FR 23842) the denominator for this measure to be
the number of immunizations administered during the reporting period,
and that the denominator be stratified by the following subgroups: (1)
number of administrations reported to each IIS; and (2) number of
administrations reported to each IIS, by age group (adults (18 years
and over) and children/infants (17 years and under)). Given the
variation in immunization reporting requirements and patient consent by
state or jurisdiction, reporting of administrations by IIS is critical
to interpreting the data correctly, therefore we proposed this measure
to be stratified by IIS. In addition, given that immunization
requirements are different for children and adults, we proposed
stratifying by age group as well. To further inform public health
exchange efforts, we also sought comment (88 FR 23842) on whether
adolescents/infants should be further stratified by age, and by what
age limits. For providers who operate in multiple states, and thus
would be sending data for the same administration to multiple IIS, we
sought comment (88 FR 23842) on whether a successful submission should
be counted if a provider is able to successfully submit to at least one
registry versus all the registries to which the provider submitted. As
stated in the HTI-1 Proposed Rule (88 FR 23843), the data collected for
this measure would enable ONC to calculate the percent of immunizations
administered where the information was electronically submitted to an
IIS.
Comments. The majority of commenters supported the proposed
``immunization administrations electronically submitted to an
immunization information system through certified health IT'' measure,
stating that these reporting metrics will encourage providers to
institute proven best practices for obtaining consent and report
vaccinations where consent is received. Commenters also stated that
organizations using certified health IT would benefit, as it would
provide aggregate numbers and user-friendly reports, and help detect
connectivity interruptions, as well as help federal agencies, public
health agencies, and health IT developers better understand the extent
to which health IT is exchanging data with an IIS. A commenter also
stated that this would provide real-time and comprehensive data on
immunization coverage, facilitating targeted interventions, and
contribute to overall population health protection. One commenter
recommended that ONC and CMS continue collaborating to consider how
their measures can be analyzed and interpreted in tandem to answer
questions about data exchange, as well as to collaborate on additional
future public health measures.
Response. We thank commenters for their support of the measure and
agree with the potential benefits of a measure that assesses how Health
IT Modules certified to the ``transmission to immunization registries''
(Sec. 170.315(f)(1)) criterion are being used to support
electronically sending vaccination information data to an IIS. This
criterion has proven to be critical to public health preparedness and
response. We believe this measure can provide insights beyond current
physician surveys limited by small sample size that do not provide
information on actual usage of functionality that supports
electronically sending vaccination data to an IIS.
Comments. Several commenters expressed concern regarding the burden
related to this measure. Commenters representing health IT developers
recommended we delay the patient age and IIS stratifications from the
measure and proceed with the overall administration submission numbers,
due to the high burden level rating for these stratifications. Other
commenters expressed support on the age group stratifications as
proposed and did not believe any additional age group stratifications
were necessary, stating that it may add unnecessary complexity
[[Page 1334]]
to the measure. One commenter suggested eliminating the measure.
Another commenter stated that since API access can be measured at
either endpoint of the transaction, ONC should request this information
from the IIS rather than from providers. One commenter recommended to
lessen the burden, ONC could provide standardized value sets for use by
all vendors in the counting of mandatory immunization requirements
across the nation, however, the commenter conveyed that the necessary
work for this effort would outweigh the benefits.
Response. We appreciate the support expressed on the
stratifications and have finalized the IIS and age stratifications as
proposed. The IIS stratification is critical for assessing both the
interoperability and exchange of information between certified health
IT and immunization information systems as well as the extent to which
health care providers are engaging in immunization reporting. Examining
these data by IIS will allow us to monitor the evolving state of
immunization data exchange as efforts are made to modernize public
health information technology. Additionally, public health
jurisdictions will obtain data which they currently don't have access
to, and understand the extent to which certified health technology is
used for immunization reporting. Therefore, we have kept the proposed
IIS stratification. We also believe stratifying by age is important for
the purpose of interpreting the results. Public health jurisdictions
commonly mandate immunization reporting for children, but do so less
for adults. Without the age stratification, it would be difficult to
assess whether high or low rates of submission were due to differences
in requirements related to adults versus children or another reason
(e.g., issues with exchange between certified health IT systems and
IIS). Thus, we kept the proposed stratification for age to provide
insights on trends related to reporting immunizations for adults and
children.
However, we also understand and acknowledge the concerns expressed
for the resources required to develop stratifications for this measure.
In response to commenters, we have updated the implementation timelines
to provide additional time for compliance by phasing in the
stratifications (IIS and age) by an additional year and refer readers
to the Insights Conditions and Maintenance of Certification section
(III.F.3) for a detailed discussion of timelines and the phasing in of
measures in this final rule.
We appreciate the comment inquiring about the potential role to
leverage public health APIs to support measurement. The measure focuses
on data submitted via certified health IT and note that the suggested
use of public health APIs for measurement is currently outside the
scope of the Program, and not all public health entities may have APIs
to support this type of measurement.
We also clarify that the measure does not require logic customized
to individual jurisdiction reporting mandates. As noted in the HTI-1
Proposed Rule (88 FR 23842) the number of immunizations transmitted to
an IIS will reflect the provider organization's existing practices to
transmit this data in accordance with jurisdictional requirements.
Therefore, we do not see an immediate need to create a value set that
would express those requirements. However, we may explore this
suggestion in the future rulemaking to reduce burden.
Comments. One commenter requested clarification on whether the age
to be used for counting purposes is the age at the time of immunization
administration or at the time the information is transmitted to the
IIS. Another commenter recommended that adolescent data extend through
age 18, rather than to age 18, to align with the Vaccines for Children
program age ranges, as well as requested expectations for jurisdictions
that either have limited adult reporting or have an adult ``opt-in''
model, as these jurisdictions will likely have a low level of
reporting.
Response. We thank commenters for their feedback. In response to
comments, we have modified the age categories for clarity. In alignment
with the CDC's Vaccines for Children program, we have modified the age
stratifications to the following two categories: (1) immunizations
administered for patients 18 years of age and younger (children and
adolescents) and (2) immunizations administered for patients 19 years
of age and older (adults). We are aware that age-related requirements
vary by jurisdiction but for the purposes of standardization and ease
of reporting, we have opted to align our requirements with the CDC's
Vaccine for Children Program. Patients in the measure's metrics should
be counted based on age at time of administration. We acknowledge that
a relatively small number of patients may fall into separate counts if
the date of immunization is close to the end of the reporting period,
but we expect that these instances should not significantly impact the
metrics calculated.
Comments. One commenter recommended that timeliness should be added
to this measure's numerator and stratify the measure by the definition
of ``timely'' to be less than or equal to 24 hours to provide health IT
developers, providers, and public health agencies with insights into
how rapidly immunization data is being shared with IIS registries and
accessed by health agencies.
Response. We appreciate the recommendation to factor timeliness and
agree this plays a critical role in data quality and utility. We may
consider this aspect for future potential measure enhancements as we
seek to appropriately factor variation in provider workflow and
jurisdictional reporting requirements.
Comments. One commenter requested clarification on whether a
message is a failure or success if the initial message for a
vaccination administration is successful, but the administration is
updated in the EHR, and the update message fails. One commenter
suggested collecting how many submissions needed to be repeated.
Several commenters stated that replays should qualify as a successful
submission since there are scenarios that could create a submission
failure at no fault of the developer, and immunization submitters
should be recognized for successful error remediation. One commenter
recommended that ``replays'' are considered successful submissions, but
each replay of a single immunization administration should not be
counted as a separate submission, as overcounting may result in
inflating the numerator of the measure.
Response. We thank commenters for their feedback. The intent of the
measure is to understand the process of submitting immunization to an
IIS and efforts by health care providers to successfully submit
immunization administrations to an IIS. While the process and effort
can involve resolving message failures, the measure counts the number
of immunizations administered that are submitted to the IIS, rather
than the number of attempts to successfully transmit the immunization.
With this in mind, we clarify that, in the instance where the initial
message for an immunization administration is successful and a
subsequent update in the EHR has an update message that fails, the
metrics for the number of immunizations administered that were
electronically submitted successfully to IISs overall, by age category
and IIS should reflect the final status of the immunization submission
to the IIS. There should not be two counts in these metrics for the
successful initial
[[Page 1335]]
message and the subsequent failure update message. We expect that the
shift to calendar year reporting will minimize instances where the
final status of successful vaccine submissions would not be available
to count in the measure. Therefore, the measure will count the status
of the final submission at the time the reporting period ends in these
metrics, rather than counting each attempt separately. This applies to
replays, which should not count as separate submission attempts in
these metrics. Although this measure will not separately document the
number of replays, we agree with commenters who supported counting
replays and multiple messages as separate attempts to successfully
submit an immunization and may consider future measures that would
document the level of effort taken for successful error remediation. We
encourage those reporting on this measure to include counts of replays
in the supplemental documentation as this could shape future iterations
of this measure.
Comments. Several commenters expressed support that those
acknowledgements with a severity level of ``E'' be considered a failure
for purposes of the measure's numerator. The commenters added that
acknowledgements with the severity level ``W'' should not be considered
a failure, given that they were likely successfully processed by the
IIS and their data accepted by the immunization program. However,
another commenter noted the possibility that including acknowledgements
with the severity level ``W'' could inflate the measure and make
interpretation challenging. One commenter requested confirmation that
only ``E'' responses should be subtracted from the success
acknowledgements and noted it would be helpful for ONC to define the
concepts of error and warning responses in the context of this measure.
One commenter stated that there is variation on how the error status of
level ``E'' is used in practices, noting that this would likely make
the aggregated data ONC proposes to report less than accurate, and
requested clarification on whether the purpose of the use of error and
warning messages in this context is to assess whether immunization
registries are functioning effectively. One commenter recommended that
the successful submission definition be revised to reflect that no
negative acknowledgement is a successful submission, until an
alternative mechanism is used to route acknowledgements from the
registry back to the EHR.
Response. We thank commenters for their feedback. We appreciate the
comment that acknowledgements from IIS with a severity level of ``W''
could potentially inflate the measure and acknowledges the variation on
how ``E'' is used in practices. We intend to collaborate with the
community to monitor how these instances may impact the interpretation
of the measure and determine if it should be revised in the future. We
also appreciate commenters requesting confirmation that the measure
should consider acknowledgements with a severity level of ``E'' as a
failed message. We confirm that this is the only severity level for
messages that should be excluded from the measure's metrics for the
number of immunizations administered that were electronically submitted
successfully to IISs overall, by age category and IIS. We thank
commenters for their consideration of the implications for error status
level ``E.'' We confirm that successful submissions are defined as the
total number of messages submitted to an IIS, minus acknowledgements
with errors (2.5.1, severity level ``E''). For these metrics, we
clarify that not all immunizations that are administered and submitted
during the period may receive a status of the submission
acknowledgement message from an IIS during the reporting period. In
this situation (where an acknowledgement from an IIS is not received),
the immunization submission should be counted as successful. We request
that health IT developers report the number of submissions that did not
receive acknowledgement in the supplemental documentation so these
metrics can be refined in the future if needed.
Comments. A few commenters stated that a successful submission
should be counted if a health care provider is able to successfully
submit to all of the registries to which the provider submitted,
including submissions to more than one IIS, stating that the inflation
of the count would be minimal.
Response. In response to comments, the metrics for the number of
immunizations administered that were electronically submitted
successfully to IISs overall, by age category and IIS, indicate that
each successful submission to an IIS to which a provider submits
immunizations should be included and counted as a successful
submission. Thus, an immunization that is successfully submitted to
more than one IIS would be counted the number of times it was
successfully submitted to each IIS. When the stratified metric is
reported by IIS, the count inflation should not be an issue as the
multiple submissions would be separated by IIS.
Comments. Several commenters requested clarification on the
denominator counts. One commenter requested clarification on whether a
patient who opts out of having certain administered immunizations
submitted to the IIS should be included in the denominator, as well as
if an immunization is ordered but refused by the patient. The same
commenter also requested clarification on whether the denominator
includes administered vaccines from provider organizations that do not
yet have connectivity in place to an IIS for reporting administered
vaccines. One commenter recommended that the denominator exclude the
number of patients who have opted out of vaccination reporting to
capture more accurately the proportion of immunization administrations
electronically submitted.
Response. We thank commenters for their request for clarification.
We clarify that the measure focuses on counting immunizations
administered and submitted. Patients who have been administered an
immunization and opt out of submitting their data to an IIS should
count in the metrics for the number of immunizations administered
overall, by age category and IIS, but not the metrics for the number of
immunizations administered that were electronically submitted
successfully to IISs overall, by age category and IIS. To ease burden
and given the assumption that the number of opt-outs are relatively
low, we believe it is sufficient to include them. However, there may be
value in counting the number of opt-outs in the future to determine
whether it is worth removing them (or separately report on these).
Patients who decline an immunization will not appear in the metrics for
the number of immunizations administered overall, by age category and
IIS, and there will be no immunization submission to count in the
metrics for the number of immunizations administered that were
electronically submitted successfully to IISs overall, by age category
and IIS. We also clarify that immunizations administered at health care
provider organizations that have certified health IT eligible for
reporting but do not have an existing, active connection to
electronically submit immunizations to an IIS will count in the metrics
for the number of immunizations administered overall, by age category
and IIS, while there will be no count in the metrics for the number of
immunizations administered that were electronically submitted
successfully to IISs overall, by age category and IIS. This approach
[[Page 1336]]
will contribute to insights on the number of immunizations that could
be electronically submitted to reduce provider burden associated with
manual submission.
Comments. One commenter stated that stratifying the denominator
(number of immunizations administered within the reporting period) by
IIS does not make sense since an IIS is not identified with an
immunization administration. One commenter expressed concern stating
that an EHR is unlikely to know of administrations reported to an IIS
through a web portal or alternate mechanism and recommended that the
measure should instead be out of the total number of doses administered
how many doses were submitted electronically, and of those
electronically submitted, how many were successful. A couple of
commenters recommended that the number of administrations reported to
each IIS should be revised to number of administrations valid for
reporting to each IIS to ensure that the count of doses sent
electronically only include those doses tagged as newly administered.
Another commenter requested guidance on how doses should be counted in
the metrics if two EHR systems merge, and another requested
clarification on how data submitted from a non-traditional location
should be counted.
Response. The metrics for the number of immunizations administered
overall, age category and IIS, is stratified or reported by IIS because
we seek to assess the extent to which an IIS is receiving data on
immunizations administered. While the location of the patient typically
determines the IIS to which vaccine administration information is sent,
given that it is unclear as to which data sources may be easily
accessible to make this determination, we provide two options regarding
how best to select the IIS for those vaccines that are administered but
not submitted: (1) based upon the primary IIS used by the client site;
or (2) based upon the jurisdiction associated with the client site's
location. Whatever approach is used should be documented in the
required documentation for this measure. We note that the
stratification by age in the total vaccines administered within the
reporting period enables comparisons with the vaccines submitted
electronically metric.
We clarify that the measure pertains to immunizations
electronically submitted to IISs through certified health IT.
Immunizations submitted via web portals or alternate mechanisms, such
as manual submission of spreadsheets, would not be reported in the
immunizations submitted electronically metrics, but, given that these
were administered but not electronically submitted via certified health
IT, they would be included in the metrics for the number of
immunizations administered overall, age category and IIS. We do not
believe it is feasible to remove these from the total vaccines
administered metrics; however, if available, the volume of
immunizations could be noted in the health IT developer's supplemental
reporting to provide additional insight and context.
We also appreciate the requests for clarification on whether doses
tagged as newly administered are included. We acknowledge that the
``transmission to immunization registries'' (Sec. 170.315(f)(1))
criterion includes historical vaccines and newly administered vaccines,
giving health IT developers that certify to this criterion the
capability to report both. We note this treatment of historical
vaccines administered applies to data migrated from one EHR to another,
and vaccines that were previously administered by another provider
site. Because the proposed measure referred to administered
immunizations (and not historical specifically), we clarify that the
finalized measure will only count immunizations newly administered
during the reporting period and will not count historical vaccines
previously administered that were recorded during the reporting period.
The inclusion of historical vaccines in addition to newly administered
vaccines within one measure would be difficult to interpret; in the
future we may consider the inclusion of historical vaccines based upon
industry experience and the input we have received. The measure is not
constrained to the type of health care provider who administered the
vaccine or the location the vaccine was administered, provided the
certified health IT is eligible for reporting.
Comments. One commenter requested clarification whether the
immunization administration would have to be within the reporting
period or the IIS submission in the reporting period (or both).
Response. For the metric, immunizations administered that were
electronically submitted successfully to IISs, immunizations should be
both administered and submitted during the reporting period. An
immunization administered outside the reporting period but submitted
during the reporting period would not count for these metrics. We note
that if no acknowledgment is received for immunizations administered,
and submitted during the reporting period, then the immunization would
count as successfully submitted.
Comments. One commenter requested clarification on whether health
IT vendors will be required to calculate a percentage and if so,
requested ONC provide explicit guidance on the calculation components.
Response. We clarify that ONC will be responsible for calculating
percentages based on the counts that health IT developers submit.
Finalization of Measure
We have finalized the measure as ``immunization administrations
electronically submitted to immunization information systems through
certified health IT'' in Sec. 170.407(a)(3)(vi). We have revised the
proposed measure based on public comments received. Specific metrics to
support this finalized measure are listed below and described in the
accompanying measure specification located on ONC's website. We also
note that if regulatory baselines associated with the metrics change in
the future--such as a revision to a criterion through notice and
comment rulemaking--the measure specification would also be changed to
ensure alignment with the revised criterion. The reporting period for
the measure and related metrics below consists of one calendar year.
Data collection for the measures and associated metrics will begin
during the first and second phases of reporting (which is described
later in the preamble):
1. Number of immunizations administered overall (year 1),
2. Number of immunizations administered overall by IIS and age
category (year 2).
3. Number of immunizations administered that were electronically
submitted successfully to IISs overall (year 1),
4. Number of immunizations administered that were electronically
submitted successfully to IISs overall, by IIS and age category (year
2).
Immunization History and Forecasts Through Certified Health IT Measure
In the HTI-1 Proposed Rule, in Sec. 170.407(a)(9), we proposed to
adopt a public health information exchange measure to require reporting
on the number and percentage of IIS queries made per individual with an
encounter (88 FR 23843). The ``immunization history and forecasts''
measure would capture the use of certified health IT to query
information from an IIS under the ``transmission to immunization
[[Page 1337]]
registries'' (Sec. 170.315(f)(1)) criterion. Therefore, we proposed
(88 FR 23843) that developers of certified health IT with Health IT
Modules certified to Sec. 170.315(f)(1) would be required to report
for this measure. We emphasized that understanding whether health care
providers are engaging in electronically querying immunization
information from IIS is critical to public health preparedness.
For the numerator, we proposed (88 FR 23843) developers of
certified health IT with Health IT Modules certified to Sec.
170.315(f)(1) report the number of query responses received
successfully from an IIS overall and by subgroup, by IIS and age group
(adults (18 years and over) and children/infants (17 years and
younger)) during the reporting period. The definition of a successful
response from an IIS should be the total number of messages submitted
minus acknowledgments with errors (2.5.1, severity level of E).
However, since HL7 Z42 messages contain both immunization history and
forecast, whereas Z32 messages exclusively contain history, we sought
comment (88 FR 23843) on whether both message types should be included
in the measure numerator.
As stated in the HTI-1 Proposed Rule (88 FR 23843), the first
denominator we proposed for this measure would be the total number of
immunization queries overall and by subgroup, by IIS and age group
(adults (18 years and over) and children/infants (17 years and
younger)) during the reporting period. We proposed to add this
denominator to the measure proposed by the Urban Institute to provide
data on the total number of query responses that are and are not
successfully received from an IIS, as this will give further insights
into any potential technical challenges that may be occurring during
query exchange. The second denominator we proposed for this measure
would be the total number of encounters overall and by subgroup during
the reporting period. However, since it is unlikely that queries happen
for every patient encounter, we sought comment (88 FR 23843) on whether
the second denominator should capture to total number of applicable
patient encounters during the reporting period regardless of whether a
query was sent to an IIS. We proposed (88 FR 23843) that the numerator
and denominator counts would be reported overall (across IIS and age
subgroups) during the reporting period and by the number of IIS queries
made by IIS and age group (adults (18 years and over) and children/
infants (17 years and younger) during the reporting period. In the HTI-
1 Proposed Rule (88 FR 23843), we conveyed our belief that reporting by
these subgroups would be necessary to interpret the data and create
public awareness that could inform IISs and other public health
participants about the progress being made in immunization data
exchange. We sought comment (88 FR 23843) on whether children/infants
should be further divided and by what age limits.
We also proposed (88 FR 23843) developers of certified health IT
with Health IT Modules certified to Sec. 170.315(f)(1) would attest
that they are unable to report on this measure if they have no users
that administered immunizations during the reporting period. There may
also be providers who do not administer immunizations but would want to
query an IIS to determine whether their patient has received a
vaccination. We sought comments (88 FR 23843) on whether we should
include this exclusion or suggestions on how we could better refine it.
Comments. A few commenters expressed support for the proposed
measure, stating that comprehensive immunization history and forecasts
through certified health IT enables health care providers to
proactively manage immunization programs and promote preventative care.
Also, by utilizing certified health IT to track history and generate
forecasts, health care providers can identify immunization gaps,
schedule timely vaccinations, and implement outreach initiatives to
increase vaccination rates.
Response. We thank commenters for their support of the proposed
measure and appreciate the examples of how the measure would support
improvements in preventive care for patients. We agree that this
measure, which provides insights on how certified health IT is used to
support health care providers to electronically query immunization
information from IIS, is critical to public health preparedness.
Comments. One commenter expressed concern with the second
denominator, stating that the total number of visits will not
accurately reflect the number of immunization query messages expected
to be generated, as not all encounters can reasonably be expected to
result in a query message, and suggested an alternate measure to
include a numerator defined as the total number of unique individuals
queried for during the reporting period and a denominator defined as
the total number of unique individuals with encounters during the
reporting period. Another commenter recommended that ONC develop a
simpler definition of encounters that developers can apply to their own
systems and encounter classification structures or establish a clear
set of encounter type categories with fully defined mapping such as
OMB/CDC Race categories/details. The same commenter suggested ONC
coordinate with CMS to ensure that the value set references include all
SNOMED and CPT codes in the proposal or identified alternatives. One
commenter recommended modifying the second denominator to include
encounters with immunizing provider sites rather than all encounters.
Response. We concur that not all encounters can be expected to
generate a query to an IIS. Therefore, as one commenter noted, the
number of visits may not reflect the number of immunization queries
expected. We may collaborate with the community to consider the measure
of unique patients for whom queries were made to the IIS for future
rulemaking. The measure does not include encounter-based metric from
the immunization measure domain to address the concern raised by
commenters that not all encounters can be expected to result in a query
message. We will still receive counts of the number of unique patients
with an encounter during the reporting period, as proposed (and
finalized) in the ``consolidated clinical document architecture (C-CDA)
problems, medications, and allergies reconciliation and incorporation
through certified health IT'' measure. We refer readers to the
definition of terms section immediately following this section for a
more detailed discussion on defining encounters.
Comments. A few commenters expressed concern with the intent and
interpretation of the proposed measure. One commenter stated that if
the intent is to assess the overall functioning of bidirectional query,
ONC should clarify this intent such that a low ratio does not reflect
poorly on the developer of certified health IT or the querying
organizations. One commenter commented that it was their experience
that some IISs are not ready to return the data for response to the
query and noted that this would impact the countable events for this
measure and should be publicly disclosed if/when the data is published.
One commenter recommended that these measures be considered exploratory
and should not be used to penalize any certified health IT product or
developer.
Response. We acknowledge that some IIS are not able to return data
for a query response and as such, agree that the finalized measure
should be seen as informative and reflects the role that the health IT
developers, health care
[[Page 1338]]
providers, and IIS systems play with the exchange of this information.
We acknowledge that an IIS may have issues in returning the data for
response to the query, thus impacting the value of this measure. We
recognize this contextual information will be important to note with
the publication of these data. Where health IT developers encounter
instances where a complete bidirectional loop is not possible, we
encourage health IT developers to document this information in the
supplemental reporting to allow for more complete understanding of the
metrics.
In this finalized measure, counts of queries sent to an IIS and
responses received successfully are intended to provide insight on the
functioning of bidirectional query to obtain immunization data. The
metrics reported by health IT developers will provide new insights for
ONC and the public health community that are currently unavailable at a
national level. By understanding trends related to queries made and
responses received over time, we will also gain feedback on the
performance of queries and responses, which are part of the
``transmission to immunization registries'' (Sec. 170.315(f)(1))
criterion. As noted above, we will receive counts of the number of
unique patients with an encounter during the reporting period, as
proposed (and finalized) in the ``consolidated clinical document
architecture (C-CDA) problems, medications, and allergies
reconciliation and incorporation through certified health IT'' measure,
and expect to use this data to provide encounter context to the
``public health information exchange'' measures. Together, these
metrics can inform efforts to increase the availability of IIS data for
health care providers to have a more complete immunization background
for individuals and groups of patients. We plan to collaborate with the
community to consider the measure of unique patients for whom queries
were made to the IIS for future rulemaking.
Comments. Several commenters requested clarification on the
proposed numerator. One commenter noted that the proposed numerator
reflects the interoperability of the IIS, not the certified health IT,
and requested clarification on ``received,'' stating that the
successful response definition is not clear in cases where the error
can be detected by the certified health IT in the IIS response such as
``received technically'' versus ``received into the chart.'' A few
commenters requested clarification on how ``refines'' are counted for
measurement, when a query attempt must be refined before a successful
attempt, and suggested the numerator should reflect total queries
performed.
Response. We appreciate the concern expressed that the metric does
not reflect the interoperability of certified health IT. Through our
measures we seek to assess bidirectional exchange activity between IIS
and certified health IT, which can help identify potential issues
related to interoperability and track trends over time. We appreciate
the comments and the opportunity to provider greater clarity. In this
final rule, we clarify that the metrics for the number of query
responses received successfully from IISs overall, and by IIS, should
count an IIS response as ``received technically,'' in the form of a
message or transaction. This clarification addresses that health care
providers may not ingest all responses into the record. We agree that
the initial query and each refined query should individually increment
the total number of immunization queries sent to an IIS in order to
acknowledge the effort to ensure a successful query.
Comments. A couple commenters expressed support that
acknowledgement with a severity level of ``E'' be considered a failure
for purposes of the measure. One commenter noted that an error with a
severity level of ``E'' could be included in either an acknowledgment
or a response (RSP) message. A couple commenters noted that a
significant portion of messaging failures are communication failures
where there will be no response received which should be excluded from
the denominator or included in a separate metric. The commenter
suggested that messages of ``no patient found'' or ``too many
patients'' found, as well as messages with no response from the IIS (in
the case of downtime, for example), would be considered successful. One
commenter requested clarification on whether a query response message
responding that a patient match was not possible should be counted in
the numerator. The commenter also suggested that the submission of
descriptive context should be required, stating that it may help with
future evolution and fine tuning of the measures.
Response. We appreciate the comments received regarding that the
measure should consider acknowledgements with a severity level of ``E''
as a failed message. We confirm that only severity level of ``E'' for
messages are excluded from the metrics, the number of query responses
received successfully from IISs overall and by IIS. We also appreciate
the additional description of communication failure scenarios due to
IIS downtime or other accessibility issues. We will collaborate with
the community to monitor how these instances impact the measure's
interpretation and determine if it should be revised in the future. At
this time, we will not require health IT developers to provide separate
counts for communication failures and counts of the descriptive context
levels. We encourage health IT developers to capture information about
communication failures as their functionality permits and include this
explanation in the supplemental documentation.
Comments. In our request for public comment regarding whether both
Z42 and Z32 messages should be included in the metrics, several
commenters suggested that both Z42 and Z32 messages be included,
stating that both are objectively relevant to patient care, contain
significantly similar content, and have both been implemented in the
real world.
Response. Given the support expressed in response to our specific
question, the metrics, the number of query responses received
successfully from IISs overall and by IIS will include Z42 and Z32
messages.
Comments. Commenters representing health IT developers expressed
concern related to the proposed measure's stratification by IIS and
age. These commenters suggested that the initial implementation of the
measure should only require administration submission counts and that
the development burden was high relative to the value of the
stratifications. Other commenters supported the stratifications as
defined, given that not all jurisdictions require comprehensive adult
reporting. One commenter noted that additional age stratification was
unnecessary and might add complexity. One commenter suggested delaying
or eliminating the ``immunization history and forecasts'' measure.
Response. We appreciate the comments that indicated support for the
measure's proposed stratifications, but that development burden would
be high especially associated with the age stratification. We
acknowledge that the age stratification is not as critical early on for
this measure (compared to the submission of immunization data) as there
are no state and jurisdiction level mandates for querying history and
forecasts which vary by age. Therefore, we have delayed the
implementation of this measure from ``year 1'' to ``year 2'' to provide
health IT developers more time to produce the measure.
[[Page 1339]]
Furthermore, the reporting by IIS will be delayed to ``year 3.'' We
have not removed this measure as suggested by one commenter as there
was a high level of support for this measure and we are providing
additional time to implement the metric and related stratification.
Comments. One commenter requested clarification on how a query sent
to multiple IIS should be counted. One commenter requested
clarification on whether the first denominator should include only
query response messages that support both the history and forecast. One
commenter requested clarification on whether developers would be
required to calculate a percentage and if so, ONC must provide explicit
guidance on the calculation components.
Response. We clarify that the metrics related to the total number
of immunization queries sent (overall and by IIS), should be
incremented for each query sent to an IIS and the metrics related to
number of query responses received successfully from an IIS (overall
and by IIS), should increment for each successful message received. The
measure should count queries and response messages so that the
increment occurs for history, forecast, or history and forecast. This
approach is supported by the ``transmission to immunization
registries'' (Sec. 170.315(f)(1)) criterion that treats forecast and
history separately. At this time, health IT developers are not required
to report separate metrics for forecast and history. We clarify that
ONC will calculate percentages based on the counts that the health IT
developer submits.
Comments. One commenter stated that they did not agree with
excluding queries performed by health care providers who do not
administer immunizations, while another commenter recommended excluding
these health care providers for simplicity.
Response. We acknowledge that the suggestion to constrain the
measure to only include health care providers who immunize simplifies
the interpretation of results. However, the National Vaccine Advisory
Committee (NVAC) recommends that all healthcare professionals,
regardless of whether they administer vaccines, routinely assess
patients for vaccines due.\210\ Furthermore, there was no consensus
across the comments to make this change. In this phase of reporting, it
may add burden for health IT developers to segment the measure by
whether the health care providers are immunizing providers. Therefore,
the measure does not make distinctions for health care providers who do
and do not administer immunizations and will collaborate with the
community to understand the potential to incorporate this aspect in
future rulemaking.
---------------------------------------------------------------------------
\210\ NVAC Standards for Adult Immunization Practice: https://www.cdc.gov/vaccines/hcp/adults/for-practice/standards/index.html.
---------------------------------------------------------------------------
Finalization of Measure
We have finalized the measure as ``immunization history and
forecasts through certified health IT'' in Sec. 170.407(a)(3)(vii). We
have revised the proposed measure based on public comments received.
Specific metrics to support this finalized measure are listed below and
described in the accompanying measure specification located on ONC's
website. We also note that if regulatory baselines associated with the
metrics change in the future--such as a revision to a criterion through
notice and comment rulemaking--the measure specification would also be
changed to ensure alignment with the revised criterion:
1. Number of immunization queries sent to IISs overall (year 2).
2. Number of immunization queries sent to IISs overall by IIS (year
3).
3. Number of query responses received successfully from IISs
overall (year 2).
4. Number of query responses received successfully from IISs
overall by IIS (year 3).
The reporting period for the measure and related metrics above
consists of one calendar year. Data collection for these measures and
associated metrics will begin during the second and third phase of
reporting (which is described later in the preamble).
Encounters
For measures where patient encounters are relevant, we proposed the
definition of an encounter should be based on the National Committee
for Quality Assurance (NCQA) outpatient value set and SNOMED CT
inpatient encounter codes. For outpatient codes, developers should use
NCQA's Outpatient Value Set.211 212 For inpatient codes,
developers should use SNOMED CT codes 4525004, 183452005, 32485007,
8715000, and 448951000124107.\213\ Listed below is a description of
each SNOMED CT code:
---------------------------------------------------------------------------
\211\ See: 2022 Quality Rating System Measure Technical
Specifications. Published October 2021. https://www.cms.gov/files/document/2022-qrs-measure-technical-specifications.pdf.
\212\ NCQA's Outpatient Value Set is available with a user ID
and login at https://store.ncqa.org/my-2021-quality-rating-system-qrs-hedis-value-set-directory.html; or https://vsac.nlm.nih.gov/valueset/expansions?pr=all OID:
2.16.840.1.113883.3.464.1003.101.12.1087.
\213\ Available for search at https://www.findacode.com/index.html.
Emergency department patient visit (procedure)--4525004
Emergency hospital admission (procedure)--183452005
Hospital admission (procedure)--32485007
Hospital admission, elective (procedure)--8715000
Admission to observation unit (procedure)--448951000124107
Comments. Several commenters requested guidance for implementation
of encounter value sets. Commenters representing health IT developers
suggested adopting a broad definition of encounters for developers to
apply and map to their own classification structures, while others
suggested constraining the codes to a more limited and defined set. One
commenter suggested limiting inpatient encounter codes to discharges
only.
Several commenters supported the proposed approach (FR 23832) to
align Insights Condition value sets for encounters with CMS programs.
Commenters representing quality measure developers supported the
proposed value sets that are used in electronic clinical quality
measures (eCQMs). While calling for alignment with CMS programs,
several commenters representing health IT developers recommended that
the encounter value sets should follow industry standards, such as the
FHIR Encounter.type field in the US Core Implementation Guide.\214\
---------------------------------------------------------------------------
\214\ https://build.fhir.org/ig/HL7/US-Core/index.html.
---------------------------------------------------------------------------
Response. We agree with commenters on the importance of aligning
encounter value sets with industry approaches as well as re-using
existing value sets that support CMS programs to reduce the burden of
developing and reporting Insights Condition measures. In the HTI-1
Proposed Rule (88 FR 23832), we proposed to define encounters
leveraging a code set defined by the National Committee for Quality
Assurance and recommended by the HITAC, while requesting comment on
alternative approaches. We proposed this approach in large part to
align with existing measurement approaches used within CMS programs. As
commenters described, not all codes included in the proposed approach
are reflected in the US Core IG version 6.1.0, which is the version we
believe commenters referenced. Based on public comment, we have revised
the definition of encounters to maintain alignment with
[[Page 1340]]
definitions of encounters within existing quality measurement
approaches used by CMS while responding to industry concerns about
burden and potential misalignment. Specifically, several CMS programs,
including the Promoting Interoperability Program and the Quality
Payment Program, require the counting of encounters using specific
codes, and CMS maintains an CQM library that specifies specific
encounter codes related to quality measurement.\215\ Developers of
certified health IT have years of experience with those reporting
efforts. Specifically, health IT certified to any criterion in Sec.
170.315(c)(1) through (4) supports recording, importing, reporting or
filtering CQMs, and health IT certified to Sec. 170.315(g)(1) or (2),
supports numerator recording and measure calculation for each Promoting
Interoperability Program percentage-based measure. For the purpose of
the Insights Condition, we define applicable encounters as all
encounters that the developer includes in its calculation of encounters
within the existing certification criteria in Sec. 170.315(g)(1) or
(2) and the CQMs that they have presented for certification as part of
certification to Sec. 170.315(c). For those developers that do not
attest to any of the certification criteria at Sec. 170.315(c), (g)(1)
or (2), we specify that they include all encounters regardless of
encounter code. Based upon analysis of the Certified Health IT Product
List (CHPL), we note that of the 306 products currently certified to
Sec. 170.315(b)(2), 281 are certified to at least one of the included
criteria, with 232 certified to criterion in Sec. 170.315(c) and 260
certified to Sec. 170.315(g)(1) or (g)(2).
---------------------------------------------------------------------------
\215\ Medicare Promoting Interoperability Program Specification
Sheets https://www.cms.gov/medicare/regulations-guidance/promoting-interoperability-programs/resource-library.
eCQM Library https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/eCQM_Library.
---------------------------------------------------------------------------
In finalizing this approach, we have eliminated the prescriptive
approach to defining value sets that delineate encounters taken in the
HTI-1 Proposed Rule, which was based on a specific set of quality
measures and their associated Value Sets. The finalized approach
instead relies on existing developer competencies and experience as
demonstrated by their existing certification to any criterion in Sec.
170.315(c)(1) through (4), (g)(1) or (g)(2) while retaining a close
link to existing quality measurement. Our goal in finalizing this
approach is to build upon existing CMS program requirements,
certification criteria, and developer of certified health IT's
experience with these requirements. Rather than specify specific value
sets, our intent is to allow the definition of an encounter to evolve
as use of CQMs and approaches within this Program and the Quality
Payment Program change. In finalizing this approach, we have also
emphasized alignment with measurement within CMS programs (i.e., eCQM
and Promoting Interoperability percentage-based measures) rather than
following industry standards, such as the FHIR Encounter.type field in
the US Core Implementation Guide. As approaches within CMS' programs
come into alignment with industry standards, the measure of encounters
within the Insights Condition will also come into alignment. For
developers that do not currently support the identification of specific
types of encounters, our intent is to avoid creating a new requirement
to implement specific terminologies or code sets.
Counts of Unique Patients
Comments. One commenter opposed the use of unique patient counts in
the proposed measures under the Insights Condition. Further, the
commenter stated unique patient counts when aggregating across many
certified health IT instances would require significant burden and cost
to deduplicate across customer databases. The commenter requested that
ONC either change to transaction-based counts or clarify that unique
patient counts will be unique only within each instance of the
certified health IT and can be duplicated across instances.
Response. We thank the commenter for this input, and as noted in
the individuals' access to EHI measurement area section in this
preamble, we have revised our definition of unique patient counts so
that counts would only be unique within each instance of the certified
health IT. We recognize the potential difficulty of de-duplicating
unique patients across more than one instance of a certified health IT
and clarify that the patient counts should be unique within the
instance and can be duplicative across instances.
3. Insights Condition and Maintenance of Certification--Requirements
As stated in the HTI-1 Proposed Rule (88 FR 23843), the Cures Act
specifies that a health IT developer be required, as a Condition and
Maintenance of Certification requirement under the Program, to submit
responses to reporting criteria in accordance with the ``Electronic
Health Record Reporting Program'' established under section 3009A of
the PHSA, as added by the Cures Act, with respect to all certified
technology offered by such developer. We proposed to implement the
Cures Act ``Electronic Health Reporting Program'' Condition and
Maintenance of Certification requirements as the ``Insights Condition
and Maintenance of Certification'' (Insights Condition) requirements in
Sec. 170.407. As a Condition of Certification, we proposed that
developers of certified health IT would submit responses to comply with
the Insights Condition's requirements, described in this section of the
preamble in relation to the Insights Condition's measures and
associated certification criteria.
Comments. A number of health IT developers expressed concern about
the burden that collecting and reporting measures for the Insights
Condition will impose on health IT developers. A commenter stated that
developing Insights Condition measures overlaps and competes with
health IT developers' other priorities, including CMS' digital quality
initiative and user requested analytics. One commenter expressed
concern that the requirements would introduce barriers to market entry
and reduce competition. However, one health IT developer commented that
they do not believe that the Insights Condition presents a significant
regulatory burden, as the measure data can be collected and reported
using currently widespread technologies.
Relatedly, many commenters, including health IT developers,
developer associations, and health systems, opposed the overall number
and type of measures proposed in Sec. 170.407 for the Insights
Condition. Commenters suggested reducing the number and complexity of
measures to reduce burden and improve feasibility for developers of
certified health IT and their customers. Commenters stated the number
of measures is higher than described due to the multiple numerators and
denominators. Commenters recommended ONC remove the list of expected
metrics or ratios and focus only on the individual data elements to be
collected and reported. Some commenters suggested 10 or fewer counts as
a starting point. One commenter indicated that there were duplicate
measures in the set that should be combined or harmonized. One
commenter recommended that ONC select measures that are well-defined
and targeted, and designed not to heavily burden health IT system
resources when collecting data. Commenters also suggested gradually
increasing the number of measures over several years.
[[Page 1341]]
Response. We appreciate the concerns expressed for the potential
burden imposed on health IT developers to report the Insight Condition
measures. We emphasize the Insights Condition fulfills the Cures Act
specified requirements in section 4002(c) to establish an Electronic
Health Record (EHR) Reporting Program to provide transparent reporting
on certified health IT.
We believe this final rule will address information gaps in the
health IT marketplace and provide useful insights on certified health
IT use while minimizing implementation burden on health IT developers.
Our final rule includes multiple revisions to our proposals, described
in greater detail throughout this section of the preamble under their
respective sections, that are intended to minimize the burden on health
IT developers in implementing the Insights Condition. In sum, for this
final rule, we have:
Delayed the submission of the first phase of measures and
related metrics to July 2027 to allow health IT developers adequate
time to develop and implement the measures.
Established a more incremental approach for implementing
the measures over a longer timeframe (three years), including phasing
in more complex aspects of the measures. Extending the time frame will
allow developers to work on other priorities, such as CMS' digital
quality initiative and user requested analytics, and not have to
exclusively focus on developing Insights Condition measures.
Not finalized two proposed measures (``electronic health
information export through certified health IT'' and ``C-CDA documents
obtained using certified health IT by exchange mechanism'').
Addressed potentially duplicate metrics to make it easier
to understand the total number of unique metrics that are required. For
example, the same encounter-related metrics were previously listed in
the patient access, immunization, and clinical exchange measure
specification. Those metrics are now only listed in the clinical
exchange section and measure specification.
Reduced the frequency of measure reporting from semiannual
to annual, and changed the submission date for more convenience to
health IT developers.
Provided an alternative reporting approach for health IT
developers who are not able to report on their entire customer base due
to contractual reasons. This should limit the need to renegotiate
contracts for the sole reason of complying with the Insights Condition
requirements addressing a major source of burden. This approach is
described below in section III.F.4 of this final rule.
Supported health IT developers who choose to use their
Insights Condition measurements and data as part of their Real World
Testing plans and results, thus reducing the need to generate separate
data for both Conditions of Certification.
Replaced the terms numerators and denominators, which
caused confusion from commenters, with lists of metrics within each
measure that health IT developers will be required to report, and
limited stratification of measures.
Consolidated the required Insights Condition measures and
related metrics into the table that is located later in this section of
the preamble.
We do not believe that the Insights Condition introduces a barrier
to market entry. The minimum reporting qualifications we proposed and
have subsequently finalized further below in this preamble are designed
to ensure that small and startup developers are not unduly
disadvantaged by the Insights Condition requirements. Further, the
availability of information on what capabilities are widely available
or lacking in the marketplace may encourage new entrants to provide
needed technologies.
Comments. Several commenters raised concerns that customers of
health IT developers will perceive burden and lack incentives that
would impact their willingness to allow access to data for health IT
developers to report in order to comply with the Insights Condition
requirements. A few commenters encouraged ONC to coordinate with CMS on
ways to provide insights on EHI access, exchange, and use while
reducing physician burden related to requirements for the Insights
Condition and the CMS Promoting Interoperability Programs.
Several commenters suggested ONC collaborate with CMS to adopt
regulatory requirements to promote customers of health IT developers to
agree to allow data from their systems to be used for the Insights
Condition. One medical professional society commenter suggested that
ONC coordinate with CMS and use the Insights Condition data and metrics
to augment CMS physician reporting requirements. Further, the commenter
stated the goals of reducing physician reporting burden and providing
CMS and ONC insight into EHI access, exchange, or use can be jointly
achieved by allowing physicians to attest to meeting CMS reporting
requirements, rather than reporting a numerator-denominator,
supplemented by health IT developers reported data under the Insights
Condition. One commenter stated that attestations exist for agreeing to
cooperate with ONC-ACB surveillance activities as a precedent for such
an attestation requirement.
Response. We appreciate the suggestion for ONC to collaborate with
CMS. We recognize that health care providers in certain CMS programs
were expected to attest to cooperate in ``good faith'' with both ONC-
ACB surveillance activities and ONC Direct Reviews.216 217
We will explore potential opportunities with CMS to encourage support
for the Insights Condition among hospitals, physicians and other
healthcare professionals that participate in CMS programs. We will also
explore potential opportunities with CMS on ways to reduce burden on
physicians and other health care providers related to reporting
requirements. We will continue to coordinate and work with CMS on
points of intersection for potential future rulemaking.
---------------------------------------------------------------------------
\216\ 42 CFR 495.40(a)(2)(i)(H). Demonstration of meaningful use
criteria. https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-495#p-495.40(a)(2)(i)(H).
\217\ 42 CFR 414.1375(b)(3). Promoting Interoperability (PI)
performance category. https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-414/subpart-O/section-414.1375.
---------------------------------------------------------------------------
Comments. Several commenters expressed concern that the Insights
Condition reporting requirements will lead to increased burden or
frustration for health care providers and health care provider
organizations and encouraged ONC to consider the impacts of Insights
Condition reporting by health IT developers on their customers.
Commenters also expressed concerns that health IT developers will `pass
on' the burden of reporting to end users (i.e., health care providers),
who will end up being required to assist their developers of certified
health IT in collecting data or creating reports for the Insights
Condition. Some commenters indicated that health care providers and
health care provider organizations are already overburdened with
reporting requirements. One commenter expressed concern about creating
any additional direct or indirect reporting burden for rural and
underserved health care providers. A few commenters suggested to reduce
health care provider burden by making healthcare organization
participation and data contribution optional and avoid selecting
measures that will require mapping of data by the healthcare
organization staff. One advocacy organization and a health system
expressed support for ONC efforts to
[[Page 1342]]
establish the Insights Condition and encouraged ONC to minimize its
administrative burdens.
Response. We appreciate the concerns expressed by commenters and
aims to minimize burden on customers of developers of certified health
IT related to the Insights Condition. We emphasize that developers of
certified health IT are responsible for reporting the Insights
Condition measures, and that health care providers, including health
care providers who provide care to rural and underserved populations,
are not responsible for reporting under the Insights Condition.
We have sought to design the measures so they would not require
providers to separately collect data outside of their normal activities
as part of delivering care or create reports to assist developers of
certified health IT for the Insights Condition measures. The measures
are designed to come from system-generated data and not involve
additional effort by health care providers. We believe that, using
widely available database technology, health IT developers should be
able to collect data required for reporting under the Insights
Condition without significant end-user burden. As noted in the clinical
care information exchange measurement area of the preamble, we did not
adopt the ``C-CDA documents obtained using certified health IT by
exchange mechanism'' measure, partly because it was identified as
potentially requiring mapping of data at the healthcare organization
level.
We describe earlier in this section of the preamble the multiple
changes to our proposals that are intended to minimize the burden on
health IT developers in implementing the Insights Condition. These
changes to our proposals are also intended to minimize the burden on
customers of health IT developers. We believe this final rule includes
several changes to our proposals that significantly reduce potential
indirect burden on users (i.e., health care providers) of certified
health IT. As noted earlier, we provide health IT developers with an
alternative reporting option if they are unable to report on all their
customers due to contractual reasons.
Comments. One health system expressed support for the Insights
Condition and requested clarification on how health IT developers will
have access to the information in locally installed systems to complete
the reporting while maintaining appropriate confidentiality.
Response. We appreciate this comment. We expect that
confidentiality would already be addressed in existing contracts or
business agreements between the health IT developer and their
customers. Health IT developers will not submit protected health
information or personally identifiable information to ONC under the
Insights Condition. The data that we are requiring health IT developer
to report is aggregated at the product level and is not at the health
care provider or patient level.
Comments. Several commenters were supportive of the measures in
general, but recommended restructuring the measures as a single set, in
table format identifying the associated certification criteria, with
numerator/denominator pair as its own row. Some commenters provided a
sample format for our consideration.
Response. We thank commenters for their feedback. We have taken a
more streamlined approach to categorizing, describing, and displaying
the measures under the Insights Condition. We also refer readers to the
HTI-1 Proposed Rule (88 FR 23831) for detailed background and history
of the proposed measures as each measure description includes
statements on the intent of the measure. For example, in the HTI-1
Proposed Rule (88 FR 23834), we specified under the ``individuals'
access to electronic health information supported by certified API
technology'' (now finalized as the ``individuals' access to electronic
health information through certified health IT'') measure that we
believe this measure would provide a national view into how individuals
access their EHI and would inform ONC and health IT community efforts
to empower individuals with access to their EHI.
We provide the table below to define the updated metrics that
health IT developers are required to provide to ONC at the product
level. The table identifies the metrics a health IT developer is
required to report based on the certification criterion to which the
health IT developer certifies. We reiterate that the health IT
developer is responsible for providing and aggregating the data for
each applicable ``metric'' at the product level. The table reflects the
metrics that have been modified in some cases based on public comment
and described in more detail below. We clarify that ``year 1'' refers
to the first implementation year of the Insights Condition. Data
collection during ``year 1'' starts in calendar year 2026 (January 1st,
2026-December 31st, 2026), with responses due in July 2027. Reporting
is on an annual basis thereafter. The measures designated with ``year
2'' will begin data collection calendar year 2027, with responses due
in July 2028 (and annually thereafter). The ``year 3'' measures start
data collection in calendar year 2028, with responses due July 2029
(and annually thereafter). The reporting period for each of the
measures below consists of one calendar year. Please refer to the
measure specifications for details on the metrics, including
definitions.
Table 2--List of Insights Condition Measure Metrics
----------------------------------------------------------------------------------------------------------------
Associated certification
Measure title criteria Metrics Program year
----------------------------------------------------------------------------------------------------------------
Individuals' Access to Sec. 170.315(g)(10)..... 1. Number of unique individuals Year 1.
Electronic Health Information who accessed their EHI using
Through Certified Health IT. technology certified to
``standardized API for patient
population services''
certification criterion under
Sec. 170.315(g)(10).
Sec. 170.315(e)(1)...... 2. Number of unique individuals Year 1.
who accessed their EHI using
technology certified to the
``view, download, and transmit
to 3rd party'' certification
criterion under Sec.
170.315(e)(1).
Sec. 170.315(g)(10) or.. 3. Number of unique individuals Year 1.
Sec. 170.315(e)(1)...... who accessed their EHI using
any method..
Consolidated Clinical Document Sec. 170.315(b)(2)...... 4. Number of encounters......... Year 2.
Architecture (C-CDA) Problems,
Medications, and Allergies
Reconciliation and
Incorporation Through
Certified Health IT.
5. Number of unique patients Year 2.
with an encounter.
6. Number of unique patients Year 2.
with an associated C-CDA
document.
[[Page 1343]]
7. Number of total C-CDA Year 2.
documents obtained.
8. Number of unique C-CDA Year 2.
documents obtained.
9. Number of total C-CDA Year 2.
documents obtained that were
pre-processed.
10. Number of total C-CDA Year 2.
documents obtained that were
not pre-processed.
11. Number of total C-CDA Year 3.
documents obtained that were
pre-processed where problems,
medications, or allergies and
intolerances were reconciled
and incorporated via any method.
12. Number of total C-CDA Year 3.
documents obtained that were
not pre-processed where
problems, medications, or
allergies and intolerances were
reconciled and incorporated via
any method.
13. Number of total C-CDA Year 3.
documents obtained that were
determined to have no new
problems, medications, or
allergies and intolerances
information by pre-processes or
fully automated processes.
Applications Supported Through Sec. 170.315(g)(10)..... 14. Application name(s)......... Year 1.
Certified Health IT.
15. Application developer Year 1.
name(s).
16. Intended purpose(s) of Year 1.
application.
17. Intended application user(s) Year 1.
18. Application status.......... Year 1.
Use of FHIR in Apps Through Sec. 170.315(g)(10)..... 19. Number of distinct certified Year 1.
Certified Health IT. health IT deployments (across
clients) active at any time
during the reporting period,
overall and by user type.
20. Number of requests made to Year 1.
distinct certified health IT
deployments that returned at
least one FHIR resource by FHIR
resource type.
21. Number of distinct certified Year 1.
health IT deployments (across
clients) associated with at
least one FHIR resource
returned overall and by user
type.
22. Number of distinct certified Year 2.
health IT deployments (across
clients) associated with at
least one FHIR resource
returned by US Core
Implementation Guide version.
Use of FHIR Bulk Data Access Sec. 170.315(g)(10)..... 23. Number of distinct certified Year 2.
Through Certified Health IT. health IT deployments (across
clients) that completed at
least one bulk data access
request.
Sec. 170.315(g)(10)..... 24. Number of bulk data access Year 2.
requests completed (across
clients) to export all data
requested for patients within a
specified group.
Immunization Administrations Sec. 170.315(f)(1)...... 25. Number of immunizations Year 1
Electronically Submitted to administered overall. (overall).
Immunization Information
Systems Through Certified
Health IT.
Sec. 170.315(f)(1)...... 26. Number of immunizations Year 2
administered overall, by IIS (by IIS and age
and by age category. category).
Sec. 170.315(f)(1)...... 27. Number of immunizations Year 1
administered electronically (overall).
submitted successfully to IISs
overall.
Sec. 170.315(f)(1)...... 28. Number of immunizations Year 2
administered electronically (by IIS and age
submitted successfully to IISs category).
overall, by IIS and by age
category.
Immunization History and Sec. 170.315(f)(1)...... 29. Number of immunization Year 2
Forecasts Through Certified queries sent to IISs overall. (overall).
Health IT.
Sec. 170.315(f)(1)...... 30. Number of immunization Year 3
queries sent to IISs overall by (by IIS).
IIS.
Sec. 170.315(f)(1)...... 31. Number of query responses Year 2
received successfully from IISs (overall).
overall.
Sec. 170.315(f)(1)...... 32. Number of query responses Year 3
received successfully from IISs (by IIS).
overall by IIS.
----------------------------------------------------------------------------------------------------------------
Comments. One commenter noted that ONC only proposed Insights
Condition measures for the interoperability category. The commenter
further noted that the Cures Act included other categories, including
usability and user-centered design, security, conformance to
certification testing, and other categories, as appropriate to measure
the performance of EHR technology. The commenter encouraged ONC to
focus on these
[[Page 1344]]
additional areas for future measure development for the Insights
Condition.
Response. We thank the commenter for their encouragement to
consider other areas for future measure development. As described in
our HTI-1 Proposed Rule (88 FR 23832), we intend for this first set of
measures to provide insights on the interoperability category specified
in the Cures Act. We intend to explore the other Cures Act categories
(security, usability and user-centered design, conformance to
certification testing, and other categories to measure the performance
of EHR technology) in future rulemaking.
Comments. One commenter stated that Conditions and Maintenance of
Certification requirements including the Insights Condition should
actively seek to identify bias and prevent use of algorithms that may
cause discrimination against patients.
Response. We appreciate this suggestion and will consider ways that
the Conditions and Maintenance of Certification requirements can help
reduce bias and prevent harmful use of algorithms in patient care. We
note that this final rule includes requirements that aim to introduce
information transparency about Predictive DSIs supplied by health IT
developers as part of their certified Health IT Modules, so that
potential users have sufficient information about how a Predictive DSI
was designed, developed, trained, and evaluated to determine whether it
is trustworthy, including evaluation of fairness or bias. We refer
readers to section III.C.5 (Decision Support Interventions and
Predictive Models) of this final rule.
Comments. One commenter questioned whether ONC could get the
information about some Insights Condition measures from existing
sources.
Response. We appreciate this comment. As described in our HTI-1
Proposed Rule (88 FR 23831), our approach for identifying measures for
the Insights Condition included several considerations, including
measures reflecting information that ONC cannot obtain without
regulation and efforts that are not duplicative of other data
collection. We will continue to consider ways to reuse other data and
reduce reporting burden while addressing information gaps in the health
IT marketplace through the Insights Condition. Thus, the measures we
finalized address an important gap in information that can help assess
interoperability.
Cross-Cutting Requirements
In the HTI-1 Proposed Rule (88 FR 23832), we also proposed to apply
certain requirements across multiple measures, including, but not
limited to: (1) data submitted by health IT developers would be
provided and aggregated at the product level (across versions); (2)
health IT developers would provide documentation related to the data
sources and methodology used to generate these measures; and (3) health
IT developers may also submit descriptive or qualitative information to
provide context as applicable.
We explained in the HTI-1 Proposed Rule (88 FR 23832) that overall,
the documentation should help ensure the responses/data are interpreted
correctly. Thus, the documentation related to the data sources and
methodology would include the types of data sources used, how the
measure was operationalized (e.g., any specific definitions), any
assumptions about the data collected, information on the providers or
products that are included/excluded from the reported data, and a
description about how the data was collected. As described earlier in
the preamble, we would then use the measure data submitted by health IT
developers to calculate the metrics (e.g., percentages and other
related statistics). Developers of certified health IT would submit
this information to an independent entity, per statutory requirements
in section 3009A(c) of the PHSA, as part of the implementation of the
Insights Condition, which we discuss later in this section of the
preamble.
Comments. Several commenters supported our proposal under the
Insights Condition to require developers of certified health IT to
report documentation used to generate each measure. Three commenters
also supported the proposal for reporting optional documentation. One
commenter favored requiring health IT developers to explicitly outline
how they collect, aggregate, and analyze the data for the Insights
Condition, including documentation on the assumptions made about the
data and decisions made about the inclusion or exclusion of specific
data and/or installations. Some commenters suggested that ONC establish
consistent topics and categories for the required documentation
submissions and requested having the option to keep the additional
information submissions confidential. One commenter recommended that
ONC prohibit developers from using trade secrets to prevent validation
of reporting data. One commenter requested ONC define a clear and
accessible pathway for public access to the Insights Condition data, as
well as how identified issues will be mitigated by developers certified
health IT. Further, the commenter noted that methodological
transparency is essential to inform customers, regulators, and
policymakers about what the Insights Condition was testing, how testing
was performed, and what the reporting informs about achievement of
interoperability objectives.
Response. We appreciate the feedback from commenters. We have
finalized that developers of certified health IT are required under the
Insights Condition to provide documentation related to the data sources
and methodology used to generate these measures, and health IT
developers may also submit descriptive or qualitative information to
provide context as applicable. Later in this preamble, we also note
that in accordance with the Cures Act, we intend to make responses (the
metrics and required documentation) to the Insights Condition publicly
available on our website. The metrics and required documentation will
provide methodological transparency and enable assessing progress
related to interoperability as requested by commenters.
We require that health IT developers, as part of their responses,
will provide documentation used to generate the measures for more
accurate and complete data calculation. As we stated in the HTI-1
Proposed Rule (88 FR 23832), the documentation should help ensure the
data are interpreted correctly. Therefore, the documentation related to
the data sources and methodology should include the types of data
sources used, how the measure was operationalized (e.g., any specific
definitions), any assumptions about the data collected, information on
the health care providers or products that are included/excluded from
the metrics, and a description about how the data was collected. We
intend to make the required documentation provided by health IT
developers publicly available for the purposes of transparency and to
allow interested parties to understand and interpret the data.
We do not anticipate that health IT developers will need to share
any information they consider proprietary, trade secret, or
confidential information for the required documentation related to the
Insights Condition. The documentation identified above does not
specifically require the disclosure of proprietary, trade secret, or
confidential information. Health IT developers should be able to report
without the
[[Page 1345]]
sharing of any such information. If health IT developers wish to
provide additional information as part of the optional documentation,
we strongly encourage them to not include any proprietary, trade
secret, or confidential information in their submission. Further, we
intend to provide a method for health IT developers to first indicate
whether they plan to share proprietary, trade secret, and/or
confidential information for purposes of either required or optional
documentation. If a health IT developer provides an affirmative
indication, ONC will engage the developer in dialogue about potential
alternative means of meeting either required documentation requirements
or providing optional documentation (e.g., in other generalized or
descriptive ways that may achieve the same goal). As we noted in the
Enhanced Oversight and Accountability (EOA) Final Rule (81 FR 72429),
we will implement appropriate safeguards to ensure, to the extent
permissible under federal law, that any proprietary business
information or trade secrets that are disclosed by the health IT
developer in its documentation would be kept confidential by ONC.\218\
---------------------------------------------------------------------------
\218\ The Freedom of Information Act, 18 U.S.C. 1905, and the
Uniform Trade Secrets Act, 18 U.S.C. Chapter 90, generally govern
the disclosure and descriptions of these types of information.
---------------------------------------------------------------------------
We also refer readers to section III.F.4 of this final rule where
we describe how we intend for health IT developers to submit the
metrics and related documentation electronically using a web-based
form, which will provide templates that enable submitting the data to
ONC in a structured, electronic format such as comma-separated values
(CSV) or JavaScript Object Notation (JSON) for this purpose. For
questions and comments that may arise in reviewing the results and
supporting documentation, we encourage the public to follow the
Certified Health IT Complaint Process described at: https://www.healthit.gov/topic/certified-health-it-complaint-process.
Comments. The majority of commenters opposed our proposal that
developers of certified health IT report measures aggregated at the
product level, across product versions. Several commenters recommended
that ONC adopt a flexible approach where health IT developers can
report either at the product or developer level with an attestation to
indicate which level the health IT developer reported. Commenters noted
that this level of flexibility is consistent with the Real World
Testing Condition.
Some commenters stated that health IT developers with integrated
products or platforms are not able to differentiate certain Insights
Condition measures per product as proposed, making product level
reporting impossible. In this circumstance, one action would be counted
under multiple products. One commenter recommended reporting be
permitted at the integrated database level instead of the product level
to make reporting feasible. One commenter recommended reporting at the
developer level to avoid duplicate counting. One commenter stated
health IT developers with both cloud and non-cloud-based products would
have problems aggregating data for reporting. Several commenters
opposed any reporting at a level lower than a certified Health IT
Module.
Three commenters requested reporting that is more granular, at the
product version level. Commenters stated product version level
reporting would better support health care provider and healthcare
organization evaluation and comparison of health IT capabilities.
Response. We thank commenters for their feedback and acknowledge
the variety of perspectives on this requirement. We have maintained and
finalized in Sec. 170.407(a)(1)(i)(A) that data submitted by health IT
developers would need to be provided and aggregated at the product
level (across versions). However, we recognize that integrated
products, which serve multiple settings or support multiple CHPL ID
products, will not be able to differentiate between the settings or
CHPL IDs when reporting on the measures. This could result in either
double-counting or only reporting for one product. To address this
issue, we have revised our requirement, related to integrated products,
so that integrated products will only have to report one response for
two or more products that are integrated. The web-based form and
templates will allow for health IT developers to identify as submitting
on behalf of an integrated product and to provide the associated CHPL
IDs with the response.
We believe that product level data would provide insights on how
performance on the measures vary by market (e.g., inpatient,
outpatients, specialty) and by capabilities of products, whereas this
type of insight would not be available at the developer level. A
product level focus is also aligned with other Program reporting
requirements that allow for product level reporting, such as the Real
World Testing Condition and Maintenance of Certification (85 FR 25765).
In considering alternatives, such as proposing to require health IT
developers to report measures at the health IT developer level or at
the most granular level of product version/CHPL ID, we concluded that
proposing to require data to be reported at the health IT developer
level is unlikely to reduce burden given that data would still need to
be obtained from each applicable product and then aggregated. We also
concluded that proposing to require reporting at the product version/
CHPL ID level could significantly increase burden because developers of
certified health IT would need separate reports for each version of
their products. A flexible approach with a mix of data at the developer
and product levels does not allow for a consistent analysis and
reporting across health IT developers.
Minimum Reporting Qualifications
As required by section 3009A(a)(3)(C) of the PHSA, ONC worked with
an independent entity, the Urban Institute, to develop measure concepts
for the Insights Condition that would not unduly disadvantage small and
startup developers. For detailed background, we refer readers to the
HTI-1 Proposed Rule (88 FR 23843). Additionally, we proposed (88 FR
23844) to implement the Insights Condition requirements in a way that
does not unduly disadvantage small and startup developers of certified
health IT. We proposed (88 FR 23844) to establish minimum reporting
qualifications that a developer of certified health IT must meet to
report on the measure. Developers of certified health IT who do not
meet the minimum reporting qualifications (as specified under each
measure), would submit a response to specify that they do not meet the
minimum reporting qualifications under the Insights Condition measure.
In this way, all developers of certified health IT would report on all
measures, even if some report that they do not meet the minimum
reporting qualifications.
In the HTI-1 Proposed Rule (88 FR 23844), we proposed that the
minimum reporting qualifications include whether a health IT developer
has any applicable Health IT Modules certified to criteria associated
with the measure, and whether the developer has at least 50 hospital
users or 500 clinician users across its certified health IT products,
which serves as a proxy for its size or maturation status (e.g.,
whether it is a startup) and refer readers to the HTI-1 Proposed Rule
for details on how we determined the proposed thresholds for health IT
developers (88 FR 23845).
We proposed (88 FR 23844) that if a developer of certified health
IT does not
[[Page 1346]]
meet these minimum reporting qualifications, it would be required to
submit a response that it does not meet the minimum reporting
qualifications on specific measures for a given Health IT Module(s)
subject to the Insights Condition requirements. In addition, we
proposed (88 FR 23844) that if a health IT developer does not have at
least one product that meets the applicable certification criteria
specified in the measure requirements, or a developer of certified
health IT that is certified to the criterion or criteria specified in
the applicable measure during the reporting period but does not have
any users using the functionality, the developer would still be
required to submit a response that it does not meet the applicable
certification criteria or the number of users required to report on the
measure.
Comments. Several commenters supported our proposal to establish
minimum reporting qualifications that a developer of certified health
IT must meet to report on each measure. However, commenters stated that
minimum reporting qualification would be more appropriate at the
product level instead of at the developer level. Commenters recommended
ONC maintain the proposed minimum reporting qualifications and apply
those qualifications to individual products. One commenter recommended
applying the thresholds at the product version level.
Response. We appreciate the interest expressed in applying the
minimum reporting qualifications at the product or product version
levels. However, we believe applying minimum reporting qualifications
at the developer level adequately addresses the Cures Act requirement
for the Insights Condition to not unduly disadvantage small and startup
health IT developers. Applying minimum reporting qualifications at the
product or product version levels could result in missing valuable data
related to the use of certain certified health IT products.
Comments. Commenters made a few requests for clarification on the
minimum reporting qualifications. One commenter indicated that our
minimum reporting qualifications are ambiguous and asked ONC to clarify
if the minimum reporting qualification is ``50 users in a hospital'' or
``50 hospital sites that have users.''
Response. We thank commenters for their input. We have finalized
the minimum reporting qualification in Sec. 170.407(a)(2) to be at
least 50 hospital sites or 500 individual clinician users across the
developer's certified health IT. We note that the 50 hospital sites
threshold is applicable to health IT modules used in inpatient or
emergency department settings, while the 500 individual clinician users
threshold is applicable to health IT modules used in outpatient/
ambulatory settings (non-inpatient).
Comments. One commenter expressed that requiring health IT
developers attest to not having technology certified to a given
criterion for purposes of not reporting data for a specific Insights
Condition measure was redundant since ONC maintains the list of
certified health IT products.
Response. The Cures Act requires that all developers of certified
health IT report on all Insights Condition measures. We believe this
attestation process provides for compliance with that requirement in
the simplest way.
Comments. One commenter requested that the definition of
``developer'' be more specific to include the actual architects and
engineers of the software itself. The commenter questioned if the
current definition of ``developer'' could also be interpreted to
include organizations that provide certified health IT access for
practices/clinicians under MSSP agreements. Further, the commenter
noted these healthcare organizations would not have resources to comply
with the Insights Condition.
Response. The Conditions and Maintenance of Certification
requirements in subpart D of 45 CFR part 170 apply to developers
participating in the Program (see 45 CFR 170.400). Therefore, the
finalized ``Insights Condition and Maintenance of Certification''
requirements (codified in Sec. 170.407) apply to developers
participating in the Program that meet minimum reporting
qualifications. Although we discuss the finalized ``offer health IT''
and updated ``health IT developer of certified health IT'' definitions
for purposes of the information blocking regulations (45 CFR part 171),
as discussed in sections IV.B.1 and IV.B.2 of this preamble, this
commenter's request is out of scope for this final rule since we did
not propose a definition in the HTI-1 Proposed Rule, and there is no
codified definition of ``developer'' specific to the Program
regulations in 45 CFR part 170 at this time.
4. Insights Condition and Maintenance of Certification--Process for
Reporting
We proposed (88 FR 23846) in Sec. 170.407(b)(1) that, as a
Maintenance of Certification requirement for the Insights Condition,
developers of certified health IT would need to submit responses every
six months (i.e., two times per year) for any applicable certified
Health IT Module(s) that have or have had an active certification at
any time under the Program during the prior six months. We also
proposed to provide developers of certified health IT with ample time
to collect, assemble, and submit their data. We proposed (88 FR 23846)
that developers of certified health IT would be able to provide their
submissions within a designated 30-day window, twice a year. Developers
of certified health IT would begin collecting their data twelve months
prior to the first 30-day submission window. The first six months of
this period would be the period that developers of certified health IT
would report on for the first 30-day submission window. Developers of
certified health IT would then have the next six months to assemble
this data for reporting. During the second six months of this period,
developers of certified health IT would begin collecting data for the
next 30-day submission window and so on. We refer readers to the
example we provided in the HTI-1 Proposed Rule (88 FR 23846).
We proposed (88 FR 23847) in Sec. 170.407(b)(1)(i) that a
developer of certified health IT must provide responses beginning April
2025 for the following measures: (1) individuals' access to electronic
health information; (2) applications supported through certified health
IT; (3) immunization administrations electronically submitted to an
immunization information system through certified health IT; and (4)
immunization history and forecasts. We proposed (88 FR 23847) in Sec.
170.407(b)(1)(ii) that a developer of certified health IT must provide
responses beginning April 2026 for the remaining measures: (1) C-CDA
documents obtained using certified health IT by exchange mechanism; (2)
C-CDA medications, allergies, and problems reconciliation and
incorporation using certified health IT; (3) use of FHIR in apps
supported by certified API technology; (4) use of FHIR bulk data access
through certified health IT; and (5) electronic health information
export through certified health IT. For further discussion regarding
our rationale for these proposals, we refer readers to the HTI-1
Proposed Rule (88 FR 23847).
We welcomed comments on our proposed approach, as well as the
proposed frequency of reporting, other frequencies of reporting such as
more or less frequent, and any additional burdens that should be
considered for developers of certified health IT to meet the proposed
``Insights Condition and Maintenance of Certification'' requirements.
[[Page 1347]]
We also noted in the HTI-1 Proposed Rule (88 FR 23847) that there
may be other factors that could impact a developer of certified health
IT's ability to easily collect data to comply with the Insights
Condition's requirements. For example, a developer of certified health
IT may have contracts or business agreements that inhibit the health IT
developer's ability to collect data from its customers. We noted that
in such scenarios, developers of certified health IT would need to
renegotiate their contracts if we finalized our proposals. We explained
that we expected developers of certified health IT would work to
mitigate any issues and provisions affecting their ability to comply
with this Condition and Maintenance of Certification requirement.
Therefore, a developer of certified health IT that is required to meet
the Insights Condition's requirements must submit responses or may be
subject to ONC direct review of the Conditions and Maintenance of
Certification requirements, corrective action, and enforcement
procedures under the Program. We welcomed comments on our approach, as
well as any specific hardships certified health IT may encounter with
the Insights Condition of Certification.
We proposed (88 FR 23847) that responses to the Insights Condition
would occur via web-based form and method, consistent with the
requirements in Sec. 3009A(c) of the PHSA. We noted that under the
statute, developers of certified health IT must report to an
``independent entit[y]'' to ``collect the information required to be
reported in accordance with the criteria established.'' We intend to
award a grant, contract, or other agreement to an independent entity as
part of the implementation of the Insights Condition and will provide
additional details through subsequent information. We stated that we
intend to make responses publicly available via an ONC website, and we
intend to provide developers of certified health IT the opportunity to
submit qualitative notes that would enable them to explain findings and
provide additional context and feedback regarding their submissions.
Further, we proposed (88 FR 23847) a new Principle of Proper
Conduct for ONC-Authorized Certification Bodies (ONC-ACBs) in Sec.
170.523(u) that would require ONC-ACBs to confirm that applicable
developers of certified health IT have submitted their responses for
the Insights Condition of Certification requirements in accordance with
our proposals. We stated an expectation that the ONC-ACBs would confirm
whether or not the applicable health IT developers submitted responses
for the Insights Condition of Certification requirements within the
compliance schedule. The intent of this responsibility is not to
duplicate the work of the independent entity in collecting and
reviewing the response submissions. Rather, it is meant to support the
ONC-ACBs' other responsibility in Sec. 170.550(l) to ensure that
developers of certified health IT are meeting their responsibilities
under the Conditions and Maintenance of Certification requirements
before issuing a certification.
Comments. Many commenters, including developers of certified health
IT, opposed our expectation related to Sec. 170.407(b)(1) in the HTI-1
Proposed Rule (88 FR 23847) that health IT developers would need to
renegotiate their contracts or business agreements that inhibit their
ability to collect data from their customers in order to comply with
this requirement. Commenters stated that this expectation to
renegotiate contracts or business agreements was unreasonable, not
feasible, or overly burdensome.
Two commenters questioned the authority of ONC to require
developers of certified health IT to renegotiate contracts or business
agreements in order to gain access to customer data for the Insights
Condition. Two developers of certified health IT commented that they
experienced challenges in soliciting participation from customers in
data collection for the Real World Testing Condition despite their
efforts. One commenter noted that it is not feasible to require a
renegotiation of client contracts specific to only one term without
reopening renegotiation of all contract terms. One commenter stated the
amount of time that finding, assessing, negotiating, and re-finalizing
a contract is unreasonable in the proposed timeframe.
Several developers of certified health IT commented that ONC should
require a good faith effort by developers to engage their customers to
participate. Also, commenters suggested ONC include language in the
Insights Condition that allows for exclusions or other flexibilities
from reporting where health IT developers have been unable to obtain
data for measures despite good faith efforts.
Several developers of certified health IT further commented that
establishing a minimum threshold of customers is not a viable way to
address their concerns. One developer of certified health IT commented
that ONC should set the expectation that health IT developers request
participation in data collection under the Insights Condition from all
of their U.S.-based customers of certified health IT and report all of
the data from participants who agree, as well as what percentage of
their total customers this represents. One commenter sought
clarification from ONC on whether there is an expectation that
developers of certified health IT obtain numerator and denominator data
from every U.S. customer using a product or only those customers
agreeing to participate.
One commenter noted that time and cost estimates were not included
in the Regulatory Impact Analysis for effort necessary from developers
of certified health IT, or health systems, for contract renegotiation
expectations related to Sec. 170.407(b)(1). The commenter further
noted that effort from both health IT developers and health systems
would be necessary for each renegotiated contract.
Response. We appreciate the commenters' concerns regarding the
feasibility of requiring developers of certified health IT to
renegotiate contracts, when needed, with their customers to comply with
the Insights Condition requirements. In response to public comment, we
have removed this proposed requirement. In a scenario where a developer
of certified health IT has contracts or business agreements with a
customer that inhibit the health IT developer's ability to comply with
the Insights Condition requirements, the health IT developer may
exclude that customer's data for reporting under the Insights
Condition.
In Sec. 170.407(b)(1) in the HTI-1 Proposed Rule (88 FR 23847) we
proposed that health IT developers provide us metrics based upon data
from all their customers. In response to health IT developers
expressing concerns regarding the difficulty in obtaining data from
clients whose contracts would require updating to access the needed
data, we have scaled back our requirement for health IT developers to
provide complete data on all clients. In addition to the data on
available clients that they report, health IT developers will provide
ONC with information on the degree to which the data they are
submitting is complete. We emphasize that the Insights Condition
fulfills the Cures Act specified requirements in section 4002(c) to
establish an Electronic Health Record (EHR) Reporting Program to
provide transparent reporting on certified health IT with respect to
all certified technology offered by a health IT developer, and
therefore, health IT developers should be as inclusive as possible.
[[Page 1348]]
Based upon the suggestion we received via comments, we have
finalized in Sec. 170.407(a)(1)(i)(C) that health IT developers will
report the percentage of their total customers, as represented by
hospitals for inpatient products and clinician users for their
outpatient products, that are included in their reported data for each
metric for which they submit a response. The percentage of health care
providers that are represented in the data provides transparency on the
degree to which the data are complete. Specifically, we seek to
determine whether the aggregated data that we receive from all health
IT developers will produce nationally representative measures will be
critical to generate and report the derived statistics and explain the
results. For example, if the percentage of total customers represented
is low across many health IT developers, then we would know that the
data are incomplete. This in turn, would enable ONC to consider whether
it would be valid to generate statistics at the national level.
Overall, this information shall help ONC interpret the results and
allow us to assess the degree to which the data are complete.
Comments. Many commenters opposed our proposal in Sec.
170.407(b)(1)(i) for the first Insights Condition reporting period to
begin in April 2024. Some commenters stated the timeline was
unrealistic, not feasible, or impossible given timeframes to develop,
deploy, test, and build the capability to compile the data. Commenters
offered various alternative timelines for the first Insights Condition
reporting period to begin. Several commenters requested delaying the
first reporting period to begin in calendar year 2025, such as in
January, April, or October of 2025. Several commenters requested
delaying the first reporting period to begin in calendar year 2026.
Some commenters requested delaying the first reporting period to begin
18 months after the final rule publication. One commenter requested ONC
reconsider implementation over a four- or five-year timeframe. One
commenter suggested longer timelines to ensure measures are validated
before phasing in new measures.
Response. We thank commenters for the feedback and have revised the
Insights Condition timelines. We have finalized in Sec.
170.407(b)(1)(i) to delay the first reporting period to allow
developers of certified health IT adequate time to develop and
implement the Insights Condition measures and related metrics. We have
finalized that the first data collection period will be January to
December 2026, followed by the submission of the first phase of
measures and related metrics due in July of 2027. This represents
``year one'' of the Insights Condition requirements. Reporting is on an
annual basis thereafter. We have further extended our phased approach
to measure requirements, including layering complexity associated with
certain measures over the course of three years, so that certain
measures (and related metrics) start in year one, while other measures
or stratifications to existing measures begin in subsequent years. We
have finalized ``year 2'' measures and related metrics start data
collection in calendar year 2027, with responses due in July 2028, and
annually thereafter. Finally, we have finalized ``year 3'' measures and
related metrics start data collection in calendar year 2028, with
responses due in July 2029 and annually thereafter. The phasing of the
measures and related metrics are illustrated in the table in this
section of the preamble.
We also appreciate the commenter's concern for needing additional
time to assess measure validity. Our revised approach of phasing in
more complex aspects of each of the measures enables reviewing baseline
measures before adding complexity. Furthermore, our revised approach
provides additional time for measure development and implementation and
will allow us to apply lessons learned from the smaller set of measures
to inform the implementation of next set.
Comments. Most commenters opposed our proposal in Sec.
170.407(b)(1) to require the frequency of semiannual (i.e., every six
months) data collection and reporting under the Insights Condition.
Most commenters suggested an annual frequency of data collection and
reporting to reduce burden. Many of these commenters suggested using a
calendar-year reporting period with reporting to occur mid-year to
better align with the CMS Promoting Interoperability Programs and the
Real World Testing Condition, and to avoid other April/October
requirements for Attestations submissions. One health system commenter
suggested an annual reporting period that does not overlap with
clinical quality measure reporting schedules. One commenter stated that
semiannual reporting would require two product upgrades within a one-
year timeframe and that their customers would not be willing to comply.
Three commenters supported our proposal to require semiannual (i.e.,
every six months) data collection and reporting in April and October.
One health IT developer commented the proposed six-month intervals are
feasible with current technology and not overly burdensome to health IT
developers. Commenters supported our proposal in Sec. 170.407(b)(1)
for six months to assemble and assess data collected prior to reporting
under the Insights Condition.
Response. We appreciate the feedback on reporting frequency and the
concerns expressed related to burden. To address these concerns, we
have finalized to reduce the reporting frequency to annually (once per
year) in Sec. 170.407(b), on a calendar year cycle, with data
collection to be completed from January to December. We have maintained
the six-month data assembly period, such that reports for a given
calendar year will be due to be submitted in July of the following
calendar year.
Comments. Many commenters requested clarification on whether
developers of certified health IT have the flexibility to reuse the
Insights Condition reporting measurements and outputs for their Real
World Testing plans and results.
Response. We appreciate the commenters request for clarity. We
appreciate that the data collected related to the Insights Condition
and Real World Testing could overlap. Therefore, developers of
certified health IT can choose to repurpose the Insights Condition
reporting measurements and/or data as part of their Real World Testing
plans and results.
Comments. One health IT developer suggested that ONC apply its
experience with Real World Testing to reduce measure ambiguity and
provide Real World Testing reports as examples for health IT developers
to use in planning for the Insights Condition.
Response. We agree with the commenter that the Real World Testing
Condition provides relevant experience for health IT developers. We
considered Real World Testing Condition reports in developing our
proposals for the Insights Condition and intend to provide examples. We
plan to leverage a system linked to the CHPL for reporting to make the
process similar to other certification related processes. We will use
web-based forms within that system for submission and plan to provide
templates for health IT developers to use in their data submission for
the Insights Condition. The templates will enable health IT developers
to submit the data (as noted in the 88 FR 23847) in a machine-readable
format, such as JavaScript Object Notation (JSON). We also intend to
provide educational sessions and resources for health IT developers to
support electronic reporting of the metrics and related documentation.
[[Page 1349]]
Comments. Some commenters recommended that ONC expand its
governance structure to include patients and other clinicians in
reviewing Insights Condition and Real World Testing results to identify
new opportunities for action.
Response. We thank the commenters for the input. As described in
our HTI-1 Proposed Rule, ONC, and our contractor, conducted various
engagement efforts with a variety of groups having potential interests
in the Insights Condition. This engagement process \219\ included a
request for information by ONC, public forums, listening sessions, and
discussions with experts and key groups, including health IT end users
(e.g., clinicians) and health IT developers. In addition to this
engagement and public comments, the Health IT Advisory Committee
(HITAC), which includes patient advocates and clinicians, provided
recommendations \220\ to ONC that informed the Insights Condition. We
will continue to look for opportunities to obtain input from a variety
of perspectives, including patients and clinicians, on the Insights
Condition.
---------------------------------------------------------------------------
\219\ https://www.urban.org/research/publication/what-comparative-information-needed-ehr-reporting-program.
\220\ https://www.healthit.gov/sites/default/files/page/2022-07/2021-09-09_EHRRP_TF_2021__HITAC%20Recommendations_Report_signed_508_Edit.pdf.
---------------------------------------------------------------------------
Comments. One health care provider organization recommended that
ONC make the Insights Condition metrics easily accessible to users of
certified health IT and to the public. One health IT developer sought
clarification from ONC if we intend to calculate and display
percentages using the reported numerators and denominators across the
universe of certified health IT that reported for a given measure, or
if we intend to calculate and display metrics at the developer or
product level. Another commenter encouraged ONC and developers of
certified health IT under the Insights Condition to evaluate measure
reliability and validity of the reported data before publicly
reporting.
Response. We thank the commenter for the opportunity to clarify how
ONC will calculate and display the Insights Condition metrics. In
accordance with the Cures Act, we intend to make responses (the metrics
and required documentation) to the Insights Condition publicly
available on an ONC website. Prior to publicly releasing the data or
publishing metrics, we will review and analyze the data to assess
completeness and generalizability, which relate to the reliability and
validity of the data. After this analysis, we will determine what
level(s) the calculated metrics would be displayed, such as at the
product, developer and/or national level. The aggregated data that is
reported needs to have an adequate number of data points at any given
level to make sure the metrics displayed are valid and reliable.
Comments. One commenter recommended that ONC create a public list
of the certification status of health IT developers.
Response. We thank the commenter for this input, and note that ONC
maintains the Certified Health IT Products List (CHPL) at https://chpl.healthit.gov/, which is a comprehensive and authoritative listing
of all certified health information technology that have been
successfully tested and certified by the Program and includes current
certification statuses.
Comments. One commenter suggested requiring health IT developers to
report on whether the certified health IT is hosted by the health IT
developer or installed locally under the direct control of the user.
Further, the commenter noted that this information may provide insight
into usage patterns and adoption of cloud services and other technology
that can inform HHS regulations.
Response. We thank the commenter for this suggestion, and we agree
that this data element could be useful and informative in assessing the
state of the certified health IT marketplace. We may consider this for
future rulemaking.
Comments. A commenter stated that ONC-ACBs will need more detailed
information on the degree of surveillance and validation that ONC-ACBs
will need to provide in support of the Insights Condition reporting
process in order to plan appropriately.
Response. Similar to other Conditions and Maintenance of
Certification requirements, we will provide additional guidance to ONC-
ACBs regarding their role and requirements related to oversight of the
Insights Condition as the workflow and reporting systems for the
Insights Condition are developed and finalized.
G. Requests for Information
1. Laboratory Data Interoperability Request for Information
We sought public feedback in the HTI-1 Proposed Rule (88 FR 23848)
that may be used to inform a study and report required by Division FF,
Title II, Subtitle B, Ch. 2, Section 2213(b) of the Consolidated
Appropriations Act, 2023 (Pub. L. 117-328, Dec. 29, 2022), or future
rulemaking regarding the adoption of standards and certification
criteria to advance laboratory data interoperability and exchange.
We sought public comment generally on any topics identified in the
Consolidated Appropriations Act, 2023, Section 2213(b) study on the use
of standards for electronic ordering and reporting of laboratory test
results, such as the use of health IT standards by clinical
laboratories, use of such standards by laboratories and their effect on
the interoperability of laboratory data with public health systems,
including any challenges of the types identified above. We also sought
comment on whether ONC should adopt additional standards and
laboratory-related certification criteria as part of the Program. We
received many valuable comments on this RFI. We appreciate the input
provided by commenters and may consider their input to inform a future
rulemaking.
2. Request for Information on Pharmacy Interoperability Functionality
Within the ONC Health IT Certification Program Including Real-Time
Prescription Benefit Capabilities
Section 119 of Title I, Division CC of the Consolidated
Appropriations Act, 2021, (Pub. L. 116-260) (CAA), requires PDP
sponsors of prescription drug plans to implement one or more real-time
benefit tools (RTBTs) after the Secretary has adopted a standard for
RTBTs and at a time determined appropriate by the Secretary. The law
specified that a qualifying RTBT must meet technical standards named by
the Secretary, in consultation with ONC. Section 119(b)(3) also amended
the definition of a ``qualified electronic health record'' in section
3000(13) of the PHSA to specify that a qualified electronic health
record must include or be capable of including an RTBT. In the 2014
Edition Final Rule, ONC established the term ``Base EHR,'' based on the
``Qualified EHR'' definition, for use within the Program (77 FR 54262).
As stated in the HTI-1 Proposed Rule (88 FR 23848), we intend to
propose in future rulemaking the establishment of a real-time
prescription benefit health IT certification criterion within the
Program and include this criterion in the Base EHR definition in Sec.
170.102. We intend to propose a criterion that would certify health IT
to enable a provider to view within the electronic prescribing workflow
at the point of care patient-specific benefit, estimated cost
information, and viable alternatives. We are also considering a
proposal to adopt and reference the National Council for Prescription
Drug Programs (NCPDP) Real-Time Prescription Benefit (RTPB) standard
version 12 as part of the potential
[[Page 1350]]
certification criterion.\221\ This standard would enable the exchange
of patient eligibility, product coverage, and benefit financials for a
chosen product and pharmacy, and identify coverage restrictions and
alternatives when they exist.
---------------------------------------------------------------------------
\221\ For further information about implementing the NCPDP RTPB
standard version 12, see resources at https://standards.ncpdp.org/Access-to-Standards.aspx.
---------------------------------------------------------------------------
While we believe that implementing RTBT functionality required for
inclusion in the Program under the CAA would be an important step
towards improving prescribing experiences for providers and patients,
we recognize that it is only one of a series of capabilities that are
part of a comprehensive workflow for evaluating and prescribing
medications (88 FR 23849).
Today, the Program addresses these additional capabilities in a
limited manner. For instance, in the ONC Cures Act Final Rule, ONC
adopted NCPDP SCRIPT standard version 2017071 and updated the
``electronic prescribing'' certification criterion in Sec.
170.315(b)(3)(ii) to reflect this standard, including specifying
electronic prior authorization transactions supported by the standard
as optional transactions, which health IT developers can elect to have
explicitly tested, or not, as part of certification of a product to
Sec. 170.315(b)(3) (85 FR 25680).
A ``drug-formulary and preferred drug list checks'' certification
criterion had been established for the 2015 Edition in Sec.
170.315(a)(10) but was later removed from the Program by the ONC Cures
Act Final Rule (85 FR 25660). ONC removed the criterion due to the lack
of associated interoperability standards and to reduce certification
burden on developers as this functionality had been widely adopted
across industry.
We requested comment in the HTI-1 Proposed Rule (88 FR 23849) from
the public about specific issues related to establishing a
certification criterion using NCPDP RTPB standard version 12 and other
potential actions that could support complementary and interoperable
workflows. Given the statutory definition in PHSA Sec. 3000(13) of
``qualified electronic health record'' as an electronic record of
health-related information on an individual that includes, or is
capable of including, RTBT functionality, we sought to understand
whether ONC should offer or require certification of other capabilities
to optimize the value of real-time prescription benefit capabilities to
clinicians and patients.
We requested input on how developers of certified health IT may be
able to support drug price transparency, patient choice, and meet other
market demands while ensuring reliable and trusted performance. We
received many insightful comments on this RFI. We appreciate the input
provided by commenters and may consider their input to inform a future
rulemaking.
3. FHIR Standard
This request for information included in the HTI-1 Proposed Rule
(88 FR 23855) focused on the FHIR standard for APIs (including FHIR
Subscriptions, CDS Hooks, FHIR standards for scheduling, and SMART
Health Links) and aligned with our aims of advancing interoperability
through the use of APIs for treatment, payment and operations use
cases. We welcomed technical and policy comments as we consider the
potential applicability of these standards and specifications. We
received many insightful comments on this RFI. We appreciate the input
provided by commenters and may consider their input to inform a future
rulemaking.
IV. Information Blocking Enhancements
In the HTI-1 Proposed Rule (88 FR 23746), we proposed enhancements
to support information sharing under the information blocking
regulations and to promote innovation and competition, as well as
address market consolidation (see Executive Summary discussion at 88 FR
23749 and 88 FR 23754 through 23755; see also preamble discussion in
section IV of the HTI-1 Proposed Rule at 88 FR 23857 through 23873). We
proposed new and revised definitions of terms for purposes of the
information blocking regulations in 45 CFR part 171. The revisions to
definitions included, as discussed in section IV.B.3, the removal of
references to a period of time now passed in the information blocking
definition (Sec. 171.103). We proposed (as discussed in IV.B.3 of this
preamble) to remove reference to the period of time, now passed, from
the exception in 45 CFR 171.301. We proposed, consequently, to rename
the ``Content and Manner Exception'' to simply the ``Manner
Exception.'' Each of these proposals is discussed, and public comments
received on each proposal summarized, in section IV.B of this preamble.
We proposed enhancements to certain information blocking exceptions
that had been established by the ONC Cures Act Final Rule (85 FR
25642). We proposed to clarify the uncontrollable events condition of
the Infeasibility Exception (Sec. 171.204) to make it clear that an
uncontrollable event must in fact have affected the actor's ability to
fulfill requests for access, exchange, or use of EHI (for a more
detailed summary, please see section IV.C.1.a of this preamble). We
also proposed to create new conditions for (options through which to
satisfy) the Infeasibility Exception when an actor has exhausted the
Sec. 171.301 Manner Exception and, separately, when a third party
requests to modify EHI held by the actor. These conditions are
discussed in sections IV.C.1.b and IV.C.1.c of this preamble. As
discussed in section IV.C.2 of this preamble, we proposed to add a
TEFCA manner condition to the proposed revised and renamed Manner
Exception codified in 45 CFR 171.301 (see 88 FR 23872 through 23873).
The HTI-1 Proposed Rule included (at 88 FR 23873 through 88 FR
23876) three information blocking requests for information (RFIs). The
first of these RFIs sought information on potential additional
exclusions from the definition of ``offer health IT.'' The second
sought information on possible additional TEFCA reasonable and
necessary activities. The third sought information on health IT
capabilities for data segmentation and user or patient access. We
discuss these requests for information below, in section IV.D.1 through
IV.D.3 of this preamble.
A. General Comments
Comments. In general, commenters expressed support for the proposed
enhancements and for updating the regulations over time to improve
clarity or reduce burdens for actors while continuing to encourage
interoperable access, exchange, and use of EHI to the full extent
permitted by applicable law and consistent with individual patients'
privacy preferences. Some commenters made suggestions, recommendations,
or requests for additional guidance, information and educational
resources, or for other tools to help actors appropriately share
information and avoid conduct that would be considered ``information
blocking'' (as defined in 45 CFR 171.103).
Response. We appreciate the support expressed by many commenters.
We include below additional explanation of provisions of this final
rule. Requests, recommendations, or suggestions that we provide
additional guidance, resources, or tools relevant to information
blocking are appreciated. As part of our ongoing outreach and education
efforts, all feedback and information we receive helps to inform our
consideration and development of resources such as webinar
[[Page 1351]]
presentations, fact sheets, and frequently asked questions (FAQs).
Comments. Several comments advocated for specific changes to the
information blocking regulations, to other HHS regulations, or to state
law. For example, a commenter advocated ``aligning HIPAA rules, 42 CFR
part 2 requirements, and other state and federal laws with information
blocking regulations.'' Another commenter stated that ``ONC needs to
clarify the national requirements for production of complete medical
records, especially absolute transparency on corrections, deletions,
delayed entries, and original content, upon ordinary request.'' A
commenter indicated health IT users may mis-apply the designated record
set (DRS) definition to electronic records and stated that ONC ``needs
to consider discouraging inappropriate DRS definition-based information
blocking of complete medical records through significant, powerful
disincentives.'' One commenter advocated for ONC to narrow the health
information network definition ``and clearly state in the regulatory
text payers are not included in this definition and thus are not
subject to the information blocking provision.'' Another commenter
expressed a view that specifying in the information blocking
definition's regulatory text the persons whose records access can be
affected by a practice would make the rule stronger.
Response. Comments related to the following are outside of the
scope of the information blocking provisions of this rulemaking:
establishment of health care provider disincentives for information
blocking conduct; changes to HHS regulations outside 45 CFR part 171;
adoption of requirements for creation or retention of specific metadata
by all health care providers nationwide; and any change to any state or
tribal law. However, comments recommending policy changes outside the
scope of this rule are part of the rulemaking record, and we may refer
to them as an information source when assessing potential future
rulemaking or outreach and education activities.
Comments. A substantial number of comments expressed concerns about
a perceived conflict between the goals of maximizing information
sharing and appropriately protecting patients' privacy interests. These
comments generally associated these concerns with specific policy
recommendations, including the creation of new information blocking
exception(s). Some commenters suggested that some Sec. 171.102 actors
may believe they have no option under information blocking regulations
but to enable the access, exchange, or use of all EHI in all
situations--including those where only some of the EHI can be used or
disclosed consistent with privacy laws or the patient's individual
privacy preferences. A few of these commenters specifically noted
sensitive information or information associated with sensitive types of
care, such as reproductive or behavioral health care.
Response. Some of the policy recommendations that commenters
offered to address these concerns, such as to establish new exceptions
or implement revisions beyond anything described in the HTI-1 Proposed
Rule, were outside the scope of this rulemaking. Some provisions
advocated by commenters appear to duplicate provisions already in
place, such as provisions of the Privacy Exception (Sec. 171.202) and
the Infeasibility Exception (Sec. 171.204). The expressed concerns and
advocacy of duplicative policy provisions suggest it may be helpful to
highlight here certain aspects of how the information blocking
regulations currently operate.
Where applicable law prohibits a specific access, exchange, or use
of information, the information blocking regulations consider the
practice of complying with such laws to be ``required by law.''
Practices that are ``required by law'' are not considered ``information
blocking'' (see the statutory information blocking definition in
section 3022(a)(1) of the PHSA and the discussion in the ONC Cures Act
Final Rule at 85 FR 25794). For example, when the HIPAA Privacy Rule
prohibits a covered entity or business associate from disclosing PHI,
an actor who is also a covered entity or business associate can comply
fully with the HIPAA Privacy Rule without implicating the information
blocking regulations. For another example, a Sec. 171.102 actor
subject to a state or tribal law that expressly prohibits a certain
access, exchange, or use of EHI can comply fully with that state or
tribal law without implicating the information blocking regulations.
We recognize that even where federal, state, or tribal law does not
expressly prohibit the actor from fulfilling a request to access,
exchange, or use EHI, or require an actor to engage in particular
privacy-protective practices, an actor may nevertheless wish to engage
in practices likely to interfere with access, exchange, or use in order
to honor their patients' privacy preferences. Actors covered by the
information blocking regulations--health IT developers of certified
health IT, health information networks or health information exchanges
(HIN/HIEs), and health care providers--may seek certainty that the
privacy-protective practices that are not required of them by law, but
in which they choose to engage, will not meet the definition of
information blocking.
In the ONC Cures Act Final Rule, we established the Privacy
Exception (45 CFR 171.202) to ensure that actors can engage in
reasonable and necessary practices that advance the privacy interests
of individuals (see 85 FR 25845 through 25859) without committing
``information blocking'' as defined in section 3022(a)(1) of the PHSA
and 45 CFR 171.103.
For example, the information blocking regulations in 45 CFR part
171 accommodate the fact that, in various circumstances, other
applicable law (federal, state, or tribal) does not permit EHI to be
used or disclosed unless certain preconditions are met. The
Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the
Privacy Exception outlines a framework for actors to follow to be
assured their practices of not fulfilling requests to access, exchange,
or use EHI will not constitute information blocking when a precondition
of applicable state, tribal, or federal law has not been satisfied.
In addition, for purposes of the Precondition Not Satisfied sub-
exception, an actor operating under multiple state laws, or state and
tribal laws, with inconsistent preconditions for EHI disclosures may
choose to adopt uniform policies and procedures to address the more
restrictive preconditions (45 CFR 171.202(b)(3)).
Examples that highlight the alignment between the HIPAA Privacy
Rule and the information blocking regulations are included in the
``HIPAA Privacy Rule and Disclosures of Information Relating to
Reproductive Health Care'' guidance issued by the Office for Civil
Rights. As outlined in this guidance, there are certain preconditions
that must be met before disclosures about reproductive health care can
be made by health care provider workforce members, including to law
enforcement officials. For instance, if a law enforcement official
requests records of abortions from a reproductive health care clinic:
``If the request is not accompanied by a court order or other mandate
enforceable in a court of law, the Privacy Rule would not permit the
clinic to disclose PHI in response to the request. Therefore, such a
disclosure would be impermissible and constitute a breach of unsecured
PHI requiring notification to HHS and the individual affected.'' In
this example, federal law does not permit the disclosure of EHI unless
certain requirements are met, and therefore, the
[[Page 1352]]
actor's practice not to disclose EHI would not be information blocking.
We note that this is just one example of how the HIPAA Privacy Rule
gives individuals confidence that their protected health information,
including information relating to abortion and other sexual and
reproductive health care, will be kept private. Please see the guidance
from the Office for Civil Rights for additional information and
examples.\222\
---------------------------------------------------------------------------
\222\ https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.
---------------------------------------------------------------------------
We also note that information blocking regulations in 45 CFR part
171 accommodate an actor, if they so choose, agreeing to an
individual's request for restrictions on sharing of the individual's
EHI beyond the restrictions imposed by applicable law(s). Specifically,
where the requirements specified in 45 CFR 171.202(e) are met, the
Respecting an Individual's Request Not to Share Information (Sec.
171.202(e)) sub-exception of the Privacy Exception applies to an
actor's practice of honoring an individual's request not to provide
access, exchange, or use of the individual's EHI. This aligns with the
individual's right to request a restriction on certain uses and
disclosures of their PHI under the HIPAA Privacy Rule (45 CFR
164.522(a)(1)), to which an actor that is a covered entity may choose
to agree but is not required by the HIPAA Privacy Rule to agree.
In scenarios where a Sec. 171.102 actor that is also subject to
the HIPAA Privacy Rule must agree to the request of an individual to
restrict disclosure of PHI as provided in 45 CFR 164.522(a)(1)(vi), the
actor's practice of agreeing to the request and complying with all
requirements of 45 CFR 164.522 applicable to such requests and
restrictions is, in our view, a practice that is ``required by law.''
We reiterate that practices that are required by law are excluded from
the statutory (PHSA section 3022(a)(1)) as well as the regulatory (45
CFR 171.103) definition of information blocking without needing to also
satisfy any of the 45 CFR part 171 exceptions. Therefore, when a Sec.
171.102 actor that is also a HIPAA covered entity engages in a practice
of complying with all requirements of 45 CFR 164.522 that are
applicable to requests to which a covered entity must agree (as
provided in 45 CFR 164.522(a)(1)(vi)) then that actor would not need to
also satisfy the Respecting an Individual's Request Not to Share
Information (45 CFR 171.202(e)) sub-exception of the Privacy Exception
in order for that practice to not be considered information blocking.
The practice would be excluded from the definition of information
blocking because it would be ``required by law'' and, therefore, an
information blocking exception for the practice would not be needed.
We refer commenters and other readers interested in learning more
about the interaction of the information blocking regulations with the
HIPAA Rules and other laws protecting individuals' privacy interests to
the discussion of the Privacy Exception in the ONC Cures Act Final Rule
(85 FR 25642, 85 FR 25845 through 25859). We also highlight the
availability of additional resources through our website (start at:
https://www.healthit.gov/topic/information-blocking). Resources focused
on how the information blocking rules work in harmony with privacy laws
include, for example, an ONC Health IT buzz blog post titled
``Information Blocking Regulations Work in Concert with HIPAA Rules and
Other Privacy Laws to Support Health Information Privacy'' \223\ and
the following three frequently asked questions (FAQs) highlighting how
information blocking regulations work in tandem with the HIPAA Privacy
Rule and other privacy protective laws:
---------------------------------------------------------------------------
\223\ https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy.
(Retrieved 7/12/2023.)
---------------------------------------------------------------------------
Would it be information blocking if an actor does not
fulfill a request to access, exchange, or use EHI in order to comply
with federal privacy laws that require certain conditions to have been
met prior to disclosure? \224\
---------------------------------------------------------------------------
\224\ Information blocking FAQ identifier: IB.FAQ48.1.2023APR.
URL: https://www.healthit.gov/faq/would-it-be-information-blocking-if-actor-does-not-fulfill-request-access-exchange-or-use-ehi.
(Retrieved 7/12/2023.)
---------------------------------------------------------------------------
If an actor, such as a health care provider, operates in
more than one state, is it consistent with the information blocking
regulations for the health care provider to implement practices to
uniformly follow the state law that is the most privacy protective
(more restrictive) across all the other states in which it operates?
\225\
---------------------------------------------------------------------------
\225\ Information blocking FAQ identifier: IB.FAQ49.1.2023APR.
URL: https://www.healthit.gov/faq/if-actor-such-health-care-provider-operates-more-one-state-it-consistent-information-blocking.
(Retrieved 7/12/2023.)
---------------------------------------------------------------------------
If an individual requests that their EHI not be disclosed,
is it information blocking if an actor does not disclose the EHI based
on the individual's request? \226\
---------------------------------------------------------------------------
\226\ Information blocking FAQ identifier: IB.FAQ47.1.2023APR.
URL: https://www.healthit.gov/faq/if-individual-requests-their-ehi-not-be-disclosed-it-information-blocking-if-actor-does-not.
(Retrieved 7/12/2023.)
---------------------------------------------------------------------------
The Infeasibility Exception may also be applicable to matters of
patient privacy preferences. Established by the ONC Cures Act Final
Rule, the Infeasibility Exception (45 CFR 171.204) applies when an
actor's practice meets one of the conditions set forth in Sec.
171.204(a) and also meets the condition in Sec. 171.204(b) (see 85 FR
25958, see also preamble discussion at 85 FR 25866 through 25870). The
segmentation condition of the Infeasibility Exception (Sec.
171.204(a)(2)) can be met in conjunction with other exceptions to
provide actors assurance that their practice does not constitute
information blocking. The segmentation condition is applicable when the
actor cannot fulfill the request for access, exchange, or use of EHI
because the actor cannot unambiguously segment the requested EHI from
EHI that:
cannot be made available due to the individual's
preference (such as where the individual has requested that the EHI not
be shared with a specific person(s), for a specific purpose(s), or
both); \227\
---------------------------------------------------------------------------
\227\ We use ``individual'' here, and for purposes of Sec.
171.204 in general, as it is defined in Sec. 171.202(a).
---------------------------------------------------------------------------
cannot be made available by law, for example, the HIPAA
Privacy Rule, other federal law, or applicable state or tribal law does
not permit the EHI to be made available to the person seeking it, for
the purpose it is sought, or both; or
may be withheld in accordance with the Preventing Harm
Exception (45 CFR 171.201).
Applicable law may restrict providing certain types of EHI to a
person or class of persons, for a specific purpose, or a combination of
types of persons and specific purposes. For example, federal, state, or
tribal law may require that certain information not be accessed, used,
or exchanged by the person seeking it, for the purpose it is sought, or
both. As we discuss above, an actor can, without engaging in
``information blocking,'' withhold information as required by law or
withhold information by meeting the Pre-condition Not Satisfied sub-
exception. Similarly, an individual (see definition of ``individual''
in Sec. 171.202(a)) may express a preference that some or all of the
EHI for a particular patient not be shared with a specific person(s),
for a specific purpose(s), or a specific combination of person(s) and
purpose(s). Such a preference could be expressed, for example, by the
individual making a request that a HIPAA covered entity restrict uses
and disclosures of their PHI that Sec. 164.522
[[Page 1353]]
requires covered entities to permit an individual to make. As we
discuss above, and in accordance with the Sec. 171.202(e) Respecting
an Individual's Request Not to Share Information sub-exception, an
actor may withhold information that a patient has requested the actor
not share.
The example above illustrates a specific alignment between the
information blocking regulations and HIPAA Privacy Rule. However, the
Sec. 171.202(e) sub-exception's alignment with the individual's right
under the HIPAA Privacy Rule to request restrictions does not limit the
sub-exception's availability to actors who are also subject to the
HIPAA Privacy Rule's requirements. Nothing in the Sec. 171.202(e) sub-
exception limits its availability based on whether the actor is a HIPAA
covered entity or business associate that must comply with the HIPAA
Privacy Rule. Likewise, Sec. 171.202(e) does not focus on whether the
individual requested restrictions under any specific provision of the
HIPAA Privacy Rule. Therefore, for purposes of the information blocking
regulations, the Sec. 171.202(e) Respecting an Individual's Request
Not to Share Information sub-exception can be satisfied by any actor
who chooses to meet the requirements of the sub-exception.
We recognize many actors may currently be unable to unambiguously
segment reproductive health and behavioral health information indicated
by some commenters on the information blocking provisions as sensitive
information, as well as gender-affirming care information, from other
EHI. These are also examples of types of information for which
individuals may be likely to request restrictions on uses or
disclosure. These are, however, not the only types of information to
which the Infeasibility Exception's segmentation condition might apply.
As we noted in the HTI-1 Proposed Rule, a health care provider might
choose to honor a patient's request for restrictions on sharing of
their EHI even if the provider did not know the patient's specific
reasons for the request. The Respecting An Individual's Request Not To
Share Information sub-exception (Sec. 171.202(e)) does not specify
that the individual requesting restrictions should have particular
reasons for requesting restrictions, or be required to share their
reasoning with the health care provider or other actor of whom they
make the request (88 FR 23874).
Where an actor engaging in a practice that is not (or practices
that are not) fully covered by a single exception seeks certainty that
such practices do not constitute information blocking, the actor could
choose to satisfy several applicable exceptions that, in complement, do
fully cover their practices. Applicable exceptions, and combinations of
exceptions, will vary based on the actor's specific practice and
particular facts and circumstances in which they engage and the
practices for which the actor seeks the certainty offered by
information blocking exceptions.\228\
---------------------------------------------------------------------------
\228\ It is important to remember that the information blocking
exceptions defined in 45 CFR part 171 subparts B and C are
voluntary, offering actors certainty that any practice meeting the
conditions of one or more exceptions would not be considered
information blocking. An actor's practice that does not meet the
conditions of an exception would not automatically constitute
information blocking. See, e.g., IB.FAQ29.1.2020NOV, URL: https://www.healthit.gov/faq/if-actor-does-not-fulfill-request-access-exchange-and-use-ehi-any-manner-requested-they-have. (Retrieved 7/
12/2023.)
---------------------------------------------------------------------------
In various circumstances, an actor may wish to engage in one or
more practice(s) that are covered in part, but not fully covered, by
the Privacy Exception (Sec. 171.202) or the Preventing Harm Exception
(Sec. 171.201). In some of these situations, such an actor may want to
consider the potential certainty that could be available by satisfying
a combination of the Infeasibility Exception (Sec. 171.204) with the
Privacy Exception (Sec. 171.202) or with the Preventing Harm Exception
(Sec. 171.201), or any combination of multiple exceptions applicable
to the specific practice in which the actor engages. We provide the
following example to illustrate how the use of a combination of
exceptions might occur. We note that we have intentionally omitted from
this example any consideration of why the individual may request, or
why the actor may have chosen to agree to the individual's request.
This is because the Sec. 171.202(e) sub-exception's application is not
limited based on what particular reasons an individual may have for
requesting restrictions of any or all of their EHI, and does not
specify that an actor must have specific reasons for choosing to grant
rather than deny an individual's request for restrictions. However, as
noted above, these exceptions could be exercised, separately or
together, when an individual requests certain information (e.g.,
reproductive health, behavioral health, or gender-affirming care
information) not be shared or when such information cannot be
unambiguously segmented from other EHI from the reasons noted above.
An individual makes a request of an actor not to share certain EHI.
The actor agrees to the request, documents the request, implements the
request, and does not otherwise terminate the request. After the actor
agrees to the individual's request not to share information, the actor
receives a request for the individual's EHI that encompasses
information the individual requested that the actor not share. The
actor determines that responding to the request is not prohibited by
applicable law. The actor then determines that the actor has the
technical ability to segment out some, but not all, of the requested
EHI from the EHI subject to the individual's request not to share. The
actor notifies the requestor in writing in 10 business days from the
receipt of the request that the actor cannot unambiguously segment the
EHI from the EHI that the actor cannot share for reasons consistent
with the Sec. 171.204(a)(2) segmentation condition. The actor provides
the requestor with EHI the actor can unambiguously segment from the EHI
that is subject to the individual's request, and the actor does not
provide the requester with certain EHI that the actor cannot
unambiguously segment from the EHI subject to the individual's request.
For purposes of this example, the actor has two exceptions
available. First, the actor has received an individual's request not to
share information, elected to grant the individual's requested
restriction on access, exchange, or use of EHI, and met the
requirements of the Sec. 171.202(e) Respecting an Individual's Request
Not to Share Information sub-exception of the Privacy Exception. (Note:
for purposes of the Sec. 171.202(e) Respecting an Individual's Request
Not to Share Information sub-exception, an actor (such as a health IT
developer of certified health IT) who maintains or manages EHI on
behalf of another entity (such as a health care provider) \229\ can
rely on the other entity's practice that meets the sub-exception's
requirements; the individual need not make a duplicative request for
EHI sharing restrictions directly to the actor who is maintaining or
managing EHI on behalf of the other entity.) Because the actor met the
requirements of that sub-exception, the actor's practice of not
providing the requested EHI that cannot be made available due to the
individual's request would not constitute information blocking.
---------------------------------------------------------------------------
\229\ ``Entity'' as used in this paragraph could be an
individual (such as a licensed health care professional) or an
organization (such as a health care facility).
---------------------------------------------------------------------------
Second, the actor cannot unambiguously segment certain EHI
from the EHI that would not be made available due to the individual's
request
[[Page 1354]]
that the actor has agreed to honor. The Infeasibility Exception is
satisfied by a practice that meets a condition in paragraph (a) of
Sec. 171.204, such as the segmentation condition (171.204(a)(2)) and
the responding to requests condition in Sec. 171.204(b). Meeting the
Sec. 171.204(b) condition does not require that an actor fulfill any
EHI in response to any request but does require that the actor provide
the requestor within 10 business days of receipt of the request, in
writing, the reason(s) the request is infeasible. Thus, the actor in
this example would satisfy the Infeasibility Exception for that portion
of EHI that cannot be unambiguously segmented from EHI that cannot be
made available due to the individual's request that the actor has
agreed to honor. In this example, no other exceptions apply to the EHI
that the actor can unambiguously segment from the EHI that cannot be
shared because the actor has agreed to the individual's request not to
share certain EHI. The actor, therefore, provides the EHI that can be
unambiguously segmented and is not subject to the individual's request
not to share information in response to the request. If the actor did
not provide the EHI that can be unambiguously segmented, then the actor
might be engaged in information blocking with respect to the EHI that
can be unambiguously segmented.
We note that this is only one example to illustrate how the
``stacking'' of exceptions may occur. We have chosen to detail here an
example scenario where an individual has requested restrictions to
reinforce actors' and individuals' awareness of the Sec. 171.202(e)
sub-exception and to emphasize that the information blocking
regulations accommodate actors' choosing to respect an individual's
request for restrictions on EHI about the individual. We emphasize,
however, that there may be a wide variety of scenarios where
``stacking'' other combinations of various exceptions with one another,
or with restrictions on use or disclosure of EHI under applicable law,
may occur.
Again, we refer actors and other persons interested in learning
more about how the information blocking regulations, and particularly
the exceptions, work in concert with the HIPAA Rules and other privacy
laws to support health information privacy, to the blog post \230\ as
well as the frequently asked questions referenced and linked above.
---------------------------------------------------------------------------
\230\ https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-regulations-work-in-concert-with-hipaa-rules-and-other-privacy-laws-to-support-health-information-privacy
(Retrieved 12/07/2023.).
---------------------------------------------------------------------------
We will issue additional guidance as needed and intend to propose
additional exceptions in future rulemaking to further support health
information privacy, including for information that patients may view
as particularly sensitive such as reproductive health-related
information.
Comments. A commenter expressed concern about the applicability of
information blocking regulations where there are data interoperability
problems resulting from different implementations of standards by
different EHR vendors.
Response. We thank the commenter for their input. However, we did
not propose information blocking provisions specific to this topic in
the HTI-1 Proposed Rule.
B. Defined Terms
1. Offer Health Information Technology or Offer Health IT
``Health IT developer of certified health IT'' is defined for
purposes of the information blocking regulations in 45 CFR 171.102. As
we discussed in the ONC Cures Act Final Rule (85 FR 25798 through
25799), the definition finalized in that rule includes offerors of
certified health IT who do not themselves develop certified health IT
or take responsibility for the health IT's certification status under
the Program. Specifically, we explained that ``an individual or entity
that offers certified health IT'' would include ``any individual or
entity that under any arrangement makes certified health IT available
for purchase or license'' (85 FR 25798, quoted and cited in the HTI-1
Proposed Rule at 88 FR 23857). Both individuals or entities that
otherwise fall into at least one category of actor as defined in 45 CFR
171.102--such as health care providers--and individuals or entities
that otherwise would not fit the definition of any category of actor
could offer certified health IT that they did not themselves develop or
present for certification. As offerors of certified health IT, these
individuals or entities could engage in conduct that constitutes
information blocking as defined in Sec. 171.103, such as through
contractual terms or practices undertaken in operating and maintaining
health IT deployed by or for another individual or entity.
As discussed in the HTI-1 Proposed Rule (88 FR 23858), we proposed
to codify in Sec. 171.102 a definition of what it means to offer
certified health IT. As proposed, the definition would provide clarity
about the implications under information blocking regulations of making
available funding subsidies and certain features or uses of certified
health IT as well as engaging in certain other conduct (as discussed in
more detail below). Specifically, we proposed to define the term
``offer health information technology'' or ``offer health IT.'' For
ease of reference, in this preamble, we will generally use the shorter
version of the term, ``offer health IT'' when discussing or referencing
the definition. In light of our proposal to establish the ``offer
health IT'' definition, we also proposed (see 88 FR 23915 and 88 FR
23864) to update the wording of the ``health IT developer of certified
health IT'' definition specific to the exclusion of certain self-
developer health care providers. The proposal specific to the ``health
IT developer of certified health IT'' definition is summarized and
discussed in section IV.B.2 below.
As explained at 88 FR 23858 through 23859, the definition we
proposed for offer health IT generally includes providing, supplying,
or holding out for potential provision or supply, certified health IT
under any arrangement or terms, but explicitly excludes arrangements
and activities specified in paragraphs (1) and (2) of the offer health
IT definition (which are discussed in detail in section IV.B.1.a and b,
below). We proposed exclusions of certain arrangements and activities
from the offer health IT definition to serve two primary purposes:
(1) to encourage certain beneficial arrangements under which
providers in need can receive subsidies for the cost of obtaining,
maintaining, or upgrading certified health IT; and
(2) to give health care providers (and others) who use certified
health IT concrete certainty that implementing certain health IT
features and functionalities, as well as engaging in certain practices
that are common and beneficial in an EHR-enabled healthcare
environment, will not be considered an offering of certified health IT
(regardless of who developed that health IT).
We also proposed (in paragraph (3) of the offer health IT
definition in Sec. 171.102) to exclude from the offer health IT
definition the furnishing of certain legal, health IT expert
consulting, or management consulting services to health care providers
or others who obtain and use health IT. The paragraph (3) consulting
and legal services exclusion is discussed in detail in section
IV.B.1.c, below.
The HTI-1 Proposed Rule included examples illustrating when certain
arrangements or activities would or would not fall within a proposed
[[Page 1355]]
exclusion (paragraphs (1), (2), and (3)), and clarified that if any
individual or entity that engages in some conduct consistent with an
exclusion from the offer health IT definition but also engages in other
conduct that meets the definition of offer health IT, that individual
or entity would be considered a health IT developer of certified health
IT. We noted that once an entity meets the definition of health IT
developer of certified health IT based on any of its conduct, that
definition will apply to all practices of the entity.\231\ (see 88 FR
23860 through 23864).
---------------------------------------------------------------------------
\231\ Because we are aware that health care provider
organizations may be, have, or include one or more physician or
other clinicians' professional practices, we note for readers'
clarity that unless otherwise specified (such as by being preceded
by ``clinician'' or ``office''), we use the word ``practice''
throughout the section IV of this preamble with the meaning it has
in 45 CFR 171.102 (i.e., ``an act or omission by an actor'').
---------------------------------------------------------------------------
Comments. More than thirty commenters' submissions included
comments on the offer health IT definition, health IT developer of
certified health IT definition, or both definitions. Of these, over a
dozen expressed general support and none expressed general opposition
to the proposals.
Response. We appreciate all commenters' feedback. We have finalized
the proposed offer health IT definition with one revision to the
wording to replace ``for use by'' with ``for deployment by or for''
other individual(s) and entity(ies). Our response to the comments
summarized immediately below explains why we believe this finalized
wording change improves clarity of the definition for actors and other
interested parties.
Comments. With a reference to the exclusion proposed in paragraph
(2) of the offer health IT definition in Sec. 171.102, the Health
Information Technology Advisory Committee (HITAC) recommended that we
clarify that providing access to registries and similar data services
provided by public health authorities is not considered providing
health IT, regardless of the route used to request/access/receive data
(e.g., through direct logon to a public health information system, via
an app or third-party tool, or via HIN/HIE). The recommendation's
rationale was stated as: ``This change is necessary to provide users
the flexibility to connect to the data resource in the manner of the
user's choosing.'' Other comments requested that we explicitly exclude,
or clarify whether the offer health IT definition excludes, an actor
making EHI available through an API or enabling interaction with an
API. Commenters also requested clarification on whether such an API-
related exclusion would apply to specific types of individuals or
entities, or to specific purposes.
Response. Although focused on the detail of the exclusion proposed
in paragraph (2) of the offer health IT definition in Sec. 171.102,
HITAC's comment informed our review of the interaction between the
wording of the proposed offer health IT definition and the distinction
between the roles of API User and API Information Source, as we had
already defined these roles in Sec. 170.404(c) and (by cross-
reference) Sec. 171.102. Specifically, we believe that wording the
offer health IT definition in Sec. 171.102 to focus (as proposed, see
88 FR 23915) on holding out or providing or supplying under any
arrangement certified health IT ``for use by'' others may be a source
of uncertainty for health care providers, and for others who deploy
Certified API Technology in the role of an API Information Source. This
uncertainty, we believe, relates to the implications for purposes of
the offer health IT definition of a health care provider or other
individual or entity in the role of an API Information Source making
Certified API Technology available to individuals and entities (other
than their own employees and contractors) in the role of API User.
At this point, a brief review of the distinction between our
definitions of the API User and API Information Source roles, with
reference to their establishment in the ONC Cures Act Final Rule (85 FR
25748 through 25749), may help to explain why we now believe clarity is
improved by aligning the wording of the offer health IT definition with
those two definitions. In the ONC Cures Act Final Rule, we finalized in
Sec. 170.404(c) definitions of API User and API Information Source for
purposes of the ONC Health IT Certification Program, and by cross-
reference to Sec. 170.404(c) adopted those same definitions for
purposes of the information blocking regulations in 45 CFR part 171. As
discussed in the ONC Cures Act Final Rule at 85 FR 25748 through 25749,
we received in response to the ONC Cures Act Proposed Rule (see 84 FR
7477 for preamble discussion, 84 FR 7588 for proposed definitions)
comments requesting a definition of a ``First-Order User'' (to include
patients, health care providers, and payers that use apps/services) and
a definition of a ``Third-Party Users'' (to include third-party
software developers, and developers of software applications used by
``API Data Providers''). We decided, as explained in the ONC Cures Act
Final Rule (85 FR 25748 through 25749), that such a distinction was
unnecessary from a regulatory perspective, and we finalized the API
User definition in Sec. 170.404(c) (85 FR 25948) as ``a person or
entity that creates or uses software applications that interact with
the `certified API technology' developed by a `Certified API Developer'
and deployed by an `API Information Source.' '' We also defined an API
Information Source as an organization that deploys certified API
technology created by a Certified API Developer. We noted in the ONC
Cures Act Final Rule that the definitions finalized in Sec. 170.404(c)
were created to describe relationships and to help describe the
Condition and Maintenance of Certification requirements to which
developers participating in the ONC Health IT Certification Program are
subject (85 FR 25749).\232\
---------------------------------------------------------------------------
\232\ As we clarified in the ONC Cures Act Final Rule (85 FR
25749), health care providers are not subject to the Condition and
Maintenance of Certification requirements in Sec. 170.404(c)
``unless they are serving the role of a `Certified API Developer.'
''
---------------------------------------------------------------------------
A vast array of interoperable health IT items and services are
designed and implemented specifically to achieve increasingly efficient
access, exchange, and use of EHI for a wide range of permissible
purposes. Thus, in an interoperable health IT ecosystem, one may see
third-party apps adopted and used by patients, health care providers,
health plans, public health authorities, researchers, and others to
achieve access, exchange, or use of EHI by connecting to, interacting
with, or otherwise making use of Health IT Module(s) deployed within,
for example, a health care provider's EHR system or a public health
authority's case reporting infrastructure. Our definition of API User
in 45 CFR 170.404(c) illustrates this expectation: it includes both
those who create and those who use software applications that interact
with API technology deployed by anyone functioning in the role of an
API Information Source.
We have revised the wording of the finalized offer health IT
definition in order to improve certainty for individuals and entities
who function in the role of an API Information Source (as defined in
Sec. 171.102 by cross-reference to Sec. 170.404(c)) or function in an
equivalent role where any APIs involved are not certified but may be
part of health IT product(s) that also include one or more Health IT
Modules certified under the Program. Specifically, we have replaced in
the finalized offer health IT definition the phrase ``for use'' with
the phrase ``for
[[Page 1356]]
deployment by or for.'' We believe this wording is more consistent with
the distinction between the act of connecting to, interacting with, or
otherwise making use of a health IT item or service (for example, as an
API User) and the act of allowing for such connections or interactions
with the health IT that an individual or entity (for example, a health
care provider) relies on in conducting its own business operations.
In addition, we believe this updated wording encompasses the full
array of models through which individuals and entities obtain health IT
for implementation or other deployment in their operations. We include
``or for'' in this finalized wording to ensure it is clear that the
offer health IT definition is met regardless of whether the customer to
whom the health IT is provided or supplied deploys the health IT by
themselves or deploys the health IT by having the offeror or any third
party(ies) do some or all such implementation and maintenance for them.
Providing or supplying health IT that includes one or more Health
IT Modules certified under the Program meets the offer health IT
definition finalized in Sec. 171.102 regardless of whose employees,
contractors, or consultants actually install, configure, manage, or
maintain such health IT or other health IT with which such health IT
may be integrated, interfaced, or otherwise interact. Likewise, holding
out such health IT meets the offer health IT definition regardless of
whose employees, contractors, or consultants would be needed, expected,
or likely to set it up, manage, or maintain it in the event the holding
out of the health IT resulted in the health IT being provided or
supplied to one or more other individual(s) or entity(ies). To
reinforce this clarity, we note that ``deployment by or for'' includes,
without limitation, all of the following examples in which an
individual's or entity's conduct would meet the offer health IT
definition (and thus meet the health IT developer of certified health
IT definition) in Sec. 171.102:
An individual or entity holds out, or provides or
supplies, health IT for deployment by or for potential customer(s)
under a software-as-a-service (SaaS) model, infrastructure-as-a-service
(IaaS) model, or any combination of these and other model(s) under
which the offeror would implement and maintain on behalf of the
customer any instance of the health IT. For purposes of this example,
it would not matter whether a single-tenant instance would be
implemented for each customer or whether one or more customer(s) would
share multiple-tenant instance(s) of the health IT with the offeror or
other customer(s).
An individual or entity holds out, or provides or
supplies, health IT for the customer(s) to implement themselves, using
any combination of their own employees and contractors, any single- or
multiple-tenant instance(s) of the health IT.
An individual or entity holds out or provides or supplies
health IT that is implemented by a third party to customers. For
purposes of this example, it would not matter whether a single-tenant
instance would be implemented for each customer or whether one or more
customer(s) would share multiple-tenant instance(s) of the health IT
with the third party or other customer(s).
Comments. One commenter requested that we provide guidance or
examples of how we define ``beneficial'' and ``necessary'' in the
context of the exclusions from the offer health IT definition. A
commenter requested guidance on our use of the verb ``hold out'' in the
offer health IT definition. (Comments specific to particular exclusions
are addressed in subsections IV.B.1.a through c, below.)
Response. In the HTI-1 Proposed Rule, we discussed our purposes for
proposing the exclusions, including ``to encourage beneficial
arrangements under which providers in need can receive subsidies for
the cost of obtaining, maintaining, or upgrading certified health IT.''
Thus, ``encourage[ing] beneficial arrangements'' explains our intent
and rationale for the exclusions (88 FR 23858) and the term
``beneficial'' does not appear in the text of any of the exclusions.
The text of each exclusion defines and describes the arrangements that
it excludes from the offer health IT definition.
The word ``necessary'' appeared in the proposed text describing
excluded legal services furnished by outside counsel (subparagraph
(3)(i) of the Sec. 171.102, offer health IT definition). We did not
propose to establish a purpose-specific meaning for the word
``necessary'' in this context. We intended it to have its widely
understood and commonly used meaning of absolutely needed, required, or
of an inevitable nature.\233\ Upon review of the comments, we have
concluded that we can improve the clarity of subparagraph (3)(i) by
deleting the word ``necessary.'' The updated language uses the phrase
``as appropriate to legal discovery'' to encompass the activity of
facilitating the access or use of the client's health IT when it is
necessary as well as when it may be only one of the practicable options
through which the counsel's clients can fulfill their legal discovery
obligations.\234\
---------------------------------------------------------------------------
\233\ See definitions of the adjective ``necessary'' by
Merriam-Webster Dictionary: ``1: Absolutely needed:
required; 2 a of an inevitable nature'' (https://www.merriam-
webster.com/dictionary/
necessary#:~:text=%3A%20absolutely%20needed%20%3A%20required,of%20an%
20inevitable%20nature%20%3A%20inescapable, retrieved Nov 7, 2023);
Dictionary.com: ``1. Essential, indispensable, or
requisite. 2. Happening or existing by necessity.'' (https://www.dictionary.com/browse/necessary, retrieved Nov 7, 2023).
\234\ The offer health IT definition exclusion in subparagraph
(3)(i) encompasses the activities by counsel it describes for both
EHI and other electronically stored information (ESI). For purposes
of legal discovery, ESI includes writings, drawings, graphs, charts,
photographs, sound recordings, images, or other data or data
compilations. (See, e.g., Fed. R. Civ. P. 34(a)(1)(A).).
---------------------------------------------------------------------------
We use the term ``hold out'' in the text of the offer health IT
definition as a transitive verb. As such, we believe ``hold out'' is
generally understood in common usage to mean presenting an item or
service as something realizable, attainable, or for acceptance.\235\
With his common usage in mind, we use ``hold out'' to ensure it is
clear that an individual or entity's activities can meet the definition
of offer health IT without anyone accepting the proffer of a sale (or
resale) or of a license (or relicense), and without anyone otherwise
obtaining or using any Health IT Module(s) from that individual or
entity. This operates as a safeguard against, for example, the holding
out for sale or license one or more ONC-certified Health IT Module(s)
(or products containing such Module(s)) and ultimately only agreeing to
provide non-certified health IT in an attempt to avoid meeting the
offer health IT definition and to avoid being subject to information
blocking regulations. For purposes of the information blocking
regulations, if any individual or entity is holding out health IT that
includes one or more ONC-certified Health IT Modules, that individual
or entity will be considered to be offering health IT and thus would
meet the definition of health IT developer of certified health IT.
---------------------------------------------------------------------------
\235\ See e.g., https://www.merriam-webster.com/dictionary/hold%20out (Retrieved Jul 6, 2023): ``to present something as
realizable: proffer.''
---------------------------------------------------------------------------
We further note that whether such a scenario might implicate other
federal or state laws does not affect whether an individual or entity's
conduct meets the offer health IT definition.
Comments. A commenter requested we ensure adequate protection of
the
[[Page 1357]]
provision of open-source tools developed by open-source communities,
irrespective of the terms on which they are made available, whether the
tool is necessary for use of the product or the provision of care or
whether the tool is integrated into a certified health IT product as
part of the product. This comment appears to convey uncertainty on the
commenter's part about whether a health care provider's (for example, a
health system) integration of open-source modules with the certified
health IT products it deploys (or has deployed by a third party on its
behalf) to support its provision of patient care and other operational
activities meets the offer health IT definition. The commenter also
encouraged ONC to ensure that the provision of clinical decision
support modules by a health system through an open-source community is
protected. This comment also appears to convey uncertainty on the
commenter's part as to if or when a participant in an open-source
community might be considered to offer health IT and, therefore, would
meet the health IT developer of certified health IT definition in Sec.
171.102.
Response. We will discuss here how the finalized definition
addresses these concerns, in the order in which they are summarized
above.
First, specific to a health care provider deploying open-source
health IT to support its provision of patient care and other
operational activities, we do not believe that the fact that the health
care provider is deploying open-source health IT impacts the analysis.
As we discussed above, the offer health IT definition as finalized
aligns with the API User and API Information Source role definitions
previously established in Sec. 171.102 and we believe the finalized
definition of offer health IT provides clarity that deploying \236\
health IT that incorporates one or more Health IT Modules certified
under the Program is not an activity that meets the offer health IT
definition, regardless of whether, or how much of, the health IT in
question was developed by an open-source community or any other source
or developer of health IT. For purposes of the finalized offer health
IT definition, we do not treat deploying a health IT product developed
by an open-source community different from deploying a health IT
product developed by a commercial developer.
---------------------------------------------------------------------------
\236\ As discussed above, the individual or entity ``deploying''
the health IT need not, for purposes of the offer health IT
definition, do any or all of the implementation or maintenance of
the health IT. The deploying individual or entity could have any or
all implementation and maintenance work for the health IT done for
them by the offeror or one or more third party(ies).
---------------------------------------------------------------------------
Also of note, the finalized offer health IT definition focuses on
the holding out or provision or supply of certified health IT products
for deployment by or for other individual(s) or entity(ies). As cited
in the HTI-1 Proposed Rule in connection to the proposed implementation
and use activities exclusion (paragraph (2) of the offer health IT
definition (88 FR 23860)), we noted in the ONC Cures Act Final Rule
that ``some use of a self-developer's health IT may be made accessible
to individuals or entities other than the self-developer and its
employees without that availability being interpreted as offering or
supplying the health IT to other entities in a manner inconsistent with
the concept of `self-developer' '' (85 FR 25799, emphasis added). We
add emphasis here to ``other than . . . its employees'' and ``to other
entities'' to highlight that the offer health IT definition is not met
by an individual or entity deploying health IT for use or
implementation in their own operations by their employees and
contractors in the course of employment or scope of the contract. We
further note that the offer health IT definition is not met when the
action is deployment that makes the health IT available to individuals
in certain non-employee roles other than the deploying entity's
contractors. For these reasons, a health care provider deploying health
IT in the health care provider's own operations would not meet the
offer health IT definition--whether the health IT is open-source or
not.
Turning to the question of participation in an open-source
development effort, we believe the question of which participants in
such communities fall within the definition of offer health IT is,
necessarily, dependent on the specific facts and circumstances of any
given case. For example, relevant facts would include which
participants in an open-source community have undertaken what role(s)
and responsibility(ies) in relation to the certification status of the
Health IT Module(s) involved.
The question of whether or when a participant in an open-source
community engages in conduct that constitutes holding out, or providing
or supplying, health IT that includes at least one certified Health IT
Module is similarly, and also necessarily, dependent on the specific
facts and circumstances of the conduct. In any case, it is also
important to recall that the offer health IT definition that we
proposed, and have finalized, cannot be met unless the technology held
out, or provided or supplied, for deployment by or for others includes
one or more Health IT Module(s) certified under the Program. To the
extent an open-source community produces only non-certified health IT
items or services, the development or offering of that non-certified
health IT would not, of itself, result in the community or its
participants being considered health IT developers of certified health
IT--regardless of whether the product is intended, designed, or fit for
use only in conjunction with certified health IT in general or specific
certified health IT product(s). The community's exclusively non-
certified health IT items or services may be styled, branded, named by
the community, or commonly referenced in the marketplace as products,
apps, modules, or something else without affecting whether the
community's conduct falls within the Sec. 171.102 offer health IT
definition. Neither the holding out nor the providing or supplying of
entirely and exclusively non-certified health IT can meet the offer
health IT definition.
We recognize that once integrated with any deployment of a
compatible certified product (such as ONC-certified EHR software), a
non-certified health IT item such as a macro or template might be
difficult or impossible for the end user (such as a doctor using a
health system's EHR system to document a diagnosis) to distinguish from
the certified health IT product. For individuals or entities who deploy
certified health IT product(s), we recognize that sharing such items
with others may raise questions similar to the one posed by the comment
specific to open-source health IT: does sharing with other individuals
or entities a non-certified item that, as experienced by end users, may
seem like part of a certified health IT product meet the offer health
IT definition? \237\
---------------------------------------------------------------------------
\237\ For ease of reference, we may sometimes refer to suites,
bundles, or other combinations of health IT items, services, or
functions that include one or more Health IT Modules certified under
the Program as ``certified health IT products.''
---------------------------------------------------------------------------
We note that whether an actor's conduct meets the offer health IT
definition is not determined by the end user's perception of what is or
is not part of a single certified health IT product. Likewise, whether
an individual's or entity's conduct meets the offer health IT
definition is not determined by whether a particular health IT item or
service that is not certified health IT can or cannot be used
independently of certified health IT. The individual's or entity's
conduct can meet the offer health IT definition only when the health IT
that the individual
[[Page 1358]]
or entity holds out, or provides or supplies, includes at least one
Health IT Module certified under the ONC Health IT Certification
Program.
Even if a non-certified health IT item or service (for example, a
macro or template) can only be used in conjunction with a specific
certified health IT product, the offer health IT definition is not met
by holding out, or by providing or supplying, for deployment by or for
others only the non-certified health IT item or service. For example, a
health care provider might choose to make available to other members of
a developer's user group a macro that works only with one of the
developer's Health IT Modules that is certified to Sec. 171.315(b)(3).
The hypothetical macro in this example is not a Health IT Module that
is certified under the Program, and does not include any Health IT
Module(s) certified under the Program when the health care provider
makes it available to other members of the user group. In this example
scenario, the act of supplying the non-certified macro to other
individual(s) or entity(ies) does not meet the definition of offer
health IT.
For a similar example, an open-source community or its participants
could make available a ``clinical decision support'' (CDS) algorithm.
In this example, the CDS algorithm is not a Health IT Module that is
certified under the Program. The act of holding out the algorithm for
deployment by or for others does not meet the offer health IT
definition because the algorithm is not certified health IT. Likewise,
the act of providing or supplying the algorithm for deployment by
others does not meet the offer health IT definition. If, however, the
algorithm was included as a part of a certified health IT product, and
an individual or entity holds out, or provides or supplies, the
certified health IT with the algorithm in it for deployment by other
individual(s) or entity(ies), that conduct would meet the offer health
IT definition.
Comments. Two comments on the offer health IT definition referenced
reporting requirements in connection to the offer health IT definition.
These comments did not identify specific reporting requirements they
perceived entities would become subject to by engaging in conduct
meeting the offer health IT definition.
Response. As established by the ONC Cures Act Final Rule and
updated by the provisions finalized in this rule, the information
blocking regulations (45 CFR part 171) do not include any requirements
for any actor to proactively report to ONC.
Comments. Several commenters suggested that hosting, the provision
of hosting services, or ``extending their EHR'' by health care
providers for other health care providers should be excluded from the
definition of offer health IT. One such commenter stated a view that
such organizations should not be considered to offer health IT and
should not be subject to ``more stringent'' information blocking
requirements.
Response. In the HTI-1 Proposed Rule, we did not propose defining
what conduct would meet or not meet the offer health IT definition
based on whether it was done by an individual or entity that otherwise
meets the definition of any type of actor (as the term actor is defined
in Sec. 171.102). These commenters' rationale for excluding hosting,
the provision of hosting services, or ``extending their EHR'' by health
care providers for other health care providers centered on preventing
health care providers engaged in such conduct from also meeting the
definition of health IT developer of certified health IT. Therefore, we
discuss in context of our proposal to update the health IT developer of
certified health IT definition (see section IV.B.2 of this preamble,
below) why we decline to establish at this time any regulatory
provision with the effect these comments advocate.
Summary of finalized policy--offer health IT: we have finalized the
proposed offer health information technology or offer health IT
definition with a revision to its wording in response to comments
received. The wording revision is from ``for use by other individual(s)
or entity(ies)'' to ``for deployment by or for other individual(s) or
entity(ies).''
To increase clarity, we have further revised the definition by
replacing the phrase ``under any arrangement other than the following''
with ``under any arrangement except an arrangement consistent with
subparagraph (3)(iii), below.'' As discussed above, activities
described in other paragraphs and subparagraphs we do not interpret as
holding out or as providing or supplying health IT for deployment by or
for other individuals or entities. Thus, only subparagraph (3)(iii)
functions to exclude from the offer health IT definition arrangements
under which someone obtains from an individual or entity any certified
Health IT Module(s).
To improve readability, we also revised the opening phrases of the
definition. This revision was from ``. . . means to hold out for sale,
resale, license, or relicense; or to sell, resell, license, relicense,
or otherwise provide or supply health information technology (as that
term is defined in 42 U.S.C. 300jj(5)) that includes one or more Health
IT Modules certified under the ONC Health IT Certification Program, . .
.'' to ``. . . means: to hold out for sale, resale, license, or
relicense; or to sell, resell, license, relicense, or otherwise provide
or supply health information technology (as that term is defined in 42
U.S.C. 300jj(5) and where such health information technology includes
one or more Health IT Modules certified under the ONC Health IT
Certification Program) . . .'' as finalized.
For readability, we added a second sentence to the offer health IT
definition that also enhances clarity as to the function of the
definition's subparagraphs on the whole. That added sentence reads:
``Activities and arrangements described in subparagraphs (1) through
(3) are considered to be excluded from what it means to offer health
IT.''
The finalized definition is shown in its entirety in the CFR
amendatory instructions for Sec. 171.102 (see ``Regulation Text''
section of this rule, below).
a. Exclusion of Certain Funding Subsidy Arrangements From Offer Health
IT Definition
In the HTI-1 Proposed Rule, we included a provision to address
concerns regarding the potential of some health care providers and
other donors to stop making available funding subsidies that would go
toward the cost of certified health IT in situations where the
receiving health care provider is not able to afford the cost of the
certified health IT. The proposal, in paragraph (1) of the offer health
IT definition in Sec. 171.102, explicitly excluded certain
arrangements that focused on providing funding subsidies for providers
to obtain, maintain, and/or upgrade certified health IT. We explained
how this exclusion would operate in the HTI-1 Proposed Rule (88 FR
23859). We refer readers to the HTI-1 Proposed Rule for the full
discussion of the donation and subsidized supply arrangements exclusion
(paragraph (1)).
Comments. Of the comment submissions addressing this proposed
exclusion, six supported exclusion of funding subsidy arrangements from
the offer health IT definition. One comment submission did not express
general opposition to the exclusion but expressed opposition to the
definition of offer health IT excluding subsidies tied to a specific
product, or excluding subsidies that would promote or
[[Page 1359]]
prioritize imaging referrals of patients to the subsidizing entity or
its partners. This comment, from two large clinical societies,
recommended that if we finalize this exclusion, we state in preamble
that promotion or prioritization of the subsidizing entity's services
over those of unaffiliated, competing providers would not be exempted
from the offer health IT definition.
Response. We appreciate commenters' feedback. We have finalized the
exclusion of funding subsidy arrangements (paragraph (1) of the offer
health IT in Sec. 171.102) as proposed (88 FR 23915). The donation and
subsidized supply arrangements exclusion as proposed and as finalized
is conditional, as indicated by this language in paragraph (1) of the
offer health IT definition: ``provided such individual or entity offers
and makes such subsidy without condition(s) limiting the
interoperability or use of the technology to access, exchange, or use
electronic health information for any lawful purpose.'' Thus, the
donation and subsidized supply arrangements exclusion (paragraph (1))
does not apply if the subsidy is conditioned on limiting the
interoperability or use of the technology to access, exchange, or use
EHI for any lawful purpose. Any agreement terms, statements (written or
oral), patterns of conduct, or singular actions whereby the source of
donation or funding subsidy conditions the donation on the recipient's
limiting its use of health IT or its access, use, or exchange of EHI in
ways specified or signaled by the funding source would be considered a
condition limiting interoperability or use of the technology.
Therefore, we do not believe that the purpose of this exclusion would
be better served by limiting it at this time to arrangements under
which recipients can choose to apply a funding subsidy to a minimum
array of products or to any product on the market. However, we plan to
remain alert for signals that funding subsidy sources may be misusing
this exclusion.\238\ We note that we may consider amending this
definition in future rulemaking in response to changing market
conditions.
---------------------------------------------------------------------------
\238\ Patterns described to us in claims or suggestions of
possible information blocking submitted through the Report
Information Blocking Portal represent just one example of the ways
such signals may come to our attention. (The Report Information
Blocking Portal's URL is: https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6). Information on the claims process
that is publicly available on HealthIT.gov (https://www.healthit.gov/topic/information-blocking) includes a fact sheet
on the Report Information Blocking portal process (https://www.healthit.gov/sites/default/files/page2/2021-11/Information-Blocking-Portal-Process.pdf) and a resource titled ``Information
Blocking Claims: By the Numbers'' (https://www.healthit.gov/data/quickstats/information-blocking-claims-numbers). As of October 2023,
``Information Blocking Claims: By the Numbers'' provides the total
number of portal submissions received since April 5, 2021, the
number of these submissions that represent claims of possible
information blocking, and the number of these claims by type of
potential actor and type of claimant. (URLs confirmed Oct 18, 2023.)
---------------------------------------------------------------------------
We appreciate commenters' concerns about donation or subsidy
arrangements tied to specific technology where the donation or
arrangement is for the purpose of promoting referrals to the source of
the funding or its affiliates. We believe the proviso in the donation
and subsidized supply arrangements exclusion (paragraph (1)), as
proposed, is sufficient to ensure it does not apply to arrangements
conditioned by the source(s), donor(s), or giver(s) on limiting
interoperability or use of the technology. As stated in the HTI-1
Proposed Rule, we do not believe it is necessary to assess, for
purposes of determining whether a funding subsidy should be considered
an offer of certified health IT, whether the source(s) of the subsidy
conditions the subsidy on the recipient referring patients to or away
from the source. As we noted, there may be other laws implicated by
solicitation or receipt of any remuneration in return for referral
steering and similar conduct (88 FR 23859). For example, the Federal
Anti-Kickback Statute (42 U.S.C. 1320a-7b(b), section 1128B(b) of the
Social Security Act) could be implicated where remuneration is directly
or indirectly offered, paid, solicited, or received for the referral of
or arrangement of a referral of any item, service, or good for which
payment may be made in whole or part under a ``Federal health care
program'' (as defined in 42 U.S.C. 1320a-7b(f)). Nothing in this final
rule should be construed as creating an exception to any fraud and
abuse laws.
In light of the commenters' concern, we believe it may be useful to
clarify how the donation and subsidized supply arrangements exclusion
from the offer health IT definition operates for purposes of 45 CFR
part 171 in the context of a donor or funding source that is using a
subsidy to steer referrals or to distort the market for healthcare
items or services through a condition(s) that limit the use of
donation-supported or subsidized technology or the lawful access,
exchange, or use of EHI. As noted in the HTI-1 Proposed Rule (at 88 FR
23859), we interpret ``conditions limiting the interoperability or use
of the technology to access, exchange, or use electronic health
information'' broadly. Specifically, we noted we would consider
conditions to include not only the explicit terms of any written
agreement but also oral statements and patterns of conduct on the part
of the subsidy's source(s) toward, in the presence of, or made known by
the source(s) to the subsidy's recipient. We further noted that we
would consider a condition(s) to include a subsidy source limiting the
use of the subsidy to particular technology that includes, or otherwise
arranges for subsidy-supported technology to include, features,
functions, coding, or other means that would limit recipients' options
to lawfully use that technology to access, exchange, or use EHI. A
recipient health care provider's access, exchange, and use of EHI for
such purposes is not limited to but necessarily includes access,
exchange, and use by care team members in the course of making
diagnosis and treatment decisions within their scopes of practice and
making referrals in accord with their professional judgement and
understanding of their patient's preferences.
The limitation on the application of the offer health IT
definition's donation and subsidized supply arrangements exclusion in
paragraph (1) of the definition is, as noted in the HTI-1 Proposed
Rule, a safeguard against inappropriate use of the exclusion by
entities seeking to distort the health IT market. This would include
efforts to limit recipients' options to use additional technology or to
otherwise impede innovations and advancements in health information
access, exchange, and use (88 FR 23859). The donation and subsidized
supply arrangements exclusion (paragraph (1)) applies only where the
individual or entity donates, gives, or otherwise makes available
funding without condition(s) limiting the interoperability or use of
the technology to access, exchange, or use EHI for any lawful purpose.
We did not propose that the exclusion could apply to any arrangement
conditioned in any way on limiting the interoperability or use of the
subsidy-supported technology or the recipient's use of the technology
to access, exchange, or use EHI for any lawful purpose. We have
finalized the exclusion as proposed.
We further clarify in view of comments received that the limitation
on application of the donation and subsidized supply arrangements
exclusion in paragraph (1) of the definition does not consider what
underlying intent or motive the funding source may have for any
condition that limit the interoperability or use of the
[[Page 1360]]
technology to access, exchange, or use electronic health information
for any lawful purpose. Any condition that has such effect will mean
the arrangement falls outside of the donation and subsidized supply
arrangements exclusion (paragraph (1) of the offer health IT
definition). Then, whether such non-excluded funding subsidy or
donation arrangements would constitute the funding source offering
health IT would have to be evaluated to determine whether the conduct
constitutes holding out for sale, resale, license, relicense, or
otherwise providing or supplying health information technology for
deployment by other individual(s) or entity(ies).
To note, any third-party health IT developer of certified health IT
or HIN/HIE that may be engaged in funding subsidy arrangements related
to providing, configuring, or otherwise supporting health IT will want
to bear in mind that their engagement in any practice they know or
should know is likely to interfere with access, exchange, or use of EHI
could constitute information blocking on the part of the actor (unless
an applicable law requires or an exception set forth in 45 CFR part 171
is satisfied by such practice). This includes scenarios where the
practice occurred at the direction of or on behalf of a funding subsidy
source. This would be true for the health IT developer of certified
health IT or an HIN/HIE regardless of whether the funding subsidy
source or recipient is also an actor, and regardless of whether the
funding subsidy source or recipient also engaged in conduct meeting the
information blocking definition.
Comments. Several commenters recommended we adopt a policy under
which a health care provider would not be considered to offer health
IT, or be considered only a health care provider and excluded from the
``health IT developer of certified health IT'' definition, even if they
``extend their EHRs'' or otherwise donate or provide health IT on terms
more affordable to a recipient than those available from other vendors
of health IT items or services. Several commenters suggested such
provision of health IT be excluded from the definition of offer health
IT. A commenter that is a health system advocated for an explicit
exclusion in situations where a health care provider hosts instances of
a particular developer's EHR for other health care providers. A
developer of certified health IT advocated to exclude from the
definition of offer health IT any health IT resale or relicensing
arrangements on non-discriminatory bases between health care providers
or HIPAA covered entities. The developer's comment acknowledged the
potential for organizations hosting or otherwise reselling health IT to
make configurations or other implementation decisions potentially
implicating the information blocking definition but asserted they had
not observed this to have occurred among the providers reselling the
developer's health IT.
Response. We appreciate commenters' sharing their experiences and
perspectives. We did not propose that the donation and subsidized
supply arrangements exclusion from the offer health IT definition would
apply to a health care provider selling, licensing, or otherwise
providing or supplying certified health IT (whether such health IT is
self-developed by the provider offering it or obtained from a third-
party developer) to other health care providers on a subsidized,
discounted, or other basis. We decline to do so for reasons we discuss
in this response and in Section IV.B.2 of this preamble below.
We cannot be certain whether commenters' reference to providers who
``extend their EHRs'' or similar wordings are meant to describe the
donor health care provider entity selling, reselling, licensing,
relicensing, or otherwise providing or supplying the health IT itself
for deployment by the recipient providers. Therefore, to ensure
clarity, we note that we perceive a clear distinction between two kinds
of conduct. One distinct kind of conduct is donating, giving, or
otherwise making available to a recipient funding to cover costs of an
item or service (such as health IT that includes one or more Health IT
Modules certified under the Program). A distinctly separate kind of
conduct is the sale, resale, licensing, relicensing, or otherwise
providing or supplying of the item or service itself to the recipient.
We proposed that the donation and subsidized supply arrangements
exclusion (paragraph (1)) to encompass arrangements where ``an
individual or entity donates, gives, or otherwise makes available
funding to subsidize or fully cover the costs of a health care
provider's acquisition, augmentation, or upkeep of health IT'' (88 FR
23915). We stated in the HTI-1 Proposed Rule that the proposed donation
and subsidized supply arrangements exclusion ``would remove from the
definition of offer health information technology or offer health IT
the provision of subsidies, in the form of funding or cost coverage
subsidy arrangements for certified health IT'' (88 FR 23859). We have
finalized the donation and subsidized supply arrangements exclusion
(paragraph (1)) of the offer health IT definition (Sec. 171.102) as
proposed. Thus, the finalized first exclusion of the definition
encompasses furnishing monetary resources (as described at 88 FR 23859,
``subsidies, in the form of funding or cost coverage subsidy
arrangements'') for an item or service.
We reiterate that the donation and subsidized supply arrangements
exclusion as proposed and as finalized in paragraph (1) of the offer
health IT definition does not encompass any arrangement where an
individual or entity does any of the following to or with any health IT
that includes one or more certified Health IT Module(s):
holds out the health IT for sale, resale, license, or
relicense for deployment by or for other individual(s) or entity(ies);
sells, resells, licenses, relicenses the health IT for
deployment by or for other individual(s) or entity(ies); or
otherwise provides or supplies the health IT for
deployment by or for other individual(s) or entity(ies).
To prevent any potential confusion or misunderstanding about the
significance of our reference to ``subsidized supply'' arrangements in
the text of the exclusion in (paragraph (1) of the offer health IT
definition, we note that this is included to explicitly recognize a
type of arrangement whereby a donor or other subsidy source subsidizes
or fully covers costs by payment of such costs to the individual or
entity that develops or offers the health IT item(s) or service(s)
subsidized.
For an example of a scenario in which the donation and subsidized
supply arrangements exclusion (paragraph 1) applies: a health system
arranges with a health IT developer that the health system will pay
eighty-five percent of the cost of any contract for use of a (developer
hosted) EHR product suite by any health care provider that gives the
developer a particular code that was supplied to the health care
provider by the health system. Note that in this example the EHR
product suite includes one or more Health IT Modules certified under
the Program (because the offer health IT definition is not met if
health IT that is held out or that is provided or supplied does not
include any such Health IT Module(s).) The health system gives the code
to independent safety net providers in its service area as a means of
making funding available to the safety net providers to cover part of
the safety net providers' cost to obtain and maintain use of an EHR
product suite. A critical part of an analysis of the application of the
exclusion in this example is whether money covering (part of) the
contract costs for health IT
[[Page 1361]]
is being supplied or whether the health IT itself is being supplied by
the health system. Here the health system is only making a funding
subsidy available. The health IT developer is supplying the health IT
(EHR product suite).
In a different example, where a health system instead offers to
host and support ONC-certified health IT for a safety net provider, the
health system would be engaged in conduct to which the donation and
subsidized supply arrangements exclusion (paragraph (1)) would not
apply. Regardless of whether the entity doing the holding out or
furnishing of health IT (or anyone else) would be subsidizing (in whole
or in part) the costs of the health IT, the donation and subsidized
supply arrangements exclusion (paragraph (1)) does not apply where an
individual or entity holds out or, under any arrangement, provides or
supplies for deployment by or for other individual(s) or entity(ies)
any health IT product(s) that include one or more Health IT Modules
certified under the Program.
We recognize that some health care providers, or other individuals
or entities, may choose to engage, on a subsidized basis for the
recipient or as a donation to the recipient, in conduct that is not
encompassed by the exclusion in paragraph (1) but to which another
exclusion to the offer health IT definition applies. In the interest of
providing such individuals and entities certainty, we note that if any
exclusion to the offer health IT definition applies to any particular
conduct, it does not matter whether one or more other exclusion(s) do
or do not also apply. If at least one exclusion applies to any
particular conduct, that conduct is excluded from the offer health IT
definition.
Finally, we note again that donation and subsidized supply
arrangements can implicate other laws, including the Federal Anti-
Kickback Statute and nothing in this final rule should be construed as
creating an exception to any fraud and abuse laws.
We further discuss below, in the context of the health IT developer
of certified health IT definition (section IV.B.2), our current
position regarding health care providers who choose to engage in
conduct that meets the offer health IT definition. However, it is
important for providers and other individual(s) or entity(ies)
interested in engaging in any conduct that meets the offer health IT
definition to note that engaging in such conduct makes the individual
or entity one that offers health IT. This means such an individual or
entity will meet the health IT developer of certified health IT
definition regardless of whether the individual or entity also happens
to engage in any other conduct that is encompassed by an exclusion from
the definition or that otherwise does not meet the offer health IT
definition.
Comments. A commenter requested we confirm that subsidy
arrangements where the funding source is not otherwise a Sec. 171.102
actor are encompassed by the exclusion. The comment cited, as an
example, subsidies from health plans to providers. Another comment
recommended that we clarify the offer health IT definition excludes
subsidy arrangements between healthcare entities, such as a health plan
and community provider. Other comments suggested that we should
reiterate that engaging in activities described in exclusion (1) is not
a way for an individual or entity that is otherwise a Sec. 171.102
actor to opt out of being subject to information blocking regulations.
Response. The finalized donation and subsidized supply arrangements
exclusion (paragraph (1)) applies to the arrangements it describes. It
does not specify characteristics that the source of the subsidy must
have (or not have) for the arrangement to be excluded from the offer
health IT definition. If any person engages in conduct described in
paragraph (1), that means the excluded conduct does not fall within the
definition of offer health IT. Thus, engaging in conduct described in
paragraph (1) of the offer health IT definition will not turn an
individual or entity who does not otherwise meet the Sec. 171.102
actor definition into an ``actor'' for purposes of the information
blocking regulations.
It is important to remember, however, that engaging in conduct
described in the donation and subsidized supply arrangements exclusion
(paragraph 1) simply has no effect on whether a person is not or is
considered an actor as defined in Sec. 171.102 for purposes of 45 CFR
part 171. Even if an individual or entity that is otherwise an actor
engages in conduct described in subparagraph (1) of the offer health IT
definition, the person is still an actor. For example, if any entity
meets the Sec. 171.102 definition of health care provider then that
entity is a health care provider regardless of whether it also happens
to engage in conduct described in the donation and subsidized supply
arrangements exclusion from the offer health IT definition. Also, any
entity meeting the Sec. 171.102 definition of health IT developer of
certified health IT through any of its activities is a health IT
developer of certified health IT regardless of whether it also happens
to engage in conduct described in the donation and subsidized supply
arrangements exclusion (paragraph 1).
A health care provider or health IT developer of certified health
IT would remain subject to the information blocking regulations for any
of their conduct that meets the definition of information blocking in
Sec. 171.103, including when that conduct occurs in the course of
activities that fit the description of any exclusion from the offer
health IT definition. Similarly, when and to the extent a health plan,
health plan issuer, or any other entity engages in conduct meeting the
functional definition of health information network or health
information exchange (HIN/HIE), then that entity is a HIN/HIE
regardless of whether the entity also happens to engage, at the same
time, in conduct described in any exclusion from the offer health IT
definition.\239\
---------------------------------------------------------------------------
\239\ The health information network or health information
exchange definition is a functional definition. See 45 CFR 171.102,
see also 85 FR 25800 through 85 FR 25803.
---------------------------------------------------------------------------
Comments. A commenter who referenced experience with donation of
hospital equipment noted it is important for recipients of donated
technology to have access to design documents, data schema, and other
resources needed to facilitate the use of donated health IT systems
through maintenance, process improvement, and interoperability
concerns. This commenter encouraged ONC to provide a broad
dissemination of publicly available user manuals, access to spare
parts, and consumable resources to facilitate the use of donated
equipment. A commenter suggested we consider adjusting conditions of
the donation and subsidized supply arrangements exclusion to address
the impact of discontinued subsidies on the recipient's ability to
maintain the health IT over time.
Response. We appreciate the concerns raised by these comments.
Specific to Health IT Modules certified under the ONC Health IT
Certification Program, our Program regulations in 45 CFR part 170
provide for public availability of certain information and
documentation about the technology. (See 45 CFR 170.523 disclosures
applicable to certified Health IT Modules, 45 CFR 170.404(a)(2)
transparency conditions for Certified API Technology.) To the extent
documentation needed to effectively use health IT products that include
non-certified items and services in complement to one or more Health IT
Module(s) certified under the Program, such documentation would fall
outside
[[Page 1362]]
the scope of the Program's disclosures and transparency requirements.
However, we believe the information blocking regulations discourage an
actor from inappropriately withholding access to such documentation
from recipients of their health IT. If an actor's practice of denying
the recipients of health IT such information is likely to interfere
with access, exchange, or use of EHI, that practice could implicate the
information blocking definition. It is not clear what consumable
supplies or spare parts relevant to health IT were referenced by the
comment advocating ONC provide broad access to them. It is also not
clear what is meant by the commenter advocating ONC ``provide access''
to spare parts and consumables. We note that the information blocking
regulations maintain policies supportive of the access, exchange, and
use of EHI and include policies under which the individuals and
entities who actually supply health IT (donated or otherwise) for
deployment by or for other individuals or entities generally continue
to be subject to enforcement under the information blocking regulations
as health IT developers of certified health IT.
Concerns specific to a supplier of technology withholding access to
documentation and resources needed to use systems represents one
example of conduct likely to interfere with a recipient's access,
exchange, or use of EHI. This concern illustrates just one of many
possible practices any individual or entity that engages in conduct
meeting the finalized offer health IT definition would have opportunity
to engage in that would be likely to interfere with customers' and
others' ability to access, exchange, or use EHI in or through the
health IT ``offered.'' Such opportunities to interfere with customers'
access, exchange, or use of EHI are among the reasons we believe it
would be inappropriate to exclude from the offer health IT definition
the sale, resale, licensing, or relicensing of any Health IT Module
based on such offering being subsidized by the offeror or a third
party. Therefore, such conduct will generally continue to fall within
the offer health IT definition. By engaging in any conduct falling
within the offer health IT definition, the individual or entity engaged
in the conduct meets the health IT developer of certified health IT
definition and is subject to information blocking regulations
accordingly.
We further note that this comment highlights the importance of
prospective recipients of technology donations carefully considering
the full terms of both the donation or subsidy arrangement and any
contracts or other agreements with a developer, seller, reseller,
licenser, or relicenser of the technology involved. For example, and
for practical reasons entirely independent of the information blocking
regulations, it is important for a recipient to know what items and
services are included in the subsidy or donation and the level, extent,
and duration of support for those items or services that the donation
commits the funding source to cover. The information blocking
regulations do not eliminate the need for anyone contemplating adopting
health IT items or services pursuant to a donation or subsidy
arrangement to consider and plan for their ability to maintain the
health IT in good working order, or successfully transition away from
it, at the end of a one-time donation or subsidy arrangement or in the
event an arrangement providing an ongoing subsidy were to be
discontinued (or not renewed). This would be true for adoption of
initial, additional, upgraded, or replacement health IT items or
services.
We also note that whether, as potential recipients of subsidized
health IT or as a customer paying the full cost or market price
themselves, all prospective recipients of any health IT will likely
find it important to know and understand the terms of all agreements
with the developer or offeror of health IT items or services they
obtain. For example, a customer contemplating adoption of any health IT
item or service would want to consider the potential that they may want
to replace that particular product with another product in the future.
Such a customer would want to look closely at how any data the product
stores will be returned to the customer at the end of the agreement
with the developer or other offeror of the health IT, and what support
may be available, and on what terms, to help the customer (or a health
IT developer or support contractor of the customer) import the data
into the next product the customer will use to access, exchange, or use
that data.
Recipients of donated health IT, like all customers of health IT,
will also find it important to know whether technology they are
considering for adoption includes any Health IT Module(s), or if the
developer or offeror that would provide the technology has any Health
IT Module(s), certified under the Program. An individual or entity that
develops or offers health IT, but who does not develop or offer any
certified Health IT, might not be subject to information blocking
regulations unless the individual or entity is a health care provider
or a HIN/HIE as defined in Sec. 171.102.\240\
---------------------------------------------------------------------------
\240\ The Sec. 171.102 health care provider and HIN/HIE
definitions do not have a definitional component related to
certified health IT. An individual or entity can meet either or both
of these definitions without having, using, or offering any
certified health IT.
---------------------------------------------------------------------------
Summary of finalized policy--donation and subsidized supply
arrangements exclusion (paragraph 1): After consideration of the
comments received that are relevant to, and within the scope of, this
proposal, we finalized the policy, as proposed. Provision of funding to
a recipient who will use it to cover some or all of the recipient's
health IT acquisition, augmentation, or upkeep cost is explicitly
excluded from the offer health IT definition. Likewise, arrangements
whereby a funding source (whether or not referenced or styled as a
``donor'') pays, remits, or otherwise transfers to a third-party funds
covering the cost (in whole or part) of a health care provider's
acquisition, augmentation, or upkeep of health IT are explicitly
excluded from the offer health IT definition to the extent they are
consistent with paragraph (1). However, the text of paragraph (1)
explicitly and intentionally limits application of the donation and
subsidized supply arrangements exclusion to those arrangements whereby
the source of the subsidy makes available funding to cover costs of
acquisition, augmentation, or upkeep of health IT. The finalized
paragraph (1), donation and subsidized supply arrangements exclusion
from the offer health IT definition, does not apply to sale, licensing,
resale, relicensing, or provision or supply of the health IT itself--
regardless of whether such provision or supply is on subsidized or
other terms.
We reiterate that no individual or entity that otherwise meets the
definition of any type of actor in Sec. 171.102 can opt out of being
subject to information blocking regulations by engaging in any activity
excluded from the offer health IT definition.
b. Implementation and Use Activities That Are Not an Offering of Health
IT
In the ONC Cures Act Final Rule, we noted that there are certain
actions taken by health care providers who self-develop health IT for
their own use that we do not interpret as them offering or supplying
certified health IT to others (85 FR 25799). Specifically, we noted
that ``some use of a self-developer's health IT may be made accessible
to individuals or entities other than the self-developer and its
employees without that availability being
[[Page 1363]]
interpreted as offering or supplying the health IT to other entities in
a manner inconsistent with the concept of `self-developer,' and we
provided examples of activities that we do not consider offers (85 FR
25799). Some of the examples we noted (85 FR 25799) were discussed in
the context of practices amongst hospitals that purchase commercially
marketed health IT as well as self-developer hospitals.
While the examples focus on self-developers, these examples would
not be considered ``offering'' health IT regardless of who developed
the certified health IT. We also believe there are examples of
activities we did not discuss that should not be considered offers of
health IT. We, therefore, proposed in paragraph (2) of the offer health
IT definition (see 88 FR 23860 and 88 FR 23915) to explicitly exclude
from the definition of offer health IT certain implementation and use
activities of a health care provider or other entity (such as a HIN/
HIE, health plan, or public health authority). We refer readers to the
HTI-1 Proposed Rule (88 FR 23860) discussions of the activities
explicitly listed within the implementation and use activities
exclusion from (paragraph (2) of) the definition of offer health IT we
have now finalized within Sec. 171.102.
We sought comment on this proposal, including whether we should
consider revising or refining any of the descriptions or wordings of
the functionalities, features, actions, or activities listed in the
draft regulation text or whether we should consider explicitly
excluding additional activities, actions, or health IT functionalities
from what it means to offer health IT.
Comments. Comments referencing this exclusion supported the
provision. Several commenters recommended specific refinements to the
wording or clarifications to the intended scope of the exclusion.
Comments were received that recommended the implementation and use
activities exclusion encompass each of the following as implementation
and use activities:
a health care provider organization or other entity uses
pre-production staging or test environments for certified health IT;
use of health IT for purposes of clinical education and
improvement activities, including in simulation environments where no
care is furnished to actual patients;
a health care provider providing a public health
authority's employees or contractors with access to its health IT
systems;
providing access to registries and similar data services
that are provided by public health authorities, regardless of the route
used to request/access/receive data (e.g., through direct logon to a
public health information system, via an app or third-party tool, or
via HIN/HIE).
Response. We appreciate the comments received on the proposed
implementation and use exclusion. In response to comments received, we
have revised the wording of the finalized regulation text in the offer
health IT definition (as discussed in section IV.B.1 of this rule,
above) and have also revised the wording of subparagraphs within
paragraph (2) (discussed in the summary of finalized policy--
implementation and use exclusion (paragraph (2)) at the end of this
section, IV.B.1.b, of this rule).
As discussed in section IV.B.1 of this final rule, we reviewed the
wording of the offer health IT definition in light of a HITAC comment
about providing access to registries and similar data services provided
by public health authorities, regardless of the route used to request/
access/receive data. We believe the change in the offer health IT
definition's wording from ``for use by'' to ``for deployment by or
for'' better aligns the wording of this definition with the definitions
of ``API User'' and ``API Information Source'' previously established
in Sec. 171.102 by cross-reference to Sec. 170.404(c) (as discussed
in section IV.B.1 of this rule, above). We also believe this wording
change removed a need to catalog within paragraph (2) all of the
various manners in which access, exchange, or use of EHI with public
health entities and with others might be accomplished without the
individual or entity in the API Information Source role (or equivalent
role for non-certified API technology or other manners of access,
exchange, or use) meeting the offer health IT definition.
The excluded activity descriptions in subparagraphs (2)(ii), (iii),
and (iv) are intended to accommodate current heterogeneity in how
individuals and entities who deploy health IT (such as health care
providers) make EHI available for access, exchange, or use by their
information sharing partners. With the minor changes in wording that we
mention above, we believe it is clear that subparagraphs (ii) through
(iv) of paragraph (2) in conjunction with the revision to the offer
health IT definition's wording accomplish this intent. Although
subparagraph (2)(ii) discusses APIs and (2)(iii) discusses online
portals, we believe that they, when taken together with subparagraph
(2)(iv), provide for extensive heterogeneity in the manners of
information sharing available now or in the future to those who access,
exchange, or use EHI. Moreover, we believe the wording change that we
discuss above from ``for use by'' to ``for deployment by or for'' also
addresses commenters' concerns about whether the offer health IT
definition does or does not include interactions with or use of pre-
production or other non-production instance(s) of API technology.
We also reiterate that, as we stated in the HTI-1 Proposed Rule (88
FR 23860), we do not believe it is necessary to define a production
instance because we observe health IT developers, resellers, and
customers generally using and understanding a production instance as a
particular implementation of a given health IT product that has ``gone
live'' in a production environment (without needing to specify, for
this purpose, whether such instance is single- or multi-tenant).
Production environments, in turn, we observe are generally understood
as being the setting where health IT is implemented, run, and relied on
by end users in day-to-day conduct of their profession (such as
medicine, nursing, or pharmacy) or other business (such as a payer
processing healthcare reimbursement claims or a patient managing their
health and care).
Summary of finalized policy--implementation and use activities
exclusion (paragraph 2): After consideration of comments, we have
finalized the proposed implementation and use activities exclusion
(paragraph (2)) with revisions. As described in more detail below, we
have refined how we describe several types of activities within the
exclusion.
We have struck from subparagraph (2)(i), (ii), (iii), and (iv) the
parenthetical ``as defined in this section'' following the terms
``electronic health information'' and ``health information network or
health information exchange.'' The Sec. 171.102 definitions of these
terms apply throughout 45 CFR part 171 unless otherwise specified in a
particular subpart or section. Thus, the presence or absence of this
parenthetical has no effect on the meaning of the subparagraphs noted
above and has been removed from the final text.
The wording of the activity description in subparagraph (2)(i) has
been revised to remove reference to employees or contractors using the
individual's or entity's health IT to access, exchange, or use EHI in
the course of their employment. Instead, the exclusion lists a variety
of types of
[[Page 1364]]
activities that an individual's or entity's employees or contractors
might do within the scope of their employment or contract duties
specific to, or otherwise requiring use of, access to the health IT.
The finalized wording of subparagraph (2)(i) explicitly includes use,
operation, configuration, testing, maintenance, update, and upgrade
activities for an individual's or entity's health IT system(s) or
specific application(s) within such systems. It also includes explicit
reference to the individual's or entity's employees or contractors
giving or receiving training on the health IT.
We believe this explicit list of purposes for which employees or
contractors might need to use an individual's or entity's deployed
health IT provides the clarity some commenters sought regarding a
health care provider maintaining non-production instances of health IT
for various purposes other than supporting care delivery,
documentation, or billing of healthcare. We believe this clarity is
achieved by the rewording of subparagraph (2)(i) in complement to the
change from ``for use by'' to ``for deployment by or for'' others in
the offer health IT definition.
We have finalized subparagraph (2)(ii) with one revision to its
wording: we have removed the parenthetical statement ``(whether
certified or not)'' to improve readability. The deletion of ``(whether
certified or not)'' has no effect on the substance of subparagraph
(2)(ii) because the description references API technology in general.
As used in subparagraph (ii) of the implementation and use activities
exclusion, ``application programming interface (API) technology''
encompasses ``Certified API Technology'' as defined in 45 CFR
170.404(c) as well as any other API technology.
As proposed, subparagraph (2)(ii) referenced production instances
and did not reference pre-production instances. We have retained
reference to ``production instances'' of API technology in the excluded
activity description in the finalized definition as the finalized offer
health IT definition's wording change from ``for use by'' to ``for
deployment by or for'' makes it unnecessary to explicitly encompass
pre-production instances within subparagraph (2)(ii) of exclusion (2).
Specifically, the revised wording of the offer health IT definition
makes it clear that deploying any instance(s) of API technology with
which independent, outside persons participating in testing activities
might interact (in the course of testing or QI activities, or in the
role of API User as defined in Sec. 171.404(c) or an analogous role
for health IT other than ``Certified API Technology'' as defined in
Sec. 171.404(c)) does not, in and of itself, meet the offer health IT
definition. By contrast, the holding out, or the providing or
supplying, for deployment by or for other individuals or entities under
any arrangement not described in exclusion (3)(iii) of health IT that
includes one or more Health IT Module(s) would meet the offer health IT
definition, regardless of whether such other individual(s) or
entity(ies) were to deploy (or have deployed on their behalf)
production instance(s), pre-production instance(s), or any combination
of production and pre-production instances of the offered health IT.
We have removed from the finalized text of subparagraph (2)(iii) a
comma that immediately followed the word ``clinicians.'' This comma was
a typographical error that has been corrected so that the finalized
text describes making portals available to any or all of the following:
patients, clinicians or other health care providers, or public health
entities. We use ``public health entities'' here to encompass public
health authorities, their employees, and their contractor(s) acting in
the scope of the contract to the public health authority.
Specific to implementation and use activities of entities that need
to share information with public health authorities, the revised
wording of the offer health IT definition (from ``for use by'' to ``for
deployment by or for,'' as discussed in section IV.B.1 of this
preamble) renders the presence or absence of specific reference in
subparagraph (2)(iii) or (iv) to public health authorities' contractors
largely moot, because the activities subparagraphs (iii) and (iv)
describe (as proposed and finalized) do not involve or include
supplying health IT for deployment. However, we proposed the
implementation and use activities exclusion (paragraph (2)) for the
purpose of giving health care providers (and others) who use certified
health IT certainty that implementing certain health IT features and
functionalities, as well as engaging in certain practices that are
beneficial in an EHR-enabled healthcare environment, will not be
considered ``offering'' certified health IT (regardless of who
developed that health IT) (88 FR 23858). Therefore, we have finalized
subparagraph (2)(iv) with addition of explicit reference to public
health authorities' contractors to better serve subparagraph (2)(iv)'s
purpose.
By contrast, the activity described in subparagraph (2)(iv) was not
proposed to, and as finalized does not, encompass supplying health IT
for deployment by or for public health authorities or any other
individual(s) or entity(ies). Holding out, providing, or supplying
health IT that includes one or more certified Health IT Module(s) for
deployment by or for a public health authority will meet the offer
health IT definition. (see also the discussion of deployment versus use
of health IT in section IV.B.1 of this preamble.)
We have modified the wording of subparagraph (v) of exclusion (2)
in response to comments seeking explicit clarity regarding the
implications of a healthcare facility potentially allowing independent
healthcare professionals who furnish services in a healthcare facility
to use the facility's health IT for clinical education and improvement
activities or to receive training in the use of the healthcare
facility's health IT systems. Specifically, following ``furnishing,
documenting, and accurately billing for that care,'' we have added:
``participating in clinical education or improvement activities
conducted by or in the healthcare facility; or receiving training in
use of the healthcare facility's health IT system(s).'' With the
clarification of the wording of the offer health IT definition (as
discussed above in section IV.B.1 of this final rule) from ``for use
by'' to ``for deployment by or for'' other individuals, we believe the
distinction is clear between supplying independent healthcare
professionals with health IT to deploy in their outside practice(s) or
other endeavors and merely enabling independent healthcare
professionals to use a healthcare facility's health IT systems in the
course of the professional's engagement in patient care and other
activities conducted by or in the healthcare facility.
As is the case for subparagraph (2)(iv), we have nevertheless
decided to finalize subparagraph (2)(v) to serve the purpose for which
we proposed it: giving health care providers (and others) who use
certified health IT certainty that implementing certain health IT
features and functionalities, as well as engaging in certain practices
that are beneficial in an EHR-enabled healthcare environment, will not
be considered ``offering'' certified health IT (regardless of who
developed that health IT) (see 88 FR 23858 and 88 FR 23860).
We believe that patients generally benefit when independent
healthcare professionals who practice in a particular facility
participate in such activities as training for use of the facility's
health IT and other equipment. We believe patients also generally
benefit when independent healthcare professionals are able to
participate in a facility's clinical education activities,
[[Page 1365]]
and we note that this includes the independent clinician conducting or
leading clinical education or quality improvement activities in a
facility for or with other professionals. Quality improvement and
clinical education activities conducted in, but not necessarily by, the
healthcare facility could include activities that occur in the facility
that are partly or largely conducted by third parties (such as a
professional specialty society, Patient Safety Organization (PSO),\241\
Medicare's Quality Innovation Network--Quality Improvement Organization
(QIN-QIO),\242\ public health authorities (federal, state, or tribal),
or similar entities). Prior to issuing the HTI-1 proposed rule, we had
not had indications that healthcare facilities were experiencing
uncertainty specific to allowing independent healthcare professionals
to use the facility's systems in the course of clinical education or
quality improvement activities in the facility--which could, from a
health IT perspective, potentially make use of pre-production,
production, or a mix of production and pre-production instance(s) of
one or more system(s) or application(s).
---------------------------------------------------------------------------
\241\ Patient Safety Organizations (PSOs) collect and analyze
data voluntarily reported by healthcare providers to help improve
patient safety and healthcare quality. PSOs provide feedback to
healthcare providers aimed at promoting learning and preventing
future patient safety events. Under the Patient Safety and Quality
Improvement Act of 2005 (the Patient Safety Act), the Agency for
Healthcare Research and Quality (AHRQ) certifies and lists PSOs.
(https://pso.ahrq.gov/, retrieved Nov 24, 2023.)
\242\ Administered by CMS, the Quality Improvement Organizations
(QIO) Program is one of the largest federal programs dedicated to
improving health quality for Medicare beneficiaries. The QIO
Program's Quality Innovation Network-QIOs (QIN-QIOs) bring Medicare
beneficiaries, providers, and communities together in data-driven
initiatives that increase patient safety, make communities
healthier, better coordinate post-hospital care, and improve
clinical quality. By serving regions of two to six states each, QIN-
QIOs are able to help best practices for better care spread more
quickly, while still accommodating local conditions and cultural
factors. (https://www.cms.gov/medicare/quality/quality-improvement-organizations, retrieved Nov 24, 2023.)
---------------------------------------------------------------------------
Based on comments received in response to our proposing
subparagraph (2)(v), we are concerned that codifying subparagraph
(2)(v) with wording that explicitly references only furnishing,
documenting, and billing for care in the facility would risk creating
new uncertainty specific to independent professionals' use of a
facility's health IT in the course of quality improvement and clinical
education activities in the facility. By explicitly referencing
clinical education and quality improvement activities conducted by or
in a facility in addition to explicitly referencing furnishing,
documenting, and accurately billing for care an independent healthcare
professional furnishes to patients in a facility, we believe the
finalized wording of subparagraph (v) is beneficial.
We reiterate, however, that the holding out, provision, or supply
of health IT for deployment by or for other individual(s) or
entity(ies) is not encompassed by any subparagraph of the
implementation and use activities exclusion (paragraph (2)). (Again, we
refer readers to the discussion of deployment versus use of health IT
in section IV.B.1 of this preamble.)
c. Consulting and Legal Services Exclusion From the Offer Health IT
Definition
In defining what it means to offer health information technology or
offer health IT, we also considered whether it would be beneficial to
explicitly establish an exclusion of certain management consulting
services that play important roles in some providers' approaches to
operational management of their practice, clinic, or facility. The
bundled exclusions we proposed in paragraph (3) of the offer health IT
definition address ``consulting and legal services,'' including:
legal services furnished by attorneys that are not in-
house counsel \243\ of the provider (commonly referred to as ``outside
counsel'');
---------------------------------------------------------------------------
\243\ As noted in the HTI-1 Proposed Rule (see 88 FR 23860 and
23861 (footnote 407)), in-house counsel would for purposes of the
offer definition be considered ``employees'' of the provider.
Furnishing use of the provider's health IT to in-house counsel would
no more be an offer of that health IT than would be furnishing use
of that same health IT to members of the provider's nursing or
medical records staff.
---------------------------------------------------------------------------
health IT expert consultants' services engaged to help a
health IT customer/user (such as a health care provider) define their
business needs and/or evaluate, select, negotiate for or oversee
configuration, implementation, and/or operation of a health IT product
that the consultant does not sell/resell, license/relicense, or
otherwise supply to the customer; and
clinician practice or other health care provider
administrative or operational management consultant services where the
clinician practice or other health care provider's administrative or
operational management consulting firm effectively stands in the shoes
of the provider in dealings with the health IT developer or commercial
vendor, and manages the day-to-day operations and administrative duties
for health IT and its use alongside other administrative and
operational functions that would otherwise fall on the clinician
practice or other health care provider's partners, owner(s), or staff.
We refer readers to the HTI-1 Proposed Rule (88 FR 23860 through
23864) for discussion and examples of services that would be excluded
under each of subparagraphs (3)(i) through (3)(iii) of the proposed
offer health IT definition.
Comments. Six commenters referenced this exclusion and expressed
general support for the proposal. Some, however, recommended specific
modifications or clarifications to the described activities. (Comments
specific to each particular subparagraph of paragraph (3), the
consulting and legal services exclusion, are summarized below.)
Response. We appreciate commenters' sharing their perspectives on
this proposal through the public comment process. We have finalized the
consulting and legal services exclusion (paragraph 3) with minor
clarifications and revisions to each subparagraph, as discussed in
detail below under sub-headings specific to each of these
subparagraphs.
Legal Services Furnished by Outside Counsel
At subparagraph (3)(i) in the proposed offer health IT definition,
we proposed to explicitly exclude legal services furnished by outside
counsel (88 FR 23861). As we explained, this proposed exclusion would:
codify how we already view, in the context of the definitions currently
codified in Sec. 171.102, legal services furnished by outside counsel
in certain matters and remove an ambiguity that could, at least in
theory, otherwise have unintended effects on how parties may in the
future assess the best available options and mechanisms for efficient,
cooperative discovery. The proposed exclusion for legal services
furnished by outside counsel, like the proposed exclusion of health IT
expert consulting services, would focus on the services provided and
not on the type of organization providing them (88 FR 23861).
Comments. Several comments expressing support for the consulting
and legal services exclusion (subparagraph (3)(i)) acknowledged the
explicit exclusion of legal services furnished by outside counsel. No
comments expressed opposition or concern and no comments recommended
particular revisions or clarifications to the legal services
description in subparagraph (3)(i).
[[Page 1366]]
Response. After considering comments received on the offer health
IT definition and the consulting and legal services exclusion, we have
finalized subparagraph (3)(i) of legal services furnished by outside
counsel arrangements. We have, however, revised the text of
subparagraph (3)(i) to remove unnecessary words and improve
readability. These revisions are detailed below, under the summary of
finalized policy--consulting and legal services exclusion (paragraph
(3)) heading.
Health IT Consultant Assistance With Selection, Implementation, and Use
of Health IT
At subparagraph (3)(ii) in the proposed offer health information
technology or offer health IT definition, we proposed to explicitly
exclude the work of health IT expert consultants engaged to help a
health IT customer/user (such as a health care provider, health plan,
or HIN/HIE) do any or all of the following with respect to any health
IT product that the consultant does not sell or resell, license or
relicense, or otherwise supply to the customer under any arrangement on
a commercial basis or otherwise: define their business needs; evaluate
or select health IT product(s); negotiate for the purchase, lease,
license, or other arrangement under which the health IT product(s) will
be used; or oversee configuration, implementation, or operation of a
health IT product(s) (88 FR 23862).
Comments. Comments regarding the arrangements described in
subparagraph (ii) of the consulting and legal services exclusion
(paragraph 3) were generally supportive. Several comments recommended
clarification as to whether the description encompassed the full scope
of informatics consulting practice. One of these comments requested
additional detail as to specific domains and tasks within the practice
of clinical informatics. Several comments requested clarification as to
whether the exclusion applied to a consultant configuring,
implementing, or operating health IT on the customer's behalf, or
whether it was limited to a consultant overseeing such activities
conducted by others.
Response. After consideration of comments received, we have
finalized the description of health IT consultant assistance
arrangements in subparagraph (3)(ii) with revised wording to provide
additional clarity. Specifically, we have:
clarified the wording of the subparagraph's heading to
read ``health IT consultant assistance with selection, implementation,
and use of health IT'' (in the HTI-1 Proposed Rule (88 FR 23915) the
omission of the word ``with'' was a typographical error, which we
believe made the heading less readable); and
modified the wording of subparagraph (3)(ii)(C) from
``oversee'' to ``oversee or carry out'' so that the exclusion's wording
explicitly includes carrying out as well as overseeing configuration,
implementation, or operation of health IT products.
We believe the revised wording (``oversee or carry out'') in
subparagraph (3)(ii)(C) provides certainty and clarity to clinical or
biomedical informaticists and other consultants that they can take an
active role in configuring, implementing, or operating health IT on the
customer's behalf, as well as or instead of overseeing such activities
conducted by others, without the consultant's activities meeting the
definition of offer health IT.
As proposed and now finalized, subparagraph (3)(ii) is agnostic to
what specific domains of expertise, or what specific knowledge, skills,
or abilities, the consultant might apply to any of the activities
described in subparagraphs (3)(ii)(A) through (C) with respect to any
health IT product(s) that the consultant does not hold out or supply to
the customer under any arrangement. We do not at this time believe it
is necessary to limit the applicability of subparagraph (3)(ii) by
adding to it a catalog of specific domains in which a health
informaticist might be practicing when, or in order to be considered to
be, engaged in activities described in any of subparagraphs (3)(ii)(A)
through (C) under arrangements consistent with subparagraph (3)(ii).
A definition of ``health informatics'' that is often attributed to
the National Library of Medicine \244\ indicates that ``health
informatics'' is ``the interdisciplinary study of the design,
development, adoption and application of IT-based innovations in
healthcare services delivery, management and planning.''\245\ In our
observation, there is today considerable heterogeneity in what health
informaticists do, how they do it, and under what arrangements they
engage with employers, customers, or clients. Therefore, we believe it
would be more cumbersome than helpful to attempt to catalog all, and
difficult to identify an appropriately representative sampling, of the
tasks that a practitioner of health informatics might oversee or
conduct without themselves selling, reselling, licensing, relicensing,
or otherwise supplying the customer with health IT that includes one or
more Health IT Modules certified under the Program. Such a catalog of
tasks or domains of health informatics practice would risk rapidly
becoming more limiting than we intend the exclusion to be. Therefore,
we decline to do so. Instead, we emphasize that whether any activity or
conduct in the course of practicing clinical, biomedical, public
health, or any other variation of health informatics (or any other
profession) is encompassed by the consulting and legal services
exclusion under subparagraph (3)(ii) depends on whether the activity or
conduct is consistent with subparagraph (3)(ii).
---------------------------------------------------------------------------
\244\ See e.g., University of Michigan School of Information
(https://www.si.umich.edu/programs/master-health-informatics,
retrieved 10/25/2023); University of Pittsburgh School of Health and
Rehabilitation Sciences blog post ``Why Health Informatics Is Its
Own Discipline,'' Oct. 7, 2021 (https://online.shrs.pitt.edu/blog/why-health-informatics-is-its-own-discipline/, retrieved Oct. 25,
2023).
\245\ The definition including this quote appeared in frequently
asked questions (FAQs) for ``Health Services Research Information
Central'' updated Apr. 23, 2014, on a web page of the National
Library of Medicine's National Information Center on Health Services
Research and Health Care Technology (NICHSR). The quote's
attribution and citation on that web page read ``Procter, R. Dr.
(Editor, Health Informatics Journal, Edinburgh, United Kingdom).
Definition of health informatics [internet]. Message to: Virginia
Van Horne (Content Manager, HSR Information Central, Bethesda, MD).
2009 Aug 16 [cited 2009 Sept 21]. [1 paragraph].'' (https://wayback.archive-it.org/7189/20170515160548/https://www.nlm.nih.gov/hsrinfo/hsric_topic_definitions.html, retrieved Oct. 25, 2023).
---------------------------------------------------------------------------
We reiterate that if an individual or entity who engages in an
activity or arrangement encompassed by an exclusion from the offer
health IT definition happens to otherwise be an Sec. 171.102 actor,
that individual or entity is an actor subject to the information
blocking provision in section 3022 of the PHSA. If such actor engages
in conduct that meets the definition of information blocking in Sec.
171.103, that actor could be subject to enforcement action under the
information blocking provision in section 3022 of the PHSA even if they
engaged in the practice(s) meeting the information blocking definition
in the course of an activity that would not, itself, meet the offer
health IT definition.
For example, a clinical informaticist who is a doctor of medicine
(MD) or osteopathy (DO) might provide consulting services consistent
with subparagraph (3)(ii) of the offer health IT definition. The
services in this example do not meet the offer health IT definition.
Therefore, these services do not cause the informaticist to meet the
health IT developer of certified health IT definition. But the clinical
informaticist, as an MD or DO, meets the
[[Page 1367]]
Sec. 171.102 definition of a health care provider. Thus, the physician
in this example is a Sec. 171.102 actor and, were this physician to be
determined by OIG to have committed information blocking, the physician
would be subject to appropriate disincentives consistent with section
3022(b)(2)(B) of the PHSA.
If, however, an individual or entity who practices ``health
informatics'' is not otherwise a Sec. 171.102 health care provider,
health IT developer of certified health IT, or HIN/HIE, and would only
meet the Sec. 171.102 actor definition by offering health IT chooses
to only engage in conduct that does not meet the offer health IT
definition, then the individual or entity would not be considered an
actor.
Comprehensive and Predominantly Non-Health IT Administrative or
Operations Management Services
In subparagraph (3)(iii), we proposed to exclude from the offer
health IT definition comprehensive clinician practice or other health
care provider administrative or operational management consultant
services where the administrative or operational management consulting
firm effectively stands in the shoes of the provider in dealings with
the health IT developer or commercial vendor, and manages the day-to-
day operations and administrative duties for health IT and its use
alongside a comprehensive array of other administrative and operational
functions that would otherwise fall on the clinician practice or other
health care provider's partners, owner(s), or staff (88 FR 23862).
Alone among the three proposed exclusions of consulting and legal
services arrangements, the exclusion of clinician practice or other
health care provider administrative or operational management
consulting services would be likely to include arrangements where the
health IT deployed by or for the health care provider is supplied to
them by the consultant--for example, as part of a comprehensive (``turn
key'') package of practice management or other provider administrative
or operations management services. In proposing the exclusion from the
offer health IT definition of the activities specified in
subparagraph(3)(iii), we noted its implication for health care
providers' accountability for acts or omissions of their consultants
operating under the exception--particularly health care providers'
administrative or operational management services consultants--that
implicate the definition of information blocking in Sec. 171.103 (88
FR 23862). We refer readers to the HTI-1 Proposed Rule for the
rationale for the comprehensive and predominantly non-health IT
management services exclusion and explanation of how it operates (88 FR
23862 through 23864). The explanation includes the key factors that
differentiate excluded clinician practice or other health care provider
administrative or operational management consultant services from IT
managed service provider (MSP) services and arrangements (88 FR 23863).
The HTI-1 Proposed Rule preamble discussion may include one or more
instances of a typographical error in how subparagraph (iii) of
exclusion (3) is referenced. This typographical error results in citing
the paragraph as (3)(c) instead of (3)(iii). These typographical errors
in how the paragraph is cited in the HTI-1 Proposed Rule preamble have
no bearing on the substance of the proposal.
We solicited comment on this proposal, including specifically
whether:
this exclusion is more beneficial than harmful or
confusing to the public, including the regulated community (health care
providers, other information blocking ``actors,'' and those who may be
more likely to be considered a ``health IT developer of certified
health IT'' in the absence of this exclusion); and
different or additional criteria should factor into
differentiating whether a particular arrangement is a practice/
operational management services arrangement that happens to include
health IT as one of many necessities to operate as a health care
provider rather than an arrangement for the supply of health IT that
happens to include additional services (88 FR 23864).
Comments. We received comments discussing or referencing the
proposal to exclude arrangements for comprehensive and predominantly
non-health IT clinician practice or other health care provider
administrative or operations management services from four commenters.
No comments expressed opposition to excluding these activities from the
offer health IT definition. One comment expressed appreciation for the
clarity the proposal provides. Two comments recommended revising the
exclusion to encompass additional types of arrangements. One comment
advocated changing the effect of an activity's exclusion so that an
individual or entity that meets the actor definition through other
activities (such as by participating as a developer in the Program)
would not be considered an actor while engaging in the excluded
activity. One commenter shared thoughts specifically in response to the
HTI-1 Proposed Rule's prompt for comments on potential benefits and
harms of the proposal and potential additional criteria for
differentiating between a practice/operational management services
arrangement that happens to include health IT and an arrangement for
the supply of health IT that happens to include additional services.
Response. Upon consideration of comments received, we have
finalized the exclusion of comprehensive and predominantly non-health
IT clinician practice or other health care provider administrative or
operations management services (subparagraph (iii) of paragraph (3)).
We have revised the wording of subparagraph (3)(iii) to improve its
readability and clarity. We summarize and respond to specific, detailed
comments below.
Comments. A commenter advocated that we expand the exclusion to
explicitly encompass reselling and hosting certified health IT under a
particular vendor-specific model.
Response. A health care provider who wishes to stand in the shoes
of another provider in dealings with the health IT developer or
commercial vendor, in managing the day-to-day operations and
administrative duties for the health IT, or both, as part of a
comprehensive array of predominantly non-health IT administrative and
operational functions, can do so without meeting the offer health IT
definition. Such conduct would be excluded from the offer health IT
definition to the extent the arrangement is consistent with the
comprehensive and predominantly non-health IT management services
exclusion (subparagraph (3)(iii)). We refer readers to the HTI-1
Proposed Rule explanation of the key factors that differentiate
excluded clinician practice or other health care provider
administrative or operational management consultant services from IT
managed service provider (MSP) services and arrangements (88 FR 23863).
Although this discussion of key factors includes an instance of the
typographical error whereby subparagraph (3)(iii) is cited as
``(3)(c)'', the key factors discussed (88 FR 23863) apply to the
arrangements described by subparagraph (3)(iii), as proposed and as now
finalized.
We discuss in context of the health IT developer of certified
health IT definition preamble below (section IV.B.2) additional
concerns we would have for a potential policy under which health care
providers who choose to sell
[[Page 1368]]
or resell certified health IT under additional types of arrangements
would not be considered health IT developers of certified health IT.
Because of these concerns (discussed in IV.B.2, below) we do not
believe it would be appropriate to expand the exclusions from the offer
health IT definition to include the vendor-specific resale model cited
by this commenter.
Comments. Some comments cited potential risks, such as of anti-
competitive effects or conflicts of interest arising as a result of
exclusions potentially encouraging entities in the health sector or
beyond to develop consulting operations to supply health IT to
customers without the consulting operation being subject to the
information blocking regulations, as compared to entities that offer
similar services but also meet the health IT developer of certified
health IT definition. A comment recommended we ensure sufficient
protections are in place but did not suggest specific additional
criteria or considerations for determining which arrangements are or
should be encompassed by the comprehensive and predominantly non-health
IT management services exclusion (subparagraph (3)(iii) and which
should instead meet the offer health IT definition.
Response. We appreciate receiving a response to our request for
comment on these points. Subparagraph (3)(iii) explicitly indicates
that the consultant providing these services acts as the agent of the
health care provider or otherwise on behalf of the health care provider
in dealings with the health IT developer or vendor, day-to-day
operations and administration of the health IT, or both. This means
that for any (individual or entity) consultant's services to be
consistent with subparagraph (3)(iii), the consultant cannot also be
the developer of any included health IT items or services. For
subparagraph (3)(iii) to apply, the consultant also must explicitly
provide comprehensive and predominantly non-health IT administrative or
operations management services. Thus, the exclusion cannot apply if the
consultant is simply furnishing health IT managed service provider
(MSP) services and arrangements or any bundle of exclusively or
predominantly health IT items and services to the health care provider.
We believe excluded bundles of predominantly non-health IT services
are distinguishable from health IT MSP services and arrangements and
bundles of predominantly health IT items and services based on their
characteristics. For an arrangement to be consistent with the
comprehensive and predominantly non-health IT management services
exclusion (subparagraph (3)(iii)), the bundle of business
administrative and operational management services must demonstrate all
of the differentiating factors described at 88 FR 23863:
The individual or entity furnishing the administrative or
operational management consulting services acts as the agent of the
provider or otherwise on behalf of \246\ the provider in dealings with
the health IT developer(s) or commercial vendor(s) from which the
health IT the client health care providers ultimately use is obtained;
---------------------------------------------------------------------------
\246\ At 88 FR 23863, we used ``stands in the shoes of'' instead
of ``on behalf of, to parallel the wording of the subparagraph as
presented in the Proposed Rule. We have updated the statement of
this factor here to match the wording of the finalized subparagraph
(3)(iii).
---------------------------------------------------------------------------
The administrative or operational management consulting
services must be a package or bundle of services provided by the same
individual or entity and under the same contract or other binding
instrument, and the package or bundle of services must include a
comprehensive array of business administration functions, operations
management functions, or a combination of these functions that would
otherwise be executed by the health care provider; \247\
---------------------------------------------------------------------------
\247\ At 88 FR 23863, we referenced one example type of health
care provider (clinician practice) and various roles individuals
might have within health care provider organizations. We also used
the more colloquial ``fall on'' than ``be executed by.'' We used
that wording at 88 FR 23863 to parallel the wording of the
subparagraph as presented in the Proposed Rule. We have updated the
statement of this factor here to match the wording of the finalized
subparagraph (3)(iii).
---------------------------------------------------------------------------
The bundle of business administrative and operational
management consulting services must include multiple items and services
that are not health information technology as defined in 42 U.S.C.
300jj(5); and
The non-health IT services must represent more than half
of each of--
[cir] the person hours per year the consultant (individual or
entity) bills or otherwise applies to the services bundle (including
cost allocations consistent with Generally Accepted Accounting
Principles), and
[cir] the total cost to the client for, or billing from, the
consultant per year (including pass-through costs for the health IT
items and services).
These factors that differentiate comprehensive and predominantly
non-health IT management services tailor subparagraph (3)(iii) so that
it cannot be satisfied by a simple rebranding of health IT resale
models or managed service provider (MSP) services or by tacking a few
non-health IT service(s) onto a bundle of predominantly (half or more)
health IT items and services. Thus, we believe subparagraph (3)(iii) as
finalized is appropriately tailored to guard against misuse of the
exclusion in the market today.
We recognize, however, the potential for the market to evolve in
ways that would increase risk of unintended consequences or abuse of
this exclusion from the offer health IT definition. Although we have
finalized the exclusion of arrangements consistent with subparagraph
(3)(iii) without limiting its applicability based on characteristics,
features, or factors beyond those we proposed, we note that we may
consider amending the offer health IT definition (including any or all
of its exclusions) in future rulemaking in response to experience with
the definition in practice or other appropriate factors such as
changing market conditions.
Comments. A commenter that is a commercial developer of certified
health IT advocated that entities otherwise meeting the health IT
developer of certified health IT definition should be able to operate a
consulting entity that would engage in conduct excluded from the offer
health IT definition without the consulting entity's conduct in the
course of those activities implicating the developer as an actor. The
commenter suggested that a developer could otherwise be at a
competitive disadvantage specific to these consulting services compared
to consulting entities that engage only in activities excluded from the
offer health IT definition and do not otherwise meet the health IT
developer of certified health IT definition.
Response. Achieving the effect recommended by this comment would
require altering the structure and nature of the health IT developer of
certified health IT definition rather than the offer health IT
definition. Such modification of the health IT developer of certified
health IT definition would be beyond the scope of the wording update we
proposed in the HTI-1 Proposed Rule (see 88 FR 23864 and 23915).
Therefore, we interpret the comment primarily as a response to our
Request for Information on whether we should consider proposing in
future rulemaking any additional exclusions from the offer health IT
definition (section IV.C.1 of the HTI-1 Proposed Rule, starting at 88
FR 23873). We summarize and respond to this specific comment here
because we believe, in light of comments received from the health IT
customer community (including one addressed immediately below), it may
be helpful
[[Page 1369]]
to both health IT developers of certified health IT and their customers
for us to provide an overview of certain features and implications of
the information blocking regulations within which the finalized
subparagraph (3)(iii) of the offer health IT definition appears.
A baseline feature of information blocking regulations in place
since the ONC Cures Act Final Rule (85 FR 25642) is that the health
information network or health information exchange (HIN/HIE) definition
is currently the only Sec. 171.102 actor type definition that is
functional. As we stated in the ONC Cures Act Final Rule, ``the
individual or entity would be considered a HIN/HIE under the
information blocking regulations for any practice they conducted while
functioning as a HIN/HIE'' (85 FR 25802). In contrast, both the health
care provider and health IT developer of certified health IT
definitions in Sec. 171.102 are categorical, in the sense that an
individual or entity either meets one of these definitions or they do
not. For example, an individual or entity that meets the health IT
developer of certified health IT definition in any of its activities is
considered to be a health IT developer of certified health IT for any
of its practices that otherwise meet the information blocking
definition in 45 CFR 171.103--regardless of whether health IT involved
in a specific practice is certified. To read more about the health IT
developer of certified health IT definition's scope, including
applicability of the Cures Act's information blocking provision to a
developer's non-certified health IT, please see the ONC Cures Act Final
Rule preamble starting at 85 FR 25795.
We recognize that in a variety of circumstances developers and
offerors of certified health IT have business lines or other entities
that market various services also marketed by competitor entities that
do not develop or offer any certified health IT. We also recognize, and
would encourage customers to be aware, that any individual or entity
that (1) offers health IT products or consulting services in a way that
satisfies the exclusion, (2) does not engage in any other conduct
within the offer health IT definition, and (3) does not otherwise meet
the Sec. 171.102 actor definition would not be subject to the
information blocking regulations.
We believe any perceived competitive disadvantage a ``health IT
developer of certified health IT'' may experience as a result of
meeting the definition in Sec. 171.102 is offset by customers'
potential preferences to receive services from consultants who are
Sec. 171.102 actors. For example, in choosing among otherwise
competitive bids from a non-actor and a health IT developer of
certified health IT to serve in a specific consulting role, a customer
might weigh as favorable to a vendor or consultant that is a Sec.
171.102 actor the fact that the actor could be subject to enforcement
action under section 3022 of the PHSA if (except as required by law or
covered by an exception) the actor engages in conduct they know or
should know is likely to interfere with the access, exchange, or use of
EHI. We also refer readers to the discussion in the ONC Cures Act Final
Rule (85 FR 25795 through 25796) of a related concern about the
potential impact of the Cures Act's information blocking provision (42
U.S.C. 300jj-52) on health IT developers' decisions to participate in
the Program.
Comments. A commenter expressed concern about the risk of customers
being uncertain as to which entities offering consulting services
excluded from the offer health IT definition are subject to information
blocking regulations and which are not, and about other entities'
ability to support needs for data sharing within the healthcare space.
Response. We appreciate the commenter sharing this concern. We
recognize that whether a consultant has the skills and expertise to
deliver what the customer needs and expects for data sharing and other
activities involving or relying on data, is a foundational question.
Answering it, we believe, will continue to be something customers do by
assessing prospective consultants' qualifications against their
specific needs and priorities. Knowing that a consultant is an actor
subject to information blocking regulations is a useful piece of
information for customers to have, but a consultant meeting the Sec.
171.102 actor definition does not guarantee the consultant has the
level of particular knowledge, skills, abilities, or other capacity
that the customer wants or needs from a consultant or other vendor.
We also recognize that customers who prefer to obtain services that
are excluded from the definition of offer health IT from an entity that
is subject to the information blocking regulations may need to engage
in fact-finding to ascertain the status of entities that provide these
services. We note that it may be somewhat easier to identify the actor
status of a consultant where the consultant is also a developer
participating in the Program, or a health care provider, than where
they are not. This is because, for example, both individual and
organizational health care providers must typically be licensed in
jurisdiction(s) where they furnish healthcare. Most health care
providers in the United States will also have a National Provider
Identifier (NPI). Online directories of licensed health care providers
are available from or for U.S. states, and CMS supports an online
search utility for the NPI registry (available to the public free of
charge at https://npiregistry.cms.hhs.gov/search). Similarly, a search
of ONC's Certified Health IT Products List (CHPL) (https://chpl.healthit.gov/#/search) will indicate whether an entity has listed
under its name one or more Health IT Module(s) certified under the
Program. By contrast, an entity that only resells Health IT Module(s)
without having responsibility for the certification status of any such
Health IT Module(s) will not be listed on the CHPL. It is also
important to remember that entities' choices to engage in different
lines of business under different names may mean that the name under
which consulting services are furnished differs from the name(s) under
which: a developer of certified health IT is associated with any CHPL-
listed product(s); or an individual or entity that meets the Sec.
171.102 health care provider definition may be listed in any registry,
listing, or database of individual and organizational health care
providers. Therefore, a customer may need to refer to additional
sources of information, including those provided by the prospective
consultant, and may want to consider addressing the consultant's Sec.
171.102 actor status in the process of selecting the consultant or
contracting with the consultant for their services (such as through
representations and warranties).
One expectation we have for the improved clarity provided by the
offer health IT definition is that it will help customers to
differentiate between consultants who clearly are Sec. 171.102 actors
and those who might not be actors. With this clarity, we believe
customers will be in a better position to assess what additional
information, representations, or warranties they will require from a
consultant before making or finalizing a decision to engage the
consultant.
Summary of finalized policy--consulting and legal services
exclusion (paragraph (3)): After considering comments received, we have
finalized the substance of the consulting and legal services exclusion.
The finalized text of paragraph (3) includes minor revisions to
subparagraphs (i), (ii), and (iii) to improve clarity, address a
typographical error, and improve readability (as discussed above):
Revised the second sentence of subparagraph (i) to remove
unnecessary
[[Page 1370]]
words, increase precision, and improve readability, as follows:
[cir] Removed unnecessary words from ``if or when facilitating
limited access or use of the client's health IT or the EHI within it,''
resulting in the revised phrase reading ``when facilitating limited
access or use of the client's health IT.''
[cir] Revised the phrase ``to independent expert witnesses engaged
by counsel'' for readability and precision to read, as revised: ``by
independent expert witnesses engaged by the outside counsel.''
[cir] Revised the final phrase of the sentence from ``as necessary
or appropriate to legal discovery'' to ``as appropriate to legal
discovery.''
Revised the wording of the subparagraph (3)(ii) heading to
read ``health IT consultant assistance with selection, implementation,
and use of health IT,'' correcting the typographical error that had
omitted ``with'' from the text as published in the HTI-1 Proposed Rule
(88 FR 23915).
Revised the wording of subparagraph (3)(ii) to improve
readability by removing unnecessary reference to services being
potentially provided by an individual or a firm, and to ``expert.'' As
discussed in response to comments, subparagraph (3)(ii) applies to the
activities it describes. Application of subparagraph (3)(ii) does not
depend on the consultant having or applying specific type(s) or
level(s) of expertise, knowledge, or skills in furnishing expert
services to help the customer do (or do for the customer) the
activities described in subparagraph (3)(ii)(A) through (C). The
revision is from the HTI-1 Proposed Rule's wording ``. . . provided by
an individual or firm when furnishing expert advice and consulting
services to a health IT customer or user that help the customer or
user, or on the customer's behalf, do . . .'' to ``. . . advice and
consulting services furnished to a health IT customer or user to do (or
on behalf of a customer or user does).''
Revised wording of subparagraph (3)(ii)(A) to improve
readability, from ``define the customer or user business needs;
evaluate or select health IT product(s),'' as presented in the HTI-1
Proposed Rule, to the finalized wording of: ``define the business needs
of the customer or user or evaluate health IT product(s) against such
business needs, or both.''
In response to public comments, modified the wording of
subparagraph (3)(ii)(C) from ``oversee'' to ``oversee or carry out'' so
that, on its face, the wording provides immediate and explicit clarity
that the exclusion encompasses carrying out as well as overseeing
configuration, implementation, or operation of health IT products.
To improve readability of subparagraph (3)(iii), we have
revised its wording in the following ways:
[cir] Split the paragraph into two sentences instead of one. The
second sentence, as finalized, opens with ``To be consistent with this
subparagraph, such services must be furnished'' to connect this to the
preceding paragraph and ensure it remains clear that services are not
consistent with subparagraph (3)(iii) unless they are furnished as part
of a comprehensive array of predominantly non-health IT services (as
discussed above, in responses to comments).
[cir] From the first revised sentence, removed unnecessary
reference to clinician practice and other unnecessary words to improve
readability. This change is from ``provided by an individual or entity
when furnishing a clinician practice or other health care provider
administrative or operational management consultant services where the
management consultant acts as the agent of the provider or otherwise''
to the finalized wording: ``when an individual or entity furnishes a
health care provider with administrative or operational management
consultant services and the management consultant acts as the agent of
the provider or otherwise.''
[cir] Replaced in the first finalized sentence of the subparagraph
the phrase ``stands in the shoes of the provider'' with less colloquial
phrase ``acts on behalf of the provider.''
[cir] Revised description of dealings with health IT developers and
vendors to strike unnecessary adjective (``commercial'') and improve
facial clarity that the dealings could be with one or more developers
or vendors. This change in text is from ``in dealings with the health
IT developer or commercial vendor'' to ``in dealings with one or more
health IT developer(s) or vendor(s).''
[cir] At the end of what is, as finalized, the first sentence of
the subparagraph, we replaced ``and/or in managing the day-to-day
operations and administrative duties for the health IT,'' with ``or
managing the day-to-day operations and administrative duties for the
health IT, or both.''
[cir] Replaced in the second clause of the finalized second
sentence of the subparagraph the phrase ``fall on'' with less
colloquial phrase ``be executed by'' and struck unnecessary reference
to a specific type of health care provider entity, and unnecessary
reference to different roles within provider organizations. The
affected portion of the subparagraph as presented in the HTI-1 Proposed
Rule read: ``as part of a comprehensive array of predominantly non-
health IT administrative and operational functions that would otherwise
fall on the clinician practice or other health care provider's
partners, owner(s), or staff.'' As a result of the revisions described
here, the second sentence of the subparagraph reads as a whole: ``To be
consistent with this subparagraph, such services must be furnished as
part of a comprehensive array of predominantly non-health IT
administrative and operational functions that would otherwise be
executed by the health care provider.''
We reiterate here, because we believe it is worth amplifying, a
point we noted in the HTI-1 Proposed Rule (88 FR 23862) specific to the
comprehensive and predominantly non-health IT management services
arrangements (subparagraph (3)(iii)). That point is its implication for
health care providers' accountability for acts or omissions of health
care providers' administrative or operational management services
consultants operating under the exception that implicate the definition
of information blocking in Sec. 171.103: where an administrative or
operations management services firm would not be considered to offer
health IT for which they contract on behalf of one or more practices
(or facilities or sites of care) because they are acting as the
provider's agent or otherwise standing in the shoes of the provider in
selecting and contracting for a variety of services and supplies--
including, but not limited to, the health IT that includes at least one
certified Health IT Module--we would view the provider as retaining
accountability for any information blocking conduct that the management
services company perpetrates while thus acting on the provider's
behalf. We recognize this may have implications for how providers may
wish to structure administrative and operational services contracts in
the future, potentially including a provider seeking representations
and warranties giving the provider assurance that the administrative or
operations management services company will not, without the provider's
direction, knowledge, or approval, engage in any practice not required
by law or covered by an information blocking exception that is likely
to interfere with access, exchange, or use of EHI and could be
unreasonable. However, subparagraph (3)(iii) of the consulting and
legal services exclusion from the offer health
[[Page 1371]]
IT definition is not intended to have the effect of regulating or
otherwise interfering with contracting relationships between health
care providers and entities that do, or might, furnish them with
practice, facility, location, or site management consulting and
operational services packages.
We also remind, again, any individual or entity otherwise meeting
the Sec. 171.102 actor definition that engaging in activities that are
explicitly excluded from the offer health IT definition under paragraph
(1), (2), or (3), will not change the fact that they are a Sec.
171.102 actor. Where an individual or entity meets the actor
definition, that actor's having also engaged in any one or more
activities that satisfies an exclusion from the offer health IT
definition does not mean the individual or entity is no longer an
actor. The fact that an actor may engage in some conduct that is
consistent with an explicit exclusion from the offer health IT
definition does not mean that conduct on the actor's part is not
subject to the information blocking definition. The fact that
particular conduct of an individual or entity meets any exclusion from
the offer health IT definition only means that specific conduct does
not meet the definition of offer health IT.
2. Health IT Developer of Certified Health IT: Self-Developer Health
Care Providers
For reasons discussed in the ONC Cures Act Final Rule (85 FR 25799
through 25800), health care providers who self-develop certified health
IT ``for their own use'' were excluded from the health IT developer of
certified health IT definition. However, under that definition, if a
health care provider responsible for the certification status of any
Health IT Module(s) were to offer or supply those Health IT Module(s)
on any terms to other entities for those entities' use in their own
independent operations, that would be inconsistent with the concept of
the health care provider self-developing health IT ``for its own use.''
As we explained in the ONC Cures Act Final Rule (at 85 FR 25799), we
use the term ``self-developer'' in this context as the term has been
used in the ONC Health IT Certification Program (Program) and as
described in section VII.D.7 of the Cures Act Proposed Rule (at 84 FR
7507).
In the HTI-1 Proposed Rule, informed by our proposal to define
``offer health IT,'' we proposed to modify the health IT developer of
certified health IT definition in Sec. 171.102. To ensure it would be
immediately clear from the face of the regulations' text that we had
put all health care providers that engage in activities consistent with
the exclusions in paragraphs (1) through (3) of the offer health IT
definition on the same footing regardless of who develops the health IT
involved in these activities, we proposed to replace in the health IT
developer of certified health IT definition the phrase ``other than a
health care provider that self-develops health IT for its own use''
with the phrase ``other than a health care provider that self-develops
health IT not offered to others'' (See 88 FR 23864).
Comments. A majority of comments specific to this proposal
supported the proposal. Several comments stated that self-developer
health care providers should not be considered health IT developers of
certified health IT. Several comments stated that self-developer health
care providers who offer health IT should be included health IT
developers of certified health IT definition alongside other
individuals and entities that offer certified health IT.
Response. We appreciate all comments received. Having considered
the comments, we have finalized our proposal to align the self-
developer health care provider exclusion from the health IT developer
of certified health IT definition with our finalized definition of
``offer health IT.'' Stated another way, health care providers who
self-develop certified health IT that is not offered to others are
excluded from the health IT developer of certified health IT definition
unless they ``offer health IT'' as now defined in Sec. 171.102. We
have made one revision to the wording of the finalized updated text of
the definition for readability, specifically from ``other than a health
care provider that self-develops health IT not offered to others'' to
``other than a health care provider that self-develops health IT that
is not offered to others.'' We summarize and respond to additional
comments related to the health IT developer of certified health IT
definition below.
Comments. We received several comments advocating that we exclude
all providers who host EHRs for other providers (sometimes
characterizing it as extending the host provider's EHR) from the health
IT developer of certified health IT definition. These comments have
been discussed in section IV.B.1 because several of them discussed this
recommendation as an extension, clarification, or addition to the
proposed exclusions from the offer health IT definition. Some
commenters, however, connected the suggestion to the health IT
developer of certified health IT definition. Commenters' rationales for
excluding from the health IT developer of certified health IT
definition health care providers who ``extend their EHRs'' or otherwise
provide certified health IT to other providers included: health care
providers are already actors under the information blocking regulations
(Sec. 171.102); recipient providers would be unable to afford
interoperable health IT obtained from other sources; and the developer
should be held accountable for design defects in health IT. Several
other commenters, representing the health care provider as well as the
ONC Health IT Certification Program-participating developer
perspectives, explicitly supported our proposal to have all entities
that offer health IT (as we have defined such action) continue to meet
the definition of health IT developers of certified health IT
regardless of whether such health IT was self-developed or obtained
from a third-party developer.
Response. Whether done by a health care provider or anyone else,
hosting EHR systems, otherwise providing or supplying health IT items
and services, or holding out any certified health IT to health care
providers generally meets the offer health IT definition. Such actions
are excluded from the offer health IT definition only when and to the
extent it is consistent with subparagraph (3)(iii) of the offer health
IT definition. Any individual or entity, regardless of whether they
also meet the Sec. 171.102 definition of health care provider, who
engage in conduct meeting the offer health IT definition meet the
health IT developer of certified health IT definition on the basis of
that conduct.
We had not proposed, and we have not made, revisions to ``carve
out'' health care providers who offer health IT from the health IT
developer of certified health IT definition. We included in section
IV.C.1 of the HTI-1 Proposed Rule (88 FR 23873) a request for
information on additional exclusions from the offer health IT
definition but did not propose to exclude supply of health IT for
deployment by or for others from the offer health IT definition based
on the supplier being a health care provider. Further, as noted above,
we received comments supporting the health IT developer of certified
health IT approach we proposed. Therefore, any further exclusions from
the offer health IT definition are deferred for future consideration.
Regarding concerns about design flaws in the software created by
the developer of certified health IT, as a Sec. 171.102 actor, the
developer would be subject to information blocking penalties for
software design flaws to the extent such flaws constitute information
blocking. As we did in the ONC Cures Act Final Rule (see 85 FR
[[Page 1372]]
25798 through 25799), we again refer commenters concerned about holding
offerors that do not develop health IT accountable for the conduct of
the developer (or others) to section 3022(a)(6) of the PHSA, which
states that the term ``information blocking,'' with respect to an
individual or entity, shall not include an act or practice other than
an act or practice committed by such individual or entity. Where the
individual or entity that develops health IT is different from the
individual or entity that offers certified health IT, each such
individual or entity is only liable for the acts and practices that it
commits.
In the ONC Cures Act Final Rule (85 FR 25798-25800), we explained
that any that any individual or entity that develops health IT, except
for health care providers that self-developed certified health IT for
their own use, meet the definition of health IT developer of certified
health IT while they have one or more Health IT Modules certified under
the ONC Health IT Certification Program. We also explained that
individuals or entities meet the health IT developer of certified
health IT definition if they offer certified health IT. This remains
true with the conclusion of this rulemaking. Under the policies
finalized in this rule, any individual or entity, including a self-
developer health care provider or any other health care provider, that
offers health IT (as defined in Sec. 171.102) meets the definition of
health IT developer of certified health IT.
Comments. A commenter requested that we clarify what the term
health care provider means as used within the health IT developer of
certified health IT definition.
Response. The term health care provider is defined for purposes of
the information blocking regulations in 45 CFR 171.102. To help
interested parties better understand the definition, we make
information blocking resources available through our website,
HealthIT.gov. These resources include a fact sheet titled ``Health Care
Provider Definition'' that provides, in a single document, a copy of
the full text of the health care provider statutory definition (PHSA
section 3000) cited in Sec. 171.102 and the text of statutory cross-
references within the PHSA section 3000 definition of health care
provider.\248\
---------------------------------------------------------------------------
\248\ Health Care Provider Definition and Cross-Reference Table,
available at: https://www.healthit.gov/sites/default/files/page2/2020-08/Health_Care_Provider_Definitions_v3.pdf (Retrieved Jun 28,
2023.)
---------------------------------------------------------------------------
Summary of finalized policy--health IT developer of certified
health IT definition: After consideration of comments received, we have
finalized the revision to the definition substantively as proposed. We
have made a non-substantive change to the wording of the finalized
revised definition of health IT developer of certified health IT in
comparison to the HTI-1 Proposed Rule; specifically, in the clause
excluding self-developer health care providers to the extent their
self-developed health IT is not offered to others. In the HTI-1
Proposed Rule, that clause read: ``other than a health care provider
that self-develops health IT not offered to others.'' As finalized, we
added ``that is'' immediately before ``not offered to others'' to
improve readability of the finalized text.
We emphasize that any individual or entity that chooses to offer
health IT (as defined in Sec. 171.102) will meet the finalized revised
Sec. 171.102 health IT developer of certified health IT definition
regardless of who developed the certified health IT that the individual
or entity offers to others, and regardless of whether the health IT is
offered at or below cost, market rate, or other benchmark price for the
same or similar health IT items or services. This includes individuals
and entities that offer health IT while also meeting the definition of
health care provider, as both terms are defined in Sec. 171.102,
regardless of whether such individuals or entities also self-develop
any health IT (certified or otherwise) deployed only within their own
organization or operations. Regarding health care providers who might
engage in activities consistent with one or more exclusion(s) from the
offer health IT definition without also engaging in activities or
arrangements that meet the offer health IT definition, we note that all
such health care providers will stand on the same footing regardless of
whether they also self-develop health IT that is not offered to others.
3. Information Blocking Definition
As finalized in the ONC Cures Act Final Rule (85 FR 25642) and the
Cures Act Interim Final Rule (85 FR 70085), the information blocking
definition (Sec. 171.103) and the Content and Manner Exception (Sec.
171.301(a)) were limited for a period of time to a subset of EHI that
was narrower than the EHI definition finalized in the ONC Cures Act
Final Rule in Sec. 171.102. The narrower subset included only the EHI
identified by the data elements represented in the United States Core
Data for Interoperability (USCDI) for the first 18 months (until May 2,
2022) after the applicability date for 45 CFR part 171 (November 2,
2020) (85 FR 25792). The Cures Act Interim Final Rule extended the
applicability date of 45 CFR part 171 to April 5, 2021 (85 FR 70069).
This extended the end of the first 18 months of applicability of 45 CFR
part 171 until October 6, 2022 (85 FR 70069).
Because October 6, 2022, has passed, we proposed to revise the
information blocking definition (Sec. 171.103) to remove the paragraph
designating the period of time for which the information blocking
definition was limited to EHI that consists of the data elements
represented in the USCDI (88 FR 23864 and 88 FR 23916). This time
period designation was codified in Sec. 171.103(b), as finalized in
2020, and removal of this paragraph allows for redesignation of
remaining paragraphs within Sec. 171.103 as shown in the HTI-1
Proposed Rule (at 88 FR 23916).
Similarly, because we included the same date in two paragraphs of
the Content and Manner Exception (Sec. 171.301(a)(1) and (2)), we
proposed to revise Sec. 171.301 to remove the existing Sec.
171.301(a)(1) and (2) as no longer necessary (88 FR 23864 through 23865
and 88 FR 23916). The proposed revised version of Sec. 171.301 refers
simply to EHI. We further proposed to renumber several of the existing
provisions in Sec. 171.301 accordingly and rename the exception as the
``Manner'' exception.
Comments. Comments received on our proposal to remove obsolete text
from the information blocking definition (Sec. 171.103) generally
supported this proposal. Comments noted that the information blocking
definition prevents practices that hinder access to EHI, supports
improved access to EHI for patients and health care providers,
facilitates interoperability and encourages actors to prioritize
interoperability, and promotes transparency and accountability in the
healthcare ecosystem. A commenter stated the information blocking
regulations are beneficial to underserved, underrepresented patient
populations and the health care providers who serve them. This
commenter advocated for collaborative efforts among various parties
interested in information sharing, characterizing such efforts as
crucial to ensuring that the information blocking regulations
effectively support the goal of equitable access to high-quality
healthcare for underserved populations. No commenters opposed this
proposal. However, some commenters did note general concerns about the
importance of balancing information sharing goals with patient privacy
and data security.
Response. We appreciate commenters' feedback and have finalized the
update to the information blocking definition
[[Page 1373]]
(Sec. 171.103), as proposed. The topic of balancing information
sharing goals with patient privacy and security of patients' health
information is out of scope for this proposal, but it was also raised
in comments on other proposals. We discuss, at the beginning of section
IV of this final rule (above), comments raising general concerns about
a perceived conflict between the goals of maximizing information
sharing and appropriately protecting patients' privacy interests. We
agree that information sharing can help improve many aspects of health
care for all patients throughout the United States. We look forward to
continued engagement with actors, patients, and others who support
information sharing that contributes to improved care and health for
individuals, families, and communities.
Comments. We received one comment that expressed concern about
requirements to share mental health notes that were historically
blocked from the rest of the record. The comment identified as an issue
having all health care providers being able to access all mental health
notes when they may not be immediately relevant to the patient at the
point of care.
Response. In the HTI-1 Proposed Rule, we did not propose to modify
existing exclusions from the Sec. 171.102 definition of EHI for
purposes of the information blocking regulations. Psychotherapy notes
as defined in the HIPAA Privacy Rule at 45 CFR 164.501 are explicitly
excluded from the 45 CFR 171.102 definition of electronic health
information (EHI) for purposes of the information blocking regulations.
We have posted on our website information resources to help actors
understand the EHI definition and consider whether particular data is
EHI for purposes of 45 CFR part 171 (see https://www.healthit.gov/topic/information-blocking).
We note, and remind actors, that persons who engage in
inappropriate uses and disclosures of individuals' health information
may be violating other laws, including, but not limited to, the HIPAA
Privacy Rule, 42 CFR part 2, or state or tribal laws. Persons using or
disclosing individuals' health information in violation of one or more
such law(s) would be subject to the consequences for violating those
laws.
Comments. A commenter advocated for further revision of the
information blocking definition to specify who must be affected by a
practice that is otherwise consistent with the definition in order for
the practice to be considered information blocking. The comment
suggested as an example adding to paragraph (2)(b) of Sec. 171.103 an
explicit statement that the action can affect EHI access by physicians
as well as by patients.
Response. We did not propose such a revision in Sec. 171.103 and
decline to adopt it here. We reiterate that an actor's practice meeting
the information blocking definition is considered to be information
blocking regardless of whether it affects access, exchange, or use of
EHI by a patient, health care provider, health plan, or other person
(as defined in Sec. 171.102) that seeks access, exchange, or use of
EHI for any permissible purpose (as defined in Sec. 171.102).
Comments. A commenter requested we retain ``Content and Manner'' as
the title of the exception codified in Sec. 171.301 and retain wording
specific to limiting the content fulfilled for a request to recognize
the potential for an actor to be able to fulfill access, exchange, or
use of some, but not all, EHI in a particular requested manner. Another
commenter characterized our proposal to remove reference to the period
of time and limited EHI in Sec. 171.301 as removing a safe harbor
protection for limiting the content of a response. This commenter
stated that an actor may be able to satisfy Sec. 171.301 for only some
of the EHI requested. This commenter also stated that the proposed
revision to Sec. 171.301 creates uncertainty as to whether the Manner
Exception can be satisfied where an actor can fulfill access, exchange,
or use of only some EHI in the manner requested or in an alternative
manner consistent with Sec. 171.301.
Response. We decline to retain the prior title of the Manner
Exception. We note that the ``content'' condition we have removed from
regulatory text through this final rule has been moot since October 6,
2022, and we did not propose to re-instate it in the HTI-1 Proposed
Rule. In section IV.A, we discuss an example situation where multiple
exceptions could be used to provide an actor with certainty that their
practices in responding to a request for access, exchange, or use of
EHI will not be considered to be information blocking. Similarly, an
actor might be able to satisfy the Manner Exception for only some of
the EHI requested in a particular situation. In such instances, an
actor may want to consider whether another exception is applicable to
any other requested EHI.
Summary of finalized policy: After consideration of comments, we
have finalized the proposed removal of references to the USCDI, as well
as the time period designation, from Sec. Sec. 171.103 and 171.301. We
have also finalized corresponding redesignations of paragraphs, as
proposed.
C. Exceptions
1. Infeasibility
a. Infeasibility Exception--Uncontrollable Events Condition
We established the Infeasibility Exception in the ONC Cures Act
Final Rule (85 FR 25865 through 25870, 85 FR 25958; 45 CFR 171.204).
The Infeasibility Exception includes conditions under which an actor's
practice of not fulfilling requests for EHI access, exchange, or use
due to infeasibility will not be considered information blocking. One
of the conditions of the Infeasibility Exception, finalized by the ONC
Cures Act Final Rule in Sec. 171.204(a)(1), is the uncontrollable
events condition. Under the uncontrollable events condition, an actor's
practice of not fulfilling a request to access, exchange, or use EHI
that is infeasible for the actor to fulfill as a result of events
beyond the actor's control (listed in Sec. 171.204(a)(1)) will not be
considered information blocking provided such practice also meets the
condition in Sec. 171.204(b). In the HTI-1 Proposed Rule, we proposed
to revise Sec. 171.204(a)(1) to add clarity to the uncontrollable
events condition (88 FR 23865).
In the HTI-1 Proposed Rule (88 FR 23865), we reminded readers that
under the uncontrollable events condition, an actor's practice of not
fulfilling a request to access, exchange, or use EHI as a result of a
natural or human-made disaster, public health emergency, public safety
incident, war, terrorist attack, civil insurrection, strike or other
labor unrest, telecommunication or internet service interruption, or
act of military, civil or regulatory authority (Sec. 171.204(a)(1); 85
FR 25874) will not be considered information blocking provided such
practice also meets the condition in Sec. 171.204(b). We explained
that the fact that an uncontrollable event specified in Sec.
171.204(a)(1) occurred is not a sufficient basis alone for an actor to
meet the uncontrollable events condition of the Infeasibility
Exception. Rather, the use of the words ``due to'' in the
uncontrollable events condition (paragraph (a)(1) of Sec. 171.204) was
intended to convey, consistent with the Cures Act Proposed Rule, that
the actor must demonstrate a causal connection between the actor's
inability to fulfill access, exchange, or use of EHI and the
uncontrollable event. As we illustrated in the HTI-1 Proposed Rule (88
FR 23865), a public health emergency is listed as an uncontrollable
event under Sec. 171.204(a)(1). If the federal
[[Page 1374]]
government or a state government were to declare a public health
emergency, the mere fact of that declaration would not suffice for an
actor to meet the condition. To meet the condition, the actor would
need to demonstrate that the public health emergency actually caused
the actor to be unable to provide access, exchange, or use of EHI for
the facts and circumstances in question. The emergency need not be the
only cause of a particular incapacity, but the actor needs to
demonstrate that the public health emergency did in fact negatively
impact the feasibility of that actor fulfilling access, exchange, or
use in the specific circumstances where the actor is claiming
infeasibility.
While the uncontrollable events condition (Sec. 171.204(a)(1)) has
always required causal connection between the actor's inability to
fulfill the request and the natural or human-made disaster, public
health emergency, public safety incident, war, terrorist attack, civil
insurrection, strike or other labor unrest, telecommunication or
internet service interruption, or act of military, civil or regulatory
authority, we proposed to revise the condition by replacing the words
``due to'' with ``because of'' (88 FR 23865). We welcomed comments on
this proposal, including whether alternative or additional refinements
to the wording of the condition may make the causal connection
requirement more immediately obvious from the face of the text in Sec.
171.204(a)(1) (88 FR 23865).
Comments. In general, commenters expressed support for clarifying
the uncontrollable events condition by stating that the actor's
inability to fulfill the request is ``because of'' one of the events
listed. Commenters noted that the extra clarity adds certainty for
actors and demonstrates a clear causation requirement. Some commenters
supported the change but noted that ``due to'' and ``because of'' mean
the same thing and the change would not have any resulting implications
for actors. Another commenter agreed with the intent but did not
believe that the change of wording from ``due to'' to ``because of''
provides any more clarity. This commenter asked what change in impact
or obligation stemmed from the change, recommending a clear statement
of the causal connection between the uncontrollable event and the
impact on the actor. A commenter requested clarification as to how ONC
believes the ``due to'' and ``because of'' differ in terms of
implications for--or obligations now expected of-- actors. A commenter
recommended we make a clear statement about the causal connection
between the uncontrollable event and the impact on the actor but did
not suggest where, or in what words, we should consider making the
statement.
Response. We appreciate the support expressed by many commenters
and as discussed more fully below; we have finalized a revision of
Sec. 171.204(a)(1) with modifications to the regulation text to
provide additional clarity. As noted in the preamble to the HTI-1
Proposed Rule, the words ``due to'' convey that the actor must
demonstrate a causal connection between not providing access, exchange,
or use of EHI and the uncontrollable event (88 FR 23865). We proposed
to change the term to ``because of'' to provide further clarity. The
revised language was not intended to change the substance of the
condition, its implications, or what would be required of an actor for
purposes of meeting the condition.
We did not receive comments suggesting specific additional
refinements to the condition's text, or recommending specific
alternative wording for ``because of,'' to make the causal connection
requirement more immediately obvious from the text of the
uncontrollable events condition (Sec. 171.204(a)(1)). However, having
considered commenters' feedback, adding text to the finalized revision
to Sec. 171.204 will help actors and other interested persons
immediately recognize that a causal connection is required between the
uncontrollable event and the infeasibility of the actor's fulfilling a
request for EHI access, exchange, or use. We have, therefore, finalized
the proposed revision to Sec. 171.204(a)(1) with the additional clause
``that in fact negatively impacts the actor's ability to fulfill the
request'' at the end of the condition. This additional text is
consistent with our statement in the preamble of the HTI-1 Proposed
Rule that ``the actor must demonstrate a causal connection between not
providing access, exchange, or use of EHI and the uncontrollable
event'' (88 FR 23865). We intend for this additional clause to
reinforce clarity that the actor must demonstrate an actual negative
impact of the uncontrollable event on their ability to fulfill the
requested access, exchange, or use of EHI for the uncontrollable events
condition to be met. To reiterate, the finalized change to the wording
of Sec. 171.204 is only intended to improve clarity for actors and
other interested parties in comparison to the previous wording rather
than to make any change to the substance of the policy that it
codifies.
Comments. A commenter recommended that ONC expand the definitions
within the uncontrollable events condition to include impediments of
data access, exchange, or use because of any disaster or emergency
declared by an authorized governmental entity, noting that in addition
to declared emergencies, this would include response and recovery
periods associated with natural disasters that impacted the
availability of providers' information systems or data.
Response. We did not propose to change the list of uncontrollable
events or further define them, nor do we believe it is necessary to
revise the references to disasters and emergencies to refer to a
governmental declaration of that status or recovery or restoration
periods. The events listed in the condition include acts of ``military,
civil, or regulatory authority'' as well as natural or human-made
disasters and other types of events or emergencies that might prompt a
governmental authority to issue a declaration of disaster or emergency.
However, consistent with the scope of the proposal, we emphasize that a
key component of this condition is that an actor must demonstrate that
a request for access, exchange, or use is infeasible because the
uncontrollable event negatively impacts the actor's ability to fulfill
the request.
Comment. A commenter recommended that we consider reporting
flexibilities for this condition similar to those that other HHS
programs put in place for declared emergencies, citing waivers issued
in the context of public health emergencies for requirements of
programs administered by the Centers for Medicare & Medicaid Services
(CMS).
Response. We did not propose to create such a reporting system as
suggested by the commenter nor is there currently a requirement for
actors to routinely report to ONC which of their practices they believe
they have structured to satisfy any information blocking exception(s).
We thank the commenter for the suggestion.
Comment. A commenter noted the importance of minimizing
administrative burden on health care providers, and specifically
physicians delivering care in context of an emergency or disaster.
Response. The commenter did not specify the types of administrative
burden it was concerned about, but we suspect the concern is related to
documenting compliance with the conditions of the Infeasibility
Exception, including Sec. 171.204(b). We emphasize that the
uncontrollable events condition does not require specific documentation
to be satisfied, and we did not propose specific documentation
requirements for an
[[Page 1375]]
actor to satisfy the uncontrollable events condition in paragraph
(a)(2). We also did not propose to change the requirements of the
responding to requests condition (Sec. 171.204(b)). Both conditions
remain the same in this regard. The responding to requests condition
(Sec. 171.204(b)) does not include specific documentation
requirements, but does require the actor to provide the requestor, in
writing, the reason(s) why the request is infeasible within ten
business days of receipt of the request. An actor has flexibility in
demonstrating how they met the uncontrollable events and the responding
to requests conditions of the Infeasibility Exception.
Comments. A commenter asked about an actor's burden of proof with
respect to this exception.
Response. As noted in the response to the comment above, we did not
propose in the HTI-1 Proposed Rule specific documentation requirements
for an actor to satisfy the uncontrollable events condition or the
responding to requests condition of the Infeasibility Exception. In the
ONC Cures Act Final Rule (85 FR 25821), we stated that an actor seeking
an exception needs to meet all relevant conditions of the exception at
all relevant times. For the Infeasibility Exception, an actor seeking
to satisfy the exception would need to demonstrate it satisfied one of
the conditions in Sec. 171.204(a) and the condition in Sec.
171.204(b). Further, as we noted in the HTI-1 Proposed Rule, the actor
would need to produce evidence and ultimately prove that complying with
the request for access, exchange, or use of EHI in the manner requested
would have imposed a clearly unreasonable burden on the actor under the
circumstances (88 FR 23865, citing 85 FR 25866). We also refer readers
to the ONC Cures Act Final Rule (85 FR 25819) for additional discussion
on establishing that an actor's practice(s) meet the conditions of an
exception.
Comments. Some comments we received discussed the responding to
requests condition (Sec. 171.204(b)) as new or pending or in other
ways that suggested some commenters may not have reviewed the full text
of the existing Infeasibility Exception (Sec. 171.204) prior to
commenting on the HTI-1 Proposed Rule.
Response. We thank all commenters for their feedback. We appreciate
the opportunity to remind actors, and any persons who may seek EHI
access from actors, where and how to find all the information blocking
exceptions, and to discuss a bit further here the Infeasibility
Exception's structure and its requirements.
First, we note that actors seeking to satisfy an exception, or
other persons interested in when an exception applies, should review
the exception's full regulatory text (found in the exception's section
of 45 CFR part 171). In addition, the requirements and conditions of
each exception set forth in subparts B, C, and D of 45 CFR part 171
should be read in context with the subpart's ``availability and effect
of exceptions'' section (45 CFR 171.200, 45 CFR 171.300, and 45 CFR
171.400, respectively), as well as the general provisions in subpart A
of 45 CFR part 171. The conditions under which each exception can be
satisfied are specified in 45 CFR part 171. Where the conditions
include any requirements the actor's practice must satisfy for an
exception to apply, these requirements are included in that exception's
section of 45 CFR part 171. For example, all of the conditions and
requirements for the Infeasibility Exception to apply to an actor's
practice of not fulfilling requested EHI access, exchange, or use due
to the infeasibility of the request are specified in Sec. 171.204. The
general provisions in subpart A indicate the statutory basis and
purpose of the information blocking regulations, the applicability of
the regulations, and definitions of certain terms used in 45 CFR part
171.
Specific to the Infeasibility Exception, the requirement that, for
this exception to apply, the actor's practice must satisfy at least one
condition in paragraph (a) and also satisfy the condition in paragraph
(b) of Sec. 171. 204 has been in place since the Infeasibility
Exception (Sec. 171.204) was established in the ONC Cures Act Final
Rule (85 FR 25869 and 85 FR 25958; see also 85 FR 25867). Thus, as is
the case for a practice meeting any of the conditions codified in Sec.
171.204(a), an actor's practice consistent with the Sec. 171.204(a)(1)
uncontrollable events condition would also need to meet the
requirements of Sec. 171.204(b), the responding to requests condition,
for that practice to fully satisfy the Infeasibility Exception.
Comments. A few commenters suggested that 10 business days may not
be enough time for an actor severely impacted by a disaster to become
aware of and respond to requests received around the time the disaster
occurred, or that actors may need time to recover from an event before
they are able to respond to requests for EHI. One of these commenters
cited the potential for some events to be sufficiently disruptive and
that the actor would lose the ability to access requests received
before and during the disruption. The commenter noted that a 10-day
response time may be unreasonable in the middle of a major hurricane
involving power outage, facilities damage, and displacement of staff
members key to processing requests. A comment suggested specific
changes to the responding to requests condition so that an automated
notice a system is down be considered as sufficient ``notice'' to
satisfy the exception.
Response. We did not propose in the HTI-1 Proposed Rule to change
any aspect of the responding to requests condition (Sec. 171.204(b))
and decline to do so in this final rule. However, as it applies to
actors' practices of not fulfilling requests that are infeasible
because an uncontrollable event has, in fact, negatively impacted the
actor's ability to fulfill access, exchange, or use of EHI, we welcome
the opportunity to clarify that the responding to requests condition
(Sec. 171.204(b)) does not focus on when the requestor sends or
attempts to make the request. Rather, the responding to requests
condition (Sec. 171.204(b)) specifies the ``receipt of the request.''
Satisfying the responding to requests condition, therefore, requires
providing the reason for infeasibility in writing within ten business
days of the actor receiving the request rather than counting ten
business days from when a requestor may have sent or attempted to send
the request.
Comments. A commenter supported the Infeasibility Exception and
asked that ONC consider further examples and definitions of extreme and
uncontrollable circumstances to prevent abuse of the condition.
Response. We appreciate the support. We note that the finalized
revision to Sec. 171.204(a)(1) includes the following additional
clause at its end: ``. . . that in fact negatively impacts the actor's
ability to fulfill the request.'' This new additional clause makes it
clear that in order for the actor's not fulfilling a request to satisfy
the Sec. 171.204(a)(1) uncontrollable events condition, the
uncontrollable event must, in fact, have had an adverse impact on the
actor's ability to fulfill a request for EHI access, exchange, or use.
We believe the clarifying modification will help prevent abuse of the
condition because it will enable actors to more confidently and
accurately assess when and how the uncontrollable events condition
could be satisfied, thus deterring actors from asserting they cannot
fulfill a request merely because an uncontrollable event that did not
negatively impact the actor's ability to fulfill the request had
occurred.
Summary of finalized policy--uncontrollable events condition of the
Infeasibility Exception (Sec. 171.204(a)(1)):
[[Page 1376]]
After consideration of comments received, we have finalized the revised
uncontrollable events condition to the Infeasibility Exception with
modifications to the proposed regulatory text. We have finalized our
proposal to replace ``due to'' with ``because of'' in Sec. 171.204(a).
As discussed in response to comments, we have also added to the end of
the text of Sec. 171.204(a) the following: ``that in fact negatively
impacts the actor's ability to fulfill the request.'' This addition is
intended to improve the clarity with which the text conveys that to
meet this specific condition of the Infeasibility Exception with
respect to any request, an actor cannot simply assert that they cannot
fulfill a request because an event consistent with Sec. 171.204(a)
occurred. To meet the condition, the actor must demonstrate that the
uncontrollable event, in fact, negatively impacted the actor's
inability to fulfill a request.
b. Infeasibility Exception--Third Party Seeking Modification Use
In the HTI-1 Proposed Rule (88 FR 23865 through 23867), we proposed
to renumber the Infeasibility Exception's (45 CFR 171.204) infeasible
under the circumstances condition from paragraph (a)(3) to paragraph
(a)(5) and to codify at (a)(3) a new condition third party seeking
modification use. We proposed, as discussed in section IV.B.1.c below,
another new condition that would be codified as paragraph (a)(4) of
Sec. 171.204. We received no comments expressing a particular view on
the redesignation of infeasible under the circumstances condition as
subparagraph (a)(5) and have, based on finalization of proposed new
conditions in (a)(3) and (a)(4), finalized the redesignation of the
infeasible under the circumstances condition as (a)(5).
We proposed that the Sec. 171.204(a)(3) third party seeking
modification use condition would apply in certain situations where the
actor is asked to provide the ability for a third party (or its
technology, such as an application) to modify EHI that is maintained by
or for an entity that has deployed health information technology as
defined in Sec. 170.102 and maintains within or through use of that
technology any instance(s) of any electronic health information as
defined in Sec. 171.102. As a reminder, to fully satisfy the exception
in Sec. 171.204, an actor's practice must meet one of the conditions
in paragraph (a) of Sec. 171.204 and the requirements in paragraph (b)
of Sec. 171.204 (``. . . the actor must, within ten business days of
receipt of [a] request, provide to the requestor in writing the
reason(s) why the request is infeasible'').
We proposed (88 FR 23865 through 23867) that the third party
seeking modification use condition of the Infeasibility Exception would
be limited to situations when ``[t]he request is to enable use of EHI
in order to modify EHI (including, but not limited to, creation and
deletion functionality), provided the request is not from a health care
provider requesting such use from an actor that is its business
associate'' (88 FR 23916, emphasis added).
In Sec. 171.102, we define ``use'' for purposes of the information
blocking definition to mean ``the ability for electronic health
information, once accessed or exchanged, to be understood and acted
upon.'' We stated in the ONC Cures Act Final Rule that ``acted upon''
within the final ``use'' definition ``encompasses the ability to read,
write, modify, manipulate, or apply the information. . . .'' (85 FR
25806). Therefore, in Sec. 171.204(a)(3), we proposed to use ``third
party seeking modification use'' as a descriptive title for the new
proposed condition of the Infeasibility Exception applicable to an
actor's denial of requests from a third party for ``modification use''
of EHI. In particular, this new condition focuses on requests to modify
EHI held by or for a health care provider and is not applicable to
third-party requests for other activities that would fall within the
Sec. 171.102 definition of the broader term ``use.'' For example, the
new third party seeking modification use condition would not apply to
any request involving only the ability to read or apply the
information, which are other activities in the broader definition of
use we used in the ONC Cures Act Final Rule. The third party seeking
modification use condition is also not applicable to any request for
``access'' or ``exchange'' (as these terms are defined in Sec.
171.102) of EHI.
The information blocking definition (Sec. 171.103) refers to the
``access, exchange, or use'' of electronic health information, and each
of these terms is defined for purposes of 45 CFR part 171 in Sec.
171.102. In this portion of the preamble, as in the HTI-1 Proposed Rule
(88 FR 23865), we use the term ``modify'' or ``modification use'' to
describe the particular type of ``use'' covered by this new condition.
We do so to avoid confusion between this ``modification use'' and the
definition of the broader term use in Sec. 171.102. It is important to
note that the term ``modification use'' in the proposed and finalized
Sec. 171.204(a)(3) refers to a specific type of use within the Sec.
171.102 definition of the term use.\249\ Modification use focuses on
actions on the EHI that change it in some way. Specifically, the
condition focuses on requests to modify EHI held by or for a health
care provider, but not to other types of ``use,'' such as the ability
for EHI to be understood by a third party. The third party seeking
modification use condition does not implicate, indicate, or imply any
change to the definition of use in Sec. 171.102 for any other purpose
under 45 CFR part 171, or to any definition or other provision of the
HIPAA Rules in 45 CFR parts 160 and 164. We recognize that HIPAA
covered entities and business associates have an obligation under the
HIPAA Privacy Rule to only disclose or use, in the sense of ``use'' as
defined in 45 CFR 160.103, PHI as and when permitted or required under
subpart E of 45 CFR part 164 or subpart C of 54 CFR part 1600 (see 45
CFR 164.502(a)). We have structured the information blocking
regulations, including this finalized revision to the Infeasibility
Exception, to accommodate that obligation.\250\ We note that the third
party seeking modification use condition does not imply or indicate any
change to the HIPAA Rules (see 88 FR 23865).
---------------------------------------------------------------------------
\249\ In Sec. 171.102, we define ``use'' for purposes of the
information blocking definition to mean ``the ability for electronic
health information, once accessed or exchanged, to be understood and
acted upon.''
\250\ We discuss information blocking regulations' accommodation
of HIPAA and other privacy laws in section 4.A, general comments.
---------------------------------------------------------------------------
We proposed to add a definition of business associate to Sec.
171.102 because we use the term in the third party seeking modification
use condition. We proposed that the definition of business associate in
Sec. 171.102 would, by cross-reference to 45 CFR 160.103, be the same
as the HIPAA Rules' definition of ``business associate.'' We emphasize
that the Sec. 171.204(a)(3) third party seeking modification use
condition does not operate to change a business associate's rights or
responsibilities under their business associate agreement (BAA) with
any HIPAA covered entity. We also reiterate that the information
blocking regulations do not require actors to violate BAAs or
associated service level agreements. However, as we also previously
explained in the ONC Cures Act Final Rule (85 FR 25812) and in
information blocking FAQ28 (available at HealthIT.gov \251\), terms or
provisions of
[[Page 1377]]
BAAs could constitute an interference (and thus could be information
blocking) if used in a discriminatory manner by an actor to forbid or
limit access, exchange, or use of EHI that otherwise would be a
permitted disclosure under the HIPAA Privacy Rule. To determine whether
there is information blocking, the actions and processes (e.g.,
negotiations) of the actors in reaching the BAA and associated service
level agreements would likely need to be reviewed to determine whether
there was any action taken by an actor that was likely to interfere
with (``prevent, materially discourage, or otherwise inhibit''; Sec.
171.102) the access, exchange, or use of EHI, and whether the actor had
the requisite intent (85 FR 25812).
---------------------------------------------------------------------------
\251\ IB.FAQ28.2.2021APR: ``Do the information blocking
regulations require actors to violate existing business associate
agreements in order to not be considered information blockers?''
(Available at https://www.healthit.gov/faq/do-information-blocking-regulations-require-actors-violate-existing-business-associate.
Retrieved Sep 14, 2023.)
---------------------------------------------------------------------------
Comments. Comments received on the proposed Sec. 171.204(a)(3)
third party seeking modification use condition were generally
supportive. Comments supporting this proposal commended the proposal's
alignment with the policy goals expressed in the HTI-1 Proposed Rule,
including reducing the burden on actors to document each modification
use request in the same way that an actor would need to document its
actions for the infeasible under the circumstances condition of the
Infeasibility Exception. Some commenters supportive of this proposal
also expressed appreciation for the proposal's applicability to
situations where an actor may be concerned about the accuracy or
reliability of data that a third party would like to add to an
individual's designated record set maintained by the actor. A few
commenters also noted that the proposed condition would simplify the
handling of certain requests for EHI. A few commenters expressed
support for the proposal's exclusion of requests that come from health
care providers to their business associates.
Response. We appreciate the support expressed by many commenters.
We have finalized the Sec. 171.204(a)(3) third party seeking
modification use condition with the minor modification of deleting the
parenthetical ``(including but not limited to creation and deletion
functionality)'' from the regulatory text in Sec. 171.204(a)(3). This
is done solely for readability purposes. The requests covered by this
condition, as finalized, are to enable a third party EHI modification
use functionality, including, but not limited to, creation and deletion
functionality.
Comments. A few of the commenters did not support the proposal.
Some of these commenters expressed concern that the proposal could
potentially inhibit care coordination by making it too easy for an
actor holding EHI to simply refuse modification use requests from third
parties who also furnish services to the same patient(s). Some of these
commenters expressed concern that certain actors, such as health IT
developers of certified health IT, may seek to misuse the proposal to
restrict access to EHI in an overly broad manner.
Response. We thank commenters for bringing to our attention their
concerns about access, exchange, and use of EHI in support of care
coordination. In developing our discrete proposal to provide further
certainty to actors and now in finalizing this proposal, we have
considered these concerns. In the HTI-1 Proposed Rule discussion of the
reasons why this condition is not available to an actor when the actor
is a business associate of a health care provider who is making the
modification use request, we noted that there is often a level of trust
and contractual protections between covered entities and business
associates that removes certain concerns, such as security and data
provenance, that led us to propose this new condition as structured (88
FR 23866). Many of these matters are addressed in business associate
agreements, including security, as well as the permitted uses of the
EHI (ePHI) that the covered entity grants the business associate.
Further, the HIPAA Privacy and Security Rules place certain obligations
on covered entities and their business associates that protect the
privacy and security of EHI (and other PHI). For these reasons, we
finalized this condition, as proposed, which permits actors to deny
requests to modify EHI provided the request is not from a health care
provider for which the actor is the business associate.
This condition was not proposed to apply, and as finalized does not
apply, to an actor's practice of refusing to receive or process EHI via
health information exchange or refusing to make EHI available for
access, exchange, or use for permissible purposes. Where the manner or
means of EHI use sought by a third party would not involve enabling a
third party to modify (such as by adding to, creating, overwriting,
editing, or deleting) EHI, then the condition does not apply even if
the request is from someone other than a health care provider to whom
the actor is a business associate. We also clarify that the third party
seeking modification use condition applies only where a third party
seeks modification use functionality for EHI within the records or
systems maintained by the actor. This condition cannot be satisfied
where a third party seeks access or exchange of EHI, even if the actor
is certain that the requestor will or may make ``modification use'' of
the EHI once it (or a copy of it) is in the requestor's possession,
custody, or control. For example, the condition does not apply to
situations where a health care provider, or their health IT developer
chooses not to accept and process (such as through an EHR's receive and
incorporate functions) EHI from a patient's health plan or prior health
care provider or another of the patient's current health care
providers. The condition also does not apply to read-only access (such
as through API technology certified to any of the criteria in Sec.
170.315(g)(7) through (10)), or to an actor's practice of refusing to
make a patient's EHI available for access, exchange, or use by care
coordination partners for permissible purposes. ``Permissible
purposes'' is defined for purposes of the information blocking
regulations in Sec. 171.102.
Regarding commenters' concerns about entities potentially abusing
the third party seeking modification use condition to restrict access,
exchange, or use of EHI, the limited circumstances for which this
condition applies, as described above and below, will mitigate any
potential for abuse. This condition does not pose a problem for care
coordination because it is very narrowly focused only on a particular
manner of modification use of EHI (88 FR 23866) that the health care
provider or the business associate would not have to enable, and it
does not apply to a wide variety of manners by which health care
providers routinely access, exchange, and use EHI for care coordination
purposes. However, any abuse of this condition or any component of the
information blocking regulations would be of concern to ONC, and we
encourage anyone who believes they may have experienced or observed
information blocking by any health care provider, health IT developer
of certified health IT, or health information network or health
information exchange to share their concerns with us through the
Information Blocking Portal \252\ on ONC's website, HealthIT.gov.\253\
[[Page 1378]]
Information received by ONC through the Information Blocking Portal as
well as the Health IT Feedback and Inquiry Portal \254\ also helps
inform the development of resources we make publicly available on ONC's
website, HealthIT.gov.
---------------------------------------------------------------------------
\252\ URL https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6 (URL confirmed current and operational as of Sep 14,
2023).
\253\ URL to Information Blocking topic section of HealthIT.gov:
https://www.healthit.gov/topic/information-blocking. (URL confirmed
current and operational as of Sep 14, 2023.)
\254\ URL https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/2 (URL confirmed current and operational as of Sep 14,
2023).
---------------------------------------------------------------------------
Comments. A few commenters requested that ONC provide further
guidance on specific use cases where the third party seeking
modification use condition could apply, including materials such as
FAQs, scenario-based guidance, and examples of documenting use of the
condition, including for behavioral health providers. One commenter
recommended that documentation requirements for the condition be
minimal.
Response. We thank commenters for their feedback. We release
educational resources on an ongoing basis. ONC-published resources can
be found on HealthIT.gov and to date include for the HTI-1 rulemaking:
recorded webinars (both general and tailored for particular topics and
audiences), fact sheets, measurement spec sheets, blog posts, and a new
website hub for links to various materials and educational resources.
In addition to the examples we provided in the HTI-1 Proposed Rule and
provide in this final rule describing the applicability of this
condition, we will continue to provide resources such as infographics,
fact sheets, webinars, and other forms of educational materials and
outreach. Resources specific to the information blocking regulations in
45 CFR part 171, across this and other ONC rules, are available on
HealthIT.gov. The short URL that redirects to the information blocking
landing page is: healthit.gov/informationblocking.
Regarding documentation requirements, we have not proposed or
finalized a specific documentation requirement for the third party
seeking modification use condition. In general, actors have flexibility
to determine what documentation to create or keep in the event that
they seek to claim an exception. However, as also discussed under the
uncontrollable events condition above, an actor would need to
demonstrate for each practice for which the Infeasibility Exception is
sought on the basis of the third party seeking modification use
condition (Sec. 171.204(a)(3)) that the condition was met at all
relevant times and that the condition in Sec. 171.204(b) was also met.
Comments. One commenter stated that the exceptions in subparts B
and C of 45 CFR 171 are too complex for small health care providers, do
not provide additional clarity, and that ONC should provide separate,
simplified exceptions for health care providers.
Response. As we noted in the ONC Cures Act Final Rule, (85 FR
25819), we tailor information blocking exceptions and provide
significant detail within each exception to clearly explain what an
actor must do to meet each exception. For each exception, we typically
propose and finalize conditions that can be consistently applied across
all actors. However, there are conditions within certain exceptions
that apply to one or a subset of actors, as applicable (85 FR 25819).
As we stated in the ONC Cures Act Final Rule, the clearest and most
equitable approach to the exceptions is to make all of the exceptions
apply to all actors (85 FR 25819). Therefore, we decline the
commenter's recommendation to provide ``separate, simplified exceptions
for health care providers.''
We believe that our explanations of the exceptions, as included in
the ONC Cures Act rulemaking and in the HTI-1 Proposed Rule and this
final rule provide the necessary clarity for health care providers,
including small health care providers, to understand and apply the
exceptions. As discussed throughout this final rule, we also invest in
educational outreach to interested parties, including small health care
providers and associations that represent them, in an effort to further
explain the exceptions through presentations and written resources such
as fact sheets.
We also note that the exceptions are voluntary and offer an actor
certainty that a practice that satisfies all of the relevant conditions
of an exception will not be considered information blocking. Further,
we reiterate that failure to meet an exception does not necessarily
mean a practice meets the definition of information blocking. By
satisfying an exception, an actor gains the assurance that the actor's
practice does not constitute information blocking. An actor's practice
that does not meet the conditions of an exception does not
automatically constitute information blocking, as the practice must
still meet all the elements of the information blocking definition to
be considered information blocking, including that the practice is
likely to interfere with the access, exchange, or use of EHI, and that
the actor acted with the requisite intent (85 FR 25820).
Comments. A few commenters responded to our request for comment on
whether the condition should be of limited duration, and specifically,
whether we should consider proposing to eliminate the condition if, at
some point in the future, health information technology is capable of
supporting lawful third-party modification use of EHI by any party with
no or minimal infeasibility or other concerns. The majority of comments
on this subject stated either that the proposal should not have a
sunset date, or that it would be premature to establish a sunset date
at this time. Two commenters stated that the condition should or could
be eliminated in the future if the future technology is capable of
supporting the aforementioned modification use of EHI, with no or
minimal infeasibility or other concerns.
Response. We thank the commenters for their feedback. We agree that
it would be premature to establish a sunset date for the condition
because the appropriateness of eliminating the condition depends on the
continued development of health IT's capability to support lawful
third-party modification use of EHI by any party and with no or minimal
infeasibility or other concerns. Because the pace of that continued
health IT development is difficult to predict, we are not establishing
a sunset date for Sec. 171.204(a)(3) at this time. If advances in
health IT capabilities or other changes in the interoperability and
information sharing environment indicate to us that this condition
should be modified or sunset, we would anticipate proposing such a
change in a future rulemaking.
Comments. Three commenters expressed a concern that, as written,
the condition would not apply to requests to ``exchange'' EHI by adding
new EHI to a system through exchange from a third party. The commenters
stated that ONC should add ``exchange'' of EHI to the condition.
Response. We thank the commenters for their feedback. The third
party seeking modification use condition of the Infeasibility Exception
is available to most actors to address situations where a third party's
request is to modify EHI stored or maintained by an actor (88 FR
23866). The condition focuses on requests for a third party to have
functionality to make modification use of EHI while, and as, it is held
in the records or systems of the actor. We did not propose the
condition to apply, and it cannot be met, where a third party is
seeking to exchange EHI with the actor or to access a copy of EHI, even
if the actor may know or reasonably suspect that the third party may
modify (or have modified) EHI that is in records, applications, or
systems maintained by the third party.
[[Page 1379]]
In situations where an actor receives EHI via exchange from a third
party, whether that EHI is reconciled and incorporated into the record
(``added'' to the record) is a determination for the health care
provider and potentially its business associates. Any such exchange of
EHI and subsequent determinations to reconcile and incorporate EHI into
the record (or not) is not within the scope of the proposed condition.
Such practices and scenarios may implicate the information blocking
definition, but there may also be other conditions or exception that
apply depending on the specific facts and circumstances.
Comments. Commenters stated that the limitation to this condition
is not broad enough, and that ONC should expand the limitation of this
condition to also apply when the actor's customers are not HIPAA
covered entities, or are not health care providers, but are maintaining
EHI in systems licensed by an actor. Two commenters stated that the
Sec. 171.204(a)(3) third party seeking modification use condition
should not apply in circumstances where the actor is a business
associate or contractor of the organization that has licensed the
interoperability elements or systems responsible for maintaining EHI.
Along these lines, two other commenters expressed a concern that an
actor, such as a health IT developer of certified health IT, that
maintains EHI on behalf of an HIN/HIE could use this condition to deny
an HIN/HIE's request, using third-party technology, for modification
use of EHI maintained by the HIN/HIE. The commenters suggested that ONC
clarify that the condition does not apply where a HIN/HIE requested
modification use of EHI held by a health care provider or their health
IT developer.
Response. We thank the commenters for their feedback. We finalized
the limitation to this condition to apply when the actor is a business
associate of a health care provider making the modification use
request, and we are not at this time expanding the limitation of the
condition as some commenters suggested. As we noted in proposing this
condition, there is often a level of trust and contractual protections
between covered entities and business associates that removes certain
concerns, such as security and data provenance, that led us to propose
this new condition (88 FR 23866). We explained in the HTI-1 Proposed
Rule discussion of the limitation of this condition that covered
entities (health care providers) and their business associates (as
permitted by their BAA) need to access and modify relevant EHI held by
other business associates of those covered entities on a regular basis
(88 FR 23866). Because our proposal focused on the obligations that the
HIPAA Privacy and Security Rules place on covered entities and their
business associates to protect the privacy and security of EHI (and
other PHI), we decline to expand the limitation of the condition at
this time.
Regarding the commenters' concern about the application of the
condition, we note that if the request for modification use is from the
health care provider requesting such use from an actor that is the
health care provider's business associate, the condition would not
apply. Even if the actor who is a business associate of a health care
provider could provide, or currently provides, items or services or
engages in activities similar or identical to those the health care
provider wants the third party to have modification use of EHI to
accomplish, the condition does not apply when the actor is the business
associate of the health care provider requesting modification use of
EHI. Likewise, the finalized condition does not apply to an actor's
denial of modification use by a third party where the actor is a
subcontractor of any business associate to a health care provider, and
the health care provider requests such use of EHI maintained by or on
behalf of the health care provider. A ``business associate'' is a
person or entity, other than a member of the workforce of a covered
entity, who performs functions or activities on behalf of, or provides
certain services to, a covered entity that involve access by the
business associate to PHI (Sec. 171.102). A ``business associate'' is
also a subcontractor that creates, receives, maintains, or transmits
PHI on behalf of another business associate.
For purposes of the provision ``carving out'' requests from a
health care provider to an actor that is its business associate from
application of Sec. 171.204(a)(3), it does not matter whether the
health care provider merely licenses or otherwise obtains from the
actor use of interoperability elements that would be necessary to
enable a third party's modification use of EHI that the health care
provider maintains, or the health care provider contracts with the
actor to maintain and manage on the health care provider's behalf. If
the actor is a business associate of the health care provider and the
provider requests modification use by a third party of EHI, then the
condition does not apply to the actor's denial of that request. \255\
---------------------------------------------------------------------------
\255\ Whether other conditions in Sec. 171.204(a) or another
exception codified in subpart B or C of 45 CFR part 171 could be or
have been satisfied in a particular situation would depend on the
specific facts and circumstances of the case.
---------------------------------------------------------------------------
For these reasons, and in consideration of these and all comments
received on our discrete proposal, we finalized, as proposed, a
condition that permits actors to deny requests to modify EHI provided
the request is not from a health care provider for which it is the
business associate. We have not at this time expanded the limitation to
the condition as the commenters requested. However, we note that we may
consider amending the third party seeking modification use condition or
taking other appropriate steps in future rulemaking in response to
changing market conditions, experience with the condition in practice,
or other signals that suggest amending the condition may be
appropriate.\256\
---------------------------------------------------------------------------
\256\ Patterns described to us in claims or suggestions of
possible information blocking submitted through the Report
Information Blocking Portal illustrate just one example of such
signals coming to our attention. (The Report Information Blocking
Portal's URL as of Jul 28, 2023, is: https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6).
---------------------------------------------------------------------------
As a reminder, the third party seeking modification use condition
does not operate to change an actor's contractual obligations to their
customers. When an actor engages in a practice to deny modification use
of EHI under the third party seeking modification use condition, they
may also wish to consider whether the practice violates any of their
existing contractual obligations.
Comments. Several commenters raised issues that are out of scope
for this proposal, including:
asking ONC to reiterate that actors cannot claim this
exception to prevent requests from an individual or their personal
representatives to amend the individual's PHI or record as permitted by
the HIPAA Privacy Rule;
a request for ONC to study what entities have access to
health care providers' EHRs, why those entities may request to access
or change authenticated documents or clinical notes, how health care
providers evaluate the accuracy of data a third party wants to add to
an individual's EHI, the potential benefits and harms of incorporating
such data, and whether this condition would be possible in a future
environment in which the Trusted Exchange Framework and Common
Agreement (TEFCA) is actively exchanging data;
asking ONC to consider whether patients should be
consulted before data from another health care provider is incorporated
into their EHI;
[[Page 1380]]
asking ONC to consider what annotation mechanisms are or
should be in place to create an audit trail for modifications to EHI;
asking ONC to establish incentives for third-party
applications to utilize best practices regarding maintaining the
integrity and security of electronic health information;
a request that the ten-business day timeline established
in Sec. 171.204(b) should be revised to be longer;
a request to include in the certification criteria for
health IT the functionality to alert an actor when a third party seeks
modifications to EHI in the actor's system(s);
recommending that ONC update certification criteria to
better support health care providers' ability to use third-party apps
maintained in certified health IT, utilizing existing APIs and support
for user-created fields, while minimizing risks to data security and
EHR performance;
requesting examples of how providers should store
information from a third party separate from the medical record, and
requesting ONC work with health IT developers to implement a mechanism
for providers to maintain data that has not been integrated into the
medical record.
Response. We thank commenters for their input and reiterate our
continued commitment to supporting EHI sharing consistent with patient
preferences and applicable law. Whether received as out-of-scope
comments on a proposed rule or through informal channels, the feedback,
and questions we receive, are appreciated and help to inform our
development of information resources that we make publicly available on
HealthIT.gov. Informal channels include, for example, the Health IT
Feedback and Inquiry Portal \257\ that is available year-round and not
tied to the comment period for a proposed rule.
---------------------------------------------------------------------------
\257\ URL https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/2 (URL confirmed current and operational as of Sep 14,
2023).
---------------------------------------------------------------------------
Regarding the relationship between the finalized Sec.
171.204(a)(3) third party seeking modification use condition and the
HIPAA Rules, we note again, as we did in the HTI-1 Proposed Rule, that
the third party seeking modification use condition does not imply or
indicate any change to the HIPAA Rules (see 88 FR 23865). Actors should
note and should operate with awareness that a practice satisfying any
information blocking exception in 45 CFR part 171 simply means that
practice is not considered to be ``information blocking'' as defined in
Sec. 171.103. Any actor (as defined in 45 CFR 171.102) that is also
subject to any provision(s) in 45 CFR parts 160, 162, or 164 must
continue to comply with such provision(s) when and to the extent such
provisions of the HIPAA Rules are applicable to the actor's conduct.
Summary of Finalized Policy: Third Party Seeking Modification Use
Condition
As noted above and for the reasons stated above and in the HTI-1
Proposed Rule, we have finalized the condition as proposed with a non-
substantive edit to simplify the regulation text by removing the
parenthetical ``(including, but not limited to, creation and deletion
functionality).''
We note that for purposes of this condition, an actor may choose to
verify that the modification use request came from the health care
provider themselves or accept the third party's representation of a
request as coming from a health care provider. Any actor considering
whether to potentially avail themselves of the certainty offered by
this exception will have flexibility to structure their communications
approaches and operating procedures for communicating with the health
care provider of which the actor is a business associate, or with third
parties representing themselves as business associates of such health
care provider. This flexibility enables actors to operate and
communicate efficiently while complying with the actor's obligations
under the HIPAA Privacy Rule, other applicable law, and its binding
agreements (including its BAAs) with the health care providers who
choose to request modification use for a third party functionality
either directly from the actor or through one of the health care
provider's business associates. As discussed above under comments on
documentation, an actor would need to demonstrate for each practice for
which the Infeasibility Exception is sought on the basis of the third
party seeking modification use condition (Sec. 171.204(a)(3)), that it
met the third party seeking modification condition and also met the
Sec. 171.204(b) responding to requests condition at all relevant
times.
As with every other condition in Sec. 171.204(a), we note that the
Sec. 171.204(a)(3) third party seeking modification use condition
stands alone. This means an actor's practice could meet it without
needing to meet any other Sec. 171.204(a) condition. It also means an
actor's practice that fails to meet the Sec. 171.204(a)(3) third party
seeking modification use condition could nevertheless satisfy another
of the conditions, such as the infeasible under the circumstances
condition in Sec. 171.204(a)(5).
We emphasize that other conditions within Sec. 171.204(a) and all
of the other exceptions would remain available for consideration by the
actor as to their applicability to the situation and request where the
finalized Sec. 171.204(a)(3) third party seeking modification use
condition of the Infeasibility Exception would not be available.
c. Infeasibility Exception--Manner Exception Exhausted
In the HTI-1 Proposed Rule, we proposed to renumber the
Infeasibility Exception's (45 CFR 171.204) ``infeasible under the
circumstances'' condition from paragraph (a)(3) to paragraph (a)(5) and
to codify at (a)(4) a new ``manner exception exhausted'' condition (88
FR 23867). We stated that the proposed manner exception exhausted
condition would apply where an actor is still unable to fulfill a
request for access, exchange, or use of EHI after having exhausted the
exception in Sec. 171.301 (which we have in this rule renamed Manner
Exception, see Section IV.A.1), including offering all alternative
manners in accordance with Sec. 171.301(b), so long as the actor does
not currently provide to a substantial number of individuals or
entities similarly situated to the requestor the same requested access,
exchange, or use of the requested EHI (88 FR 23867).
In the ONC Cures Act Final Rule (85 FR 25642), we finalized the
Infeasibility Exception with modifications from the proposal (84 FR
7542 and 7603) to address concerns raised by commenters (see 85 FR
25866 through 25870). We finalized (85 FR 25858) three conditions that
more specifically address situations where the Infeasibility Exception
would be appropriately used. One of the conditions we finalized,
infeasible under the circumstances, requires the actor to demonstrate,
through a contemporaneous written record or other documentation, its
consideration, in a consistent and non-discriminatory manner, of
certain factors that led to its determination that complying with the
request would be infeasible under the circumstances. The Infeasibility
Exception (Sec. 171.204), as finalized in the ONC Cures Act Final
Rule, provides assurance to an actor that if it meets applicable
conditions of the exception at all relevant times, its practice will
not be considered information blocking.
Also, in the ONC Cures Act Final Rule, we finalized the ``Content
and Manner Exception'' (now the Manner Exception) (45 CFR 171.301).
Under Sec. 171.301, for the Manner Exception to apply, an actor must
fulfill a request for
[[Page 1381]]
access, exchange, or use of EHI in any manner requested, unless the
actor is technically unable to fulfill the request or cannot reach
agreeable terms with the requestor to fulfill the request (45
CFR[thinsp]171.301(b)(1)(i), as originally codified). If an actor and
requestor reach agreeable terms and the actor fulfills a request
described in the manner condition in any manner requested: (1) Any fees
charged by the actor in relation to its response are not required to
satisfy the Fees Exception in Sec. 171.302; and (2) any license of
interoperability elements granted by the actor in relation to
fulfilling the request is not required to satisfy the Licensing
Exception in Sec. 171.303 (45 CFR[thinsp]171.301(b)(1)(ii), as
originally codified) (85 FR 25877).
Section 171.301(b)(2) (original codification, redesignated in this
final rule as Sec. 171.301(b)) provides for fulfilling a request to
access, exchange, or use EHI in a manner other than the manner
requested. If an actor does not fulfill a request in any manner
requested because it is technically unable to fulfill the request or
cannot reach agreeable terms with the requestor to fulfill the request,
the actor must fulfill the request in an alternative manner agreed upon
with the requestor consistent with Sec. 171.301(b)(2) (original
codification, now redesignated Sec. 171.301(b)) in order to satisfy
the exception (85 FR 25877). The Manner Exception offers certainty that
an actor's practices that fully satisfy the Manner Exception's
conditions will not be considered information blocking and is meant to
incentivize offering an alternative manner (with priority to
interoperable manners based on HHS-adopted and available open
standards) when the actor is unable to fulfill access, exchange, or use
of the requested EHI in the manner initially requested.
As discussed in the HTI-1 Proposed Rule, actors expressed
uncertainty to ONC as to whether they have satisfied the infeasible
under the circumstances condition in instances where they contended
that fulfilling a request for access, exchange, or use of EHI would be
infeasible (85 FR 23867). Under the Infeasibility Exception, the
infeasible under the circumstances condition requires the actor to
demonstrate that complying with the request is infeasible when
considering, among other things, the financial and technical resources
available to the actor and why the actor was unable to provide access,
exchange, or use of EHI consistent with the Manner Exception.
Specifically, actors have expressed concern about circumstances where
the actor's inability to satisfy the Manner Exception's conditions
rests solely on the requestor refusing to accept access, exchange, or
use in any manner consistent with Sec. 171.301, and fulfilling the
request in the manner requested would require substantial technical or
financial resources (or both) in the view of the actor, including
significant opportunity costs. We have observed this being more of a
concern for actors with significant skills and other resources for
developing unique technical solutions or new technological capabilities
(e.g., EHR developers or HIN/HIEs) than for actors with few to no such
resources (e.g., small clinician office practices or safety net
clinics), because, as noted, the infeasible under the circumstances
condition of the Infeasibility Exception (Sec. 171.204(a)(5);
previously Sec. 171.204(a)(3)) requires actors to demonstrate their
consideration of the financial and technical resources available to
them, as well as why the actor was unable to provide access, exchange,
or use of EHI consistent with Sec. 171.301.
Among those actors with substantial skills and other resources to
develop new, unique or unusual manners of supporting access, exchange,
or use of EHI, we see actors who appear to be experiencing a
problematic level of uncertainty about whether they will be engaging in
information blocking if they decline demands from requestors for non-
standard or non-scalable solutions that they do not currently support
even after they have offered to provide access, exchange, or use of EHI
in the same manner(s) the actor makes generally available to its
customers or affiliates, and through standards-based manners,
consistent with Sec. 171.301--including offering terms for such
manners that are consistent with the Fees (Sec. 171.302) and Licensing
(Sec. 171.303) Exceptions. We anticipate that this uncertainty will
lead actors who, again, have already exhausted the Manner Exception
(Sec. 171.301), to divert their development capacity to fulfilling
requested manners of access, exchange, or use of EHI that they could
invent to meet the demands of a requestor determined to accept only the
original manner they specified and who are unwilling or unable to agree
to terms consistent with the Fees (Sec. 171.302) and Licensing (Sec.
171.303) Exceptions for their requested manner or any alternative
manner consistent with the Manner Exception (Sec. 171.301) (88 FR
23868).
We stated in the HTI-1 Proposed Rule (88 FR 23868) that this new
condition is necessary to ensure actors reasonably allocate resources
toward interoperable, standards-based manners rather than allowing
requestors, who, for whatever reason, do not build their products for
compatibility with open consensus standards or other industry standards
to attempt to force use of non-standard or non-scalable solutions by
simply refusing to accept access, exchange, or use of EHI in any other
manner. This diversion of resources away from standards-based and
scalable manners of exchange detracts from, instead of supporting,
achievement of key policy goals such as increased interoperability and
innovation in use of open consensus standards to achieve secure,
seamless exchange. Where novel approaches to system interfaces or other
aspects of access, exchange, or use of EHI represent improvements over
other available approaches, we anticipate these approaches will not
need to be forced upon the industry but will instead find a natural
foothold and diffuse according to a normal innovation curve.
Therefore, to reduce confusion and provide more certainty to
actors, we proposed and have finalized at Sec. 171.204(a)(4) a new
condition in the Infeasibility Exception, the manner exception
exhausted condition. Actors will be able to satisfy this exception when
they have ``exhausted'' the manner requested condition and alternative
manner condition of the Manner Exception and meet the other
requirements of the new condition. If an actor either technically
cannot provide the access, exchange, or use of EHI in the manner
requested, or the actor and requestor cannot reach agreeable terms on
the manner requested, then the actor must attempt to fulfill the
request using the alternative manners in Sec. 171.301(b) (85 FR 25877)
(previously Sec. 171.301(b)(2)(i)). Under the Manner Exception, for
any alternative manner, the requestor must either specify the manner
they would accept (Sec. 171.301(b)(2)(i)(A) and (B)) or specifically
agree with the machine-readable format that they would accept (Sec.
171.301(b)(2)(i)(C)). In situations where an actor offers the
alternative manners and the requestor does not specify or agree to
receive the EHI via the offered alternative manners (as may be the case
if the requestor does not want to receive the EHI in such a manner or
cannot receive the EHI in such a manner), an actor may now seek to
satisfy the new finalized manner exception exhausted condition of the
Infeasibility Exception.
Previously, an actor who offered all the alternative manners would
likely look to the infeasible under the circumstances condition of the
Infeasibility Exception, which requires actors to demonstrate that
complying with the request is infeasible when
[[Page 1382]]
considering many factors, including the cost to the actor of complying
with the request in the manner requested and the financial and
technical resources available to the actor. The newly finalized manner
exception exhausted provides actors the option of satisfying the
Infeasibility Exception without needing to assess whether they could
meet the requestor's particularized demands regarding the manner and/or
terms in which they want to obtain access, exchange, or use of the
requested EHI.
Comments. Most commenters were supportive of ONC's proposal to add
the manner exception exhausted condition to the Infeasibility
Exception. Commenters stated that it would reduce burden and allow
actors to focus on innovation. Many commenters appreciated that the
condition encourages use of standards-based mechanisms, and that it
removes the uncertainty that could come about if it is technically
infeasible for an actor to fulfill a request or when the actor has
offered the alternative manners, but the requestor has not specified or
agreed, as applicable, to access, exchange, or use of the EHI in any of
those manners. Many commenters also appreciated ONC's acknowledgment
that interoperable, standards-based exchange should be favored over
expensive, resource-intensive, one-off solutions. Other commenters
expressed appreciation that the condition allows health IT developers
of certified health IT and other actors the opportunity to reach
agreement on market-based terms and pricing to protect investments,
while still promoting interoperability. A few commenters also expressed
appreciation that the condition can be met without the actor needing to
demonstrate they considered the resources available to the actor, and
that exchanging entities will be protected from costly technical
changes or solutions made solely to avoid claims of information
blocking.
Alternately, a few commenters expressed general disagreement with
the proposed condition. One commenter expressed concerns that the
condition could be interpreted to allow actors to remain in exchange
patterns that do not expand interoperability across a range of
requestors and use cases. Another commenter noted that atypical
requests may be necessary to achieve a particular use of EHI that is
not adequately supported by existing standards.
Response. We thank commenters for their thoughtful feedback. Upon
consideration of all comments received related to this proposal, we
have finalized the condition as proposed with two modifications
discussed below. We agree that the manner exception exhausted condition
prioritizes interoperability and encourages efficiency by applying the
Infeasibility Exception under circumstances where the actor cannot
meet, or cannot be certain that they have met, the infeasible under the
circumstances condition. We recognize that custom, one-off solutions
can be costly and inhibit investment in innovative, scalable approaches
to interoperability and exchange. We also recognize that atypical
requests may be necessary to achieve a particular use of EHI and note
that nothing in the information blocking regulations would prevent a
requestor and actor from coming to an agreement to achieve innovative
solutions to interoperability challenges or atypical use cases. To this
point, we previously established the manner requested condition of the
Manner Exception, now codified in Sec. 171.301(a), which permits
actors and requestors to come to terms on access, exchange, and use of
EHI without such terms necessarily satisfying the Sec. 171.302 Fees
Exception or Sec. 171.303 Licensing Exception.
In response to concerns that this may allow actors to remain in
exchange patterns that do not expand interoperability, we note that
satisfying the finalized manner exception exhausted condition of the
Infeasibility Exception requires the actor to offer a standards-based
method of exchange, either through certified health IT or using
technology and transport standards published by the federal government
or a standards developing organization accredited by the American
National Standards Institute (ANSI). Both methods would support
interoperability, and the use of certified health IT incrementally
expands interoperability through certification to new and revised
certification criteria that include new and updated standards and
capabilities.
How many alternative manners are required to satisfy the condition?
In the HTI-1 Proposed Rule, we stated that it is important that the
Manner Exception not be considered exhausted if the actor offers only
one alternative manner, or only the least-interoperable ``alternative
machine-readable format'' now codified in Sec. 171.301(b)(1)(iii) (88
FR 23869). Therefore, we proposed a second factor requiring actors to
have offered all three alternative manners in accordance with Sec.
171.301(b) (88 FR 23869). We requested comments on how many of the
alternative manners an actor should be required to offer in order to
satisfy the proposed manner exception exhausted condition of the
Infeasibility Exception: one, two, or all three alternative manners.
As explained below, we have finalized the manner exception
exhausted condition of the Infeasibility Exception with a requirement
that an actor offer two alternative manners, at least one of which must
be either the alternative manner in Sec. 171.301(b)(1)(i) or
(b)(1)(ii). These alternative manners are, respectively, ``[u]sing
technology certified to standard(s) adopted in part 170 that is
specified by the requestor'' (in other words, via health IT certified
under the ONC Health IT Certification Program, 45 CFR part 170) or,
``[u]sing content and transport standards specified by the requestor
and published by: (A) the Federal Government; or (B) a standards
development organization accredited by the American National Standards
Institute'' (45 CFR 171.301(b)(1)). An actor may offer both of these
alternative manners to satisfy this particular factor of the manner
exception exhausted condition, or only one of these two and the manner
specified in Sec. 171.301(b)(1)(iii), which is ``[u]sing an
alternative machine-readable format, including the means to interpret
the electronic health information, agreed upon with the requestor.'' If
the actor offers the EHI in at least two manners including one of
either (b)(1)(i) or (b)(1)(ii), then this factor of the finalized
manner exception exhausted condition is satisfied.
Comments. Responses to our request for comment on how many
alternative manners an actor should be required to offer before this
condition would be available reflected a broad range of perspectives.
Many commenters said two alternative manners should be enough. Other
commenters said just one, and a couple of commenters suggested
requiring actors to exhaust all of the actor's own manners of exchange
prior to making use of the condition. Another commenter requested that
an actor be required to demonstrate that they have inventoried all of
the information sharing tools available that could be offered as an
alternative manner and require the actor to have made those available
to the requestor before they can satisfy the condition. One commenter
asked for a specific carve-out for health care providers that would
only require them to offer access, exchange, or use in the manners
supported by their certified health IT or any other manner that
requires minimal effort. Another commenter suggested a specific carve-
out for health care providers who do not use certified health IT,
stating that it should be
[[Page 1383]]
enough for such actors to offer access, exchange, and use only in a
machine-readable manner. One commenter suggested that ONC require
actors to offer a minimum of two manners for USCDI data elements, and
only one alternative manner for any EHI beyond USCDI.
Response. After reviewing all comments, in Sec. 171.204(a)(4)(ii),
we have finalized the regulatory text so that the manner exception
exhausted condition can be satisfied when an actor (who was unable to
fulfill a request for access, exchange, or use of EHI because they
could not reach an agreement with a requestor or were technically
unable to fulfill the request in the manner requested) offered the
requestor at least two alternative manners, one of which must use
either technology certified to standard(s) adopted in part 170 that is
specified by the requestor (Sec. 171.301(b)(1)(i)) or published
content and transport standards consistent with Sec.
171.301(b)(1)(ii).
By requiring actors to offer at least one of the first two
alternative manners (as listed in Sec. 171.301(b)(1)(i)-(iii)), we are
balancing the interest of the actor in achieving certainty that the
practice will fulfill the new condition, while also ensuring that
interoperable, standards-based exchange remains favored over other
methods of exchange. We believe that requiring all three alternative
manners, as originally proposed, would place an unequal burden on
actors who are not required by other government regulations or
incentivized by any public or private program to use certified health
IT. We believe that requiring two alternative manners, one of which
must be more interoperable than is typically the case with a machine-
readable format (i.e., Sec. 171.301(b)(1)(iii)), ensures that the
condition will not have the undesirable effect of dampening actors' or
requestors' enthusiasm for adopting and advancing standards-based
interoperability.
The finalized requirement for the actor to have offered at least
two alternative manners also balances the interests of those commenters
who requested the condition be satisfied with just one alternative
manner and those who wanted all three alternative manners. While
nothing would stop an actor from offering a requestor all available
manners at its disposal, we believe making that a requirement to
satisfy the manner exception exhausted condition would render the
condition impractical for many actors to satisfy and defeat at least a
portion of our purpose in proposing it: to offer actors a simpler
option for certainty than was already available in the infeasible under
the circumstances condition. We also note that an actor could respond
to a request by providing as much of the EHI as possible via any manner
requested or an alternative manner, and still make use of the
infeasible under the circumstances condition for any other EHI that
they are technically unable to offer via an alternative manner, so long
as the practice satisfies all the requirements of that condition (now
Sec. 171.204(a)(5)). As a reminder, to meet the Infeasibility
Exception as a whole, actors will still, regardless of the condition(s)
satisfied in paragraph (a) in Sec. 171.204, also need to satisfy the
condition in paragraph (b): responding to requests.
Comments. Some commenters expressed confusion over what exactly is
an ``alternative manner.'' One commenter stated that, taken literally,
``all alternative manners'' would force an actor to offer tens or
hundreds of possible technical solutions.
Response. We appreciate the comments and the opportunity to address
the confusion. When referring to ``alternative manners'' we do not mean
all possible manners of exchange other than the manner requested.
Rather, we specifically mean only manners that would be consistent with
subparagraph (i), (ii), or (iii) of Sec. 171.301(b)(1). Offering as
few as one option per category is sufficient to satisfy either
paragraph (b)(1) of the alternative manner condition of the Manner
Exception (Sec. 171.301) or the ``at least two alternative manners''
requirement finalized as part of this manner exception exhausted
condition (subparagraph (a)(4)) of the Infeasibility Exception (Sec.
171.204).
Comments. A commenter asked that ONC clarify that responding actors
are responsible to exchange EHI for the purpose and in the manner
requested, if they are able to do so, even if they are not accustomed
to utilizing the requested transaction pattern.
Response. We appreciate the opportunity to clarify. The commenter
is incorrect. An actor may satisfy any of the exceptions to the
information blocking definition in order to have certainty that their
practice is not information blocking. Under the manner requested
condition (now Sec. 171. 301(a)) of the Manner Exception, an actor
responding to a request to exchange EHI for a certain purpose and in a
certain manner must only do so if they are technically able to and
reach an agreement with the requestor. If they are not technically able
to do so, or cannot reach agreement with the requestor, then an actor
seeking certainty that their practice would not be information blocking
would need to either satisfy the other conditions of the Manner
Exception or satisfy a different exception to the information blocking
definition. The exceptions to the information blocking definition are
voluntary and offer an actor certainty that a practice that satisfies
all of the applicable requirements and conditions of an exception at
all relevant times will not be considered information blocking.
The manner exception exhausted condition is not available when
exchange is technically feasible and can be accomplished consistent
with the Manner Exception, whether because the parties have agreed to
terms for fulfillment in the manner requested (manner requested
condition) or because the requestor has specified and/or agreed to
accept access, exchange or use consistent with the Manner Exception's
alternative manner condition--even if the actor is not accustomed to
utilizing the requested manner to support access, exchange, or use of
the EHI the requestor seeks, in general or for the same or similar
permissible purpose a particular requestor seeks EHI access, exchange,
or use. In other words, this condition would not be available if a
responding actor is able to exchange EHI in the manner requested, and
the parties have either reached agreeable terms for such access,
exchange, or use; or the requestor has specified and/or agreed to
accept such access, exchange or use in an alternative manner consistent
with the Manner Exception. We emphasize that nothing about the manner
exception exhausted condition prevents an actor from providing a
requestor with a custom build for access, exchange, or use of EHI.
Rather, this condition has been adopted to alleviate actor uncertainty
as to whether they must provide the custom build or otherwise be
considered to have engaged in information blocking.
We note that in cases where a requestor seeks a specific
alternative manner of access, exchange, or use consistent with Sec.
171.301(b)(1), and the actor declines to offer that manner (even if the
actor is able to accommodate the requested alternative manner) and
instead offers a different alternative manner, the OIG may consider
this as a factor in determining whether information blocking has
occurred, particularly if the requestor is unable to access, exchange
or use the EHI in the offered alternative manner. For example, if a
requestor specifies a FHIR-based API as its preferred alternative
manner of access, exchange, or use, and the actor is capable of doing
so, then the
[[Page 1384]]
actor should prioritize fulfilling the request via FHIR, even if the
actor is also capable of fulfilling the request via another alternative
manner, such as C-CDA document exchange. ONC has consistently
maintained this policy approach because it best ensures that EHI is
made available where and when it is needed (for further discussion, see
the ONC Cures Act Final Rule at 85 FR 25877).
Comments. A commenter stated that if an actor is unable to reach
agreeable terms with a requestor for access, exchange, or use of EHI,
or is technically unable to fulfill a request in the manner requested,
and then proceeds to offer one or more alternative manners and the
requestor is still not satisfied, then the burden should shift to the
requestor to demonstrate and justify why the alternatives proposed by
the actor are infeasible or otherwise insufficient to meet their needs.
Further, the commenter stated that the actor who received the request
should have a duty to respond to the requestor only after receiving a
written statement setting forth such justification.
Response. We appreciate the comment. We decline to adopt this
suggestion, however, because we find it inappropriate to entirely shift
the burden to the requestor. Our information blocking regulatory
scheme, consistent with the statutory information blocking definition,
supports policy goals of discouraging interference with EHI access,
exchange, or use, and encouraging routine, interoperable EHI sharing
for permissible purposes consistent with patients' privacy preferences.
Although we recognize there is substantial variation in actors' and
requestors' circumstances, we do not believe our policy goals would be
well served by identifying as ``reasonable and necessary'' any actor's
practice of demanding a requestor to justify to the actor their need or
preference for a different manner of EHI access, exchange, or use than
the actor prefers to offer (42 U.S.C. 300jj-52). A key aim of our
information blocking regulatory scheme is to discourage information
blocking by actors and make it easier for requestors to obtain, for any
permissible purpose, EHI access, exchange, or use in a manner that
meets the requestor's needs. The condition, as finalized, requires the
actor to offer only two alternative manners, at least one of which is
standards-based. It, therefore, allows the actor enough flexibility to
avoid developing one-off, unique, custom solutions unless the actor
wants to do so. The actor who satisfies the Sec. 171.301 Manner
Exception by meeting the manner requested condition would not need to
also satisfy any condition in the Sec. 171.204 Infeasibility
Exception, assuming all requested EHI was provided consistent with the
Manner Exception. The Sec. 171.301(a) manner requested condition also,
we reiterate, allows the actor and requestor to come to any mutually
agreeable terms, thereby allowing for those requestors, able and
willing to do so, to satisfy any financial incentive the actor would
require to develop any requested manner, however unique or one-off, the
requestor might want developed.
Comment. At least one commenter stated that this condition should
still be available in circumstances where the only applicable option is
a ``machine-readable format,'' in other words, Sec.
171.301(b)(1)(iii).
Response. We appreciate the comment. As stated above, we have
finalized this condition with a requirement that the actor offer at
least two ``alternative manners'' from Sec. 171.301(b)(1)(i)-(iii),
one of which must be either the alternative manner in Sec.
171.301(b)(1)(i) or (b)(1)(ii). Because a machine-readable format is
the option of last resort, and the least-interoperable of all the
alternative manners, we believe that allowing a requestor to offer only
a machine-readable format would be at odds with the purpose of the new
condition. We note that an actor who is able only to offer access,
exchange, or use of EHI in a manner consistent with Sec.
171.301(b)(1)(iii) would not be able to make use of this condition but
could still conform its practice to another applicable condition (for
example, the infeasible under the circumstances condition of the
Infeasibility Exception) in order to have certainty that the practice
would not constitute information blocking. Moreover, even a practice
that does not satisfy any exception does not automatically constitute
information blocking. The facts and circumstances of any situation or
allegation would need to be evaluated, and whether the practice
constitutes information blocking depends on the unique facts and
circumstances of the practice.
What counts as a ``substantial number''?
We proposed, as the third factor of the manner exception exhausted
condition, that the condition would be available only if ``the actor
does not provide the same access, exchange, or use of the requested
electronic health information to a substantial number of individuals or
entities that are similarly situated to the requestor.'' In the HTI-1
Proposed Rule, we stated that ``this factor as a whole serves a similar
function to the Sec. 171.204(a)(5) (originally codified in Sec.
171.204(a)(3)) infeasible under the circumstances condition's factor
considering whether the actor's practice is non-discriminatory, and the
actor provides the same access, exchange, or use of electronic health
information to its companies or to its customers, suppliers, partners,
and other persons with whom it has a business relationship'' (88 FR
23870). We noted that the intent of the third factor is to provide a
basic assurance that actors would not be able to misuse the Sec.
171.204(a)(4) manner exception exhausted condition to avoid supplying
some particular requestor(s) with manner(s) of access, exchange, or use
of the requested EHI that would be more accurately characterized as
generally available than as new, unique, or unusual (88 FR 23870).
Given that intent, we stated that the proposed regulatory language of
subparagraph (iii) of the condition ``while on its face may seem
indefinite and is designed to address any potential request, is
intended to ensure that the actor offers any requestor . . . the same
access the actor provides to a substantial number of its customers . .
.'' (88 FR 23870). We requested comment on whether we should further
define ``substantial number'' for purposes of this condition.
Comments. A few commenters responded to this proposed provision of
the manner exception exhausted condition. Some suggested we keep the
``substantial number'' flexible and not further define it. One
commenter suggested that we set a certain percentage such that an actor
providing the same access, exchange, or use to a percentage of its
customers would not be able to deny the requestor the same access,
exchange, or use and still make use of this condition. Another
commenter suggested that even one customer should be enough, because
just one customer can constitute the bulk of an actor's business, or
one customer can request a more innovative manner that should be made
available to all requestors without the use of the condition to cover
an actor's practice of denying such access, exchange, or use. One
requestor stated that ``substantial number'' was an inappropriate
metric for the factor, because ``generally available'' or other terms
indicating the state of a product or service are not typically
dependent on the number of users but rather the actor's ability to
service any requests for such functionality. The same commenter noted
that lack of adoption of a given feature may occur for many reasons
that have no bearing on the usefulness of the
[[Page 1385]]
feature, and therefore any functionality that is considered usable by
customers should be considered normal and customary practice, even if
only one customer uses it. The commenter expressed concerns that the
adoption level could be kept artificially low by telling initial
requestors ``no,'' thereby preventing the particular feature from being
considered ``generally available'' or similar. Another commenter said
that if a functionality is considered usable by customers, then having
any customer use it should be considered normal and customary practice,
and it shouldn't matter if, for a time, they are the only customer
using that feature.
Other commenters supported keeping the term ``substantial number''
without further specifying a specific number. These commenters stated
that such an approach allows the right level of flexibility, with one
commenter remarking that it permits actors to consider the specific
means of access, exchange, or use of EHI contemplated by each request
and the specific use case for which the request is made. Another
commenter supported ONC's reasoning for not using a fixed number to
define ``substantial number,'' referring to the reasoning laid out in
the HTI-1 Proposed Rule (which is also discussed below).
Response. We thank the commenters for their feedback and input. We
have finalized in Sec. 171.204(a)(4)(iii) the term ``substantial
number'' without further specificity. We believe this allows the
appropriate amount of flexibility for all actor types, who may have
very different numbers of requestors, to satisfy this condition based
on what number of requestors is substantial for that actor. As we
stated in the HTI-1 Proposed Rule, using ``substantial number'' rather
than a specific number is important to recognize variation in actors'
operational contexts, including their organizational sizes. What may be
a trivial number to a large health IT developer of certified health IT
might be an important or consequential (``substantial'') number for a
small HIN/HIE (88 FR 23870). In addition, while we believe that
calculating a percentage may be helpful to an actor in determining
whether it provides a substantial number of customers the requested
access, we do not believe establishing a specific percentage would be
helpful given the wide variation in the number of customers an actor
may have. For example, an actor with a large number of customers who
provides the access to dozens of customers might only be providing such
access to ten percent of its customers. Further, we did not propose
such an approach for consideration.
In response to commenters who suggested we use a specific number,
such as one, we note that in some cases, even one customer could be a
substantial number, if, for example, it represents a large portion of
the actor's deployments or is considered ``generally available'' as
part of an actor's line of business (see below and 88 FR 23870 for a
discussion of ``generally available/general availability''). Simply
stating one, or more than one, could be overly broad and end up
capturing one-off manners, custom builds, or highly customized
deployments that are not easily replicable for another requestor
without abandoning open consensus standards or interoperable manners.
In other words, we believe that ``substantial number'' is flexible
enough to include as few as one customer, when appropriate, and as many
as all of a given actor's customers. Further, providing a fixed number
could be considered arbitrary.
In response to commenters who noted that if a functionality is used
by even one customer, it should be offered even if, for a time, there
is only one customer using it. We agree that there may be instances
where just one customer is using a particular functionality that is
suitable and scalable for use by requestors beyond that one customer.
However, in other instances, a functionality may be in use by only one
customer because it is a custom build that would be difficult to
replicate or scale, or because it is an obsolete product that this one
customer continues to find sufficient for their needs. We, therefore,
believe setting the standard that an actor cannot meet the manner
exception exhausted condition if any one customer is using a requested
build could too often prevent the condition from applying when a
requestor seeks a manner that is not generally available or
interoperable. Moreover, in the free market, especially useful features
would be expected to attract the notice of developers and their
customers, with the best features eventually being adopted by more than
one customer.
Finally, in the HTI-1 Proposed Rule preamble, we stated that we
chose to structure the Sec. 171.204(a)(4)(iii) factor to align with
the concept of whether the manner requested, including involved
interoperability elements, is in a stage of development or overall
lifecycle that would roughly approximate the ``general availability''
phase of the software release lifecycle, or a conceptually analogous
phase for non-software interoperability elements (88 FR 23870).
However, we recognize that not all actors are developers, and we intend
this condition of the Infeasibility Exception to be available for all
types of Sec. 171.102 actors. As we stated in the HTI-1 Proposed Rule,
health care providers, for example, do not typically develop software
for the market and, in our observation, are likely to characterize
components of their health IT systems in more operational terms--such
as what has ``gone live'' in their particular implementation--than in
software release lifecycle terms. We believe avoiding the specific
lifecycle term also avoids potential for misunderstandings among actors
and requestors, or for gamesmanship on the part of actors, around when
different actors consider a particular interoperability element to
enter or to be withdrawn from ``general availability'' as the term is
widely used in the software sector. We finalize ``substantial number''
with the same analysis and guidance found in the HTI-1 Proposed Rule
(see 88 FR 23870 through 23871).
What does ``provide'' mean in this context?
Comments. We received three comments requesting clarification of
the term ``provides'' as used in the manner exception exhausted
condition. A couple of commenters asked ONC to clarify that this
condition includes only current methods of sharing data, and not
former, replaced, or outdated methods of exchange. Another commenter
noted that clarification of the term ``provide'' in this context is
even more important, given other proposals related to information
blocking that also include concepts like ``making available'' or
``providing.'' One comment speculated the definition of provide
included in the HTI-1 Proposed Rule at Sec. 171.102 (information
blocking definitions) was included for purposes of this condition,
indicating that it was unclear why the definition was proposed and that
if finalized in the proposed form, it may add confusion to the
provisions of the conditions of information blocking exceptions in
general.
Response. We thank commenters for their feedback. We use the word
``provide'' in Sec. 171.204(a)(4)(iii) without further definition. We
unintentionally included a definition of provide in Sec. 171.102
(information blocking definitions) in the HTI-1 Proposed Rule. We have
not finalized any definition of the word ``provide'' in Sec. 171.102.
Further, we emphasize that the definition of provide finalized in Sec.
170.102 (health information technology certification program
[[Page 1386]]
definitions) is not applicable for 45 CFR part 171.
We offer the following points of clarification specific, and
limited in effect, to our use of the word ``provide'' in Sec.
171.204(a)(4)(iii). First, as we stated in the preamble of the HTI-1
Proposed Rule, our use of ``provide'' in the present tense is both
precise and deliberative. This factor tests for whether the actor
currently provides the same manner to a substantial number of
individuals or entities who are similarly situated to any given
requestor. Looking only at what the actor currently provides excludes
manners that are nearing or have exceeded the end of their supported
life cycles (88 FR 23870). We recommend reviewing the examples in the
HTI-1 Proposed Rule related to ``provide'' in context of Sec.
171.204(a)(4)(iii) and note that they remain appropriate as further
explanation of our finalized policy (88 FR 23870).
How should ``similarly situated'' be determined?
In the HTI-1 Proposed Rule, we discussed that the concept of
``similarly situated'' is familiar because we also use the phrase in
the Fees Exception (Sec. 171.302) and Licensing Exception (Sec.
171.303). We noted that it would serve here, as it does there, to
indicate that different specific individuals or entities within a class
of such individuals or entities who are similarly situated to one
another should be treated in a consistent and non-discriminatory manner
(88 FR 23871). We also stated that it is not our intent for the
``individuals or entities that are similarly situated to the
requester'' criteria of this new proposed condition to be used in a way
that differentiates the same access to EHI simply based on the
requestor's status, such as individual (e.g., a patient) or entity
(e.g., a healthcare system) (88 FR 23871).
Comments. A few commenters requested that ONC provide more specific
information on the types of characteristics that would designate
entities as similarly situated and provide examples or guidance on ways
for actors to easily group and document that entities are similarly
situated. One commenter expressed concern about the lack of clarity
related to the ``similarly situated'' clause. Another commenter argued
that the term was inappropriate and what should matter is not the
requesting entity's circumstances but its intended purpose of use for
the requested interoperability functionality, whether the use aligns
with what the functionality was designed to support, and whether the
use requires any substantially new development work.
Response. We appreciate the comments and have adjusted the
finalized policy to address commenters' concerns. As we noted in the
preamble to the HTI-1 Proposed Rule, ``similarly situated'' in the
manner exception exhausted condition's third factor was meant to
function in a fashion similar to the non-discrimination provisions in
the Fees and Licensing Exceptions (88 FR 23871). However, with the use
of the term ``similarly situated,'' we were proposing to permit certain
discrimination of requestors based on the similarity of their
situations to those already being provided access, exchange, or use. As
a comparison, we did not permit any discrimination under a parallel
construction of one of the factors used for the analysis under the
infeasibility under the circumstances condition of the Infeasibility
Exception (compare ``Whether the actor's practice is non-discriminatory
and the actor provides the same access, exchange, or use of electronic
health information to its companies or to its customers, suppliers,
partners, and other persons with whom it has a business relationship;''
45 CFR 171.204(a)(5)(i)(D)).
We provided guidance in the HTI-1 Proposed Rule on our thinking of
how a determination of similarly situated would work. We first provided
an example of categorizing requestors into ``similarly situated''
categories based on the size of the healthcare entity. We then
specified that even within these different categories, requestors would
not be treated differently based on extraneous factors, such as whether
any of them may be competitors of the responding actor or may obtain
more of their health IT from the actor's competitors than from the
actor (88 FR 23871). Finally, we noted that it was not our intent for
the ``individuals or entities that are similarly situated to the
requester'' criteria to be used in a way that differentiates the same
access to EHI simply based on the requestor's status, such as
individual (e.g., a patient) or entity (e.g., a healthcare system).
Based on comments received and further consideration of our
proposal and examples, we have revised the condition to exclude certain
factors from a similarly situated determination and are providing
additional clarification and guidance. Consistent with the HTI-1
Proposed Rule, we clarify that ``similarly situated'' cannot be used to
discriminate against requestors based on whether the requestor is a
competitor of the actor or whether the requestor will or might use the
requested access, exchange, or use in a way that facilitates
competition with the actor. Similarly, as we noted above and in the
HTI-1 Proposed Rule (88 FR 23871), an actor cannot discriminate in
providing a form of access, exchange, or use of EHI that it currently
provides to a substantial number of individuals or entities solely
based on the requestor's status. In this regard, we are specifically
clarifying in regulation text (Sec. 171.204(a)(4)(iv)) that such
statuses include requests by individuals, as we define that term in
Sec. 171.202(a), and the health care provider type and size. Regarding
health care provider type (e.g., radiology specialty practice or long-
term post-acute care facility) and size, we believe further clarity is
necessary based on comments and the example we provided in the HTI-1
Proposed Rule and recited above. While the example in the HTI-1
Proposed Rule may have suggested that size groupings are acceptable, we
clarify that such groupings as ``similarly situated'' would be
appropriate in terms of administering costs and licensing agreements
under the respective Fees and Licensing Exceptions but would not be
appropriate for discriminating in actually providing access, exchange,
or use of EHI that the actor provides to a substantial number of
individuals or entities. Costs associated with providing access,
exchange, or use of EHI or costs associated with licensing
interoperability elements, can logically vary based on the size of the
entity, so it makes sense to use this category for the Fees and
Licensing Exceptions. However, we don't see a similar reason to
discriminate based on the entity's size when an actor seeks to satisfy
this condition of the Infeasibility Exception because if an actor
already provides such access to a substantial number of entities, there
is not a parallel correlation that would make it infeasible to provide
such access to a ``differently'' sized requestor.
As an example, if a solo practitioner requests access, exchange, or
use of certain EHI in the same manner that an actor provides such
access, exchange, or use of the same EHI to a large hospital system,
then the actor would not be able to discriminate based on the
difference between the requestors (large hospital system versus solo
practitioner) and still use this condition to cover the practice.
Overall, these adjustments are responsive to comments and provide
further clarity for the concept of ``similarly situated'' as it applies
to this condition under the Infeasibility Exception.
[[Page 1387]]
Other Comments
Comment. One commenter asked that actors be required to report any
requests that they have rejected.
Response. We appreciate the comment but decline to finalize such a
policy at this time as we did not propose such an approach.
Comment. A few commenters asked ONC to explain why the first
requirement of this new condition restates ``technical inability'' as
the reason for the infeasibility under the Manner Exception when the
Manner Exception itself provides that an actor must fulfill the EHI
request in the manner requested ``unless the actor is technically
unable to fulfill the request or cannot reach agreeable terms with the
requestor to fulfill the request in the manner requested.'' A commenter
asked ONC to explain how this alternative requirement in the manner
exception exhausted condition is materially different from the options
for meeting the first requirement.
Response. There is no substantive difference between the
``technical inability'' under the Manner Exception and this new
condition. However, this requirement has been restated as it falls
under a new condition and under a different exception. ONC's intent in
including the technical infeasibility requirement is to ensure that an
actor who cannot, for technical reasons, fulfill a request for any
access, exchange, or use of EHI in any manner requested is able to use
this condition (provided all other relevant provisions are also met)
and an actor who does have the technical capability to provide access,
exchange, or use of EHI in the manner requested but cannot reach
agreeable terms with the requestor may also make use of this new
condition (provided all other relevant provisions are also met). In
other words, an actor who can technically fulfill the request but
cannot reach agreeable terms can still make use of this condition, so
long as all other relevant provisions are met.
Comments. We received many comments in response to this new
condition (and in response to other proposals in the HTI-1 Proposed
Rule) advocating we review or revise paragraph (b) of the Infeasibility
Exception, which requires an actor that does not fulfill a request for
access, exchange, or use of EHI consistent with any of the conditions
in paragraph (a) of Sec. 171.204 ``provide to the requestor in writing
the reason(s) why the request is infeasible'' within ten business days
of receipt of the request. One commenter noted that requests often come
in without the needed level of detail, meaning the developer must ask
questions and wait for answers from the requestor before determining
whether the request is feasible. In such instances, the commenter
stated, the timeliness rests on the requestor and not the responding
actor, and therefore a ten-day time frame is insufficient. The
commenter further contends that the ten-day clock should ``toll'' until
sufficient information about the request has been received. Other
commenters expressed agreement that ten days was too short, too
inflexible, and unrealistic. Another commenter asked ONC to clarify
that where an actor intends to apply the manner exception exhausted
condition of the Infeasibility Exception that the ten-day time frame
begins only after the actor and requestor have not been able to agree
on an acceptable alternative manner under the Manner Exception. Another
commenter noted that the ten-day time frame was so unrealistic as to
preclude the use of the exception in situations where it would
otherwise be relevant.
Response. While we appreciate the comments, we did not propose any
changes to the ten-day time frame in the HTI-1 Proposed Rule and are
not finalizing any changes to paragraph (b) of Sec. 171.204 in this
final rule. We may consider these comments in relation to future
regulatory action and guidance.
2. TEFCA Manner Exception
In the HTI-1 Proposed Rule, we proposed to add in Sec. 171.301(c)
a TEFCA manner condition to the proposed revised and renamed Manner
Exception codified in 45 CFR 171.301. The proposed condition was stated
as follows: ``If an actor who is a QHIN, Participant, or Subparticipant
offers to fulfill a request for EHI access, exchange, or use for any
purpose permitted under the Common Agreement and Framework Agreement(s)
from any other QHIN, Participant, or Subparticipant using Connectivity
Services, QHIN Services, or the specified technical services in the
applicable Framework Agreement, then: (i) The actor is not required to
offer the EHI in any alternative manner; (ii) Any fees charged by the
actor in relation to fulfilling the request are not required to satisfy
the exception in Sec. 171.302; and (iii) Any license of
interoperability elements granted by the actor in relation to
fulfilling the request is not required to satisfy the exception in
Sec. 171.303'' (88 FR 23872).
In proposing this condition, we sought to offer actors certainty
that fulfilling, or even attempting to fulfill, requests for EHI using
Connectivity Services, QHIN Services, or the specified technical
services in the applicable Framework Agreement (``TEFCA means'') would
satisfy the Manner Exception when an actor and requestors are parties
to the Common Agreement or a Framework Agreement under the Common
Agreement. As proposed, this would have been the case even when the EHI
may have exceeded the minimum data classes and elements required by the
Common Agreement as of the date a particular request is fulfilled,
assuming the TEFCA means could support the requested access, exchange,
or use of the EHI. We stated that the proposed condition could be
satisfied regardless of whether the requestor initially requested
access, exchange, or use via TEFCA means or some other manner (88 FR
23872). We noted that another important feature of the proposal was
that it could be satisfied by the actor either fulfilling or offering
to fulfill the requestor's request for EHI, again, assuming the TEFCA
means could support the requested access, and exchange, or use of the
EHI. We stated that the approach aligns with the Cures Act's goals for
interoperability and the establishment of TEFCA by acknowledging the
value of TEFCA in promoting access, exchange, and use of EHI in a
secure and interoperable way.
We stated that the proposed condition would identify as
``reasonable and necessary'' an actor's practice of prioritizing use of
TEFCA means, in lieu of other feasible manners, for all EHI for which
access, exchange, or use can be supported by TEFCA means for both the
actor and requestor, so long as the requestor is a TEFCA entity (QHIN,
Participant, or Subparticipant) and the purpose is permitted under the
TEFCA governing agreements. This would be true regardless of whether
the request is initially made through TEFCA means or otherwise; and
regardless of whether all of the particular data classes or exchange
purposes are yet required by TEFCA's governing agreements to be
returned in response to a TEFCA request (88 FR 23873). The condition
was designed to provide a clear, efficient regulatory path to
prioritize exchange amongst QHINs, Participants, and Subparticipants in
TEFCA using TEFCA means of sharing any and all EHI that TEFCA means can
support.
We requested comment on this proposal and received a substantial
number of responses from commenters. These comments are summarized and
addressed below.
Summary of Finalized Policy
For the reasons explained below, rather than include this condition
as part of the Manner Exception, we have
[[Page 1388]]
finalized a new subpart to the information blocking exceptions--Subpart
D, ``Exceptions That Involve Practices Related to Actors' Participation
in The Trusted Exchange Framework and Common Agreement (TEFCA).'' The
new subpart consists of three sections, Sec. 171.400 ``availability
and effect of exceptions,'' which mirrors Sec. Sec. 171.200 and
171.300, stating that a practice shall not be treated as information
blocking if the actor satisfies an exception to the information
blocking provision as set forth in this subpart D by meeting all
applicable requirements and conditions of the exception at all relevant
times. We have reserved Sec. 171.401 for definitions in future
rulemaking and reserved Sec. 171.402 for future use as well. At Sec.
171.403, we finalized a TEFCA Manner Exception that is based on the
TEFCA manner condition proposed in the HTI-1 Proposed Rule.
Similar to the proposed condition, the new TEFCA Manner Exception
(Sec. 171.403) provides that an actor's practice of limiting the
manner in which it fulfills a request for access, exchange, or use of
EHI to providing such access, exchange or use only via TEFCA will not
be considered information blocking when the practice follows these
conditions:
(a) The actor and requestor are both part of TEFCA;
(b) The requestor is capable of such access, exchange, or use of
the requested EHI from the actor via TEFCA;
(c) The request for access, exchange, or use of EHI is not via the
standards adopted in 45 CFR 170.215 or version approved pursuant to 45
CFR 170.405(b)(8); and
(d) Any fees charged by the actor and the terms for any license of
interoperability elements granted by the actor in relation to
fulfilling the request are required to satisfy, respectively, the Fees
Exception (Sec. 171.302) and the Licensing Exception (Sec. 171.303).
The first condition, in Sec. 171.403(a), that the actor and
requestor are both part of TEFCA, simply means that both the actor and
the requestor must be either a QHIN, Participant, or Subparticipant, as
those terms are defined in the Common Agreement as published at 88 FR
76773. For brevity, in the preamble, we will refer to these three terms
collectively as ``TEFCA entities'' or a ``TEFCA entity.'' This
exception will not be available in any situation where the actor, or
the requestor, is not a part of TEFCA.
The second condition, in Sec. 171.403(b), requires that the
requestor must be capable of receiving (accessing, exchanging, or
using, depending on the requestor's request) the EHI from the actor,
via TEFCA. In the Proposed Rule, we used the term ``TEFCA means'' to
describe fulfilling requests for EHI using Connectivity Services, QHIN
Services, or the specified technical services in the applicable
Framework Agreement (88 FR 23872, as those terms are defined at 88 FR
76773). In this final rule and in the regulation text, we describe an
actor's practice of responding to a request to access, exchange, or use
EHI ``via TEFCA'' to indicate that an actor may use any of the services
described by ``TEFCA means'' consistent with the terms that both the
actor and requestor separately agreed to for access to such TEFCA
means, and consistent with the other conditions of the exception.
As finalized in Sec. 171.403(b), the exception's condition for
responding to requests for EHI that the requestor can obtain from the
actor via TEFCA uses ``via TEFCA'' to communicate that the actor makes
the EHI available, and the requestor is able to obtain the requested
access, exchange, or use of the requested EHI using--what we referenced
in the HTI-1 Proposed Rule as making EHI available through ``TEFCA
means'' (88 FR 23872). This includes where Participants and
Subparticipants may be exchanging EHI within the same QHIN or across
different QHINs. In cases where the requestor is not capable of
accessing, exchanging, or using the EHI via TEFCA, for example because
the requestor does not support such exchange methods or its QHIN does
not, an actor would not be able to make use of this exception.
The third condition, in Sec. 171.403(c), excludes requests from
the exception where the requestor seeks to access, exchange, or use EHI
via the ``Application Programming Interface Standards,'' (or API
standards) (45 CFR 170.215) adopted by ONC on behalf of the Secretary
or another version of those standards approved pursuant to the
``Standards Version Advancement Process'' (45 CFR 170.405(b)(8)) under
the ONC Health IT Certification Program. When a requestor seeks to
access EHI via those API standards (essentially FHIR-based standards),
an actor cannot use this exception. In other words, the third condition
functions as a carve-out in that the exception is not available if the
requestor requested access, exchange, or use of EHI via the API
standards.
The fourth and final requirement for this condition, in Sec.
171.403(d), states that any fees an actor charges, and any licensing
terms an actor sets, must comply with the Fees Exception (Sec.
171.302) and the Licensing Exception (Sec. 171.303). This exception in
Sec. 171.403 would not be available in any situations where all four
of these conditions are not satisfied.
Rather than finalize the proposed definitions, in order to maintain
consistency between the most current version of the Common Agreement
and this regulation, we have decided to refer to the definitions used
in the Common Agreement (88 FR 76773) for the terms used in this
exception. The relevant definitions are similar to, or the same as, the
terms we proposed to define in the proposed TEFCA manner condition. For
example, when we refer to Framework Agreement(s), we mean any one or
combination of the Common Agreement, a Participant-QHIN Agreement, a
Participant-Subparticipant Agreement, or a Downstream Subparticipant
Agreement, as applicable. A Qualified Health Information Network (QHIN)
is, as defined in the most recent version of the Common Agreement, a
health information network (as defined in Sec. 171.102) that is a U.S.
entity that has been designated by the Recognized Coordinating Entity
(RCE) and is a party to the Common Agreement countersigned by the RCE.
Both Participant and Subparticipant are defined as they are in the
Common Agreement (88 FR 76773). In some cases, such as with the term
Connectivity Services, the definition proposed is different from the
most recent version of the Common Agreement, where it is defined as the
technical services provided by a QHIN consistent with the requirements
of the then-applicable QHIN Technical Framework and pursuant to the
Common Agreement with respect to all Exchange purposes. The Common
Agreement also defines Individual Access Services (IAS) as the services
provided to an Individual by a QHIN, Participant, or Subparticipant
that has a direct contractual relationship with such Individual in
which the QHIN, Participant or Subparticipant, as applicable, agrees to
satisfy that Individual's ability to access, inspect, or obtain a copy
of that Individual's Required Information using TEFCA Exchange. We
decided to reserve 171.401 for possible future use to incorporate these
definitions into the regulatory framework.
Timeliness of Exception
Comments. Some commenters stated that it would be premature to
adopt this proposal. Commenters noted that TEFCA is in its early stages
and has not yet launched. Others suggested ONC take a ``wait and see''
approach, monitor TEFCA deployments for utility, completeness,
timeliness, ease of access,
[[Page 1389]]
security, privacy, transparency, and consumer participation, and then
finalize an exception only if real world experience demonstrates a
need. A commenter noted that TEFCA is a voluntary program that does not
support the full breadth of use cases for EHI, and that such an
exception will designate other pathways as ``less interoperable'' even
if they have equal or greater utility compared to exchange through
TEFCA. Another commenter appreciated ONC's support for greater
interoperability, but also stated it was too soon to establish this
condition because it could result in less sharing of information in the
early stages of TEFCA's development. The commenter suggested, as an
alternative, that TEFCA-based exchange should be included as a
preferred approach to sharing EHI, but not in a way that enables an
actor to deny a request if the requestor cannot receive it via TEFCA-
based exchange.
Response. We appreciate the feedback. The policy as proposed (88 FR
23873) and as finalized in the new TEFCA Manner Exception is only
available when both the actor and the requestor are in TEFCA, which we
believe eliminates the concerns about the timeliness of identifying as
reasonable and necessary the practices that satisfy the exception.
Entities will join TEFCA with the expectation that they will exchange
EHI using TEFCA when possible. This exception reinforces that practice.
No actor is required to join TEFCA, so those that do so will do so with
the knowledge that this exception is available in certain
circumstances. As a voluntary exception, no actor is required to make
use of the exception--which we believe further negates the timeliness
concerns. In addition, an actor will not be able to use this exception
if, for whatever reason, the requestor is not capable of accessing,
exchanging, or using the requested EHI via TEFCA. In such cases, an
actor would need to provide the EHI in the manner requested, or in an
alternative manner agreed upon with the requestor or use another
exception to cover the practice to attain certainty that the actor's
practice will not be considered information blocking.
Fees and Licensing Terms Concerns
Comments. Many commenters expressed concern that we did not propose
to apply the restrictions found in the Fees Exception (Sec. 171.302)
and the Licensing Exception (Sec. 171.303) to this condition. These
commenters contended that, without such application, actors would be
able to charge outrageous fees or set unreasonable licensing terms for
interoperability elements. Other commenters noted that such fees could
interfere with an individual's right to access their EHI. A couple of
commenters asserted that, as proposed, the condition could result in
applications that charge patients for their services as the only
realistic way for patients to get their EHI. Some commenters further
asserted that because the only fees that are prohibited in the Common
Agreement are fees charged between QHINs, Participants and Sub-
participants would be able to charge fees for exchange of EHI that
would not need to satisfy the Fees Exception.
Response. We appreciate the comments and believe the commenters
raised valid concerns. In fact, when proposing the TEFCA manner
condition, we mistakenly assumed that all actors participating in TEFCA
would have already reached overarching agreements on fees and licensing
such that there would be no need for application of the Fees and
Licensing Exceptions. (See 88 FR 23872, ``[the proposal] facilitates an
actor reaching agreeable terms with a requestor to fulfill an EHI
request and acknowledges that certain agreements have been reached for
the access, exchange, and use of EHI (for example, by using standards
consistent with the Common Agreement or applicable flow-down Framework
agreements that the actor and requestor have agreed to abide by)''
(emphasis added)). In fact, the Common Agreement is silent on fees
except to forbid QHINs from charging fees to other QHINs. Therefore, to
correct our misunderstanding and in consideration of comments, we have
finalized the exception to include that any fees charged by the actor,
and any licensing of interoperability elements, must satisfy the Fees
Exception (Sec. 171.302) and the Licensing Exception (Sec. 171.303).
It was never our intent to permit fees or licensing agreements that
would not satisfy the information blocking regulations, either by being
agreed to ahead of time, as we presumed, or by satisfying the Fees and
Licensing Exceptions.
Concerns Regarding EHI Accessibility and Fees for Individuals
Comments. Many requestors expressed concerns that the proposed
TEFCA condition would interfere with an individual's access to their
own EHI. One commenter stated that the condition could be used to elect
out of participating in Individual Access Services in a national
network capacity. The commenter stated that while responding to
individual requests via TEFCA is required (by the Common Agreement),
QHINs are not required to initiate support for Individual Access
Services. One commenter expressed concerns that the exception will make
it more difficult for patients to get provider and payer data, and that
patients who do not understand how networks function will be
disadvantaged compared to others. A few commenters expressed concern
about patient matching within the TEFCA network. One commenter
expressed concerns about sensitive data, citing reproductive health
care as an example, and how a patient could control access to such EHI.
Some commenters indicated they were especially concerned with patient
privacy and the ability for applications to charge for access to
patient data or possibly ``traffic'' EHI through ``dark data''
exchanges. A commenter encouraged ONC to focus on FHIR-based
interoperability. A few commenters expressed concerns that the proposal
would allow actors to charge individuals for access to their own data.
Another commenter expressed significant concerns that the exception
would permit charging fees to Individual Access Services (IAS)
providers who are looking to access healthcare data on behalf of
individuals.
Response. We appreciate the comments. Consistent with our proposal,
the policy, as finalized, is applicable only when both the actor and
the requestor are part of TEFCA (88 FR 23873, see also 88 FR 23917-
23918). We would like to assure commenters that this exception cannot
be used in any case when an individual is requesting EHI, because an
individual cannot be a QHIN, Participant, or Subparticipant under
TEFCA. If the individual is using TEFCA's Individual Access Services to
query for or retrieve EHI via TEFCA instead of seeking to access,
exchange, or use EHI directly from their health care provider's portal
or FHIR APIs, then the QHIN, Participant, or Subparticipant, in its
role as an IAS provider, would be querying via TEFCA, not the
individual. Furthermore, as described previously, the finalized
exception includes the requirement that any fees charged for the
access, exchange, or use of the EHI must satisfy the Fees Exception
(Sec. 171.302), which specifically prohibits charging a patient
(including a third-party app on the patient's behalf) for API or other
electronic access to the patient's EHI (Sec. 171.302(b)(1) and (2)).
Regarding patient privacy, all Sec. 171.102 actors are required to
protect patients' privacy and restrict the access, exchange, and use of
[[Page 1390]]
EHI as required by all applicable law, including, but not limited to,
the HIPAA Privacy Rule for actors to whom the HIPAA Privacy Rule
applies.
Patient matching within TEFCA is addressed by applicable policy and
technical procedures as well as associated agreements under TEFCA. For
purposes of information blocking, any actor who receives a request for
access, exchange, or use of EHI that the actor knows, or reasonably
suspects, is misidentified or mismatched and who seeks certainty as to
the conditions under which they can withhold such EHI without engaging
in information blocking will want to consult the Preventing Harm
Exception in 45 CFR 171.201, which recognizes this type of risk in
Sec. 171.201(c)(2).
Concerns Regarding Interoperability and FHIR APIs
Comments. Many commenters expressed concerns with the limited
manner of exchange initially available in TEFCA and noted that when
TEFCA officially launches, the Common Agreement will require only IHE
document-based exchange. Commenters stated that restricting TEFCA
entities to IHE document-based exchange would limit the use of EHI
exchanged in that manner, would limit interoperability by not requiring
the use of modernized exchange protocols like FHIR, and could even
disincentivize joining TEFCA. Others noted that our proposal would push
actors to one exchange mechanism over another, which would remove
choice and optionality and could potentially eliminate or discourage
use of other exchange options, such as FHIR APIs, that may be
preferable for some use cases. A few commenters noted that many health
IT developers of certified health IT plan to connect their customers to
TEFCA such that their customers will have to actively choose to opt
out. Commenters expressed concerns that most actors will likely be
Participants or Sub-participants and, therefore, ``subject to this
exception.'' As a result, one of these commenters stated that most of
the information blocking regulations would be folded into the TEFCA
framework, which lags behind today's use of FHIR APIs.
Other commenters noted that requestors may have practical reasons
to ask for EHI in ways other than what TEFCA supports. Commenters
encouraged ONC to advance support for HL7 FHIR within TEFCA as quickly
as possible to allow third-party applications to access data more
easily on behalf of individuals. A few commenters noted that section
4003(a) of the Cures Act defined interoperability as health information
technology that enables the secure exchange of electronic health
information with, and use of electronic health information from, other
health information technology without special effort on the part of the
user. The commenters claimed that the proposed TEFCA condition would
require special effort on the part of the user, particularly with the
use of IHE document protocol. Other commenters stated that entities
should be able to choose the best interoperability mechanisms and
request data in any format the current source can reasonably support
using an exchange mechanism both can support. A commenter stated that,
because there may be a delay before TEFCA widely implements the use of
FHIR for all of the stated ``exchange purposes,'' organizations should
be able to negotiate for the manner of access that best suits their
requirements. In particular, the commenter stated that organizations
should be allowed to prioritize using EHR systems' SMART on FHIR
patient API endpoints, and for population-level use cases, bulk FHIR
export, even if TEFCA supports access to such EHI in another manner.
Response. We thank the commenters for their feedback. Currently,
TEFCA includes IHE document-based exchange, but publicly available
documents note that FHIR exchange is a TEFCA priority and is planned
for availability in 2024. IHE document-based exchange is a longstanding
standard for exchanging EHI. For example, organizations supporting
health information exchange nationally (e.g., CommonWell Health
Alliance, eHealth Exchange, Carequality) generally use IHE profiles
such as Cross-Community Patient Discovery (XCPD) \258\ and Cross-
Community Access (XCA) \259\ to enable clinical document exchange
between disparate communities.\260\ However, as many commenters pointed
out, FHIR-based exchange has certain advantages over IHE document-based
exchange. Over time, QHINs, Participants, and Subparticipants may well
be required to support broader uses of FHIR-based exchange, but it is
also likely that many Participants and Subparticipants will continue to
use document-based exchange instead of FHIR-based exchange for several
transition years.\261\ In addition, the information blocking exceptions
are all voluntary and are not ``required'' of any actor. The exceptions
serve to offer certainty to actors that by conforming a practice to the
conditions of an exception, such practice will not constitute
information blocking. A Participant or Subparticipant in TEFCA is not
``subject to'' any exceptions, but if such entity is an actor (as
defined in Sec. 171.102), the new finalized exception would be
available along with all the other exceptions.
---------------------------------------------------------------------------
\258\ IHE Cross-Community Patient Discovery (XCPD) profile--
available in the IHE IT Infrastructure (ITI) Technical Framework
Volume 1: Integration Profiles at: https://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_TF_Rev17-0_Vol1_FT_2020-07-20.pdf.
\259\ IHE Cross-Community Access (XCA) profile--available in the
IHE IT Infrastructure (ITI) Technical Framework Volume 1:
Integration Profiles at: https://www.ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_TF_Rev17-0_Vol1_FT_2020-07-20.pdf.
\260\ https://rce.sequoiaproject.org/wp-content/uploads/2022/01/QTF_0122.pdf.
\261\ https://www.healthit.gov/buzz-blog/tefca/coming-in-hot-tefca-will-soon-be-live-and-add-support-for-fhir-based-exchange.
---------------------------------------------------------------------------
In consideration of both our stated goal to incentivize TEFCA
participation and comments suggesting that ONC should be promoting the
use of FHIR-based APIs (for example, the standards codified in 45 CFR
170.215, ``Application Programming Interface Standards''), we have
limited the finalized exception's availability. Specifically, in
instances where an actor that is part of TEFCA receives a request to
access, exchange, or use EHI via the API standards adopted in 45 CFR
170.215, including updated versions of such standards as may be
approved for voluntary use in the ONC Health IT Certification Program
pursuant to 45 CFR 170.405(b)(8), the Standards Version Advancement
Process, the actor cannot meet the finalized TEFCA Manner Exception. We
finalized this policy in Sec. 171.403(c), providing a limitation on
the use of the exception in that it does not apply to a request for
access, exchange, or use of EHI via the standards adopted in 45 CFR
170.215, including version(s) of those standards approved pursuant to
45 CFR 170.405(b)(8). This approach ensures that requestors seeking to
access, exchange, or use EHI via FHIR-based APIs can request such
access and be assured that an actor cannot use the TEFCA Manner
Exception to limit the manner in which it fulfills the request to only
via TEFCA. As many commenters noted, FHIR APIs advance interoperability
to a greater degree than IHE document-based exchange, which is a
currently permitted exchange mechanism under TEFCA. With the goals of
the proposed condition to acknowledge agreements reached by parties and
to promote both interoperability and TEFCA adoption (88 FR 23872-
23873), the FHIR-based API limitation in Sec. 171.403(c) is necessary
to achieve these goals.
[[Page 1391]]
It is crucial to note that an actor (e.g., a health IT developer of
certified health IT) that participates in the ONC Health IT
Certification Program cannot simply ``turn off'' API capabilities,
outside of TEFCA, to avoid offering such access, exchange, or use to a
requestor. Any developer that has chosen to participate in the Program
is subject to the Conditions of Maintenance and Certification
requirements in subpart D of 45 CFR part 170. The API Condition and
Maintenance of Certification requirements in Sec. 170.404 apply to
health IT developers that certify health IT to FHIR-based API
certification criteria. Such developers would not be compliant with the
API Condition and Maintenance of Certification requirements if they do
not, among other requirements, publish APIs and allow EHI access,
exchange, and use through the APIs. Any actor with certified health IT
who has deployed ``certified API technology'' (as defined in Sec.
170.404(c)) or other API technology using the standards and
implementation specifications adopted in Sec. 170.215, who disables,
disconnects, or otherwise ``turns off'' such API technology or
requestors' connections in order to avoid offering such access,
exchange, or use after joining TEFCA would do so explicitly outside the
applicability of the TEFCA Manner Exception finalized in Sec. 171.403
and such practices could constitute information blocking.
The TEFCA Manner Exception, as finalized, is not in conflict with
the PHSA section 3000(9) definition of ``interoperability'' or with
other ONC regulations. The exception only applies to entities that
choose to voluntarily participate in TEFCA and agree to the
interoperability means available under TEFCA, while also preserving the
availability of interoperable FHIR APIs to requestors for the access,
exchange, and use of EHI.
In sum, we believe that the proposed approach would not have led to
most of the negative consequences for FHIR API adoption theorized by
commenters. However, to address such confusion and concern and continue
to incentivize TEFCA participation, in Sec. 171.403(c), we have
finalized the explicit limitation condition within the exception to
remove any doubt about perceived conflicts between TEFCA and FHIR API
adoption. ONC has been and will continue to be at the forefront of
driving both TEFCA and FHIR API adoption across the industry and the
Federal Government.
Comments. Many commenters noted that some EHI requestors who will
likely be part of TEFCA may not have the technical capability to make
requests or receive responses for certain permitted but optional
exchange purposes.
Response. In situations where a requestor does not support the
capability to make or receive requests or perform other transmissions
for certain Exchange Purposes (including those that do not require a
response), the TEFCA Manner Exception would not be available because
the requestor would not have such access, exchange, or use of the EHI
consistent with the requestor capability condition in paragraph (b) of
Sec. 171.403.
Comments. Some commenters stated that the proposed TEFCA manner
condition could interfere with state reporting requirements, because,
for example, some states require payers to exchange data within a
specified network based on existing federal rules. One commenter stated
that the condition risked discriminating against mechanisms of exchange
and interoperability that are feasible and even required to be used by
regional or local authorities. Another commenter stated that the
inclusion of this exception demonstrates that there may be conflicting
or confusing mandates under different federal programs, making
compliance with information blocking regulations more difficult. The
commenter urged ONC to continue to review how all federal and state
laws, regulations, and programs interact to relieve the unnecessary
burden of varying requirements that may not align. A commenter stated
that the proposed condition risks discriminating against exchange
mechanisms and interoperability pathways that are otherwise
commercially and technically feasible, and in some cases, required
under law. The commenter noted that a diversion of such exchanges to
TEFCA would result in the loss of useful information that should be
added to the patient's record to provide additional context for
clinical care.
Response. We appreciate the comments. We remind commenters that the
exceptions exist as a voluntary means for actors to gain assurance that
their practice(s) does not constitute information blocking; and
similarly, participating in TEFCA is voluntary. Compliance with an
exception set forth in subpart B, C, or newly finalized D of 45 CFR
part 171, would mean that an actor's practice does not meet the
definition of information blocking in Sec. 171.103. However, this
would not, in or of itself, immunize the actor from any other
consequences to which they are subject to for violating, ignoring, or
otherwise failing to comply with other applicable laws.
In response to concerns that the exception risks discriminating
against exchange mechanisms and interoperability pathways that are
otherwise commercially and technically feasible, we note that a
requestor can request EHI in any manner, and an actor may seek to
satisfy the manner requested condition of the Manner Exception (Sec.
171.301(a)) and respond in that manner, if the actor and requestor can
come to agreeable terms for the access, exchange, and/or use of the
particular EHI. In such instances, the terms of the agreement need not
satisfy the Fees Exception (Sec. 171.302) or the Licensing Exception
(Sec. 171.303), and would meet the manner requested condition of the
Manner Exception (Sec. 171.301). Using the TEFCA Manner Exception is
voluntary, and in cases where a requestor would be unable to use its
preferred exchange method it could negotiate with the actor under the
manner requested condition (Sec. 171.301).
The TEFCA Manner Exception does not require actors to use TEFCA to
meet public health reporting requirements under other applicable laws.
Similarly, the TEFCA Manner Exception does prohibit the use of other
exchange methods. Rather, it acknowledges an exchange method (manner)
that both the actor and requestor have voluntarily chosen to use, and
are capable of using, as a method that would be reasonable and
necessary for purposes of not being considered information blocking. As
noted above, actors are still responsible for their other legal
obligations, such as under state law.
Regarding the concern about exchanging requested EHI only via TEFCA
when doing so would result in the loss of some of the responsive EHI
that the actor has and can (consistent with applicable law and patient
privacy preferences) make available to the requestor for the purpose(s)
applicable to the request, then this exception is not available to the
actor. The finalized TEFCA Manner Exception applies only to the EHI
that the actor is actually able to make available for access, exchange,
or use via TEFCA and that the requestor is capable of accessing,
exchanging, or using, as applicable, via TEFCA (Sec. 171.403(b)).
Incentivizing TEFCA Participation
Comments. Some commenters encouraged ONC to consider that while
this condition will be useful for those already in TEFCA, it will not
meaningfully incentivize participation in TEFCA. As an example, some
state agencies that do not have the technological resources to adopt
TEFCA technical services will contract with a
[[Page 1392]]
third-party entity and end up passing the cost of the contracts on to
others, including health care providers. Some commenters asked for a
``safe harbor'' period to allow participants to fully embrace TEFCA. A
commenter expressed concern that the condition will discourage third-
party apps from joining TEFCA because they will have more flexibility
to request data outside of TEFCA.
Many other commenters, however, agreed that the proposal will
incentivize and accelerate use of the available, interoperable, and
secure TEFCA technical services by TEFCA entities. Commenters noted
that the proposal would reinforce the transition to standards-based
exchange and prevent actors from unnecessarily devoting limited time
and resources to fulfilling burdensome, customized solutions. A
commenter appreciated strong regulatory incentives to join TEFCA.
A commenter expressed concern that the proposed condition could be
used to coerce use of TEFCA or be used as a defense to evade fulfilling
a request for access, exchange, or use of EHI when the requestor does
not use TEFCA for a permitted purpose for data beyond USCDI v1. Another
commenter suggested ONC use the policy exactly that way and require
only the actor be a part of TEFCA. The commenter contended that if the
requestor can receive the access, exchange, or use of EHI via TEFCA and
is eligible to join TEFCA, the actor should only be required to offer
EHI via TEFCA in order to satisfy the exception (in other words, make
the requestor join TEFCA to get the requested access, exchange, or use
of EHI).
Response. We appreciate the comments. We recognize that this
condition incentivizes, to differing degrees for different actors,
joining TEFCA, and that not all entities will be ready, willing, or
able to join TEFCA as soon as the first technical services under TEFCA
go ``live.'' However, we do not agree that a safe harbor period is
needed, as both joining TEFCA and using the exceptions are voluntary
and function only to offer actors certainty that their practices that
meet all relevant conditions of an exception, at all relevant times,
will not constitute information blocking.
At this time, we decline to use this exception as a means to propel
requestors into joining TEFCA or to justify, to us or to actors, why
they are not yet TEFCA entities. Such an approach is beyond what our
proposal or finalized exception is intended to achieve and may actually
undermine and frustrate the intent of the information blocking statute
and implementing regulations. We also recognize the concern that some
actors may wish to use the exception to evade fulfilling a request for
access, exchange, or use of EHI when the requestor does not use TEFCA
for a permitted purpose beyond USCDI v1. Attempts to misuse the
exception in that way would not be successful because, for the
exception to apply to an actor's practice of making EHI available only
via TEFCA, the requestor must be capable via TEFCA of, as applicable,
accessing, exchanging, or using the requested EHI from the actor. The
condition in Sec. 171.403(b), as finalized, addresses concerns about
limits to what EHI requestors can access via TEFCA by ensuring the
condition is only available when the EHI the requestor seeks can, in
practice, be accessed, exchanged, or used by the requestor via TEFCA.
Structuring the Exception Within the Existing Regulatory Framework
In creating a new subpart and finalizing a separate exception, we
have made it easier for actors and requestors to understand when an
actor's fulfillment of EHI access, exchange, or use only via TEFCA
would not constitute information blocking. By creating a new subpart,
we are clearly delineating that the exception is available only to
TEFCA participants. Also, by removing it from the Manner Exception, we
avoid introducing confusion about when an actor must offer alternative
manners and in what order they must do so. Further, in creating this
new subpart, we leave room for identifying other reasonable and
necessary activities related to TEFCA that do not constitute
information blocking, should we propose them in future rulemakings.
EHI That Can Be Made Available Versus EHI That Must Be Made Available
via TEFCA
Comments. Some commenters stated that because TEFCA only requires
the exchange of the USCDI, the exception will be of limited utility.
Another commenter asked for clarity that EHI can exceed the base set of
EHI required by TEFCA. Other commenters appreciated that the condition
would not be limited to a subset of EHI, so long as the EHI could be
accessed, exchanged, or used by the requestor, as applicable.
Response. We appreciate the feedback. As finalized, the exception
can be satisfied when any EHI requested by the requestor can be made
available to the requestor via TEFCA for the requested access,
exchange, or use of the EHI, including where the EHI requested is
beyond what is represented by the data elements within any USCDI
version. Nothing in this exception restricts how much or which EHI can
be shared via TEFCA or limits the exception's application to the
minimum data elements that TEFCA's terms require TEFCA entities to make
available in response to TEFCA queries. If an actor is capable of
sharing all the requested EHI via TEFCA, and, importantly, the
requestor is capable of accessing, exchanging, or using all of the EHI
via TEFCA, as applicable, then the exception could apply to the
practice (if all other conditions are also satisfied). Similarly, if an
actor is capable of providing access, exchange, or use of some, but not
all, of the requested EHI via TEFCA, the exception can cover the
practice for the EHI that the actor is capable of providing via TEFCA
and the requestor is capable of accessing, exchanging, or using (as
applicable). The actor could then provide the remaining EHI in a
different manner, for example, by using any of the methods in the
Manner Exception (Sec. 171.301), or resolve the request through other
means or applicable information blocking exceptions.
Other Concerns and Observations From Commenters
Comments. A couple of commenters stated that, in some cases, one
business unit may sign up for TEFCA, in which case the entire
organization would also become part of TEFCA. The commenters stated
that in such cases, a requestor may be unaware that they are considered
a part of TEFCA, may not have the technical capability to connect their
IT systems to the TEFCA network, and will want to receive EHI in
another manner.
Response. We thank the commenters for the feedback. The Sec.
171.403(b) requestor capability condition of the finalized TEFCA Manner
Exception ensures that the exception is only available when the
requestor is capable via TEFCA of accessing, exchanging, or using, as
applicable, the requested EHI from the actor at the time the request is
made. We cannot anticipate every corporate arrangement; however, if a
requester's organization is a party to the Common Agreement or a
Framework Agreement, it is the requester's responsibility to resolve
its approach to EHI access, exchange, and use within the organization.
Agreed Upon by the Requestor
Comments. Several commenters noted that, under the Manner
Exception, a requestor must agree to access,
[[Page 1393]]
exchange, or use of EHI if the actor offers to fulfill the request in
any alternative manner. The commenters stated that, in the proposed
TEFCA manner condition, requestors would not be required to agree to
receive the EHI via TEFCA. They noted that this shifts the balance of
power towards actors and away from requestors. Commenters expressed
concerns that the requestor cannot counter with an alternative manner
and are forced to accept via TEFCA. Other commenters appreciated that
the condition would simplify responses for many actors who participate
in TEFCA and allow requestors and actors to exchange EHI more
efficiently.
Response. In the Manner Exception, one policy objective is to
ensure the requestor receives the EHI in either the manner requested or
in an alternative manner to which the requestor agrees. This policy
assumes that the requestor would not agree to an alternative manner
unless that manner allowed them the access, exchange, or use of EHI
which they sought in the first place. In finalizing the TEFCA Manner
Exception, this policy objective is fulfilled by two conditions. The
requestor has agreed to be part of TEFCA and the requester capability
condition, which states that the requestor is capable, via TEFCA, of
accessing, exchanging, or using, as applicable, the EHI requested from
the actor. Although the requestor does not have to agree to receive the
EHI via TEFCA, the requestor did voluntarily join TEFCA, and assuming
the requestor has the necessary capabilities, the requestor will still
be able to access, exchange, and/or use the EHI, as applicable. In
other words, even if the requestor does not agree to a specific
instances of access, exchange, or use of EHI via TEFCA, the TEFCA
Manner Exception is still available to the actor for providing such
access via TEFCA, so long as an actor has satisfied all of the
conditions of the exception at all relevant times. We believe this
approach balances the policy interest of promoting interoperability and
TEFCA participation with the interest in ensuring EHI moves in a manner
that is usable by the requestor.
We also note that the comment and similar comments assume that
TEFCA participation will not streamline information exchange. Those who
join TEFCA are voluntarily seeking to get the benefits of scalable
nationwide trust and infrastructure services for IHE-based and, as the
transition to FHIR takes place, FHIR API exchange. Thus, those who join
TEFCA would be motivated to fulfill as much of their information
sharing obligations and practices as they are able to in order to
reduce the overhead associated with achieving interoperability outside
of TEFCA. In short, rather than hampering information sharing, we
believe that encouraging exchange via TEFCA will make it easier for
both actors and requestors to achieve access, exchange, and use of the
EHI.
Finally, to clarify the distinction between the Manner Exception
(Sec. 171.301) and its conditions (a) manner requested and (b)
alternative manner, we have finalized a new subpart D, ``Exceptions
That Involve Practices Related to Actors' Participation in The Trusted
Exchange Framework and Common Agreement (TEFCA)'' and finalized the
TEFCA Manner Exception within that subpart at Sec. 171.403.
Concerns About TEFCA Policies
Comments. A commenter asked for clarification about how to
distinguish exchange that occurs pursuant to a Framework Agreement
versus an intra-QHIN agreement. The same commenter also asked how
actors will be able to ascertain whether a request made for a certain
purpose (e.g., health care operations) outside the TEFCA network aligns
with the same purpose that they (the actors) would be offering to
respond to under TEFCA; and how to handle situations where a requestor
does not support the capability to make or receive requests or perform
other transmissions for certain Exchange Purposes that do not require a
response (e.g., Payment, Public Health, or health care operations).
Another commenter asked ONC to clarify which purposes are permitted
under TEFCA as applied to this exception. One commenter asked that ONC
clarify that if the EHI being requested or the exchange purpose for
which it was requested are not part of the current required parameters
of TEFCA, the condition will still be available.
Response. QHIN-to-QHIN exchange would be covered by this exception
because both parties, the QHINs, are ``part of TEFCA,'' having signed
the Common Agreement to become a QHIN. Exchange within QHINs (in other
words, exchange between Participants or Subparticipants who have joined
the same QHIN) would also qualify for this exception. In addition, the
purpose of the request is not relevant for the information blocking
definition, nor is the status of the parties beyond their being ``part
of TEFCA.'' So long as the actor can respond to the request via TEFCA,
and the requestor participates in TEFCA and is capable of access,
exchange, or use of the EHI, as applicable, then the condition can be
satisfied, assuming all the other conditions of the exception are also
met. In situations where a requestor does not support the capability to
make or receive requests or perform other transmissions for certain
Exchange Purposes that do not require a response, then the TEFCA Manner
Exception would not be available because the requestor would not be
able to access, exchange, or use the EHI if transmitted via TEFCA, and
thus the second condition of the exception, requestor capability (Sec.
171.403(b)) would not be met.
TEFCA Directory
ONC requested comment on whether an actor should be required to
search a directory prior to responding via TEFCA (88 FR 23873).
Comment. One commenter expressed concerns that the directory would
be unreliable, or that actors may not be recognized due to naming
issues. Another commenter asked if QHINs would be permitted to leverage
their own provider directories.
Response. We thank the commenters for their feedback. At this time,
for reasons such as those mentioned by the commenter as well as due to
the logistical complexities of providing real-time access to an easily
usable directory for purposes of identifying requestors of EHI, we have
not finalized a requirement that an actor search the TEFCA directory as
a condition of the exception. Actors should be able to determine
whether requestors are part of TEFCA through customary business
interactions, such as those that occur when parties engage in
exchanging EHI. Actors may also choose to use their own resources, such
as provider directories, to make affirmative determinations of whether
a requestor is part of TEFCA. However, it ultimately remains the
actor's responsibility in making a positive determination as to whether
a requestor is part of TEFCA for the purposes of satisfying this
exception.
General Comments
Comments. A few commenters recommended that ONC restrict the scope
of the proposed exception such that it covers only those reasonable
activities that are necessary to comply with and implement the Common
Agreement, and not to extend it to other practices. Commenters noted
this would still incentivize TEFCA participation without inadvertently
inhibiting innovation and competition.
Response. While we appreciate the commenter's position and agree
that
[[Page 1394]]
such an exception may incentivize TEFCA participation, the finalized
TEFCA Manner Exception will provide certainty to actors that the
practice of making EHI available for access, exchange, and use via
TEFCA to other TEFCA participants, and consistent with the relevant
outlined conditions, will not be information blocking. We may consider
proposing additional TEFCA exceptions in future rulemakings.
Comments. One commenter expressed support for the exception,
stating that it would reduce burden on physicians who connect to a QHIN
by allowing physicians to rely on that connection as a substitute for
fulfillment of tailored requests for EHI by redirecting the requestor
to the QHIN.
Response. We want to clarify that, as proposed and as finalized,
the TEFCA Manner Exception does not permit physicians to redirect all
requests for access, exchange, or use of EHI to a QHIN. However, TEFCA
participation and meeting the exception in applicable circumstances may
allow physicians to redirect a significant portion of EHI requests. The
exception outlines the specific circumstances under which an actor, who
is part of TEFCA, may respond to a requestor, who is also part of
TEFCA, via TEFCA services regardless of the manner requested, unless
the requestor asked for the access via the standards adopted in 45 CFR
170.215, including versions of those standards approved pursuant to 45
CFR 170.405(b)(8). Further, the requestor must be capable of accessing,
exchanging, or using the EHI, as applicable to the circumstances, via
TEFCA. Therefore, there will be circumstances when both the actor and
requestor may be part of TEFCA, but the exception would not apply
because the requestor cannot, for technical reasons or due to TEFCA-
related agreements, access, exchange, or use the EHI via TEFCA. We also
emphasize, again, that individuals cannot be ``part of TEFCA;'' thus,
if the requestor is an individual, the TEFCA Manner Exception will not
be available to any actor.
Comment. A commenter suggested ONC simplify the information
blocking regulations and create separate exceptions/conditions for
providers different from those for developers and networks and explore
provider-targeted exception options not tied to certified Health IT
Module use or TEFCA participation.
Response. We appreciate the comment, but we did not propose
exceptions specific to any one of the three categories of actors
(health care provider, HIN/HIE, and health IT developer of certified
health IT), and decline to adopt such an approach in this final rule.
The exceptions address reasonable and necessary activities that are not
considered information blocking and are designed to be used by any of
the regulated actors where appropriate. Generally, they are not
contingent on the use of certified health IT. Further, all of the
exceptions set forth in subparts B and C of 45 CFR part 171 are
available to any actor, when they are satisfied, regardless of whether
the actor has chosen to become a part of the TEFCA ecosystem. Health
care providers interested in learning more about any or all of the
information blocking exceptions can find more information about the
exceptions at https://www.healthit.gov/topic/information-blocking. The
exceptions themselves can be found in their entirety in 42 CFR part 171
(available online at: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171?toc=1).\262\
---------------------------------------------------------------------------
\262\ URLs retrieved Oct 26, 2023.
---------------------------------------------------------------------------
Comments Beyond the Scope of the Proposal
Comments. A commenter asked for clarification regarding the
participation of entities in TEFCA that are acting on behalf of other
entities, like business associates, and the data sharing requirements
for those entities.
Response. We appreciate the comment. The regulations and
requirements governing TEFCA are out of scope for the proposal.
Comments. One commenter asked ONC to better explain the controls
that are in place to ensure that QHIN requested data does not violate
HIPAA. Another commenter asked ONC to address how patients will provide
consent for the networked sharing of their data via TEFCA, and how
patients will even be informed about what of their data has been shared
by whom, to whom, and for what use. A few commenters asked ONC to
incorporate privacy-protective practices into the Common Agreement.
Response. These comments are beyond the scope of the proposal.
However, we offer the following information in response to these
comments about TEFCA. TEFCA includes strong privacy protections within
the Common Agreement, Qualified Health Information Network Technical
Framework (QTF), and standard operating procedures. Most connected
entities under TEFCA will be HIPAA covered entities or business
associates of covered entities, and thus will already be required to
comply with the HIPAA Privacy Rule. The Common Agreement requires each
non-HIPAA entity that participates in TEFCA to protect individually
identifiable information that it reasonably believes is TEFCA
information in substantially the same manner as HIPAA covered entities
protect PHI, including having to comply with most provisions of the
HIPAA Privacy Rule as if they were subject to the HIPAA Privacy Rule.
Further, in some ways, the TEFCA requirements related to the Individual
Access Services (IAS) exchange purpose require that IAS providers meet
an even higher bar of privacy than HIPAA, including providing
individuals with the right to delete their data.
For additional information about TEFCA requirements related to
privacy, we refer readers to the most recent versions of the Common
Agreement, QTF, and standard operating procedures. ONC's official
website, HealthIT.gov, also provides additional information about
TEFCA.
Comment. A commenter suggested ONC align with the approach taken by
CMS in its promoting interoperability programs to explicitly name TEFCA
as an optional alternative for claiming credit under the HIE Objective.
Response. We appreciate the comment. We are uncertain how or in
what manner the commenter recommends we align the TEFCA Manner
Exception with the approach CMS implemented for TEFCA participation
under the promoting interoperability programs. However, as mentioned
above, this comment is beyond the scope of the proposal.
Comment. One commenter requested ONC to consider how it can address
patient portals that cannot share a full record set with a patient, and
interoperability concerns that arise from portal configurations.
Response. We appreciate the feedback. Although ONC does consider
and regulate the interoperability capabilities of health IT as it
relates to patient portals through the ``view, download, and transmit
to 3rd party'' certification criterion (45 CFR 170.315(e)(1)) of the
Program, this comment is beyond the scope of the proposal.
D. Information Blocking Requests for Information
1. Additional Exclusions From Offer Health IT--Request for Information
In the HTI-1 Proposed Rule (at 88 FR 23873), we sought comment on
whether we should consider proposing in future rulemaking any
additional exclusions from the offer health information
[[Page 1395]]
technology or offer health IT definition proposed in Sec. 171.102 of
this proposal. We also welcomed information specific to how potential
additional exclusions could be structured or balanced by other measures
to mitigate risks of unintended consequences of such exclusions. We
also indicated we would welcome comments on other steps ONC might
consider taking to further encourage lawful donation or other
subsidized provision of certified health IT to health care providers
who may otherwise struggle to afford modern, interoperable health IT.
Comments. We received 14 comment submissions that included comments
in response to this RFI.
Response. We thank the commenters for their feedback. As noted in
the HTI-1 Proposed Rule, we may use this feedback to inform a future
rulemaking.
2. Possible Additional TEFCA Reasonable and Necessary Activities--
Request for Information
In the HTI-1 Proposed Rule (at 88 FR 23873 through 23874), we
sought comment on whether any other particular practices that are not
otherwise required by law, but are required of an individual person or
entity by virtue of their status as a QHIN, Participant, or
Subparticipant pursuant to the Common Agreement, pose a substantial
concern or uncertainty regarding whether such practices could
constitute information blocking as defined in 45 CFR 171.103. We sought
comment on which particular practices the commenters believe are not
covered by existing information blocking exceptions and that the
commenters would advocate we assess for potential identification as
reasonable and necessary activities that do not constitute information
blocking as defined in 45 CFR 171.103. We also sought comment on
whether and how any such identification of additional reasonable and
necessary activities might pose concerns about unintended consequences
for EHI access, exchange, or use by individuals or entities that are
not QHINs, Participants, or Subparticipants.
Comments. We received 16 comment submissions that included comments
in response to this RFI.
Response. We thank the commenters for their feedback. As noted in
the HTI-1 Proposed Rule, we may use this feedback to inform future
rulemaking.
3. Health IT Capabilities for Data Segmentation and User/Patient
Access--Request for Information
In the HTI-1 Proposed Rule (at 88 FR 23874 through 23875), we
discussed the importance of data segmentation capabilities and a
variety of situations in which segmentation of data may be required or
requested, including use cases where special handling or other
restriction of access, exchange, or use of particular portion(s) of a
patient's EHI is required by law or consistent with an individual
patient's expressed preference regarding their own or others' access to
their EHI. The HTI-1 Proposed Rule included a primary and several
alternative proposals for a new certification criterion specifically
focused on supporting patient preferences related to their right to
request restrictions on certain uses and disclosures of their PHI under
the HIPAA Privacy Rule (see 45 CFR 164.522). This proposal is addressed
in section III.C.10 of this final rule (see section III.C.10 for
further detail).
In addition to the specific right to request a restriction on
disclosure consistent with 45 CFR 164.522, there are other use cases
related to patient preferences--and specific nuances within use cases--
which present challenges from a technical point of view.
We sought comment to inform steps we might consider taking to
improve the availability and accessibility of solutions supporting
health care providers' and other information blocking actors' efforts
to honor patients' expressed preferences regarding their EHI (88 FR
23874). We also specifically sought (88 FR 23875) comment on additional
topics related to the capabilities of health IT products to segment
data, such as experiences with the availability and utility of
certified health IT products' capabilities to segment data in use
cases, including, but not limited to, the illustrative examples above.
Comments. We received 102 comment submissions that included
comments in response to this RFI.
Response. We thank the commenters for their feedback. As noted in
the HTI-1 Proposed Rule, we may use this feedback to inform a future
rulemaking.
V. Incorporation by Reference
The Office of the Federal Register has established requirements for
materials (e.g., standards and implementation specifications) that
agencies incorporate by reference in the Code of Federal Regulations
(79 FR 66267; 1 CFR 51.5(b)). Specifically, Sec. 51.5(b) requires
agencies to discuss, in the preamble of a final rule, the ways that the
materials they incorporate by reference are reasonably available to
interested parties or how it worked to make those materials reasonably
available to interested parties; and summarize, in the preamble of the
final rule, the material they incorporate by reference.
To make the materials we intend to incorporate by reference
reasonably available, we provide a uniform resource locator (URL) for
the standards and implementation specifications. In many cases, these
standards and implementation specifications are directly accessible
through the URLs provided. In most of these instances, access to the
standard or implementation specification can be gained through no-cost
(monetary) participation, subscription, or membership with the
applicable standards developing organization (SDO) or custodial
organization. Alternatively, a copy of the standards may be viewed for
free at the U.S. Department of Health and Human Services, Office of the
National Coordinator for Health Information Technology, 330 C Street
SW, Washington, DC 20201. Please call (202) 690-7171 in advance to
arrange inspection.
The National Technology Transfer and Advancement Act (NTTAA) of
1995 (15 U.S.C. 3701 et seq.) and the Office of Management and Budget
(OMB) Circular A-119 require the use of, wherever practical, technical
standards that are developed or adopted by voluntary consensus
standards bodies to carry out policy objectives or activities, with
certain exceptions. The NTTAA and OMB Circular A-119 provide exceptions
to selecting only standards developed or adopted by voluntary consensus
standards bodies, namely when doing so would be inconsistent with
applicable law or otherwise impractical. As discussed in section III.B
of this preamble, we have followed the NTTAA and OMB Circular A-119 in
adopting standards and implementation specifications, including
describing any exceptions in the adoption of standards and
implementation specifications. Over the years of adopting standards and
implementation specifications for certification, we have worked with
SDOs, such as HL7, to make the standards we adopt and incorporate by
reference in the Federal Register, available to interested parties. As
described above, this includes making the standards and implementation
specifications available through no-cost memberships and no-cost
subscriptions.
As required by Sec. 51.5(b), we provide summaries of the standards
we have adopted and incorporate by reference in the Code of Federal
Regulations. We also provide relevant information about these standards
and implementation specifications throughout the preamble.
[[Page 1396]]
We have organized the following standards and implementation
specifications that we have adopted through this rulemaking according
to the sections of the CFR in which they would be codified and cross-
referenced for associated certification criteria and requirements that
we have adopted.
Content Exchange Standards and Implementation Specifications for
Exchanging Electronic Health Information--45 CFR 170.205
Health Level 7 (HL7[supreg]) CDA[supreg] R2 Implementation
Guide: C-CDA Templates for Clinical Notes STU Companion Guide, Release
4.1--US Realm, June 2023, Specification Version: 4.1.1.
URL: http://www.hl7.org/implement/standards/product_brief.cfm?product_id=447.
Access requires a ``user account'' and a license agreement. There
is no monetary cost for a user account and license agreement.
Summary: The Consolidated Clinical Document Architecture (C-CDA)
Companion Guide R4.1, provides essential implementer guidance to
continuously expand interoperability for clinical information shared
via structured clinical notes. The guidance supplements specifications
established in the Health Level Seven (HL7) CDA[supreg] R2.1 IG: C-CDA
Templates for Clinical Notes. This additional guidance is intended to
make implementers aware of expectations and best practices for C-CDA
document exchange. The objective is to increase consistency and expand
interoperability across the community of data sharing partners who
utilize C-CDA for information exchange.
HL7 FHIR[supreg] Implementation Guide: Electronic Case
Reporting (eCR)--US Realm 2.1.0--STU 2 US (HL7 FHIR eCR IG), August 31,
2022.
URL: https://build.fhir.org/ig/HL7/case-reporting/.
Access requires a ``user account'' and a license agreement. There
is no monetary cost for a user account and license agreement.
Summary: With the adoption and maturing of Electronic Health
Records (EHRs), there are opportunities to better support public health
surveillance as well as to better support the delivery of relevant
public health information to clinical care. Electronic Case Reporting
(eCR) can provide more complete and timely case data, support disease/
condition monitoring, and assist in outbreak management and control. It
can also improve bidirectional communications through the delivery of
public health information in the context of a patient's condition and
local disease trends and by facilitating ad hoc communications, as well
as reduce health care provider burden by automating the completion of
legal reporting requirements. The purpose of this FHIR IG is to offer
opportunities to further enable automated triggering and reporting of
cases from EHRs, to ease implementation and integration, to support the
acquisition of public health investigation supplemental data, and to
connect public health information (e.g., guidelines) with clinical
workflows. Over time, FHIR may also support the distribution of
reporting rules to clinical care to better align data authorities and
make broader clinical data available to public health decision support
services inside the clinical care environment.
HL7 CDA[supreg] R2 Implementation Guide: Public Health
Case Report--the Electronic Initial Case Report (eICR) Release 2, STU
Release 3.1--US Realm (HL7 CDA eICR IG), July 2022.
URL: http://www.hl7.org/implement/standards/product_brief.cfm?product_id=436.
Access requires a ``user account'' and a license agreement. There
is no monetary cost for a user account and license agreement.
Summary: The purpose of this implementation guide (IG) is to
specify a standard for electronic submission of electronic initial
public health case reports using HL7 Version 3 Clinical Document
Architecture (CDA), Release 2 format. This implementation guide
specifies a standard that will allow health care providers to
electronically communicate the specific data needed in initial public
health case reports (required by state laws/regulations) to
jurisdictional public health agencies in CDA format--an interoperable,
industry-standard format.
HL7 CDA[supreg] R2 Implementation Guide: Reportability
Response, Release 1, STU Release 1.1--US Realm (HL7 CDA RR IG), July
2022.
URL: https://www.hl7.org/implement/standards/product_brief.cfm?product_id=470.
Access requires a ``user account'' and a license agreement. There
is no monetary cost for a user account and license agreement.
Summary: The purpose of this implementation guide (IG) is to
specify a standard for a response document for a public health
electronic Initial Case Report (HL7 eICR all releases) using HL7
Version 3 Clinical Document Architecture (CDA), Release 2 format.
Through the Reportability Response, public health seeks to support
bidirectional communication with clinical care for reportable
conditions in CDA format, which is an interoperable, industry-standard
format.
Reportable Conditions Trigger Codes Value Set for
Electronic Case Reporting. RCTC OID: 2.16.840.1.114222.4.11.7508,
Release March 29, 2022.
URL: https://ecr.aimsplatform.org/ehr-implementers/triggering/.
Access requires a ``user account'' and a license agreement. There
is no monetary cost for a user account and license agreement.
Summary: The Reportable Condition Trigger Codes (RCTC) are a
nation-wide set of standardized codes to be implemented within an
electronic health record (EHR) that provide a preliminary
identification of events that may be of interest to public health for
electronic case reporting. The RCTC are the first step in a two-step
process to determine reportability. The RCTC are single factor codes
that represent any event that may be reportable to any public health
agency in the United States. A second level of evaluation still must be
done against jurisdiction-specific reporting regulations, to confirm
whether the event is reportable and to which public health agency or
agencies. The RCTC currently includes ICD 10 CM, SNOMED CT, LOINC,
RxNorm, CVX, and CPT, representing condition-specific diagnoses,
resulted lab tests names, lab results, lab orders for conditions
reportable upon suspicion, and medications for select conditions.
Vocabulary Standards for Representing Electronic Health Information--45
CFR 170.207
HL7 Standard Code Set CVX--Vaccines Administered, dated
June 15, 2022.
URL: https://www2a.cdc.gov/vaccines/iis/iisstandards/vaccines.asp?rpt=cvx.
This is a direct access link.
Summary: The CDC's National Center of Immunization and Respiratory
Diseases (NCIRD) developed and maintains the CVX (vaccine administered)
code set. It includes both active and inactive vaccines available in
the US. CVX codes for inactive vaccines allow transmission of
historical immunization records. When a MVX (manufacturer) code is
paired with a CVX (vaccine administered) code, the specific trade named
vaccine may be indicated. These codes should be used for immunization
messages using HL7 Version 2.5.1.
National Drug Code Directory (NDC)--Vaccine NDC Linker,
dated July 19, 2022.
[[Page 1397]]
URL: https://www2.cdc.gov/vaccines/iis/iisstandards/ndc_tableaccess.asp.
This is a direct access link.
Summary: The Drug Listing Act of 1972 requires registered drug
establishments to provide the FDA with a current list of all drugs
manufactured, prepared, propagated, compounded, or processed by it for
commercial distribution. Drug products are identified and reported
using a unique, three-segment number, called the National Drug Code
(NDC), which serves as the universal product identifier for drugs. This
standard is limited to the NDC vaccine codes identified by CDC.
CDC Race and Ethnicity Code Set version 1.2, (July 08,
2021).
URL: https://www.cdc.gov/phin/resources/vocabulary/index.html.
The code set can be accessed through this link.
Summary: The CDC has prepared a code set for use in coding race and
ethnicity data. This code set is based on current federal standards for
classifying data on race and ethnicity, specifically the minimum race
and ethnicity categories defined by the U.S. Office of Management and
Budget (OMB) and a more detailed set of race and ethnicity categories
maintained by the U.S. Bureau of the Census (BC). The main purpose of
the code set is to facilitate use of federal standards for classifying
data on race and ethnicity when these data are exchanged, stored,
retrieved, or analyzed in electronic form. At the same time, the code
set can be applied to paper-based record systems to the extent that
these systems are used to collect, maintain, and report data on race
and ethnicity in accordance with current federal standards.
Medicare Provider and Supplier Taxonomy Crosswalk, 2021.
URL: https://data.cms.gov/provider-characteristics/medicare-provider-supplier-enrollment/medicare-provider-and-supplier-taxonomy-crosswalk/data/2021.
This is a direct access link.
Summary: The Medicare Provider and Supplier Taxonomy Crosswalk
dataset lists the providers and suppliers eligible to enroll in
Medicare programs with the proper healthcare provider taxonomy code.
This data includes the Medicare specialty codes, if available,
provider/supplier type description, taxonomy code, and the taxonomy
description. The Healthcare Provider Taxonomy Code Set is a
hierarchical code set that consists of codes, descriptions, and
definitions. Healthcare Provider Taxonomy Codes are designed to
categorize the type, classification, and/or specialization of health
care providers. The Code Set is available from the Washington
Publishing Company (https://wpc-edi.com/). The Code Set is maintained
by the National Uniform Claim Committee (https://www.nucc.org/).
Public Health Data Standards Consortium Users Guide for
Source of Payment Typology Code Set, December 2020, Version 9.2.
URL: https://nahdo.org/sites/default/files/2020-12/SourceofPaymentTypologyUsersGuideVersion9.2December2020.pdf.
This is a direct access link.
Summary: The Source of Payment Typology was developed to create a
standard for reporting payer type data that will enhance the payer data
classification; it is also intended for use by those collecting data or
analyzing healthcare claims information. Modeled loosely after the ICD
typology for classifying medical conditions, the proposed typology
identifies broad Payer categories with related subcategories that are
more specific. This format provides analysts with flexibility to either
use payer codes at a highly detailed level or to roll up codes to
broader hierarchical categories for comparative analyses across payers
and locations.
Logical Observation Identifiers Names and Codes (LOINC
[supreg]) Database Version 2.72, a universal code system for
identifying laboratory and clinical observations produced by the
Regenstrief Institute, Inc., February 16, 2022.
URL: https://loinc.org/downloads/.
Access requires registration, a user account, and license
agreement. There is no monetary cost for registration, a user account,
and license agreement.
Summary: Informed by tracking healthcare trends, evaluating concept
requests, and listening to guidance from the community, this release
contains new and edited concepts in Laboratory, Clinical, Survey,
Document Type, and other domains. It also includes a newly streamlined
release file structure for more efficient download and use.
The Unified Code for Units of Measure, Revision 2.1,
November 21, 2017.
URL: https://ucum.org/ucum.html.
This is a direct access link.
Summary: The Unified Code for Units of Measure is a code system
intended to include all units of measures being contemporarily used in
international science, engineering, and business. The purpose is to
facilitate unambiguous electronic communication of quantities together
with their units. The focus is on electronic communication, as opposed
to communication between humans. A typical application of The Unified
Code for Units of Measure are electronic data interchange (EDI)
protocols, but there is nothing that prevents it from being used in
other types of machine communication.
Systematized Nomenclature of Medicine Clinical Terms
(SNOMED CT[supreg]) U.S. Edition, March 2022.
URL: https://www.nlm.nih.gov/healthit/snomedct/us_edition.html.
Access requires a user account and license agreement. There is no
monetary cost for a user account and license agreement.
Summary: In addition to the 279 new active concepts specific to the
US Edition, the March 2022 SNOMED CT US Edition also includes the
SNOMED CT COVID-19 Related Content published in the January 2022 SNOMED
CT International Edition. This latest version of the US Edition also
includes the SNOMED CT to ICD-10-CM reference set, with over 126,000
SNOMED CT source concepts mapped to ICD-10-CM targets.
RxNorm, a standardized nomenclature for clinical drugs
produced by the United States National Library of Medicine, July 5,
2022, Full Update Release.
URL: https://www.nlm.nih.gov/research/umls/rxnorm/docs/rxnormfiles.html.
Access requires a user account and license agreement. There is no
monetary cost for a user account and license agreement.
Summary: RxNorm, a standardized nomenclature for clinical drugs, is
produced by the National Library of Medicine. RxNorm's standard
identifiers and names for clinical drugs are connected to the varying
names of drugs present in many different controlled vocabularies within
the Unified Medical Language System (UMLS) Metathesaurus, including
those in commercially available drug information sources. These
connections are intended to facilitate interoperability among the
computerized systems that record or process data dealing with clinical
drugs.
United States Core Data for Interoperability--45 CFR 170.213
United States Core Data for Interoperability (USCDI),
October 2022 Errata, Version 3 (v3).
URL: https://www.healthit.gov/USCDI.
This is a direct access link.
Summary: The United States Core Data for Interoperability (USCDI
establishes a minimum set of data classes that are required to be
interoperable nationwide and is
[[Page 1398]]
designed to be expanded in an iterative and predictable way over time.
Data classes listed in the USCDI are represented in a technically
agnostic manner to set a foundation for broader sharing of electronic
health information. ONC has established a predictable, transparent, and
collaborative expansion process for USCDI based on public evaluation of
previous versions and submissions by the health IT community and the
public, including input from a federal advisory committee.
Application Programming Interface Standards--45 CFR 170.215
HL7 FHIR US Core Implementation Guide Version 6.1.0--STU6,
June 19, 2023.
URL: http://hl7.org/fhir/us/core/.
This is a direct access link.
Summary: The US Core Implementation Guide is based on FHIR Version
R4.0.1 and defines the minimum set of constraints on the FHIR resources
to create the US Core Profiles. It also defines the minimum set of FHIR
RESTful interactions for each of the US Core Profiles to access patient
data. By establishing the ``floor'' of standards to promote
interoperability and adoption through common implementation, it allows
for further standards development evolution for specific uses cases.
HL7 FHIR[supreg] SMART App Launch Implementation Guide
Release 2.0.0, November 26, 2021.
URL: http://hl7.org/fhir/smart-app-launch/.
This is a direct access link.
Summary: This implementation guide describes a set of foundational
patterns based on OAuth 2.0 for client applications to authorize,
authenticate, and integrate with FHIR-based data systems.
VI. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), codified as
amended at 44 U.S.C. 3501 et seq., agencies are required to provide a
30-day notice in the Federal Register and solicit public comment on a
proposed collection of information before it is submitted to the Office
of Management and Budget for review and approval. In order to fairly
evaluate whether an information collection should be approved by the
OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment
on the following issues:
1. Whether the information collection is necessary and useful to
carry out the proper functions of the agency.
2. The accuracy of the agency's estimate of the information
collection burden.
3. The quality, utility, and clarity of the information to be
collected; and
4. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered. We solicited comment on these issues in
the HTI-1 Proposed Rule (88 FR 23878 through 23880) for the matters
discussed in detail below.
A. Independent Entity
As stated in the HTI-1 Proposed Rule (88 FR 23847), we proposed
that response submissions related to the Insights Condition and
Maintenance of Certification requirements would be submitted to an
independent entity on behalf of ONC, and that we intend to award a
grant, contract, or other agreement to an independent entity as part of
the implementation of the Insights Condition and Maintenance of
Certification requirements.
For estimating potential burden, we stated that we believe the
independent entity would take approximately 5 minutes to review a
response submission for completeness, and approximately 30 minutes to
submit the completed response submission to ONC, based on how many
products a developer of certified health IT may be required to submit
responses for. We also stated that we plan to minimize burden for the
independent entity by automating parts of the response review and
submission process via an online tool.
Table 3--Estimated Annualized Burden Hours for Independent Entity To
Review and Submit Developer Responses to ONC per Insights Condition
Requirements
------------------------------------------------------------------------
Number of Average
Code of Federal regulations section independent burden Total
entity hours
------------------------------------------------------------------------
45 CFR 170.407(a)...................... 1 24 24
45 CFR 170.407(b)...................... 1 143 143
--------------------------------
Total Burden Hours................. ........... ......... 167
------------------------------------------------------------------------
Comments. We did not receive any comments specific to the response
submissions related to the Insights Condition and Maintenance of
Certification requirements that would be submitted to an independent
entity on behalf of ONC.
Response. We continue to maintain our estimated annualized burden
hours for an independent entity to take approximately 5 minutes to
review a response submission for completeness, and approximately 30
minutes to submit the completed response submission to ONC. We refer
readers to section VII (Regulatory Impact Analysis) of this final rule
for the cost estimates related to the Insights Condition.
B. Health IT Developers
We stated in the HTI-1 Proposed Rule (88 FR 23846), developers of
certified health IT would be required to submit responses associated
with the Insights Condition and Maintenance of Certification
requirements to an independent entity twice a year. For the purposes of
estimating potential burden, we estimated 52 developers of certified
health IT would be required to report on the Insights Condition. We
estimated it would take approximately 21,136 to 44,900 hours on average
for a developer of certified health IT to collect and report on the
proposed measures within the Insights Condition and Maintenance of
Certification requirements. For the purposes of estimating the total
potential burden for developers of certified health IT, we estimated an
average burden of 2,334,800 hours. We stated that this was crude upper
bound estimate as there are multiple measures with varying complexity
associated with the Insights Condition and Maintenance of
Certification, and the number of developers of certified health IT
required to report changes by each measure.
[[Page 1399]]
Table 4--Estimated Annualized Total Burden Hours for Health IT Developers To Comply With the Insights Condition
and Maintenance of Certification Requirements
----------------------------------------------------------------------------------------------------------------
Average burden Average burden
Code of Federal regulations section Number of health hours--lower hours--upper
IT developers bound bound
----------------------------------------------------------------------------------------------------------------
45 CFR 170.407(a)...................................... 52 17,445 38,750
--------------------------------------------------------
Total Burden Hours................................. ................. 790,806 1,767,692
----------------------------------------------------------------------------------------------------------------
In the HTI-1 Proposed Rule (88 FR 23797), we stated for Sec.
170.315(b)(11)(vii)(B), health IT developers would compile
documentation regarding the intervention risk management practices
listed in Sec. 170.315(b)(11)(vii)(A), and upon request from ONC, make
available such detailed documentation for any Predictive DSI, as
defined in Sec. 170.102, that the certified Health IT Module enables
or interfaces with. We stated that we believe ONC has the authority to
conduct Direct Review consistent with Sec. 170.580(a)(2) for any known
non-conformity or where it has a reasonable belief that a non-
conformity exists enabling ONC to have oversight of these requirements.
The PRA, however, exempts these information collections. Specifically,
44 U.S.C. 3518(c)(1)(B)(ii) excludes collection activities during the
conduct of administrative actions or investigations involving the
agency against specific individuals or entities.
Comments. We did not receive any comments specific to either
collection of information from developers of health IT or our
corresponding PRA determinations.
Response. For the first information collection, we have provided
updated burden estimates above in Table 4 to reflect revisions we have
finalized for the Insights Condition. Recognizing that there was some
overlap for the Insights and Real World Testing Condition of
Certification, we have finalized that health IT developers who were
required to report for the Insights Condition could leverage relevant
Insights measures for real world testing annual reporting to reduce
costs. In addition, due to significant overlap we have finalized across
many of the measures, we have reduced the estimated burden hours
assuming there will be a 10% overlap of developing infrastructure
across all measures. For a more detailed discussion and the cost
estimates of these new regulatory requirements associated with the
Insights Condition and Maintenance of Certification, we refer readers
to section VII (Regulatory Impact Analysis) of this final rule.
For the second information collection, we continue to maintain that
information collected pursuant to an administrative enforcement action
is not subject to the PRA under 44 U.S.C. 3518(c)(1)(B)(ii), which
excludes collection activities during the conduct of administrative
actions or investigations involving the agency against specific
individuals or entities.
C. ONC-ACBs
As stated in the HTI-1 Proposed Rule (88 FR 23782), we proposed in
Sec. 170.315(b)(11)(vii)(C) that a health IT developer that attests
``yes'' in Sec. 170.315(b)(11)(v)(A) submit summary information of the
intervention risk management practices listed in Sec.
170.315(b)(11)(vii)(A)(1) through (3) to its ONC-ACB via a publicly
accessible hyperlink that allows any person to directly access the
information without any preconditions or additional steps. To support
submission of documentation, and consistent with other Principles of
Proper Conduct in Sec. 170.523(f)(1), we proposed a new Principle of
Proper Conduct for documentation related to Sec.
170.315(b)(11)(vii)(C) in Sec. 170.523(f)(1)(xxi). In the 2015 Edition
Proposed Rule (80 FR 16894), we estimated fewer than ten annual
respondents for all of the regulatory ``collection of information''
requirements that applied to the ONC-ACBs, including those previously
approved by OMB. In the 2015 Edition Final Rule (80 FR 62733), we
concluded that the regulatory ``collection of information''
requirements for the ONC-ACBs were not subject under the implementing
regulations of the PRA at 5 CFR 1320.3(c).
Comments. We did not receive any comments specific to the new
Principle of Proper Conduct for the submission of documentation in
Sec. 170.523(f)(1)(xxi).
Response. We have finalized the requirements in Sec.
170.523(f)(1)(xxi), as proposed, which will require ONC-ACBs to ensure
that developers of certified health IT with Health IT Modules certified
to Sec. 170.315(b)(11) submit summary information of intervention risk
management practices (for each Predictive DSI supplied by the health IT
developer as part of its Health IT Module) via publicly accessible
hyperlinks that allow any person to access the summary information
directly without any preconditions or additional steps. We continue to
maintain our past determinations in that we estimate less than ten
annual respondents for all the regulatory ``collection of information''
requirements for ONC-ACBs under part 170 of title 45, including those
previously approved by OMB and in this final rule, and that the
regulatory ``collection of information'' requirements under the Program
described in this section are not subject under the implementing
regulations of the PRA at 5 CFR 1320.3(c). For the cost estimates of
these new regulatory requirements, we refer readers to section VII
(Regulatory Impact Analysis) of this final rule.
VII. Regulatory Impact Analysis
A. Statement of Need
This final rule is necessary to meet our statutory responsibilities
under the Cures Act and to advance HHS policy goals to promote
interoperability and mitigate burden for health IT developers and
users. Policies that could result in monetary costs for health IT
developers and users include: (1) updates to ONC Certification Criteria
for Health IT; (2) the Insights Condition and Maintenance of
Certification requirements; and (3) policies related to information
blocking.
While much of this final rule's costs will fall on health IT
developers who seek to certify health IT under the Program, we believe
the implementation and use of ONC Certification Criteria for Health IT,
compliance with the Insights Condition and Maintenance of Certification
requirements (``Insights Condition''), and the provisions related to
information blocking will ultimately result in significant benefits for
health care providers and patients. We outline some of these benefits
below. We emphasize in this regulatory impact analysis (RIA) that we
believe this final rule will remove barriers to interoperability and
EHI exchange, which will greatly benefit health care providers and
patients.
[[Page 1400]]
We note in this RIA that there were instances in which we had
difficulty quantifying certain benefits due to a lack of applicable
studies, data, or both. However, in such instances, we highlight the
significant non-quantified benefits of our policies to advance an
interoperable health system that empowers individuals to use their EHI
to the fullest extent and enables health care providers and communities
to deliver smarter, safer, and more efficient care.
B. Alternatives Considered
If there are alternatives to our policies, we have described them
within each of the sections within this RIA. In some cases, we have
been unable to identify alternatives that would appropriately implement
our responsibilities under the Cures Act and support interoperability.
We believe our policies take the necessary steps to fulfill the
mandates specified in the Public Health Service Act (PHSA), as amended
by the Health Information Technology for Economic and Clinical Health
(HITECH) Act and the Cures Act, in the least burdensome way. We
welcomed comments on our assessment and any alternatives we should
consider.
C. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993),
Executive Order 13563 on Improving Regulation and Regulatory Review
(January 18, 2011), Executive Order 14094 entitled ``Modernizing
Regulatory Review'' (April 6, 2023), the Regulatory Flexibility Act
(RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the
Social Security Act, section 202 of the Unfunded Mandates Reform Act of
1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on
Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C.
804(2)).
Executive Orders 12866 and 13563 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). The
Executive Order 14094 entitled ``Modernizing Regulatory Review''
(hereinafter, the Modernizing E.O.) amends section 3(f)(1) of Executive
Order 12866 (Regulatory Planning and Review). The amended section 3(f)
of Executive Order 12866 defines a ``significant regulatory action'' as
an action that is likely to result in a rule: (1) having an annual
effect on the economy of $200 million or more in any 1 year (adjusted
every 3 years by the Administrator of OIRA for changes in gross
domestic product), or adversely affect in a material way the economy, a
sector of the economy, productivity, competition, jobs, the
environment, public health or safety, or state, local, territorial, or
tribal governments or communities; (2) creating a serious inconsistency
or otherwise interfering with an action taken or planned by another
agency; (3) materially altering the budgetary impacts of entitlement
grants, user fees, or loan programs or the rights and obligations of
recipients thereof; or (4) raise legal or policy issues for which
centralized review would meaningfully further the President's
priorities or the principles set forth in this Executive order, as
specifically authorized in a timely manner by the Administrator of OIRA
in each case.
A regulatory impact analysis (RIA) must be prepared for major rules
with significant regulatory actions and/or with significant effects as
per section 3(f)(1) ($200 million or more in any 1 year).
Based on our estimates, OMB's Office of Information and Regulatory
Affairs has determined this rulemaking is significant per section
3(f)(1) as measured by the $200 million or more in any 1 year, and
hence also a major rule under Subtitle E of the Small Business
Regulatory Enforcement Fairness Act of 1996 (also known as the
Congressional Review Act) (Pub. L. 104-121, Mar. 29, 1996).
a. Costs and Benefits
We have estimated the potential monetary costs and benefits of this
final rule for health IT developers, health care providers, patients,
and the Federal Government (i.e., ONC), and have broken those costs and
benefits out by section. In accordance with Executive Order 12866, we
have included the RIA summary table as Table 37.
Our cost calculations quantify health IT developers' time and
effort to implement these policies through new development and
administrative activities. We recognize that the costs developers incur
as a result of these policies may be passed on to certified health IT
end-users. These end-users include but are not limited to the nearly
5,000 non-federal hospitals who provide acute, inpatient care and over
one million clinicians who provide outpatient care to all Americans.
Official statistics show that nearly all U.S. non-federal acute care
hospitals (https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records) and the vast
majority of outpatient physicians use certified health IT (https://www.healthit.gov/data/quickstats/office-based-physician-electronic-health-record-adoption). These policies affect the technology that all
these health care providers use.
The benefits, both quantifiable and not quantifiable, articulated
in this impact analysis have the potential to remove barriers to
interoperability and EHI exchange for all these health care providers.
Though these policies first require effort by developers of certified
health IT to reflect them in their software, they must then be
implemented by end-users to achieve the stated benefits--to improve
healthcare delivery and the overall efficacy of the technology to
document, transmit, and integrate EHI across multiple data systems.
To this end, we acknowledge that these estimated costs may not be
borne solely by the developers of certified health IT and could be
passed on to end-users through health IT developers' licensing,
maintenance, and other operating fees and costs. We assume health IT
developers may pass on up to the estimated costs of these policies, but
not amounts above those estimated totals.
However, we have limited data on the fees and costs charged by
health IT developers and how those fees and costs are distributed
across various customer organizations. Given the ongoing nature of
updates made by ONC to the Certification Program, EHR developers may
have already built in the costs associated with making these updates in
their existing contracts. To the extent the costs associated with the
updates have not been taken into account, these costs may be passed on
to end-users in different ways by developers of certified health IT and
across different health care provider organization types. Large
integrated healthcare systems may face different fees and other pricing
than different sized or structured health care provider organizations.
The incredible diversity of the healthcare system also limits our
ability to accurately model how these costs could be passed on, even if
there were data available to estimate how these policies might alter
the pricing models and fee rates of the nearly 400 health IT developers
we estimate will be impacted.
What we can say with more certainty is the overall impact of these
policies on the healthcare system as a whole. These policies affect the
certified health IT used by the providers who give care to a vast
majority of Americans. Nearly all
[[Page 1401]]
emergency room visits, hospital stays, and regular check-ups are
documented and managed using certified health IT. These policies affect
the interoperability of EHI for these care events and patients'
electronic access to their health information. Certified health IT is
now a nearly ubiquitous part of U.S. healthcare, and the costs and
benefits estimated here encompass the widespread use of these
technologies and their impact on all facets of care.
Overall, it is highly speculative to quantify benefits associated
with the new technical requirements and standards for certification
criteria we have adopted in this final rule. Emerging technologies may
be used in ways not originally predicted. For example, ONC helped
support the development of SMART on FHIR, which defines a process for
an application to securely request access to data, and then receive and
use that data. ONC could not have predicted the scale this technical
approach has already achieved. Not only is it used to support major EHR
products, but is also leveraged, for example, by Apple to connect its
Health[supreg] App to hundreds of healthcare systems and for apps to
launch on the Microsoft Azure[supreg] product. It is also speculative
to quantify benefits for specific groups because benefits associated
with many of ONC's policies, which advance interoperability, don't
necessarily accrue to parties making the investments in developing and
implementing the technologies. Benefits related to interoperability are
spread across the healthcare ecosystem and can be considered a societal
benefit. We have sought to describe benefits for each of the specific
policies, and we welcomed comments on how to quantify these benefits
across a variety of interested parties.
We note that we have rounded all estimates to the nearest dollar
and that all estimates are expressed in 2022 dollars as it is the most
recent data available to address all cost and benefit estimates
consistently. The wages used to derive the cost estimates are from the
May 2022 National Occupational Employment and Wage Estimates reported
by the U.S. Bureau of Labor Statistics.\263\ We also note that
estimates presented in the following ``Employee Assumptions and Hourly
Wage,'' ``Quantifying the Estimated Number of Health IT Developers and
Products,'' and ``Number of End Users that Might Be Impacted by ONC's
Proposed Regulations'' sections are used throughout this RIA.
---------------------------------------------------------------------------
\263\ May 2021 National Occupational Employment and Wage
Estimates, United States. U.S. Bureau of Labor Statistics. https://www.bls.gov/oes/current/oes_nat.htm.
---------------------------------------------------------------------------
For policies where research supported direct estimates of impact,
we estimated the benefits. For policies where no such research was
identified to be available, we developed estimates based on a
reasonable proxy.
We note that interoperability can positively impact patient safety,
efficacy, care coordination, and improve healthcare processes and other
health-related outcomes.\264\ However, achieving interoperability is a
function of a number of factors including the capability of the
technology used by health care providers. Therefore, to assess the
benefits of our policies, we must first consider how to assess their
respective effects on interoperability holding other factors constant.
---------------------------------------------------------------------------
\264\ Nir Menachemi, Saurabh Rahurkar, Christopher A Harle,
Joshua R Vest, The benefits of health information exchange: an
updated systematic review, Journal of the American Medical
Informatics Association, Volume 25, Issue 9, September 2018, Pages
1259-1265, https://doi.org/10.1093/jamia/ocy035.
---------------------------------------------------------------------------
Employee Assumptions and Hourly Wage
We have made employee assumptions about the level of expertise
needed to complete the requirements in this section. Unless indicated
otherwise, for wage calculations for federal employees and ONC-ACBs, we
have correlated the employee's expertise with the corresponding grade
and step of an employee classified under the General Schedule (GS)
Federal Salary Classification, relying on the associated employee
hourly rates for the Washington, DC, locality pay area as published by
the Office of Personnel Management for 2022.\265\ We have assumed that
other indirect costs (including benefits) are equal to 100% of pre-tax
wages. Therefore, we have doubled the employee's hourly wage to account
for other indirect costs. We have concluded that a 100% expenditure on
benefits and overhead is an appropriate estimate based on research
conducted by HHS.\266\ Unless otherwise noted, we have consistently
used the May 2022 National Occupational Employment and Wage Estimates
reported by the U.S. Bureau of Labor Statistics (BLS) to calculate
private sector employee wage estimates (e.g., health IT developers,
health care providers, HINs, attorneys, etc.), as we believe BLS
provides the most accurate and comprehensive wage data for private
sector positions.\267\ Just as with the General Schedule Federal Salary
Classification calculations, we have assumed that other indirect costs
(including benefits) are equal to 100% of pre-tax wages. We welcomed
comments on our methodology for estimating labor costs.
---------------------------------------------------------------------------
\265\ Office of Personnel and Management. 2022 General Schedule
(GS) Locality Pay Tables https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/2022/general-schedule/.
\266\ See U.S. Department of Health and Human Services, Office
of the Assistant Secretary for Planning and Evaluation (ASPE),
Guidelines for Regulatory Impact Analysis, at 28-30 (2016),
available at https://aspe.hhs.gov/reports/guidelines-regulatory-impact-analysis.
\267\ May 2021 National Occupational Employment and Wage
Estimates, United States. U.S. Bureau of Labor Statistics. https://www.bls.gov/oes/current/oes_nat.htm.
---------------------------------------------------------------------------
Quantifying the Estimated Number of Health IT Developers and Products
In this section, we describe the methodology used to assess the
potential impact of new certification requirements on the availability
of certified products in the health IT market. This analysis is based
on the number of health IT developers that certified Health IT Modules
for the 2015 Edition and the estimated number of developers that will
participate in the future and the number of products these developers
will certify.
These estimations are based on observed and expected conformance to
2015 Edition Cures Update requirements, market consolidation, industry
trends and business decisions by participating developers, and other
voluntary and involuntary withdrawals from the Program. In Table 5
below, we quantify the number of participating developers and certified
products for the 2011 Edition, 2014 Edition, and 2015 Edition. We found
that the number of health IT developers certifying products between the
2011 Edition and 2014 Edition decreased by 22.1% and the number of
certified products available decreased by 23.2%. Furthermore, we found
that between the 2014 Edition and 2015 Edition the number of
participating developers and certified products decreased by 38.3% and
33.9%.
[[Page 1402]]
Table 5--Number of Developers and Products for the 2011 Edition, 2014 Edition, and 2015 Edition
----------------------------------------------------------------------------------------------------------------
2011 Edition 2014 Edition Change (%) 2015 Edition Change (%)
----------------------------------------------------------------------------------------------------------------
Participating Health IT Developers.... 1,017 792 -22.1 489 -38.3
Certified Products Available.......... 1,408 1,081 -23.2 714 -33.9
----------------------------------------------------------------------------------------------------------------
Note: Counts for 2015 Edition reflect all certificates through 2021. These counts include certificates that are
active and withdrawn.
We recognize that certification for 2015 Edition and 2015 Edition
Cures Update is ongoing and the number of health IT developers
certifying products to the 2015 Edition and 2015 Edition Cures Update
is subject to change. The figures for 2015 Edition in Table 5 reflect
certifications through 2021 to provide a fixed point for analysis. We
have found it prudent to use certification data that represent entire
calendar years, and not to use certification stats mid-year. Therefore,
2015 Edition counts do not account for all certificates as of the
publication of this rulemaking.
These figures give us insight into how participation in the Program
and certification for individual certification editions has changed
over time--the effect of both market and regulatory forces. Given
historical trends and the asymmetric costs faced by developers of
certified technology with large and small client bases, we must
consider the effect of certification requirements going into effect and
adopted in this rulemaking on future participation in the Program to
make our best estimates of the cost and benefits of this rulemaking.
Our estimates of health IT developers and certified products
specifically factor in a reduction in Program participation due to non-
conformance with the 2015 Edition Cures Update criterion,
``standardized API for patient and population services (``standardized
API criterion''). The criterion replaces the 2015 Edition criterion,
``application access--data category request'' (``data category request
criterion''). The data category request criterion required no content
and exchange standard, although ONC communicated its intent to support
a standard for future rulemaking and did encourage the use of the FHIR
standard to meet criterion requirements. The new standardized API
criterion does require FHIR as a content and exchange standard.
Products that certified the data category request criterion must
certify the standardized API criterion by December 31, 2022.
In the RIA for the ONC Cures Act Final Rule, we estimated that
certified API products that did not support FHIR and must do so to meet
regulatory requirements may face up to $1.9 million in development and
other labor and maintenance costs to develop this technology for the
first time (85 FR 25921). In 2018 \268\ and 2021 \269\ analyses, we
found that support for FHIR was not common among 2015 Edition certified
API products, although health IT market leaders predominantly supported
the standard and used it as the content and exchange standard for their
certified API technology. As of the end of 2021, our analysis of
certification data found that approximately 60% of certified API
developers did not support FHIR as part of their certified API
technology. Considering this variation in support for the standard
under the 2015 Edition and the costs faced by developers of certified
health IT to meet this requirement, we expect some attrition from the
Program.
---------------------------------------------------------------------------
\268\ https://www.healthit.gov/buzz-blog/interoperability/heat-wave-the-u-s-is-poised-to-catch-fhir-in-2019.
\269\ https://www.healthit.gov/buzz-blog/health-it/the-heat-is-on-us-caught-fhir-in-2019.
---------------------------------------------------------------------------
Our model assumes that 1 in 4 certified API developers that do not
currently support FHIR will not certify the standardized API criterion
and withdraw their certificates. This is based on available market data
and the historical trend of developers with small client bases to exit
the Program as program requirements and their costs increase. Our
estimates may change as health IT developers meet 2015 Edition Cures
Update requirements and developers certify the standardized API
criterion.
Table 6--Estimated Number of Developers and Products
------------------------------------------------------------------------
Estimated number of Estimated number
Scenario health IT developers of products
------------------------------------------------------------------------
All Products--End of 2021..... 414 569
All Products--Modeled 368 502
Attrition....................
------------------------------------------------------------------------
Note: End of 2021 counts reflect active products only.
At the end of 2021, 414 health IT developers certified 569 products
with active certificates for the 2015 Edition or 2015 Edition Cures
Update. This is a 15% decrease in the number of health IT developers
and a 20% decrease in 2015 Edition certified products, overall. Using
our model of certification for the standard API criterion, we estimate
an additional 11% decrease in the number of health IT developers and a
12% decrease in the number of certified products. For this RIA, we will
use 368 as the number of health IT developers and 502 as the number of
certified health IT products impacted by this rulemaking.
Number of End Users That Might Be Impacted by ONC's Finalized
Regulations
For the purpose of this analysis, the population of end users
impacted are the number of health care providers that possess certified
health IT. Due to data limitations, our analysis is based on the number
of hospitals and clinicians who participate in Medicare and who may be
required to use certified health IT to participate in various CMS
programs, inclusive of those providers who received incentive payments
to adopt certified health IT as part of the Medicare EHR Incentive
Program (now known as the Promoting Interoperability Program).
[[Page 1403]]
One limitation of this approach is that we are unable to account
for the impact of our provisions on users of health IT that were
ineligible or did not participate in the CMS EHR Incentive Programs or
current Medicare performance programs (e.g., Promoting Interoperability
and Advanced Payment Model (APM) programs). For example, in 2017, 78
percent of home health agencies and 66 percent of skilled nursing
facilities reported adopting an EHR (https://www.healthit.gov/data/data-briefs/electronic-health-record-adoption-and-interoperability-among-us-skilled-nursing). Nearly half of these facilities reported
engaging aspects of health information exchange. However, we are unable
to quantify, specifically the use of certified health IT products,
among these provider types.
Despite these limitations, these Medicare program participants
represent an adequate sample on which to base our estimates. An
analysis of the CMS Provider of Services file for Hospitals (https://data.cms.gov/provider-characteristics/hospitals-and-other-facilities/provider-of-services-file-hospital-non-hospital-facilities) and CMS
National Downloadable File of Doctors and Clinicians (https://data.cms.gov/provider-data/dataset/mj5m-pzi6) provides a current
accounting of Medicare-participating hospitals and practice locations.
In total, we estimated about 4,800 non-federal acute care hospitals
from the Provider of Services file and 1.25 million clinicians
(including doctors and advanced nurse practitioners) across over
350,000 practice locations. If we assume that 96% of these hospitals
and 80% of these practice locations use certified health IT, as survey
data estimate, approximately 4,600 hospitals and 283,000 practice
locations may face some passed-on costs from these requirements.
We understand there will likely not be a proportional impact of
these costs across all health care providers. We can assume a hospital
will face different costs than a physician practice, and no two
hospitals will face the same costs, as those costs may vary based upon
various characteristics, including but not limited to: staff size,
patient volume, and ownership. The same is true for individual clinical
practices, for which costs may vary across the same characteristics as
hospitals. However, given our limited data, our approach to model pass-
through costs onto health care providers assumes that hospitals face
the same average costs and that they face a higher average cost per
site than an individual clinical practice. Furthermore, we assume that
clinical practices face the same average costs and lower average costs
per site than the average hospital.
Based upon our prior modeling work for the ONC Cures Act Final Rule
(https://www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification), we assume that one-third of estimated costs
will be passed on to hospitals and the remaining amount on to clinician
practices. Table 7 shows an assumed distribution of the costs across
technology users. The cost to any one hospital or practice is small
compared to the cost as a whole. The average hospital user of certified
health IT could be expected to face up to $65,217 in average additional
costs associated with implementing technology that adopt these
policies. The average clinician practice site could be expected to face
up to $2,170 in average additional costs associated with implementing
technology that adopt these policies. These are considered pass-through
costs incurred by the health IT developer to adopt these policies and
not additional costs exogenous to health IT developer efforts to adopt
and engineer these policies into their certified health IT.
Table 7--Model of Cost Distribution Based on Estimated Number of Hospitals and Clinical Practices With Certified
Health IT
----------------------------------------------------------------------------------------------------------------
Est. $ per Total $ cost
Health care provider Est. count provider (m)
----------------------------------------------------------------------------------------------------------------
Hospitals....................................................... 4,600 65,217 300
Clinical Practices.............................................. 283,000 2,170 614
-----------------------------------------------
All......................................................... 287,600 3,178 914
----------------------------------------------------------------------------------------------------------------
These costs are not expected to be borne at once. Requirements from
this finalized rulemaking may be implemented over several years, so in
some cases an individual hospital or clinician's share of pass-through
costs from their health IT developer may be distributed over one or
more years. One issue to reiterate is that some of these costs may have
already been incorporated within existing contracts and thus it is
possible that the actual additional costs experienced by hospitals and
clinicians may be lower than what is estimated. We do not have insights
into proprietary contracts between EHR developers and their clients,
and thus cannot speculate the extent to which the estimated additional
costs will be passed on to their clients.
It's unknown if the estimated benefits will have the same
distribution. A single clinician may not benefit the same as a single
hospital, nor will one hospital benefit the same as another. However,
given the same constraints to model costs across different provider
types, we must assume a similar distribution for benefits as we propose
for costs.
General Comments on the RIA
Comments. Commenters were generally concerned with unmeasured costs
on entities beyond developers of certified health IT, including public
health authorities, health care providers, and patients, noting that
the proposed regulations have effects beyond developers of certified
health IT.
Response. We appreciate these comments and understand concerns
about the broader overall downstream impact of the proposed rulemaking
on entities beyond developers of certified health IT, which are
specifically regulated by ONC authorities. The impact analysis measures
the estimated costs for developers of certified health IT to meet the
proposed new Certification Program requirements--for example, to
develop or modify the technical functionality of their certified health
IT or adopt a new standard or standard version. These are the expected
direct costs of the proposals on developers of certified health IT.
However, we recognize that developers of certified health IT are
largely private businesses who operate in a competitive marketplace and
that they may not bear all costs to meet these requirements. We include
in the ``Costs and Benefits'' section of the Regulatory Impact Analysis
the estimated impact on certified health IT end users. In this case,
health care providers, such as
[[Page 1404]]
hospitals and clinicians. We believe these estimates provide a general,
but not necessarily comprehensive, understanding of the possible pass-
through costs borne by users of certified health IT.
Comments. Several commenters provided suggestions to broaden the
scope and depth of the regulatory impact analysis, with specific
recommendations to include patient-level measures.
Response. We appreciate commenters' thoughtful suggestions to build
upon the proposed regulatory impact analysis, however, we're confident
that the impact analysis provides the correct measurement of
quantifiable costs and benefits. Though patient-level impacts are
inherent to technology use, given the interconnectedness of healthcare,
we believe that patient impacts are more directly tied to the
implementation of the technology and not to its development and sale.
It is hard to predict the effect on patient outcomes of one unique
software technology from another, given that developers may choose to
differentiate their product offerings to provide choices and
competitive options to their customers. Furthermore, how the technology
end-user, here defined as the health care provider, chooses to use the
technology can affect outcomes for patient care, exogenous to the
requirements that must be met by the developers of certified health IT,
as part of Certification Program participation. Disentangling or
singling out differential impacts of how technology is used and how it
was designed or developed to be used is difficult to do and out of
scope for this impact analysis.
Comments. Several commenters expressed concerns about the total
costs measured and limited quantified benefits for this proposed
rulemaking and the broader impact of these costs on end-users, who must
adopt, learn, and use new versions of certified health IT.
Response. We understand commenters' concerns about the estimated
cost amounts for the proposed rulemaking and acknowledge the limited
quantifiable benefits for some of these proposals. The ONC Health IT
Certification Program, although voluntary, attracts participation from
hundreds of developers who certify hundreds of health IT products. The
impact analysis assesses the expected costs and benefits across all
these developers and products. The high rates of certified health IT
use further show the expansive market for health IT. In the ``Costs and
Benefits'' section of the Regulatory Impact Analysis, we estimate the
expected costs on certified health IT end-users, here defined as the
health care provider. When costs are distributed across these end
users, we see the expected average costs passed on to individual health
care providers. We recognize the hardships faced by health care
providers to finance technology upgrades and pay for new software
versions that incorporate the final rule's updates. We believe the
benefits from interoperability improvements, transparency, patient
access, and increased data sharing outweigh those costs.
``The ONC Certification Criteria for Health IT'' and Discontinuing Year
Themed ``Editions''
As discussed in section III.A of this preamble, we proposed to
rename Sec. 170.315 as the ``ONC Certification Criteria for Health
IT'' and replace all references throughout 45 CFR part 170 to the
``2015 Edition'' with this new description (this would impact
Sec. Sec. 170.102, 170.405, 170.406, 170.523, 170.524, and 170.550).
Costs
This policy is not intended to place additional burden on
developers of certified health IT and does not require new development
or implementation. We expect the costs associated with attesting to
these criteria to be de minimis because we do not expect any additional
effort on the part of health IT developers.
Benefits
Maintaining a single set of ``ONC Certification Criteria for Health
IT'' will create more stability for the health IT community and Program
partners and make it easier for developers of certified health IT to
maintain their product certificates over time. For example, when new
rules are released, unchanged certification criteria will remain
exactly as they are, rather than being placed in a new CFR section and
requiring health IT developers to seek an updated certificate
attributed to the new CFR section.
Comments. We received no comments on this impact analysis.
Response. We have finalized the impact analysis as proposed.
United States Core Data for Interoperability Version 3 (USCDI v3)
As discussed in section III.C.1 of this preamble, we have finalized
to update the USCDI standard in Sec. 170.213 by adding USCDI v3 and by
establishing an expiration date for USCDI v1 (July 2020 Errata) on
January 1, 2026, for purposes of the Program. We have finalized to add
USCDI v3 in Sec. 170.213(b) and incorporate it by reference in Sec.
170.299. We have finalized to codify the existing reference to USCDI v1
(July 2020 Errata) in Sec. 170.213(a). We have finalized that as of
January 1, 2026, any Health IT Modules seeking certification for
criteria referencing Sec. 170.213 would need to be capable of
exchanging the data classes and data elements that comprise USCDI v3.
Additionally, once the USCDI standard in Sec. 170.213 is updated to
include USCDI v3, we have finalized that in order for previously
certified Health IT Modules to maintain certification, health IT
developers would be required to update their certified Health IT
Modules to be capable of exchanging the data classes and data elements
that comprise USCDI v3 for all certification criteria referencing Sec.
170.213 by December 31, 2025. USCDI, via cross-reference to Sec.
170.213, is currently referenced in the following criteria, each of
which would refer to USCDI v1 and USCDI v3 until December 31, 2025 and
only to USCDI v3 thereafter:
``Care coordination--transitions of care--create'' (Sec.
170.315(b)(1)(iii)(A)(1)).
``Care coordination--clinical information reconciliation
and incorporation--reconciliation'' (Sec. 170.315(b)(2)(iii)(D)(1)
through (3));
``Patient engagement--view, download, and transmit to 3rd
party--view'' (Sec. 170.315(e)(1)(i)(A)(1)).
``Design and performance--consolidated CDA creation
performance'' (Sec. 170.315(g)(6)(i)(A)).
``Design and performance--application access--all data
request--functional requirements'' (Sec. 170.315(g)(9)(i)(A)(1)); and
``Design and performance--standardized API for patient and
population services--data response'' (Sec. 170.315(g)(10)(i)(A) and
(B)).
We note that Sec. 170.315(f)(5) also currently references Sec.
170.213. However, we have finalized to rely on specific implementation
guides for this certification criterion, rather than referencing Sec.
170.213. Health IT Modules certified to Sec. 170.315(f)(5) are no
longer required to support USCDI, as finalized by this rule.
Costs
The USCDI v3 adds five new data classes and 46 new data elements
that were not in USCDI v1. This will require updates to the
Consolidated Clinical Document Architecture (C-CDA) standard, the FHIR
US Core Implementation Guide, and updates to the criteria listed above.
We have estimated the cost to health IT developers to add support for
the additional data classes and data
[[Page 1405]]
elements in USCDI v3 in C-CDA, and to make the necessary updates to the
affected certification criteria. These estimates are detailed in Table
8 below and are based on the following assumptions:
1. Health IT developers will experience the assumed average costs
of labor and data model use. Table 8 shows the estimated labor costs
per product for a health IT developer to develop support for the
additional data elements and data classes in USCDI v3 for each affected
certification criteria. We recognize that health IT developer costs
will vary; however, our estimates in this section assume all health IT
developers will incur, on average, the costs noted in Table 8.
2. We estimate that 346 products certified by 269 developers will
be affected. These estimates are a subset of the total estimated health
IT developers and certified products we estimated above.
We estimate that, in total, 368 health IT developers will certify
502 health IT products impacted by this policy. However, not all these
developers and products certify USCDI applicable criteria and need to
meet the USCDI update requirements. As of the end of 2021, 73% of
developers and 69% of products certified to one of the USCDI applicable
criteria, listed above. We applied this modifier to our total developer
and product estimate as an overall estimate of the number of developers
and products impacted by the USCDI updates. In Table 9, we also applied
separate modifiers for individual criteria, calculated from an analysis
of certificates through 2021. This allows us to assess USCDI update
costs more accurately for individual criterion.
3. According to the May 2022 BLS occupational employment
statistics, the mean hourly wage for a ``Software Developer'' is
$63.91. As noted previously, we have assumed that other indirect costs
(including benefits) are equal to 100 percent of pre-tax wages, so the
hourly wage including other indirect costs is $127.82.
Table 8--Costs to Health IT Developers To Develop Support for the Additional USCDI Data Elements in Affected
Certification Criteria
----------------------------------------------------------------------------------------------------------------
Lower Upper
Tasks Details bound bound Remarks
hours hours
----------------------------------------------------------------------------------------------------------------
Update C-CDA creation.................. New development to support 1,800 3,600 (1) Lower bound assumes
USCDI v2 and v3 updates health IT product was
and changes to data voluntarily updated
classes and constituent through the ONC
data elements for C-CDA Standards Version
and C-CDA 2.1 Companion Advancement Process
Guide. (SVAP) and USCDIv2 data
elements are
incorporated in the
certified product. (2)
Upper bound assumes
certified product
conforms only to USCDIv1
and needs to be updated
to fully conform with
USCDIv3.
Sec. 170.315(b)(1)(iii)(A)(1) Care New development to support 200 600 Necessary updates to
coordination--Transitions of care-- USCDI v2 and v3 updates health IT to support the
Create. and changes to data new data classes and
classes and constituent data elements to meet
data elements for C-CDA the criteria
and C-CDA 2.1 Companion requirements.
Guide.
Sec. 170.315(b)(2)(iii)(D)(1) through New development to support 200 600 Necessary updates to
(3) Care coordination--Clinical USCDI v2 and v3 updates health IT to support the
information reconciliation and and changes to data new data classes and
incorporation--Reconciliation. classes and constituent data elements to meet
data elements for C-CDA the criteria
and C-CDA 2.1 Companion requirements.
Guide.
Sec. 170.315(e)(1)(i)(A)(1) Patient New development to support 200 600 Necessary updates to
engagement--View, download, and USCDI v2 and v3 updates health IT to support the
transmit to 3rd party--View. and changes to data new data classes and
classes and constituent data elements to meet
data elements for C-CDA the criteria
and C-CDA 2.1 Companion requirements.
Guide.
Sec. 170.315(g)(6)(i) Design and New development to support 200 600 Necessary updates to
performance--Consolidated CDA creation USCDI v2 and v3 updates health IT to support the
performance. and changes to data new data classes and
classes and constituent data elements to meet
data elements for C-CDA the criteria
and C-CDA 2.1 Companion requirements.
Guide.
Sec. 170.315(g)(9)(i)(A)(1) Design New development to support 200 600 Necessary updates to
and performance--Application access-- USCDI v2 and v3 updates health IT to support the
all data request--Functional and changes to data new data classes and
requirements. classes and constituent data elements to meet
data elements for C-CDA the criteria
and C-CDA 2.1 Companion requirements.
Guide.
Sec. 170.315(g)(10)(i)(A) and (B) New development to support 200 600 Necessary updates to
Design and performance--Standardized USCDI v2 and v3 updates health IT to support the
API for patient and population and changes to data new data classes and
services--Data response. classes and constituent data elements to meet
data elements for C-CDA the requirements.
and C-CDA 2.1 Companion
Guide.
----------------------------------------------------------------------------------------------------------------
Table 9--Total Cost To Develop Support for the Additional USCDI Data Elements in Affected Certification Criteria
[2022 Dollars]
----------------------------------------------------------------------------------------------------------------
Estimated Estimated cost
Tasks number of -------------------------------
products Lower bound Upper bound
----------------------------------------------------------------------------------------------------------------
Update C-CDA creation........................................... 346 $79,718,400 $159,436,800
Updates to Sec. 170.315(b)(1)................................. 281 7,193,600 21,580,800
Updates to Sec. 170.315(b)(2)................................. 261 6,681,600 20,044,800
Updates to Sec. 170.315(e)(1)................................. 246 6,297,600 18,892,800
Updates to Sec. 170.315(g)(6)................................. 341 8,729,600 26,188,800
Updates to Sec. 170.315(g)(9)................................. 276 7,065,600 21,196,800
Updates to Sec. 170.15(g)(10)................................. 276 7,065,600 21,196,800
-----------------------------------------------
[[Page 1406]]
Total Cost.................................................. 346 122,752,000 288,537,600
----------------------------------------------------------------------------------------------------------------
Notes: The number of estimated products that certify applicable criteria vary. We estimated separate modifiers
for each certification criterion to estimate the number of products impacted by the USCDI updates. Estimates
reflect the percent of all products that certify a criterion through 2021, except. Modifiers: (b)(1): 56%;
(b)(2): 52%; (e)(1): 49%; (g)(6): 68%; (g)(9): 55%. This estimate is subject to change.
The cost to a health IT developer to develop support for the
additional USCDI data classes and elements vary by the number of
applicable criteria certified for a Health IT Module. On average, the
cost to update C-CDA creation to support the additional USCDI data
elements range from $230,400 to $460,800 per product. The cost to make
updates to individual criteria to support the new data classes and
elements range from $25,600 to $76,800 per product. Therefore, assuming
346 products overall and a labor rate of $128 per hour, we estimate
that the total cost to all health IT developers will, on average, range
from $123 million to $289 million. This will be a one-time cost to
developers per product that is certified to the specified certification
criteria and will not be perpetual.
Benefits
We believe this policy will benefit health care providers,
patients, and the industry collectively. The USCDI comprises a core set
of structured and unstructured data needed to support patient care and
facilitate patient access to health information using health IT;
establishes a consistent baseline of harmonized data elements that can
be broadly reused across use cases, including those outside of patient
care and patient access; and will expand over time via a predictable,
transparent, and collaborative process, weighing both anticipated
benefits and industry-wide impacts. In Standards Bulletin 2022-2,\270\
we noted that based on these principles and the established
prioritization criteria, USCDI v3 contains data elements whose
collection and exchange promote equity, reduce disparities, and support
public health data interoperability as discussed in Standards Bulletin
2021-3,\271\ where we highlighted that the collection, access, use, and
reporting of SDOH as well as sexual orientation and gender identity
data can help identify and address differences in health equity and
improve health outcomes at an individual and population level. The
additional data elements in USCDI v3 expand the baseline set of data
available for health information exchange and thus provide more
comprehensive health data for both providers and patients. We expect
the resulting improvements to interoperable exchange of health
information to significantly benefit providers and patients and improve
the quality of healthcare provided. In addition, we believe the
increased availability of the additional data elements in USCDI v3 as
interoperable structured data will facilitate improvements in the
efficiency, accuracy, and timeliness of public health reporting,
quality measurement, health care operations, and clinical research.
However, we are not aware of an approach for quantifying these benefits
and welcomed comments on potential approaches to quantifying these
benefits.
---------------------------------------------------------------------------
\270\ https://www.healthit.gov/sites/default/files/page/2022-07/Standards_Bulletin_2022-2.pdf.
\271\ https://www.healthit.gov/sites/default/files/page/2021-07/Standards_Bulletin_2021-3.pdf.
---------------------------------------------------------------------------
Comments. We received no comments regarding the impact analysis for
required adoption of USCDI v3 by applicable developers of certified
health IT.
Response. The final impact analysis is consistent with the proposed
rulemaking. Cost estimates were updated to reflect wages of software
developers as of 2022.
Electronic Case Reporting
In section III.C.4 of this preamble, we discuss the finalized
updates to the 2015 Edition certification criterion for ``transmission
to public health agencies--electronic case reporting'' that would
require developers of certified health IT to adopt specific electronic
standards to support functional requirements that were previously
adopted as part of the Sec. 170.315(f)(5) certification criterion. We
have finalized as proposed that Health IT Modules certified to this
criterion must enable a user to: (i) create an electronic initial case
report (eICR) according to at least the Health Level Seven (HL7)
Clinical Document Architecture (CDA) eICR implementation guide (IG) or
the eICR profiles defined in the HL7 Fast Health Interoperability
Resources (FHIR) eCR IG and (ii) consume and process a reportability
response (RR) according to at least the HL7 CDA RR IG or the RR
profiles defined in the HL7 FHIR eCR IG. For the standards-based
requirements in Sec. 170.315(f)(5)(i) through (ii), we have finalized
as proposed that Health IT Modules support all ``mandatory'' and ``must
support'' data elements as applicable in the respective implementation
guides (IGs). We have also finalized as proposed that Health IT Modules
support the use of a version of the Reportable Conditions Trigger Code
(RCTC) value set in Sec. 170.315(f)(5)(1)(B) for determining potential
case reportability.
Costs
This section describes the estimated costs of meeting the
requirements in the updated ``transmission to public health agencies--
electronic case reporting'' criterion. The cost estimates are based on
the following assumptions:
Health IT developers will experience the assumed average
costs of labor and data model use. Tables 10-11 show the estimated
labor costs per product for a health IT developer to meet the
requirements in the eCR certification criterion. We recognize that
health IT developer costs will vary; however, our estimates in this
section assume all health IT developers will, on average, incur the
costs noted in the tables below.
The number of products that will update to the new eCR
criterion is estimated based on the total number of currently certified
products plus the number of new products we expect to certify to the
eCR criterion. Both estimates are adjusted for attrition. As of 2021,
54 developers certified 63 products to the eCR certification criterion
or 13% of developers and 11% of products. Beginning in 2022, CMS
[[Page 1407]]
required eligible hospitals and critical access hospitals in the
Medicare Promoting Interoperability Program and eligible clinicians
reporting on the Promoting Interoperability performance category in
MIPS to report on use of eCR as part of the Public Health and Clinical
Data Exchange Objective. The Electronic Case Reporting measure was
optional in prior program years. Due to this new program requirement,
we expect more Health IT Modules to certify the criterion in the coming
year(s). As a proxy for possible future certification of eCR, we used
the number of products that are currently certified to Sec.
170.315(f)(1) (transmission to immunization registries) to estimate
future certification of the eCR criterion. As of 2021, 31% of
developers and 28% of products certified to the immunization criterion,
but not the eCR certification criterion. We used these rates to
estimate future certification of the eCR criterion. We estimate that
368 developers will certify 502 products impacted by this rulemaking.
We estimate updates to the eCR certification criterion will impact 141
products certified by 114 developers for the first time (``New'') and
55 products already certified by 48 developers (``Current'') for an
estimated total of 196 products certified by 162 developers.
Wages are determined using BLS estimates. According to the
May 2022 BLS occupational employment statistics, the mean hourly wage
for a ``Software Developer'' is $63.91.\272\ We assume that other
indirect costs (including benefits) are equal to 100 percent of pre-tax
wages, so the hourly wage, including other indirect costs, is $127.82.
---------------------------------------------------------------------------
\272\ https://www.bls.gov/oes/current/oes151252.htm.
Table 10--Estimated Labor Hours To Meet eCR Certification Requirements--New Products
----------------------------------------------------------------------------------------------------------------
Estimated labor
hours
Activity Details ------------------ Remarks
Lower Upper
bound bound
----------------------------------------------------------------------------------------------------------------
Task 1: Case Report Creation........... (1) Enable a user to 1,000 1,500 (1) Lower bound assumes
create a case report for health IT product has
electronic transmission begun to implement at
according to (i) eICR least one of the two
profiles of HL7 FHIR eCR IGs.
IG, or (ii) HL7 CDA eICR (2) Upper bound assumes
IG; (2) Support RCTC health IT product does
value set. not support either IG or
has not begun to
implement.
Task 2: Case Report Response Receipt... Health IT Module must be 1,000 1,500 (1) Lower bound assumes
able to consume and health IT product has
process a reportability begun to implement at
response according to (1) least one of the two
RR profiles of HL7 FHIR IGs.
eCR IG, or (2) HL7 CDA RR (2) Upper bound assumes
IG. health IT product does
not support either IG or
has not begun to
implement.
Task 3: Support for Reporting.......... Health IT Module must be 0 160 (1) Lower bound assumes
able to report to a that health IT already
system capable of has the technical pre-
receiving case reports requisites for reporting
electronically. but is not yet connected
to platform or method to
enable reporting.
(2) Upper bound assumes
health IT does not have
technical pre-requisites
for reporting (e.g., no
support for electronic
connection and no
support for available
exchange methods).
----------------------------------------------------------------------------------------------------------------
Table 11--Estimated Labor Hours to Meet eCR Certification Requirements--Currently Certified Products
----------------------------------------------------------------------------------------------------------------
Estimated labor
hours
Activity Details ------------------ Remarks
Lower Upper
bound bound
----------------------------------------------------------------------------------------------------------------
Task 1: Case Report Creation........... (1) Enable a user to 0 1,000 (1) Lower bound assumes
create a case report for health IT product has
electronic transmission already implemented at
according to (i) eICR least one of the two
profiles of HL7 FHIR eCR IGs.
IG, or (ii) HL7 CDA eICR (2) Upper bound assumes
IG; (2) Support RCTC health IT product has
value set. begun to implement at
least one of the two
IGs.
Task 2: Case Report Response Receipt... Health IT Module must be 0 1,000 (1) Lower bound assumes
able to consume and health IT product has
process a reportability already implemented at
response according to (1) least one of the two
RR profiles of HL7 FHIR IGs.
eCR IG, or (2) HL7 CDA RR (2) Upper bound assumes
IG. health IT product has
begun to implement at
least one of the two
IGs.
Task 3: Support for Reporting.......... Health IT Module must be 0 160 (1) Lower bound assumes
able to report to a health IT already
system capable of supports at least one
receiving case reports reporting option, such
electronically. as to the AIMS platform,
state-based registries
or health information
exchanges.
(2) Upper bound assumes
health IT does not have
technical pre-requisites
for reporting (e.g., no
support for electronic
connection and no
support for available
exchange methods).
----------------------------------------------------------------------------------------------------------------
Total Costs, TC can be represented by the following equation:
[GRAPHIC] [TIFF OMITTED] TR09JA24.000
[[Page 1408]]
Number of currently certified products, pc = 55
Number of new certified products, pn = 141
Fully loaded wage, w = 127.82
Labor hours for IG implementation, hk, for each profile or IG, k
Labor hours for reporting, hr
Table 12--Example Calculation for the Lower Bound Estimated Cost to New Products To Perform Task 1 in Table 10
To Meet eCR Certification Requirements
----------------------------------------------------------------------------------------------------------------
Estimated
labor hours Projected
Activity ---------------- Developer salary products
Lower bound
----------------------------------------------------------------------------------------------------------------
Task 1...................................................... 1,000 hours $127.82 per hour 141 products
Example Calculation:
1,000 hours * $127.82 * 141 products = $18,022,620.
----------------------------------------------------------------------------------------------------------------
Table 13--Costs To Meet eCR Certification Requirements--New Products
------------------------------------------------------------------------
Estimated labor hours
Activity -------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Task 1 (141 products)................... $18,022,620 $27,033,930
Task 2 (141 products)................... 18,022,620 27,033,930
Task 3 (141 products)................... 0 2,883,619
-------------------------------
Total Cost.......................... 36,045,240 56,951,479
------------------------------------------------------------------------
Table 14--Costs To Meet eCR Certification Requirements--Currently
Certified Products
------------------------------------------------------------------------
Estimated cost
Activity -------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Task 1 (55 products).................... $0 $7,030,100
Task 2 (55 products).................... 0 7,030,100
Task 4 (55 products).................... 0 1,124,816
-------------------------------
Total Cost.......................... 0 15,185,016
------------------------------------------------------------------------
Table 15--Costs To Meet eCR Certification Requirements--All Products
------------------------------------------------------------------------
Estimated cost
Activity -------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Task 1 (196 products)................... $18,022,620 $34,064,030
Task 2 (196 products)................... 18,022,620 34,064,030
Task 3 (196 products)................... 0 4,008,435
-------------------------------
Total Cost.......................... 36,045,240 72,136,495
------------------------------------------------------------------------
Based on the stated assumptions and costs outlined in Tables 13-15,
the total estimated cost for certified health IT products to meet the
finalized eCR certification criterion requirements will range from $36
million to $72.1 million. Assuming 162 health IT developers, there will
be an average cost per developer ranging from $222,501 to $445,287,
with an average cost per product ranging from $255,640 to $403,911 for
new products and $0 to $276,091 for currently certified products.
Benefits
The primary benefit of adopting standards-based requirements for
the eCR certification criterion is to improve consistency and promote
interoperability over time. eCR is one of the pillars of ONC's and CMS'
broader efforts to support effective healthcare data interoperability,
which ensures that electronic health information is shared
appropriately between healthcare organizations and public health
agencies (PHAs) in the right format, through the right channel at the
right time.\273\ Adopting a standards-based approach to eCR facilitates
the exchange of health information between healthcare and public health
by requiring the use of a common format for the creation of case
reports and processing of a reportability response.
---------------------------------------------------------------------------
\273\ https://www.cdc.gov/datainteroperability/index.html.
---------------------------------------------------------------------------
Potential benefits of a centralized approach to eCR have been
assessed in an Association of State and Territorial Health Officials
(ASTHO)-sponsored economic analysis of the efficiencies gained at PHAs
by using centralized eCR services through the Association of Public
Health Laboratories (APHL) Informatics Messaging Services (AIMS)
platform, rather than using localized eCR solutions or manual, paper-
based methods.\274\ A key component of this service is the inclusion of
the CDC
[[Page 1409]]
supported Council of State and Territorial Epidemiologists' (CSTE)
developed decision support tool, Reportable Condition Knowledge
Management System (RCKMS), which helps determine whether initial case
reports are reportable in specific public health jurisdictions and
eliminates confusion regarding where reports should be
sent.275 276 According to the analysis, centralized eCR
components could provide, ``$2.5 million in increased efficiency per
jurisdiction over 15 years'' compared to manual reporting and
``$310,000 of net benefits over 15 years'' compared to localized eCR
solutions.\277\
---------------------------------------------------------------------------
\274\ https://www.aphl.org/programs/informatics/Pages/aims_platform.aspx.
\275\ CSTE Surveillance/Informatics: Reportable Conditions
Knowledge Management Systems. CSTE website. http://www.cste.org/group/RCKMS.
\276\ https://ecr.aimsplatform.org/cms/resources/blocks/digital-bridge-ecr-evaluation-report-12-32019.pdf.
\277\ Cooney MA, Iademarco MF, Huang M, MacKenzie WR, Davidson
AJ. The public health community platform, electronic case reporting,
and the digital bridge. Journal of Public Health Management and
Practice. 2018 Mar 1;24(2):185-9.
---------------------------------------------------------------------------
Benefits of eCR to the healthcare sector and public health that
will be promoted through standards adoption:
Automatic, complete, accurate data reported in real-time
(faster and more complete than manual entry) facilitates evidence-based
decision-making for public health.
Directly benefits public health response efforts by
supporting situational awareness, case management, contract tracing,
and efforts to coordinate isolation.
Helps improve public health efficiency for evaluation and
follow-up by providing PHAs with higher quality patient and clinical
data in a timely manner.
Reduces reporting burden for health care providers without
disrupting clinical workflow, which can result in time and cost savings
for the healthcare sector.
Fulfills legal reporting requirements as well as CMS PI
Program requirements for eCR, meaning benefits to public health would
not come at an additional cost to health care providers who are already
required to report.
Streamlines reporting to multiple jurisdictions.
Benefits of certification criterion update:
Adoption of standards for eCR will improve consistency and
interoperability over time.
Consistency in the reporting of specific data elements
will increase the efficiency of exchange (e.g., by facilitating
automated reporting, enabling RCKMS and PHA processing of eICRs and bi-
directional communication between providers and public health).
RCTC value set establishes a baseline for use in the
Program and enables developers of certified health IT to support newer
or updated versions of RCTC value sets as soon as new releases are
available.
Comments. We received no comments regarding the impact analysis for
updates to the electronic care reporting criterion.
Response. The final impact analysis is consistent with the proposed
rulemaking. Cost estimates were updated to reflect wages of software
developers as of 2022.
Decision Support Interventions and Predictive Models
In section III.C.5 of this preamble, we have finalized the proposed
new certification criterion for ``decisions support interventions'' in
Sec. 170.315(b)(11) with modifications, including more clearly
separating technical functionality and ongoing maintenance for
transparency purposes. The intent of this certification criterion is to
ensure the availability of sufficient information on decision support
interventions based on predictive models, including machine learning
and artificial intelligence, through a more comprehensive list of
source attributes and through the conduct and documentation of risk
management activities. That information is intended to enable the
selection and use of fair (i.e., unbiased), appropriate, valid, and
effective interventions. The certification criterion also would provide
additional transparency into evidence-based decision support
interventions by requiring that products allow decision support to be
enabled based on specific data classes.
Alternatives Considered
We considered several alternative regulatory approaches, but
believe this approach implies the lowest burden of available options
while having a high likelihood of impacting decision-making. Because we
seek to address a market failure related to inadequate and asymmetric
information, we proposed an informational intervention. The approach is
market-oriented and aimed at ensuring that model purchasers and users
have sufficient information to select and use models responsibly. We
believe that several alternative approaches, such as performance or
design standards would imply substantially higher regulatory burden and
are inappropriate given the ongoing research and development in this
area and uncertainty inherent in predictive model development.
Rather than mandatory reporting, we considered the potential for a
voluntary database to which model developers might report information
on the quality of their models. However, we are concerned that such a
database would achieve relatively low participation because of
disincentives for some developers to make the performance of their
models' public. We believe that the current approach in which we have
required reporting of a set of core source attributes that we strongly
believe should be available for all models (e.g., intended use) and
reporting of other attributes (e.g., external validation results) as
required if available but otherwise providing the option to clearly
label as missing, is a more effective balance between prescriptive
requirements and voluntary participation. Given the national
availability of many models, Federal regulation is beneficial to set a
common set of expectations across the national market.
Costs
This section describes the estimated costs of the ``Decision
Support Intervention'' certification criterion and associated
maintenance of certification requirements. The cost estimates are based
on the following assumptions:
Health IT developers will experience the assumed average
costs of labor and data model use. Table 16 shows the estimated labor
costs per product for a health IT developer to develop support for the
predictive decision support certification criterion. We recognize that
health IT developer costs will vary; however, our estimates in this
section assume all health IT developers will, on average, incur the
costs noted in Table 16.
The number of health IT developers and products certified
will closely align with certification of the 2015 Edition clinical
decision support (CDS) criterion. We estimate that 301 products
certified by 243 developers will be affected by our policy. These
estimates are a subset of the total estimated health IT developers and
certified products we estimated above. We estimate that, in total, 368
health IT developers will certify 502 health IT products impacted by
this rulemaking. However, we estimate that not all these developers and
products will certify the new Decision Support Intervention criterion.
As of the end of 2021, 66% of developers and 60% of products certified
to the CDS criterion. We assume that all products certified to the CDS
criterion will certify the new
[[Page 1410]]
Decision Support Intervention criterion. We, therefore, use
certification of the CDS criterion as a proxy for the percent of
developers and products that will certify the Decision Support
Intervention criterion in the future. We applied this modifier to our
total developer and product estimate as an overall estimate of the
number of developers and products that will certify this criterion and
be impacted by the costs of this new criterion.
Wages are determined using BLS estimates. According to the
May 2022 BLS occupational employment statistics, the mean hourly wage
for a ``Software Developer'' is $63.91.\278\ We assume that other
indirect costs (including benefits) are equal to 100 percent of pre-tax
wages, so the hourly wage, including other indirect costs, is $127.82.
---------------------------------------------------------------------------
\278\ https://www.bls.gov/oes/current/oes151252.htm.
---------------------------------------------------------------------------
We believe developers will expend substantial initial effort to
develop the technical capabilities to support the criterion and that
their effort will be varied depending on the extent, scope, and scale
necessary on their part to develop initial documentation related to
source attributes and intervention risk management as required as part
of their maintenance of certification to this certification criterion.
In this final rule, we require that developers maintain and keep
current information source attribute information for certain decision
support interventions. We also have finalized requirements for an
annual review of risk management information and documentation. We
believe that both requirements imply sustained annual effort, which we
have estimated in Table 16. However, we have constrained the scope of
responsibility for developers of certified health IT under this final
rule.
Table 16--Estimated Labor Hours To Develop and Maintain Updated Decision Support Functionality
----------------------------------------------------------------------------------------------------------------
Lower bound Upper bound
Activity hours hours Remarks
----------------------------------------------------------------------------------------------------------------
Task 1: Update decision support tools to 1,000 1,600 (1) Lower bound assumes health IT
enable interventions based on additional already has developed decision
data classes and enable selection of support modules that only need to
Predictive DSI. be updated for new data classes.
(2) Upper bound assumes further
data-structure related work is
necessary to facilitate CDS based
no additional classes.
Task 2: Enable end-users to provide 200 1,000 (1) Lower bound assumes that
feedback on evidence-based DSI. developers have already developed
feedback capabilities and will
need to make limited updates to
the reporting of that information.
(2) Upper bound assumes that
developer's current capability to
support feedback on decision
support needs to be significantly
enhanced to support enabling end-
users to provide effective
feedback and to create reports
from that feedback.
Task 3: Provide users the ability to 1,000 2,000 (1) Lower bound assumes that
record, change and access source attribute existing tools used to create
information. similar forms or documents can be
adapted to this purpose.
(2) Upper bound assumes a higher
burden due to more novel
development.
Task 4: Provide complete and up-to-date 0 annually 800 annually We expect a wide range of effort
source attribute information for based on the extent to which
Predictive DSI supplied by the developer. developers make DSI available in
the future, and whether they
author Predictive DSI s available.
For those that author Predictive
DSI in the future and, we believe
that evaluating and reporting
source attributes for those
Predictive DSI will imply
substantial costs.
Task 5: Additional effort to provide 0 1,600 We expect a wide range of effort
information for source attributes related based on the extent to which EHR
to Predictive DSI available as of December developers currently author
31, 2024. Predictive DSI s. For those that
do author predictive decision
supported interventions and do not
currently evaluate the models on
the attributes included, we
believe doing so will imply
substantial costs.
Task 6: Engage in risk management and 0 annually 285 annually We expect a wide range of effort
annually update risk management based on the extent to which EHR
information. developers currently author or
execute Predictive DSI s. The
total hours estimated to conduct
real world testing per developer
were 1,140 annually and that
accounted for numerous criteria
included as eligible for real
world testing. We believe that
conducting intervention risk
management for (b)(11), including
the provision of risk management
documentation, would require a
fraction of that time equivalent
to one quarter of the time for
real world testing.
Task 7: Additional initial engagement in 0 570 The total hours estimated to
risk management and updating risk conduct real world testing per
management information available as of developer were 1,140 annually and
December 31, 2024. that accounted for numerous
criteria included as eligible for
real world testing. We believe
that conducting initial
intervention risk management for,
including the provision of risk
management documentation, would
require time equivalent to about
one quarter of the time for real
world testing.
----------------------------------------------------------------------------------------------------------------
Table 17 provides the overall costs projecting that 301 products
will be certified to the criterion.
[[Page 1411]]
Table 17--Total Cost to Developers To Develop and Maintain Updated Decision Support Functionality
----------------------------------------------------------------------------------------------------------------
Estimated Total Cost (10 year) (assuming
software developer pay of $58.17 per hour
Projected software developers (bls.gov))
products -------------------------------------------------
Lower bound Upper bound
----------------------------------------------------------------------------------------------------------------
Task 1..................................... 301 $38,473,820 $61,558,112
Task 2..................................... 301 7,694,764 38,473,820
Task 3..................................... 301 38,473,820 76,947,640
Task 4..................................... 301 0 307,790,560
Task 5..................................... 301 0 61,558,112
Task 6..................................... 301 0 109,650,387
Task 7..................................... 301 0 21,930,077
--------------------------------------------------------------------
Total.................................. ................. 84,642,404 677,908,708
----------------------------------------------------------------------------------------------------------------
Benefits
Predictive DSIs are common, with some individual interventions
being applied to tens or hundreds of millions of individuals despite,
in some cases, crucial insufficiencies in the performance of those
models.\279\ However, there are a wide range of potential applications
of Predictive DSI, and we believe that the healthcare delivery field is
far from fully adopting these interventions in the circumstances where
they would be beneficial. Because Predictive DSIs are currently, and
potentially can be, applied to a wide range of contexts,
comprehensively estimating quantitative benefits from improved
interventions and underlying models is challenging, and for some types
of benefits infeasible. However, we have generated some quantitative
benefits related to the scope of potential cost savings and have
identified additional benefits, characterized qualitatively, to the
adopted certification criterion and its associated maintenance of
certification requirements.
---------------------------------------------------------------------------
\279\ Ziad Obermeyer, et al., Dissecting racial bias in an
algorithm used to manage the health of populations, 366 Science
(2019).
Andrew Wong, et al., External validation of a widely implemented
proprietary sepsis prediction model in hospitalized patients, 181
JAMA Internal Medicine (2021).
The Johns Hopkins ACG[supreg] System, available at https://www.johnshopkinssolutions.com/wp-content/uploads/2016/08/ACG-System-Brochure.pdf.
---------------------------------------------------------------------------
We believe that the most directly quantifiable benefits of the
adopted changes to predictive decision support relate to increased use
of more accurate and effective Predictive DSIs.\280\ We believe that
increased transparency into the performance of models and risk
management practices related to their development will result in (1)
wider uptake of Predictive DSIs overall due to greater certainty about
the intervention's performance, and (2) selection of fairer, more
appropriate, more accurate, more effective and safer models through
greater information on the available choices. However, we acknowledge
that there is substantial uncertainty in the degree to which the policy
will result in wider uptake and use of more effective interventions.
---------------------------------------------------------------------------
\280\ https://www.healthit.gov/buzz-blog/health-innovation/back-to-the-future-what-predictive-decision-support-can-learn-from-deloreans-and-the-big-short.
---------------------------------------------------------------------------
Given the sheer number of algorithms and applicable conditions and
uses, we have selected two relevant scenarios--sepsis onset and
ambulatory care sensitive admission--which have a fair amount of
supporting research, to show the potential benefits of our policy.
First, in patient populations in whom the risk of sepsis is moderate to
high, risk-assessments based on patient factors and characteristics
(i.e., data elements) are (or should be) made for implementing rapid
risk-based patient care. The potential impact of using Predictive DSIs
to more effectively conduct these risk-assessments can illustrate the
benefits. Admissions for sepsis cost $24 billion per year \281\ and
early detection of sepsis can lead to interventions that dramatically
reduce those costs. However, advanced Predictive DSIs for the
identification of sepsis are not widely used and instead older models,
such as Sequential Organ Failure Assessment (SOFA), are dominant.\282\
---------------------------------------------------------------------------
\281\ Epidemiology and Costs of Sepsis in the United States--An
Analysis Based on Timing of Diagnosis and Severity Level*--PMC
(nih.gov).
\282\ J-L Vincent, et al., The SOFA (Sepsis-related Organ
Failure Assessment) score to describe organ dysfunction/failure
(Springer-Verlag 1996).
---------------------------------------------------------------------------
Existing evidence indicates that more advanced predictive models
can provide substantial performance improvements over simpler, widely
used models.\283\ The potential benefits of more advanced models are
large. A prospectively evaluated sepsis Predictive DSI decreased in-
hospital mortality related to sepsis by 39.5%, decreased length of stay
by 32.3% and decreased readmission by 22.7% in one clinical trial.\284\
However, there is also substantial uncertainty about whether models
will offer that benefit when implemented on a broad scale. Performance
of the same model evaluated in that clinical trial was substantially
lower in a separate evaluation,\285\ and that difference may be
attributable to difference in performance in varied deployments and
locations.
---------------------------------------------------------------------------
\283\ As one example of a study demonstrating clear accuracy
improvements over widely used, simpler models see Ryan J Delahanty,
et al., Development and evaluation of a machine learning model for
the early identification of patients at risk for sepsis, 73 Annals
of Emergency Medicine (2019).
\284\ Burdick, Hoyt, et al. ``Effect of a sepsis prediction
algorithm on patient mortality, length of stay and readmission: a
prospective multicentre clinical outcomes evaluation of real-world
patient data from US hospitals.'' BMJ health & care informatics 27.1
(2020).
\285\ Topiwala, Raj, et al. ``Retrospective observational study
of the clinical performance characteristics of a machine learning
approach to early sepsis identification.'' Critical Care
Explorations 1.9 (2019).
---------------------------------------------------------------------------
Transparency has the potential to shed light on the variation in
performance across models and to drive uptake of higher performing
models. A systematic review of predictive models designed to detect
early onset of sepsis found that published evaluations demonstrated
sensitivities ranging from 64% to 98%.\286\ One sepsis model that was
recently widely adopted was found in subsequent validation to have
relatively poor performance with a sensitivity of 33%. This again
highlights
[[Page 1412]]
the potential value of greater information to evaluate these
models.\287\
---------------------------------------------------------------------------
\286\ Hassan, Nehal, et al. ``Preventing sepsis; how can
artificial intelligence inform the clinical decision-making process?
A systematic review.'' International Journal of Medical Informatics
150 (2021): 104457.
Makam, Anil N., Oanh K. Nguyen, and Andrew D. Auerbach.
``Diagnostic accuracy and effectiveness of automated electronic
sepsis alert systems: a systematic review.'' Journal of hospital
medicine 10.6 (2015): 396-402.
\287\ Wong, Andrew, et al. ``External validation of a widely
implemented proprietary sepsis prediction model in hospitalized
patients.'' JAMA Internal Medicine 181.8 (2021): 1065-1070.
---------------------------------------------------------------------------
Given the heterogeneity in the literature, it is challenging to
estimate the extent to which the availability of information that will
be facilitated by our policy will impact the average quality of
predictive models used or how that average quality will evolve over
time. Because models often perform less effectively in real-world
implementation than in test environments, we believe the likely impact
will be smaller than that implied by the literature but believe an
impact on the average sensitivity of models used of 5 percentage points
is reasonable. We note that in the cited systematic review, the median
sensitivity of included models was 81% so that our assumption is that
with the rule in place median sensitivity of available models will
increase by 5 percentage points to 86%. Based on cost savings indicated
in the available literature, we estimate that early detection of onset
will result in cost savings of 50% for the incrementally more commonly
detected patient event.
Beyond increases in the accuracy and effectiveness of models used,
it is also challenging to estimate the extent to which the adopted
certification criterion will result in increased use of more accurate
decision support interventions. Findings on other transparency related
public policies, such as nutrition labels, indicate that use of labels
can have substantial impacts on consumers choices.\288\ While these
findings indicate a likely increase in use of interventions from
transparency related policies, we believe it is difficult to transfer
these findings to the specific case of Predictive DSIs. We are assuming
that the policy will relate to application of improved models (with an
average increased sensitivity of 5%) by 2% a year beginning in the year
that requirements commenced.
---------------------------------------------------------------------------
\288\ For examples, see Joanne F Guthrie, et al., Who uses
nutrition labeling, and what effects does label use have on diet
quality? 27 Journal of Nutrition education (1995); Marian L
Neuhouser, et al., Use of food nutrition labels is associated with
lower fat intake, 99 Journal of the American dietetic Association
(1999).
---------------------------------------------------------------------------
Another example we wish to highlight along with sepsis is the use
of models to identify patients at risk for ambulatory care sensitive
conditions (ACSCs). Such conditions result in costs of $33.7 billion
(bn) per year.\289\ As in the sepsis example, there are several
existing predictive models, and they exhibit a wide range
accuracy.\290\ We therefore believe it is reasonable to apply the
estimates used in the prior example related to sepsis onset to estimate
potential benefits related to ambulatory care-sensitive admissions.
Given substantial differences in the sensitivity of models intended to
identify patients at risk of ambulatory care-sensitive admissions, we
believe this assumption is reasonable.\291\
---------------------------------------------------------------------------
\289\ https://www.hcup-us.ahrq.gov/reports/statbriefs/sb259-Potentially-Preventable-Hospitalizations-2017.jsp.
\290\ Emma Wallace, et al., Risk prediction models to predict
emergency hospital admission in community-dwelling adults: a
systematic review, 52 Medical Care (2014).
Seung Eun Yi, et al., Predicting hospitalisations related to
ambulatory care sensitive conditions with machine learning for
population health planning: derivation and validation cohort study,
12 BMJ Open (2022).
\291\ Garcia-Arce, Andres, Florentino Rico, and Jos[eacute] L.
Zayas-Castro. ``Comparison of machine learning algorithms for the
prediction of preventable hospital readmissions.'' The Journal for
Healthcare Quality (JHQ) 40.3 (2018): 129-138.
---------------------------------------------------------------------------
We estimate all benefits on a 10-year time horizon. Because
developers of certified health IT with Health IT Modules certified to
the existing certification criterion in Sec. 170.315(a)(9) are not
required to certify to the adopted criterion in Sec. 170.315(b)(11)
until 2024, we note that benefits would not commence until the third
year. We believe that period of time allows sufficient time for the
full impact of the policy to take effect, including developer
certification to the criterion, publication of risk management
information, and hospital resorting to improved predictive models. We
expect that the use of predictive models in healthcare will continue to
evolve well beyond that time horizon; however, given the dynamic and
uncertain nature of this area, we do not believe it would be
appropriate to provide estimates beyond that period.
We examined the sensitivity of our estimated benefits based on
uncertainty in the underlying rates. We varied two rates: the average
increase in the sensitivity of models used and the increased rate at
which more accurate models were used. Specifically, we recalculated
benefits with an assumed sensitivity increase of 2.5%, 5% or 10% (with
5% representing our primary estimate) and an assumed increase in
application of models of 1%, 2% and 3% (with 2% representing our
primary estimate). In these analyses, we estimated that the 10-year
undiscounted incremental impacts ranged from $259,650,000 to
$3,115,800,000. We also estimated the annualized benefits of the
incremental impacts using alternative modeling assumptions and present
them in Table 19.
Table 18--Select Benefits to Patients and Payers From Updated Decision Support Functionality
--------------------------------------------------------------------------------------------------------------------------------------------------------
Proportion of
Cost of admissions for Increased Assumed Incremental Incremental Incremental
Year impacts are incurred sepsis which more sensitivity costs saved impacts impacts (7% impacts (3%
admission sensitive model of models for impacted (undiscounted) * discount) discount)
(bn) used used admissions
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.............................. .......... ............... ........... ............ .................. $0.00 $0.00
2.............................. .......... ............... ........... ............ .................. 0.00 0.00
3.............................. $24 0.02 0.05 0.5 $12,000,000 9,795,575 10,981,670
4.............................. 24 0.04 0.05 0.5 24,000,000 18,309,485 21,323,689
5.............................. 24 0.06 0.05 0.5 36,000,000 25,667,502 31,053,916
6.............................. 24 0.08 0.05 0.5 48,000,000 31,984,427 40,199,244
7.............................. 24 0.1 0.05 0.5 60,000,000 37,364,985 48,785,491
8.............................. 24 0.12 0.05 0.5 72,000,000 41,904,656 56,837,465
9.............................. 24 0.14 0.05 0.5 84,000,000 45,690,434 64,379,006
10............................. 24 0.16 0.05 0.5 96,000,000 48,801,532 71,433,016
------------------------------------------------------------------------------------------------------------------------
Total...................... .......... ............... ........... ............ 432,000,000.00 259,518,595 344,993,527 PV
.......... ............... ........... ............ .................. 36,949,610 40,443,766 Ann
--------------------------------------------------------------------------------------------------------------------------------------------------------
[[Page 1413]]
Cost of Proportion of
ambulatory admissions for Increased Assumed Incremental Incremental Incremental
Year impacts are incurred sensitive which more sensitivity costs saved impacts impacts (7% impacts (3%
admission sensitive model of models for impacted (undiscounted) * discount) discount)
(bn) used used admissions
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.............................. .......... ............... ........... ............ .................. .............. ...............
2.............................. .......... ............... ........... ............ .................. .............. ...............
3.............................. $33.7 0.02 0.05 0.5 $16,850,000 $13,754,619 $15,420,136
4.............................. 33.7 0.04 0.05 0.5 33,700,000 25,709,569 29,942,014
5.............................. 33.7 0.06 0.05 0.5 50,550,000 36,041,451 43,604,874
6.............................. 33.7 0.08 0.05 0.5 67,400,000 44,911,466 56,446,439
7.............................. 33.7 0.1 0.05 0.5 84,250,000 52,466,666 68,502,960
8.............................. 33.7 0.12 0.05 0.5 101,100,000 58,841,120 79,809,274
9.............................. 33.7 0.14 0.05 0.5 117,950,000 64,156,985 90,398,854
10............................. 33.7 0.16 0.05 0.5 134,800,000 68,525,485 100,303,860
------------------------------------------------------------------------------------------------------------------------
Total...................... .......... ............... ........... ............ 606,600,000 364,407,361 484,428,410 PV
.......... ............... ........... ............ .................. 51,883,410 56,789,788 Ann
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 19--Select Benefits From Updated Decision Support Functionality Under Alternative Assumptions, $ Millions,
Annualized, 3% Discount Rate
----------------------------------------------------------------------------------------------------------------
Impact on model sensitivity
Impact on annual model application (%) -----------------------------------------------
2.50% 5% 10%
----------------------------------------------------------------------------------------------------------------
1............................................................... $24.3 $48.6 $97.2
2............................................................... 48.6 97.2 194.5
3............................................................... 72.9 145.9 291.7
----------------------------------------------------------------------------------------------------------------
We have highlighted one condition and one event that will benefit
from the more widespread use of more accurate predictive models under
this final rule. There are numerous other conditions and events in
which increased sensitivity could offer substantial cost savings.
However, given uncertainty in the estimates around the included
estimates, and important differences across various conditions and the
extent to which Predictive DSIs might impact care, we are not confident
that the assumptions generated here are transferable to other contexts.
In addition to benefits associated with more sensitive models, we
believe that there are numerous other potential benefits related to the
more widespread use of more accurate predictive decision support.
However, many of the benefits associated with greater accuracy,
specific models, such as reduced inappropriate treatment or reduced
burdens on providers, are difficult to quantify and have to date been
targeted by fewer predictive models. For salient examples, we note that
false-positives for screening for with $4 billion per year and that
more specific interventions could reduce the rates of false-
positives.\292\ We further note that provider burnout and fatigue are
important and costly issues, we believe these benefits may be
large.\293\ However, since we are aware of fewer estimates around the
potential impact of Predictive DSIs to address these issues, we have
not attempted to quantify the potential benefits associated with their
use.
---------------------------------------------------------------------------
\292\ Ong, Mei-Sing, and Kenneth D. Mandl. ``National
expenditure for false-positive mammograms and breast cancer
overdiagnoses estimated at $4 billion a year.'' Health affairs 34.4
(2015): 576-583.
\293\ Gregory, Megan E., Elise Russo, and Hardeep Singh.
``Electronic health record alert-related workload as a predictor of
burnout in primary care providers.'' Applied clinical informatics
8.03 (2017): 686-697.
---------------------------------------------------------------------------
Beyond the benefits associated with greater use of accurate models,
we believe there will be several important benefits associated with the
adopted transparency requirements. We believe that increased
transparency into the intended use of models will increase the
appropriate use of models. There is concern that models will be applied
to populations, contexts, and decisions for which they are not well-
suited to provide accurate information.\294\ A transparent display of
the intended use and what is out of scope could reduce the occurrence
of treatment decisions resulting in harm. However, we are not aware of
efforts to quantify harm from misapplied models today.
---------------------------------------------------------------------------
\294\ Richard Rib[oacute]n Fletcher, et al., Addressing
fairness, bias, and appropriate use of artificial intelligence and
machine learning in global health, 3 Frontiers in Artificial
Intelligence (2021).
---------------------------------------------------------------------------
We believe increased transparency into models and practices will
result in the selection and use of fairer models. Biased models, for
instance, exhibit higher sensitivity or specificity for some groups
than others and are likely to deprioritize treatment for certain
groups. They are also likely to recommend inappropriate treatment for
certain groups resulting in limited benefit and potential harm to those
certain groups relative to those for whom models the perform well.
Reliance on biased models, particularly those used in the context of
preventive care or early identification of a disease, could result in
greater costs for groups in which the model performs poorly compared to
developing a fairer model or not using the model altogether. Greater
transparency into the fairness of models will enable users to select
fairer models and reward producers of fairer models. This will lead to
the selection of models that further, opposed to hinder, the equitable
delivery of healthcare to groups that have been marginalized. We
requested comment on the feasibility of quantifying benefits associated
with increased model fairness, which may be identifiable through the
increased benefits to groups that have been marginalized.
We believe that increased transparency will lead to an effective
market for predictive models that adequately incentivizes and rewards
high-quality models. Currently, model developers have an information
advantage relative to consumers, and consumers of models act under
considerable uncertainty regarding the quality of the product they are
acquiring. This market dynamic can lead to harmful choices by consumers
and inadequate reward for high quality developers, potentially leading
to a
[[Page 1414]]
feedback loop through adverse selection that encourages market exit by
high quality, high-cost model developers. However, adequately
characterizing the benefits of a higher information market to the
overall quality of models developed and sold is not feasible.
Comments. We received no comments on this analysis.
Response. The final impact analysis was updated to include the
expected annual costs for applicable developers of certified health IT
to meet annual documentation requirements. Cost estimates were also
updated to reflect wages of software developers as of 2022.
Synchronized Clocks Standard
In section III.C.6 of this preamble, we discuss the proposed
removal of the current named specification for clock synchronization,
which is Network Time Protocol (NTP v4 of RFC 5905), in 45 CFR
170.210(g). However, we proposed to maintain an expectation that Health
IT Modules certified to applicable certification criteria continue to
utilize any network time protocol (NTP) standard that can ensure a
system clock has been synchronized and meets the time accuracy
requirements as defined in the applicable certification criteria in
Sec. 170.315(d)(2), (3), (10), and (e)(1).
Costs
This policy is not intended to place additional burden on health IT
developers as it does not require new development or implementation.
Rather, a health IT developer's costs will be de minimis because we are
providing flexibility to allow health IT developers to use any NTP
standard that exists. We welcomed comments on these expectations.
Benefits
We believe leveraging existing NTP standards and not requiring a
specific standard allows for more flexibility. We have heard from
health IT developers that the current required functionality is in
place but not fully used. This policy allows for additional flexibility
to meet the time accuracy requirements as defined in applicable
certification criteria. For example, under this policy, Microsoft-based
certified health IT using Operating System to synchronize network time,
may use Microsoft's version of Network Time Protocol (MS NTP) as an
alternative to Network Time Protocol Version 4 (NTP v4) of RFC 5905 as
specified in Sec. 170.210(g), and must meet the time accuracy
requirement as defined in the certification criteria. We welcomed
comments regarding potential approaches for quantifying these benefits.
Comments. We received no comments on this section of the analysis.
Response. We have finalized the impact analysis as proposed for
this section.
Standardized API for Patient and Population Services
As discussed in section III.C.7 of this preamble, we have finalized
as proposed, to update the certification criterion, ``standardized API
for patient and population services,'' to align with updated standards
and new requirements. We have finalized as proposed, to adopt the SMART
App Launch Implementation Guide Release 2.0.0 in Sec. 170.215(c)(2),
which would replace SMART Application Launch Framework Implementation
Guide Release 1.0.0 in Sec. 170.215(a)(3) (finalized in this rule in
Sec. 170.215(c)(1)).
We also have finalized as proposed, to revise the requirement in
Sec. 170.315(g)(10)(vi) to specify that Health IT Modules presented
for certification that allow short-lived access tokens to expire, in
lieu of immediate access token revocation, must be able to revoke an
authorized application's access at a patient's direction within one
hour of the request.
Additionally, we have finalized to amend the API Condition and
Maintenance of Certification requirements by adding the requirement
that Certified API Developers with patient-facing APIs must publish
their service base URLs for all customers, regardless of whether the
certified Health IT Modules are centrally managed by the Certified API
Developer or locally deployed by an API Information Source. We have
finalized that these service base URLs must conform to a specific data
format.
Finally, we have also adopted the FHIR US Core Implementation Guide
STU version 6.1.0 in Sec. 170.215(b)(1)(ii). Health IT systems that
adopt this version of the US Core IG can provide the latest consensus-
based capabilities for providing access to USCDI v3 data classes and
elements using a FHIR API.
Costs
We have estimated the cost to health IT developers to make these
updates. These estimates are detailed in Table 20 below and are based
on the following assumptions:
1. Health IT developers will experience the assumed average costs
of labor and data model use. Table 20 shows the estimated labor costs
per product for a health IT developer to implement these updates to the
criterion. We recognize that health IT developer costs will vary;
however, our estimates in this section assume all health IT developers
will on average, incur the costs noted in Table 20.
2.We estimate that 276 products certified by 228 developers will be
affected by our policies. These estimates are a subset of the total
estimated health IT developers and certified products we estimated
above. We estimate that in total, 368 health IT developers will certify
502 health IT products impacted by this rulemaking. However, not all
these developers and products will certify the Standardized API
criterion and need to meet these adopted requirements. As of the end of
2021, 62% of developers and 55% of products certified the ``application
access--data category request'' criterion. By December 31, 2022, all
products that certify this criterion must certify the new standardized
API criterion. We, therefore, use current certification of the data
category request criterion as a proxy for the percent of developers and
products certified to the standardized API criterion in the future. We
applied this modifier to our total developer and product estimate as an
overall estimate of the number of developers and products impacted by
these updates to the standardized API criterion.
3. Wages are determined using BLS estimates. According to the May
2022 BLS occupational employment statistics, the mean hourly wage for a
``Software Developer'' is $63.91. As noted previously, we have assumed
that other indirect costs (including benefits) are equal to 100 percent
of pre-tax wages, so the hourly wage including other indirect costs is
$128.
[[Page 1415]]
Table 20--Estimated Labor Hours To Update Standardized API for Patient and Population Services
----------------------------------------------------------------------------------------------------------------
Lower Upper
Task Details bound bound Remarks
hours hours
----------------------------------------------------------------------------------------------------------------
Task 1: Implementation to the FHIR US Implement FHIR US Core IG 500 1,000 (1) Lower bound assumes
Core IG 6.1.0 (per product). v6.1.0 to update API to health IT product
conform to US Core voluntarily updated to
v6.1.0, which adopts the USCDIv3 through SVAP.
USCDIv3 data classes and (2) Upper bound assumes
elements. health IT product only
supports USCDIv1 and
needs to update API to
support resources
aligned with data
elements in USCDIv3.
Task 2: Service-base URL Publication (1) Publish service-base 250 1,000 (1) Lower bound assumes
(per developer). URL in FHIR Endpoint API Technology Supplier
resource format (2) met the ONC Cures Act
Publish API Information Final Rule service-base
Source organization URL maintenance of
information in certification
Organization resource requirement and
format (3) Make both published endpoint and
available as FHIR bundle. organization data in
these standard formats.
(2) Upper bound assumes
API Technology Supplier
met the Cures Final Rule
service-base URL
maintenance of
certification
requirement but did not
publish in the standard
format.
Task 3: Develop support of 60-minute Develop support for 50 100 (1) Lower bound assumes
access revocation (per product). patients to revoke access developer needs to
to authorized app and for modify current
revocation to be revocation process and
fulfilled by server not rebuild is
within 60 minutes of necessary. (2) Upper
request. bound assumes revocation
process exists, as
required by ONC Cures
Act Final Rule, but
needs to be reprogrammed
to accommodate new
revocation step.
Task 4: Update security via SMART App Update API from SMART App 500 1,000 (1) Lower bound assumes
Launch Framework to IG 2.0 (per Launch Framework IG 1.0 update to SMART App
product). to IG 2.0. Launch Framework IG 2.0
underway. (2) Upper
bound assumes update to
Framework IG 2.0 not
underway.
----------------------------------------------------------------------------------------------------------------
Table 21--Example Calculation for the Lower Bound Estimated Cost to Products To Perform Task 1 in Table 20 To
Update API
[2022 Dollars]
----------------------------------------------------------------------------------------------------------------
Estimated labor
hours Developer Projected
Activity ----------------- salary (per products
Lower bound hour)
----------------------------------------------------------------------------------------------------------------
Task 1....................................................... 500 $128 276
Example calculation: 500 * $128 * 276 products = $17,664,000.
----------------------------------------------------------------------------------------------------------------
Table 22--Total Cost To Update Standardized API for Patient and
Population Services
[2022 Dollars]
------------------------------------------------------------------------
Estimated cost
Activity -------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Task 1 (276 products)................... $17,664,000 $35,328,000
Task 2 (228 developers)................. 7,296,000 29,184,000
Task 3 (276 products)................... 1,766,400 3,532,800
Task 4 (276 products)................... 17,664,000 35,328,000
-------------------------------
Total (276 products and 228 44,390,400 103,372,800
developers)........................
------------------------------------------------------------------------
The cost to a health IT developer to update the standardized API
criterion for their certified Health IT Modules will range from
$166,000 to $397,000 per product, on average. Therefore, assuming 276
products overall and a labor rate of $128 per hour, we estimate that
the total cost to all health IT developers will on average, range from
$44 million to $103 million. This will be a one-time cost to developers
per product that is certified to the specified certification criterion
and will not be perpetual.
Benefits
We believe these policies will benefit health care providers,
patients, and the industry. The adoption of the FHIR US Core IG v6.1.0
will, with the additional data elements in USCDI v3, expand the
baseline set of data available and
[[Page 1416]]
provide more comprehensive health data for both providers and patients.
Updates to the SMART App Launch Framework IG 2.0 will align the
certified API functionality with current adopted standards-based
methods to connect patients' health information to the app of their
choice. Furthermore, updated requirements to the service-base URL
publication API maintenance of certification requirement will provide a
standard format for all published FHIR endpoints to be securely
discovered and consumed by authorized applications. The standard
publication format will reduce the burden on patients, app developers,
and other third parties to find and connect to the appropriate FHIR
endpoint to initiate data access. This will directly benefit the speed
and efficiency of making these connections and reduce the level of
effort on third parties to access and use these standards-based APIs.
We expect the resulting improvements to interoperable exchange of
health information to significantly benefit providers and patients and
improve the quality of healthcare provided. In the ONC Cures Act Final
Rule (85 FR 25925), we estimated the total annual benefit of APIs on
average, to range from $0.34 billion to $1.43 billion. These updates to
the criterion ensure the benefits of APIs are maintained and the annual
benefit due to improved health outcomes and patients having access to
their online medical record is realized.
As described previously, there are additional potential future
benefits to the expanded availability of an interoperable API for
patient and population services that are not quantifiable at this time.
For some use cases, there is a clear indication of future technical
direction, but currently there is insufficient implementation to
clearly quantify the scope. For example, CMS has identified an intent
to leverage APIs for population services in order to modernize quality
measurement and quality reporting under value-based payment
programs.\295\ In 2016, a report found that quality measurement
reporting bears an estimate $15.4 billion cost on clinicians for chart
abstraction, data validation, and measure reporting.\296\ The potential
future use of FHIR-based APIs for quality measurement could provide
greater ability to implement real time data for quality purposes and
drastically reduce the costs of manual quality reporting workflows. We
sought comment on potential means to estimate these benefits and future
cost savings.
---------------------------------------------------------------------------
\295\ CMS Digital Quality Roadmap, March 2022: https://ecqi.healthit.gov/sites/default/files/CMSdQMStrategicRoadmap_032822.pdf.
\296\ Health Aff (Millwood), March 2016. US Physician Practices
Spend More Than $15.4 Billion Annually To Report Quality Measures.
https://pubmed.ncbi.nlm.nih.gov/26953292/.
---------------------------------------------------------------------------
Comments. We received no comments related to this impact analysis
of updates to the standardized API criterion.
Response. The final impact analysis is consistent with the proposed
rulemaking. Cost estimates were updated to reflect wages of software
developers as of 2022.
Patient Demographics and Observations Certification Criterion
As discussed in section III.C.8 of this preamble, we have finalized
as proposed to rename the ``demographics'' certification criterion
(Sec. 170.315(a)(5)) to ``patient demographics and observations.'' We
have finalized as proposed to add the data elements ``Sex Parameter for
Clinical Use'' in Sec. 170.315(a)(5)(i)(F), ``Name to Use'' in Sec.
170.315(a)(5)(i)(G), and ``Pronouns'' in Sec. 170.315(a)(5)(i)(H) to
the ``Patient demographics and observations'' certification criterion
(Sec. 170.315(a)(5)). Additionally, we have finalized as proposed to
replace the terminology standards specified for ``Sex'' in Sec.
170.315(a)(5)(i)(C), ``Sexual Orientation'' in Sec.
170.315(a)(5)(i)(D), and ``Gender Identity'' in Sec.
170.315(a)(5)(i)(E). As such, ONC has finalized as proposed to remove
the fixed list of terms for ``Sex'' in Sec. 170.315(a)(5)(i)(C),
``Sexual Orientation'' in Sec. 170.315(a)(5)(i)(D), and ``Gender
Identity'' in Sec. 170.315(a)(5)(i)(E) which are represented by SNOMED
CT and HL7[supreg] Value Sets for AdministrativeGender and NullFlavor
in Sec. 170.207(o)(1) and (2)), and replace it with the SNOMED CT code
sets specified in Sec. 170.207(n)(2) and (o)(3).
The proposed modifications to the ``patient demographics and
observations'' criterion will provide greater clarity and
standardization to how a patient's sexual orientation and gender
identity are recorded electronically in the electronic health record.
The USCDI v3 standard includes new data elements for Sexual Orientation
and Gender Identity. These data elements are required to be included as
part of a patient's electronic health information and included in any
record shared with the patient, the patient's caregiver, or health care
provider.
Costs
The adopted modifications to the ``patient demographics and
observations'' criterion include 6 tasks: (1) Modify Sex, (2) Modify
Sexual Orientation, (3) Modify Gender Identity, (4) Add Sex Parameter
for Clinical Use, (5) Add Pronouns, and (6) Add Name to Use. These
tasks have their own level of effort, and these estimates are detailed
in Table 23 below and are based on the following assumptions:
1. Health IT developers will use the same labor costs and data
models. Table 23 shows the estimated labor costs per product to modify
the ``patient demographics and observations'' criterion. We recognize
that health IT developer costs will vary; however, our estimates in
this section assume all health IT developers will incur the costs noted
in Table 23.
2. We estimate that 321 products certified by 261 developers will
be affected by our policy. These estimates are a subset of the total
estimated health IT developers and certified products we estimated
above.
The estimate of 321 products certified by 261 developers is derived
as follows. We estimate that, in total, 368 health IT developers would
certify 502 health IT products impacted by this rulemaking. However,
not all these developers and products certify the ``patient
demographics and observations'' criterion and need to meet the adopted
requirements. As of the end of 2021, 71% of developers and 64% of
products certified to the criterion. We applied this modifier to our
total developer and product estimate as an overall estimate of the
number of developers and products impacted by the modifications to the
criterion.
3. According to the May 2022 BLS occupational employment
statistics, the mean hourly wage for a ``Software Developer'' is
$63.91. As noted previously, we have assumed that other indirect costs
(including benefits) are equal to 100 percent of pre-tax wages, so the
hourly wage including other indirect costs is $128.
[[Page 1417]]
Table 23--Estimated Labor Hours To Modify Sec. 170.315(a)(5) Demographics Criterion
----------------------------------------------------------------------------------------------------------------
Lower bound Upper bound
Task Details hours hours
----------------------------------------------------------------------------------------------------------------
Task 1: Modify Sex [Sec. 170.315(a)(5)(i)(C)]. Value set for Sex removed and now 0 40
references SNOMED CT.
Task 2: Modify Sexual Orientation [Sec. Value set for Sexual Orientation 0 40
170.315(a)(5)(i)(D)]. removed and now references SNOMED
CT.
Task 3: Modify Gender Identity [Sec. Value set for Gender Identity 0 40
170.315(a)(5)(i)(E)]. removed and now references SNOMED
CT.
Task 4: Add Sex Parameter for Clinical Use [Sec. Add ``Sex Parameter for Clinical 240 580
170.315(a)(5)(i)(F)]. Use'' using LOINC.
Task 5: Add Pronouns [Sec. Add ``Pronouns'' using LOINC...... 240 580
170.315(a)(5)(i)(H)].
Task 6: Add Name to Use [Sec. Add ``Name to Use'' as a kind of 240 580
170.315(a)(5)(i)(G)]. name field.
----------------------------------------------------------------------------------------------------------------
Table 24--Example Calculation for the Lower Bound Estimated Cost to Products To Perform Task 1 in Table 23 To
Modify Demographics
[2022 dollars]
----------------------------------------------------------------------------------------------------------------
Estimated labor
hours Developer salary Projected
Activity ----------------- (per hour) products
Lower bound
----------------------------------------------------------------------------------------------------------------
Task 1................................................... 200 $128 321
Example calculation: 200 * $116 * 321 products =
$7,447,200.
----------------------------------------------------------------------------------------------------------------
Table 25--Total Cost To Modify Demographics
[2022 dollars]
------------------------------------------------------------------------
Estimated cost
Activity -------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Task 1 (321 products)................... $0 $1,643,520
Task 2 (321 products)................... 0 1,643,520
Task 3 (321 products)................... 0 1,643,520
Task 4 (321 products)................... 9,861,120 23,831,040
Task 5 (321 products)................... 9,861,120 23,831,040
Task 6 (321 products)................... 9,861,120 23,831,040
-------------------------------
Total (321 products and 261 29,583,360 76,423,680
developers)........................
------------------------------------------------------------------------
The cost to a health IT developer to make the modifications to the
``patient demographics and observations'' criterion for their certified
Health IT Modules will range from $92,160 to $238,080 per product, on
average. Therefore, assuming 321 products overall and a labor rate of
$128 per hour, we estimate that the total cost to all health IT
developers will, on average, range from $30 million to $76 million.
This will be a one-time cost to developers per product that is
certified to the specified certification criterion.
Benefits
Improved recording of sexual orientation and gender identity in the
medical record has multiple benefits. This has clinical benefits for
patients in the immediate term as information related to gender
identity and sexual orientation is critical for informing treatment.
Additionally, advances in treatment may result from researchers having
more reliable and accurate sexual orientation and gender identity data
available. Not only will this benefit clinical care teams who are
treating patients within a particular clinical setting, this will
improve the interoperability of this data when shared electronically
with the patient or the patient's authorized representative through the
technology of their choosing or when shared electronically with a third
party elected by the patient, such as an application developer, health
care provider, or other entity.
The benefits of these modifications are not quantifiable at this
time, but we expect the resulting improvements to interoperable
exchange of health information to significantly benefit providers and
patients and improve the quality of healthcare provided. Furthermore,
having a patient's information recorded uniformly and available across
their medical records would improve the patient's access to their
information and ensure the information is available uniformly across
technologies.
Comments. We received no comments specific to this update to the
``demographics'' criterion.
Response. The final impact analysis is consistent with the proposed
rulemaking. Cost estimates were updated to reflect wages of software
developers as of 2022.
Updates to Transitions of Care Certification Criterion in Sec.
170.315(b)(1)
As discussed in section III.C.9 of this preamble, we proposed to
modify the ``transitions of care'' certification criterion in Sec.
170.315(b)(1). We proposed to replace the fixed value set for the USCDI
data element Sex and instead enable health IT developers to represent
sex with the standard adopted in Sec. 170.207(n)(1) for the time-
period up to and including December 31, 2025; or Sec. 170.207(n)(2).
[[Page 1418]]
Costs
1. Health IT developers will use the same labor costs and data
models. Table 26 shows the estimated labor costs per product to modify
the transitions of care criterion. We recognize that health IT
developer costs will vary; however, our estimates in this section
assume all health IT developers will incur the costs noted in Table 26.
2. We estimate that 281 products certified by 236 developers will
be affected by our policy. These estimates are a subset of the total
estimated health IT developers and certified products we estimated
above.
The estimate of 281 products certified by 236 developers is derived
as follows. We estimate that, in total, 368 health IT developers will
certify 502 health IT products impacted by this rulemaking. However,
not all these developers and products certify the transitions of care
criterion and need to meet the adopted requirements. As of the end of
2021, 64% of developers and 56% of products certified to the
transitions of care criterion. We applied this modifier to our total
developer and product estimate as an overall estimate of the number of
developers and products impacted by the modifications to the criterion.
3. According to the May 2022 BLS occupational employment
statistics, the mean hourly wage for a ``Software Developer'' is
$63.91. As noted previously, we have assumed that overhead costs
(including benefits) are equal to 100 percent of pre-tax wages, so the
hourly wage including overhead costs is $128.
Table 26--Estimated Labor Hours To Modify Sec. 170.315(b)(1) Transitions of Care Criterion
----------------------------------------------------------------------------------------------------------------
Lower bound Upper bound
Task Details hours hours
----------------------------------------------------------------------------------------------------------------
Task 1: Modify Sex [Sec. 170.315(a)(5)(i)(C)]. Value set for Sex removed and now 0 40
references SNOMED CT.
----------------------------------------------------------------------------------------------------------------
Table 27--Total Cost To Modify Transitions of Care
[2022 dollars]
------------------------------------------------------------------------
Estimated cost
Activity -------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Modify Sex (281 products)............... $0 $1,438,720
------------------------------------------------------------------------
The cost to a health IT developer to make the modifications to the
transitions of care criterion for their certified Health IT Modules
will range from $0 to $5,120 per product, on average. Therefore,
assuming 281 products overall and a labor rate of $128 per hour, we
estimate that the total cost to all health IT developers will, on
average, range from $0 to $1.5 million. This will be a one-time cost to
developers per product that is certified to the specified certification
criterion.
Benefits
There are multiple benefits associated with having more granular
information available related to improved recording of sexual
orientation and gender identity. This has clinical benefits for
patients in the immediate term as information related to gender
identity and sexual orientation is critical for informing treatment.
Additionally, advances in treatment may result from researchers having
more reliable and accurate sexual orientation and gender identity data
available. Not only will this benefit clinical care teams who are
treating patients within a particular clinical setting, this will
improve the interoperability of this data when shared electronically
with the patient or the patient's caregiver through the technology of
their choosing or when shared electronically with a third party elected
by the patient, such as an application developer, health care provider,
or other entity.
The benefits of these modifications are not quantifiable at this
time, but we expect the resulting improvements to interoperable
exchange of health information to significantly benefit providers and
patients and improve the quality of healthcare provided. Furthermore,
having a patient's information recorded uniformly and available across
their medical records will improve the patient's access to their
information and ensure the information is available uniformly across
technologies.
Comments. We received no comments related to the impact analysis of
updates to the Transitions of care criterion.
Response. The final impact analysis is consistent with the proposed
rulemaking. Cost estimates were updated to reflect wages of software
developers as of 2022.
Patient Right To Request a Restriction on Use or Disclosure
As discussed in section III.C.10 of this preamble, we have
finalized as proposed to modify the existing criterion in Sec.
170.315(e)(1) to add a paragraph (iii) stating patients (and their
authorized representatives) must be able to use an internet-based
method to request a restriction to be applied for any data expressed in
the standards in Sec. 170.213. This policy is standards agnostic for
the implementation of functional requirements supporting workflows for
a patient to exercise their right to request restrictions on certain
uses and disclosures of their EHI and for a HIPAA covered entity, such
as a clinician that transmits any health information in electronic form
in connection with a HHS adopted standard transactions, to honor such
request.
Costs
The update to Sec. 170.315(e)(1) includes a new technical
functionality that provides patients (and their authorized
representatives) the ability to use an internet-based method to request
a restriction to be applied for any data expressed in the standards in
Sec. 170.213. This task has its own level of effort, and this estimate
is detailed in Table 28 below and is based on the following
assumptions:
1. Health IT developers will use the same labor costs and data
models. Table 29 shows the estimated labor costs per product to modify
Sec. 170.315(e)(1). We recognize that health IT developer costs will
vary; however, our estimates in this section assume all health IT
developers will incur the costs noted in Table 29.
2. We estimate that 246 products certified by 210 developers will
be affected by our proposal. These estimates are a subset of the total
[[Page 1419]]
estimated health IT developers and certified products we estimated
above.
The estimate of 246 products certified by 210 developers is derived
as follows. We estimate that, in total, 368 health IT developers will
certify 502 health IT products impacted by this rulemaking. However,
not all these developers and products certify Sec. 170.315(e)(1) and
need to meet the proposed requirements. As of the end of 2021, 57% of
developers and 49% of products certified Sec. 170.315(e)(1). We
applied this modifier to our total developer and product estimate as an
overall estimate of the number of developers and products impacted by
the proposed modifications to the criterion.
3. According to the Month 2022 BLS occupational employment
statistics, the mean hourly wage for a ``Software Developer'' is
$63.91. As noted previously, we have assumed that overhead costs
(including benefits) are equal to 100 percent of pre-tax wages, so the
hourly wage including overhead costs is $128.
Table 28--Estimated Labor Hours To Modify 170.315(e)(1)
----------------------------------------------------------------------------------------------------------------
Lower bound Upper bound
Task Details hours hours Remarks
----------------------------------------------------------------------------------------------------------------
Task 1: Add internet-based method for New technical functionality 240 580
patients (and their authorized to be added to criterion
representatives) to request a Sec. 170.315(e)(1). This
restriction. is a standards agnostic
method. Developer may choose
internet-based method of
choice (e.g., free-text box,
check boxes for applicable
data classes, etc.).
----------------------------------------------------------------------------------------------------------------
Table 29--Total Cost To Modify 170.315(e)(1)
[2022 dollars]
------------------------------------------------------------------------
Estimated cost
Activity ---------------------------------
Lower bound Upper bound
------------------------------------------------------------------------
Task 1 (246 products)................. $7,557,120 $18,263,040
------------------------------------------------------------------------
The cost to a health IT developer to modify Sec. 170.315(e)(1) for
their Health IT Modules would range from $30,720 to $74,240 per
product, on average. Therefore, assuming 246 products overall and a
labor rate of $128 per hour, we estimate that the total cost to all
health IT developers would, on average, range from $7.5 million to $18
million. This would be a one-time cost to developers per product that
is certified to the specified certification criterion and would not be
perpetual.
Benefits
In the ONC Cures Act Final Rule, we noted that the updated criteria
in Sec. 170.315(b)(7) and (b)(8) (``security tags--summary of care--
send'' and ``security tags--summary of care--receive'') would benefit
providers, patients, and ONC because it would support more complete
records, contribute to patient safety, and enhance care coordination.
We stated that implementing security tags enables providers to share
patient records more effectively with sensitive information, thereby
protecting patient privacy while still delivering actionable clinical
content. We emphasized that health care providers already have
processes and workflows to address their existing compliance
obligations, which could be made more efficient and cost effective
using health IT. We were, however, unable to quantify these benefits at
the time because we did not have adequate information to support
quantitative estimates (85 FR 25927).
Since we issued the ONC Cures Act Final Rule, the number of
developers certified to the voluntary criteria in Sec. 170.315(b)(7)
and (b)(8) has increased, but it remains a small percentage of the
total products certified. While we believe there will be similar
benefits to patients and other covered entities from our policies in
this rule to support privacy workflows, we similarly are limited in our
ability to estimate such impact at this time.
Comments. We received no comments specific to this impact analysis
of patient requested restrictions.
Response. The final impact analysis was updated to reflect the
final policy to include the ability for patients to request
restrictions for their information in the ``view, download, and
transmit'' criterion.
Insights Condition and Maintenance of Certification Requirements
The ``Insights Condition'' calls for developers of certified health
IT to report for each applicable product on measures which focus on
interoperability. For the initial requirements of the Insights
Condition, ONC proposed nine measures that relate to individual access
to electronic health information, clinical care information exchange,
public health information exchange, and standards adoption and
conformance.
Alternatives
Section 4002(c) of the Cures Act requires the creation of an
Electronic Health Record (EHR) Reporting Program. We have chosen to
implement the developer reporting through ONC's Health IT Certification
Program to integrate this legislative mandate with other reporting
requirements for developers of certified health IT as a Condition and
Maintenance of Certification requirement. This approach is aligned with
how we have interpreted other similar provisions of the Cures Act, and
it is intended to maximize participation among developers of certified
health IT while aligning participation with other requirements of the
Program. Other alternatives to implementing this provision of the Cures
Act could be to conduct a survey of developers of certified health IT
to report on measures; however, such an effort would reflect only those
developers who participated in the survey, thus limiting the
generalizability of the results. A survey approach would also
complicate ONC's ability to standardize developer results reporting and
thus the quality and the rigor of the data would be affected. Thus, in
order to be consistent with ONC's implementation of other Cures Act
Condition and Maintenance of Certification requirements, to maximize
the generalizability and accuracy of the data gathered through this
effort, and to align it with other activities, we have chosen
[[Page 1420]]
to implement the Condition and Maintenance of Certification through
ONC's Health IT Certification Program.
Costs
In calculating the cost of reporting each measure m we applied the
following expression:
Cm = #Hours x Wage x # of Developers
The data for each of the elements (e.g., #hours, wages,
#developers) were extracted from various sources and there are
assumptions associated with each element, which are described in this
section.
The #Hours represents the labor hours it takes to produce measure
m. The developers of certified health IT were asked the average number
of hours they would need to develop and report a measure. Based on
their reporting, we created a lower bound that represents 25% less than
the reported number and an upper bound that represents 35% more than
the reported number. We adjusted the number of hours required for
developing each measure according to the difficulty level as ranked by
developers of certified health IT.\297\ We attributed more hours to
skillful labor categories (from administrators to programmers and
managers) than what was provided by developers as we believe these will
be more accurate estimates.
---------------------------------------------------------------------------
\297\ Blavin F., et al. 2020. Urban Institute. Electronic Health
Record (EHR) Reporting Program: Developer-Reported Measures.
Available at https://www.urban.org/sites/default/files/publication/105427/electronic-health-record-ehr-reporting-program-developer-reported-measures.pdf. Accessed March 16, 2023.
---------------------------------------------------------------------------
The Wage represents hourly wage of a particular occupation needed
to produce a measure. The wage estimates were extracted from the 2022
Bureau of Labor Statistics data and multiplied by two to account for
administrative and other indirect costs, representing the median hourly
wage of a software developer ($128) and a management analyst ($101)
(the numbers incorporate other indirect costs of labor).\298\ We
assumed that the time used only by these occupations was sufficient for
completing the task. The number of health IT developers is a function
of the finalized small developer threshold and certified criteria
requirements, which are described in more detail in section III.F.3 of
this preamble under Associated Thresholds for Health IT Developers. We
used data from the 2019 CMS Promoting Interoperability (PI) program and
the Certified Health IT Product List to estimate the number of
developers that would be reporting measures to the program. Per the
finalized small developer threshold, developers whose certified health
IT products were used by at least 50 hospitals, or 500 clinicians would
have to report measures to the Program. In addition to having these
minimum number of users across their certified health IT products, per
the policy, we limited developers to those with products that certify
to at least one of the following criteria associated with the adopted
measures (see Table 30):
---------------------------------------------------------------------------
\298\ See BLS at https://www.bls.gov/oes/current/oes_nat.htm.
Accessed September 15, 2023.
Transitions of care Sec. 170.315(b)(1)
Clinical information reconciliation and incorporation Sec.
170.315(b)(2)
Transmission to immunization registry Sec. 170.315(f)(1)
View, download, and transmit to 3rd party Sec. 170.315(e)(1)
Standardized API for patient and population services Sec.
170.315(g)(10)
For each measure, the estimated the number of developers of
certified health IT depended on whether developers' products certified
to criteria associated with a particular measure (as shown in Table 31)
and whether they meet the threshold requirement for a small developer.
Table 30--Estimated Number of Hours and Developers Associated for Each Measure
[per developer]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Estimated Management analyst Software developer
number of Estimated number estimated hours (per estimated hours (per
applicable of applicable developer) developer)
Measure Related criterion developers of developers of -------------------------------------------
certified certified health
health IT (no IT (threshold Lower Upper Lower Upper
threshold) applied) bound bound bound bound
--------------------------------------------------------------------------------------------------------------------------------------------------------
Individuals' Access to EHI............... Sec. 170.315(e)(1); Sec. 157 53 320 800 1,100 2,220
170.315(g)(10).
Immunization Submission to IIS........... Sec. 170.315(f)(1)........ 115 37 480 1,200 2,800 5,600
Immunization History and Forecasts....... Sec. 170.315(f)(1)........ 115 37 470 1,200 1,380 2,760
C-CDAs Reconciliation and Incorporation.. Sec. 170.315(b)(1); Sec. 171 56 400 1,400 3,200 8,700
170.315(b)(2).
Apps Supported........................... Sec. 170.315(g)(10)....... 176 59 320 800 1,850 3,700
Use of FHIR in in Apps................... Sec. 170.315(g)(10)....... 176 59 400 1,000 2,300 4,600
Use of FHIR Bulk Data Access............. Sec. 170.315(g)(10)....... 176 59 400 1,000 2,300 4,600
--------------------------------------------------------------------------------------------------------------------------------------------------------
Data Source: ONC analysis of 2019 CMS Promoting Interoperability Program Data & CHPL.
We decided the small developer thresholds based upon analyses we
conducted of the 2019 CMS PI Program and Certified Health IT Product
List. We examined the various alternatives for setting user thresholds
based on the percentage of users and developers that would be
represented and reporting measures, respectively in the Program (see
Table 31 below). The thresholds we decided upon maximize coverage and
while not unduly disadvantaging smaller developers. The thresholds were
determined based upon analysis of 2019 CMS PI program data and the CHPL
data. The data from the CMS PI program included 4,209 non-federal acute
hospitals and 691,381 clinicians who attested to the program. After
limiting hospitals and clinicians to those using existing 2015 Edition
certification criteria, the 2015 Edition Cures Update criteria, or a
combination of the two; and to those products of developers who had
certified to at least one of the criteria associated with the measures
adopted in the Program (see Table 30), we ended up with 3,863 hospitals
and 689,801 clinicians. For example, based upon a threshold of 50
hospitals, we would be able to include approximately 99% of all
hospital users and the top 18 developers (based upon market share)
while excluding the bottom 33 developers (based upon market share).
This 99% value is based upon the percentage of users who are not
exclusively using products from developers who meet the small developer
threshold. Thus, in the case of a 50-hospital threshold, only 1.4% of
hospital users are exclusively using
[[Page 1421]]
products from small developers, and thus about 99% of the inpatient
market is covered.
Table 31--Thresholds Options at the Developer Level
----------------------------------------------------------------------------------------------------------------
Estimated
number of Estimated % Estimated Estimated
users only of users only number of number of
using small using small small remaining
developers developers developers developers
----------------------------------------------------------------------------------------------------------------
Hospitals:
Option (a) 100 Threshold.................... 142 3.7 39 12
Option (b) 50 Threshold..................... 56 1.4 33 18
Clinicians:
Option (a) 2,000 Threshold.................. 21,075 3.1 176 31
Option (b) 1,000 Threshold.................. 11,251 1.6 160 47
Option (b) 500 Threshold.................... 7,828 1.1 146 61
----------------------------------------------------------------------------------------------------------------
In calculating the aggregate cost of developing all measures, we
applied the concept of economies of scope, where the total cost of
production is not incrementally increasing in the number of measures,
but it is rather attenuating. Specifically, the aggregate cost in this
application is governed by the following expression: The total cost
(TC) of producing measures 1 and 2 is the sum of producing the two
measures separately minus the cost of producing them together.
To calculate the cost of producing measures together, developers of
certified health IT were asked during discussions to provide an
estimate on the extent to which there would be an overlap in developing
infrastructure between the measures published by the Urban Institute
and level of difficulty by measure.\299\ While some measures we have
finalized differ from those the Urban Institute published, there is
significant overlap across many of the measures, which would retain the
validity of these estimates. The weighted average for selected measures
suggested that there would be considerable overlap on the immunization
measures (see Table 32). We note that for the incorporation measure,
there is overlap between the proposed measure and the CMS PI Program
Measure. We welcomed comments that provide us information on the level
of perceived overlap so that we can adjust the estimates accordingly
for the costs associated with that measure.
---------------------------------------------------------------------------
\299\ Blavin F., et al. 2020. Urban Institute. Electronic Health
Record (EHR) Reporting Program: Developer-Reported Measures.
Available at https://www.urban.org/sites/default/files/publication/105427/electronic-health-record-ehr-reporting-program-developer-reported-measures.pdf. Accessed March 16, 2023.
Table 32--Percent Overlap in Developing the Following Combination of
Measures
------------------------------------------------------------------------
Percent
------------------------------------------------------------------------
Immunization Submission to IIS and Immunization History 50
and Forecasts.........................................
------------------------------------------------------------------------
Additionally, we assessed that there will be a 10% overlap of
developing infrastructure across all measures. We applied these rates
accordingly when calculating the total cost of developing measures for
the Insights Condition.
Following this approach, the aggregate cost estimates over a 10-
year period to develop and report on these measures are presented by
different alternatives associated with thresholds in Table 33. The
first row shows the total cost assuming developers have at least 50
hospital or 500 clinician users, which generates the cost between $98
and $218 million. In addition to estimating the costs associated with
the 50 hospitals or 500 clinician user thresholds, we also present the
cost for two alternatives where the number of users for hospitals is
100 and for clinician ranges from 1000 to 2000. The total cost would be
reduced by about a half compared to the previous specification because
smaller number of developers would qualify for the Insights Condition.
Table 33--Aggregate Cost Estimates for the Insights Condition by
Threshold Alternatives
------------------------------------------------------------------------
Options Lower bound Upper bound
------------------------------------------------------------------------
50 Hospitals and 500 Clinicians $98,373,673 $218,671,106
Threshold (Proposed Approach)..........
100 Hospitals and 1000 Clinicians 69,268,381 153,852,086
Threshold (Alternative 1)..............
100 Hospitals and 2000 Clinicians 47,638,637 105,007,568
Threshold (Alternative 2)..............
No Threshold Applied.................... 297,027,045 660,807,830
------------------------------------------------------------------------
In Table 30, we present the estimated number of labor hours to
develop and report by measure for each individual developer. This table
served as the basis for the cost estimates, prior to adjusting as
described above.
In Table 34, we present cost estimates for each individual measure
by developer and across all developers. The measures vary in cost
because we made adjustments based on synergies discussed above (e.g.,
similar measures, common infrastructure) and the level of
[[Page 1422]]
expected burden to develop each measure.
Table 34--Estimated Costs by Measure per Developer of Certified Health IT and Across All Eligible Developers of
Certified Health IT
[No threshold]
----------------------------------------------------------------------------------------------------------------
Estimated costs (per Total estimated costs (all
Number eligible developer) eligible developers)
Measure developers ---------------------------------------------------------------
Lower bound Upper bound Lower bound Upper bound
----------------------------------------------------------------------------------------------------------------
Individuals' Access to EHI... 157 $169,924 $353,846 $26,678,005 $55,553,791
Immunization Submission to 115 360,023 739,508 41,425,606 85,043,311
IIS.........................
Immunization History and 115 109,227 228,908 12,561,105 26,324,363
Forecasts...................
C-CDAs Reconciliation and 171 402,305 1,116,610 68,794,070 190,940,267
Incorporation...............
Applications Supported....... 176 238,088 488,773 41,903,326 86,024,030
Use of FHIR in Apps.......... 176 300,186 616,256 52,832,657 108,461,034
Use of FHIR Bulk Data Access. 176 300,186 616,256 52,832,567 108,461,034
----------------------------------------------------------------------------------
All Measures: Total Cost. ................. 1,880,136 4,160,155 297,027,425 660,807,830
----------------------------------------------------------------------------------------------------------------
Table 35--Estimated Costs by Measure per Developer of Certified Health IT and Across All Eligible Developers of
Certified Health IT
[Threshold applied]
----------------------------------------------------------------------------------------------------------------
Estimated costs (per Total estimated costs (all
Number eligible developer) eligible developers)
Measure developers ---------------------------------------------------------------
Lower bound Upper bound Lower bound Upper bound
----------------------------------------------------------------------------------------------------------------
Individuals' Access to EHI... 53 $169,924 $353,846 $9,005,951 $18,753,827
Immunization Submission to 37 260,223 739,508 13,328,238 27,361,761
IIS.........................
Immunization History and 37 109,227 228,908 4,041,399 8,469,578
Forecasts...................
C-CDAs Reconciliation and 56 402,305 1,116,610 22,529,052 62,530,146
Incorporation...............
Apps Supported............... 59 238,088 488,773 14,047,138 28,837,601
Use of FHIR in Apps.......... 59 300,186 616,256 17,710,948 36,359,097
Use of FHIR Bulk Data Access. 59 300,186 616,256 17,710,948 36,359,097
----------------------------------------------------------------------------------
All Measures: Total Cost. ................. 1,880,136 4,160,1550 98,373,673 218,671,106
----------------------------------------------------------------------------------------------------------------
For the Insights Condition of Certification, we have indicated that
developers of certified health IT who were required to report for
Insights could leverage relevant Insights measures for real world
testing annual reporting. We recognize some overlap in the two
Conditions of Certification and that Insights measures would be
appropriate to meet real world testing requirements for applicable
certification criteria. An analysis of the CHPL shows that among
developers required to report for Insights, 25% to 50% of their real
world testing reporting requirements could be satisfied leveraging
Insights metrics. Considering this we estimate that 25% to 50% of an
average developer's annual real world testing costs could be saved by
using Insights reporting as part of their real world testing plans.
We estimated cost savings for developers required to report for
Insights. Cost savings were modeled using the real world testing cost
estimates we have finalized in the ONC Cures Final Rule. We estimated
in that final rule that a developer, on average, would face annual
costs of $109,557 (2017 dollars) to meet real world testing reporting
requirements. In 2022 dollars, we estimate this is $130,811 in annual
costs. In Table 36 we show the impact of these cost savings on the
total 10-year cost of developers to meet Insights requirements. We
estimate this flexibility in meeting both Insights and real world
testing reporting requirements will yield $13.6 million to $27.4
million in cost savings in total. We estimate these costs savings will
reduce the overall total cost of developers reporting for Insights. The
total cost of Insights is estimated to be $84.7 million to $191.2
million.
Table 36--Estimated Cost Savings From Reporting for Both Real World
Testing and Insights
------------------------------------------------------------------------
Options Lower bound Upper bound
------------------------------------------------------------------------
50 Hospitals and 500 Clinicians $98,373,673 $218,671,106
Threshold (No Cost Savings
applied)..........................
50 Hospitals and 500 Clinicians 84,735,783 191,233,443
Threshold (Cost Savings applied)..
------------------------------------------------------------------------
Benefits
The ONC Cures Act Final Rule seeks to advance interoperability and
support the access, exchange, and use of electronic health information.
There is currently limited transparency and information regarding
interoperability; this not only stymies informed decision-making by ONC
but also others in the industry, including health care providers, and
entities that enable
[[Page 1423]]
exchange, including various types of health information networks and
health app developers. ONC's measurement of interoperability is
currently reliant primarily on self-reported survey data from end users
of health information technology. While this information does provide
some insights on interoperability from end-user perspectives, the
insights derived are limited. The adopted measures will provide system-
generated metrics on interoperability that will complement self-
reported, user perspective data sources, such as surveys. Through the
Insights Condition section of this final rule, we have identified where
surveys have been limited in providing a clear picture of certain
aspects of interoperability that these measures will elucidate. In
addition, they will reach a greater number of health care providers
than surveys, giving a more complete and representative national
perspective. Greater transparency and information on interoperability
of health IT products has the potential to benefit several interested
parties, including ONC and other entities that enable exchange,
including health app developers and health information networks. The
adopted measures are also designed to identify areas that are working
well and problems that we can monitor over time. This will help
identify the need for technical and policy solutions as well as spur
innovation that builds on successes and addresses gaps. While we
currently do not have a means to quantify these benefits, we welcomed
any feedback on methods to better quantify the impact these measures
can have for healthcare and health IT.
The measures in this final rule for the Insights Condition will
help improve and inform ONC programmatic and regulatory decision-
making. ONC's programs and policies are designed to make direct and
positive impacts on health IT use, care delivery, and patient health.
ONC does this primarily through supporting standards development and
the Program. The adopted measures will help ONC and others better
understand the use, progress, and value of health IT standards. This
has practical implications for improving the work ONC leads that
increases the use of standards. For example, ONC has limited empirical
information to provide guidance on the usage of standards associated
with the Interoperability Standards Advisory. With the addition of the
adopted measures, ONC can provide guidance to industry that is grounded
in data from health IT developers rather than anecdotes. This has the
potential to move industry to adopt standards more quickly, which has
downstream impacts on improved interoperability. In addition, the
adopted measures will increase transparency regarding the capability
and usage of certified products. Through these measures, ONC and other
interested parties will be able to identify areas that are problematic
and in need of further investigation, such as cross-cutting policy and
technical issues. They will also provide needed data to develop
solutions to these complex problems.
The adopted measures from the Insights Condition will focus on four
key priority areas: individual access to electronic health information,
clinical care information exchange, standards adoption and conformance,
and public health information exchange. Under the individuals' access
to electronic health information measurement area, the measure will
inform on the ONC Cures Act Final Rule goal of increasing access of
electronic health information to individuals, particularly through the
use of third-party apps. Increased patient engagement has been
associated with improved health outcomes, and improved ease of access
to their own medical records can improve patient engagement.\300\ Thus,
a better understanding of how patients are using apps through certified
health IT will help inform ONC and other interested parties on the
progress to reaching this goal. In addition, this measure will help
inform app developers and developers of certified health IT, who are
supporting apps on what individual's needs are to access their EHI. It
will also inform health care provider organizations regarding action
they may need to consider in supporting EHI and the need for outreach
to patients and caregivers.
---------------------------------------------------------------------------
\300\ Health Affairs. (2013). Health Policy Brief: Patient
Engagement. Accessed March 16, 2023, at: http://healthaffairs.org/healthpolicybriefs/brief_pdfs/healthpolicybrief_86.pdf.
---------------------------------------------------------------------------
The clinical care information exchange measure will help ONC and
other interested parties better understand the volume of information
exchanged using C-CDA documents and how the information exchange is
subsequently used via incorporation and reconciliation. Understanding
the rates of C-CDA document incorporation is valuable for interested
parties supporting C-CDA document exchange (e.g., is it incorporated
and used). This measure can also support further development in the
incorporation of C-CDA documents.
Currently, ONC has limited data on the use of certified API
technology in the app market. The ONC Cures Act Final Rule established
the rules for the use of certified API technology in such a way to
increase access to health information for both patients and health care
providers. By understanding which apps are using FHIR-based APIs and
the volume of transfer of FHIR resources, ONC and standards development
organizations (SDOs) will be able to prioritize their work toward high-
use data elements as well as explore why some data elements may not
have as much use as anticipated. This will not only benefit ONC and
SDOs, but in the long-term this will benefit patient care as exchange
at the data element level is likely to be less cumbersome than
document-based exchange. In addition, these measures are expected to
increase transparency in the health IT app market which should lead to
improved efficiencies, more competition, and better use of data.
Greater transparency will inform decision-making among app developers,
patients, health care providers, and other key parties (e.g., CARIN
Alliance). Through better insights into the intersections of health IT
and the app market, gaps as well as areas of strength can be identified
that may spur further innovations in the market.
The ONC Cures Act Final Rule also introduced certification criteria
and policies for the exchange of bulk patient health information. The
goal of these functionalities is to make patient data requests easier
and less expensive as well as allow health care providers a greater
choice of health IT applications. Understanding how these
functionalities are being used will allow ONC and others to assess the
progress toward those goals and identify where there may be areas in
need of refinement. It will provide interested parties, such as
Accountable Care Organizations (ACO), researchers, and others with
interest in secondary use of certified health IT data with insights as
to whether such data is easily moved out of health IT products to
support a variety of use cases to advance patient care.
Finally, because of the COVID-19 epidemic, there has been increased
attention on the capabilities of health care providers to share public
health information with public health agencies (PHA).\301\ There has
been a focus on the electronic exchange of immunization data to an
immunization information system (IIS) via certified health IT. The
[[Page 1424]]
adopted measures will identify trends and patterns in IIS' ability to
receive immunization data to enable innovative solutions and improve
the utility of IIS' and IIS data. Thus, this data would be beneficial
to IIS registries to help make improvements to their systems and
policies to better support exchange of immunization data. In addition,
these measures can help support the numerous HHS efforts aimed at
improving the flow of information between health care providers and
PHAs, such as ONC's STAR HIE Program and the CDC's ongoing Data
Modernization Initiative.
---------------------------------------------------------------------------
\301\ Dixon BE, Caine VA, Halverson PK. Deficient Response to
COVID-19 Makes the Case for Evolving the Public Health System.
American Journal of Preventive Medicine. 2020;59(6):887-891. https://doi.org/10.1016/j.amepre.2020.07.024.
---------------------------------------------------------------------------
Comments. We did not receive specific comments related to the
Insights impact analysis. Commenters did, however, raise general
concerns about the overall cost of the rulemaking, including costs
estimated for Insights.
Response. We updated the Insights impact analysis based upon
updates to the condition of certification, as adopted in this final
rule. The impact analysis reflects reduced costs, as well as cost
savings, to implement this finalized Condition of Certification.
Information Blocking Enhancements
We proposed in section IV of this preamble several enhancements
with respect to the information blocking provisions in the ONC Cures
Act Final Rule. These include defining in regulation text what it
means, and what it does not mean, to ``offer'' health IT. The
enhancements also include updating the Infeasibility (45 CFR 171.204)
and Manner (45 CFR 171.301, formerly known as the ``Content and
Manner'') Exceptions for clarity and to add more ways for actors'
practices to satisfy these exceptions and thus not be considered
``information blocking'' for purposes of 45 CFR part 171.
Costs
We expect ONC to incur an annual cost for issuing educational
resources related to the proposed information blocking enhancements. We
estimate that ONC would issue educational resources each quarter, or at
least four times per year. We assume that the resources would be
provided by ONC staff with the expertise of a GS-15, Step 1 federal
employee(s). The hourly wage with benefits for a GS-15, Step 1 employee
located in Washington, DC is approximately $142.\302\ We estimate it
would take ONC staff between 100 and 200 hours to develop resources
each quarter, or 400 to 800 hours annually. Therefore, we estimate the
annual cost to ONC would, on average, range from $56,800 to $113,600.
---------------------------------------------------------------------------
\302\ Office of Personnel and Management. https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2022/DCB.pdf. Accessed March 16, 2023.
---------------------------------------------------------------------------
Benefits
Currently, ONC has limited data and research available to
reasonably estimate the benefits of how often an actor may avail itself
of one of the permitted exceptions or the costs for an actor to meet a
condition to an exception.
We anticipate that the adopted information blocking enhancements
will enable actors to determine more easily and with greater certainty
whether their practices (acts or omissions) that may or do interfere
with access, exchange, or use of EHI (as defined in 45 CFR 171.102)
meet the conditions to be considered a ``reasonable and necessary''
activity under an information blocking exception. As such, we expect
these policies will further ease the burden and costs of complying with
the information blocking regulations, while providing increased
predictability. This predictability will permit regulated entities to
plan and invest resources in developing and using interoperable
technologies and services to improve healthcare efficiency and value
more effectively. Additionally, we anticipate as a result of the
revised definitions and exceptions, there will be reduced interference
with the access, exchange, and use of electronic health information
because of the added clarity the policies will provide the market
regarding certain practices. Thus, we anticipate an increase in the
overall benefits derived from reducing the prevalence of information
blocking. We welcomed comment on these conclusions and the supporting
rationale.
Total Annual Cost Estimate
We estimate that the total annual cost for this final rule for the
first year after it is finalized (including one-time costs), based on
the cost estimates outlined above and throughout this RIA, would result
in $437 million. The total undiscounted perpetual cost over a 10-year
period for this final rule (starting in year two), based on the cost
estimates outlined above, would result in $477 million. We estimate the
total costs to health IT developers to be $914 million while the
government (ONC) costs to be between $56,800 to $113,600.
Total Annual Benefit Estimate
We estimate the total annual benefit for this final rule, based on
the benefit estimates outlined above, would be on average $1.0 billion.
Total Annual Net Benefit
We estimate the total undiscounted perpetual annual net benefit for
this final rule (starting in year three), based on the estimates
outlined above, would result in a net benefit of $124 million.
b. Accounting Statement and Table
When a rule is considered significant under Section 3(f)(1) under
Executive Order 12866 and E.O. 14094, we are required to develop an
accounting statement indicating the classification of the expenditures
associated with the provisions of the final rule. Monetary annual
effects are presented as discounted flows using 3% and 7% factors in
Table 38 below. We are not able to explicitly define the universe of
all costs but have provided an average of likely costs of this final
rule as well as a high and low range of likely costs.
Table 37--E.O. 12866 Summary Table
[2022 Dollars]
------------------------------------------------------------------------
Primary (3%) Primary (7%)
------------------------------------------------------------------------
Present Value of Quantified Costs... $853,114,341 $784,445,719
Present Value of Quantified Benefits 829,421,937 623,925,956
Present Value of Net Benefits....... 23,692,404 160,519,763
Annualized Quantified Costs......... 100,011,026 111,687,422
Annualized Quantified Benefits...... 103,155,077 101,704,924
Annualized Net Quantified Benefits.. 3,144,051 9,982,498
------------------------------------------------------------------------
[[Page 1425]]
Table 38--E.O. 12866 Summary Table Non-Discounted Flows
[2022 Dollars]
----------------------------------------------------------------------------------------------------------------
Year 1 Year 2 Year 3 Year 4 Year 5
----------------------------------------------------------------------------------------------------------------
Costs..................................... $437,500,845 $264,945,762 $50,769,243 $31,235,512 $21,692,039
Benefits.................................. ............ ............ 28,850,000 57,700,000 86,550,000
----------------------------------------------------------------------------------------------------------------
Year 6 Year 7 Year 8 Year 9 Year 10
----------------------------------------------------------------------------------------------------------------
Costs..................................... 21,692,039 21,692,039 21,692,039 21,692,039 21,692,039
Benefits.................................. 115,400,000 144,250,000 173,100,000 201,950,000 230,800,000
----------------------------------------------------------------------------------------------------------------
D. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA) requires agencies to analyze
options for regulatory relief of small entities, if a rule has a
significant impact on a substantial number of small entities.
The Small Business Administration (SBA) establishes the size of
small businesses for Federal Government programs based on average
annual receipts or the average employment of a firm.\303\ The entities
that are likely to be directly affected by the requirements in this
final rule requirements are health IT developers. We note that the
finalized updates and clarifications to the reasonable and necessary
activities that do not constitute information blocking will provide
flexibilities and relief for health IT developers of certified health
IT, health information networks, health information exchanges, and
health care providers in relation to the information blocking provision
of the Cures Act. We welcomed comments on the impact of our information
blocking-related proposals on small entities.
---------------------------------------------------------------------------
\303\ The SBA references that annual receipts mean ``total
income'' (or in the case of a sole proprietorship, ``gross income'')
plus ``cost of goods sold'' as these terms are defined and reported
on Internal Revenue Service tax return forms.
---------------------------------------------------------------------------
Comments. We received no comments on our approach.
Response. We have finalized as proposed.
While health IT developers that pursue certification of their
health IT under the Program represent a small segment of the overall
information technology industry, we believe that many health IT
developers impacted by the requirements adopted in this final rule most
likely fall under the North American Industry Classification System
(NAICS) code 541511 ``Custom Computer Programming Services.'' \304\ OMB
advised that the Federal statistical establishment data published for
reference years beginning on or after January 1, 2022, should be
published using the 2022 NAICS United States codes.\305\ The SBA size
standard associated with this NAICS code is set at $34 million annual
receipts or less. There is enough data generally available to establish
that between 75% and 90% of entities that are categorized under the
NAICS code 541511 are under the SBA size standard. We also note that
with the exception of aggregate business information available through
the U.S. Census Bureau and the SBA related to NAICS code 541511, it
appears that many health IT developers that pursue certification of
their health IT under the Program are privately held or owned and do
not regularly, if at all, make their specific annual receipts publicly
available. As a result, it is difficult to locate empirical data
related to many of these health IT developers to correlate to the SBA
size standard. However, although not perfectly correlated to the size
standard for NAICS code 541511, we do have information indicating that
over 60% of health IT developers that have had Complete EHRs and/or
Health IT Modules certified to the 2011 Edition have less than 51
employees.
---------------------------------------------------------------------------
\304\ https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standardslowbar;Effective%20March%2017%2C%202023%
20%282%29.pdf.
\305\ https://www.sba.gov/article/2022/feb/01/guidance-using-naics-2022-procurement.
---------------------------------------------------------------------------
We estimate that the finalized requirements in this final rule will
have effects on health IT developers, some of which may be small
entities, that have certified health IT or are likely to pursue
certification of their health IT under the Program. We believe,
however, that we have adopted the minimum number of requirements
necessary to accomplish our primary policy goal of enhancing
interoperability. Further, as discussed in this RIA above, there are
very few appropriate regulatory or non-regulatory alternatives that
could be developed to lessen the compliance burden associated with this
final rule because at least a few of the policies are derived directly
from legislative mandates in the Cures Act.
We do not believe that the finalized requirements of this final
rule will create a significant impact on a substantial number of small
entities and we received no comments on whether there are small
entities that we have not identified that may be affected in a
significant way. The Predictive DSI policy within the criterion adopted
in the criterion at Sec. 170.315(b)(11) and the Insights condition of
certification represent the highest potential costs for health IT
developers in our estimates. The finalized Decision Support
Interventions policy establishes different requirements for developers
of certified health IT that supply Predictive DSIs than those
developers that do not supply Predictive DSIs. Many developers who do
not supply a Predictive DSI as part of their Health IT Module are among
those developers with smaller revenues and fewer clients. These
developers will be able to certify to the criterion at Sec.
170.315(b)(11) while expending limited additional development resources
on products they have certified currently. Specifically, these
developers will likely have little to no costs related to providing
complete and up-to-date source attribute information for Predictive DSI
supplied by the developer or engaging in risk management and annually
update risk management information. Furthermore, the Insights Condition
of Certification excludes small entities from reporting on the
finalized measures. Small entities will face no additional costs for
meeting the finalized measures, as described in the final policy and
RIA for the Insights Condition.
The Secretary certifies that this final rule will not have a
significant impact on a substantial number of small entities.
Comments. We received no comments.
Response. We have finalized as proposed.
E. Executive Order 13132--Federalism
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a final rule) that imposes
substantial direct requirement costs on state and local governments,
preempts state law, or otherwise has federalism implications.
[[Page 1426]]
Nothing in this final rule imposes substantial direct compliance costs
on state and local governments, preempts state law, or otherwise has
federalism implications. We are not aware of any state laws or
regulations that are contradicted or impeded by any of the policies in
this final rule.
Comments. We received no comments.
Response. We have finalized as proposed.
F. Unfunded Mandates Reform Act of 1995
Section 202 of the Unfunded Mandates Reform Act of 1995 requires
that agencies assess anticipated costs and benefits before issuing any
rule that imposes unfunded mandates on state, local, and tribal
governments or the private sector requiring spending in any one year of
$100 million in 1995 dollars, updated annually for inflation. The
current inflation-adjusted statutory threshold is approximately $177
million in 2023. While the estimated potential cost effects of this
final rule reach the statutory threshold, we do not believe this final
rule imposes unfunded mandates on state, local, and tribal governments,
or the private sector.
Comments. We received no comments.
Response. We have finalized as proposed.
OMB reviewed this final rule.
List of Subjects
45 CFR Part 170
Computer technology, Electronic health record, Electronic
information system, Electronic transactions, Health, Healthcare, Health
information technology, Health insurance, Health records, Hospitals,
Incorporation by reference, Laboratories, Medicaid, Medicare, Privacy,
Reporting and record keeping requirements, Public health, Security.
45 CFR Part 171
Computer technology, Electronic health record, Electronic
information system, Electronic transactions, Health, Healthcare, Health
care provider, Health information exchange, Health information
technology, Health information network, Health insurance, Health
records, Hospitals, Privacy, Reporting and recordkeeping requirements,
Public health, Security.
For the reasons set forth in the preamble, 45 CFR subtitle A,
subchapter D, is amended as follows:
PART 170--HEALTH INFORMATION TECHNOLOGY STANDARDS, IMPLEMENTATION
SPECIFICATIONS, AND CERTIFICATION CRITERIA AND CERTIFICATION
PROGRAMS FOR HEALTH INFORMATION TECHNOLOGY
0
1. The authority citation for part 170 continues to read as follows:
Authority: 42 U.S.C. 300jj-11; 42 U.S.C 300jj-14; 5 U.S.C. 553.
0
2. Amend Sec. 170.102 by:
0
a. Removing definitions for ``2015 Edition Base EHR'' and ``2015
Edition health IT certification criteria''; and
0
b. Adding definitions for ``Base EHR'', ``ONC certification criteria
for health IT'', ``Predictive Decision Support Intervention'',
``Provide'', and ``Revised certification criterion (or criteria)'' in
alphabetical order.
The additions read as follows:
Sec. 170.102 Definitions.
Base EHR means an electronic record of health-related information
on an individual that:
(1) Includes patient demographic and clinical health information,
such as medical history and problem lists;
(2) Has the capacity:
(i) To provide clinical decision support;
(ii) To support physician order entry;
(iii) To capture and query information relevant to healthcare
quality;
(iv) To exchange electronic health information with, and integrate
such information from other sources; and
(3) Has been certified to the certification criteria adopted by the
Secretary in--
(i) Section 170.315(a)(1), (2), or (3); (a)(5) and (14), (b)(1),
(c)(1), and (g)(7), (9), (10); and (h)(1) or (2);
(ii) Section 170.315(a)(9) or (b)(11) for the period up to and
including December 31, 2024; and
(iii) Section 170.315(b)(11) on and after January 1, 2025.
* * * * *
ONC certification criteria for health IT means the certification
criteria in Sec. 170.315.
* * * * *
Predictive Decision Support Intervention or Predictive DSI means
technology that supports decision-making based on algorithms or models
that derive relationships from training data and then produces an
output that results in prediction, classification, recommendation,
evaluation, or analysis.
* * * * *
Provide means the action or actions taken by a developer of
certified Health IT Modules to make the certified health IT available
to its customers.
* * * * *
Revised certification criterion (or criteria) means a certification
criterion that meets at least one of the following:
(1) Has added or changed the capabilities described in the existing
criterion in this part;
(2) Has an added or changed standard or implementation
specification referenced in the existing criterion in this part; or
(3) Is specified through notice and comment rulemaking as an
iterative or replacement version of an existing criterion in this part.
* * * * *
0
3. Amend Sec. 170.205 by:
0
a. Revising paragraph (a)(5); and
0
b. Adding paragraphs (a)(6) and (t).
The revision and additions read as follows:
Sec. 170.205 Content exchange standards and implementation
specifications for exchanging electronic health information.
(a) * * *
(5) Standard. HL7 CDA[supreg] R2 Implementation Guide: C-CDA
Templates for Clinical Notes R2.1 Companion Guide, Release 2
(incorporated by reference, see Sec. 170.299). The adoption of this
standard expires on January 1, 2026.
(6) Standard. HL7[supreg] CDA[supreg] R2 Implementation Guide: C-
CDA Templates for Clinical Notes STU Companion Guide, Release 4.1--US
Realm (incorporated by reference, see Sec. 170.299).
* * * * *
(t) Public health--electronic case reporting--(1) Standard.
HL7[supreg] FHIR[supreg] Implementation Guide: Electronic Case
Reporting (eCR)--US Realm 2.1.0--STU 2 US (HL7 FHIR eCR IG)
(incorporated by reference, see Sec. 170.299).
(2) Standard. HL7 CDA[supreg] R2 Implementation Guide: Public
Health Case Report--the Electronic Initial Case Report (eICR) Release
2, STU Release 3.1--US Realm (HL7 CDA eICR IG) (incorporated by
reference, see Sec. 170.299).
(3) Standard. HL7[supreg] CDA[supreg] R2 Implementation Guide:
Reportability Response, Release 1, STU Release 1.1--US Realm (HL7 CDA
RR IG) (incorporated by reference, see Sec. 170.299).
(4) Standard. Reportable Conditions Trigger Codes Value Set for
Electronic Case Reporting. (incorporated by reference, see Sec.
170.299).
0
4. Amend Sec. 170.207 by:
0
a. Adding paragraph (a)(1);
0
b. Removing and reserving paragraph (a)(3);
[[Page 1427]]
0
c. Adding paragraph (c)(1);
0
d. Removing and reserving paragraph (c)(2);
0
e. Adding paragraphs (d)(1) and (4);
0
f. Adding paragraphs (e)(1) and (2), (f)(3)and (m)(2);
0
g. Revising paragraph (n)(1);
0
h. Adding paragraphs (n)(2) and (3);
0
i. Revising paragraphs (o)and (p); and
0
j. Adding paragraphs (r)(2) and (s)(2).
The additions and revisions read as follows:
Sec. 170.207 Vocabulary standards for representing electronic health
information.
(a) * * *
(1) Standard. SNOMED CT[supreg], U.S. Edition, March 2022 Release
(incorporated by reference, see Sec. 170.299).
* * * * *
(c) * * *
(1) Standard. Logical Observation Identifiers Names and Codes
(LOINC[supreg]) Database Version 2.72, a universal code system for
identifying health measurements, observations, and documents produced
by the Regenstrief Institute, Inc., February 16, 2022 (incorporated by
reference, see Sec. 170.299).
* * * * *
(d) * * *
(1) Standard. RxNorm, a standardized nomenclature for clinical
drugs produced by the United States National Library of Medicine, July
5, 2022 (incorporated by reference, see Sec. 170.299).
* * * * *
(4) Standard. The code set specified at 45 CFR 162.1002(b)(2) as
referenced in 45 CFR 162.1002(c)(1) for the time period on or after
October 1, 2015.
(e) * * *
(1) Standard. HL7[supreg] Standard Code Set CVX--Vaccines
Administered, dated through June 15, 2022 (incorporated by reference,
see Sec. 170.299).
(2) Standard. National Drug Code Directory (NDC)--Vaccine NDC
Linker, dated July 19, 2022 (incorporated by reference, see Sec.
170.299).
* * * * *
(f) * * *
(3) Standard. CDC Race and Ethnicity Code Set Version 1.2 (July 08,
2021) (incorporated by reference, see Sec. 170.299).
* * * * *
(m) * * *
(2) Standard. The Unified Code for Units of Measure, Version 2.1,
November 21, 2017 (incorporated by reference, see Sec. 170.299).
(n) * * *
(1) Standard. Birth sex must be coded in accordance with
HL7[supreg] Version 3 Standard, Value Sets for AdministrativeGender and
NullFlavor (incorporated by reference, see Sec. 170.299), up until the
adoption of this standard expires January 1, 2026, attributed as
follows:
(i) Male. M;
(ii) Female. F;
(iii) Unknown. NullFlavor UNK.
(2) Standard. Sex must be coded in accordance with, at a minimum,
the version of SNOMED CT [supreg] U.S. Edition codes specified in
paragraph (a)(1) of this section.
(3) Standard. Sex Parameter for Clinical Use must be coded in
accordance with, at a minimum, the version of LOINC[supreg] codes
specified in paragraph (c)(1) of this section.
(o) Sexual orientation and gender information--(1) Standard. Sexual
orientation must be coded in accordance with, at a minimum, the version
of SNOMED-CT[supreg] U.S. Edition codes specified in paragraph (a)(4)
of this section for paragraphs (o)(1)(i) through (iii) of this section
and HL7 Version 3 Standard, Value Sets for AdministrativeGender and
NullFlavor (incorporated by reference, see Sec. 170.299), up until the
adoption of this standard expires on January 1, 2026, for paragraphs
(o)(1)(iv) through (vi) of this section, attributed as follows:
(i) Lesbian, gay or homosexual. 38628009
(ii) Straight or heterosexual. 20430005
(iii) Bisexual. 42035005
(iv) Something else, please describe. NullFlavor OTH
(v) Don't know. NullFlavor UNK
(vi) Choose not to disclose. NullFlavor ASKU
(2) Standard. Gender identity must be coded in accordance with, at
a minimum, the version of SNOMED-CT[supreg] codes specified in
paragraph (a)(4) of this section for paragraphs (o)(2)(i) through (v)
of this section and HL7[supreg] Version 3 Standard, Value Sets for
AdministrativeGender and NullFlavor (incorporated by reference in Sec.
170.299), up until the adoption of this standard expires January 1,
2026, for paragraphs (o)(2)(vi) and (vii) of this section, attributed
as follows:
(i) Male. 446151000124109
(ii) Female. 446141000124107
(iii) Female-to-Male (FTM)/Transgender Male/Trans Man. 407377005
(iv) Male-to-Female (MTF)/Transgender Female/Trans Woman. 407376001
(v) Genderqueer, neither exclusively male nor female.
446131000124102
(vi) Additional gender category or other, please specify.
NullFlavor OTH
(vii) Choose not to disclose. NullFlavor ASKU
(3) Standard. Sexual Orientation and Gender Identity must be coded
in accordance with, at a minimum, the version of SNOMED CT[supreg]
codes specified in paragraph (a)(1) of this section.
(4) Standard. Pronouns must be coded in accordance with, at a
minimum, the version of LOINC[supreg] codes specified in paragraph
(c)(1) of this section.
(p) Social, psychological, and behavioral data--(1) Financial
resource strain. Financial resource strain must be coded in accordance
with, at a minimum, the version of LOINC[supreg] codes specified in
paragraph (c)(1) of this section and attributed with the LOINC[supreg]
code 76513-1 and LOINC[supreg] answer list ID LL3266-5.
(2) Education. Education must be coded in accordance with, at a
minimum, the version of LOINC[supreg] codes specified in paragraph
(c)(1) of this section and attributed with LOINC[supreg] code 63504-5
and LOINC[supreg] answer list ID LL1069-5.
(3) Stress. Stress must be coded in accordance with, at a minimum,
the version of LOINC[supreg] codes specified in paragraph (c)(1) of
this section and attributed with the LOINC[supreg] code 76542-0 and
LOINC[supreg] answer list LL3267-3.
(4) Depression. Depression must be coded in accordance with, at a
minimum, the version of LOINC[supreg] codes specified in paragraph
(c)(1) of this section and attributed with LOINC[supreg] codes 55757-9,
44250-9 (with LOINC[supreg] answer list ID LL361-7), 44255-8 (with
LOINC[supreg] answer list ID LL361-7), and 55758-7 (with the answer
coded with the associated applicable unit of measure in the standard
specified in paragraph (m)(2) of this section).
(5) Physical activity. Physical activity must be coded in
accordance with, at a minimum, the version of LOINC[supreg] codes
specified in paragraph (c)(1) of this section and attributed with
LOINC[supreg] codes 68515-6 and 68516-4. The answers must be coded with
the associated applicable unit of measure in the standard specified in
paragraph (m)(2) of this section.
(6) Alcohol use. Alcohol use must be coded in accordance with, at a
minimum, the version of LOINC[supreg] codes specified in paragraph
(c)(1) of this section and attributed with LOINC[supreg] codes 72109-2,
68518-0 (with LOINC[supreg] answer list ID LL2179-1), 68519-8 (with
LOINC[supreg] answer list ID LL2180-9), 68520-6 (with LOINC[supreg]
answer list ID LL2181-7), and 75626-2 (with the answer coded with the
associated applicable unit of measure in the standard specified in
paragraph (m)(2) of this section).
[[Page 1428]]
(7) Social connection and isolation. Social connection and
isolation must be coded in accordance with, at a minimum, the version
of LOINC[supreg] codes specified in paragraph (c)(1) of this section
and attributed with the LOINC[supreg] codes 76506-5, 63503-7 (with
LOINC[supreg] answer list ID LL1068-7), 76508-1 (with the associated
applicable unit of measure in the standard specified in paragraph
(m)(2) of this section), 76509-9 (with the associated applicable unit
of measure in the standard specified in paragraph (m)(2) of this
section), 76510-7 (with the associated applicable unit of measure in
the standard specified in paragraph (m)(2) of this section), 76511-5
(with LOINC answer list ID LL963-0), and 76512-3 (with the associated
applicable unit of measure in the standard specified in paragraph
(m)(2) of this section).
(8) Exposure to violence (intimate partner violence). Exposure to
violence: Intimate partner violence must be coded in accordance with,
at a minimum, the version of LOINC[supreg] codes specified in paragraph
(c)(1) of this section and attributed with the LOINC[supreg] code
76499-3, 76500-8 (with LOINC[supreg] answer list ID LL963-0), 76501-6
(with LOINC[supreg] answer list ID LL963-0), 76502-4 (with
LOINC[supreg] answer list ID LL963-0), 76503-2 (with LOINC[supreg]
answer list ID LL963-0), and 76504-0 (with the associated applicable
unit of measure in the standard specified in paragraph (m)(2) of this
section).
* * * * *
(r) * * *
(2) Standard. Medicare Provider and Supplier Taxonomy Crosswalk,
2021 (incorporated by reference, see Sec. 170.299).
(s) * * *
(2) Standard. Public Health Data Standards Consortium Users Guide
for Source of Payment Typology, Version 9.2 (incorporated by reference,
see Sec. 170.299).
0
5. Amend Sec. 170.210 by revising paragraph (g) to read as follows:
Sec. 170.210 Standards for health information technology to protect
electronic health information created, maintained, and exchanged.
* * * * *
(g) Synchronized clocks. The date and time recorded utilize a
system clock that has been synchronized using any Network Time Protocol
(NTP) standard.
* * * * *
0
6. Revise Sec. 170.213 to read as follows:
Sec. 170.213 United States Core Data for Interoperability.
The Secretary adopts the following versions of the United States
Core Data for Interoperability standard:
(a) Standard. United States Core Data for Interoperability (USCDI),
July 2020 Errata, Version 1 (v1) (incorporated by reference, see Sec.
170.299). The adoption of this standard expires on January 1, 2026.
(b) Standard. United States Core Data for Interoperability Version
3 (USCDI v3) (incorporated by reference, see Sec. 170.299).
0
7. Revise Sec. 170.215 to read as follows:
Sec. 170.215 Application Programming Interface Standards.
The Secretary adopts the following standards and associated
implementation specifications as the available standards for
application programming interfaces (API):
(a) API base standard. The following are applicable for purposes of
standards-based APIs.
(1) Standard. HL7[supreg] Fast Healthcare Interoperability
Resources (FHIR[supreg]) Release 4.0.1 (incorporated by reference, see
Sec. 170.299).
(2) [Reserved]
(b) API constraints and profiles. The following are applicable for
purposes of constraining and profiling data standards.
(1) United States Core Data Implementation Guides--(i)
Implementation specification. HL7[supreg] FHIR[supreg] US Core
Implementation Guide STU 3.1.1 (incorporated by reference in Sec.
170.299). The adoption of this standard expires on January 1, 2026.
(ii) Implementation Specification. HL7[supreg] FHIR[supreg] US Core
Implementation Guide STU 6.1.0 (incorporated by reference, see Sec.
170.299).
(2) [Reserved]
(c) Application access and launch. The following are applicable for
purposes of enabling client applications to access and integrate with
data systems.
(1) Implementation specification. HL7[supreg] SMART Application
Launch Framework Implementation Guide Release 1.0.0, including
mandatory support for the ``SMART Core Capabilities'' (incorporated by
reference, see Sec. 170.299). The adoption of this standard expires on
January 1, 2026.
(2) Implementation specification. HL7[supreg] SMART App Launch
Implementation Guide Release 2.0.0, including mandatory support for the
``Capability Sets'' of ``Patient Access for Standalone Apps'' and
``Clinician Access for EHR Launch''; all ``Capabilities'' as defined in
``8.1.2 Capabilities,'' excepting the ``permission-online'' capability;
``Token Introspection'' as defined in ``7 Token Introspection''
(incorporated by reference, see Sec. 170.299).
(d) Bulk export and data transfer standards. The following are
applicable for purposes of enabling access to large volumes of
information on a group of individuals.
(1) Implementation specification. FHIR[supreg] Bulk Data Access
(Flat FHIR[supreg]) (v1.0.0: STU 1), including mandatory support for
the ``group-export'' ``OperationDefinition'' (incorporated by
reference, see Sec. 170.299).
(2) [Reserved]
(e) API authentication, security, and privacy. The following are
applicable for purposes of authorizing and authenticating client
applications.
(1) Standard. OpenID Connect Core 1.0, incorporating errata set 1
(incorporated by reference, see Sec. 170.299).
(2) [Reserved]
0
8. Amend Sec. 170.299 by:
0
a. Revising paragraph (a) and the introductory text of paragraph (d);
0
b. Adding paragraphs (d)(17) through (19);
0
c. Revising the introductory text of paragraph (e) and adding paragraph
(e)(6)
0
d. Removing paragraph (j) and redesignating paragraphs (f) through (i)
as paragraphs (g) through (j), respectively;
0
e. Adding new paragraph (f);
0
f. Revising the introductory text of newly redesignated paragraph (g)
and adding paragraphs (g)(35) through (40);
0
g. Revising the introductory text of paragraph (m) and adding paragraph
(m)(6);
0
h. Revising the introductory text of paragraph (o) and adding paragraph
(o)(2);
0
i. Revising the introductory text of paragraph (p) and adding
paragraphs (p)(5) and (6);
0
j. Revising the introductory text of paragraph (r) and adding
paragraphs (r)(8) and (9).
The revisions and additions read as follows:
Sec. 170.299 Incorporation by reference.
(a) Certain material is incorporated by reference into this part
with the approval of the Director of the Federal Register under 5
U.S.C. 552(b) and 1 CFR part 51. All approved incorporation by
reference (IBR) material is available for inspection at the U.S.
Department of Health and Human Services (HHS) and at the National
Archives and Records Administration (NARA). Contact HHS at: U.S.
Department of Health and
[[Page 1429]]
Human Services, Office of the National Coordinator for Health
Information Technology, 330 C Street SW, Washington, DC 20201; call
ahead to arrange for inspection at 202-690-7151. For information on the
availability of this material at NARA, visit www.archives.gov/federal-register/cfr/ibr-locations or email [email protected]. The
material may be obtained from the sources in the following paragraphs
of this section.
* * * * *
(d) Centers for Disease Control and Prevention, 2500 Century
Parkway, Mailstop E-78, Atlanta, GA 30333; phone: (800) 232-4636);
website: www.cdc.gov/cdc-info/index.html
* * * * *
(17) HL7[supreg] Standard Code Set CVX--Vaccines Administered,
dated June 15, 2022; IBR approved for Sec. 170.207(e).
(18) National Drug Code Directory (NDC)--Vaccine NDC Linker, dated
July 19, 2022; IBR approved for Sec. 170.207(e).
(19) CDC Race and Ethnicity Code Set version 1.2 (July 08, 2021);
IBR approved for Sec. 170.207(f).
(e) Centers for Medicare & Medicaid Services, Office of Clinical
Standards and Quality, 7500 Security Boulevard, Baltimore, Maryland
21244; phone: (410) 786-3000; website: www.cms.gov.
* * * * *
(6) Medicare Provider and Supplier Taxonomy Crosswalk, 2021; IBR
approved for Sec. 170.207(r).
(f) Council of State and Territorial Epidemiologists, 2635 Century
Parkway NE, Suite 700, Atlanta, GA 30345; phone: (770) 458-3811;
website: www.cste.org/
(1) Reportable Conditions Trigger Codes Value Set for Electronic
Case Reporting. RCTC OID: 2.16.840.1.114222.4.11.7508, Release March
29, 2022; IBR approved for Sec. 170.205(t).
(2) [Reserved]
(g) Health Level Seven, 3300 Washtenaw Avenue, Suite 227, Ann
Arbor, MI 48104; phone: (734) 677-7777; website: www.hl7.org/
* * * * *
(35) HL7 CDA[supreg] R2 Implementation Guide: C-CDA Templates for
Clinical Notes STU Companion Guide, Release 4.1 (US Realm) Standard for
Trial Use, Specification Version: 4.1.1, June 2023 (including
appendices A and B); IBR approved for Sec. 170.205(a).
(36) HL7 FHIR[supreg] Implementation Guide: Electronic Case
Reporting (eCR)--US Realm, Version 2.1.0--STU 2 US (HL7 FHIR eCR IG),
August 31, 2022; IBR approved for Sec. 170.205(t).
(37) HL7 CDA[supreg] R2 Implementation Guide: Public Health Case
Report--the Electronic Initial Case Report (eICR) Release 2, STU
Release 3.1--US Realm (HL7 CDA eICR IG), July 2022, volumes 1 and 2;
IBR approved for Sec. 170.205(t).
(38) HL7 CDA[supreg] R2 Implementation Guide: Reportability
Response, Release 1, STU Release 1.1--US Realm (HL7 CDA RR IG), July
2022, volumes 1 through 4; IBR approved for Sec. 170.205(t).
(39) HL7 FHIR US Core Implementation Guide Version 6.1.0--STU 6,
June 19, 2023; IBR approved for Sec. 170.215(b).
(40) HL7 FHIR[supreg] SMART App Launch [Implementation Guide],
2.0.0--Standard for Trial Use, November 26, 2021; IBR approved for
Sec. 170.215(c).
* * * * *
(m) Office of the National Coordinator for Health Information
Technology (ONC), 330 C Street SW, Washington, DC 20201; phone: (202)
690-7151; website: https://healthit.gov.
* * * * *
(6) United States Core Data for Interoperability (USCDI), Version 3
(v3), October 2022 Errata; IBR approved for Sec. 170.213(b).
* * * * *
(o) Public Health Data Standards Consortium, 111 South Calvert
Street, Suite 2700, Baltimore, MD 21202; phone: (801) 532-2299;
website: www.Ph.D.sc.org/.
* * * * *
(2) Users Guide for Source of Payment Typology, Version 9.2,
December 2020; IBR approved for Sec. 170.207(s).
(p) Regenstrief Institute, Inc., LOINC[supreg] c/o Regenstrief
Center for Biomedical Informatics, Inc., 410 West 10th Street, Suite
2000, Indianapolis, IN 46202-3012; phone: (317) 274-9000; website:
https://loinc.org/ and https://ucum.org/ucum.
* * * * *
(5) Logical Observation Identifiers Names and Codes (LOINC[supreg])
Database Version 2.72, February 2022; IBR approved for Sec.
170.207(c).
(6) The Unified Code for Units of Measure, Version 2.1, November
21, 2017; IBR approved for Sec. 170.207(m).
* * * * *
(r) U.S. National Library of Medicine, 8600 Rockville Pike,
Bethesda, MD 20894; phone (301) 594-5983; website: www.nlm.nih.gov/.
* * * * *
(8) SNOMED CT[supreg] [Systematized Nomenclature of Medicine
Clinical Terms] U.S. Edition, March 2022 Release; IBR approved for
Sec. 170.207(a).
(9) RxNorm, Full Update Release, July 5, 2022; IBR approved for
Sec. 170.207(d).
* * * * *
0
9. Amend Sec. 170.315 by:
0
a. Revising the section heading, introductory text, and paragraphs
(a)(5) paragraph heading, (a)(5)(i) introductory text, (a)(5)(i)(A)(1)
and (2), (a)(5)(i)(C), (D), and (E);
0
b. Adding paragraphs (a)(5)(i)(F), (G), and (H) and (a)(9)(vi);
0
c. Revising paragraphs (a)(12), (b)(1)(iii)(A)(1) and (2);
(b)(1)(iii)(B)(2), (b)(1)(iii)(G) introductory text, (b)(1)(iii)(G)(3),
(b)(2)(i) and (ii), (b)(2)(iii)(D), and (b)(2)(iv), (b)(3),
(b)(6)(ii)(B)(2), (b)(9)(ii);
0
d. Adding paragraph (b)(11);
0
e. Revising paragraphs (c)(4)(iii)(C), (E), (G), (H), and (I);
0
f. Revising paragraphs (e)(1)(i)(A)(1) and (2), (e)(1)(i)(B)(1) and
(2), and adding paragraph (e)(1)(iii);
0
g. Revising paragraphs (f)(1)(i)(B) and (C), (f)(3)(ii), (f)(4)(ii),
(f)(5); and
0
h. Revising paragraphs (g)(3) introductory text, (g)(6)(i)(A) and (B),
(g)(9)(i)(A)(1) and (2), (g)(10)(i)(A) and (B), (g)(10)(ii)(A) and (B),
(g)(10)(iv)(A) and (B), (g)(10)(v)(A)(1)(i), (ii) and (B), (2)(i) and
(ii), (g)(10)(vi), and (g)(10)(vii).
The revisions and additions read as follows:
Sec. 170.315 ONC Certification Criteria for Health IT.
The Secretary adopts the following certification criteria for
health IT. Health IT must be able to electronically perform the
following capabilities in accordance with applicable standards and
implementation specifications adopted in this part. For all criteria in
this section, a health IT developer with a Health IT Module certified
to any revised certification criterion, as defined in Sec. 170.102,
shall update the Health IT Module and shall provide such update to
their customers in accordance with the dates identified for each
revised certification criterion and for each applicable standard in 45
CFR part 170 subpart B.
(a) * * *
(5) Patient demographics and observations. (i) Enable a user to
record, change, and access patient demographic and observations data
including race, ethnicity, preferred language, sex, sex parameter for
clinical use, sexual orientation, gender identity, name to use,
pronouns, and date of birth.
(A) * * *
(1) Enable each one of a patient's races to be recorded in
accordance with, at a minimum, the standard specified in Sec.
170.207(f)(3) and whether a patient declines to specify race.
(2) Enable each one of a patient's ethnicities to be recorded in
accordance with, at a minimum, the standard
[[Page 1430]]
specified in Sec. 170.207(f)(3) and whether a patient declines to
specify ethnicity.
* * * * *
(C) Sex. Enable sex to be recorded in accordance with the standard
specified in Sec. 170.207(n)(1) for the period up to and including
December 31, 2025; or Sec. 170.207(n)(2).
(D) Sexual orientation. Enable sexual orientation to be recorded in
accordance with, at a minimum, the version of the standard specified in
Sec. 170.207(o)(1) for the period up to and including December 31,
2025; or Sec. 170.207(o)(3), as well as whether a patient declines to
specify sexual orientation.
(E) Gender identity. Enable gender identity to be recorded in
accordance with, at a minimum, the version of the standard specified in
Sec. 170.207(o)(2) for the period up to and including December 31,
2025; or Sec. 170.207(o)(3), as well as whether a patient declines to
specify gender identity.
(F) Sex Parameter for Clinical Use. Enable at least one sex
parameter for clinical use to be recorded in accordance with, at a
minimum, the version of the standard specified in Sec. 170.207(n)(3).
Conformance with this paragraph is required by January 1, 2026.
(G) Name to Use. Enable at least one preferred name to use to be
recorded. Conformance with this paragraph is required by January 1,
2026.
(H) Pronouns. Enable at least one pronoun to be recorded in
accordance with, at a minimum, the version of the standard specified in
Sec. 170.207(o)(4). Conformance with this paragraph is required by
January 1, 2026.
* * * * *
(9) * * *
(vi) Expiration of Criterion. The adoption of this criterion for
purposes of the ONC Health IT Certification Program expires on January
1, 2025.
* * * * *
(12) Family health history. Enable a user to record, change, and
access a patient's family health history in accordance with the
familial concepts or expressions included in, at a minimum, the version
of the standard in Sec. 170.207(a)(1).
* * * * *
(b) * * *
(1) * * *
(iii) * * *
(A) * * *
(1) The data classes expressed in the standards in Sec. 170.213
and in accordance with Sec. 170.205(a)(4), (5), and paragraphs
(b)(1)(iii)(A)(3)(i) through (iii) of this section for the time period
up to and including December 31, 2025, or
(2) The data classes expressed in the standards in Sec. 170.213
and in accordance with Sec. 170.205(a)(4), (6), and paragraphs
(b)(1)(iii)(A)(3)(i) through (iii) of this section, and
* * * * *
(B) * * *
(2) At a minimum, the version of the standard specified in Sec.
170.207(a)(1).
* * * * *
(G) Patient matching data. First name, last name, previous name,
middle name (including middle initial), suffix, date of birth, current
address, phone number, and sex. The following constraints apply:
* * * * *
(3) Sex Constraint: Represent sex with the standards adopted in
Sec. 170.207(n)(2).
(2) * * *
(i) General Requirements. Paragraphs (b)(2)(ii) and (iii) of this
section must be completed based on the receipt of a transition of care/
referral summary formatted in accordance with the standards adopted in
Sec. 170.205(a)(3) through (5) using the Continuity of Care Document,
Referral Note, and (inpatient setting only) Discharge Summary document
templates, for time period up to and including December 31, 2025; or in
accordance with the standards adopted in Sec. 170.205(a)(3), (4), (6).
(ii) Correct patient. Upon receipt of a transition of care/referral
summary formatted according to the standards adopted Sec.
170.205(a)(3) through (5) for the period up to and including December
31, 2025; or according to the standards adopted Sec. 170.205(a)(3),
(4), and (6), technology must be able to demonstrate that the
transition of care/referral summary received can be properly matched to
the correct patient.
(iii) * * *
(D) Upon a user's confirmation, automatically update the list, and
incorporate the following data expressed according to the specified
standards:
* * * * *
(iv) System verification. Based on the data reconciled and
incorporated, the technology must be able to create a file formatted
according to the standard specified in Sec. 170.205(a)(4) using the
Continuity of Care Document template and the standard specified in
paragraph (a)(5) of this section for the time period up to and
including December 31, 2025; or according to the standard specified in
Sec. 170.205(a)(4) using the Continuity of Care Document template and
the standard specified in paragraph (a)(6) of this section.
* * * * *
(3) * * *
(ii) * * *
(A) Enable a user to perform the following prescription-related
electronic transactions in accordance with the standard specified in
Sec. 170.205(b)(1) and, at a minimum, the version of the standard
specified in Sec. 170.207(d)(1) as follows:
(6) * * *
(ii) * * *
(B) * * *
(2) At a minimum, the version of the standard specified in Sec.
170.207(a)(1).
* * * * *
(9) * * *
(ii) The standard in Sec. 170.205(a)(5) for the time period up to
and including December 31, 2025; or Sec. 170.205(a)(6).
* * * * *
(11) Decision support interventions --
(i) Decision support intervention interaction. Interventions
provided to a user must occur when a user is interacting with
technology.
(ii) Decision support configuration. (A) Enable interventions
specified in paragraphs (b)(11)(iii) of this section to be configured
by a limited set of identified users based on a user's role.
(B) Enable interventions when a patient's medications, allergies
and intolerance, and problems are incorporated from a transition of
care or referral summary received and pursuant to paragraph
(b)(2)(iii)(D) of this section.
(C) Enable a user to provide electronic feedback data for evidence-
based decision support interventions selected via the capability
provided in paragraph (b)(11)(iii)(A) of this section and make
available such feedback data to a limited set of identified users for
export, in a computable format, including at a minimum the
intervention, action taken, user feedback provided (if applicable),
user, date, and location.
(iii) Decision support intervention selection. Enable a limited set
of identified users to select (i.e., activate) electronic decision
support interventions (in addition to drug-drug and drug-allergy
contraindication checking) that are:
(A) Evidence-based decision support interventions and use any data
based on the following data expressed in the standards in Sec.
170.213:
(1) Problems;
(2) Medications;
(3) Allergies and Intolerances;
(4) At least one demographic specified in paragraph (a)(5)(i) of
this section;
(5) Laboratory;
(6) Vital Signs;
(7) Unique Device Identifier(s) for a Patient's Implantable
Device(s); and
(8) Procedures.
(B) Predictive Decision Support Interventions and use any data
expressed in the standards in Sec. 170.213.
[[Page 1431]]
(iv) Source attributes. Source attributes listed in paragraphs
(b)(11)(iv)(A) and (B) of this section must be supported.
(A) For evidence-based decision support interventions:
(1) Bibliographic citation of the intervention (clinical research
or guideline);
(2) Developer of the intervention (translation from clinical
research or guideline);
(3) Funding source of the technical implementation for the
intervention(s) development;
(4) Release and, if applicable, revision dates of the intervention
or reference source;
(5) Use of race as expressed in the standards in Sec. 170.213;
(6) Use of ethnicity as expressed in the standards in Sec.
170.213;
(7) Use of language as expressed in the standards in Sec. 170.213;
(8) Use of sexual orientation as expressed in the standards in
Sec. 170.213;
(9) Use of gender identity as expressed in the standards in Sec.
170.213;
(10) Use of sex as expressed in the standards in Sec. 170.213;
(11) Use of date of birth as expressed in the standards in Sec.
170.213;
(12) Use of social determinants of health data as expressed in the
standards in Sec. 170.213; and
(13) Use of health status assessments data as expressed in the
standards in Sec. 170.213.
(B) For Predictive Decision Support Interventions:
(1) Details and output of the intervention, including:
(i) Name and contact information for the intervention developer;
(ii) Funding source of the technical implementation for the
intervention(s) development;
(iii) Description of value that the intervention produces as an
output; and
(iv) Whether the intervention output is a prediction,
classification, recommendation, evaluation, analysis, or other type of
output.
(2) Purpose of the intervention, including:
(i) Intended use of the intervention;
(ii) Intended patient population(s) for the intervention's use;
(iii) Intended user(s); and
(iv) Intended decision-making role for which the intervention was
designed to be used/for (e.g., informs, augments, replaces clinical
management).
(3) Cautioned out-of-scope use of the intervention, including:
(i) Description of tasks, situations, or populations where a user
is cautioned against applying the intervention; and
(ii) Known risks, inappropriate settings, inappropriate uses, or
known limitations.
(4) Intervention development details and input features, including
at a minimum:
(i) Exclusion and inclusion criteria that influenced the training
data set;
(ii) Use of variables in paragraphs (b)(11)(iv)(A)(5) through (13)
of this section as input features;
(iii) Description of demographic representativeness according to
variables in paragraphs (b)(11)(iv)(A)(5) through (13) of this section
including, at a minimum, those used as input features in the
intervention;
(iv) Description of relevance of training data to intended deployed
setting; and
(5) Process used to ensure fairness in development of the
intervention, including:
(i) Description of the approach the intervention developer has
taken to ensure that the intervention's output is fair; and
(ii) Description of approaches to manage, reduce, or eliminate
bias.
(6) External validation process, including:
(i) Description of the data source, clinical setting, or
environment where an intervention's validity and fairness has been
assessed, other than the source of training and testing data
(ii) Party that conducted the external testing;
(iii) Description of demographic representativeness of external
data according to variables in paragraph (b)(11)(iv)(A)(5)-(13)
including, at a minimum, those used as input features in the
intervention; and
(iv) Description of external validation process.
(7) Quantitative measures of performance, including:
(i) Validity of intervention in test data derived from the same
source as the initial training data;
(ii) Fairness of intervention in test data derived from the same
source as the initial training data;
(iii) Validity of intervention in data external to or from a
different source than the initial training data;
(iv) Fairness of intervention in data external to or from a
different source than the initial training data;
(v) References to evaluation of use of the intervention on
outcomes, including, bibliographic citations or hyperlinks to
evaluations of how well the intervention reduced morbidity, mortality,
length of stay, or other outcomes;
(8) Ongoing maintenance of intervention implementation and use,
including:
(i) Description of process and frequency by which the
intervention's validity is monitored over time;
(ii) Validity of intervention in local data;
(iii) Description of the process and frequency by which the
intervention's fairness is monitored over time;
(iv) Fairness of intervention in local data; and
(9) Update and continued validation or fairness assessment
schedule, including:
(i) Description of process and frequency by which the intervention
is updated; and
(ii) Description of frequency by which the intervention's
performance is corrected when risks related to validity and fairness
are identified.
(v) Source attribute access and modification. (A) Access. (1) For
evidence-based decision support interventions and Predictive Decision
Support Interventions supplied by the health IT developer as part of
its Health IT Module, the Health IT Module must enable a limited set of
identified users to access complete and up-to-date plain language
descriptions of source attribute information specified in paragraphs
(b)(11)(iv)(A) and (B) of this section.
(2) For Predictive Decision Support Interventions supplied by the
health IT developer as part of its Health IT Module, the Health IT
Module must indicate when information is not available for review for
source attributes in paragraphs (b)(11)(iv)(B)(6);
(b)(11)(iv)(B)(7)(iii), (iv), and (v); (b)(11)(iv)(B)(8)(ii) and (iv);
and (b)(11)(iv)(B)(9) of this section.
(B) Modify. (1) For evidence-based decision support interventions
and Predictive Decision Support Interventions, the Health IT Module
must enable a limited set of identified users to record, change, and
access source attributes in paragraphs (b)(11)(iv)(A) and (B) of this
section.
(2) For Predictive Decision Support Interventions, the Health IT
Module must enable a limited set of identified users to record, change,
and access additional source attributes not specified in paragraph
(b)(11)(iv)(B) of this section.
(vi) Intervention risk management. Intervention risk management
practices must be applied for each Predictive Decision Support
Intervention supplied by the health IT developer as part of its Health
IT Module.
(A) Risk analysis. The Predictive Decision Support Intervention(s)
must be subject to analysis of potential risks and adverse impacts
associated with the following characteristics: validity, reliability,
robustness, fairness,
[[Page 1432]]
intelligibility, safety, security, and privacy.
(B) Risk mitigation. The Predictive Decision Support Intervention
(s) must be subject to practices to mitigate risks, identified in
accordance with paragraph (b)(11)(vi)(A) of this section; and
(C) Governance. The Predictive Decision Support Intervention(s)
must be subject to policies and implemented controls for governance,
including how data are acquired, managed, and used.
(c) * * *
(4) * * *
(iii) * * *
(C) Provider type in accordance with, at a minimum, the standard
specified in Sec. 170.207(r)(2).
* * * * *
(E) Patient insurance in accordance with the standard specified in
Sec. 170.207(s)(2).
* * * * *
(G) Patient sex in accordance with the version of the standard
specified in Sec. 170.207(n)(2).
(H) Patient race and ethnicity in accordance with, at a minimum,
the version of the standard specified in Sec. 170.207(f)(3).
(I) Patient problem list data in accordance with, at a minimum, the
version of the standard specified in Sec. 170.207(a)(1).
(e) * * *
(1) * * *
(i) * * *
(A) * * *
(1) The data classes expressed in the standards in Sec. 170.213
(which should be in their English (i.e., non-coded) representation if
they associate with a vocabulary/code set), and in accordance with
Sec. 170.205(a)(4) and (a)(5), and paragraphs (e)(1)(i)(A)(3)(i)
through (iii) of this section for the time period up to and including
December 31, 2025, or
(2) The data classes expressed in the standards in Sec. 170.213
(which should be in their English (i.e., non-coded) representation if
they associate with a vocabulary/code set), and in accordance with
Sec. 170.205(a)(4) and (a)(6), and paragraphs (e)(1)(i)(A)(3)(i)
through (iii) of this section.
* * * * *
(B) * * *
(1) Patients (and their authorized representatives) must be able to
use technology to download an ambulatory summary or inpatient summary
(as applicable to the health IT setting for which certification is
requested) in the following formats:
(i) Human readable format; and
(ii) The format specified in accordance with the standard specified
in Sec. 170.205(a)(4) and (5) for the time period up to and including
December 31, 2025, or Sec. 170.205(a)(4) and (6), and following the
CCD document template.
(2) When downloaded according to the standard specified in Sec.
170.205(a)(4) through (6) following the CCD document template, the
ambulatory summary or inpatient summary must include, at a minimum, the
following data (which, for the human readable version, should be in
their English representation if they associate with a vocabulary/code
set):
* * * * *
(iii) Request for restrictions. Patients (and their authorized
representatives) must be able to use an internet-based method to
request a restriction to be applied for any data expressed in the
standards in Sec. 170.213. Conformance with this paragraph is required
by January 1, 2026.
* * * * *
(f) * * *
(1) * * *
(i) * * *
(B) At a minimum, the version of the standard specified in Sec.
170.207(e)(1) for historical vaccines.
(C) At a minimum, the version of the standard specified in Sec.
170.207(e)(2) for administered vaccines.
(3) * * *
(ii) At a minimum, the versions of the standards specified in Sec.
170.207(a)(1) and (c)(1).
(4) * * *
(ii) At a minimum, the versions of the standards specified in Sec.
170.207(a)(1) and (c)(1).
(5) Transmission to public health agencies--electronic case
reporting. Enable a user to create a case report for electronic
transmission meeting the requirements described in paragraphs (f)(5)(i)
of this section for the time period up to and including December 31,
2025; or the requirements described in paragraph (f)(5)(ii) of this
section.
(i) Functional electronic case reporting. A Health IT Module must
enable a user to create a case report for electronic transmission in
accordance with the following:
(A) Consume and maintain a table of trigger codes to determine
which encounters may be reportable.
(B) Match a patient visit or encounter to the trigger code based on
the parameters of the trigger code table.
(C) Case report creation. Create a case report for electronic
transmission:
(1) Based on a matched trigger from paragraph (f)(5)(i)(B).
(2) That includes, at a minimum:
(i) The data classes expressed in the standards in Sec. 170.213.
(ii) Encounter diagnoses formatted according to at least one of the
standards specified in Sec. 170.207(i) or Sec. 170.207(a)(1).
(iii) The provider's name, office contact information, and reason
for visit.
(iv) An identifier representing the row and version of the trigger
table that triggered the case report.
(ii) Standards-based electronic case reporting. A Health IT Module
must enable a user to create a case report for electronic transmission
in accordance with the following:
(A) Consume and process case reporting trigger codes and identify a
reportable patient visit or encounter based on a match from the
Reportable Conditions Trigger Code value set in Sec. 170.205(t)(4).
(B) Create a case report consistent with at least one of the
following standards:
(1) The eICR profile of the HL7 FHIR eCR IG in Sec. 170.205(t)(1);
or
(2) The HL7 CDA eICR IG in Sec. 170.205(t)(2).
(C) Receive, consume, and process a case report response that is
formatted to either the reportability response profile of the HL7 FHIR
eCR IG in Sec. 170.205(t)(1) or the HL7 CDA RR IG in Sec.
170.205(t)(3) as determined by the standard used in (f)(5)(ii)(B) of
this section.
(D) Transmit a case report electronically to a system capable of
receiving a case report.
* * * * *
(g) * * *
(3) Safety-enhanced design. User-centered design processes must be
applied to each capability technology includes that is specified in the
following certification criteria: paragraphs (a)(1) through (5), (9)
until the criterion's expiration date, and (14), and (b)(2), (3), and
(11) of this section.
* * * * *
(6) * * *
(i) * * *
(A) The data classes expressed in the standards in Sec. 170.213 in
accordance with Sec. 170.205(a)(4) and (a)(5) and paragraphs
(g)(6)(i)(C)(1) through (4) of this section for the time period up to
and including December 31, 2025; or
(B) The data classes expressed in the standards in Sec. 170.213,
and in accordance with Sec. 170.205(a)(4) and (6) and paragraphs
(g)(6)(i)(C)(1) through (3) of this section.
* * * * *
(9) * * *
(i) * * *
(A) * * *
(1) Respond to requests for patient data (based on an ID or other
token) for all of the data classes expressed in the
[[Page 1433]]
standards in Sec. 170.213 at one time and return such data (according
to the specified standards, where applicable) in a summary record
formatted in accordance with Sec. 170.205(a)(4) and (5) following the
CCD document template, and as specified in paragraphs
(g)(9)(i)(A)(3)(i) through (iv) of this section for the time period up
to and including December 31, 2025; or
(2) Respond to requests for patient data (based on an ID or other
token) for all of the data classes expressed in the standards in Sec.
170.213 at one time and return such data (according to the specified
standards, where applicable) in a summary record formatted in
accordance with Sec. 170.205(a)(4) and (6) following the CCD document
template, and as specified in paragraphs (g)(9)(i)(A)(3)(i) through
(iv) of this section.
* * * * *
(10) * * *
(i) * * *
(A) Respond to requests for a single patient's data according to
the standards and implementation specifications adopted in 170.215(a)
and in Sec. 170.215(b)(1), including the mandatory capabilities
described in ``US Core Server CapabilityStatement,'' for each of the
data included in the standards adopted in Sec. 170.213. All data
elements indicated as ``mandatory'' and ``must support'' by the
standards and implementation specifications must be supported.
(B) Respond to requests for multiple patients' data as a group
according to the standards and implementation specifications adopted in
Sec. 170.215(a), (b)(1), and (d), for each of the data included in the
standards adopted in Sec. 170.213. All data elements indicated as
``mandatory'' and ``must support'' by the standards and implementation
specifications must be supported.
(ii) * * *
(A) Respond to search requests for a single patient's data
consistent with the search criteria included in the implementation
specifications adopted in Sec. 170.215(b)(1), specifically the
mandatory capabilities described in ``US Core Server
CapabilityStatement.''
(B) Respond to search requests for multiple patients' data
consistent with the search criteria included in the implementation
specification adopted in Sec. 170.215(d).
* * * * *
(iv) * * *
(A) Establish a secure and trusted connection with an application
that requests data for patient and user scopes in accordance with the
implementation specifications adopted in Sec. 170.215(b)(1) and (c).
(B) Establish a secure and trusted connection with an application
that requests data for system scopes in accordance with the
implementation specification adopted in Sec. 170.215(d).
* * * * *
(v) * * *
(A) * * *
(1) * * *
(i) Authentication and authorization must occur during the process
of granting access to patient data in accordance with the
implementation specification adopted in Sec. 170.215(c) and standard
adopted in Sec. 170.215(e).
(ii) A Health IT Module's authorization server must issue a refresh
token valid for a period of no less than three months to applications
using the ``confidential app'' profile according to an implementation
specification adopted in Sec. 170.215(c).
* * * * *
(B) Authentication and authorization for system scopes.
Authentication and authorization must occur during the process of
granting an application access to patient data in accordance with the
``SMART Backend Services: Authorization Guide'' section of the
implementation specification adopted in Sec. 170.215(d) and the
application must be issued a valid access token.
(2) * * *
(i) Access must be granted to patient data in accordance with the
implementation specification adopted in Sec. 170.215(c) without
requiring re-authorization and re-authentication when a valid refresh
token is supplied by the application.
(ii) A Health IT Module's authorization server must issue a refresh
token valid for a new period of no less than three months to
applications using the ``confidential app'' profile according to an
implementation specification adopted in Sec. 170.215(c).
* * * * *
(vi) Patient authorization revocation. A Health IT Module's
authorization server must be able to revoke and must revoke an
authorized application's access at a patient's direction within 1 hour
of the request.
(vii) Token introspection. A Health IT Module's authorization
server must be able to receive and validate tokens it has issued in
accordance with an implementation specification in Sec. 170.215(c).
* * * * *
0
10. Amend Sec. 170.402 by adding paragraphs (a)(5), and (b)(3) and (4)
to read as follows:
Sec. 170.402 Assurances.
(a) * * *
(5) A health IT developer must not inhibit its customer's timely
access to interoperable health IT certified under the Program.
(b) * * *
(3)(i) Update. A health IT developer must update a Health IT
Module, once certified to a certification criterion adopted in Sec.
170.315, to all applicable revised certification criteria, including
the most recently adopted capabilities and standards included in the
revised certification criterion.
(ii) Provide. A health IT developer must provide all Health IT
Modules certified to a revised certification criterion, including the
most recently adopted capabilities and standards included in the
revised certification criterion, to its customers of such certified
health IT.
(iii) Timeliness. A health IT developer must complete the actions
specified in paragraphs (b)(3)(i) and (ii) of this section:
(A) Consistent with the timeframes specified in part 170; or
(B) If the developer obtains new customers of health IT certified
to the revised criterion after the effective date of the final rule
adopting the revised criterion or criteria, then the health IT
developer must provide the health IT certified to the revised criterion
to such customers within whichever of the following timeframes that
expires last:
(1) The timeframe provided in paragraph (b)(3)(iii)(A) of this
section; or
(2) No later than 12 months after the purchasing or licensing
relationship has been established between the health IT developer and
the new customer for the health IT certified to the revised criterion.
(4) For developers of Health IT Modules certified to Sec.
170.315(b)(11), starting January 1, 2025, and on an ongoing basis
thereafter, review and update as necessary source attribute information
in Sec. 170.315(b)(11)(iv)(A) and (B), intervention risk management
practices described in Sec. 170.315(b)(11)(vi), and summary
information provided through Sec. 170.523(f)(1)(xxi).
0
11. Amend Sec. 170.404 by revising paragraph (b)(2) to read as
follows:
Sec. 170.404 Application programming interfaces.
* * * * *
(b) * * *
(2) Service base URL publication. For all Health IT Modules
certified to Sec. 170.315(g)(10), a Certified API Developer must
publish, at no charge, the service base URLs and related organization
details that can be used by patients to access their electronic health
[[Page 1434]]
information, by December 31, 2024. This includes all customers
regardless of whether the Health IT Modules certified to Sec.
170.315(g)(10) are centrally managed by the Certified API Developer or
locally deployed by an API Information Source. These service base URLs
and organization details must conform to the following:
(i) Service base URLs must be publicly published in Endpoint
resource format according to the standard adopted in Sec. 170.215(a).
(ii) Organization details for each service base URL must be
publicly published in Organization resource format according to the
standard adopted in Sec. 170.215(a). Each Organization resource must
contain:
(A) A reference, in the Organization.endpoint element, to the
Endpoint resources containing service base URLs managed by this
organization.
(B) The organization's name, location, and facility identifier.
(iii) Endpoint and Organization resources must be:
(A) Collected into a Bundle resource formatted according to the
standard adopted in Sec. 170.215(a) for publication; and
(B) Reviewed quarterly and, as necessary, updated.
* * * * *
0
12. Amend Sec. 170.405 by:
0
a. Revising paragraphs (a) and (b)(2)(ii); and
0
b. Removing and reserving paragraphs (b)(3) through (7) and (b)(10).
The revisions read as follows:
Sec. 170.405 Real world testing.
(a) Condition of Certification requirement. A health IT developer
with one or more Health IT Module(s) certified to any one or more of
the ONC Certification Criteria for Health IT in Sec. 170.315(b),
(c)(1) through (3), (e)(1), (f), (g)(7) through (10), and (h) must
successfully test the real world use of those Health IT Module(s) for
interoperability (as defined in 42 U.S.C. 300jj(9) and Sec. 170.102)
in the type of setting in which such Health IT Module(s) would be/is
marketed.
(b) * * *
(2) * * *
(ii) For real world testing activities conducted during the
immediately preceding calendar year, a health IT developer must submit
to its ONC-ACB an annual real world testing results report addressing
each of its certified Health IT Modules that include certification
criteria referenced in paragraph (a) of this section by a date
determined by the ONC-ACB that enables the ONC-ACB to publish a
publicly available hyperlink to the results report on CHPL no later
than March 15 of each calendar year, beginning in 2023. For certified
Health IT Modules included in paragraph (a) of this section that are
updated using Inherited Certified Status after August 31 of the year in
which the plan is submitted, a health IT developer must include the
newer version of the certified Health IT Module(s) in its annual real
world testing results report. The real world testing results must
report the following for each of the certification criteria identified
in paragraph (a) of this section that are included in the Health IT
Module's scope of certification:
* * * * *
0
13. Add Sec. 170.407 to read as follows:
Sec. 170.407 Insights Condition and Maintenance of Certification.
(a) Condition of Certification. (1) Measure responses. A health IT
developer must submit (to the independent entity designated by the
Secretary) for each reporting period pursuant to paragraph (b) of this
section:
(i) Responses for the measures specified in this section, which
must include:
(A) Data aggregated at the product level (across versions);
(B) Documentation related to the data sources and methodology used
to generate measures; and
(C) Percentage of total customers (e.g., hospital sites, individual
clinician users) represented in provided data; or
(ii) A response (attestation) that it does not:
(A) Meet the minimum reporting qualifications requirement in
paragraph (a)(2) of this section; or
(B) Have health IT certified to the certification criteria
specified in each measure in paragraphs (a)(3)(i) through (vii) of this
section; or
(C) Have any users using the certified health IT specified in each
measure in paragraphs (a)(3)(i) through (vii) of this section during
the reporting period.
(2) Minimum reporting qualifications requirement. At least 50
hospital sites or 500 individual clinician users across the developer's
certified health IT.
(3) Measures. (i) Individuals' access to electronic health
information through certified health IT. If a health IT developer has a
Health IT Module certified to Sec. 170.315(e)(1) or (g)(10) or both,
then the health IT developer must submit responses for the number of
unique individuals who access electronic health information (EHI)
overall and by different methods of access through certified health IT.
(ii) Consolidated clinical document architecture (C-CDA) problems,
medications, and allergies reconciliation and incorporation through
certified health IT. If a health IT developer has a Health IT Module
certified to Sec. 170.315(b)(2), then the health IT developer must
submit responses for:
(A) Encounters;
(B) Unique patients with an encounter;
(C) C-CDA documents obtained (unique and overall); and
(D) C-CDA documents reconciled and incorporated both through manual
and automated processes.
(iii) Applications supported through certified health IT. If a
health IT developer has a Health IT Module certified to Sec.
170.315(g)(10), then the health IT developer must submit responses on
how their certified health IT is supporting the application ecosystem,
by providing the following information for applications that are
connected to their certified health IT including:
(A) Application Name(s);
(B) Application Developer Name(s);
(C) Intended Purpose(s) of Application;
(D) Intended Application User(s); and
(E) Application Status.
(iv) Use of FHIR in apps through certified health IT. (i) If a
health IT developer has a Health IT Module certified to Sec.
170.315(g)(10), then the health IT developer must submit responses on
the number of requests made to distinct certified health IT deployments
that returned FHIR resources, number of distinct of certified health IT
deployments active at any time, the number of distinct deployments
active at any time that returned FHIR resources in response to API
calls from apps connected to certified health IT, including stratifying
responses by the following:
(A) User type;
(B) FHIR resource; and
(C) US Core Implementation Guide version.
(v) Use of FHIR bulk data access through certified health IT. (i)
If a health IT developer has a Health IT Module certified to Sec.
170.315(g)(10), then the health IT developer must submit responses for
the total number of FHIR bulk data access requests completed through
the certified health IT, and the number of distinct deployments of the
certified health IT active at any time overall, and by whether at least
one bulk data download request was completed.
(vi) Immunization administrations electronically submitted to
immunization information systems
[[Page 1435]]
through certified health IT. (i) If a health IT developer has a Health
IT Module certified to Sec. 170.315(f)(1), then the health IT
developer must submit responses for the use of certified health IT to
electronically send immunizations administered to immunization
information systems (IIS), including stratifying responses based on the
following subgroups:
(A) IIS; and
(B) Age group.
(vii) Immunization history and forecasts through certified health
IT. (i) If a health IT developer has a Health IT Module certified to
Sec. 170.315(f)(1), then the health IT developer must submit responses
for the use of certified health IT to query immunization history and
forecast information from immunization information systems (IIS),
including stratifying responses based on the following subgroup:
(A) IIS.
(B) [Reserved]
(b) Maintenance of Certification. (1) A health IT developer must
provide responses to the Insights Condition of Certification specified
in paragraph (a) of this section annually for any Health IT Module that
has or has had an active certification at any time under the ONC Health
IT Certification Program during the prior six months:
(i) A health IT developer must provide responses for measures
specified in:
(A) Paragraphs (a)(3)(i), (iii), (iv)(A) and (B), and (vi) of this
section beginning July 2027;
(B) Paragraphs (a)(3)(ii)(A) through (C), (iv)(C), (v), (vi)(A) and
(B), and (vii) of this section beginning July 2028; and
(C) Paragraph (a)(3)(ii)(D), (vii)(A) of this section beginning
July 2029.
(2) [Reserved]
0
14. Amend Sec. 170.523 by:
0
a. Revising paragraph (f)(1) introductory text and adding paragraph
(f)(1)(xxi);
0
b. Revising paragraphs (g)(1), (k)(1)(i) and (ii); and
0
c. Adding paragraph (u).
The revisions and addition read as follows:
Sec. 170.523 Principles of proper conduct for ONC-ACBs.
* * * * *
(f) * * *
(1) For the ONC Certification Criteria for Health IT:
* * * * *
(xxi) Where applicable, summary information of the intervention
risk management practices listed in Sec. 170.315(b)(11)(vi) is
submitted by the health IT developer via publicly accessible hyperlink
that allows any person to access the summary information directly
without any preconditions or additional steps.
* * * * *
(g) * * *
(1) Retain all records related to the certification of Health IT
Modules to the ONC Certification Criteria for Health IT beginning with
the codification of those certification criteria in the Code of Federal
Regulations through a minimum of 3 years after the end of calendar year
that included the effective date of the removal of those certification
criteria from the Code of Federal Regulations; and
* * * * *
(k) * * *
(1) * * *
(i) The disclaimer ``This Health IT Module is compliant with the
ONC Certification Criteria for Health IT and has been certified by an
ONC-ACB in accordance with the applicable certification criteria
adopted by the Secretary of Health and Human Services. This
certification does not represent an endorsement by the U.S. Department
of Health and Human Services.''
(ii) For a Health IT Module certified to the ONC Certification
Criteria for Health IT, the information specified by paragraphs
(f)(1)(i), (vi) through (viii), (xv), and (xvi) of this section as
applicable for the specific Health IT Module.
* * * * *
(u) Insights. Confirm that developers of certified health IT submit
responses for Insights Conditions and Maintenance of Certification
requirements in accordance with Sec. 170.407.
0
15. Amend Sec. 170.524 by revising paragraph (f)(1) to read as
follows:
Sec. 170.524 Principles of proper conduct for ONC-ATLs.
* * * * *
(f) * * *
(1) Retain all records related to the testing of Health IT Modules
to the ONC Certification Criteria for Health IT beginning with the
codification of those certification criteria in the Code of Federal
Regulations through a minimum of three years after the end of calendar
year that included the effective date of the removal of those
certification criteria from the Code of Federal Regulations; and
* * * * *
0
16. Amend Sec. 170.550 by revising paragraphs (g) introductory text
and (m) introductory text to read as follows:
Sec. 170.550 Health IT Module certification.
* * * * *
(g) Health IT Module dependent criteria. When certifying a Health
IT Module to the ONC Certification Criteria for Health IT, an ONC-ACB
must certify the Health IT Module in accordance with the certification
criteria at:
* * * * *
(m) Time-limited certification and certification status for certain
ONC Certification Criteria for Health IT. An ONC-ACB may only issue a
certification to a Health IT Module and permit continued certified
status for:
* * * * *
PART 171--INFORMATION BLOCKING
0
17. The authority citation for part 171 continues to read as follows:
Authority: 42 U.S.C. 300jj-52; 5 U.S.C. 552.
0
18. Amend Sec. 171.102 by
0
a. Adding, in alphabetical order, the definition of ``Business
associate'';
0
b. Revising the definition of ``Health IT developer of certified health
IT''; and
0
c. Adding, in alphabetical order, the definition of ``Offer health
information technology or offer health IT''.
The additions and revision read as follows:
Sec. 171.102 Definitions
* * * * *
Business associate is defined as it is in 45 CFR 160.103.
* * * * *
Health IT developer of certified health IT means an individual or
entity, other than a health care provider that self-develops health IT
that is not offered to others, that develops or offers health
information technology (as that term is defined in 42 U.S.C. 300jj(5)),
and which has, at the time it engages in a practice that is the subject
of an information blocking claim, one or more Health IT Modules
certified under a program for the voluntary certification of health
information technology that is kept or recognized by the National
Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT
Certification Program).
* * * * *
Offer health information technology or offer health IT means to
hold out for sale, resale, license, or relicense or to sell, resell,
license, relicense, or otherwise provide or supply health information
technology (as that term is defined in 42 U.S.C. 300jj(5) and where
such health information technology includes one or more Health IT
Modules certified under the ONC Health IT Certification Program) for
deployment by or for other individual(s) or entity(ies) under any
arrangement
[[Page 1436]]
except an arrangement consistent with subparagraph (3)(iii), below.
Activities and arrangements described in subparagraphs (1) through (3)
are considered to be excluded from what it means to offer health IT.
(1) Donation and subsidized supply arrangements are not considered
offerings when an individual or entity donates, gives, or otherwise
makes available funding to subsidize or fully cover the costs of a
health care provider's acquisition, augmentation, or upkeep of health
IT, provided such individual or entity offers and makes such subsidy
without condition(s) limiting the interoperability or use of the
technology to access, exchange or use electronic health information for
any lawful purpose.
(2) Implementation and use activities conducted by an individual or
entity as follows:
(i) Issuing user accounts or login credentials to the individual's
or entity's employees in the course of their employment or contractors
within the scope of their contract in order for such employees or
contractors to: use, operate, implement, configure, test, maintain,
update or upgrade, or to give or receive training on, the individual's
or entity's health IT system(s) or specific application(s) within such
system(s).
(ii) Implementing, operating, or otherwise making available
production instances of application programming interface (API)
technology that supports access, exchange, and use of electronic health
information that the individual or entity has in its possession,
custody, control, or ability to query or transmit from or across a
health information network or health information exchange.
(iii) Implementing, operating, and making available production
instances of online portals for patients, clinicians or other health
care providers, or public health entities to access, exchange, and use
electronic health information that the individual or entity has in its
possession, custody, control, or ability to query or transmit from or
across a health information network or health information exchange.
(iv) Issuing login credentials or user accounts for the
individual's or entity's production, development, or testing
environments to public health authorities, or such authorities'
employees or contractors, as a means of accomplishing or facilitating
access, exchange, and use of electronic health information for public
health purposes including but not limited to syndromic surveillance.
(v) Issuing login credentials or user accounts for independent
healthcare professionals who furnish services in a healthcare facility
to use the facility's electronic health record or other health IT
system(s) in: furnishing, documenting, and accurately billing for care
furnished in the facility; participating in clinical education or
improvement activities conducted by or in the healthcare facility; or
receiving training in use of the healthcare facility's health IT
system(s).
(3) Consulting and legal services arrangements as follows:
(i) Legal services furnished by outside counsel--when furnishing
legal services to a client in any matter or matters pertaining to the
client's seeking, assessing, selecting, or resolving disputes over
contracts or other arrangements by which the client obtains use of
certified health IT. Outside counsel also does not offer health IT when
facilitating limited access or use of a client's health IT by
independent expert witnesses engaged by the outside counsel, opposing
parties' counsel and experts, and special masters and court personnel,
as appropriate to legal discovery.
(ii) Health IT consultant assistance with selection,
implementation, and use of health IT --furnished to a health IT
customer or user to help the customer do (or to do on behalf of a
customer) any or all of the following with respect to any health IT
product that the consultant does not sell or resell, license or
relicense, or otherwise supply to the customer under any arrangement on
a commercial basis or otherwise:
(A) Define the business needs of the customer or user or evaluate
health IT product(s) against such business needs, or both;
(B) Negotiate for the purchase, lease, license, or other
arrangement under which the health IT product(s) will be used; or
(C) Oversee or carry out configuration, implementation, or
operation of health IT product(s).
(iii) Comprehensive and predominantly non-health IT administrative
or operations management services--when an individual or entity
furnishes a health care provider with administrative or operational
management consultant services and the consultant acts as the agent of
the provider or otherwise acts on behalf of the provider in dealings
with one or more health IT developer(s) or vendor(s), or managing the
day-to-day operations and administrative duties for the health IT, or
both. To be consistent with this subparagraph, such services must be
furnished as part of a comprehensive array of predominantly non-health
IT administrative and operational functions that would otherwise be
executed by the health care provider.
* * * * *
0
19. Revise Sec. 171.103 to read as follows:
Sec. 171.103 Information blocking.
(a) Information blocking means a practice that except as required
by law or covered by an exception set forth in subparts B, C, or D of
this part, is likely to interfere with access, exchange, or use of
electronic health information; and
(b) If conducted by:
(1) A health IT developer of certified health IT, health
information network or health information exchange, such developer,
network or exchange knows, or should know, that such practice is likely
to interfere with access, exchange, or use of electronic health
information; or
(2) A health care provider, such provider knows that such practice
is unreasonable and is likely to interfere with access, exchange, or
use of electronic health information.
0
20. Amend Sec. 171.204 by revising paragraphs (a)(1) and (3) and
adding paragraphs (a)(4) and (5) to read as follows:
Sec. 171.204 Infeasibility exception--When will an actor's practice
of not fulfilling a request to access, exchange, or use electronic
health information due to the infeasibility of the request not be
considered information blocking?
* * * * *
(a) * * *
(1) Uncontrollable events. The actor cannot fulfill the request for
access, exchange, or use of electronic health information because of a
natural or human-made disaster, public health emergency, public safety
incident, war, terrorist attack, civil insurrection, strike or other
labor unrest, telecommunication or internet service interruption, or
act of military, civil or regulatory authority that in fact negatively
impacts the actor's ability to fulfill the request.
* * * * *
(3) Third party seeking modification use. The request is to enable
use of EHI in order to modify EHI provided that the request for such
use is not from a health care provider requesting such use from an
actor that is its business associate.
(4) Manner exception exhausted. The actor is unable to fulfill a
request for access, exchange, or use of electronic health information
because paragraphs (a)(4)(i), (ii), and (iii) of this section are all
true; and the actor complied with paragraph (a)(4)(iv) of this section.
[[Page 1437]]
(i) The actor could not reach agreement with a requestor in
accordance with Sec. 171.301(a) or was technically unable to fulfill a
request for electronic health information in the manner requested.
(ii) The actor offered at least two alternative manners in
accordance with Sec. 171.301(b), one of which must use either
technology certified to standard(s) adopted in part 170 (Sec.
171.301(b)(1)(i)) or published content and transport standards
consistent with Sec. 171.301(b)(1)(ii).
(iii) The actor does not provide the same access, exchange, or use
of the requested electronic health information to a substantial number
of individuals or entities that are similarly situated to the
requester.
(iv) In determining whether a requestor is similarly situated under
paragraph (a)(4)(iii), an actor shall not discriminate based on:
(A) Whether the requestor is an individual as defined in Sec.
171.202(a)(2)
(B) The health care provider type and size; and
(C) Whether the requestor is a competitor of the actor or whether
providing such access, exchange, or use, would facilitate competition
with the actor.
(5) Infeasible under the circumstances. (i) The actor demonstrates,
prior to responding to the request pursuant to paragraph (b) of this
section, through a contemporaneous written record or other
documentation, its consistent and non-discriminatory consideration of
the following factors that led to its determination that complying with
the request would be infeasible under the circumstances:
(A) The type of electronic health information and the purposes for
which it may be needed;
(B) The cost to the actor of complying with the request in the
manner requested;
(C) The financial and technical resources available to the actor;
(D) Whether the actor's practice is non-discriminatory and the
actor provides the same access, exchange, or use of electronic health
information to its companies or to its customers, suppliers, partners,
and other persons with whom it has a business relationship;
(E) Whether the actor owns or has control over a predominant
technology, platform, health information exchange, or health
information network through which electronic health information is
accessed or exchanged; and
(F) Why the actor was unable to provide access, exchange, or use of
electronic health information consistent with the exception in Sec.
171.301.
(ii) In determining whether the circumstances were infeasible under
paragraph (a)(3)(i) of this section, it shall not be considered whether
the manner requested would have:
(A) Facilitated competition with the actor; or
(B) Prevented the actor from charging a fee or resulted in a
reduced fee.
* * * * *
0
21. Revise Sec. 171.301 to read as follows:
Sec. 171.301 Manner exception--When will an actor's practice of
limiting the manner in which it fulfills a request to access, exchange,
or use electronic health information not be considered information
blocking?
An actor's practice of limiting the manner in which it fulfills a
request to access, exchange, or use electronic health information will
not be considered information blocking when the practice follows the
conditions of this section.
(a) Manner requested. (1) An actor must fulfill a request for
electronic health information in any manner requested, unless the actor
is technically unable to fulfill the request or cannot reach agreeable
terms with the requestor to fulfill the request in the manner
requested.
(2) If an actor fulfills a request for electronic health
information in any manner requested:
(i) Any fees charged by the actor in relation to fulfilling the
request are not required to satisfy the exception in Sec. 171.302; and
(ii) Any license of interoperability elements granted by the actor
in relation to fulfilling the request is not required to satisfy the
exception in Sec. 171.303.
(b) Alternative manner. If an actor does not fulfill a request for
electronic health information in any manner requested because it is
technically unable to fulfill the request or cannot reach agreeable
terms with the requestor to fulfill the request in the manner
requested, the actor must fulfill the request in an alternative manner,
as follows:
(1) The actor must fulfill the request without unnecessary delay in
the following order of priority, starting with paragraph (b)(1)(i) of
this section and only proceeding to the next consecutive paragraph if
the actor is technically unable to fulfill the request in the manner
identified in a paragraph.
(i) Using technology certified to standard(s) adopted in part 170
that is specified by the requestor.
(ii) Using content and transport standards specified by the
requestor and published by:
(A) The Federal Government; or
(B) A standards developing organization accredited by the American
National Standards Institute.
(iii) Using an alternative machine-readable format, including the
means to interpret the electronic health information, agreed upon with
the requestor.
(2) Any fees charged by the actor in relation to fulfilling the
request are required to satisfy the exception in Sec. 171.302.
(3) Any license of interoperability elements granted by the actor
in relation to fulfilling the request is required to satisfy the
exception in Sec. 171.303.
0
22. Add Subpart D, consisting of Sec. Sec. 171.400 through 171.403 to
read as follows:
Subpart D--Exceptions That Involve Practices Related to Actors'
Participation in The Trusted Exchange Framework and Common
Agreement (TEFCASM)
Sec.
171.400 Availability and effect of exceptions.
171.401 [Reserved]
171.402 [Reserved]
171.403 TEFCA manner exception.
Authority: 42 U.S.C. 300jj-52; 5 U.S.C. 552.
Sec. 171.400 Availability and effect of exceptions.
A practice shall not be treated as information blocking if the
actor satisfies an exception to the information blocking provision as
set forth in this subpart D by meeting all applicable requirements and
conditions of the exception at all relevant times.
Sec. 171.401 [Reserved].
Sec. 171.402 [Reserved].
Sec. 171.403 --TEFCA manner exception--When will an actor's practice
of limiting the manner in which it fulfills a request to access,
exchange, or use electronic health information to only via TEFCA not be
considered information blocking?
An actor's practice of limiting the manner in which it fulfills a
request for access, exchange, or use of electronic health information
to only via TEFCA will not be considered information blocking when the
practice follows the conditions specified in paragraphs (a) through (d)
of this section.
(a) Mutually part of TEFCA. The actor and requestor are both part
of TEFCA.
(b) Requestor capability. The requestor is capable of such access,
[[Page 1438]]
exchange, or use of the requested electronic health information from
the actor via TEFCA.
(c) Limitation. The request for access, exchange, or use of EHI is
not via the standards adopted in 45 CFR 170.215, including version(s)
of those standards approved pursuant to 45 CFR 170.405(b)(8).
(d) Fees and licensing. (1) Any fees charged by the actor in
relation to fulfilling the request are required to satisfy the
exception in Sec. 171.302; and
(2) Any license of interoperability elements granted by the actor
in relation to fulfilling the request is required to satisfy the
exception in Sec. 171.303.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2023-28857 Filed 1-2-24; 4:15 pm]
BILLING CODE 4150-45-P