In this Article …
- Health Data, Technology, and Interoperability – Some Background
- The United States Core Data for Interoperability Version 3 (USCDI v3)
- Electronic Case Reporting
- Decision Support Intervention
- Predictive Decision Support Intervention
- Patient Demographics and Observations
- Patient Right to Request a Restriction on Use or Disclosure
- Requirement for Health IT Developers To Update Their Previously Certified Health IT
- Information Blocking Enhancements
- Other Changes to the ONC Health IT Certification Program
Health Data, Technology, and Interoperability – Some Background
On January 9, 2024, the Office of National Coordinator for Health Information Technology (ONC) of the US Department of Health and Human Services (HHS) released its HTI-1 Final Rule to implement changes to the Electronic Health Record (EHR) Reporting Program of the 21st Century Cures Act. This rule updates the Conditions and Maintenance requirements applicable to Health Information Technology (Health IT) developers under the ONC Health IT Certification Program. Over the next 2 years, developers of Health IT will have to update their Health IT offerings to maintain certification of their EHR software applications as a certified electronic health record.
The regulations are covered on 247 pages of the Federal Register and are officially in force as of March 11, 2024. In this post, we will cover some of the issues that are likely to be of interest to the health care providers who are users of EHR applications, leaving the more technical issues relevant to developers of certified Health IT to others.
The United States Core Data for Interoperability Version 3 (USCDI v3)
The ONC Certification criteria have required developers of certified health it to incorporate USCDI data elements into their software to support standardized reporting. USCDI v3 is the third version of the core data set. These data elements cover information from allergies to immunizations to procedures to medications. Updating the certification criteria to include the latest core data set is designed to facilitate the sharing of health data for health information exchanges. With the publication of the HTI-1 Final Rule, the ONC noted Version 3 of the constituent data elements will be the only version acceptable as of July 1, 2026. But stay tuned since USCDI Version 4 is already published and Version 5 is in draft form!
Electronic Case Reporting
This function supports the reporting of patient cases to public health agencies. The new certified Health IT criteria replace previous functional and descriptive criteria with consensus-based, industry-developed electronic standards and implementation guides, such as HL-7. It also specifies the requirement is to transmit a case report electronically to a system capable of receiving a case report.
Decision Support Intervention
This certification program element, Decision Support Intervention (DSI) is slated to replace the clinical decision support (CDS) certification criteria no later than January 1, 2025. Until then, developers of certified health IT could certify to either version (CDS or DSI) of the certification criteria. This change will also be reflected in the definition of a Base EHR.
The CDS certification criteria required demonstrating at least one electronic intervention related to one data element and a combination of one of a list of other elements such as vital signs. Besides updating the functionality, the new DSI certification criteria are also designed to support elements related to health equity. This portion of the HTI-1 final rule also addresses predictive algorithms that are supposed to aid decision-making in health care.
Predictive Decision Support Intervention
In the final rule, ONC included new certification criteria for Predictive Decision Support Intervention or Predictive DSI. As with CDS Certification criteria, developers of certified health IT must support source attributes (categories of technical performance and technical information) for evidence-based DSI and predictive algorithms. And there must be a limited set of clinical users (healthcare providers) who can activate predictive algorithms.
Another new certification criterion under this section involves implementing risk management practices related to Predictive DSI. This includes subjecting Predictive DSI to ongoing risk analysis and risk mitigation and evaluating factors such as validity, reliability, safety, and fairness to name just a few. This algorithm transparency caution is well-founded given the concerns that have emerged recently about racially biased algorithms and artificial intelligence hallucinations.
Patient Demographics and Observations
In the HTI-1 Final Rule, ONC has changed the name of patient demographics to “Patient Demographics and Observations“. It made this change in the certified health IT criteria to account for changes in the USCDI v3 which describe health data elements such as sex, sexual orientation, and gender identity. Earlier versions of the certified health IT criteria only accounted for a limited range of entries for what is sometimes a complicated category. Other health data elements added include “Name to Use” and “Pronouns” to support providing culturally competent patient care.
Patient Right to Request a Restriction on Use or Disclosure
This addition to the certification program’s latest final rule is designed to make it easier for patients to exercise their rights under HIPAA to request restrictions on the use or disclosure of their Protected Health Information (PHI). Certified health IT developers will have to provide an internet-based method for patients to request restriction of use, viewing, or disclosure of their PHI to a third party.
While the ONC has recognized the complexity and challenges associated with implementing patient-directed privacy restrictions, it remains committed to advancing standards that support privacy workflows. This commitment is evident in their ongoing engagement with the industry and standards development community to refine and implement effective privacy measures, ensuring that patients have a greater say in the management of their health information.
Requirement for Health IT Developers To Update Their Previously Certified Health IT
The ONC-certified health criteria now contain requirements for health it developers to update their previously certified health it modules to be compliant with new or applicable revised certification criteria and with new standards in the underlying regulations. Another new certification criterion requires developers to provide updated health IT to existing customers of their previously certified health IT. This is important to users who are continuing to attest to their use of certified health IT as part of the Medicare Promoting Interoperability Program.
Information Blocking Enhancements
Two clarifications were made to the provisions of the regulations covering information-blocking definitions.
- The information blocking regulations included exceptions for actors to respond to requests for electronic health information (EHI) sharing when the actor (a user of health information technology or developers of certified health IT) claimed an uncontrollable event prevented the actor from responding to the request. Uncontrollable events included things like human-made or natural disasters, civil insurrection, war, terrorist attacks, and telecommunication or internet service interruption. The ONC says it has always required that there be a causal element between the uncontrollable event and the inability to respond to a request. Now the ONC is adding a further qualifier: the uncontrollable event must also have hurt the actor’s ability to respond to the request for EHI access, exchange, or use.
- A new provision added to the list of infeasibility exceptions concerns requests to actors from third parties who plan to use EHI, including modifying or deleting it, is also added to the provisions for enhanced information blocking requirements. There is an exception to this exception (of course!). An actor may not deny the request if it comes from a business associate of the actor. The term business associate has been defined as having the same meaning as the term in the Privacy Privacy Regulations.
In the HTI-1 proposed rule, ONC outlined how certified health IT users could benefit from participation in the Trusted Exchange Framework and Common Agreement (TEFCA). ONC will permit actors participating in TEFCA to not fulfill a request for access, exchange, or use EHI in any manner other than TECFA, providing the actor meets certain conditions. The actor and requestor must be part of TEFCA, and the requestor must be able to access, exchange, or use the requested EHI via TEFCA.
Other Changes to the ONC Health IT Certification Program
There are several other changes to the certified health IT program that Health IT developers should be aware of. They include certification program updates in the following areas:
- C–CDA Companion Guide Updates
- “Minimum Standards” Code Sets Updates
- Synchronized Clocks Standard
- Standardized API for Patient and Population Services
- Updates to Transitions of Care Certification Criterion in § 170.315(b)(1)
- Real World Testing—Inherited Certified Status
- Insights Condition and Maintenance of Certification
Health It developers should review these portions of the Final Rule to have a complete understanding of the scope of each new and revised certification criterion.
The ONC Certified Health program has come a long way in the last twelve years. With more focus on information sharing and interoperability-focused reporting metrics, the ONC is certainly pushing the electronic health information technology industry in a positive direction.
Given the evolving landscape of EHR requirements, expertise in navigating these changes is invaluable. At The Fox Group, we’re committed to staying ahead of these developments to support healthcare technology professionals.