Electronic Health Reporter

By Stephanie Jamison, Executive Committee Chair and Public Policy Leadership Workgroup Vice Chair, EHR Association.

In the months that have passed since the Office of the National Coordinator for Health Information Technology (ONC) issued the final Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) rule, the health IT sector has been working diligently to meet the earliest compliance timelines even as it continues an in-depth analysis of the regulatory impact on both developers and the providers who use certified technology.

For the EHR Association, that analysis has given rise to several concerns and ambiguities that need to be addressed to ensure HTI-1, which was published in the Federal Register on Jan. 9, 2024, achieves ONC’s stated goal of advancing patient access, interoperability, and standards.

The new regulations are an important step toward implementing key provisions of the Cures Act and enhancing ONC’s Certification Program. However, there are several aspects of HTI-1 that we believe may have unintended consequences for certified EHR technology (CEHRT) developers and users.

Decision Support Interventions (DSI)

One significant area of concern is with regulations around DSI, which carry the earliest compliance deadlines. While the scope of DSI requirements was narrowed in the final rule, many of the compliance timelines are still insufficient for developing, testing, and implementing the necessary upgrades.

The first deadline is Dec. 31, 2024. That is when CEHRT developers must deliver DSI capabilities to maintain certification. Achieving compliance will necessitate substantial development efforts, including in novel areas for the program like AI/ML for predictive DSIs. Other areas of concern include requirements for:

• Developing an end-user feedback function for evidence-based DSIs, including an export capability for machine-readable formatted feedback data.
• Developing support for a significantly expanded set of data concepts for which selection of evidence-based DSIs must be available.
• Developing support for enabling the selection of predictive DSIs using any data expressed in the USCDI.
• Producing nine new source attribute data points for all evidence-based DSIs supplied by developers and more than 30 source attribute data points for all developer-supplied predictive DSIs.
• Developing support for customer users to access and modify source attribute information provided by developers for those DSIs they supply.
• Developing support for enabling customer users to record and modify their own source attribute entries in the system for DSIs they create or implement on their own.
• Developing detailed intervention risk management policies and procedures for ongoing management of predictive DSIs supplied by developers.

Meeting these requirements within the 12-month timeframe presents a formidable challenge for CEHRT developers – a challenge amplified by the lack of a certified companion or other resource guide to support developers with compliant updates. Also coming into play are current CMS requirements governing providers’ use of CEHRT that would force developers to deliver updated technology to their customers well in advance of the ONC deadline.

To alleviate these challenges, we are urging ONC to consider implementing an enforcement discretion period of six to 12 months. This would provide much-needed relief for CEHRT developers and healthcare providers alike, while still ensuring that meaningful progress is made toward real-world implementation of DSI provisions by the 2024 deadline.

Artificial Intelligence (AI)

In general, the EHR Association recognizes the significance of regulating AI and ensuring its responsible design, development, and deployment in healthcare. However, we have numerous concerns with the establishment of guidelines for clinical validation of AI, such as those created by ONC in HTI-1 for DSI and by the FDA for Software as a Medical Device.

As many AI products directly interface with EHR data, it is important that they adhere to the highest standards of clinical validity. In this context, that refers to a rigorous process of evaluating and confirming AI systems’ effectiveness and reliability. It entails extensive testing and verification to ensure that outcomes align with established clinical standards, providing accurate and clinically meaningful results and ensuring the trustworthiness and accuracy of AI technologies in healthcare.

We also support:

• Implementation of ongoing audits and fairness metrics to ensure that AI remains impartial, particularly when processing a wide array of diverse EHR datasets.
• Holding any non-HIPAA regulated AI solutions interfacing with EHRs to privacy standards consistent with HIPAA requirements to guarantee the utmost privacy and security of patient data.
• Establishment of testing any AI that integrates with CEHRT in real-world clinical settings, involving both developers and clinicians and establishing a robust feedback mechanism to continuously monitor and improve the performance.

Finally, we support establishing measures to clearly identify and hold original AI developers accountable for any issues or outcomes directly linked to their technology when it is integrated into CEHRT. This will simplify the process of determining responsibility and foster trust among end-users and patients.

Edition-less Certification and Use of CEHRT

The ONC’s transition to edition-less certification under HTI-1 raises several red flags with the EHR Association about the impact of CMS’s most recent approach to CEHRT use deadlines on update availability and implementation.

There are benefits to moving away from editions. It gives ONC greater flexibility in updating or creating certification criteria. When coupled with the Standards Version Advancement Process, it also enables targeted regulatory updates that let ONC regulate functionality in an area that may be ripe for advancement while allowing necessary advancements in other areas. However, edition-less certification also introduces uncertainties about when health IT updates need to be implemented by providers to comply with CMS regulations.

Historically, CMS has aligned its implementation timelines for new CEHRT editions with ONC’s certification edition compliance dates. But in the 2024 Physician Fee Schedule final rule, CMS indicated that if ONC moves to an edition-less certification program structure – which it does under HTI-1 – it would hold users to the same deadlines ONC places on developers for providing updated CEHRT to their customers. This is unrealistic for several reasons.

First, CEHRT upgrades present considerable challenges for developers and providers, particularly when introducing new functionalities or workflow changes (e.g., adding new data collection fields in line with USCDI v3 data elements). It is an arduous process that has defied streamlining efforts, as developers must ensure system quality and work with providers on adequate user training and minimizing disruptions. As a result, most providers prefer to limit major upgrades to once per year.

Second, to ensure their customers have ample time to plan and execute upgrades, health IT developers often need to make new functionality available at least a year ahead of provider compliance dates. CMS has facilitated this process in the past by offering a “flex” year during which providers could choose between the older certification edition or the new one for compliance. This flexibility no longer exists.

Third, health IT developers and their CEHRT-using clients must concurrently navigate a broad and growing spectrum of regulatory requirements beyond HTI-1. For example, the CMS electronic Prior Authorization (ePA) final rule, ongoing TEFCA updates and new requirements, and state-level regulations concerning health IT usage.

Providers must have sufficient time between update availability and regulatory deadlines. Therefore, we have asked CMS to resume using the flex year concept and align CEHRT usage requirements with those for electronic Clinical Quality Measures where providers have until the end of the reporting year to implement CEHRT fully.

Information Blocking

The EHR Association’s primary concerns with HTI-1 rules on Information Blocking compliance relate to the finalization of the TEFCA Manner Exception, which did address several issues raised during the proposed rule’s public comment period.

The TEFCA Manner Exception allows QHINs, Participants, or Subparticipants to utilize TEFCA exchange as their primary method of exchanging electronic health information (EHI) if it meets the exception definition. Under the most significant exception, the TEFCA Manner exception cannot be used if the requester wants to access, exchange, and/or use the data through FHIR-based APIs that meet certification criteria. This is designed to allow app developers seeking specific FHIR-based API access the ability to do so without being re-directed through other TEFCA exchange methods.

However, if both the requester and the actor/request recipient are TEFCA participants, then nearly all other requests for EHI can be pushed to be performed through TEFCA exchange manners, as long as the requester is capable of doing so. Any fees or licensing requirements must also meet the fees and licensing exceptions for information blocking.

ONC has reserved two sections of the regulation (45 CFR 171.401 and 402) for use in future regulations related to TEFCA-based exceptions. These will likely include at least one new TEFCA-based exception related to privacy exchange concerns that might arise within TEFCA, such as the exchange of reproductive health information across state lines after the Dobbs decision, or other similar concerns that certain actors may have before exchanging information within TEFCA.

The TEFCA Manner exception incentivizes participation in TEFCA by enabling an actor to create a sort of safe harbor around any exchange occurring within TEFCA that meets the exception. While the TEFCA Manner exception has limitations, there is one more – possibly two – TEFCA-based exceptions coming through future ONC regulatory action, possibly as soon as HTI-2.

We don’t know the full scope of these exceptions, but we can make an educated assumption that the new TEFCA exception(s) will help alleviate additional concerns to encourage participation in TEFCA, thereby providing additional incentive and, likely, safe harbor from information blocking enforcement for exchange occurring within TEFCA.

A Work in Progress

The EHR Association has long supported the nation’s goals of advancing interoperability, improving transparency, and supporting further access, exchange, and use of EHI, and we appreciate the pressure ONC faces in carrying out the complex requirements of the 21^st Century Cures legislation. However, care must be taken to ensure it is done in a manner that ensures meaningful progress without imposing upon CEHRT developers and users unrealistic regulatory burdens and deadlines.

CEHRT developers need appropriate time to deliver safe, compliant, and high-quality versions of certified products and providers need sufficient time to implement and train on that upgraded software. We have already shared many of our concerns with ONC and hope to continue a meaningful dialog and collaborative approach to ensuring the regulations established in HTI-1 achieve the objectives of advancing patient access, interoperability, and standards.

Contributing Authors:  Joining Jamison (Greenway Health) as contributing authors are Leigh Burchell (Altera Digital Health), Executive Committee Member and Vice Chair of the Information Blocking Compliance Task Force; Josh Mast (Oracle Health), Chair of the Public Policy Leadership Workgroup; and Greg Thole (Oracle Health), Chair of the Certification Workgroup.