Artificial intelligence (AI) is evolving rapidly, reshaping the health IT landscape while state and federal governments race to put regulations in place to ensure it is safe, effective, and accessible. For these reasons, AI has emerged as a priority for the EHR Association. We sat down with EHR Association AI Task Force Chair Tina Joros, JD (Veradigm), and Vice Chair Stephen Speicher, MD (Flatiron Health), to discuss the direction of AI regulations, the anticipated impact on adoption and use, and what the EHR Association sees as its priorities moving forward.
Stephen Speicher, MD
EHR: What are the EHR Association’s priorities in the next 12-18 months, and is/how is AI changing them?
Regulatory requirements from both D.C. and state governments are a significant driver for the decisions made by the provider organizations that use our collective products, so a lot of the work the EHR Association does relates to public policy. We’re currently spending a fair amount of our time working on AI-related conversations, as they’re a high-priority topic, as well as tracking and responding to deregulatory adjustments being made by the Trump administration. Other key areas of focus are anticipated changes to the ASTP/ONC certification program, rules that increase the burdens on providers and vendors, and working to address areas of industry frustration, such as the prior authorization process.
EHR: How has the Association adapted since its establishment, and what areas of the health IT industry require immediate attention, if any?
The EHR Association is structured to adapt quickly to industry trends. Our Workgroups and Task Forces, all of which are led by volunteers, are evaluated periodically throughout the year to ensure we’re giving our members a chance to meet and discuss the most pressing topics on their minds. Most recently, that has meant the addition of new efforts specific to both consent management and AI, given the prevalence of those topics within the general health IT policy conversation taking place at both the federal and state levels.
Tina Joros
EHR: If you were to welcome young healthcare entrepreneurs to take on the sector’s most pressing challenges, what guidance would you offer them?
Health IT is a great sector for entrepreneurs to focus on. The work is always interesting because it evolves so quickly, both from a technological perspective and the fact that public policy impacting health IT is getting a lot of attention at the federal and state levels. There are a lot of paths to work in the industry, so it’s always helpful for both entrepreneurs and potential health IT company team members to have a clear understanding of the complexities of our nation’s healthcare system and how the business of healthcare works. Plus, they need a good grasp of the increasingly critical role of data in clinical and administrative processes in hospitals, physician practices, and other care settings.
EHR: What principles are critical to the safe and responsible development of AI in healthcare? How do they reflect the Association’s priorities and position on current AI governance issues?
One of the first things the AI Task Force did when it was formed was to identify certain principles that we believe are essential for ensuring the safe and high-quality development of AI-driven software tools in healthcare. These guiding principles should also be part of the conversation when developing state and federal policies and regulations regarding the use of AI in health IT.
Focus on high-risk AI applications by prioritizing governance of tools that impact critical clinical decisions or add significant privacy or security risk. Fewer restrictions on other use cases, such as administrative workflows, will help ensure rapid innovation and adoption. This risk-based approach should guide oversight and reference frameworks like the FDA risk analysis.
Align liability with the appropriate actor. Clinicians, not AI vendors, maintain direct responsibility for AI when it is used for patient care, when the latter provides clear documentation and training.
Require ongoing AI monitoringand regular updates to prevent outdated or biased inputs, as well as transparency in model updates and performance tracking.
Support AI utilization by all healthcare organizations, regardless of size, by considering the varying technical capabilities of large hospitals vs. small clinics. This will make AI adoption feasible for all healthcare providers, ensuring equitable access to AI tools and avoiding the exacerbation of the already oversized digital divide in US healthcare.
Our goal with these principles is to strike a balance between innovation and patient safety, thereby ensuring that AI enhances healthcare without unnecessary regulatory burdens.
EHR: In its January 2025 letter to the US Senate HELP Committee, the EHR Association cited its preference for consolidating regulatory action at the federal level. Since then, a flurry of state-level activity has introduced new AI regulations, while federal regulatory agencies work on finding their footing under the Trump Administration. Has the EHR Association’s position on regulation changed as a result?
Our preference continues to be a federal approach to AI regulation, which would eliminate the growing complexity we face in complying with multiple and often conflicting state laws. Consolidating regulations at the Federal level would also ensure consistency across the healthcare ecosystem, which would reduce confusion for software developers and providers with locations in multiple states.
However, while our position hasn’t changed, the regulatory landscape has. In the months since submitting our letter to the HELP Committee, California, Colorado, Texas, and several other states have enacted laws regulating AI that take effect in 2026. Even if the appetite for legislative action was there, it’s unlikely the federal government could act quickly enough to put in place a regulatory framework that would preempt those state laws. Faced with that reality, we’re working on a dual track of supporting our member companies’ compliance efforts at the state level while continuing to push for a federal regulatory framework.
EHR: What benefits will be realized by focusing regulations on AI use cases with direct implications for high-risk clinical workflows?
Centering AI regulations on high-risk clinical workflows makes sense because they represent a higher possibility of patient harm, and that focus would simultaneously ensure room for innovation on lower-risk use cases. Our collective clients have many ideas as to how AI could help them address areas of frustration, and that’s where our member companies therefore want room to move from development to adoption more expediently, unencumbered by regulation—for example, administrative AI use cases like patient communication support, claims remittance and streamlining benefits verification, all of which our internal polling shows are in high demand by physicians and provider organizations.
A smart, efficient risk-based regulatory framework would be grounded in the understanding that not all AI use cases have a direct or consequential impact on patient care and safety. That differentiation, however, is not happening in many states that have passed or are contemplating AI regulations. They tend to categorize everything as high-risk, even when the AI tools have no direct impact on the delivery of care or the risk to patients is minimal.
The unintended consequence of this one-size-fits-all approach is that it stifles AI innovation and adoption. It’s why we believe the better approach is granular, differentiating between high- and low-risk workflows, and leveraging existing frameworks that stratify risk based on the probability of occurrence, severity, and positive impact or benefit. This also helps ease the reporting burden on all technologies incorporated into an EHR that may be used at the point of care.
EHR: Where should the ultimate liability for outcomes involving AI tools lie–with developers or end users–and why?
This is an interesting aspect of AI regulation that remains largely undefined. Until recently, there hasn’t been any discussion about liability in state rulemaking. For example, New York became one of the first states to address liability when a bill was introduced that holds everyone involved in creating an AI tool responsible, although it’s not specific to healthcare. California recently enacted legislation stating that a defendant—including developers, deployers, and users—cannot avoid liability by blaming AI for misinformation.
Given the criticality of “human-in-the-loop” approaches to technology use—the concept that providers are ultimately accountable for reviewing the recommendations of AI tools and making final decisions about patient care—our stance is that liability for patient care ultimately lies with clinicians, including when AI is used as a tool. Existing liability frameworks should be followed for instances of medical malpractice that may involve AI technologies.
EHR: Why must human-in-the-loop or human override safeguards be incorporated into AI use cases? What are the top considerations for ensuring those safeguards add value and mitigate risk?
The Association strongly advocates for technologies that incorporate or public policy that requires human-in-the-loop or human override capabilities, ensuring that an appropriately trained and knowledgeable person remains central to decisions involving patient care. This approach also ensures that clinicians use AI recommendations, insights, or other information only to inform their decisions, not to make them.
For truly high-risk use cases, we also support the configuration of human-in-the-loop or human override safeguards, along with other reasonable transparency requirements, when implementing and using AI tools. Finally, end users should be required to implement workflows that prioritize human-in-the-loop principles for using AI tools in patient care.
Interestingly, we are seeing some states address the idea of human oversight in proposed legislation. Texas recently passed a law that exempts healthcare practitioners from liability when using AI tools to assist with medical decision-making, provided the practitioner reviews all AI-generated records in accordance with standards set by the Texas Medical Board. It doesn’t offer blanket immunity, but it does emphasize accountability through oversight. California, Colorado, and Utah also have elements of human oversight built into some of their AI regulations.
By Stephanie Jamison (Greenway Health) and Leigh Burchell (Altera Digital Health), Chair and Vice Chair, EHR Association Executive Committee, and Greg Thole (Oracle), Chair, EHR Association Certification Workgroup
Following an in-depth analysis of HTI-2 and the process of drafting comments (available here), the EHR Association has identified several overarching issues, as well as specific concerns related to Insights measures within the proposed rule.
Highlighting the Positives
Before we delve into the negatives, however, it is important to note that we are highly supportive of several of ASTP’s recommendations. One is the proposal to expand the Certification Program to include criteria focused on the adoption and use of certified health IT by both payers and public health agencies (PHAs) to supplement criteria for healthcare providers. Holding all parties to specific and consistent standards and procedures is critical to achieving real end-to-end interoperability.
Greg Thole
Another is the way ASTP has structured the numerous new proposed FHIR API-based required features (e.g., dynamic registration, SMART Health Cards, CDS Hooks, Subscriptions) in a manner that allows developers to re-use the same capability for multiple different use-case-focused criteria. This is a helpful format that allows developers to streamline and avoid duplicating work effort.
Finally, in the context of the Insights requirements, many of ASTP’s proposals demonstrate attentiveness to the questions and concerns raised by the Association and its member companies since the measures were originally finalized in HTI-1 rulemaking. Some of these tweaks to measurement specifications will reduce the burden and make for more consistent and valuable reporting data.
Overarching Concerns
While we do support many elements of HTI-2, there are also several areas of real concern. We’ve raised many of them previously in comments, but they have yet to be adequately addressed by ASTP and other regulatory agencies.
For example, a common refrain in the Association’s comment letters and RFI responses is that compliance timelines and the scope of work in ASTP regulations create significant burdens for all health IT developers, as well as our healthcare provider customers. We delivered this message related to HTI-1, and our members are now devoting extensive resources to compliance—sometimes at the cost of innovation clients have requested.
Yet, as evidenced by the extensive scope of the HTI-2 proposals, ASTP and CMS continue to ignore the significant and serious timeline concerns we’ve voiced for years. CMS programs, such as the Medicare Promoting Interoperability program and Merit-based Incentive Payment System (MIPS), require healthcare providers to use upgraded certified EHR technology effective essentially on the same deadlines set by ASTP for vendors to deliver those updates. This forces developers to deliver compliant solutions significantly earlier than the deadlines officially listed by ASTP and does not allow adequate runway after the deadline for healthcare providers to adopt the updates, potentially compromising a safe and effective implementation process.
By Stephanie Jamison (Greenway Health), Chair, EHR Association Executive Committee
It’s been 20 years since 21 of the industry’s leading EHR vendors came together to create the HIMSS EHR Vendor Association in 2004 to accelerate the widespread adoption of EHRs. The new association was also tasked with helping HIMSS establish its strategic direction and official positions on issues related to the EHR and providing input and feedback on the certification process established by CCHIT.
Now called the EHR Association, what started as a bold concept is still going strong in 2024 with a current membership base of 29 companies: competitors working collaboratively to advance health data interoperability, safely embrace new technologies, and improve the quality and efficiency of care. Our initial focus on furthering the initiatives laid out in the Health IT Strategic Framework, released in July 2004 by the Office of the National Coordinator for Health Information Technology (now known as the Assistant Secretary for Technology Policy, or ASTP), has expanded and evolved along with the state and federal regulatory environment.
At the time, founding Chair Charlene Underwood described the establishment of the EHR Association as a historic opportunity to directly impact healthcare delivery in the US, noting in the press release announcing the new association that “EHR technology has proven its ability to make healthcare safer, more efficient, and more convenient for patients as well as providers.
“As EHR vendors,” she continued, “we have a responsibility to our customers to shape the future of interoperability for effective and secure sharing of patient data, and to the nation to promote the widespread adoption of this life-saving technology.”
Today’s health IT market is vastly different from those early years when hospital EHR adoption was 9% and office-based physician practice adoption was 17%. Now, well over 96% of hospitals and 78% of physicians use an EHR, most of which are certified through the ASTP-driven process. In the years since its establishment, many of the EHR Association’s founding member companies have gone through acquisitions or mergers, and new entrants have stepped up.
The Developer’s Voice
The Association’s record of accomplishments since 2004 reflects the health IT market’s evolution. Over the years, we’ve worked to ensure our members’ voices were heard on regulatory and policy issues of critical importance to both EHR developers and the providers using our technologies. We’ve met with policymakers and submitted comments on everything from meaningful use and standards development to the Nationwide Health Information Exchange and TEFCA to the 21st Century Cures Act and, most recently, HTI-1 and HTI-2.
Our efforts weren’t limited to offering recommendations and feedback, however. We’ve held numerous Congressional Briefings over the years, focusing on issues such as the role of EHRs in value-based care and the 21st Century Cures Act, as well as COVID-19 and health IT, information blocking, and social determinants of health and health equity.
We’ve also leveraged our collective expertise to provide member companies with tools to navigate a tumultuous regulatory landscape. This includes publishing the industry’s first EHR Developer Code of Conduct reflecting our members’ commitment to supporting safe healthcare delivery, fostering continued innovation, and operating with high integrity in the market—a commitment we maintain to this day.
By Stephanie Jamison, Executive Committee Chair and Public Policy Leadership Workgroup Vice Chair, EHR Association.
In the months that have passed since the Office of the National Coordinator for Health Information Technology (ONC) issued the final Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) rule, the health IT sector has been working diligently to meet the earliest compliance timelines even as it continues an in-depth analysis of the regulatory impact on both developers and the providers who use certified technology.
For the EHR Association, that analysis has given rise to several concerns and ambiguities that need to be addressed to ensure HTI-1, which was published in the Federal Register on Jan. 9, 2024, achieves ONC’s stated goal of advancing patient access, interoperability, and standards.
The new regulations are an important step toward implementing key provisions of the Cures Act and enhancing ONC’s Certification Program. However, there are several aspects of HTI-1 that we believe may have unintended consequences for certified EHR technology (CEHRT) developers and users.
The first deadline is Dec. 31, 2024. That is when CEHRT developers must deliver DSI capabilities to maintain certification. Achieving compliance will necessitate substantial development efforts, including in novel areas for the program like AI/ML for predictive DSIs. Other areas of concern include requirements for:
Developing an end-user feedback function for evidence-based DSIs, including an export capability for machine-readable formatted feedback data.
Developing support for a significantly expanded set of data concepts for which selection of evidence-based DSIs must be available.
Developing support for enabling the selection of predictive DSIs using any data expressed in the USCDI.
Producing nine new source attribute data points for all evidence-based DSIs supplied by developers and more than 30 source attribute data points for all developer-supplied predictive DSIs.
Developing support for customer users to access and modify source attribute information provided by developers for those DSIs they supply.
Developing support for enabling customer users to record and modify their own source attribute entries in the system for DSIs they create or implement on their own.
Developing detailed intervention risk management policies and procedures for ongoing management of predictive DSIs supplied by developers.
Meeting these requirements within the 12-month timeframe presents a formidable challenge for CEHRT developers – a challenge amplified by the lack of a certified companion or other resource guide to support developers with compliant updates. Also coming into play are current CMS requirements governing providers’ use of CEHRT that would force developers to deliver updated technology to their customers well in advance of the ONC deadline.
To alleviate these challenges, we are urging ONC to consider implementing an enforcement discretion period of six to 12 months. This would provide much-needed relief for CEHRT developers and healthcare providers alike, while still ensuring that meaningful progress is made toward real-world implementation of DSI provisions by the 2024 deadline.
Many center on the proposed implementation timeframes associated with various concepts included in HTI-1, as well as ONC’s failure to sufficiently consider the burden compliance will place on provider organizations and health IT developers. Specifically, health IT developers need more time than allotted in HTI-1 to deliver safe, compliant, and high-quality versions of their certified products. Providers will also need sufficient time to implement and become proficient with that upgraded software.
We also encourage ONC and the Centers for Medicare and Medicaid Services (CMS) to work more closely together to address the misalignments that frequently occur between when ONC tells software developers to deploy new certified versions and when CMS requires providers to be using them. There are also proposals in HTI-1 that create a dependency on collaboration with healthcare provider organizations for developers to be successful in meeting their obligations, but CMS has included in rulemaking no corresponding incentives for them to do so – making compliance for vendors significantly more challenging.
We have also identified issues with four specific provisions of HTI-1: Insights Condition, USCDI v3, Decision Support Interventions (DSI) and Predictive Models, and Patient Requested Restrictions.
By Stephanie Jamison (Greenway Health), Chair, EHR Association Executive Committee
