The Undue Burden of ONC’s HTI-1 On Providers, HIT Developers

David Bucciferro

By David Bucciferro, chair, EHR Association.

The EHR Association has long supported the goals of the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing Proposed Rule (HTI-1) released in April by the Office of the National Coordinator for Health Information Technology (ONC). However, we have real concerns about the impact it would have on the industry if finalized as proposed.

Many center on the proposed implementation timeframes associated with various concepts included in HTI-1, as well as ONC’s failure to sufficiently consider the burden compliance will place on provider organizations and health IT developers. Specifically, health IT developers need more time than allotted in HTI-1 to deliver safe, compliant, and high-quality versions of their certified products. Providers will also need sufficient time to implement and become proficient with that upgraded software.

We also encourage ONC and the Centers for Medicare and Medicaid Services (CMS) to work more closely together to address the misalignments that frequently occur between when ONC tells software developers to deploy new certified versions and when CMS requires providers to be using them. There are also proposals in HTI-1 that create a dependency on collaboration with healthcare provider organizations for developers to be successful in meeting their obligations, but CMS has included in rulemaking no corresponding incentives for them to do so – making compliance for vendors significantly more challenging.

We have also identified issues with four specific provisions of HTI-1: Insights Condition, USCDI v3, Decision Support Interventions (DSI) and Predictive Models, and Patient Requested Restrictions.

Insights Condition

In addition to a timeframe that is too short, the proposed Insights measures harken back to the early days of the meaningful use program but without incentives for providers to cooperate. This puts EHR vendors in the middle of data aggregation from multiple sources. It is also a distraction from other analytics initiatives that software developers are expected to support, like CMS’ digital quality measures project.

Because the work involved with compliance will be consequential, we urge ONC to delay the start of the first measurement period until at least CY 2025. We would also like to see it restructured for annual reporting, preferably mid-year to avoid conflict with significant year-end deadlines, development and deployment obligations, and April/October attestations.


We recommend moving the deadline for USCDI v3 to be included in upgraded software versions until the end of the second calendar year following the publication of the final rule (estimated to be Dec. 31, 2025).

We also reiterate our desire to see ONC move away from the current all-or-nothing certification requirement and towards a dynamic approach based on the data actually managed by the EHR or other health IT in use by a provider. Specialty EHRs and provider organizations that don’t benefit from supporting all USCDI criteria should be allowed to achieve certification by adding only those aspects beneficial to meet user needs. Adopting the more flexible model would alleviate unnecessary burdens for both health IT vendors and those providers to whom the broader USCDI data list is not applicable.

DSI and Predictive Models

ONC is clearly attempting to leverage its certification program to help the Food and Drug Administration (FDA) increase transparency related to decision alerts, but this is an inefficient and burdensome application of the certification lever. We recommend that regulations imposing transparency requirements be applied by the FDA or HHS more broadly to those creating the decision alerts rather than the developers of EHRs, which serve primarily as alert delivery mechanisms.

The burden inherent to the proposals about DSIs is significant and would result in duplicative work across software developers who rely on decision support content sourced from the same vendors. It also disregards the fact that many healthcare organizations create their own alerts; vendors have no oversight or responsibility for those decisions or the content underlying them. As such, the Dec. 31, 2024, compliance timeline is unrealistic.

In terms of specific proposed changes:

Patient Requested Restrictions

The proposed rule would require the new “patient requested restrictions” certification criterion for the Privacy and Security Framework by Jan. 1, 2026, which is too broad as proposed for the timeframe. A targeted use case to focus on for the deadline is also needed. For example, ONC could refocus its certification capability requirement around the ability of patients to request that certain sensitive notes or lab results not be shared with proxy users in the patient portal. This would also give patients more granular control over data sharing without jeopardizing their care by preventing other clinicians from viewing the information.

Additionally, the provider community has expressed concerns about pronounced negative unintended consequences that could result from broad requirements to support segmentation, including heightened risks of preventable medical errors from incomplete records and increased burden on providers. Finally, there must be the opportunity to adjust privacy and patient consent rules and infrastructure over time to keep pace with the long-term impacts of changes under HTI-1.

Refinement Required

HTI-1 is an expansive proposed rule whose impact will be felt for years to come. It is vitally important that ONC gets it right the first time – without impeding innovation. We ask that ONC fully consider the concerns the EHR Association shares with other impacted stakeholders as it moves forward with finalizing the rule to ensure its end goals can be achieved without unrealistic deadlines and without placing an undue burden on healthcare providers and health IT developers.

Write a Comment

Your email address will not be published. Required fields are marked *