ONC says stakeholders can ‘pick up and run’ with new regs

Touted as the product of 10 years of work, the most recent proposed rule issued July 10 by the Office of the National Coordinator for Health IT will usher in an age of automation for healthcare interoperability through application programming interface-based exchange capabilities, officials said on Wednesday. 

The second version of ONC’s Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing and Public Health Interoperability rule, or HTI-2, is designed to support the data exchange needs of patients, providers, payers and public health agencies.

The new proposed rule establishes the first health IT certification criteria for public health and payers under the ONC Health IT Certification Program. It also advances cybersecurity standards for multifactor authentication in certified health IT and creates an information blocking exception for certain reproductive health data, among other features.

HTI-2 is something the “market can pick up and run with,” said Micky Tripathi, the national coordinator, said during a media briefing Wednesday.

The U.S. Department of Health and Human Services has already required Fast Healthcare Interoperability Resources APIs in all certified electronic health record systems across the provider ecosystem, which currently covers 97% of hospitals and more than 80% of ambulatory provider organizations, Tripathi noted.

But the proposed HTI-2 rule furthers the agency’s interoperability goals by outlining two new sets of certification criteria focused on standards-based APIs.

“Right now, the regulations that we have in place have ‘read’ capabilities – so that allows a FHIR API to be used to be able to see information and download information,” Tripathi explained. “But we want to be able to say we need to keep pushing the envelope on what those APIs are capable of doing that we’ve seen in almost every other part of the Internet.” 

Those capabilities – such as sending patient data to authorized users like payers, other providers or patients themselves – will keep the industry moving forward, he said. 

Tripathi also noted that the new version of the Trusted Exchange Framework and Common Agreement, effective July 1, positioned participating Qualified Health Information Networks to move forward on FHIR-based exchange. 

“And an important part of that is what’s called dynamic client registration,” he explained. “It’s an automation that will enable FHIR APIs to connect to an EHR system, which right now is a very kludgy manual process. You want to be able to do that in an automated way so that you can have many apps able to connect to EHR systems in a much more seamless way.”

Enabling many applications to connect to EHRs “will eliminate a serious friction point that we have right now,” said Tripathi.

Hoping payers will step up

On the payer side, ONC said it worked closely with the Centers for Medicare and Medicaid Services in creating voluntary certification requirements, for “greater assuredness that systems that go through that certification process will actually be able to interoperate with the provider organizations.” 

Released in January, the CMS interoperability rule built voluntary payer certification requirements on FHIR standards to enable plan members to access their information through various applications, providing more transparency and speed around the prior authorization process. 

ONC’s proposed rule would also create standard approaches for patients to access their information with six new criteria validated through HL7 and the Da Vinci Project.

The ability to conduct a real-time benefits check at the point of care to “determine for the patient what benefits are they entitled to,” including prescriptions, could improve patient care while payer-to-payer APIs for enrollment and coverage ensure continuity of care,” Tripathi said.

However, “there is nothing in regulation right now that would compel anyone who is deploying that CMS-required API to get it certified,” he acknowledged. “What we’re hoping is that by creating that voluntary certification program, the market itself wants to be able to step up and leverage that interoperability.”

Public health provisions

With HTI-2, ONC would also establish some “anchor points” that advance public-private governance – ensuring that providers aren’t stuck using older, nonelectronic capabilities to complete their required public health reporting.

In requiring the adoption of United States Core Data for Interoperability version 4 by January 1, 2028, “we have adopted an entire suite of public health data,” explained Elisabeth Myers, deputy director of the Office of Policy at ONC, noting there is more information in the agency’s fact sheet.

The new library of data elements will add facility and medication information in order to enhance public health and drug-quality tracking and analyses, she said. It also adds new data elements for laboratory information – such as the source of clinical specimens and other identifiers around labs. 

During the COVID-19 pandemic, public health agencies could not navigate critical lab data – reference numbers were unclear, leaving government agencies unclear on whether a piece of data referred to an actual patient specimen or where it was coming from, Myers reflected.

“We want to make sure that when those [public health] dollars are used for health IT systems, that they have certain core capabilities that will allow the public health practitioners in jurisdictions to have the assuredness that those systems are actually going to support the kinds of capabilities that they need to be able to have,” Tripathi added.

Privacy and security protections

The proposed HTI-2 rule also addresses protections around sharing reproductive data. HTI-2 adds a “Protecting Care Access” exception, which would allow information blocking in certain circumstances to reduce the risk of legal exposure on patients, providers and others “based on the mere fact that the patient got lawful reproductive health care in a jurisdiction where that’s allowed.”

To address cybersecurity, ONC is proposing requirements that require multifactor authentication in certified EHR products, as well as encryption of data on the server side. 

“There are already requirements for encryption of data. If it’s an end-user system, like a laptop, like a mobile device, now the requirement is that it be encrypted on the server itself, the EHR database,” said Tripathi.

When it debuted in 2019, FHIR 4 – which was built on FHIR DSTU2 and FHIR STU3 standards – had “the primary added advantage of facilitating backward compatibility,” proposing to remove significant obstacles for developers and “warranting its widespread use,” Dr. Blackford Middleton, a global advisory board member at Smile Digital Health and an HL7 Advisory Council member had told Healthcare IT News.

Fast forward to November and Providence Health System – one of the largest U.S. health systems with 52 hospitals and more than 900 clinics across seven states – said it was the first U.S. health system to use the Clinical Data Exchange specs developed by HL7’s Da Vinci Project to build a FHIR-based data-as-a-service platform.

The new clinical data exchange technology developed with Premera Blue Cross is alleviating administrative and financial burdens in the transition to value-based care, Providence said in its announcement.

While ONC finalized HTI-1 in December, the agency said that it expected to further FHIR exchange by including new certification provisions for APIs in HTI-2.

In June, ONC marked the Health Resources and Services Administration’s use of FHIR-based APIs in a proof-of-concept that streamlined reporting processes and enhanced data quality with live data while awaiting HTI-2’s review by the Office of Management and Budget.

“The rule covers a wide variety of dimensions, all of it with an eye towards saying we need to push as hard as we can, as fast as we can, to get the interoperability that all of us have been dreaming for,” Tripathi said during the media briefing. 

“It’s now here with a number of these different things that we’re putting into place, and we’re really excited about what this rule will do for the American public.”

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.