On January 29, 2025, the Office of the Assistant Secretary for Technology and Policy/National Coordinator for Health IT (“ASTP/ONC”) published two Proposed Rules. The first is intended to clean up the HTI-2 provisions that were never finalized, and the second is intended to encourage investment in health IT by paring back the number of existing EHR certification criteria and by closing loopholes in the Information Blocking Manner and TEFCA Manner exceptions that have made it difficult for electronic health information to be shared in an alternative manner.
How the Regulatory Sausage is Made
Why did ONC have to publish two separate Rules?
Federal agencies use the Administrative Procedures Act (“APA”) notice and public comment rulemaking (“NPRM”) process to announce new rules or changes to existing rules. See 5 U.S.C. § 533. It can take the better part of a year for an agency to draft the preamble and explain the legal authority and the need for proposed regulations. Then, reviewing and responding to comments can take months before a proposed Rule becomes final.
ASTP/ONC proposed HTI-2 in August 2024, just before the elections that ushered in a new Administration and an emphasis on de-regulation. HTI-2 was a HUGE Rule, 314 pages of dense technical information, with a lot of moving parts. In order to get important provisions finalized before the Administration changed, ASTP/ONC took a measured approach, and only finalized provisions that were considered high priorities, e.g., protecting reproductive health information, electronic prior authorization and modernizing e-prescribing, and Real-time Prescription Benefit (RTPB) information.
While the APA does not address “withdrawing” a proposed rule, a published withdrawal notice effectively erases the proposed rule and creates a public record that tells the public the rule is no longer in play and will not take effect. Nothing in a withdrawn rule can be relied upon, and if the agency later wants to revive the proposed rule, the rulemaking process must start all over again from the beginning.
Out with the Old to Make Room for What’s Next
Once ASTP/ONC cleared the deck of those provisions of HTI-2 that were never finalized, ASTP/ONC proposed a rule to remove and revise thirty-four (34) of the existing sixty (60) electronic health records (EHR) certification criteria. In essence, ASTP/ONC gutted the primary program that is the cornerstone of the Office of the National Coordinator for Health IT. But it was for a very good and important reason: the criteria were old, outdated and redundant, and the time had come to take the digitization of health care to the next level.
Here are some examples of what ASTP/ONC had to let go of:
- Certification criteria for Consolidated Clinical Document Architecture (“CDA”). CDA is a technical standard for exchanging a whole static document, which may mean that hundreds of pages of a patient record are sent when only certain lab values or vital signs are needed. With FHIR APIs, data, not documents, can be exchanged; the recipient can get access to the data they request or need and is not left thumbing through documents to find a needle in a haystack.
- Certification criteria for care plans, family health history, implantable devices, and “all data requests” are slated for removal because they are redundant and overlap with the United States Core Data for Interoperability (“USCDI”) standards. USCDI defines the essential health data that must be shared, while FHIR is the standard for structuring and exchanging that data through APIs.
- Thirteen (13) Privacy and Security certification criteria are in the crosshairs. Not because security obligations and protecting health information aren’t important, but because ONC is not the regulator responsible for overseeing Privacy and Security. The Office for Civil Rights, the Federal Trade Commission, and states are well equipped with authority to enforce Privacy and Security requirements under HIPAA, the Unfair and Deceptive Practices Act, the Health Breach Notification Rule, and a myriad of state data protection and privacy laws. It begs the question as to whether Congress needs to address Privacy and Security in the age of AI, anyways.
If it’s Broken, Fix it Fast
With respect to Information Blocking, ASTP/ONC proposed changes to the Manner Exception because they received feedback that part of the Manner exception wasn’t working as expected. If it really wasn’t working, we probably would have seen some enforcement of the Information Blocking Rules, but if ASTP/ONC’s vision for a FHIR Forward Future becomes a reality, interoperability will (hopefully) be achieved organically, without the sticks and stones and wasteful spending of protracted investigations and penalties that are imposed so long after the violation occurs that they lose their meaning.
As for the TEFCA Manner, by all counts, TEFCA is gaining momentum and participants. Sequoia is fleshing out purposes for exchange, like Government Benefits Determinations with the Social Security Administration, like champions. But giving TEFCA participants a shield from having to comply with the Information Blocking Rule was not what was intended.
The way the Manner Exception is written, an actor that doesn’t want to fulfill a request for access, use or exchange of EHI can avoid it by offering format(s) that the actor knows are not the format the requester wants or needs. The actor is still technically offering different manners, and thereby meeting their obligation under the Manner Exception. ONC needed to refine how alternative manners are assessed to prevent actors from getting around providing a manner that actually works.
What’s Next?
Now that ASTP/ONC has shown the willingness, and done the hard work, to retire certification criteria that support legacy technologies, health IT stakeholders are better positioned for what comes next. A FHIR-forward future will make the movement of patient data more efficient, but FHIR is ultimately a transport standard. The harder question remains: how do we overcome persistent data silos, where patient information is locked inside provider and payer systems, and where a truly patient-centered, longitudinal record still does not exist? The next chapter of interoperability policy must focus not only on how data is moved and exchanged, but on whether patients and providers can actually access the information they need, when and where they need it.