The latest proposed regulations, issued July 10 by the Office of the National Coordinator for Health IT, are seen as the culmination of 10 years of work and usher in an era of automation for healthcare interoperability through API-based exchange capabilities, officials said Wednesday.
The second version of ONC’s Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing and Public Health Interoperability regulations, or HTI-2, is designed to address the data sharing needs of patients, providers, payers, and public health authorities.
The new proposed rule establishes the first health IT certification criteria for public health and payers under the ONC Health IT Certification Program. It also advances cybersecurity standards for multifactor authentication in certified health IT and creates an information blocking exception for certain reproductive health data, among other features.
HTI-2 is something that “the market can pick up and run with,” Micky Tripathi, the national coordinator, said at a press conference on Wednesday.
The U.S. Department of Health and Human Services has already mandated Fast Healthcare Interoperability Resources APIs in all certified electronic health record systems across the healthcare ecosystem, which currently covers 97% of hospitals and more than 80% of outpatient care settings, Tripathi said.
But the proposed HTI-2 rule advances the agency’s interoperability goals by outlining two new sets of certification criteria focused on standards-based APIs.
“Right now, the regulations that we’ve written have ‘read’ capabilities, so a FHIR API can be used to see and download information,” Tripathi explained. “But we want to be able to say that we need to continue to push the boundaries of what those APIs can do, which we’ve seen in almost every other part of the internet.”
Those capabilities — such as sending patient data to authorized users such as payers, other providers or patients themselves — will help move the industry forward, he said.
Tripathi also noted that the new version of the Trusted Exchange Framework and Common Agreement, which went into effect on July 1, enables participating Qualified Health Information Networks to move forward with FHIR-based exchange.
“And a key part of that is what’s called dynamic client enrollment,” he explained. “It’s an automation that allows FHIR APIs to connect to an EHR system, which is currently a very cumbersome manual process. You want to be able to do that in an automated way so that you have a lot of apps that can connect to EHR systems in a much more seamless way.”
By connecting many applications to EHRs, “we eliminate a serious bottleneck that we have now,” Tripathi said.
Hoping that the payers take their responsibility
On the payer side, ONC said it has worked closely with the Centers for Medicare and Medicaid Services to create voluntary certification requirements, for “greater assurance that systems that go through that certification process can actually collaborate with the health care providers.”
Released in January, the CMS Interoperability Rule Voluntary payer certification requirements based on FHIR standards, so that plan members can access their data across applications. This provides greater transparency and speed in the pre-authorization process.
ONC’s proposed regulations would also create standard approaches for patients to access their information using six new criteria validated by HL7 and the Da Vinci Project.
Tripathi said the ability to perform real-time benefits checks at the point of care to “determine what benefits the patient is entitled to,” including prescriptions, could improve patient care, while APIs for enrollment and coverage between payers would ensure continuity of care.
“However, there’s nothing in the regulations right now that would force someone who implements that CMS-required API to get it certified,” he acknowledged. “What we’re hoping is that by creating that voluntary certification program, the market itself will be able to scale and leverage that interoperability.”
Public health provisions
With HTI-2, ONC would also create a number of “anchor points” that promote public-private governance, so that providers are not locked into using older, non-electronic options to complete their required public health reporting.
By requiring the implementation of United States Core Data for Interoperability version 4 by January 1, 2028, “we’ve brought in a whole suite of public health data,” explains Elisabeth Myers, deputy director of the Office of Policy at ONC, who notes that more information is in the agency’s documents. information sheet.
The new library of data elements will add facility and medication information to improve public health and drug quality and to conduct analysis, she said. It also adds new data elements for laboratory information, such as the source of clinical samples and other laboratory identifiers.
During the COVID-19 pandemic, public health agencies were unable to navigate critical lab data. Reference numbers were unclear, leaving government agencies unsure whether a piece of data corresponded to an actual patient sample or where it came from, Myers said.
“We want to ensure that when that (public health) money is used for health IT systems, that they have certain core capabilities that give public health professionals in those jurisdictions the assurance that those systems actually support the capabilities that they need,” Tripathi added.
Privacy and security protection
The proposed HTI-2 rule also focuses on protections around sharing reproductive data. HTI-2 adds an exception for “Protecting Care Access,” which would allow information to be blocked in certain circumstances to reduce the risk of legal exposure for patients, providers, and others “based solely on the fact that the patient has lawfully received reproductive health care in a jurisdiction where that is permissible.”
To address cybersecurity, ONC is proposing requirements that require multi-factor authentication in certified EHR products, as well as server-side encryption of data.
“There are already requirements for encryption of data. If it is an end-user system, like a laptop, like a mobile device, then the requirement now is that it is encrypted on the server itself, the EHR database,” Tripathi said.
When it debuted in 2019, FHIR 4 – which was based on the FHIR DSTU2 and FHIR STU3 standards – “had the primary added benefit of facilitating backwards compatibility,” and proposed to remove significant hurdles for developers and “justify its widespread adoption,” Dr. Blackford Middleton, a global advisory board member at Smile Digital Health and a member of the HL7 advisory board, told VICE. Healthcare IT News.
In November, Providence Health System, one of the largest U.S. health systems with 52 hospitals and more than 900 clinics in seven states, reported that it was the first U.S. health system to use the Clinical Data Exchange specifications developed by HL7’s Da Vinci Project to build a FHIR-based data-as-a-service platform.
The new clinical data exchange technology developed with Premera Blue Cross eases the administrative and financial burden of transitioning to value-based care, Providence said in its announcement.
Although ONC finalized HTI-1 in December, the agency indicated that it expected to advance FHIR sharing by including new certification provisions for APIs in HTI-2.
In June, ONC showcased the Health Resources and Services Administration’s use of FHIR-based APIs in a proof-of-concept that streamlined reporting processes and improved data quality with live data, pending the Office of Management and Budget’s HTI-2 review.
“The regulations cover a wide range of aspects, but they do aim to make it clear that we need to work as hard and as fast as possible to achieve the interoperability we all dream of,” Tripathi said during the press conference.
“We’re now working on a number of these different measures and we’re very excited about what this rule will mean for the American public.”
Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.