Overview
On December 13, 2023, the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule to update ONC Health IT Certification Program requirements and amend the information blocking regulations that ONC issued under the 21st Century Cures Act (Cures Act). The HTI-1 final rule substantially finalizes policies ONC set forth in the HTI-1 proposed rule but does not finalize the controversial proposal on patient-requested restrictions for certain data uses and disclosures (sometimes referred to as data segmentation).
This On the Subject discusses the final rule’s updates to select standards, criteria and requirements of the Health IT Certification Program that apply to health IT developers of certified health IT (certified health IT developers), including:
- Adoption of the United States Core Data for Interoperability (USCDI) Version 3 to replace USCDI Version 1 as the baseline USCDI standard beginning January 1, 2026
- New requirements for the standardized application programming interface (API) for patient and population services certification criterion, including requirements for issuing refresh tokens and revoking access privileges
- Implementation of the Cures Act’s EHR Reporting Program provisions to require certain health IT developers to report on interoperability metrics through the new Insights Condition and Maintenance of Certification
- Requirements for new privacy functionality that enable an internet-based method for a patient to request a restriction on the use and disclosure of their electronic health information (EHI)
We will release a separate publication summarizing the algorithmic transparency framework and the revised decision support interventions certification criterion. We also separately published a summary of the final rule’s information blocking provisions, which includes a discussion of new and expanded exceptions to the information blocking prohibition. Note that the HTI-1 final rule includes other updates and additions to the Health IT Certification Program that are not discussed in this On the Subject.
In Depth
DISCONTINUING YEAR-THEMED EDITIONS FOR ONC CERTIFICATION CRITERIA FOR HEALTH IT
One noteworthy structural change to the Health IT Certification Program finalized by HTI-1 is that ONC will no longer maintain an edition naming convention for its health IT certification criteria. Previously, ONC bundled updates to certification criteria into editions and required certified health IT developers to test and certify health IT modules to applicable certification criteria. ONC last released a new edition in 2020, when it updated the 2015 Edition certification criteria with the Cures Update.
Following the HTI-1 final rule, ONC may now update individual certification criterion through notice and comment rulemaking. As a “Condition of Certification,” certified health IT developers must commit to rolling out updated versions of health IT modules that meet ONC’s adopted changes to applicable certification criteria. Failure to do so would result in the certified health IT developer losing its certification for non-updated health IT modules.
Without editions, all certification criteria within the Health IT Certification Program are renamed to “ONC Certification Criteria for Health IT.” ONC believes that maintaining a single set of certification criteria will create more stability for healthcare providers and other users of health IT and Health IT Certification Program stakeholders, such as the Centers for Medicare and Medicaid Services, as well as make it easier for certified health IT developers to maintain product certification over time. Some certified health IT developers noted in their comment letters, however, that edition-less certification could increase the frequency of burdensome certification updates. Certified health IT developers and healthcare providers will need to stay up to date on future ONC rulemakings that update certification criteria and should consider participating in ONC-facilitated public forums to provide input on the development and implementation timeframes for such updates.
KEY REVISED STANDARDS AND CERTIFICATION CRITERIA
USCDI Version 3 Updates
USCDI is the standard for data required to be accessible through certified health IT for numerous certification criteria. In the industry, USCDI is also considered the minimum data set required for interoperability. The data set is updated on an annual cycle with federal agency and industry input. In the HTI-1 final rule, ONC finalized, as proposed, USCDI Version 3 (USCDI v3) as the new baseline standard of data classes and constituent data elements for certified health IT but changed the effective date from January 1, 2025, to January 1, 2026. This change requires health IT modules certified to criteria that reference USCDI to update to USCDI v3 by the new deadline. (See the chart below for certification criteria that reference USCDI.) The USCDI v3 standard incorporates data elements on patient demographics (e.g., sexual orientation and gender identity) that were not included in prior USCDI versions and social determinants of health. Expanding the data elements and data classes included in the required version of USCDI increases the amount of data available to be used and exchanged for patient care. However, a significant number of the data elements included in USCDI v3 lack a vocabulary standard. Note that ONC has already published USCDI Version 4 and is now reviewing public comments on USCDI Version 5.
| Certification Criteria Referencing USCDI | |
|---|---|
| § 170.315(b)(1): Transitions of care | § 170.315(g)(6): Consolidated CDA creation performance |
| § 170.315(b)(2): Clinical information reconciliation and Incorporation | § 170.315(g)(9): Application access—all data request |
| § 170.315(b)(9): Care plan | § 170.315(g)(10): Standardized API for patient and population service |
| § 170.315(e)(1): View, download, and transmit to 3rd party | |
Standardized API for Patient and Population Services
The HTI-1 final rule also includes revisions to the standardized API for patient and population services certification criterion aimed at improving the security of patient APIs by requiring quicker expiration of the tokens issued to applications when a patient or provider enters a correct username and password. Specifically, certified health IT modules must ensure that:
- Their authorization server issues a refresh token according to a new implementation specification
- For health IT modules that allow short-lived access tokens to expire, such access tokens must be permitted to expire within one hour of the request (instead of immediate revocation)
Additionally, ONC finalized amendments to the API Condition and Maintenance of Certification requirements by specifying that certified health IT developers that have adopted a certified API must meet the publication requirements associated with service base URLs according to a specified format. This change is aimed at making it easier for patient-facing apps to access certified health IT developer APIs through more predictable service base URLs.
ONC also adopted the Substitutable Medical Apps, Reusable Technologies (SMART) App Launch Implementation Guide Release 2.0.0 (SMART v2 Guide), which replaces the SMART Application Launch Framework Implementation Guide Release 1.0.0 (SMART v1 Guide). ONC’s adoption of the SMART v2 Guide impacts the standardized API for patient and population services certification criterion. The SMART v2 Guide includes new features and technical revisions based on industry consensus, including features that reflect security best practices. Beginning January 1, 2026, the SMART v2 Guide will replace the SMART v1 Guide as the only version of the implementation guide available for use in the Certification Program.
Electronic Case Reporting
In the HTI-1 proposed rule, ONC proposed to replace the functional requirements of the existing electronic case reporting certification criterion with industry standards. ONC finalized revisions to the “transmission to public health agencies — electronic case reporting” criterion to require health IT modules to adopt consensus-based, industry-developed standards for electronic case reporting. Specifically, the revised certification criterion requires health IT modules to create a case report for electronic transmission, consume and process a case report response, and consume and process electronic case reporting trigger codes. Previously, the electronic case reporting criterion did not have a named standard associated with these functions. Under HTI-1, certified health IT developers will now need to implement certain HL7 electronic case reporting standards to obtain certification.
Patient-Requested Restrictions
ONC finalized a requirement for health IT modules certified to the “view, download, and transmit to 3rd party” certification criterion to support an internet-based method for a patient to request that a restriction be applied for electronic protected health information contained in the data elements in the required version of USCDI. Health IT modules certified to this criterion must comply by January 1, 2026.
Notably, in the HTI-1 proposed rule, ONC proposed a certification criterion that would have required support for the right of an individual to request restrictions on uses and disclosures of certain electronic protected health information. Many commenters raised concerns about implementation feasibility, patient safety and potential provider burden associated with ONC’s proposal. Based on the feedback received, ONC decided not to finalize the bulk of its proposals for patient-requested restrictions at this time. ONC’s certification criterion does not specify that a patient’s request for a restriction must be accommodated.
Requirement for Certified Health IT Developers to Update Certified Health IT
ONC finalized a requirement for certified developers with technology certified to any of the current certification criteria to update their previously certified health IT modules to meet revised certification criteria. Certified developers must also provide updated health IT to customers using their previously certified health IT according to the dates established for that criterion and any applicable standards.
ASSURANCES CONDITION AND MAINTENANCE OF CERTIFICATION
ONC strengthened the Assurances Condition and Maintenance of Certification requirement to require certified health IT developers to provide an assurance that they will not interfere with a customer’s timely access to interoperable certified health IT. This Condition of Certification also includes two accompanying Maintenance of Certification requirements that require certified health IT developers to:
- Update a health IT module, once certified to a certification criterion, to all applicable revised certification criteria including the most recently adopted capabilities and standards in the revised certification criterion
- Provide all health IT modules certified to a revised certification criterion to their customers of such certified health IT, all within timeframes established and specified in the final rule, with a 12-month timeframe for new customers
INSIGHTS CONDITION AND MAINTENANCE OF CERTIFICATION
Section 4002 of the Cures Act required ONC to establish an electronic health record (EHR) reporting program to provide transparent reporting on certified health IT in certain categories, including interoperability, usability and user-centered design, security, and conformance to certification testing. The Cures Act directed ONC to develop reporting criteria for certified health IT developers to submit responses with respect to their certified health IT. The HTI-1 final rule partially implements this Cures Act requirement through the new Insights Condition and Maintenance of Certification (Insights Condition), which requires certified health IT developers to report on certain interoperability metrics with respect to their certified health IT. ONC opted not to use the Cures Act term “EHR reporting program” for this new certification requirement. ONC intends for the Insights Condition’s reporting requirements to:
- Provide transparency through reporting
- Address information gaps in the health IT marketplace
- Provide insights on the use of specific certified health IT functionalities
- Provide information about the use of certified functionalities by end users
Which Certified Health IT Developers Must Report on the New Measures?
The finalized Insights Condition requires a certified health IT developer to report on a measure if it has each of the following:
- At least 50 hospital sites or 500 individual clinician users across its certified health IT
- Any health IT certified to the certification criteria specified in each measure
- Any users using the certified health IT associated with the measure
Certified health IT developers that do not meet the qualifications above must submit a response (an attestation) to indicate that they do not meet the minimum reporting qualifications for a measure.
What Are the Reporting Measures and When Is Reporting Required?
The HTI-1 final rule adopts seven reporting measures across four topic areas related to interoperability: individuals’ access to EHI, public health information exchange, clinical care information exchange, and standards adoption and conformance. ONC will require implementation of the Insights Condition requirements in three phases over three years.
Insights Condition Reporting Measures and Metrics
| Topic Area | Measure | Related Certification Criteria | Metrics | Initial Data Collection Year / Reporting Deadline |
|---|---|---|---|---|
| Individual Access to EHI | Individuals’ Access to Electronic Health Information Through Certified Health IT |
Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) View, download, and transmit to 3rd party – 45 C.F.R. § 170.315(e)(1) Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) OR View, download, and transmit to 3rd party – 45 C.F.R. § 170.315(e)(1) |
|
Year 1 January to December 2026 / July 2027 |
| Clinical Care Information Exchange | Consolidated Clinical Document Architecture (C-CDA) Problems, Medications, and Allergies Reconciliation and Incorporation Through Certified Health IT | Clinical information reconciliation and incorporation – 45 C.F.R. § 170.315(b)(2) |
|
Year 2 January to December 2027 / July 2028 |
|
Year 3 January to December 2028 / July 2029 |
|||
| Standards Adoption & Conformance | Applications Supported Through Certified Health IT | Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) |
|
Year 1 January to December 2026 / July 2027 |
| Standards Adoption & Conformance | Use of FHIR in Apps Through Certified Health IT | Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) |
|
Year 1 January to December 2026 / July 2027 |
|
Year 2 January to December 2027 / July 2028 |
|||
| Standards Adoption & Conformance | Use of FHIR Bulk Data Access Through Certified Health IT | Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) |
|
Year 2 January to December 2027 / July 2028 |
| Public Health Information Exchange | Immunization Administrations Electronically Submitted to Immunization Information Systems Through Certified Health IT | Transmission to immunization registries – 45 C.F.R. § 170.315(f)(1) |
|
Year 1 January to December 2026 / July 2027 |
|
Year 2 January to December 2027 / July 2028 |
|||
| Public Health Information Exchange | Immunization History and Forecasts Through Certified Health IT | Transmission to immunization registries – 45 C.F.R. § 170.315(f)(1) |
|
Year 2 January to December 2027 / July 2028 |
|
Year 3 January to December 2028 / July 2029 |
Certified health IT developers must also provide a percentage of their total customers (e.g., hospital sites and individual clinician users) represented in the data provided for each response. In addition, they must submit documentation on the data sources and the methodology used to generate the data. Responses and submitted documentation will be made publicly available via ONC’s website.
While the finalized reporting measures focus on interoperability, ONC indicated it intends to explore the other Cures Act reporting categories (e.g., security, usability and user-centered design, and conformance to certification testing) in future years. ONC published specification sheets with additional details about the metrics associated with each Insights Condition measure on its website (also linked in the table above).
If you have questions about how the final rule affects your organization, contact your regular McDermott lawyer or any of the authors of this On the Subject.
