Key Developments in Artificial Intelligence (AI) and Digital Health Signal Growing Federal Activity (Q1 2024)

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation.

• Federal Regulatory and Executive Branch Updates

  • OMB Issues Policy Memorandum Establishing Agency Use of AI (March 28, 2024)

  • FTC Releases 2023 Privacy and Data Security Update (March 28, 2024)

  • ONC Requests Comments on the Draft 2024-2030 Federal Health IT Strategic Plan (March 27, 2024)

  • FDA Issues a White Paper to Outline AI Medical Device Regulation (March 15, 2024)

  • President Biden Proposes Healthcare Sector Cybersecurity and Other Health Provisions in the FY 2025 President’s Budget (March 11, 2024)

  • President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data (February 28, 2024)

  • HHS Finalizes Significant Modifications Aligning Part 2 Regulations with HIPAA (February 16, 2024)

  • NIST Finalizes an Updated Special Publication Supporting HIPAA Security Rule Implementation (February 14, 2024)

  • CMS Issues Guidance on HIPAA-Compliant Secure Texting Platforms (February 8, 2024)

  • Draft Common Agreement Version 2.0 and Updated TEFCA Materials are Released (January 19, 2024)

  • CMS Issues Interoperability and Prior Authorization Final Rule (January 17, 2024)

  • CMS Innovation Center Announces New Value-based Care Models (January 2024)

• Federal Legislative Updates

• Upcoming Policy Developments

---

Federal Regulatory and Executive Branch Updates

OMB Issues Policy Memorandum Establishing Agency Use of AI (March 28, 2024)

• The White House Office of Management and Budget (OMB) issued a government-wide policy directing federal departments and agencies’ use of artificial intelligence (AI), which was mandated by President Biden’s Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” The OMB memorandum establishes new agency requirements and guidance for AI governance, innovation, and risk management, including through specific minimum risk management practices for certain AI uses. Specifically, it requires each agency to designate a Chief AI Officer (CAIO) within 60 days of the date of the memorandum; record inventory AI use cases on an annual basis; establish an agency program that supports identifying and managing risks from the use of AI, especially for safety-impacting and rights impacting AI; and conduct risk assessments to ensure compliance with the OMB memorandum. OMB also issued a request for information (RFI) to help inform its development of an initial means to ensure that agency contracts for the acquisition of AI systems and services align with the guidance provided in the memorandum. The comment period for the RFI closes April 29, 2024.
• Why it matters for you: The recent OMB memorandum demonstrates that federal agencies are coordinating to advance safe use of AI, including addressing cybersecurity, misinformation, and safety. Stakeholders should expect to see in the coming months subsequent activity from agencies implementing the various provisions included in the AI EO. 

---

FTC Releases 2023 Privacy and Data Security Update (March 28, 2024)

• The Federal Trade Commission (FTC) issued its 2023 Privacy and Data Security Update, which highlights its work to protect consumer privacy and respond to companies’ use of consumer data in various systems and technologies, including consumers’ non-Health Insurance Portability and Accountability Act of 1996 (HIPAA) health data and the development of AI tools. The FTC update outlines its privacy and data security work (e.g., enforcement actions, rulemaking and other policy work) which occurred between 2021 and 2023. Relevant to healthcare stakeholders, the FTC has initiated enforcement actions against several companies the shared sensitive health data with third-party companies for advertising purposes and violated the Health Breach Notification Rule (HBNR). It also mentions the June 2023 Notice of Proposed Rulemaking (NPRM) to strengthen and modernize the HBNR, including by clarifying its application to health apps and similar technology. Additionally, the FTC brought a number of AI-related enforcement actions related to the collection, retention, or use of consumers’ personal information to develop machine learning (ML) or similar algorithms.
• Why it matters for you: Stakeholders may use the FTC’s 2023 Privacy and Data Security Update as an informational resource. The FTC update reminds stakeholders of the FTC’s enforcement and policy work in the last few years, highlighting its priority to protect consumers’ privacy and health data privacy compliance. Companies that collect health information outside of HIPAA should carefully consider their data practices and review their privacy policies.

---

ONC Requests Comments on the Draft 2024-2030 Federal Health IT Strategic Plan (March 27, 2024)

• The Office of the National Coordinator for Health Information Technology (ONC) released and requested public comment on the 2024-2030 Federal Health IT Strategic Plan (the Draft 2024-2030 Strategic Plan), which establishes goals and objectives to serve as a roadmap for federal health information technology (IT) initiatives and activities, and as a catalyst for private sector action. ONC developed the Draft 2024-2030 Strategic Plan with more than 25 federal organizations. The Draft 2024-2030 Strategic Plan includes the following four goals:
  
  • Promote health and wellness;
  • Enhance the delivery and experience of care;
  • Accelerate research and innovation; and
  • Connect the health system with health data.
• Why it matters for you: ONC outlines a number of objectives to achieves its intended purpose, including promoting interoperable exchange of health data; enabling safe and responsible use of healthcare AI; advancing health equity and the social determinants of health; and bolstering privacy and security compliance. Stakeholders should consider submitting comments on the ONC Health IT Feedback and Inquiry Portal (available here) to ensure the priorities are aligned with industry priorities. The public comment period on the draft Plan ends on May 28, 2024.

---

FDA Issues a White Paper to Outline AI Medical Device Regulation (March 15, 2024)

• The U.S. Food and Drug Administration (FDA) released a white paper, which outlines how FDA’s medical product centers are working together to develop regulatory approaches that would advance responsible use of AI for medical products. FDA is taking the following actions, focused on four areas, regarding the uses of AI across the medical product life cycle:
  
  • Foster collaboration to safeguard public health;
  • Advance the development of regulatory approaches that support innovation;
  • Promote the development of standards, guidelines, best practices, and tools for the medical product life cycle; and
  • Support research related to the evaluation and monitoring of AI performance.

Notably, the white paper states that during 2024 the agency will issue draft guidance on life cycle management considerations and premarket submission recommendations for AI-enabled medical devices, draft guidance on the use of AI for regulatory decision making on drugs and biological products, and final guidance on marketing submission recommendations for predetermined change control plans. The white paper also states that FDA will organize demonstration projects to detect and mitigate bias in AI development, support projects on health inequity in AI, and conduct ongoing monitoring of AI within demonstration projects to promote standards adherence and performance reliability.

• Why it matters for you: Stakeholders that develop and market AI-enabled medical devices should be aware of upcoming guidance and the FDA’s plan to regulate these products as this can impact go-to-market strategies and regulatory compliance obligations for innovative technologies. We expect that FDA and other federal health agencies will increase scrutiny on these technologies.

---

President Biden Proposes Healthcare Sector Cybersecurity and Other Health Provisions in the FY 2025 President’s Budget (March 11, 2024)

• On March 11, 2024, President Biden issued the fiscal year (FY) 2025 President’s Budget, which included numerous healthcare proposals to reduce health care costs, increase access to health care coverage, and strengthen U.S. public health infrastructure. Notably, the FY 2025 President’s Budget proposes implementing through the existing Medicare Promoting Interoperability (PI) Program, incentives and penalties to encourage acute care hospitals and critical access hospitals (CAHs) to upgrade their cybersecurity practices. The President’s Budget also includes provisions to build upon the Inflation Reduction Act to reduce prescription drug prices, make permanent expanded Affordable Care Act premium tax credits, and provide Medicaid-like coverage to individuals in states that have not adopted Medicaid expansion.

• Why it matters for you: Each year, the Administration issues to Congress a non-binding budget framework to direct Congressional action to fund the federal government. While it is unlikely that the entirety of proposals would be enacted, the President’s Budget provides insight into the Biden Administration’s healthcare policy priorities and may preview forthcoming regulations.

---

President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data (February 28, 2024)

• On February 28, 2024, President Biden issued an Executive Order (Data Protection EO) directing federal agencies to issue regulations to protect sensitive personal data from exploitation by countries of concern that threaten U.S. national security and foreign policy. The Data Protection EO explains that countries of concern try to gain access to Americans’ bulk sensitive personal data (e.g., genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers) or U.S. Government-related data in order to use that data for a wide range of malicious activities. The Data Protection EO includes directives for HHS and those related to the healthcare sector, including ensuring that federal resources are not used to facilitate access to Americans’ sensitive health data by countries of concern and issuing a report assessing the risks and benefits of transactions involving types of human ‘omic data (i.e., human proteomic data, human epigenomic data, and human metabolomic data).

• Why it matters for you: The Data Protection EO includes directives for various departments and agencies to issue proposed guidance and publications in the coming months. As more health and human ‘omic data is collected and exchanged electronically by the health care sector, healthcare organizations and digital health companies should review guidance and other publications that may impact their data management practices.

---

HHS Finalizes Significant Modifications Aligning Part 2 Regulations with HIPAA (February 16, 2024)

• HHS issued a final rule modifying regulations at 42 C.F.R. part 2 (Part 2) governing the confidentiality of substance use disorder (SUD) records to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and more closely align Part 2 with privacy rules under HIPAA. At a high level, the final rule relaxes some of Part 2’s stringent requirements, which have historically limited the ability to include SUD data in health information exchange and care coordination efforts. The final rule’s most significant changes are related to consent to use, disclose, and redisclose Part 2 records. Compliance with the final rule is required by February 16, 2026.
• Why it matters for you: The Part 2 final rule’s provisions are likely to help reduce the burden on healthcare organizations and enhance care coordination and comprehensive care by facilitating access to and exchange of SUD-related information that has traditionally been siloed and subject to extremely stringent limitations. The Part 2 final rule is likely to impact health care organizations of all types, since many health care organizations receive Part 2 records and become lawful holders subject to certain Part 2 rules. Healthcare organizations should review and update various materials, including agreements, policies and procedures, training resources, consent forms, patient notices, and breach notification letters to make sure they remain consistent with the significant modifications codified through the Part 2 final rule.

---

NIST Finalizes an Updated Special Publication Supporting HIPAA Security Rule Implementation (February 14, 2024)

• The National Institute of Standards and Technology (NIST), in collaboration with the HHS Office for Civil Rights (OCR), issued an updated special publication for HIPAA-regulated entities to follow to improve cybersecurity and compliance with the HIPAA Security Rule, superseding the previous version (October 2008). The updated publication, Revision 2 of NIST Special Publication 800-66: Implementing the HIPAA Security Rule (NIST SP 800-66r2), provides guidance for HIPAA-regulated entities on assessing and managing risks to electronic protected health information (ePHI); identifies questions and activities that a HIPAA-regulated entity might consider in designing and implementing an information security program that complies with the HIPAA Security Rule standards and implementation specifications; and lists additional resources that HIPAA-regulated entities may find useful when implementing the Security Rule.
• Why it matters for you: The updated publication provides specific, actionable recommendations that many HIPAA-regulated entities will likely find useful in designing their information security programs. Compared to Revision 1, NIST SP 800-66r2 adds more detailed risk assessment and risk management guidance based on other publications (i.e., NIST Special Publication 800-30), highlighting the importance of these activities.

---

CMS Issues Guidance on HIPAA-Compliant Secure Texting Platforms (February 8, 2024)

• The Centers for Medicare & Medicaid Services (CMS) issued a quality standard memorandum clarifying that hospitals and CAHs may transmit patient information and orders via text message under certain conditions. Specifically, although Computerized Provider Order Entry (CPOE) continues to be the preferred method of order entry, healthcare team members are permitted to share patient information and orders among themselves through a HIPAA-compliant secure texting platform (STP) in accordance with Medicare and Medicaid Conditions of Participation (CoPs). The Memorandum reverses CMS’s position in a January 2018 memorandum and is effective immediately.
• Why it matters for you: CMS’ memorandum signals the agency’s growing acceptance of certain digital health technologies, such as text messaging platforms, in an effort to drive innovation and efficiencies in delivering patient care. Currently, there is scant agency guidance on text messaging in compliance with HIPAA, which has led to many providers’ reluctance to permit any text messaging of protected health information. The memorandum could encourage providers and other organizations to more readily embrace text messaging.

---

Draft Common Agreement Version 2.0 and Updated TEFCA Materials are Released (January 19, 2024)

• The Trusted Exchange Framework and Common Agreement (TEFCA) Recognized Coordinating Entity® (RCE), the Sequoia Project requested public comment on the draft Common Agreement Version 2.0 in addition to other draft TEFCA materials, including the Qualified Health Information Network (QHIN)™ Technical Framework Version 2.0, Participant/Subparticipant Terms of Participation, and various Standard Operating Procedures documents. The overall goal of TEFCA is to establish a universal governance, policy, and technical floor for nationwide interoperability. The Common Agreement is the legal contract that the RCE will sign with each QHIN. We expect that the RCE will release soon the finalized Common Agreement and other TEFCA materials.
• Why it matters for you: ONC recently officially designateda number of QHIN participants that have begun operating to share data under the Common Agreement’s policies and technical requirements It is also likely that more entities will increase data sharing via TEFCA and that more entities will take advantage of a new vehicle for data exchange.

---

CMS Issues Interoperability and Prior Authorization Final Rule (January 17, 2024)

• CMS issued the Interoperability and Prior Authorization Final Rule, which establishes requirements applicable to certain impacted payers, which are intended to improve the electronic exchange of health information and prior authorization processes. This final rule builds upon policies included in the CMS Interoperability and Patient Access Final Rule and adds several new provisions to increase data sharing and reduce overall payer, healthcare provider, and patient burden through improvements to prior authorization practices and data exchange practices.
• Why it matters for you: The CMS Final Rule’s application programming interface (API) requirements will take effectJanuary 1, 2027, while the operational provisions will take effect January 1, 2026. CMS has issued a helpful slide deck summarizing the Final Rule. We encourage impacted payers to develop a roadmap for implementation and assign teams that can ensure that these APIs are implemented effectively, timely, and in accordance with the requirements.

---

CMS Innovation Center Announces New Value-based Care Models (January 2024)

• Earlier this year, the CMS Innovation Center (Innovation Center) announced opportunities for different healthcare stakeholders and released details on a number of models in order to provide access to alternative methods of payment and to expand access to value-based care. We have highlighted recent developments below:
  • The Innovation in Behavioral Health Model (IBH Model): On January 18, 2024, the Innovation Center announced the IBH Model to test approaches for addressing the behavioral and physical health and health-related social needs (HRSNs) of Medicaid and Medicare beneficiaries. CMS states that the overall goal of the IBH Model is to improve the quality of care and outcomes for adults with mental health conditions and/or SUD by connecting them with the physical, behavioral, and social supports needed to manage their care. The IBH model will also promote interoperability by incentivizing health IT capacity building through infrastructure payments and other activities. Led by state Medicaid Agencies, the IBH is a state-based model with a goal of aligning payment between Medicaid and Medicare for integrated services. CMS will release a Notice of Funding Opportunity (NOFO) in Spring 2024, and up to eight states will be selected to participate. The model will launch in Fall 2024 and run for eight years.
  • The ACO Primary Care Flex Model (ACO PC Flex Model): On March 19, 2024, the Innovation Center announced the ACO PC Flex Model to provide funding to primary care providers in eligible Accountable Care Organizations (ACOs) to treat people with Medicare using innovative, team-based proactive care. It provides a one-time advanced shared savings payment and monthly prospective primary care payments (PPCPs) to ACOs in order to shift payment for primary care away from fee-for-service to enhance the predictability and amount of primary care funding for low revenue ACOs. The ACO PC Flex Model is a five-year voluntary model test within the Shared Savings Program that begins January 1, 2025.

• Why it matters for you: The recent release of these models demonstrates the Innovation Center’s focus to address barriers for certain populations and increase access to care, including behavioral health and primary care. Health care organizations should consider if taking advantage of these new models.

---

Federal Legislative Updates

Senate HELP Committee Ranking Member Releases a Report Including Digital Health Data Privacy Policy Recommendations (February 21, 2024)

• Senator Bill Cassidy (R-LA), Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report to propose policy recommendations to revise the HIPAA framework and ensure privacy protections for health data and information. In the report, Senator Cassidy highlights recent reports of breaches and violations of patients’ health data privacy and outlines several proposals to modernize the HIPAA framework and other privacy regulations and to fill in gaps left by the current frameworks. Senator Cassidy released an RFI in late 2023 regarding updating health privacy laws. In response to the RFI, trade association, hospitals, electronic health record (EHR) vendors, health technology companies, and think tanks submitted responses. The report includes recommendations based on public comment in addition to those developed by Senator Cassidy.
• Why it matters for you: The release of this report is part of a larger Congressional effort to create a comprehensive data privacy framework. The report emphasizes the need for Congress to pass legislation to advance health privacy law. Any legislative changes would impact HIPAA covered entities and business associates as well as other digital health companies that operate outside of HIPAA, including direct-to-consumer digital health technology. The report suggests building on the current infrastructure, but any legislative change would have broad implications for any entity that collects, maintains or exchanges health information.

---

House Leaders Launch a Bipartisan AI Task Force (February 20, 2024)

• U.S. House of Representatives Speaker Mike Johnson (R-LA) and Democratic Leader Hakeem Jeffries (D-NY) announced and appointed 24 bipartisan members to a task force to create a report that will include “guiding principles, forward-looking recommendations and bipartisan policy proposals” on AI. In a press release, Speaker Johnson emphasized the importance of Congress working in a bipartisan way to both understand and address regulatory gaps around the advancing technology. The task force will be co-chaired by Representatives Jay Obernolte (R-CA) and Ted Lieu (D-CA) and will include representatives from the key committees of jurisdiction.
• Why it matters for you: Any organization that is incorporating AI-enabled technology in health care should keep apprised of the upcoming report and additional action from the task force, including opportunities to comment. This new task force is a part of a larger Congressional effort to discuss the benefits and dangers of AI, including in clinical and healthcare settings, and may lead to legislation that could impact digital health.

---

House Members Launch the Congressional Digital Health Caucus (February 1, 2024)

• Representatives Troy Balderson (R-OH) and Robin Kelly (D-IL) announced the launch of the bipartisan Congressional Digital Health Caucus to inform policymakers of the rapid advancements in digital health innovation, work and partner with stakeholders across the health care system, and democratize access to digital health tools. The caucus will act as a public-private partnership to educate policymakers about the latest developments in digital health by serving as a hub for collaboration between government agencies, private sector innovators, and healthcare professionals. Additionally, the caucus will advocate for regulatory policies that will aim to foster innovation and ensure patient safety and data security. The announcement was followed by a panel discussion on healthcare AI and generative AI, featuring representatives from Microsoft, Amazon Web Services, Google, and Hippocratic AI.
• Why it matters for you: The recent launch of the Congressional Digital Health Caucus demonstrates Congress’ interest to understand and bolster federal support for widespread use of AI and digital health technologies. It also provides an opportunity for the private sector to maintain an open dialogue with federal legislators

---

Upcoming Policy Developments

In the coming months, we are watching out for the following policy updates from the Administration. For additional information, please see our blog that outlines our healthcare policy expectations for 2024.

• The Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability Proposed Rule (HTI-2) (Q2 2024): The HTI-2 Proposed Rule is under review by OMB. ONC has stated that the HTI-2 Proposed Rule will propose new standards to enable interoperability; establish certification requirements for APIs focused on use cases such as electronic prior authorization (ePA), patient engagement, care management, and care coordination; address information blocking; and bolster public health data infrastructure.
• Establishment of Disincentives for Health Care Providers Who Have Committed Information Blocking Final Rule (likely Q3 2024): ONC is reviewing comments on a proposed rule that would establish enforcement of violations of the Information Blocking Rule by health care providers. While ONC has highlighted the importance of provider compliance, there will not be enforcement against providers until after a final rule is published and in effect. Related to information blocking, we are still awaiting any enforcement action from the HHS Office of Inspector General (OIG) under information blocking regulations.

Crowell Health Solutions is a strategic consulting firm focused on helping clients to pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based care. We provide this monthly update on AI and digital health policy issues for health care stakeholders and innovators. Follow Crowell Health Solutions’ Trends in Transformation blog for the latest updates and in-depth analysis.