Crowell Health Solutions Update: Key Developments in AI and Digital Health Signal Growing Federal Activity (Q3 2024)

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments.

Executive Branch and Federal Agency Updates

Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC)

• ASTP/ONC Finalizes 2024-2030 Federal Health IT Strategy (September 30, 2024)
  • ASTP/ONC issued the final 2024-2030 Federal Health IT Strategic Plan (the Strategic Plan), which outlines the federal government’s health information technology (health IT) goals and objectives in the coming years. ASTP/ONC collaborated with more than 25 federal organizations to prioritize resources and align and coordinate efforts. Specifically, the Strategic Plan includes four goals: 1) promote health and wellness; 2) enhance the delivery and experience of care; 3) accelerate research and innovation; and 4) connect the health system with health data. In March 2024, ASTP/ONC published a draft version of the Strategic Plan (see here) and received public comments from numerous organizations, including health systems, associations and specialty societies, electronic health record developers, patient advocates, and others.
  • Why it matters for you: ASTP/ONC highlights a number of objectives included in the Strategic Plan, including promoting interoperable exchange of health data; enabling safe and responsible use of healthcare artificial intelligence (AI); advancing health equity and the social determinants of health; and bolstering privacy and security compliance. Healthcare organizations should look at the Strategic Plan’s detailed provisions, since they will impact various agency priorities over the next five years.
• ASTP/ONC Releases Draft Federal FHIR Action Plan (September 24, 2024)
  • ASTP/ONC released the 2024 Draft Federal FHIR Action Plan (Draft Action Plan), which was developed to help guide federal agency investment decisions in and adoption of the Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) standard and associated implementation specifications. In the Draft Action Plan, ASTP outlines six FHIR components currently in active development. The FHIR components include the following: 1) Core Components; 2) Network Components; 3) Payment and Health Quality Components; 4) Care Delivery and Engagement Components; 5) Public Health and Emergency Response Components; and 6) Research Components. The Draft Action Plan’s primary goal is to align federal agencies’ adoption and use of FHIR around a set of essential components and capabilities that agencies have implemented or are planning to implement in the next two years.
  • Why it matters for you: Recent interoperability regulations published by ASTP/ONC and the Centers for Medicare and Medicaid Services (CMS) rely on FHIR standards, and the agencies will continue to build FHIR into future policy and regulations. ASTP/ONC requests feedback on the Draft Action Plan to identify areas in which additional development and investment is needed and states it will be updated to reflect improvements based on the recommendations received. Organizations, including those in the standards development community, those that are required to comply with ASTP/ONC and CMS interoperability regulations, and those that may have products that leverage these FHIR standards to access electronic health data, should consider providing comments (see here) on the Draft Action Plan by November 25, 2024.
• HHS Rule Proposes Using Procurement Policy to Push Health IT Standards (August 9, 2024)
  • ASTP/ONC issued a proposed rule to modify the Health and Human Service Acquisition Regulation (HHSAR) to implement an HHS-wide policy to align requirements related to the procurement of health IT with standards and implementation specifications adopted by ASTP/ONC or compliance with the voluntary ONC Health IT Certification Program. This rule would apply to health IT that is:
    • Procured on behalf of HHS entities; or
    • Procured through HHS contracts with health care providers, health plans, or health insurance issuers that involve implementing, acquiring, or upgrading health IT.

This is one component of implementing the HHS Health IT Alignment Policy, which requires all HHS divisions broadly to include requirements applicable to all HHS divisions to include, to the extent legally permissible, “standard health IT language in applicable grants, cooperative agreements, contracts, and rulemaking to ensure alignment of the Department’s health IT investments.” Additional information on the proposed rule is available here.

• • Why it matters for you: If finalized, organizations that contract with HHS to implement, acquire, or upgrade health IT used 1) for the direct exchange of individually identifiable health information between agencies and non-Federal entities, or 2) by healthcare providers, health plans, or health insurance issuers, would be impacted by the proposed rule. Comments on the proposed rule were due by October 8, 2024.

• HHS Reorganizes ONC and Bolsters AI Leadership (July 25, 2024)
  • HHS announceda number of organizational changes, including renaming the Office of the National Coordinator for Health Information Technology (ONC) to the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC) and announcing recruiting for several HHS-wide roles, including Chief Technology Officer, Chief Data Officer, and Chief AI Officer. It also acted to bolster federal efforts to address health sector cybersecurity by moving the 405(d) Program from the Assistant Secretary for Administration (ASA) to HHS Administration for Strategic Preparedness and Response (ASPR) Office of Critical Infrastructure Protection. Additional information on the reorganization is available here. 
  • Why it matters for you: HHS’ recent organizational changes reflect heightened focus to provide oversight and issue policies governing the use of individuals’ health data and the development of AI technologies. It also demonstrates HHS’ aim to address recent cyberattacks against the health sector entities. ASTP/ONC will be responsible for actions under the AI Executive Order. Additional information on the AI Executive Order is available here.
• ASTP/ONC Proposes Changes to Health IT Certification Program and Information Blocking Regulations, Codifies Certain TEFCA Provisions (July 10, 2024)
  • ASTP/ONC released the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) proposed rule (HTI-2 Proposed Rule) for public comment. In the HTI-2 Proposed Rule, ASTP/ONC builds on the January 2024 HTI-1 Final Rule (see our client alert here). ASTP/ONC proposed updating the United States Core Data for Interoperability (USCDI) and offered new and revised standards and certification criteria in the voluntary ONC Health Information Technology (IT) Certification Program (Certification Program), including advancements in FHIR standards related to public health interoperability. It also proposed new and revised exceptions under the information blocking regulations and provided greater transparency and implementing certain provisions related to the Trusted Exchange Framework and Common Agreement (TEFCA).
  • Why it matters for you: If finalized, the HTI-2 Proposed Rule’s Certification Program requirements, including those related to public health and API capabilities, would help to facilitate the use of industry-wide data standards and improve health information exchange. Other proposals, including the information blocking and TEFCA provisions, support greater transparency and organizations’ compliance with regulatory and legal rules governing health IT and health information exchange. We are also continuing to see changes and iterations to the information blocking rules, which have not yet been enforced by HHS.
    
    The HTI-2 Proposed Rule was published in the Federal Register on August 5, 2024. Comments on the HTI-2 Proposed Rule were due by October 4, 2024 at 5 PM EST.

Advanced Research Projects Agency for Health (ARPA-H)

• ARPA-H Announces Initiative to Support Healthcare Innovators (September 16, 2024)
  • ARPA-H announced the ARPA-H Emerging Health Innovators (EHI) Initiative, which is intended to increase access to government research funding and address healthcare gaps. The EHI Initiative begins with a Network Survey, which will gather information and insights from early career investigators, community innovators, and administrators at academic institutions. Through the EHI Network Survey, ARPA-H seeks to learn from these emerging health innovators about their specific needs, challenges, and concerns and states that these responses will inform a forthcoming funding solicitation. ARPA-H intends the solicitation to offer two tracks: 1) technology-driven innovation to support early career investigators in developing innovative health technologies; and 2) community-center innovation to empower community innovators to develop technology that addresses specific community needs.
  • Why it matters for you: Since its inception in 2022, ARPA-H has been working to spur innovation in the health sector and to address disparities and advance equity. Comment on the EHI Network Survey were due by October 25, 2024. The EHI solicitation is anticipated to be available in late 2024. Future EHI awards would generally be in the form of other transaction agreements. This new initiative demonstrates ARPA-H’s support for early career innovators and community health centers.
• ARPA-H launches Program Supporting AI-enabled Medical Tools (August 29, 2024)
  • ARPA-H announced a new funding opportunity through the Performance and Reliability Evaluation for Continuous Modifications and Useability of Artificial Intelligence (PRECISE-AI) program, which is intended to support the performance of AI-enabled tools in health care. PRECISE-AI will develop techniques that analyze AI-enabled tools and identify root causes for performance deterioration, including when an AI-enabled tool used in real-world clinical care settings is potentially out of alignment with its underlying training data. Overall, the purpose of this program is to improve AI-enabled tools to make them more helpful to clinicians and to benefit patients.
    
    PRECISE-AI will address: 1) automatic extraction and integration of data across different clinical use cases; 2) model performance, degradation, and automatic corrections; 3) quantifying uncertainty and improve clinical outcomes; 4) aggregating and sharing data across; and 5) performing independent verification and validation.

• • Why it matters for you: ARPA-H has released its program solicitation and anticipates issuing multiple awards. Awards will depend on the quality of the proposals received and the availability of funds. Additional information is available on the PRECISE-AI program page here.

Centers for Medicare & Medicaid Services (CMS)

• CMS Establishes a Provider Directory Pilot (September 23, 2024)
  • CMS is partnering with the Oklahoma Insurance Department to launch a pilot to establish a statewide centralized directory that allows Qualified Health Plans (QHPs) and providers to submit and access pre-populated provider data to improve accuracy and reduce burden. CMS is working to improve data accuracy, lessen burden on providers and payers, lower administrative costs, support interoperable data exchange, and improve patient and provider experiences. This pilot follows a Request for Information (RFI) on a National Directory of Healthcare (NDH) that CMS published two years ago.
  • Why it matters to you: As HHS pushes for greater exchange of electronic health information, there continues to be challenges in maintaining accurate provider directories. Healthcare directories that contain aggregated information about healthcare providers, facilities, and other entities involved in patient care are crucial resources for consumers and the healthcare industry; however, the fragmented directories often contain inaccurate information and lead to unnecessary health care costs. Entities that develop or maintain directories should pay close attention to this pilot and subsequent policies as CMS intends to use the pilot to inform the design and feasibility of any future efforts.
• CMS Requests Information on AI Technologies to Improve Health Care Outcomes and Service Delivery (September 9, 2024)
  • CMS issued a request for information (RFI) seeking input from healthcare companies, providers and payers, start-ups, and other developers on the use of artificial intelligence (AI) in health care. CMS aims to select organizations to provide demonstrations of their AI products/services during a series of “CMS AI Demo Days” to help the agency better understand AI uses. While CMS will accept comments from all interested parties, it is specifically interested in hearing from organizations that develop generative AI, diagnostics and imaging analysis, clinical documentation and summarization, clinical decision support systems, and business administration automation and efficiencies, among other AI functionalities in the health sector.

• • Why it matters for you: CMS’ RFI provides an opportunity for companies developing and implementing AI technologies to demonstrate to CMS leaders AI use cases in the health sector. The deadline for questions was September 27, 2024 and responses were due by October 7, 2024. Selections and notifications will be made on a quarterly basis starting October 2024.
• CMS Innovation Center Outlines Data Sharing Principles (August 21, 2024)
  • The CMS Innovation Center (the Innovation Center) publishedits data-sharing strategy, which seeks to further enable data sharing while ensuring proper security, risk management, and privacy obligations. Specifically, the Innovation Center outlines the following data strategy principles:
    • Promote access to CMS data, including enabling application programming interface (API) access to claims data for participants beyond accountable care organizations (ACOs) and exploring participation in the Trusted Exchange Framework and Common Agreement (TEFCA);
    • Formulate data-sharing strategy early in model design;
    • Focus on standards (e.g., investing in FHIR);
    • Invest in data tools and resources;
    • Enhance CMS data collection capabilities (including through file-based exchange and use of APIs); and
    • Partner broadly to enhance data-sharing capabilities.
  • Why it matters for you: Innovation Center model participants and others can benefit from increased access to data, which may address data readiness barriers and promote timely access to data intended for clinical management. This may also help to further encourage participation in value-based programs. The strategy also reflects recent federal efforts to promote interoperability and health data sharing, as demonstrated by greater adoption of industry-wide standards and recent policy developments to implement TEFCA.  
• CMS Releases CY 2025 Hospital Outpatient and ASC Proposed Rule (July 9, 2024)
  • CMS releasedthe Calendar Year (CY) 2025 Hospital Outpatient Prospective Payment System (OPPS) and Ambulatory Surgical Center (ASC) proposed rule (CY 2025 OPPS/ASC Proposed Rule), which contains proposals to update OPPS and ASC payment rates by 2.6 percent in addition to proposals that address health disparities, expand access to behavioral health care, advance maternal health care, and promote safe, effective, and patient-centered care. CMS is required annually to propose updating the payment policies and rates for services furnished to Medicare beneficiaries in hospital outpatient department (HOPD) and ASCs. The CY 2025 OPPS/ASC Proposed Rule includes policies for remotely furnished outpatient therapy services, Diabetes Self-Management Training and Medical Nutrition Therapy services and mental health services furnished remotely to beneficiaries in their homes by hospital staff to maintain alignment across payment systems. Additional information on the CY 2025 OPPS/ASC Proposed Rule is available here.

Related to digital health, CMS proposes changing the current review timeframe for prior authorization requests for HOPD services from 10-business days to 7-calendar days for standard reviews. This proposal aligns with the CMS Interoperability and Prior Authorization Final Rule (see our client alert here), which established timeframes for certain payers to send prior authorization decisions. CMS also proposes that beginning with the CY 2025 reporting period/CY 2027 payment determination, a HOPD using electronic health record (EHR) technology certified to the ONC health IT certification criteria would be required to have its EHR technology certified to all electronic clinical quality measures (eCQMs) that are available to report under the Hospital Outpatient Quality Reporting (OQR) Program. CMS further proposes that for the CY 2025 reporting period/CY 2027 payment determination and subsequent years, HOPDs would be required thereafter to use the most recent version of the eCQM electronic measure specifications​.

• Why it matters for you: The comment periodlasted for 60 days and ended on September 9, 2024. If finalized, CMS states that the CY 2025 OPPS/ASC Final Rule will be issued in November 2024. 

• CMS Releases CY 2025 Medicare Physician Fee Schedule Proposed Rule (July 8, 2024)
  • CMS releasedthe Calendar Year (CY) 2025 Medicare Physician Fee Schedule Proposed Rule (2025 PFS Proposed Rule), which contains proposals to update PFS payment rates, improve payment for and access to behavioral health services, extended telehealth flexibilities, establish ways to enhance access to primary care services, and strengthen the Medicare Shared Savings Program (MSSP). The CY 2025 PFS Proposed Rule continues efforts by the Biden-Harris Administration to strengthen access to primary and behavioral health care by establishing new codes and payments and adding services to help beneficiaries and practitioners to safely administer and receive care in their own home. Additional information on the 2025 PFS Proposed Rule is available here.
    
    Related to digital health, CMS includes a number of proposals to make changes to the Quality Payment Program, including the Merit-Based Incentive Payment System (MIPS) Promoting Interoperability (PI) objective. CMS proposes that a data submission for the PI performance category must include all of the following elements to be considered a qualifying data submission and scored: 1) performance data, including any claim of an applicable exclusion, for the measures in each objective, as specified by CMS; 2) required attestation statements, as specified by CMS; 3) CMS EHR Certification ID (CEHRT ID); and 4) the start date and end date for the applicable performance period as set forth in § 414.1320. The CY 2025 PFS Proposed Rule also issues a request for information (RFI) pertaining to the Public Health and Clinical Data Exchange Objective under the PI performance category.

• • Why it matters for you: Public comments on the Medicare PFS Proposed Rule closed on September 9. If finalized, the proposed rule is expected to be finalized by November 1 and will take effect on January 1, 2025. The complete proposed rule can be found in the Federal Register here.

U.S. Food and Drug Administration (FDA)

• FDA Issues Digital Health and AI Glossary (September 26, 2024)
  • FDA published a digital health and artificial intelligence (AI) glossary and educational resource to support consistent use of digital health and AI terminology by the FDA and interested parties. It includes the definitions for Artificial Intelligence, Artificial Intelligence Performance Monitoring (AI Performance Monitoring), Digital Health Technology (DHT), Generative Artificial Intelligence (Generative AI), Interoperability, Large Language Model (LLM), Machine Learning (ML), among others.
  • Why it matters for you: As healthcare organizations, digital health developers, health care professionals, and other stakeholders are discussing frameworks and best practices related to AI and ML or negotiating agreements, and as the federal government develops policy related to AI and ML in healthcare, it is really important to have consistency in understanding of terminology that is addressed. This document is helpful as an educational resource and creates standardized language for complex terms. It provides insight into FDA’s understanding of terms that it will use in guidance and regulation. Organizations may send to the FDA input and questions on this glossary by email to digitalhealth@fda.hhs.gov, with “Attn: DH/AI Glossary,” in the subject line.
• FDA Announces Digital Health Advisory Committee Roster (August 1, 2024)
  • FDA announced the roster of the Digital Health Advisory Committee, which is comprised of representatives from academia and health systems, health technology companies, and other organizations. The Committee will advise the FDA on issues related to digital health technologies (DHTs), providing relevant expertise and perspective to enhance the agency’s understanding of the benefits, risks, and clinical outcomes associated with the use of DHTs. The Committee may also advise the FDA on topics such as AI and Machine Learning, Cybersecurity, and patient generated health data.
  • Why it matters for you: On November 20-21, 2024, the FDA plans to hold the first Digital Health Advisory Committee meeting to discuss how the use of Generative AI may impact safety and effectiveness of medical devices enabled with this technology. Further, the Committee will discuss premarket performance evaluation, risk management, and post-market performance monitoring for generative AI-enabled devices. Healthcare stakeholders may wish to attend the upcoming Committee meeting because findings and discussions may inform FDA policymaking.
• FDA Issues Guidance on Using EHR and Medical Claims Data in Clinical Studies (July 25, 2024)
  • FDA issued final guidance, titled “Real-World Data: Assessing Electronic Health Records and Medical Claims Data to Support Regulatory Decision-Making for Drug and Biological Products.” The guidance aims to provide drug sponsors with considerations should they wish to use real-world data (RWD) drawn from electronic health records (EHRs) or medical claims data in their clinical studies to support regulatory decisions related to the safety and efficacy of a drug. Specifically, it directs sponsors to address the appropriateness, relevance, and comprehensiveness of certain data sources; study design elements (i.e., clearly defining relevant time periods included in the data); and data quality by recommending multiple data quality checks, cleansing, and monitoring of data quality at each stage of the process. Additional information on the final guidance is available here.
  • Why it matters for you: FDA’s guidance includes a broad array of topics sponsors should consider when developing their study protocols. In particular, the FDA is focused on the reliability (accuracy, completeness, and traceability of data) and relevance (availability of data for key study variables such as exposures, outcomes, covariates, and sufficient numbers of representative patients for the study) of the data being used.

The Sequoia Project, Inc.

• RCE Issues Technical Guidance Governing TEFCA Exchange (August 6, 2024)
  • Over the summer, the Sequoia Project, Inc., The Recognized Coordinating Entity (RCE) for the Trusted Exchange Framework and Common Agreement (TEFCA), released several Standard Operating Procedures (SOPs), which are written procedures or other provisions that are adopted pursuant to the Common Agreement, among other documents governing TEFCA Exchange. Since the publication of Common Agreement Version 2.0, some operating details from Common Agreement Version 1.1 were moved to the SOPs. These SOPs and other resources that support implementation of Common Agreement Version 2.0.
    
    The following TEFCA resources and SOPs were released on July 1, 2024:

• • • QHIN Technical Framework (QTF) Version 2.0 (updated, see here)
    • Facilitated FHIR Implementation SOP (see here)
    • Individual Access Service (IAS) Provider Requirements SOP (see here)
    • Governance Approach SOP (see here)
    • Delegation of Authority SOP (see here)
    • Expectations for Cooperation SOP (see here)
    • Exchange Purposes SOP (see here)
    • RCE Directory Service Requirements Policy SOP (see here)
    • TEFCA Security Incident Reporting SOP (see here)
    • Treatment Exchange Purpose (XP) Implementation SOP (see here)

The following SOPs were released on August 6, 2024:

• • • The Exchange Purposes (XP) SOP (updated, see here)
    • The Public Health XP Implementation SOP (see here)
    • The Health Care Operations XP Implementation SOP (see here)
    • The Individual Access Services (IAS) XP Implementation SOP (see here)
    • The QHIN Security for the Protection of TEFCA Information (updated, see here)

• • • Why it matters for you: Not only are the recently released SOPs are important to understand as they are required for QHINs and TEFCA participants, but also because they may drive policies for health information exchange outside of TEFCA. The RCE states that it will continue to roll out additional SOPs to identify technical specifications supporting TEFCA Exchange.

Federal Legislative Developments

• Senators Introduce Healthcare Cybersecurity Bill (September 26, 2024)
  • Senate Finance Committee Chair Ron Wyden (D-OR) and Senator Mark Warner (D-VA) introduced a bill titled the “Health Infrastructure Security and Accountability Act,” to bolster U.S. healthcare system cybersecurity in response to recent attacks against the health sector. The proposed bill would require HHS, within two years, to develop and enforce minimum security standards for Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates to protect health information and health information systems. It would require covered entities and business associates to conduct and document a security risk assessment and require HHS to annually audit the data security practices of at least 20 covered entities or business associates. It would provide $800 million in Medicare funding over two years for rural and urban safety-net hospitals to adopt essential security standards over a two-year period and $500 million to incentivize all hospitals to adopt enhanced security practices. It would codify HHS’ authority to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the health system. It would also increase civil money penalties for entities’ failure to comply with security standards and requirements for health information, among other provisions.
  • Why it matters for you: Members of Congress, including Senate Finance Committee members, have been working to increase federal support and oversight of healthcare cybersecurity in the wake of recent attacks. Healthcare organizations should review and update their security practices and continue to keep apprised of policy developments in this area (including those being proposed by Congress).

Upcoming Policy Developments

In the coming months, we are watching out for the following policy updates from the Administration.

• Calendar Year (CY) 2025 Hospital Outpatient PPS (OPPS) Policy Changes and Payment Rates and Ambulatory Surgical Center Payment System Policy Changes and Payment Rates (CMS-1809): Organizations should expect this final rule, which revises the Medicare hospital outpatient prospective payment system to implement statutory requirements and describes changes to the amounts and factors used to determine payment rates for services.
• CY 2025 Revisions to Payment Policies Under the Physician Fee Schedule (PFS) and Other Revisions to Medicare Part B (CMS-1807): Organizations should expect this final rule, which revises payment polices under the Medicare physician fee schedule and makes other policy changes to payment under Medicare Part B. These changes would apply to services furnished beginning January 1, 2025.
• Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information: This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will attempt to improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.
• Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability: The rulemaking advances interoperability, as defined by the Public Health Service Act, through proposals for: standards adoption; public health IT certification; expanded uses of certified application programming interfaces (APIs), such as for electronic prior authorization, patient engagement, care management, and care coordination; and information sharing under the information blocking regulations. Organizations should expect the release of this final rule in the coming months. Some portions of the rule may be expedited in anticipation of the change in Administration, particularly if Trump wins the election.

Crowell Health Solutions is a strategic consulting firm focused on helping clients to pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based care. We provide this monthly update on AI and digital health policy issues for health care stakeholders and innovators. Follow Crowell Health Solutions’ Trends in Transformation blog for the latest updates and in-depth analysis.