
End of Year Regulations on Interoperability

Client Alert | 8 min read | 12.20.24

Federal policy efforts to advance health data exchange and interoperability are continuing to change rapidly. The latest changes are the publication of two final rules by the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) finalizing parts of the Health Data, Technology, and Interoperability (HTI-2) Proposed Rule. These rules adopt requirements regarding the Trusted Exchange Framework and Common Agreement (TEFCA) (HTI-2 Final Rule), and create a new Information Blocking exception under Protecting Care Access (HTI-3 Final Rule), on December 16th and 17th, respectively.

HTI-2 Final Rule focuses on changes to CFR Parts 170 and 171, finalizing updates to the Privacy and Security Framework criterion and certification, information blocking regulations including definitions related to the TEFCA Manner Exception, and several administrative updates. This regulation comes in the wake of recent policy developments released by the Recognized Coordinating Entity in coordination with ASTP/ONC. This rule is effective on January 15, 2025.

HTI-3 Final Rule finalizes proposals related to reproductive health data and information blocking regulations, including modifications to the existing information blocking exceptions (Privacy Exception and Infeasibility Exception) and a new information blocking exception (Protecting Care Access). This rule was effective upon publication.

The release of HTI-2 and HTI-3 Final Rules is intended to advance interoperability and support the access, exchange, and use of electronic health information. We note that there are a number of proposed changes with regard to health IT certification that were not finalized. We expect that ASTP/ONC will continue to work on these changes with the intent of finalizing them in 2025.

In this client alert, we summarize the most relevant components of HTI-2 and HTI-3 Final Rules.

Key Changes

ONC Health IT Certification Program

With respect to the ONC Health IT Certification Program, HTI-2 Final Rule both made administrative updates and corrected the Privacy and Security Certification Framework found in § 170.550(h).

Administrative Updates | ASTP/ONC removed the following references, criteria, and provisions, which were applicable during statutorily designated time periods that have since elapsed:

    • References to “Complete EHRs” and “EHR Module;”
    • Certification criteria finalized under the ONC Cures Act Final Rule including (1) drug-formulary and preferred drug list checks, (2) patient-specific education resources, (3) data export, (4) secure messaging, and (5) application access—data category request; and
    • Provisions that permitted health IT to demonstrate security tagging of Consolidated-Clinical Document Architecture (C-CDA) documents.

Privacy and Security Framework | The final rule incorporated requirements to comply with existing privacy and security criteria when being certified to the decision support intervention (DSI) Health IT Module, which the ONC HTI-1 Final Rule had previously omitted as an oversight. The enumerated privacy and security criteria are: “authentication, access control, and authorization;” “auditable events and tamper-resistance;” “audit reports;” “automatic access time-out;” “emergency access;” “end-user device encryption;” “encrypt authentication credentials;” and “multi-factor authentication.”

To “provide developers of certified health IT time to comply,” ASTP/ONC set January 1, 2028 as the date by which Health IT Modules certified to decision support interventions must also be certified to the privacy and security certification criteria.

Information Blocking

In HTI-2 Final Rule, ASTP/ONC finalized the new TEFCA Manner Exception to the Information Blocking rule, with no revisions, to encourage health information exchange via TEFCA and codified definitions of certain terms relevant to TEFCA.

TEFCA Manner Exception (HTI-2 Final Rule) | This exception provides that limiting EHI exchange to only via TEFCA will not be considered information blocking when the following conditions are met: (1) the actor and requestor are both part of TEFCA; (2) the requestor is capable of such access, exchange, or use of the requested EHI from the actor via TEFCA; and (3) any fees charged by the actor and the terms for any license of interoperability elements granted by the actor in relation to fulfilling the request satisfy the Fees Exception and Licensing Exception. The final rule notes that the TEFCA Manner Exception is available only if the request is not made via the standards adopted in 45 C.F.R. § 170.215, which include the Fast Healthcare Interoperability Resources (FHIR) Application Programming Interface (API) standards.

Definitions (HTI-2 Final Rule) | Rather than finalize a definitions section, ASTP/ONC relies upon the TEFCA definitions in the new 45 CFR §172 (discussed in further detail below) in order to maintain consistency between the Common Agreement and the new TEFCA regulations.

In HTI-3 Final Rule, ASTP/ONC added a definition for “reproductive health care,” finalized revisions for two existing information blocking exceptions (Privacy Exception and Infeasibility Exception), and finalized a new information blocking exception, Protecting Care Access Exception.

Reproductive Health Care Definition | The HTI-3 Final Rule defines “reproductive health care” as health care, as defined in HIPAA, “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” The rule notes that the definition does not set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.

Privacy Exception | This exception provides that limiting EHI exchange will not be considered information blocking when done to protect an individual’s privacy if certain conditions are met. The HTI-3 Final Rule makes two changes to this exception. First, it modifies the definition of “Individual” to include “any other natural person who is subject to the EHI being accessed,” and personal representatives, legal representatives, and executors, administrators, and other persons acting on behalf of a deceased person. The final rule also removes the phrase “unless otherwise required by law” from the sub-exception for an individual’s request not to share EHI. ASTP/ONC explained that removing this phrase makes clear that an actor’s decision to honor an individual's requested restriction on sharing their EHI when confronted with ambiguous or unclear legal requirements to share such information will not be considered information blocking.

Infeasibility Exception | This exception provides that limiting EHI exchange will not be considered information blocking where complying with the request for EHI is infeasible as described in the conditions to the exception. The HTI-3 Final Rule broadened the segmentation condition of this exception to include where the requested information cannot be unambiguously segmented from EHI that cannot be shared (i) due to applicable law, or (ii) because it falls under one of the other exceptions to information blocking. The condition previously only referenced applicable law and the inability to segment EHI that would fall under the Preventing Harm Exception. Now, the inability to unambiguously segment EHI that would fall under any part of the Privacy Exception as well as the new Protecting Care Access Exception would also fall under this exception.

Protecting Care Access Exception | The HTI-3 Final Rule established a new exception at § 171.206 to address reducing potential exposure to legal action related to reproductive health care. To meet the conditions of this exception, the restriction must meet the threshold condition that (1) the actor is acting on a good faith belief that “(a) persons seeking, obtaining, providing, or facilitating reproductive health care are at risk of being potentially exposed to legal action that could arise as a consequence of particular access, exchange, or use of specific electronic health information; and (b) specific practices likely to interfere with such access, exchange, or use of such electronic health information could reduce that risk,” (2) the practice is no broader than necessary to reduce this risk, (3) the practice is documented in writing, and (4) the practice is implemented in a consistent and non-discriminatory way. The practice may be documented as an organizational policy or as applied on a case-by-case basis. Other actors, including business associates and actors who otherwise maintain EHI, may rely on this good faith belief.

Such practices can be implemented where the EHI would carry a substantial risk of supporting a reasonable inference that the patient “(i) obtained reproductive health care; (ii) inquired about or expressed an interest in seeking reproductive health care; or (iii) has any health condition(s) or history for which reproductive health care is often sought, obtained, or medically indicated.” But a patient can direct the disclosure of such EHI notwithstanding the actor’s practice or policy. Similarly, such practices can be implemented where the EHI would carry a substantial risk of supporting a reasonable inference that a provider provides or facilitates, or has provided or facilitated, reproductive health care. The final rule includes a definition of legal action to include criminal, civil, or administrative investigations or actions sought for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.

Trusted Exchange Framework and Common Agreement (TEFCA)

The HTI-2 Final Rule codifies select TEFCA provisions “to provide greater process transparency” and to further implement TEFCA provisions in the 21st Century Cures Act (“Cures Act”).

ASTP/ONC stated that TEFCA provisions are codified to:

  • Establish qualifications necessary for an entity to receive and maintain designation as a QHIN under the Common Agreement;
  • Establish procedures governing QHIN onboarding and designation, suspension, termination, and administrative appeals to ASTP/ONC to “support reliability, privacy, security, and trust within TEFCA;” and
  • Meet Cures Act requirements, as follows:
    • ASTP/ONC will publish online a list of the health information networks (HINs) that adopted the Common Agreement and are capable of trusted exchange under the Common Agreement; and
    • HHS will establish (through notice and comment rulemaking) a process for HINs that voluntarily elect to adopt TEFCA to attest to such adoption.

ASTP/ONC also emphasized in the final rule, “we do not believe it would benefit TEFCA to codify all TEFCA requirements in regulation due to the need, as commenters noted, for TEFCA to move quickly and evolve with the ever-changing interoperability landscape.”

Takeaways

In general, the TEFCA changes are not significant policy changes, but rather put into regulation the policies that ASTP/ONC has already articulated. The Information Blocking changes are more significant as they provide additional exceptions that permit withholding of electronic health information. We note that there has yet to be any federal enforcement of the information blocking rules; however, we are seeing information blocking raised in commercial disputes.

Regulated entities will want to ensure that their policies and procedures governing electronic health information sharing are in compliance, including, as applicable: updates to policies and procedures on ONC Health IT Certification Program criteria; determining instances in which the TEFCA Manner Exception may apply; updates to policies and procedures on reproductive health care and related exceptions; and ensuring QHIN designation and operation under TEFCA. We note that these rules have been published late in the Administration and expect that there will be discussions about finalizing other parts of the proposed HTI-2 rule after the new HHS leadership is confirmed.

For further guidance on how regulated entities that exchange health information can prepare for compliance, please contact our team.
