ONC Steps into AI Regulation by Imposing Requirements for ‘Predictive Decision Support Interventions’; Also Updates Information Blocking Rules

On December 13, 2023, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published a wide-ranging final rule, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1), which was published in the Federal Register on January 9, 2024.¹  This rule finalizes extensive transparency and risk management requirements for “predictive decision support interventions” (predictive DSI), which includes predictive tools based on artificial intelligence (AI), as well as significant updates to the information blocking regulations. In several respects, the rule appears to subject AI-based software regulated by the Food and Drug Administration (FDA) as a medical device to additional requirements. The rule also establishes a new Insights Condition and Maintenance of Certification and finalizes other updates to the ONC Health IT Certification Program (Certification Program).  

Predictive DSI

ONC finalized substantial certification criterion requirements related to algorithm transparency and risk management for predictive DSI. We discussed the proposed predictive DSI requirements in a prior alert.

Predictive DSI means “technology that supports decision-making based on algorithms or models that derive relationships from training data and then produces an output that results in prediction, classification, recommendation, evaluation, or analysis.”²  ONC’s requirements apply to a wide range of predictive tools, including AI-based tools, “supplied by” a health information technology (Health IT) developer as part of its certified Health IT Module—both clinical and non-clinical predictive technology,³  as well as medical device software regulated by FDA.⁴  As a result, certain software as a medical device (SaMD) cleared or approved by FDA will be subject to requirements that may differ from terms of their clearance and approval, existing device Quality System requirements and labeling requirements; sponsors of SaMD subject to this rule will need to assess whether these new requirements create any conflicts with FDA requirements. The application of predictive DSI requirements is not tied to a technology’s level of risk⁵  or the developer of the predictive tool.⁶

Predictive DSI supplied by certified Health IT is subject to certain “intervention risk management” and “source attribute” (i.e., transparency) requirements.⁷  Intervention risk management requirements relate to predictive DSI risk analysis, risk mitigation and governance.⁸  Significantly expanding upon the 14 proposed source attributes, ONC finalized 31 source attributes across nine categories to be made available directly to end users, including those related to intervention details, intervention development, “quantitative measures of intervention performance,” “ongoing maintenance of intervention implementation and use” and “update and continued validation or fairness assessment schedule.”⁹  Additionally, the final rule requires certified Health IT Modules to enable “a limited set of identified users” to modify existing source attributes and create new source attributes.¹⁰

This predictive DSI certification criterion goes into effect January 1, 2025.

Information Blocking

Under the information blocking regulations,¹¹  health IT developers of certified health IT, health information networks (HINs), health information exchanges (HIEs) and health care providers are prohibited from engaging in practices that are likely to interfere with access, exchange or use of electronic health information (EHI), except as required by law or as covered by an exception set forth in regulation.¹²  Enforcement of information blocking regulations against developers, HINs and HIEs, with penalties up to $1 million per violation, began September 1, 2023.¹³  HTI-1 finalized significant changes to the information blocking requirements.

ONC revised and created new information blocking definitions:

• “Offer Health IT.” ONC defined what it means for an individual or entity to “offer health IT,” clarifying when implementations and uses of certified Health IT are considered an offer. Whether an individual or entity offers health IT will determine whether that individual or entity is considered a health IT developer—and therefore a covered actor subject to the information blocking rules.¹⁴
• “Health IT Developer of Certified Health IT.” ONC revised the definition of “health IT developer of certified health IT” to clarify that health care providers who self-develop certified health IT “that is not offered to others” are not health IT developers of certified health IT.¹⁵
• “Information Blocking.” ONC made minor technical changes to the definition of “information blocking,” removing language that applied prior to October 6, 2022.¹⁶

ONC also revised and created new information blocking exceptions, expanding and clarifying the practices that do not constitute information blocking.

Under the Infeasibility Exception, an actor’s practice of not fulfilling a request to access, exchange or use EHI due to the infeasibility of the request is not considered information blocking if: (1) one of several possible “conditions” for infeasibility is met, and (2) the actor provides to the requestor in writing the reason(s) why the request is infeasible within 10 business days of receipt of the request.¹⁷  HTI-1 updated one existing condition and established two new conditions for the Infeasibility Exception to be met:

• Uncontrollable events condition (revised).¹⁸  HTI-1’s revisions to the uncontrollable events condition clarify that an actor’s inability to fulfill the request must be “because of” the uncontrollable event that “in fact negatively impact the actor’s ability to fulfill the request.”
• Third party seeking modification use condition (new).¹⁹  Under the third party seeking modification use condition, an actor’s practice of not fulfilling a request to access, exchange or use EHI meets this new condition of infeasibility if the “request is to enable use of EHI in order to modify EHI provided that the request for such use is not from a health care provider requesting such use from an actor that is its business associate.”
• Manner exception exhausted condition (new).²⁰  HTI-1 created a new condition for infeasibility based on the factors required to meet the existing but renamed Manner Exception²¹  (formerly, Content and Manner Exception).

HTI-1 also created a new stand-alone TEFCA²²  Manner Exception,²³  which applies to certain requests for access, exchange or use of EHI where the actor and requestor are both part of TEFCA and where the requestor is capable of such access, exchange or use of EHI via TEFCA. This new exception does not apply to requests made via application programming interface (API) standards adopted in 45 C.F.R. § 170.215 and is only met when the actor satisfies the Fees Exception²⁴  and Licensing Exception (as applicable).²⁵

These changes to information blocking definitions and exceptions are set to go into effect on February 8, 2024.

Other Updates and Upcoming Rulemaking

In addition to the new predictive DSI requirements and information blocking updates, ONC finalized several other requirements, including:

• Revisions to Certification Program criteria and standards, including adoption of USCDI v3 as the new baseline standard (beginning January 1, 2026).
• Creation of the Insights Condition and Maintenance of Certification within the Certification Program to provide transparent reporting of certified health IT, starting with the adoption of seven measures related to interoperability.

As indicated by the rule’s acronym, ONC intends to follow HTI-1 with HTI-2. Although ONC has not provided a specific timeline as to when the HTI-2 proposed rule will be published, the agency indicated in a January 4, 2024 information session that this rule is under development.

^{1 Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 89 Fed. Reg. 1192 (Jan. 9, 2024) (to be codified at 45 C.F.R. pts. 170, 171) [hereinafter HTI-1].}

^{2 See HTI-1, 89 Fed. Reg. 1426 (to be codified at 45 C.F.R. § 170.102).}

^{3 See HTI-1, 89 Fed. Reg. at 1244.}

^{4 See HTI-1, 89 Fed. Reg. at 1244-45.}

^{5 See HTI-1, 89 Fed. Reg. at 1244, 1247.}

^{6 See HTI-1, 89 Fed. Reg. at 1247-48.}

^{7 HTI-1, 89 Fed. Reg. at 1431-32 (to be codified at 45 C.F.R. §170.315(b)(11)(iv), (vi)).}

^{8 HTI-1, 89 Fed. Reg. at 1431-32 (to be codified at 45 C.F.R. §170.315(b)(11)(vi)).}

^{9 HTI-1, 89 Fed. Reg. at 1267-68 (to be codified at 45 C.F.R. § 170.315(b)(11)(iv)(B)).}

^{10 HTI-1, 89 Fed. Reg. at 1431 (to be codified at 45 C.F.R. §170.315(b)(11)(v)(B)).}  

^{11 45 C.F.R. pt. 171.}

^{12 45 C.F.R. § 171.103.}

^{13 Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,820 (Jul. 3, 2023). Enforcement against providers is on hold pending finalization of a rule proposed by the Centers for Medicare & Medicaid Services (CMS) in November. See 21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking, 88 Fed. Reg. 74,947 (Nov. 1, 2023).}

^{14 HTI-1, 89 Fed. Reg. at 1435-36 (to be codified at 45 C.F.R. § 171.102).}

^{15 HTI-1, 89 Fed. Reg. at 1435 (to be codified at 45 C.F.R. § 171.102).}

^{16 HTI-1, 89 Fed. Reg. at 1436 (to be codified at 45 C.F.R. § 171.103).}

^{17 45 C.F.R. § 171.204.}

^{18 HTI-1, 89 Fed. Reg. at 1436 (to be codified at 45 C.F.R. § 171.204(a)(1)).}

^{19 HTI-1, 89 Fed. Reg. at 1436 (to be codified at 45 C.F.R. § 171.204(a)(3)).}

^{20 HTI-1, 89 Fed. Reg. at 1436-37 (to be codified at 45 C.F.R. § 171.204(a)(4)).}

^{21 45 C.F.R. § 171.301.}

^{22 “TEFCA” is the acronym for the Trusted Exchange Framework and Common Agreement.}

^{23 HTI-1, 89 Fed. Reg. at 1437-38 (to be codified at 45 C.F.R. § 171.403).}

^{24 45 C.F.R. § 171.302.}

^{25 45 C.F.R. § 171.303.}