
Industry reacts to proposed health IT certification deregulation

ASTP/ONC's draft rulemaking, known as HTI-5, aims to reduce compliance complexities. But some industry experts say seemingly welcome changes do not align with data exchange and security realities.
By Andrea Fox, Senior Editor

The healthcare technology industry supports reducing health IT certification complexities. But some of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology's latest proposed changes – which eliminate 34 requirements and revise seven others – still need tweaking, industry experts say.

The EHR Association spoke with Healthcare IT News recently about some key aspects of the latest health IT certification proposed rulemaking – Health Data, Technology, and Interoperability version 5, or HTI-5 – including reductions to data exchange and security conditions.

For example, "while the Manner Exception Exhausted policy change appears straightforward on paper, it doesn’t align with how information sharing negotiations and technical decisions actually occur," said Leigh Burchell of Altera Digital Health, chair of the EHR Association.

Adding autonomous AI

Updates that modify information blocking rules, such as revising the electronic health information exchange rules, add access by autonomous AI systems to definitions.

"We propose to explicitly codify that access means the ability or means necessary to make EHI available for exchange or use, including by automation technologies such as robotic process automation and autonomous artificial intelligence systems," ASTP/ONC said in the draft notice of proposed rulemaking.

"Similarly, we propose to explicitly codify that 'use' means the ability for EHI, once accessed or exchanged through whatever technological means, to be understood and acted upon, including, without limitation, by automation technologies such as autonomous AI systems and robotic process automation."

Many in the EHR industry have long said a patchwork approach to the general use of AI in healthcare would present a challenge to software developers, so adding autonomous systems to EHI access and use definitions could help to alleviate any burdens posed by state data exchange rules.

Reducing infeasibility claims

Other updates include eliminating nominal participation in the Trusted Exchange Framework and Common Agreement as a justification for information blocking, and updates to the Manner Exception Exhausted condition that aim to address varying interpretations.

"We're proposing to require all three alternative manners in the exception to be offered," Michael Lipinski, ASTP director, said in an information session earlier this month. "And, then eventually, machine-readable format."

Members of the Information Blocking Compliance Task Force at the EHR Association were able to clarify some of the changes and offer insights.

"Today, actors can rely on the Manner Exception Exhausted pathway if they cannot reach an agreement on fulfilling an information-sharing request in the original manner and in one of two alternative manners," Burchell explained Monday by email.

"HTI-5 proposes tightening this standard by requiring actors to offer all three prescribed 'manner' categories before claiming infeasibility," she said. "ASTP/ONC’s rationale for the proposed change appears to be based on concern about actors’ misinterpretation or misuse of the current flexibility when responding to requestors.

"The three 'manner' buckets – certified functionality, standards-based exchange and machine-readable exports – often overlap in practice," she said.

"In real-world integration discussions, vendors typically present all viable options at once to avoid delays, especially given the tight Infeasibility Exception timelines.

"The ASTP/ONC requirement to walk through the options sequentially and in a prescribed order does not reflect how technical teams or requesters practically evaluate interoperability pathways, thus risking adding bureaucratic burden to an already administratively-heavy process," said Burchell.

However, the proposed changes may also fail to consider the operational burdens they would create.

"The burden is potentially extensive, based on our member companies' experience to date in complying with ASTP/ONC regulations, and we will work over the next several weeks to determine how we can most effectively ensure the agency understands the real impact of the proposed changes," she added.

Confusing security compliance

Proposed privacy and security changes may also pose regulatory challenges for providers.

According to Kate Tipping, deputy director of the ONC Regulatory and Policy Affairs Division, the agency is proposing to remove all the privacy and security certification criteria and the associated privacy and security certification framework.

"We include an alternative proposal where we would retain the certification criteria related to audits, because they may serve to help identify fraud and abuse," she said during the information session.

However, some of the measures taken to streamline health IT certification would not change obligations under other regulatory frameworks, according to EHRA's Privacy & Security Workgroup.

ASTP/ONC included several of the organization's suggested revisions proposed in responses to RFIs last year, said Burchell.

"The proposed elimination of the 170.315(d) criteria within the health IT certification program could serve to address long-standing industry challenges, including those specific to mapping expectations to EHR functionality and the associated testing and administrative burdens, including some specific to privacy and security requirements.

"While the proposal could remove criteria and free up resources that more directly support providers and patients," removal of the 170.315(d) criterion would not change the obligations of health IT developers or providers under the current or proposed HIPAA Security Rules.

"However, ASTP/ONC proposals to integrate security expectations into functional criteria is promising," she said. "Privacy and security remain paramount issues that are a priority for our member companies.

"The EHR Association supports an approach that simplifies certification now and urges ASTP/ONC to take additional action to provide clear proposals for modernized security requirements, ensuring the industry has the opportunity to weigh in before they are finalized," she added.

"New market entrants will also need to understand the privacy and security demands of their healthcare covered entity clients, even if certification criteria are removed," said Burchell.

Comments on HTI-5 are due Feb. 27.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.