The Office of the National Coordinator for Health Information Technology released a sweeping proposed rule Tuesday that includes plans to improve data sharing with public health authorities — a major challenge during the COVID-19 pandemic.
The proposal, called the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability rule, or HTI-2, builds on the agency's long-term work to improve interoperability and information sharing between providers, payers and the public health ecosystem, said ONC head Micky Tripathi during a press conference Wednesday.
The rule comes months after the agency finalized the HTI-1 rule, another extensive regulation aimed at boosting interoperability. The latest proposal includes first-of-their-kind criteria for software used by public health agencies and payers to be certified by the ONC. The ONC Health IT Certification Program is a voluntary program that outlines standards and functionality for health IT.
“It doesn’t make sense for us to have silos separating public health information from provider and clinical information from payer information. We need more of a holistic perspective,” Tripathi said.
Easing public health data exchange
The proposed rule would update and add certification criteria designed for public health data exchange, like immunization information, electronic lab and case reporting, birth information and prescription drug monitoring.
Those certification requirements would help public health authorities more easily share and analyze data, including across state borders without using cumbersome methods like phone calls or faxes, Tripathi said.
“We saw during the pandemic that one of the pain points that we had in our public health infrastructure was the inability for our public health systems to be able to communicate with each other,” he said. “[...] And in many cases, those systems fell down at the most dire time of need.”
The proposal would also update the United States Core Data for Interoperability standard, a baseline set of data elements that can be exchanged between health IT systems, by 2028. The updated version would include new data elements aimed at improving public health and decreasing health inequities, according to ONC.
Those classes include updates like healthcare facility information, allergy and intolerance information and more specific lab data, which can be key for public health, said Beth Myers, deputy director at the office of policy in the ONC, at the press conference.
Lessening prior authorization burden
The proposal also includes certification criteria for health technology used by payers, including plans to make prior authorization — when providers need approval from a patient’s insurer before offering a service — less burdensome.
This section of the proposed rule aims to complement and advance a rule finalized by the CMS earlier this year that set time limits for urgent prior authorization requests and required payers to standardize their application programming interfaces, Tripathi said.
The ONC is proposing setting certification requirements for payers’ APIs, including a standard aimed at speeding prior authorization requests. Providers say the prior authorization process is time-consuming and delays needed care for patients.
“A huge bulk of the transaction issues for prior [authorization] can be addressed by leveraging this API,” Myers said. “It really helps to take complex scenarios and make them more simplified in a way that will actually address a big bulk of that and make them more instantaneous.”
The proposed rule also includes certification requirements that aim to lessen patient burden when accessing imaging results and real-time benefits checks. Those provisions could prevent patients needing to share imaging results via CD or being surprised with an unexpected co-pay when going to pick up a prescription, Tripathi said.
Exceptions to information blocking for reproductive healthcare
The ONC is also looking to implement an exception to prohibitions on information blocking for reproductive healthcare, a growing concern as states enact abortion restrictions in the wake of the Dobbs Supreme Court decision.
The number of people traveling out-of-state to access abortion care doubled in the first six months last year compared with 2020, according to the Guttmacher Institute, a research group that supports abortion rights. Some states that restrict the procedure have made efforts that could impose penalties on people who travel to jurisdictions where abortion is more available.
Under the rule, providers wouldn’t need to share data when there are concerns that disseminating the information could expose patients, providers or others that helped them to legal risk when patients received lawful reproductive healthcare, Tripathi said.
Boosting cybersecurity in EHRs
The ONC’s proposal also includes new cybersecurity requirements for certified electronic health records, as the risk of cyberattack becomes a significant challenge for the healthcare sector.
The industry has faced major incidents this year — including the long outage at UnitedHealth-owned technology firm Change Healthcare and the attack on large nonprofit health system Ascension.
The rule would require that certified EHRs support multifactor authentication, which requires a second method to verify a user’s identity beyond a password.
Multifactor authentication is a key cybersecurity practice, but it can falls through the cracks. An attacker used compromised credentials to access a portal at Change that didn’t have multifactor authentication turned on.
EHR data would need to be encrypted on the server side and not just on end-user devices, like laptops or mobile devices. Authentication credentials, like usernames and passwords, would also need to be encrypted.
“We want to make sure that there are no weak links, and that we’re doing everything we can to firm up and harden those different components,” Tripathi said.