AHA Comment Letter on HHS HTI-2 (Interoperability) Proposed Rule
October 4, 2024
The Honorable Micky Tripathi, Ph.D.
Assistant Secretary for Technology Policy
National Coordinator for Health Information Technology
Department of Health and Human Services
Mary E. Switzer Building
Mail Stop: 7033A
330 C Street SW
Washington, D.C. 20201
RE: Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (RIN 0955-AA06)
Dear Assistant Secretary Tripathi,
On behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, our clinician partners — including more than 270,000 affiliated physicians, 2 million nurses and other caregivers — and the 43,000 health care leaders who belong to our professional membership groups, the American Hospital Association (AHA) appreciates the opportunity to provide comments to the Assistant Secretary for Technology Policy (ASTP) on the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) proposed rule.
The AHA supports the Assistant Secretary’s efforts to advance interoperability, improve transparency and support electronic access and exchange of electronic health records (EHRs). Thoughtful integration of health information technology (HIT) is crucial to ensure that patients receive the best care possible. HIT can help streamline patient care processes, as well as provide patients and their families with the information they need to take a more informed and proactive role in their health management. These objectives can be realized by promoting clear, consistent and reasonable HIT standards without adding excessive administrative or regulatory demands on health care professionals and health IT innovators.
In summary, we support several provisions including:
- Establishing criteria that align with the Centers for Medicare & Medicaid Services (CMS) application programming interfaces (API) requirements and recommendations.
- Continued development of United States Core Data for Interoperability (USCDI) standards.
- Continued commitment to protecting patient data.
- More robust public health data interoperability.
- The Trusted Exchange Framework and Common Agreement (TEFCA).
- Revising request-response criteria under information blocking exceptions.
However, we are concerned that providers would still be held to a higher accountability standard for data sharing, USCDI version deadlines are too aggressive, new encryption requirements are burdensome, and TEFCA’s current governance structure may be inadequate.
Our detailed comments follow.
Prior Authorization Application Programming Interfaces
The AHA supports the proposal to establish HIT certification criteria that align with the CMS application programming interface (API) requirements and recommendations. This proposal would ensure that the APIs developed to meet the CMS regulations adhere to relevant interoperability standards and support effective information sharing. Importantly, HTI-2 would update certification criteria and standards to facilitate electronic prior authorization using certified HIT. Specifically, ONC proposes adopting two “Prior Authorization APIs” certification criteria, which specify requirements for certified HIT that providers and payers can use to conduct electronic prior authorization. This certified technology would enable streamlined implementation of the CMS final rule, ensuring that patients receive the care they need in a timely manner while lowering administrative costs and reducing complexity for providers and patients. Furthermore, we support the proposal’s alignment with the CMS mandates for Patient Access APIs, as outlined in the CMS Interoperability and Patient Access rule. This alignment is critical because it allows patients to choose the application they want to use to access their health information. However, although we support the Prior Authorization API criteria, the AHA is concerned that they hold providers to a higher level of accountability for data sharing than the voluntary requirements that apply to payers under the CMS final rule. As such, the AHA suggests that the agency work with CMS to better align the CMS requirements applicable to payers with HTI-2, and to make certification mandatory for payers rather than voluntary, so that protecting the privacy of patient data is prioritized.
United States Core Data for Interoperability Version 4
The AHA supports ASTP’s commitment to updating USCDI and acknowledges the impact that standardizing data can have on patient outcomes by ensuring providers have consistent and comprehensive information related to care. Specifically, the AHA appreciates that, in USCDI Version 4 (v4), ASTP continues adding depth to the data elements under the clinical notes category. However, we encourage ASTP to continue building out vocabulary standards for all USCDI v4 elements where those standards are limited or missing, as it did by requiring the use of Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT) for the “Encounter Information” data class. This will ensure that the standard continues to evolve from a collection of narrow data points into a more holistic and complete picture of the patient’s health.
That said, we urge the agency to give providers adequate time to implement new standards and updates. We encourage ASTP to carefully examine the technical lift and additional administrative burden associated with meeting the compliance requirements of USCDI v4, especially as many organizations are still working to meet the requirements of USCDI Version 3 (v3). In this rule, ASTP proposes that USCDI v3 will expire on Dec. 31, 2027, and “that by January 1, 2028, a health IT developer of a Health IT Module certified to certification criteria referencing § 170.213 must update its Health IT Module to USCDI v4 and provide the updated version to their customers to maintain certification of that Health IT Module.” This is an aggressive timeline that puts many smaller hospitals at risk of non-compliance, because the technology vendors commonly used by smaller hospitals have historically struggled to keep up with USCDI updates. As such, the AHA requests that ASTP extend the expiration date of USCDI v3 by an additional year, to Dec. 31, 2028, and consider the ongoing impact of these updates on all stakeholders in the health sector.
Encryption
The AHA appreciates ASTP’s commitment to protecting patient data and understands the possible benefits of end-to-end encryption. In addition, we support the security recommendations in HTI-2 that align with existing HIPAA Security Rule Safeguards and the Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs). However, the requirement to encrypt all electronic health information (EHI) at rest on all servers does not align with either the current HIPAA safeguards or the HPH CPGs.
EHI stored on end-user devices is treated differently than such data on servers because end-user devices pose a significantly different level of risk. Whether virtual or physical, servers operate in physically secure environments behind multiple layers of network security. While requiring encryption of data at rest on servers would add an additional layer of protection, it is unclear that the benefits outweigh the costs and burden on both the developers of certified EHR technology (CEHRT) and all users of CEHRT applications. Currently, the HPH CPGs call for “strong encryption” and enable health care organizations to meet this goal by “Deploy[ing] encryption to maintain confidentiality of sensitive data and integrity of Information Technology (IT) and Operational Technology (OT) traffic in motion” (NIST reference: 800-53 REV 5.1.1; SC-08, and SC-11). Simply put, the HPH CPGs do not call for data to be encrypted “at rest.” Adding BitLocker encryption to Windows servers or open-source encryption tools like cryptsetup to Linux servers, as suggested by the proposed rule, would require significant configuration, cost, testing and potential system downtime, especially since the proposed rule would require this of any server storing EHI, not just EHRs. In hospitals, this can mean dozens of applications running on hundreds of servers that would require the added encryption. We urge ASTP to align the encryption requirements of HTI-2 directly with the current encryption best practices of the HPH CPGs. In lieu of this direct alignment, we ask that ASTP push the effective date of this requirement from Jan. 1, 2026, to Jan. 1, 2028.
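The paragraph above describes the at-rest encryption that the proposed rule would require of every server holding EHI. The following POSIX shell check is an added example, not part of the AHA letter or of the HTI-2 proposed rule: it is the kind of inventory script an operator would run across Linux hosts to confirm whether the storage behind a given mount point is actually a dm-crypt/LUKS volume (as created by cryptsetup). It assumes the util-linux tools findmnt and lsblk, and walks the whole device stack so that an LVM-on-LUKS layout is recognized as encrypted. The sample lsblk output used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the AHA letter or the proposed rule): report
# whether mount points holding EHI sit on encrypted block storage.
# Assumes util-linux (findmnt, lsblk); the device names below are
# illustrative only.

# chain_has_crypt: read the output of `lsblk -slno TYPE <device>` on stdin
# (one layer type per line, from the mounted device down to the physical
# disk, e.g. "lvm", "crypt", "part", "disk") and succeed if any layer is a
# dm-crypt mapping.  Walking the chain matters: with LVM on LUKS the mounted
# device is type "lvm", and only its parent is type "crypt".
chain_has_crypt() {
    while IFS= read -r layer; do
        case "$layer" in
            *crypt*) return 0 ;;   # "crypt" is the only lsblk TYPE containing this word
        esac
    done
    return 1
}

# classify_mount: print "encrypted", "plaintext" or "unknown" for the mount
# containing the given path and return 0 only for "encrypted".  "unknown"
# covers mounts not backed by a local block device (NFS, CIFS, tmpfs), which
# need a separate review.  Queries the live system.
classify_mount() {
    mnt=$1
    src=$(findmnt -no SOURCE --target "$mnt" 2>/dev/null) || { echo unknown; return 1; }
    src=${src%%\[*}              # strip "[/subvol]" suffix from btrfs/bind mounts
    case "$src" in
        /dev/*) ;;
        *) echo unknown; return 1 ;;
    esac
    if lsblk -slno TYPE "$src" 2>/dev/null | chain_has_crypt; then
        echo encrypted
        return 0
    fi
    echo plaintext
    return 1
}

# report_mounts: one line per path, suitable for collection by a
# configuration-management or compliance job.  Returns 1 if any path is
# not on encrypted storage.
report_mounts() {
    rc=0
    for p in "$@"; do
        state=$(classify_mount "$p") || rc=1
        printf '%s\t%s\t%s\n' "$(hostname)" "$p" "$state"
    done
    return $rc
}

# Usage: ./ehi-at-rest-check.sh /var/lib/pgsql /opt/ehr/data /srv/dicom
if [ "$#" -gt 0 ]; then
    report_mounts "$@"
fi
```

On Windows servers the equivalent inventory question is answered by the BitLocker PowerShell module (`Get-BitLockerVolume`, checking `ProtectionStatus` and `VolumeStatus` per volume); the point of either check is the same as the letter's, namely that "encrypted at rest" has to be verified per server and per volume, not assumed from the presence of a product.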
Public Health Interoperability
The AHA agrees with ASTP that for Public Health Agencies (PHAs) to effectively promote and protect the health of all people and their communities, they need public health information exchange with hospitals and health systems as well as other providers, labs, schools and community service organizations. We also agree that PHAs generally lack the necessary access and ability to share the data needed to address public health needs. The AHA appreciates ASTP’s recognition of the complexity, safety issues and added work that arises from the manual processes required by hospitals and health systems to share information with PHAs, and we fully support policies to improve interoperability in support of more effective data exchange with PHAs. However, the AHA questions whether the ONC has the authority to influence how PHAs manage and share EHI.
Trusted Exchange Framework and Common Agreement
The AHA supports the TEFCA objective to create a common national framework that provides a universal technical foundation for interoperability. We broadly support ASTP’s proposed updates to the requirements for Qualified Health Information Networks (QHINs) participating in TEFCA. Specifically, we support the recommendation that any organization aspiring to become a QHIN must adhere to specific privacy and security guidelines, with additional stipulations for those providing Individual Access Services. However, the AHA is concerned about the lack of detail on the suspension and termination processes for QHINs. While we appreciate that there is a process to suspend or terminate QHINs from TEFCA for cause, it is unclear what happens to the hospitals and health systems that relied on that QHIN. The AHA requests that ASTP clarify the rights and obligations of hospitals or health systems that are using a QHIN that is suspended or terminated from TEFCA, to ensure that they remain compliant with interoperability rules and are not liable for information-blocking claims because their QHIN was suspended or terminated. More broadly, we also have concerns about the existing governance structure of TEFCA, which gives QHINs the primary responsibility for ensuring that their participants abide by TEFCA’s requirements. This structure risks quickly exceeding the capacity of both the QHINs and the Recognized Coordinating Entity (the organization responsible for TEFCA’s oversight) to manage it effectively. This is particularly concerning given the anticipated expansion of TEFCA. As such, the AHA recommends that ASTP build more internal capacity to directly oversee and ensure adherence to TEFCA’s stipulations, including at a minimum establishing an attestation schedule for all QHINs. Further, ASTP should publish all “Designation” documentation on its website for public review.
Infeasibility Exception: Responding to Requests Condition
ASTP proposes updating the conditions for responding to requests under the Infeasibility exception. These updates include varying the response times for written replies to the requester, tailored to the specific infeasibility condition cited. Specifically, the agency proposes to commence the 10-day response period at the point when the party confirms, promptly and upon a fair evaluation of the situation, that the requested access, exchange or use of EHI cannot be fulfilled as originally asked, or that fulfilling the request as made is impracticable under the given conditions. The AHA appreciates ASTP’s consideration of the fact “that ten business days may not allow actors sufficient time to engage with requestors and fully evaluate all factors relevant to meeting certain conditions.” The AHA supports revising the request-response criteria and the additional flexibility in calculating the 10-day period. We appreciate ASTP’s recognition that several variables may affect the start of this period, including how requests are received and processed and the circumstances causing the infeasibility. The AHA proposes extending the time for the request-response conditions to a maximum of 30 days and simplifying the language of the “responding to requests conditions” to just “within 30 days of the actor receiving the request” to provide clear and concise guidance on response timeframes.
We appreciate your consideration of these issues. Please contact me if you have questions or feel free to have a member of your team contact Stephen Hughes, AHA’s director for health information technology policy, at stephen.hughes@aha.org.
Sincerely,
/s/
Ashley Thompson
Senior Vice President, Public Policy