Final rules to support interoperability among healthcare stakeholders leave out key proposals

New regulations implemented by the Biden administration in December are designed to ease information-blocking compliance considerations for providers.

Nonetheless, providers may be disappointed that technical provisions related to interoperability did not carry over from a wide-ranging proposed rule to a pair of streamlined final rules.

Most notably, the finalized regulations exclude certification standards for application programming interfaces (APIs) to enhance information exchange among providers, payers, patients and public health stakeholders.

Key elements on hold

As published in August by HHS’s Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC), the proposed version of the rule included various noteworthy provisions. Among them were IT standards to support requirements in a February 2024 CMS rule regarding APIs to enhance the accessibility of health information.

One of the APIs is intended to improve the flow of information between providers and payers during prior authorization processes, while others would ease information exchange from payers to patients, providers and other payers.

A deluge of comments on the technical implications of the new criteria gave ASTP/ONC pause about expeditiously finalizing the provisions. Although the agency says the provisions are on track to be implemented in 2025, that would require either accelerating the regulatory drafting process over the next 18 days or leaving it to the incoming Trump administration. The core provisions in the CMS rule potentially would stay on the books even without the certification standards proposed in the ASTP/ONC rule, however.

Other key aspects of the ASTP/ONC proposed rule that remain in limbo include certification standards for a new real-time prescription benefit tool, along with a progression to version 4 of the U.S. Core Data for Interoperability (USCDI).

In comments on the rule, the American Hospital Association (AHA) supported the API requirements and recommendations, as well as the advancement of the USCDI standards, albeit along a more relaxed timeline than proposed. However, the AHA was concerned that data-sharing standards would be stricter for providers than for payers.

What’s in the new rules

One new final rule clarifies exceptions to information-blocking regulations. The subtext of the clarifications is the Biden administration’s ongoing push to ensure continued access to reproductive healthcare. As such, the Trump administration may look to negate certain provisions or the entire rule.

An existing privacy exception allowing providers to block information at the patient’s request had appeared to conflict with some state laws requiring that the electronic health information (EHI) be made accessible. While the federal government is not in position to override those laws, the new regulatory language establishes that withholding the EHI at the individual’s request won’t be considered information blocking.

In addition, a new exception established in the regulations is meant to protect care access by allowing providers to restrict information sharing in a specific situation: to avoid exposing a patient’s effort to access lawfully provided reproductive healthcare. The exception also applies if the information potentially would relate to any such access.

An exception related to the infeasibility of providing EHI in certain circumstances has been expanded in the new rule. If information that otherwise would need to be provided cannot be segmented from information that may be withheld, all of the EHI may be withheld. An AHA recommendation to extend the 10-day window in which a provider can respond to a request for EHI in those scenarios was not addressed in the finalized regulations.

Changes to TEFCA

In a separate final rule making regulatory updates to the Trusted Exchange Framework and Common Agreement (TEFCA), another information-blocking exception clarifies the circumstances in which limiting EHI exchange to TEFCA-based processes is permissible.

Finalized TEFCA updates also pertain to qualified health information networks (QHINs), including designation criteria and processes related to suspension, termination and administrative appeals. A list of QHINs that have adopted and are capable of trusted exchange as defined by TEFCA regulations will be publicly posted, and QHINs must attest to their adoption of trusted exchange.

In its comments on the proposed rule, the AHA said HHS should better clarify what happens to hospitals and health systems if they use a QHIN that gets suspended or terminated. Among the potential concerns is whether hospitals would then be subject to information-blocking allegations. Another suggestion was to build regulatory capacity to supervise QHIN adherence to TEFCA requirements, rather than leaving QHINs to essentially conduct oversight of participants.

ASTP/ONC did not address those issues, saying they were outside the scope of the narrowly written final rule.

Without delay

The final rule on information-blocking exceptions took effect Dec. 17, the same date of its publication. ASTP/ONC said the 30-day mandatory interval between publication and implementation could be waived because the rule does not impose new requirements but rather offers new options.

“Actors are not under any obligation to alter practices because of this final rule, as the information-blocking exceptions generally, and the specific regulations finalized here, are voluntary,” the rule states.

The TEFCA final rule is set to go into effect Jan. 15.

Previously issued regulations established information-blocking penalties for providers and other stakeholders. For providers, instances in which they knowingly commit such infractions can reduce their annual Medicare payment update.