ONC Final Rule Adopts New Health IT Certification Requirements

ONC’s HTI-1 Final Rule Adopts New Health IT Certification Requirements

On December 13, 2023, the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule to update ONC Health IT Certification Program requirements and amend the information blocking regulations that ONC issued under the 21st Century Cures Act (Cures Act). The HTI-1 final rule substantially finalizes policies ONC set forth in the HTI-1 proposed rule but does not finalize the controversial proposal on patient-requested restrictions for certain data uses and disclosures (sometimes referred to as data segmentation).

This +Insight discusses the final rule’s updates to select standards, criteria and requirements of the Health IT Certification Program that apply to health IT developers of certified health IT (certified health IT developers), including:

  • Adoption of the United States Core Data for Interoperability (USCDI) Version 3 to replace USCDI Version 1 as the baseline USCDI standard beginning January 1, 2026
  • New requirements for the standardized application programming interface (API) for patient and population services certification criterion, including requirements for issuing refresh tokens and revoking access privileges
  • Implementation of the Cures Act’s EHR Reporting Program provisions to require certain health IT developers to report on interoperability metrics through the new Insights Condition and Maintenance of Certification
  • Requirements for new privacy functionality that enables an internet-based method for a patient to request a restriction on the use and disclosure of their electronic health information (EHI)

We will release a separate publication summarizing the algorithmic transparency framework and the revised decision support interventions certification criterion. We also separately published a summary of the final rule’s information blocking provisions, which includes a discussion of new and expanded exceptions to the information blocking prohibition. Note that the HTI-1 final rule includes other updates and additions to the Health IT Certification Program that are not discussed in this +Insight.

IN DEPTH


DISCONTINUING YEAR-THEMED EDITIONS FOR ONC CERTIFICATION CRITERIA FOR HEALTH IT

One noteworthy structural change to the Health IT Certification Program finalized by HTI-1 is that ONC will no longer maintain an edition naming convention for its health IT certification criteria. Previously, ONC bundled updates to certification criteria into editions and required certified health IT developers to test and certify health IT modules to applicable certification criteria. ONC last released a new edition in 2020, when it updated the 2015 Edition certification criteria with the Cures Update.

Following the HTI-1 final rule, ONC may now update individual certification criteria through notice and comment rulemaking. As a “Condition of Certification,” certified health IT developers must commit to rolling out updated versions of health IT modules that meet ONC’s adopted changes to applicable certification criteria. Failure to do so would result in the certified health IT developer losing its certification for non-updated health IT modules.

Without editions, all certification criteria within the Health IT Certification Program are renamed to “ONC Certification Criteria for Health IT.” ONC believes that maintaining a single set of certification criteria will create more stability for healthcare providers and other users of health IT and Health IT Certification Program stakeholders, such as the Centers for Medicare and Medicaid Services, as well as make it easier for certified health IT developers to maintain product certification over time. Some certified health IT developers noted in their comment letters, however, that edition-less certification could increase the frequency of burdensome certification updates. Certified health IT developers and healthcare providers will need to stay up to date on future ONC rulemakings that update certification criteria and should consider participating in ONC-facilitated public forums to provide input on the development and implementation timeframes for such updates.

KEY REVISED STANDARDS AND CERTIFICATION CRITERIA

USCDI Version 3 Updates

USCDI is the standard for data required to be accessible through certified health IT for numerous certification criteria. In the industry, USCDI is also considered the minimum data set required for interoperability. The data set is updated on an annual cycle with federal agency and industry input. In the HTI-1 final rule, ONC finalized, as proposed, USCDI Version 3 (USCDI v3) as the new baseline standard of data classes and constituent data elements for certified health IT but changed the effective date from January 1, 2025, to January 1, 2026. This change requires health IT modules certified to criteria that reference USCDI to update to USCDI v3 by the new deadline. (See the chart below for certification criteria that reference USCDI.) The USCDI v3 standard incorporates data elements on social determinants of health and on patient demographics (e.g., sexual orientation and gender identity) that were not included in prior USCDI versions. Expanding the data elements and data classes included in the required version of USCDI increases the amount of data available to be used and exchanged for patient care. However, a significant number of the data elements included in USCDI v3 lack a vocabulary standard. Note that ONC has already published USCDI Version 4 and is now reviewing public comments on USCDI Version 5.

Certification Criteria Referencing USCDI

  • § 170.315(b)(1): Transitions of care
  • § 170.315(b)(2): Clinical information reconciliation and incorporation
  • § 170.315(b)(9): Care plan
  • § 170.315(e)(1): View, download, and transmit to 3rd party
  • § 170.315(g)(6): Consolidated CDA creation performance
  • § 170.315(g)(9): Application access—all data request
  • § 170.315(g)(10): Standardized API for patient and population services

Standardized API for Patient and Population Services

The HTI-1 final rule also includes revisions to the standardized API for patient and population services certification criterion aimed at improving the security of patient APIs by requiring quicker expiration of the tokens issued to applications when a patient or provider enters a correct username and password. Specifically, certified health IT modules must ensure that:

  • Their authorization server issues a refresh token according to a new implementation specification
  • For health IT modules that allow short-lived access tokens to expire, such access tokens must be permitted to expire within one hour of the request (instead of immediate revocation)

Additionally, ONC finalized amendments to the API Condition and Maintenance of Certification requirements by specifying that certified health IT developers that have adopted a certified API must meet the publication requirements associated with service base URLs according to a specified format. This change is aimed at making it easier for patient-facing apps to access certified health IT developer APIs through more predictable service base URLs.

ONC also adopted the Substitutable Medical Apps, Reusable Technologies (SMART) App Launch Implementation Guide Release 2.0.0 (SMART v2 Guide), which replaces the SMART Application Launch Framework Implementation Guide Release 1.0.0 (SMART v1 Guide). ONC’s adoption of the SMART v2 Guide impacts the standardized API for patient and population services certification criterion. The SMART v2 Guide includes new features and technical revisions based on industry consensus, including features that reflect security best practices. Beginning January 1, 2026, the SMART v2 Guide will replace the SMART v1 Guide as the only version of the implementation guide available for use in the Certification Program.

Electronic Case Reporting

In the HTI-1 proposed rule, ONC proposed to replace the functional requirements of the existing electronic case reporting certification criterion with industry standards. ONC finalized revisions to the “transmission to public health agencies — electronic case reporting” criterion to require health IT modules to adopt consensus-based, industry-developed standards for electronic case reporting. Specifically, the revised certification criterion requires health IT modules to create a case report for electronic transmission, consume and process a case report response, and consume and process electronic case reporting trigger codes. Previously, the electronic case reporting criterion did not have a named standard associated with these functions. Under HTI-1, certified health IT developers will now need to implement certain HL7 electronic case reporting standards to obtain certification.

Patient-Requested Restrictions

ONC finalized a requirement for health IT modules certified to the “view, download, and transmit to 3rd party” certification criterion to support an internet-based method for a patient to request that a restriction be applied for electronic protected health information contained in the data elements in the required version of USCDI. Health IT modules certified to this criterion must comply by January 1, 2026.

Notably, in the HTI-1 proposed rule, ONC proposed a certification criterion that would have required support for the right of an individual to request restrictions on uses and disclosures of certain electronic protected health information. Many commenters raised concerns about implementation feasibility, patient safety and potential provider burden associated with ONC’s proposal. Based on the feedback received, ONC decided not to finalize the bulk of its proposals for patient-requested restrictions at this time. ONC’s certification criterion does not specify that a patient’s request for a restriction must be accommodated.

Requirement for Certified Health IT Developers to Update Certified Health IT

ONC finalized a requirement for certified developers with technology certified to any of the current certification criteria to update their previously certified health IT modules to meet revised certification criteria. Certified developers must also provide updated health IT to customers using their previously certified health IT according to the dates established for that criterion and any applicable standards.

ASSURANCES CONDITION AND MAINTENANCE OF CERTIFICATION

ONC strengthened the Assurances Condition and Maintenance of Certification requirement to require certified health IT developers to provide an assurance that they will not interfere with a customer’s timely access to interoperable certified health IT. This Condition of Certification also includes two accompanying Maintenance of Certification requirements that require certified health IT developers to:

  • Update a health IT module, once certified to a certification criterion, to all applicable revised certification criteria including the most recently adopted capabilities and standards in the revised certification criterion
  • Provide all health IT modules certified to a revised certification criterion to their customers of such certified health IT, all within timeframes established and specified in the final rule, with a 12-month timeframe for new customers

INSIGHTS CONDITION AND MAINTENANCE OF CERTIFICATION

Section 4002 of the Cures Act required ONC to establish an electronic health record (EHR) reporting program to provide transparent reporting on certified health IT in certain categories, including interoperability, usability and user-centered design, security, and conformance to certification testing. The Cures Act directed ONC to develop reporting criteria for certified health IT developers to submit responses with respect to their certified health IT. The HTI-1 final rule partially implements this Cures Act requirement through the new Insights Condition and Maintenance of Certification (Insights Condition), which requires certified health IT developers to report on certain interoperability metrics with respect to their certified health IT. ONC opted not to use the Cures Act term “EHR reporting program” for this new certification requirement. ONC intends for the Insights Condition’s reporting requirements to:

  • Provide transparency through reporting
  • Address information gaps in the health IT marketplace
  • Provide insights on the use of specific certified health IT functionalities
  • Provide information about the use of certified functionalities by end users

Which Certified Health IT Developers Must Report on the New Measures?

The finalized Insights Condition requires a certified health IT developer to report on a measure if it has each of the following:

  • At least 50 hospital sites or 500 individual clinician users across its certified health IT
  • Any health IT certified to the certification criteria specified in each measure
  • Any users using the certified health IT associated with the measure

Certified health IT developers that do not meet the qualifications above must submit a response (an attestation) to indicate that they do not meet the minimum reporting qualifications for a measure.

What Are the Reporting Measures and When Is Reporting Required?

The HTI-1 final rule adopts seven reporting measures across four topic areas related to interoperability: individuals’ access to EHI, public health information exchange, clinical care information exchange, and standards adoption and conformance. ONC will require implementation of the Insights Condition requirements in three phases over three years.

Insights Condition Reporting Measures and Metrics

Each entry below lists the topic area, the measure, the related certification criteria, and the metrics, grouped by initial data collection year / reporting deadline.

Topic Area: Individual Access to EHI
Measure: Individuals’ Access to Electronic Health Information Through Certified Health IT
Related Certification Criteria:
  • Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10)
  • View, download, and transmit to 3rd party – 45 C.F.R. § 170.315(e)(1)
  • Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10) OR View, download, and transmit to 3rd party – 45 C.F.R. § 170.315(e)(1)
Metrics, Year 1 (data collection January to December 2026 / reporting deadline July 2027):
  • Number of unique individuals who accessed their EHI using technology certified to the “standardized API for patient and population services” certification criterion under § 170.315(g)(10)
  • Number of unique individuals who accessed their EHI using technology certified to the “view, download, and transmit to 3rd party” certification criterion under § 170.315(e)(1)
  • Number of unique individuals who accessed their EHI using any method

Topic Area: Clinical Care Information Exchange
Measure: Consolidated Clinical Document Architecture (C-CDA) Problems, Medications, and Allergies Reconciliation and Incorporation Through Certified Health IT
Related Certification Criteria:
  • Clinical information reconciliation and incorporation – 45 C.F.R. § 170.315(b)(2)
Metrics, Year 2 (data collection January to December 2027 / reporting deadline July 2028):
  • Number of encounters
  • Number of unique patients with an encounter
  • Number of unique patients with an associated C-CDA document
  • Number of total C-CDA documents obtained
  • Number of total C-CDA documents obtained that were pre-processed
  • Number of total C-CDA documents obtained that were not pre-processed
Metrics, Year 3 (data collection January to December 2028 / reporting deadline July 2029):
  • Number of total C-CDA documents obtained that were pre-processed where problems, medications, or allergies and intolerances were reconciled and incorporated via any method
  • Number of total C-CDA documents obtained that were not pre-processed where problems, medications, or allergies and intolerances were reconciled and incorporated via any method
  • Number of total C-CDA documents obtained that were determined to have no new problems, medications, or allergies and intolerances information by pre-processes or fully automated processes

Topic Area: Standards Adoption & Conformance
Measure: Applications Supported Through Certified Health IT
Related Certification Criteria:
  • Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10)
Metrics, Year 1 (data collection January to December 2026 / reporting deadline July 2027):
  • Application name(s)
  • Application developer name(s)
  • Intended purpose(s) of application
  • Intended application user(s)
  • Application status

Topic Area: Standards Adoption & Conformance
Measure: Use of FHIR in Apps Through Certified Health IT
Related Certification Criteria:
  • Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10)
Metrics, Year 1 (data collection January to December 2026 / reporting deadline July 2027):
  • Number of distinct certified health IT deployments (across clients) active at any time during the reporting period, overall and by user type
  • Number of requests made to distinct certified health IT deployments that returned at least one FHIR resource by FHIR resource type
  • Number of distinct certified health IT deployments (across clients) associated with at least one FHIR resource returned overall and by user type
Metrics, Year 2 (data collection January to December 2027 / reporting deadline July 2028):
  • Number of distinct certified health IT deployments (across clients) associated with at least one FHIR resource returned by the US Core Implementation Guide version

Topic Area: Standards Adoption & Conformance
Measure: Use of FHIR Bulk Data Access Through Certified Health IT
Related Certification Criteria:
  • Standardized API for patient and population services – 45 C.F.R. § 170.315(g)(10)
Metrics, Year 2 (data collection January to December 2027 / reporting deadline July 2028):
  • Number of bulk data access requests completed (across clients) to export all data requested for patients within a specified group
  • Number of distinct certified health IT deployments (across clients) that completed at least one bulk data access request

Topic Area: Public Health Information Exchange
Measure: Immunization Administrations Electronically Submitted to Immunization Information Systems Through Certified Health IT
Related Certification Criteria:
  • Transmission to immunization registries – 45 C.F.R. § 170.315(f)(1)
Metrics, Year 1 (data collection January to December 2026 / reporting deadline July 2027):
  • Number of immunizations administered overall
  • Number of immunizations administered that were electronically submitted successfully to Immunization Information Systems (IISs) overall
Metrics, Year 2 (data collection January to December 2027 / reporting deadline July 2028):
  • Number of immunizations administered overall by age category and IIS
  • Number of immunizations administered that were electronically submitted successfully to IISs overall by age category and IIS

Topic Area: Public Health Information Exchange
Measure: Immunization History and Forecasts Through Certified Health IT
Related Certification Criteria:
  • Transmission to immunization registries – 45 C.F.R. § 170.315(f)(1)
Metrics, Year 2 (data collection January to December 2027 / reporting deadline July 2028):
  • Number of immunization queries sent to IISs overall
  • Number of query responses received successfully from IISs overall
Metrics, Year 3 (data collection January to December 2028 / reporting deadline July 2029):
  • Number of immunization queries sent to IISs overall by IIS
  • Number of query responses received successfully from IISs overall by IIS

Certified health IT developers must also provide a percentage of their total customers (e.g., hospital sites and individual clinician users) represented in the data provided for each response. In addition, they must submit documentation on the data sources and the methodology used to generate the data. Responses and submitted documentation will be made publicly available via ONC’s website.

While the finalized reporting measures focus on interoperability, ONC indicated it intends to explore the other Cures Act reporting categories (e.g., security, usability and user-centered design, and conformance to certification testing) in future years. ONC published specification sheets with additional details about the metrics associated with each Insights Condition measure on its website (also linked in the table above).

If you have questions about how the final rule affects your organization, please contact: Kristen O’Brien, Rachel Stauffer, Alya Sulaiman (McDermott Will & Emery–Partner), Scott A. Weinstein (McDermott Will & Emery–Partner), Daniel F. Gottlieb (McDermott Will & Emery–Partner), Karen S. Sealander (McDermott Will & Emery–Counsel), or James A. Cannatti III (McDermott Will & Emery–Partner).