Dive Brief:
Regulators on Wednesday finalized a scaled-down version of a sweeping rule that aims to boost health data interoperability.
The final regulation is focused on provisions related to the Trusted Exchange Framework and Common Agreement, a governance framework for data exchange. However, the final rule did not include a number of other sections, like first-of-its-kind certification criteria for health IT tools used by public health agencies and payers, that were in the proposed rule.
The scope of the rule and the number of comments made it challenging to finalize the proposed regulation in its entirety quickly, a spokesperson for the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology told Healthcare Dive. But the proposals may be included in later final regulations.
Dive Insight:
The Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability rule, or HTI-2, doesn’t feature a number of provisions included in the proposed rule released this summer, like certification criteria aimed at easing public health data exchange — a major concern during the COVID-19 pandemic.
The final rule also doesn’t include certification standards for payer application programming interfaces, which could speed prior authorization requests, another big issue for providers who say the process takes too much time and can harm patient care.
But those provisions could be featured in later rulemaking, an ASTP/ONC spokesperson told Healthcare Dive.
“We (ASTP) have focused on a specific set of proposals we could finalize and publish in the Federal Register to be responsive to the public comments,” the spokesperson said. “Comments received in response to other proposals from the proposed rule are beyond the scope of this final rule and are still being reviewed and considered for purposes of issuing subsequent final rules, including another potential final rule before the end of this administration.”
The final rule largely focuses on TEFCA, which went live last year and sets technical requirements and exchange policies for companies to pull together clinical information sharing networks across the country.
The framework designates Qualified Health Information Networks that facilitate data sharing between healthcare organizations like providers, payers and healthcare IT vendors. There are currently seven designated QHINs, and Oracle Health said it would apply for the status in late October.
The latest regulation sets provisions that will support reliability, privacy, security and trust in TEFCA, according to the ASTP/ONC.
For example, the rule lays out the requirements for designating QHINs, like requiring networks to be able to exchange data among more than two unaffiliated organizations or being able to keep up transaction volume that meets users’ demands.
Organizations seeking QHIN status will also have to maintain certain privacy and security policies, like having an independent third party conduct an annual security assessment or employing a chief information security officer.
The regulation also implements standards for onboarding QHINs, as well as policies for suspending and terminating networks.
Finally, the rule sets a new TEFCA Manner Exception, which says organizations that only exchange data via TEFCA won’t be considered to be information blocking if they follow certain criteria.
The regulation is set to publish in the Federal Register on Dec. 16, and it will go into effect 30 days later.