Data Strategy — Healthcare interoperability

The Office of the National Coordinator for Health IT (ONC) issued the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule on 13 December 2023. The regulation modernizes the ONC Health IT Certification Program to promote trusted decision support, expand FHIR-based interoperability, and reinforce the federal information blocking framework. Certified health IT developers and provider teams must now orchestrate governance, setup, and privacy programs that can deliver the required upgrades while preserving reliable evidence for HIPAA right-of-access requests and other DSAR obligations.

The headline change is the new Insights Condition and Maintenance of Certification, which targets predictive and generative decision support interventions (DSIs). Beginning 31 December 2024, certified developers must provide healthcare teams with plain-language summaries explaining a DSI’s purpose, training data, limitations, and known risks; publish source attribute metadata describing provenance, performance, and fairness evaluations; and maintain risk management plans that document monitoring, mitigation triggers, and responsible personnel. Annual summary reporting on risk management and real-world performance begins in March 2025. Governance teams at provider teams should designate algorithm oversight committees that review these artifacts before clinical deployment, compare them against internal responsible-AI policies, and ensure clinicians and patients can access transparency documentation through DSAR channels when they question automated recommendations.

ONC also updated the Decision Support Intervention certification criterion to distinguish between evidence-based and predictive tools. Developers must separate reference information from predictive insights, disclose when outputs rely on machine learning, and enable users to review input data and adjust parameters. Implementation teams should work with clinical leadership to map how DSIs are surfaced in electronic health records (EHRs), confirm audit logs capture user interactions, and integrate these logs with DSAR workflows so patients can request an accounting of how predictive scores influenced their care.

The final rule advances interoperability by updating the Standardized API for Patient and Population Services criterion. Certified technology must support the latest HL7® FHIR® Release 4-based setup guides, including US Core and SMART App Launch capabilities, publish conformance details, and enable both single-patient and population-level access. Developers must offer demonstrable bulk FHIR export (Flat FHIR) functionality and publish service base URLs, rate limits, and attribution policies. Compliance deadlines align with the annual Real World Testing cycle, with upgraded API capability statements due for review in December 2024 plans and full rollout by 31 December 2025. Provider teams should update third-party app registration processes, security reviews, and consent management to reflect the expanded API surface. Privacy teams must verify that DSAR fulfillment systems can use the new APIs to deliver machine-readable data to patients within HIPAA timelines.

HTI-1 adopts Version 3 of the U.S. Core Data for Interoperability (USCDI v3) as the baseline data set for certified health IT. Developers must deliver updates supporting new data classes—such as health insurance information, device identifiers, laboratory result interpretation, and sexual orientation and gender identity—no later than 1 January 2026. Provider governance teams should oversee data quality initiatives, ensuring that clinical workflows capture the new data elements accurately and that privacy notices explain how sensitive attributes are used. DSAR procedures must be updated to retrieve and, when appropriate, redact these data points when responding to patient requests.

The rule strengthens Real World Testing expectations. Developers must include customer participation plans, success metrics for FHIR API adoption, and corrective action triggers in their 2025 testing plans, due by 15 December 2024. Health systems should negotiate contract clauses that guarantee visibility into testing results, remediation timelines, and data-handling safeguards. When real-world testing uncovers issues that could affect patient access or DSAR fulfillment, governance councils should escalate findings to compliance, privacy, and risk management teams to coordinate remediation and external communications.

HTI-1 revises information blocking provisions to reinforce patient access. The rule clarifies the “Preventing Harm” and “Infeasibility” exceptions, emphasizing that actors must document specific facts when withholding electronic health information (EHI) and evaluate less restrictive alternatives before denying access.

It also introduces new documentation expectations for the “Content and Manner” exception and aligns the “Manner” hierarchy with TEFCA-based exchange agreements. Provider compliance officers should update policies, staff training, and DSAR templates to reflect these clarifications. Maintaining detailed logs explaining any denial of access will be essential if the HHS Office of Inspector General investigates potential information blocking.

To encourage participation in the Trusted Exchange Framework and Common Agreement (TEFCA), ONC designates exchange through a Qualified Health Information Network (QHIN) as a permitted manner for fulfilling access requests. Developers must describe how their certified APIs support TEFCA connectivity, and providers should evaluate whether joining a QHIN can simplify DSAR fulfillment for multi-organizational records. Governance committees should align TEFCA participation decisions with vendor capabilities, cybersecurity requirements, and contractual obligations to business associates.

Implementation roadmaps will span multiple years. Phase 1, running through mid-2024, should focus on gap assessments, contract reviews, and governance updates—establishing cross-functional working groups that include clinical, IT, compliance, privacy, and patient experience leaders.

Phase 2 should concentrate on technology upgrades: scheduling vendor releases, validating API performance, configuring bulk export security, and testing DSI transparency artifact ingestion. Phase 3, stretching into 2025 and 2026, should encompass deployment, training, and assurance—conducting user acceptance testing, updating patient portals, auditing DSAR processing times, and rehearsing response plans for algorithm malfunctions or access complaints.

Throughout setup, teams must maintain meticulous documentation. This includes algorithm registries, transparency artifact repositories, FHIR endpoint catalogs, real world testing results, information blocking logs, and DSAR case files.

Linking these records within a governance, risk, and compliance (GRC) platform enables boards to monitor progress, regulators to verify compliance, and patients to receive timely answers when they exercise their data rights. By treating HTI-1 as an enterprise-wide governance initiative rather than a narrow IT upgrade, healthcare teams can improve trust in AI-enabled care, deliver interoperable records, and show privacy stewardship in an now data-driven health system.

Data Management Implementation

Data management teams should assess how this development affects data collection, processing, storage, and sharing practices. Policy updates should address any new requirements for data handling, consent management, or purpose limitations. Technical setups should align with documented policies and support audit evidence collection demonstrating compliance with data management requirements.

Ongoing monitoring should verify that data processing activities continue to align with documented purposes and comply with applicable requirements as practices evolve.

Adoption timeline

If you are affected, develop setup roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically provide better outcomes than attempting full changes simultaneously. Early wins build momentum and show value to teams.

Progress monitoring should track setup activities against planned timelines and identify potential issues requiring intervention. Regular reporting keeps teams informed and maintains organizational focus on setup priorities.

Working with stakeholders

Effective stakeholder engagement ensures alignment on objectives, expectations, and setup approaches. Communication should be tailored to different audiences, providing appropriate levels of detail for technical and executive teams.

Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.

Long-term improvement

Continuous improvement processes should incorporate lessons learned and feedback from setup experiences. Regular reviews help identify improvement opportunities and ensure approaches remain aligned with evolving requirements.

Documentation of setup activities and outcomes provides evidence of due diligence and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.

You may also find useful

Hand-picked articles on adjacent topics.

Data Strategy · Credibility 73/100 · December 12, 2023

Tefca Fhir Roadmap Release

ONC and the TEFCA Recognized Coordinating Entity published the FHIR Roadmap, setting 2024 pilot milestones and technical deliverables for nationwide exchange.

Data Strategy · Credibility 73/100 · December 12, 2023

Tefca First Qhins Designated

ONC and the TEFCA Recognized Coordinating Entity named the first Qualified Health Information Networks, opening nationwide exchange onboarding for 2024.

Data Strategy · Credibility 73/100 · March 15, 2024

Data Strategy — EU regulation

EU institutions reached a provisional agreement on the European Health Data Space, setting governance for primary and secondary health-data use across Member States.

Data Strategy · Credibility 73/100 · April 24, 2024

Data Strategy — Healthcare interoperability

The European Parliament approved the European Health Data Space, launching final negotiations on secondary-use permits, EHR certification, and cross-border infrastructure build-outs that land in 2025.

Data Strategy · Credibility 86/100 · March 20, 2025

Data Strategy — Healthcare interoperability

European Health Data Space access body deadlines are approaching. Member states need to establish health data access bodies to help secondary use of health data for research. Healthcare data governance in the EU is…

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

December 13, 2023

Coverage pillar

Data Strategy

Source credibility

73/100 — medium confidence

Topics

Healthcare interoperability · United States regulation · Data governance

Sources cited

3 sources (healthit.gov, federalregister.gov, iso.org)

Reading time

6 min

Documentation

1. HTI-1 Final Rule — U.S. Office of the National Coordinator for Health IT
2. Health Data, Technology, and Interoperability: HTI-1 — Federal Register
3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization