Data Strategy Briefing — December 13, 2023

The Office of the National Coordinator for Health IT (ONC) issued the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule on 13 December 2023. The regulation modernises the ONC Health IT Certification Program to promote trusted decision support, expand FHIR-based interoperability, and reinforce the federal information blocking framework. Certified health IT developers and provider organisations must now orchestrate governance, implementation, and privacy programmes that can deliver the required upgrades while preserving reliable evidence for HIPAA right-of-access requests and other DSAR obligations.

The headline change is the new Insights Condition and Maintenance of Certification, which targets predictive and generative decision support interventions (DSIs). Beginning 31 December 2024, certified developers must provide healthcare organisations with plain-language summaries explaining a DSI’s purpose, training data, limitations, and known risks; publish source attribute metadata describing provenance, performance, and fairness evaluations; and maintain risk management plans that document monitoring, mitigation triggers, and responsible personnel. Annual summary reporting on risk management and real-world performance begins in March 2025. Governance teams at provider organisations should designate algorithm oversight committees that review these artefacts before clinical deployment, compare them against internal responsible-AI policies, and ensure clinicians and patients can access transparency documentation through DSAR channels when they question automated recommendations.

ONC also updated the Decision Support Intervention certification criterion to distinguish between evidence-based and predictive tools. Developers must separate reference information from predictive insights, disclose when outputs rely on machine learning, and enable users to review input data and adjust parameters. Implementation teams should work with clinical leadership to map how DSIs are surfaced in electronic health records (EHRs), confirm audit logs capture user interactions, and integrate these logs with DSAR workflows so patients can request an accounting of how predictive scores influenced their care.

The final rule advances interoperability by updating the Standardized API for Patient and Population Services criterion. Certified technology must support the latest HL7® FHIR® Release 4-based implementation guides, including US Core and SMART App Launch capabilities, publish conformance details, and enable both single-patient and population-level access. Developers must offer demonstrable bulk FHIR export (Flat FHIR) functionality and publish service base URLs, rate limits, and attribution policies. Compliance deadlines align with the annual Real World Testing cycle, with upgraded API capability statements due for review in December 2024 plans and full rollout by 31 December 2025. Provider organisations should update third-party app registration processes, security reviews, and consent management to reflect the expanded API surface. Privacy teams must verify that DSAR fulfilment systems can leverage the new APIs to deliver machine-readable data to patients within HIPAA timelines.

HTI-1 adopts Version 3 of the U.S. Core Data for Interoperability (USCDI v3) as the baseline data set for certified health IT. Developers must deliver updates supporting new data classes—such as health insurance information, device identifiers, laboratory result interpretation, and sexual orientation and gender identity—no later than 1 January 2026. Provider governance teams should oversee data quality initiatives, ensuring that clinical workflows capture the new data elements accurately and that privacy notices explain how sensitive attributes are used. DSAR procedures must be updated to retrieve and, when appropriate, redact these data points when responding to patient requests.

The rule strengthens Real World Testing expectations. Developers must include customer participation plans, success metrics for FHIR API adoption, and corrective action triggers in their 2025 testing plans, due by 15 December 2024. Health systems should negotiate contract clauses that guarantee visibility into testing results, remediation timelines, and data-handling safeguards. When real-world testing uncovers issues that could affect patient access or DSAR fulfilment, governance councils should escalate findings to compliance, privacy, and risk management teams to coordinate remediation and external communications.

HTI-1 revises information blocking provisions to reinforce patient access. The rule clarifies the “Preventing Harm” and “Infeasibility” exceptions, emphasising that actors must document specific facts when withholding electronic health information (EHI) and evaluate less restrictive alternatives before denying access. It also introduces new documentation expectations for the “Content and Manner” exception and aligns the “Manner” hierarchy with TEFCA-based exchange agreements. Provider compliance officers should update policies, staff training, and DSAR templates to reflect these clarifications. Maintaining detailed logs explaining any denial of access will be essential if the HHS Office of Inspector General investigates potential information blocking.

To encourage participation in the Trusted Exchange Framework and Common Agreement (TEFCA), ONC designates exchange through a Qualified Health Information Network (QHIN) as a permitted manner for fulfilling access requests. Developers must describe how their certified APIs support TEFCA connectivity, and providers should evaluate whether joining a QHIN can streamline DSAR fulfilment for multi-organisational records. Governance committees should align TEFCA participation decisions with vendor capabilities, cybersecurity requirements, and contractual obligations to business associates.

Implementation roadmaps will span multiple years. Phase 1, running through mid-2024, should focus on gap assessments, contract reviews, and governance updates—establishing cross-functional working groups that include clinical, IT, compliance, privacy, and patient experience leaders. Phase 2 should concentrate on technology upgrades: scheduling vendor releases, validating API performance, configuring bulk export security, and testing DSI transparency artefact ingestion. Phase 3, stretching into 2025 and 2026, should encompass deployment, training, and assurance—conducting user acceptance testing, updating patient portals, auditing DSAR processing times, and rehearsing response plans for algorithm malfunctions or access complaints.

Throughout implementation, organisations must maintain meticulous documentation. This includes algorithm registries, transparency artefact repositories, FHIR endpoint catalogs, real world testing results, information blocking logs, and DSAR case files. Linking these records within a governance, risk, and compliance (GRC) platform enables boards to monitor progress, regulators to verify compliance, and patients to receive timely answers when they exercise their data rights. By treating HTI-1 as an enterprise-wide governance initiative rather than a narrow IT upgrade, healthcare organisations can enhance trust in AI-enabled care, deliver interoperable records, and demonstrate privacy stewardship in an increasingly data-driven health system.