21st Century Cures Act:Interoperability, Information Blocking,and the ONC Health IT CertificationProgram Final RuleOverviewPresented to the Health InformationTechnology Advisory CommitteeMarch 18, 2020

2Please Note: The materials contained in this presentation are based on the provisions containedin 45 C.F.R. Parts 170 and 171. While every effort has been made to ensure theaccuracy of this restatement of those provisions, this presentation is not a legaldocument. The official program requirements are contained in the relevant laws andregulations. Please note that other Federal, state and local laws may also apply. This communication is produced and disseminated at U.S. taxpayer expense.

Overview & 2015 EditionCures UpdatesElise Sweeney Anthony,Executive Director,Office of Policy, ONCBeth Myers,Deputy Director,Office of Policy, ONC

4Purpose of the Final Rule Patients: Right of Access to their Chart, Supporting Patient Privacy andSecurity, the Ability to Shop for Care and Avoid Bankruptcy Doctors and Hospitals: Making Patient’s Chart Data Requests Easy andInexpensive, Allowing Choice of Software, Implementation Patients, Doctors, and Hospitals: Improving Patient Safety Health IT Developers: Minimizing API Development and Maintenance Costs,Protecting Intellectual Property American Public: Maximizing Innovation, Transparency in Health Care

5Information Blocking – Path to the 21st Century Cures ActIn a 2015 report to Congress,ONC provided a definition ofinformation blocking, ananalysis of the extent to whichthe practice exists in theindustry, and recommendationsto address the issue.ONC continued to engagewith stakeholders andprovided ongoing technicalassistance to Congress.In December 2016, the 21stCentury Cures Act was signedinto law. It included a definitionof information blocking andprovisions for addressinginformation blocking.

6Information Blocking – Path to the Final RuleFollowing theenactment of theCures Act, ONCcontinuously metwith stakeholders.ONC listened toand reviewedcomplaints ofinformationblocking.ONC consultedwith federalagencies, includingthe HHS OIG,HHS OCR, andthe Federal TradeCommission.After release of theONC proposed ruleon March 4, 2019,ONC received over2,000 commentsubmissions. ONCmet with stakeholdersand consulted withfederal agencies.ONC’s final rulereleased onMarch 9, 2020.

7Updates to the 2015 Edition Certification CriteriaTime-Limited and Removed Criteria Drug formulary/Drug List ChecksPatient-Specific EducationSecure MessagingProblem List, Medication List, Med Allergy ListSmoking StatusRevised Criteria Interoperability criteria (C-CDA, VDT, etc.) Updated with USCDI Updated with C-CDA Companion Guide ASTM criteria Common Clinical Data Set summary record –create & receive criteria (replaced with USCDI) API (replaced with Standardized API criterion) Data Export (replaced with EHI export criterion) Security tags send & receive criteria Electronic Prescribing (aligned with CMS) CQM – report criterion (aligned with CMS)New Criteria Electronic Health Information (EHI) export Standardized API for patient and population services Privacy and Security Attestation Criteria

8Revised: United States Core Data forInteroperability StandardThe United States Core Data for Interoperability (USCDI) standard willreplace the Common Clinical Data Set (CCDS) definition 24 months afterpublication of this final rule.USCDI includes the following new required dataclasses and data elements:ProvenanceClinicalNotesPediatricVital SignsHealth IT developers need to update their certified health IT to support theUSCDI for all certification criteria affected by this change within 24 months afterthe publication of the final rule.USCDI Standard Annual Update ScheduleONC will establish and follow a predictable, transparent, and collaborative processto expand the USCDI, including providing stakeholders with the opportunity tocomment on the USCDI’s expansion.Address, Email &Phone Number

Conditions and Maintenanceof CertificationAvinash Shanbhag,Acting Executive Director,Office of Technology, ONCRobert Anthony,Director Certification &Testing ONCMichael Lipinski,Director Division ofFederal Policy &Regulatory Affairs, ONC

10AgendaConditions and Maintenance of Certification Information Blocking Assurances Communications Application Programming Interfaces (APIs) Real World Testing Attestations (Future) EHR Reporting Criteria Submission

11Conditions and Maintenance of CertificationThe 21st Century Cures Act (Section 4002) requiresthe Secretary of HHS to establish Conditions andMaintenance of Certification requirements for theONC Health IT Certification ProgramThere are seven Conditions of Certificationwith accompanying Maintenance ofCertification Requirements. They are:The Conditions and Maintenance of Certificationexpress initial requirements and ongoingrequirements for health IT developers andtheir certified Health IT Module(s).1. Information BlockingAny noncompliance with the proposed Conditionsand Maintenance of Certification requirementswould be subject to ONC direct review, correctiveaction, and enforcement procedures under theONC Health IT Certification Program.5. Real World Testing2. Assurances3. Communications4. Application Programming Interfaces (APIs)6. Attestations7. (Future) Electronic Health Record (EHR)Reporting Criteria Submission

12Information Blocking - § 170.401CONDITIONS OF CERTIFICATIONA health IT developer may not take anyactions that constitutes “informationblocking” as defined in section 3022(a)of the Public Health Service Act (PHSA)and § 171.103MAINTENANCE OF CERTIFICATIONNo accompanying Maintenance ofCertification requirements beyondongoing compliance with the Conditionvs. "Actors" regulated by theinformation blocking provision: Health Care Providers Health IT Developersof Certified Health IT Health Information Exchanges Health Information Networks

13Assurances - § 170.402CONDITIONS OF CERTIFICATIONA health IT developer must:1.2.Provide assurances that it will not take anyaction that constitutes information blocking,or any other action that may inhibit theappropriate exchange, access, and use ofelectronic health information3. Not take any action to interfere with a user’s abilityto access or use certified capabilitiesEnsure full compliance and unrestrictedimplementation of certification criteriacapabilities5. Certify a health IT product which electronically storesclinical information to the § §170.315(b)(10) criteria4. Disclose and attest whether a health IT productpresented for certification stores clinical informationMAINTENANCE OF CERTIFICATION For a period of 10 years beginning from thedate of certification, retain all records andinformation necessary that demonstrate initialand ongoing compliance with the requirementsof the ONC Health IT Certification Program Certify to the criterion in § 170.315(b)(10) within36 months of the final rule’s publication date, ifa health IT product electronically storesinformation

14Electronic Health Information (EHI)Export CriterionIn response to comments onthis criterion and for theproposed information blockingpolicies, we have adopted afocused definition of EHI.We also defined the scope of datathat needs to be exported to EHI,as defined, that can be stored atthe time of certification by theproduct, of which the Health ITModule is a part.General RequirementsA certified Health IT Module must include exportcapabilities for:a) a single patient EHI export to support patientaccess andb) patient population EHI export to supporttransitions between health IT systemsThe export file(s) created must:a) be electronic and in a computable format, andb) the publicly accessible hyperlink of the export’sformat must be included with the exported file(s).Note: Health IT developers have the flexibility todetermine their products' standard format for thepurpose of representing the exported EHI

15Communications - § 170.403CONDITIONS OF CERTIFICATIONA health IT developer may not prohibit or restrict communicationregarding the following subjects for certified Health IT Modules:1. The usability of its health IT2. The interoperability of its health IT3. The security of the health IT4. Relevant information regarding user’s experiences when using its health IT5. The business practices of developers of health IT related to exchanging EHI;6. The manner in which a user of the health IT has used such technology

Conditions and Maintenanceof CertificationAvinash Shanbhag,Acting Executive Director,Office of Technology, ONCRobert Anthony,Director Certification &Testing ONCMichael Lipinski,Director Division ofFederal Policy &Regulatory Affairs, ONC

17Communications - § 170.403UNQUALIFIED PROTECTION FOR CERTAIN COMMUNICATIONS Making a disclosure required by law; Communicating information about adverse events, hazards, and otherunsafe conditions to government agencies, health care accreditationorganizations, and patient safety organizations; Communicating information about cybersecurity threats and incidents togovernment agencies; Communicating information about information blocking and other unlawfulpractices to government agencies; or Communicating information about a health IT developer’s failure to complywith a Condition of Certification requirement, or with any other requirementof this part, to ONC or an ONC-ACB.

18Communications - § 170.403PERMITTED PROHIBITIONS AND RESTRICTIONS Developer employees and contractors Non-user-facing aspects of health IT Intellectual property, provided that— No broader than necessary to protect the developer’s legitimateintellectual property interests consistent with the permittedprohibitions and restrictions. It does not restrict or preclude a public display of a portion of a worksubject to copyright protection (without regard to whether thecopyright is registered) that would reasonably constitute a “fair use”of that work.

19Communications - § 170.403PERMITTED PROHIBITIONS AND RESTRICTIONS (cont.) Screenshots and videoA health IT developer may require persons who communicate screenshots or video to — Not alter the screenshots or video, except to annotate the screenshots or video orresize the screenshots or video; Limit the sharing of screenshots to the relevant number of screenshots needed tocommunicate about the health IT Limit the sharing of video to: The relevant amount of video needed to communicate about the health IT; and Only videos that address temporal matters that cannot be communicated throughscreenshots or other forms of communication Pre-market testing and development.

20Communications - § 170.403MAINTENANCE OF CERTIFICATION Notify all customers annually starting in 2020 that any communication orcontract/agreement provision that violates the Communication Condition ofCertification will not be enforced by the health IT developer Notify all customers annually up to an until the health IT developer amendsthe contract or agreement to remove or void any contractual provisions thatviolate the Condition of Certification

21Application Programming Interfaces (APIs)- § 170.404ONC has established API Conditions ofCertification to address the use of certifiedAPI technology and the healthcareecosystem in which certified API technologywill be deployed, including health ITdevelopers’ business practice.Key DefinitionsCertified API TechnologyCapabilities of health IT that fulfillany of the API-focused certificationcriteria adopted in the ruleCertified API DeveloperHealth IT developer that creates the“certified API technology”SCOPE OF ELECTRONIC HEALTH INFORMATIONThe scope of patients’ electronic health informationthat must be accessible via certified API technologyis limited to the data specified in the United StatesCore Data for Interoperability standard (USCDI).API Information SourceOrganization that deploys certifiedAPI technologyAPI UserPersons and entities that create or usesoftware applications that interact with “certifiedAPI technology”

22Application Programming Interfaces - § 170.404API Conditionsof CertificationAPI Conditions of CertificationApplies to actions and behaviors of certifiedhealth IT developers related to the use of theirCertified API TechnologyAPI Certification Criteria Certified API criteria (§ 170.315(g)(7) through (10)) Scope of EHI limited to United States Core Data forInteroperability (USCDI)APICertificationCriteria Includes new 2015 Edition Secure, Standards BasedAPI criteria ((§ 170.315(g)(10)) “read-only” focus HL7 FHIR Release 4.0.1 as base standard Support for single patient and population services

23API Conditions of Certification –High Level OverviewTransparencyThis condition clarifies the publication requirements on certified APIdevelopers for their business and technical documentation necessary tointeract with their certified API technology.FeesThis condition sets criteria for allowable fees, and boundaries for the feescertified API developers would be permitted to charge for the use of thecertified API technology, and to whom those fees could be charged.Openness and Pro-CompetitiveThese conditions set business requirements that certified API developerswill have to comply with for their certified API technology to promote anopen and competitive marketplace.

24API Maintenance of CertificationThe API maintenance of certification requirements address ongoing requirements thatmust be met by certified API developers and their certified API technologyRequirements for Certified API developer related to use of certified API technologyadopted in § 170.315(g)(10)Authenticity VerificationA Certified API Developer is permitted to institute a process to verify the authenticityof API Users so long as such process is objective and the same for all API Users andcompleted within ten business days.Application RegistrationA Certified API Developer must register and enable all applications for production usewith