January 22, 2024

ONC Final Rule on Health Data, Technology, and Interoperability Focuses on AI and Algorithm Transparency

Advisory

On January 9, 2024, the Office of the National Coordinator for Health Information Technology (ONC), part of the Department of Health and Human Services (HHS), published in the Federal Register its final rule titled Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (the Final Rule).1 The Final Rule, a proposed version of which was published for comment in April 2023,2 is designed to enhance the access, exchange, and use of electronic health information, while also advancing equity, innovation, and interoperability in health information technology (HIT).3 The Final Rule imposes significant new transparency and risk management requirements for the use of artificial intelligence (AI) and algorithms used in certified health information technology.

Background

ONC is responsible for administering the ONC Health IT Certification Program (the Program), which provides certification criteria for health IT developers and their health IT modules.4 In 2010, the Program established certification criteria for clinical decision support (CDS) within health IT modules.5 CDS encompasses a variety of tools to enhance decision-making in the clinical workflow, including computerized alerts, relevant clinical guidelines, and drug-disease interaction checks. In 2012, ONC began requiring health IT modules to (1) support evidence-based CDS grounded on a defined set of data elements, (2) support CDS configuration for both inpatient and ambulatory settings, and (3) display source attribute or bibliographic citation of CDS.6

In the past decade, health IT modules have played an increasingly significant part in healthcare across various clinical settings, but the use of AI in healthcare has gone largely unregulated. In late 2022 and early 2023, the Biden administration published three guidance documents outlining principles to prevent discriminatory algorithmic decision-making and advance accountable AI systems.7 In October 2023, the Biden administration directed HHS to prepare a strategy for the responsible deployment and use of AI in healthcare, which led to the present rulemaking.8

Decision Support Interventions and Predictive Models

Decision Support Interventions

The Final Rule replaces the Program’s CDS criterion with a new certification criterion, “decision support interventions” (DSIs), which is designed to ensure that health IT modules “reflect an array of contemporary functionalities, support data elements important to health equity, and enable the transparent use of predictive models and algorithms to aid decision-making in healthcare.”9 As discussed below, the Final Rule differentiates between “evidence-based DSIs” and “predictive DSIs” and imposes different transparency requirements on each.

Evidence-Based DSI

Evidence-based DSIs are non-predictive interventions actively presented to users in clinical workflow to enhance, inform, or influence decision-making related to the care a patient receives.10 Evidence-based DSIs rely on pre-defined rules based on expert consensus rather than empirical data to support decision-making, such as the SOFA Index and NYHA Heart Failure classification.11 The new requirements for evidence-based DSIs generally track evidentiary requirements that were part of the CDS criterion.12

Predictive DSI

Predictive DSI is defined as “technology that supports decision-making based on algorithms or models that derive relationships from training data and then produce an output that results in prediction, classification, recommendation, evaluation, or analysis.”13 Predictive DSIs “learn[] or deriv[e] relationships to produce an output.”14

Predictive DSIs may include techniques such as algebraic equations, machine learning, and natural language processing.15 Some of these tools might be used to predict, for example, whether a given image contains a malignant tumor or whether a given patient is at risk for sepsis.16 Large language models and other forms of generative AI also will likely be classified as Predictive DSIs, to the extent they are supplied by developers of certified health IT and are used to support decision-making.17

Source Attributes

The Final Rule requires health IT developers to produce an expanded set of information, or “source attributes,” related to both evidence-based DSIs and Predictive DSIs. “Source attributes” are categories of technical performance and underlying quality information used to create both evidence-based and Predictive DSIs.18 The new requirements aim to reduce uncertainty, enhance market transparency, and establish consistency in information availability.19

Requirements for DSIs

Under the Final Rule, evidence-based DSIs must now support 13 source attributes, including the developer and funding source of the intervention, as well as the intervention’s use of patient demographics data and social determinants of health data.20 The Final Rule imposes more expansive transparency requirements on Predictive DSIs, which must support 31 source attributes. Among other requirements, developers of Predictive DSIs must produce information about the intervention’s training data set, external validation process, and quantitative measures of performance, as well as the process used to ensure fairness and eliminate bias in the development of the intervention.21

The Final Rule also establishes capabilities that health IT modules must support related to source attributes.22 First, the module must provide plain language descriptions of all required source attributes.23 Second, for Predictive DSIs, the module must indicate when information is not available for review for certain source attributes. If and when information related to these source attributes is generated, the developer of certified health IT must make this information available to users.24 Finally, the module must enable a limited set of identified users to record, change, and access the required source attributes.25

Starting on January 1, 2025, and on an ongoing basis thereafter, developers of health IT modules certified to § 170.315(b)(11) must review and update, as necessary, required source attribute information, as well as risk management practices described in § 170.315(b)(11)(vi) and summary information provided through § 170.523(f)(1)(xxi).26

Coordination With the Food and Drug Administration

Whether DSIs enabled by or interfaced with certified health IT are subject to FDA regulation is separate and distinct from the question of whether a developer or a particular technology is subject to regulatory oversight by ONC’s Program.27 In finalizing the rule, ONC declined to exclude from the definition for Predictive DSI software that are FDA-regulated medical devices or to exclude third-party software that qualify as non-device software functions per the statutory exemption for certain CDS software functions.28 Thus, technologies that meet the definition for Predictive DSI within the Program may be considered non-device CDS, be considered CDS with device software functions, or lie outside of FDA’s purview, depending on the specifics of the technology.29 As explained by ONC, FDA and ONC have separate and distinct authorities and regulate for separate and distinct purposes with separate and distinct policy objectives.

Although FDA-regulated CDS are not exempt from the Final Rule, ONC worked with the FDA to minimize duplication of effort and maximize alignment across the distinct and different authorities. For example, ONC coordinated with FDA to ensure source attributes are complementary and not conflicting with the information FDA describes in its September 2022 CDS software guidance.30 For CDS software that are medical devices and the focus of FDA oversight, the requirements of the Final Rule are consistent with best practices and recommendations provided by the FDA.31

This consistency across agencies could reduce burdens on developers who may be responsible for meeting both FDA and ONC requirements for three reasons.32 First, an entity that develops device software that also meets the definition of Predictive DSI would be able to fulfill informational requirements for both FDA and ONC purposes using the same or similar information. Second, such software may be eligible to be considered non-device CDS according to FDA guidance if the software developer fulfills informational requirements pursuant to the Program. Finally, burdens will be reduced across entities regulated by FDA and ONC because an entity that develops device software that also meets the definition of a Predictive DSI could leverage Program requirements to enable users to select Predictive DSIs and access source attribute information. These capabilities could serve as the technical means to deliver information to users about the credibility of the device software function that is necessary for “independent review,” without having to build a parallel technological means to deliver such information.33 However, a determination regarding the information necessary for independent review will continue to lie with the FDA.34

Intervention Risk Management

The Final Rule mandates that health IT developers apply intervention risk management (IRM) for each Predictive DSI included in their health IT module.35 Health IT developers will need to analyze potential risks and adverse impacts by considering the DSI’s validity, reliability, robustness, fairness, intelligibility, safety, security, and privacy,36 and implement practices to mitigate those risks. Developers must also submit summary information of IRM practices through a publicly accessible hyperlink that allows any person to access the summary information directly.37

Implications

In addition to imposing detailed new requirements on HIT developers, the Final Rule makes significant changes to access and support for source attributes, transparency of predictive DSIs, and intervention risk management practices. The Final Rule focuses significantly on enhancing the trustworthiness, transparency, racial equity, and innovation of DSIs to ensure high-quality decisions that improve and support patient care. ONC believes these requirements will help to address disparities and bias that may be propagated through DSIs, as well as to establish consistency in information availability, improve overall data stewardship, and guide the appropriate use of data derived from health information about individuals.38 ONC also believes the increased transparency the Final Rule requires will allow users to make better informed decisions about whether and how to use emerging software.39

By taking advantage of the new transparency requirements, users of Predictive DSIs can become smart shoppers in a rapidly evolving health IT landscape. Going forward, health IT developers and those interested in developing or collaborating on DSIs will be required to make significant investments and updates in current and future systems and technology to meet the Final Rule’s DSI requirements. Life sciences companies, labs, pharmacies, and others with financial interests in DSIs should also be aware of ONC’s acknowledgement that financial arrangements with DSI developers could implicate the Anti-Kickback Statute and that ONC is focused on increased transparency around such arrangements to mitigate the risk of bias or potential patient harm.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 89 Fed. Reg. 1192 (Jan. 9, 2024).

  2. Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 88 Fed. Reg. 23917 (Apr. 18, 2023) (proposed rule).

  3. 89 Fed. Reg. at 1193.

  4. Id. A Health IT Module is any service, component, or combination thereof that can meet the requirements of at least one ONC certification criterion, such as Electronic Health Record (EHR) software. See 45 C.F.R. § 170.102.

  5. Id. at 1202.

  6. Id. at 1231. ONC finalized its updated CDS criterion in 2015. See 45 C.F.R. § 170.315(a)(9).

  7. See White House, Principles for Enhancing Competition and Tech Platform Accountability, Sept. 8, 2022; White House, Blueprint for an AI Bill of Rights (Oct. 4, 2022); E.O. 14091, 88 FR 10825-10833.

  8. E.O. 14110, 88 FR 75191.

  9. 89 Fed. Reg. at 1196.

  10. Id. at 1240.

  11. Id. at 1246.

  12. Id. at 1239.

  13. Id. at 1244; see also 88 Fed. Reg. 23917, 23788 (proposing a broad interpretation of “intended to support decision-making”).

  14. 89 Fed. Reg. at 1243.

  15. Id.

  16. Id. at 1245-46.

  17. Id. at 1246.

  18. Id. at 1196-97.

  19. Id. at 1233-34.

  20. Id. at 1431.

  21. Id.

  22. Id. at 1256.

  23. Id.

  24. Id. at 1256-57.

  25. Id. at 1257.

  26. Id. at 1254.

  27. Id. at 1245.

  28. Id.

  29. Id. at 1262.

  30. Id.

  31. Id. at 1263.

  32. Id.

  33. Id.

  34. Id.

  35. Id. at 1272.

  36. Id. at 1274.

  37. Id.

  38. Id. at 1234.

  39. Id. at 1233.