ONC Proposes Sweeping Health IT Certification Program Requirements for “Predictive Decision Support Interventions”—Featuring FDA-Like Standards
On April 18, 2023, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published a far-reaching proposed rule, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (Proposed Rule HTI-1).1 The proposed updates to the ONC Health IT Certification Program and the Information Blocking Rule include sweeping requirements related to algorithm transparency and risk management for “predictive decision support interventions” (predictive DSI), such as artificial intelligence (AI)-based predictive decision support tools. Notably, this proposal would establish criteria for predictive DSI that are similar to U.S. Food and Drug Administration (FDA) requirements applicable to medical devices. These expansive requirements for the ONC Health IT Certification Program seemingly would extend to device and non-device predictive clinical decision support (CDS) as well as to nonclinical predictive decision support software.
Background
The ONC Health IT Certification Program (Certification Program) certifies health information technology (Health IT), including electronic health records (EHRs), to specific standards, implementation specifications and certification criteria.2 The use of certified Health IT by health care providers is required for participation in a number of government and nongovernment programs,3 and the vast majority of hospitals and office-based physicians have adopted certified EHRs.4 Other providers, such as stand-alone specialty clinics, clinical laboratories, and pharmacies, as well as insurers, may also use certified Health IT. The proposed predictive DSI criterion would affect developers of certified Health IT, third-party developers of software (such as AI-based tools) that may be enabled by or interfaced with certified Health IT, and certified Health IT users. ONC noted that the agency worked with counterparts at the HHS Agency for Healthcare Research and Quality (AHRQ), FDA, and the HHS Office for Civil Rights (OCR) in developing these proposals.5
Predictive Decision Support Intervention Certification Criterion
ONC proposes to replace the existing CDS certification criterion for the Certification Program with a more broadly applicable and rigorously regulated “decision support intervention” (DSI) criterion. Within this criterion, ONC proposes a number of new requirements for predictive DSI, which is defined as “technology intended to support decision-making based on algorithms or models that derive relationships from training or example data and then are used to produce an output or outputs related to, but not limited to, prediction, classification, recommendation, evaluation, or analysis.”6 This criterion would apply to clinical, medical, financial, administrative, and other algorithms intended to support a wide range of decision making.7 Proposed Rule HTI-1 would require developers of certified Health IT Modules that enable or interface with predictive DSIs to meet a number of algorithm transparency and risk mitigation requirements.
ONC proposes that developers of Health IT Modules make certain “source attributes” related to predictive DSIs available directly to end users. ONC noted that source attributes are “intended to provide users with greater insight into the model incorporated into a particular predictive DSI and will provide information for an array of uses,” including, for example, algorithm “nutrition labels.”8 Proposed source attributes fall under the following categories:
- Intervention Details (e.g., the intended use of the intervention);
- Intervention Development (e.g., input features of the intervention including description of training and test data);
- Quantitative Measures of Intervention Performance (e.g., the validity of prediction in test data); and
- Ongoing Maintenance of Intervention Implementation and Use (e.g., ongoing measuring and monitoring of the model’s performance in the local environment).
ONC proposes a number of “intervention risk management” (IRM) requirements for predictive DSI, including risk analysis, risk mitigation, and governance requirements. ONC further proposes that “detailed documentation” regarding IRM practices, including documentation specific to individual predictive DSIs, be made available to ONC upon request.
The proposed rule is noteworthy for its intersection with FDA device regulations. Some CDS, a subset of DSI, is regulated as a medical device by FDA.9 The proposed rule would potentially apply to such tools that are already cleared or approved by FDA as devices. On the other hand, many CDS and other software tools are not subject to medical device regulation, including by operation of the exemptions for certain software functions enacted by Congress in the 21st Century Cures Act. Those, too, would be subject to the proposed rule if they fall within the broad ambit of predictive DSI. For all of these tools, the requirements would mimic certain standards applicable to software-based medical devices. For example, ONC compares its risk management proposals to FDA’s current good manufacturing practice (CGMP) requirements, and a required source attribute regarding ongoing maintenance to FDA’s draft guidance on Marketing Submission Recommendations for a Predetermined Change Control Plan for AI/ML-Enabled Device Software Functions.10
ONC invites comment on these proposed requirements, as well as a wide array of potential criterion updates under consideration. For example, ONC solicits input on:
- Whether the criterion should require additional source attributes to be shared with end users.
- Whether predictive DSI source attribute information should be made available to the public.
- Whether certain information regarding the use of predictive DSI should be made available directly to patients.
Other Updates and Changes
Beyond the sweeping changes for predictive DSI, ONC sets forth a number of other proposals, including:
- Other new and revised Certification Program criteria, including some that may intersect with other requirements, such as regulation by FDA, OCR (HIPAA11), and the Federal Trade Commission (Section 5 of the FTC Act and the HBNR12).
- New and revised Certification Program standards (including adoption of USCDI v313).
- Information Blocking Rule changes, such as new definitions of what it means to “Offer Health IT” and be a “Health IT Developer of Certified Health IT,” and modifications to the information blocking exceptions.
Next Steps and Deadline for Comments
Affected entities should assess carefully the potential implications of the proposals ONC has set forth and consider providing input on the specific questions ONC has raised. Comments on Proposed Rule HTI-1 may be submitted until 5 p.m. ET on June 20, 2023.
1 Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 88 Fed. Reg. 23746 (proposed Apr. 18, 2023) (to be codified at 45 C.F.R. pts. 170, 171) [hereinafter Proposed Rule HTI-1].
2 See, e.g., 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642 (May 1, 2020) (45 C.F.R. pts. 170, 171). See also U.S. Dept. Health & Hum. Servs. (HHS), Off. Nat’l Coordinator for Health Info. Tech. (ONC), About The ONC Health IT Certification Program, https://www.healthit.gov/topic/certification-ehrs/about-onc-health-it-certification-program (last modified Nov. 9, 2021).
3 See, e.g., Ctrs. For Medicare & Medicaid Servs., Promoting Interoperability Programs, https://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms (last modified May 2, 2023). For a list of government and non-government programs that reference certified Health IT, see ONC, Programs Referencing ONC Certified Health IT, https://www.healthit.gov/topic/certification-ehrs/programs-referencing-onc-certified-health-it (last modified Mar. 27, 2019).
4 ONC, National Trends in Hospital and Physician Adoption of Electronic Health Records, https://www.healthit.gov/data/quickstats/national-trends-hospital-and-physician-adoption-electronic-health-records (last visited May 6, 2023).
5 Proposed Rule HTI-1, 88 Fed. Reg. at 23811.
6 Proposed Rule HTI-1, 88 Fed. Reg. at 23905.
7 Proposed Rule HTI-1, 88 Fed. Reg. at 23785.
8 Proposed Rule HTI-1, 88 Fed. Reg. at 23788.
9 See U.S. Food & Drug Admin (FDA), Clinical Decision Support Software: Guidance for Industry and Food and Drug Administration Staff (Sept. 28, 2022), https://www.fda.gov/media/109618/download. See also, N. Brown et al., FDA Changes Direction in Final CDS Guidance, Akin (Oct. 4, 2022), https://www.akingump.com/en/insights/alerts/fda-changes-direction-in-final-cds-guidance.
10 FDA, Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions: Draft Guidance for Industry and Food and Drug Administration Staff (Apr. 3, 2023), https://www.fda.gov/media/166704/download.
11 “HIPAA” refers to the regulatory regime enacted under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009, codified at 45 C.F.R. pts. 160, 162 and 164.
12 See 15 U.S.C. § 45(a) (Section 5 of the FTC Act); Health Breach Notification Rule, 16 C.F.R. pt. 318 (HBNR).
13 See ONC, United States Core Data for Interoperability (USCDI) Version 3 (v3) (October 2022 Errata), https://www.healthit.gov/isa/sites/isa/files/2022-10/USCDI-Version-3-October-2022-Errata-Final.pdf. See also, ONC, United States Core Data for Interoperability (USCDI), https://www.healthit.gov/isa/united-states-core-data-interoperability-uscdi#uscdi-v3 (last visited May 6, 2023).