New security and privacy certification criteria as well as a standardized FHIR API for patient and population services are among the interoperability policy updates for the coming year. Many of these requirements have deadlines of December 31, which means that providers and developers will need to work to ensure they are in compliance.
The Office of the National Coordinator for Health Information Technology (ONC) reports that developers are making progress with the new criteria regarding privacy and security certification. Developers whose products are certified to the applicable criteria are required to provide these functionalities by December 31, 2022.
The requirements include transparency attestations as to whether the health IT developer supports encrypting authentication credentials and multi-factor authentication. There are also requirements around the use of more granular security tags that will restrict redisclosure of sensitive information when the data is entered.
Standardized Fast Healthcare Interoperability Resources (FHIR) application programming interfaces (API) are among the Cures Update certification criteria that are facing the December 31, 2022, deadline. ONC explains that standardized FHIR APIs will facilitate interoperability across certified health IT developers and independent practices. The APIs serve as a foundation for innovation and support the development of new and innovative applications.
Elation Health enables you to connect your data with easy-to-use APIs. Learn more here.
The goal of these policy updates and certification requirements is to ensure that healthcare providers as well as insurers, accountable care organizations, and other healthcare entities can access and use patient data in interoperable, appropriate, and secure ways to manage patients’ healthcare for improved outcomes. Standards-based APIs will also benefit patients, who will be able to connect to different sources of their own medical data more easily. They will be able to use different apps to access and understand their health status.
Certified health IT developers must incorporate USCDI v1 data elements into their health IT as a requirement of the 2015 Edition Cures Update. USCDI v1 represents the minimum set of data that health IT is required to support for data access and exchange. Certified health IT developers must provide these USCDI v1 updated capabilities to providers by December 31, 2022.
Several new and additional requirements of the 2015 Edition Cures Update include:
- Attestation Maintenance of Certification: April 1, 2022
- Real World Testing 2023 Plans: December 15, 2022
- § 170.315(g)(10) – Standardized APIs for Patient and Population Services: December 31, 2022
- Privacy and Security Transparency Attestations: December 31, 2022
- USCDI/Consolidated – Clinical Document Architecture (C-CDA) Companion Guide: December 31, 2022
- § 170.315(b)(3) Electronic Prescribing: December 31, 2022
- Update to Support Security Tags: December 31, 2022
United States Department of Health and Human Services (HHS) Secretary Xavier Becerra states that “our job is far from finished” in enforcing the information blocking rules in the 21st Century Cures Act. The regulation, which actually went live last April, requires healthcare providers, health IT developers, and health information exchanges (HIEs) to enable patients to access their healthcare records with third-party apps.
Other policy updates for 2022 include digital quality measures reducing the collection burden on providers and enabling broader data analytics. In the coming year, the federal government will also be taking an in-depth look at algorithmic bias, reviewing the impact it may have on health equity.