The next Health Data, Technology, and Interoperability (“HTI) rule looks like it is coming in March. The Office of Management and Budget’s Office of Information and Regulation Affairs’ Unified Agenda, which is published at https://www.reginfo.gov/public/, has an indication on it that a fourth “HTI” rule will be published under the title “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability,” and has been assigned a unique RIN of 0955-AA08.
The new “HTI” rule was proposed in August 2024 under the Biden administration, and touched on a range of issues including data standards, TEFCA, and information blocking. It then finalized two rules to finalize that proposal: HTI-2 (covering mainly TEFCA) and HTI-3 (covering mainly the protecting care and privacy exceptions) (0955-AA06 and 0955-AA07 respectively). If you go to federalregister.gov and search using the RINs 0955-AA06 and 07, you will find those two final rules. If you search for RIN 0955-AA08, you get nothing, but, reginfo.gov shows a final action under that RIN as scheduled for March 2025.
This is the regulation that I suspect the new administration is going to use to put its first mark on the health IT world and ONC/ASTP business. Any time administrations change, prior regulations that were recently promulgated come under scrutiny. The Senate confirmed Secretary Robert F. Kennedy Jr. today. I am willing to bet that the Senate will also confirm Dr. Mehmet Oz to act as CMS Administrator. With its political leadership in now more or less locked in, HHS is going to start actively marching towards the policy directives set by President Trump. So how will this effect HTI-2 and HTI-3? I think we will find out in the regulation that’s stamped 0955-AA08.
First, I think this rule will walk back HTI-3’s protections for actors who provide abortion services and refuse to provide electronic health information on a privacy basis when under a subpoena. Specifically, HHS stated “we proposed to revise the sub-exception to remove a limitation that applied the exception only to individual-requested restrictions on EHI sharing where the sharing is not otherwise required by law. Thus, we proposed to extend the availability of the § 171.202(e) subexception to an actor’s practice of implementing restrictions the individual has requested on the access, exchange, or use of the individual’s EHI even when the actor may have concern that another law or instrument could attempt to compel the actor to fulfill access, exchange, or use of EHI contrary to the individual’s expressed wishes.”
It went on and explained that “[w]hen the sub-exception was established, health care providers and other actors did not raise explicit concerns regarding when they must comply with statutes, regulations, or instruments (such as subpoenas) issued under the laws of states in which they are not licensed, do not reside, and do not furnish care. In 2022, the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturned precedent that protected a federally protected constitutional right to abortion and altered the legal and health care landscape. Since the Court’s decision, across the United States, a variety of states have newly enacted or are newly enforcing restrictions on access to abortion and other reproductive health care. The Court’s ruling—and subsequent state restrictions—have had far-reaching implications for health care beyond the effects on access to abortion”
This sort of cross-jurisdictional legal play is happening right now in the news between Texas, Louisiana, and New York. I believe this administration will roll back this modification to the privacy exception due to the importance of the pro-life coalition, and in spite of Secretary Kennedy’s prior pro-choice positions.
HTI-3 also created a new exception to the prohibition against information blocking called “Protecting Care Access.” This exception permits an actor to restrict sharing information where it reduces the risk of exposing a person seeking reproductive healthcare that is lawful in the circumstances in which it is furnished if that legal action is predicated on the fact that such care was sought, obtained, provided or facilitated. This exception, like the modifications to the privacy exception, will probably be rolled back to reflect the Trump administration’s policy preferences.
HTI-4 also stands to address the last gap left in HHS’s August proposals: data standards. Here I also think we may see some significant changes. By way of example, President Trump signed an executive order stating that there are only two biological sexes. The United States Core Data for Interoperability (“USCDI”) may be modified to reflect that order by modifying how a clinician may use the fields “Gender Identity” and “Sex.”
Finally, as DOGE turns its eye towards HHS, I am not sure what the future of the ONC/ASTP really is. President Bush created the agency by executive order. That means (at least arguably) that it could be undone by executive order. That said, I think the certification program itself will continue in substance.
The certification program itself will probably survive because: 1) it is a creation of Congress, 2) has been featured in some bipartisan and wide ranging healthcare legislation (namely the 2015 Medicare and CHIP Re-authorization Act), and 3) its absence could actually instigate a lawsuit. Use of technology certified through this program affects most Medicare physician payments visa-vi programs like the Merit-based Incentive Payment System. There’s money to made and there’s money to be lost in those payment systems, and tinkering with physicians’ payments often carries a political and legal cost.
eHealth Law Blog 