Introduction

Ensuring secure, interoperable health information technology (IT) systems and data exchange has been a critical US national priority for more than a decade.  Below, we briefly describe selected US Federal legislative activity in this area, following Executive Order 13410 signed by President George W. Bush mandating secure, interoperable health information exchanges within the federal government and its consortia.  In the time since this gauntlet was laid, many legislative and executive actions have impacted health technology, data exchange, and health care practitioners and patients.

Here, we provide a partial list, which we will keep up-to-date as events unfold.

• The Health Information Technology for Economic and Clinical Health Act (HITECH). This legislation was part of The American Recovery and Reinvestment Act of 2009[1] (ARRA).   It created the Office of the National Coordinator for Health IT and introduced requirements for meaningful use (MU) of common data, promoted electronic health record (EHR) adoption, expanded data breach notification requirements, and identified electronic protected health information (ePHI)
• The Medicare Access and CHIP Reauthorization Act(MACRA)[2]of 2015 provides a new framework for reimbursing clinicians who successfully demonstrate value over volume in patient care, which is critically contingent on interoperability of healthcare data.
• The 2015 Edition Health IT Certification Criteria Final Rule[3]specifies the capabilities, standards, and specifications that certified electronic health record technology need to include to, at a minimum, achieve meaningful use under the Medicare and Medicaid EHR Incentive Programs. 
• The 21st Century Cures Act[4](2016). Requires health care information systems to allow individuals to securely and easily access structured (i.e., located in a fixed field in a record) electronic health information “without special effort”

• patient access to health information electronically;
• developers’ assurance that their products meet recognized structure and functionality. Appendix B provides a list of the certification criteria for developers, providers, and vendors.

One of the central elements of the proposed interoperability rules is the expanded use of application programming interfaces (APIs).  APIs hold new promise in health care as a powerful and positive disrupter to enable clinical data inoperability and convenient patient access to personal data.  (See here)

This NPRM suggests that the USCDI “will need to continually expand data elements and upgrade capabilities associated with Certified APIs as the FHIR standard and its implementation specifications mature, and the National Coordinator expands the USCDI…”[15]. In particular, the proposed rule calls for the use of “USCDI as a minimum data set expected for exchange; the USCDI is included in such criteria as ‘transitions of care’ [16], ‘view, download, and transmit to 3rd party’[17], and the API criteria[18].

FHIM supports the mandated data standards identified in the HHS regulations.  It is the only health information model where ONC required data standards are easily accessible for developers and analysts to quickly develop APIs and applications that will be interoperable.  FHIM enables health plans and payers to participate in the exchange of data via APIs using the same set of standards or, most importantly, different standards that are mapped to it.

Trusted Exchange Framework and Common Agreement (TEFCA)

One way the Cures Act aims to drive greater interoperability is by asking ONC to assist and encourage development of public-private partnerships to create a “trusted exchange framework, including a common agreement among health information networks (HINs) [RB4] nationally.” Overall, the legislation aims to promote interoperability among disparate EHRs.  ONC developed the Trusted Exchange Framework and Common Agreement[19](TEFCA) standards-based technology to exchange EHI with other HINs and to promote interoperability using FHIR APIs and Common Core Profiles.[RB5]  If successful, it will give patients, health care providers, payers, HINs, health IT developers, and other stakeholders electronic access to data when and where it’s needed to better support patient care. 

• API= Application Programming Interface
• APM= Alternative Payment Models
• ARCH= API Resource Collection in Health
• ARRA= American Recovery and Reinvestment Act of 2009 
• ARCH= API Resource Collection in Health
• CFR= Code of Federal Regulations
• EO= Executive Order
• FHIR®= Fast Healthcare Interoperability Resources (an HL7® standard)
• Health IT= Health Information Technology
• HINs= Health Information Networks
• HITECH= Health Information Technology for Economic and Clinical Health Act
• IG= Implementation Guide
• MACRA= Medicare Access & CHIP Reauthorization Act of 2015
• MIPS= The Merit-based Incentive Payments System
• MRTC= Minimum Required Terms and Conditions
• MU= Meaningful Use
• NPRM= Notice of Proposed Rulemaking
• QDRA= Quality Reporting Document Architecture
• QHIN= Qualified Health Information Network
• QTF= QHIN Technical Framework
• USCDI= United States Core Data for Interoperability

Subpart B – Standards and Implementation Specifications for Health IT

45 CFR 170.205 – Content exchange standards and implementation specifications for exchanging electronic health information

• 170.205(h)CMS Implementation Guide (IG) for Quality Reporting Document Architecture (QDRA) Category I Hospital Quality Reporting Implementation Guide for 2019, May 4, 2018
• 170.205(k)CMS Implementation Guide for Quality Reporting Document Architecture Category III Eligible Clinicians and Eligible Professionals Programs Implementation Guide for 2019, October 8, 2018 
• 170.205(a)Health Level 7 (HL7®) CDA R2 IG: C-CDA Templates for Clinical Notes R1 Companion Guide, Release 1 (C-CDA 2.1 Companion Guide),March 2017 
• 170.205Health Level 7(HL7®) CDA R2 Implementation Guide: C-CDA Supplemental Templates for Unique Device Identification (UDI) for Implantable Medical Devices, Release 1-US Realm 
• 170.205(b)National Council for Prescription Drug Programs (NCPDP), Script Standard Implementation Guide, Version 2017071(Approval Date for ANSI: July 28, 2017)  

45 CFR 170.213 – United States Core Data for Interoperability (USCDI)

• The United States Core Data for Interoperability (USCDI), Version 1 (v1) 

45 CFR 170.215 – Application Programming Interface (API) Standards

• 170.215(a) HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 2.0, Draft Standard for Trial Use (DSTU) Version 1.0.2-7202, October 24, 2015
• 170.215(b) OpenID Connect Core 1.0 incorporating errata set 1, November 8. 2014
• 170.215(c)(1) HL7® Fast Healthcare Interoperability Resource Specification (FHIR®) Release 3 Standard for Trial Use (STU), Version 3.0.1, February 21, 2017
• 170.215 Health Level 7 (HL7®) Version 4.0.0 Fast Healthcare Interoperability Resources Specification (FHIR®) Release 4, December 27, 2018
• 170.215(c) Health Level 7(HL7®) Implementation Specification – FHIR Profile: Consent2Share FHIR® Consent Profile Design, December 11, 2017 
• 170.215(a)(5) SMART Application Launch Framework Implementation Guide Release 1.0.0170.215(a)(3) HL7® FHIR® Foundation, Argonaut Data Query Implementation Guide, Version 1.0.0, December 23, 2016
• 170.215(a)(4) HL7® FHIR® Foundation, Argonaut Data Query Implementation Guide Server, Version 1.0.2, December 15, 2016 
• 170.215 OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), July 2015
• 170.215(a)(2) API Resource Collection in Health (ARCH) Version 1
• 170.215(b) OpenID Connect Core 1.0 Incorporating Errata Set 1, November 8. 2014 

45 CFR 170.299 – Incorporation by reference 

• Standard. HL7® CDA® R2 Implementation Guide: C-CDA Templates for Clinical Notes R1 Companion Guide, Release 1
• Standard. National Council for Prescription Drug Programs (NCPDP), Script Standard Implementation Guide, Version 2017071
• Standard. CMS Implementation Guide for Quality Reporting Document Architecture Category I Hospital Quality Reporting Implementation Guide for 2019 
• Standard. United States Core Data for Interoperability Version 1 (USCDI v1)
• Standard HL7® Fast Healthcare Interoperability Resources (FHIR)® Draft Standard for Trial Use (DSTU) 2 (v1.0.2-7202)
• Implementation specifications. API Resource Collection in Health (ARCH) Version 1
• Implementation specifications – FHIR® profiles. Argonaut Data Query Implementation Guide Version 1.0.0
• Implementation specifications – FHIR® server conformance. Argonaut Data Query Implementation Guide Server
• Implementation specification – Application authorization. HL7® SMART Application Launch Framework Implementation Guide Release 1.0.0, including mandatory support for “refresh tokens,” “Standalone Launch,” and “EHR Launch” requirements
• Application authentication.Standard.OpenID ConnectCore1.0incorporatingerrataset 1
• Standard. HL7® Fast Healthcare Interoperability Resources (FHIR)® Release 3 Standard for Trial Use (STU) 3 (v3.0.1)
• Implementation specification – FHIR® consent resources. HL7® Consent2Share FHIR® Consent Profile Design
• CMS Implementation Guide for Quality Reporting Document Architecture Category I Hospital Quality Reporting Implementation Guide for 2019, May 4, 2018
• CMS Implementation Guide for Quality Reporting Document Architecture Category III Eligible Clinicians and Eligible Professionals Programs Implementation Guide for 2019, October 8, 2018
• HL7® CDA Release 2 Implementation Guide: C-CDA Templates for Clinical Notes R1 Companion Guide, Release 1, March 2017
• HL7® Fast Healthcare Interoperability Resources (FHIR®) Release 2.0, Draft Standard for Trial Use (DSTU) Version 1.0.2-7202, October 24, 2015
• HL7® Fast Healthcare Interoperability Resource Specification (FHIR®) Release 3 Standard for Trial Use (STU), Version 3.0.1, February 21, 2017
• HL7®FastHealthcareInteroperabilityResourcesSpecification(FHIR®)Release4,Version4.0.0, December27, 2018
• HL7®ImplementationSpecification– FHIR®Profile:Consent2ShareFHIRConsentProfileDesign,December11, 2017
• HL7® CDAR2ImplementationGuide: C-CDASupplementalTemplatesforUnique Device Identification(UDI)forImplantableMedicalDevices
• HL7® SMARTApplicationLaunchFrameworkImplementationGuideRelease1.0.0,November 13, 2018
• Argonaut Data Query Implementation Guide. Version 1.0.0, December 23, 2016
• Argonaut Data Query Implementation Guide Server, Version 1.0.2, December 15, 2016
• OAuth2.0 DynamicClientRegistrationProtocol(RFC 7591),July2015
• National Council for Prescription Drug Programs (NCPDP), Script Standard ImplementationGuide,Version2017071 (ApprovalDate for ANSI:July28,2017)
• ONC United States Core Data for Interoperability (USCDI), Version 1 (v1), February 11, 2019
• API Resource Collection in Health (ARCH) Version 1, February 1, 2019
• OpenID Connect Core 1.0 Incorporating Errata Set 1, November 8, 2014

Subpart C – Certification Criteria for Health IT 

45 CFR 170.315 – 2015 Edition Health IT Certification Criteria

• 170.315(a) Family health history (familial conditions relevant for children)
• 170.315(a)(5) Demographics Pediatric Care – captures of values and value sets relevant for pediatric health care settings and patient matching
• 170.315(a)(15) Social, psychological and behavioral data – integration of behavioral health data into child’s record across the care continuum based on Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT®) and Logical Observation Identifiers Names and Codes (LOINC) codes
• 170.315(b)(1) Transition of care (USCDI v1.0) – Structured transition of care summaries and referral summaries for children
• 170.315(b)(2) Clinical Information Reconciliation and Incorporation 
• 170.315(b)(3) Electronic Prescribing – optional Structured and Codified Sig Format with capability to exchange weight-based dosing calculations within NCPDP SCRIPT 10.6 and limits prescribing all oral, liquid medications in only metric standard units for pediatrics
• 170.315(b)(9) Care Plan
• 170.315(b)(10) Electronic Health Information (EHI) Export – export of EHI for a single patient or health care provider transition or migration to another health IT system
• 170.315(b)(12) DS4P Create Summary Record – HIT tagging DS4P data consent for C-CDA information exchange or FHIR®-based exchange standards 
• 170.315(b)(13) DS4P Receive Summary Record – HIT receiving DS4P data consent for C-CDA information exchange or FHIR®-based exchange standards
• 170.315(c1)(1)-(c)(3) Clinical Quality Measures (CQMs)
• 170.315(d)(12) Encrypt authentication – certification criteria for secure electronic transmission and secure electronic messaging by developers of Health IT modules
• 170.315(d)(13) Multi-factor authentication – certification criteria for secure electronic transmission and secure electronic messaging by developers of health IT modules
• 170.315(e)(1) View, download and transmit to 3^rdparty (VDT) – transferrable access authority for pediatric health care setting and patients
• 170.315(e)(3) Patient health information capture – provider ability to accept health information from patient or authorized representative for children 
• 170.315(f)(1) Transmission to immunization registries – child health care through immunization and health care registries
• 170.315(g)(6) Consolidated CDA Creation Performance
• 170.315(g)(7) API Condition of Certification
• 170.315(g)(8) Application access – Data category request
• 170.315(g)(9) Application Access – All Data request
• 170.315(g)(10) Certified API for patient and population services from the FHIR® resources in ARCH Version 1
• 170.315(g)(10)(i) Data Response
• 170.315(g)(10)(ii) Search Support
• 170.315(g)(10)(iii) App Registration proposed (RFC 7591 OAuth Dynamic Client Registration Protocol)
• 170.315(g)(10)(iv) Secure connection, authentication and authorization
• 170.315(g)(10)(v)(A) User authentication (OpenID Connect Core 1.10 Errata Set 1)
• 170.315(g)(10)(v)(B) User authorize applications to access data (SMART Application Launch Framework Implementation Guide Release 1.0.0)
• 170.315(g)(10)(vi) Authentication and app Authentication and app authorization –Subsequent connections (refresh token for FHIR® server)
• 170.315(g)(10)(vii) Detail information for certification of FHIR® API
• 170.315(g)(11) Electronic prescribing
• 170.315(h) Transport methods and other protocols

Application Programming Interface (API) Conditions of Certification 

45 CFR Part 170.4xx – Conditions and Maintenance of Certification for Health IT Developers

• 170.401 Information blocking
• 170.402 Assurances
• 170.403 Communications
• 170.404 APIs Transparency Conditions (without special effort), permitted and prohibited fees, non-discrimination
• 170.405 Real world testing
• 170.406 Attestations Condition and Maintenance of Certification
• 170.40x EHR Reporting Program

45 CFR 171.2xx – Information Blocking Exceptions

• 171.201 Preventing harm
• 171.202 Promoting the privacy of electronic health information
• 171.203 Promoting the security of electronic health information
• 171.204 Recovering costs reasonably incurred
• 171.205 Responding to requests that are infeasible
• 171.206 Licensing of interoperability elements on reasonable and non-discriminatory terms
• 171.207 Maintaining and improving health IT performance by adoption of code sets, terminology and nomenclature as Vocabulary standards for representing electronic health information for interoperability.

• RxNorm Medication List
• SNOMED CT®

* Elements updated or added in the 2019 revised version of U.S. Core Data Interoperability (USCDI) specification.