Proposed Health IT Certification Rules Target AI, PrivacyHHS Rules Aimed at Beefing Up Health IT Systems, Patient Data Privacy, Security
Federal regulators have proposed new rules aimed at securing certified healthcare software products, helping patients decide which records to keep private, and protecting data used by AI and predictive tools. The hefty, 556-page Department of Health and Human Services proposed rule seeks to promote innovation and data sharing while tightening security and privacy.
The proposed rule - Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing - also known as HTI-1, will be published in the Federal Register and stay open for public comment for 60 days starting April 18.
The HHS Office of the National Coordinator for Health IT said it has four key priorities related to the regulations: building the foundation for making digital health information useful and usable, making interoperability easy, promoting information sharing, and ensuring proper use of digital health information and tools.
"This proposed rule covers many aspects of those four things," said Micky Tripathi, HHS national coordinator for health IT, during a press briefing discussing the document.
Beefing Up Privacy, Security
The proposal includes additional ways for health IT developers to enable "patient-requested restrictions" on certain disclosures and uses of their protected health information to support patient privacy under HIPAA.
"Advances in genetic testing and genomic research offer opportunities for early intervention and preventative care, but again, they represent a potential risk that may not be fully addressed by current privacy laws," the proposal says. Also, "there are types of clinical information that could impact the patient if disclosed, such as reproductive health, behavioral health and substance abuse information," the document says.
"We specifically intend the proposed [regulation] to advance the technological means to support clinicians and other covered entities when honoring patient requests for the restriction of uses or disclosure of PHI through certified health IT," the proposed rule says.
For instance, the proposal addresses various implementation alternatives for "flagged data" in health IT applications to ensure it is not made part of a patient's summary care record, displayed in a patient portal or shared over an application programming interface.
HHS ONC included proposals for health IT developers to address cybersecurity and privacy issues as well as a host of other concerns involving their products, including the use of artificial intelligence and machine-learning technology tools, such as predictive decision support interventions.
Developers of certified health IT would be required to attest to certain intervention risk management activities for the life cycle of their products, such as analyzing potential risks and adverse impacts associated with a predictive decision support intervention including reliability, safety, security and privacy.
"We believe that predictive decision support intervention risk should be managed like other types of risk - continuously across the software development life cycle," the proposed rule-making document says. The agency pointed out that, in the same way the HIPAA Security Rule requires ongoing risk analysis, software developers should review their intervention risk management practices and update their documentation if they enable or interface with predictive decision support intervention technologies.
The proposal also includes the implementation of new information-blocking provisions aimed at promoting innovation, encouraging market competition and addressing consolidation in the interest of the patient to advance interoperability, improve transparency and support the access, exchange and use of electronic health information.