Where Is Interoperability Headed? Micky Tripathi On ONC Turning 20, The Epic-Particle Health Dispute, And How Health Information Exchange Is Expanding
It’s been an incredibly busy summer for the Office of the National Coordinator, which has responsibility for developing federal policy and rules regarding health information technology. The agency received new authority, has been restructured and renamed. Its director, Micky Tripathi, has been named the administration’s acting Chief AI Officer. And the agency itself has published a plethora of proposed policies and final rules in the past 90 days. If ever health technology policy were a pop culture topic, perhaps this summer’s ONC would be described as Brat.
Below is a Q&A with Micky Tripathi, now formally known as Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology (ASTP/ONC), and Chief Artificial Intelligence Officer (Acting).
Topics include (i) the Trusted Exchange Framework and Common Agreement, which is the federal government’s way of driving to true nationwide health information exchange, (ii) the proposed HTI-2 rules that ONC just published which expand the scope of health information exchange requirements, (iii) the Epic-Particle Health dispute around how to ensure appropriate uses of health information exchange, and (iv) information blocking updates.
Q. ONC just celebrated 20 years, and you recently had the opportunity to gather with previous ONC directors at Health Evolution Summit. As you’ve had an opportunity to reflect, what do you see as ONC’s biggest priorities over the next 5 years?
It was really fun to spend a bunch of time together. I think one of the things we recognized as a group is that a lot of what we’ve done sort of tracks the maturity of health IT. From a technology and adoption perspective, we’ve sort of been surfing on top of that in a way. The things that we do are always going to follow where we think the level of maturity is for the industry.
At the time when there were no electronic health records (EHRs) and no funding for it, you know, David [Brailer] and Rob [Kolodnik] were focused on the fact that ONC only had a budget of $50 million per year. Ninety percent of providers didn’t have EHRs. So the big focus then was on well, how do you think about nationwide networks that once people get them, at least they have something to point to and to connect to and, you know, things to hang things off of.
And then, of course, HITECH [the Health Information Technology for Economic and Clinical Health Act] came in 2010 and David Blumenthal, Farzad, Karen DeSalvo, and Vindel Washington all became stewards to think about implementation and a set of granular policies about what it means to implement an EHR.
And then Don Rucker and I came along, and could make the assumption that we’ve got a lot of digital natives. What were the real goals? It wasn’t getting rid of paper records.
If you just look at the rule we published recently, getting into payer interoperability, getting into public health interoperability, and TEFCA [Trusted Exchange Framework and Common Agreement], we’re saying we have to solve this network interoperability thing once and for all with a framework and governance that are flexible to the future and research and the other really important use cases that are there on the horizon.
Q. OK. The rule you just referenced, HTI-2 was just published. Why is it a big deal?
Yeah, well, you know, it’s 1000 pages. So that’s gonna be a big deal itself. [Laughs]
There’s a number of different things in it, right?
Our rules are kind of in between event-driven rules and time-driven rules. We do update the certification criteria on a regular basis, really to keep pace with industry to keep pace with technology. Our rule that we released in December starting to look at AI and having explicit policy is an example [of an event-driven rule].
And then some are a mixture [of event- and time-driven rules]. Some of the important policy things are moving further into our statutory authority to broaden the horizon of interoperability. Payor information is vitally important to interoperability and we shouldn’t pretend it’s not. CMS regulations about making claims data available. Prior authorization. Payer to payer. Member-facing APIs. All of those should be brought under the same umbrella that we consider every other part of interoperability.
Similarly, with public health, we’ve got an ecosystem issue where the public health systems, though they’re receiving federal dollars – in the same way that providers are – we weren’t putting the requirements on them to have systems that will be interoperable.
So we need to be thinking about interoperability in an all encompassing manner. And bring all these things together. A key goal of ours is to have better integration between public health and health care delivery, for example.
Q. That’s quite a broadening of how we think about interoperability. What else should folks know about HTI-2?
The other thing was about protecting care access, which was related to provider concerns – that the information that they share regarding reproductive health could be used in ways that could invite legal liability or legal exposure, for either them or their patients.
So we put in a set of policies related to their ability to exercise an exception in the information blocking policies, so that providers weren’t compelled by [existing information sharing] rules. Without that, you’re compelled actually to share that information. We propose an exception.
So that’s another important policy.
Q. You mentioned payers earlier. A lot of the focus on interoperability and information blocking has focused on providers and EHRs. But increasingly, both of these constituents need access to payer data in order to adequately engage in value-based care programs. Can you shed a bit more light on how ONC is increasing the scope of interoperability as it applies to payers? ONC doesn’t regulate payers, does it?
Sure. I think there are two dimensions to it. The first is the certification [of health tech] component.
First, it’s really important for everyone to understand that ONC’s statutory authority for certification limits it to voluntary certification. ONC has no authority to tell Epic or Elevance that they are required to have a certified system.
Epic is not required by ONC regulations to have a certified system. The reason that they do is because CMS tells providers that if they want to participate in a payment model, well you’ve got to have a certified system. And this becomes the demand signal to Epic that it’s important to get certified.
Now, there’s nothing in CMS regulations that says to payers they have to have technology certified by ONC. CMS did put out a requirement in January that said that regulated payers have to make available a provider access API. And there is the CMS interoperability rule, which in January they said all commercial payers need to do the same thing. And the prior authorization rule.
The point is the established policy tells the payers you are required to make available this API. Now, they don’t say that API is required to be certified by ONC, right?
But we [ONC] come along and say, we’re going to set up a voluntary certification program that allows someone to test their system conformance against the requirements that our sibling agency here has required.
And the initial hope is that it provides value to the market because that’s the opportunity for providers and payers to get together and to say, Hey, if we really want to have interoperability here, we will voluntarily certify our system.
And that enables scalability because now we know we’re going to have better future conformance. We’re hoping that creates more momentum.
Q. OK, so the first par of ONC’s role in driving payer interoperability is certification. What’s the second part?
Payor-provider interoperability is a top priority, and the second is related to TEFCA.
I was very involved before joining the federal government with all the state Health Information Exchanges (HIEs) as well as the nationwide ones, like the Board of Sequoia Project, the Board of the Commonwealth Alliance, and so saw firsthand that they did great work in getting provider-to-provider health information exchange for treatment purposes. Tens and tens of millions of transactions every single day happening vendor to vendor, right?
There are still problems to tackle. I’m not pretending that those aren’t there. But the point is data is actually being exchanged. All those networks do allow payers to participate, but the issue is that no one responds to the payers, right?
Because providers feel like they’re not getting anything in return and all they get is downside risk that payers are going to use that against them in the next contract.
Unless you have a level playing field, we’d have providers saying they’re not going to join and then we’d all be worse off.
A big part of what we’re doing with TEFCA is trying to fix that asymmetry. So there is going to be a required response because that’s how interoperability has to work. You better have some skin in the game.
Where we tied this together now is we’re working with the payers to say if you want the providers to respond to you, then payors have to make provider access APIs for claims data available. So providers can query and get claims data back [for their own patients], so they can track quality measures. I think that’s huge.
Q. Shifting to provider-to-provider interoperability, the Epic-Particle Health dispute highlights the challenges with maintaining trust in decentralized health information exchange networks, and what happens if that trust is lost. How do we fix the issues that Brendan Keeler has written about and raised?
The data holding entities [such as hospitals] under HIPAA have an obligation to steward the information that’s in their control. I think HIPAA actually has been very good and served us very well, I would argue, over a number of years. One of the ways that it has is this idea of reasonable reliance and reasonable assurance.
If it’s the hospital across the street asking for data, I don’t need to do a whole lot of diligence [to ensure they are who they say they are]. But for other parties, maybe a company with a weird name that you’ve never heard of, there needs to be more diligence. You know, ‘I am not disclosing information until I actually have satisfied myself with respect to compliance.’
But the minute a hospital joins a network that has required response, though, the hospital has said ‘We are now deputizing the network governance for performing those [diligence and compliance] functions to give me reasonable assurance and reasonable reliance.
If the network structure and governance is not giving the hospital that reasonable assurance and reliance, then it absolutely ought to have the ability to say ‘I’m turning it off until I figure out what’s going on. Or maybe I won’t even participate in this? All it is is risk.’
We’ve taken that very seriously. So we’ve been doing a bunch of things – I mean, almost everything that Brendan was talking about are things that we’re putting in place. So let me unpack that.
One is a more structured and disciplined and responsive governance framework so organizations have to have a place to go when they have concerns about what’s happening to the information that they are disclosing to other parties.
And they need to have a process where they can raise a question at a sub dispute level, so they don’t have to go all the way to saying, I am formally submitting a dispute. Where they can say, I’m just asking a couple of questions. I am the disclosing entity at the end of the day. I am holding the bag on HIPAA compliance. And so I need to always be able to ask questions and expect to get some answers. So we’re establishing a review process within TEFCA with a set of SLAs [service level agreements].
If the parties are unsatisfied with the sub dispute level, they can escalate. And then appeal.
We’re also narrowing the scope of what’s allowed in ‘required response’ for treatment and expanding the availability of other use cases. We are going to narrow that to say you’ve got to be a covered entity provider or a government provider, or a delegate of either of those.
And then we have strict policies about who can be a delegate and that the delegate has to be identified and backed by the provider organization. So an organization can’t approach TEFCA and say, ‘Hey, I’m a delegate of Mayo Clinic.’ And it’s like ‘Well, that’s great. Until we hear from Mayo Clinic, you’re not a delegate of anyone.’
That’s been a problem for some networks: companies have been allowed to represent that they are the delegates of these other parties. And then what was discovered later was they weren’t actually. So you’ve got to be confirmed as a delegate. And you’ve got to be performing treatment under the HIPAA definition of treatment.
And then the third element is you have to be doing those services where there is a direct interaction between a patient and a licensed individual provider. For other [non-treatment related use cases] we are saying we now are putting into place explicit timelines for making healthcare operations an optional use case. And individual access as an optional use case as well. And then create a glide pass for saying, when do those shift from optional to required response?
And that’ll take some of the heat off of the treatment use case.
Q. Information Blocking was a concept introduced by the 21st Century Cures Act, and has been in force for a couple of years. But ONC recently introduced a final rule. What do people need to know?
The statute in 21st Century Cures is complicated, right? There are three types of actors. Providers, networks, and certified technology developers. Then they [Congress] said, for two of the actors [networks and certified technology developers], we are actually going to establish new authority.
OIG [Office of Inspector General] will assess civil monetary penalties on them of up to a million dollars per incident if they are found guilty. So OIG has new authority to define the penalty and they have the enforcement capability for the technology vendors and for the networks for providers.
For the third type of actor, providers, HHS [Health and Human Services] is responsible and has to define the penalties. But HHS was not given any new authority. What they [Congress] said to HHS is you can establish appropriate disincentives, but you have to do it with existing authorities.
So that’s why a final rule for providers took longer – because it’s really complicated. If you look at it, the [Information Blocking] statute covers providers, but the definition of providers is a very expansive list that covers physical therapists, dentists, long term and post-acute, the whole span. But if you look at the appropriate disincentives rule, it’s just hospitals and ambulatory physicians. The importance I think is that it establishes the framework. If you read the preamble and also from the Secretary’s comments in the release of the rule, we’re basically saying now we’ve got the policy framework and the structure for how we’re going to do it for other types of providers who don’t have any penalties currently. On an ongoing basis, we will keep adding appropriateness incentives as we go through, you know, which authorities do we have and where we can exercise those.
Q. The applicability date for complying with Information Blocking was April, 2021. The OIG final rule specifying civil monetary penalties was published August 2023. Have there been investigations concerning information blocking?
ONC publishes the aggregate number of complaints we get. People can submit complaints. They can call us. I think we get something like 5 to 7 per week. We actually have a schematic that shows what happens to a complaint, kind of walks through a little bit.
We have SLAs [service level agreements] that we’ve built internally for the ONC part of the process where, when we get a complaint, we will notify the submitter that we’ve received it. I think we say that within 72 hours we will report back to them the initial disposition of the complaint. And the initial disposition is ONC does the first screen where we say, based on the facts that we are presented with here, is it a plausible information blocking complaint? Because sometimes we get a complaint against a payer, for example, which is not [subject to] information blocking.
It’s important for people to know that the statute requires that we keep it entirely anonymous. So they should feel comfortable that they can submit their name, which is obviously helpful because in the event of investigation, then we can actually follow up.
So then we’ll get back to them and say, ‘Thank you for submission. Unfortunately, payers are not a part of that.’ If it does pass that first screen, we pass it to OIG. In that case we get back to the complaint, and we let them know we have passed your complaint to the office of an inspector general.
At that point, it’s actually completely in OIG land. So, you know, they’re a law enforcement agency. And I think just as a matter of policy, I don’t think they disclose anything about investigations that they’re doing that they intend to do.
Q. Does the Supreme Court’s decision in Loper Bright Enterprises V. Raimondo, in which the court overturned the traditional Chevron deference approach, have any implications for what ONC is doing? For instance, Congress did not attempt to provide a robust definition of what constitutes information blocking, or what might constitute acceptable exceptions to the rule.
Well, gotta go, Seth. It’s been great talking to you. [Laughs] Just kidding.
I think a lot is left to be determined, but yeah, I think, we’re generally concerned about the decision. The President’s made statements, Secretary Becerra has made pretty strong statements and our feelings are pretty well known.
It doesn’t affect any of our day to day at ONC right now. We are going to keep doing what we need to keep doing to exercise the amazing expertise and experience that exists in the federal workforce, to do the best for the American people.
link