Taking A Closer Look At ONC's AI Transparency Regulations

In recent years, organizations have been developing and using predictive models, which are powered by artificial intelligence (AI) and machine learning (ML) technologies, for numerous use cases in clinical and health care settings, including to aid in clinical decision-making. Currently, healthcare AI systems and tools have both clinical and administrative applications, namely monitoring patients, recommending treatments, predicting health trajectories, recording clinical notes, optimizing operational processes, and supporting population health management.

The Department of Health and Human Services (HHS) and federal agencies have been developing policies to advance transparency and manage risks for the development and use of AI/ML-powered health care technologies. Most recently, the Office of the National Coordinator for Health Information Technology (ONC) issued regulations that addresses predictive models and health AI systems.

Summary

In December 2023, ONC released the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule.As outlined in our client alert, the HTI-1 Final Rule addresses information blocking and updates the ONC Health IT Certification Program (Certification Program). The HTI-1 Final Rule will impact health care providers, developers of certified health IT, health information networks (HINs) and health information exchanges (HIEs).

Among the provisions in the HTI-1 Final Rule was the adoption of the decision support interventions (DSI) certification criterion in its voluntary Certification Program. ONC explains that the DSI criterion is a revised certification criterion, serving both an iterative update and replacement criterion for the existing clinical decision support (CDS) certification criterion. According to ONC, the DSI provisions enable the transparent use of predictive models and algorithms to aid decision-making in health care and align with the President's recent Executive Order (EO) to advance trustworthy AI.

ONC has held information sessions to outline and explain the provisions included in the HTI-1 Final Rule. During the DSI session, ONC provided a helpful slide deck that provides background and summarizes the provisions.

Decision Support Intervention and Predictive Models

Since 2010, the Certification Program has maintained a CDS certification criterion and has updated its requirements for health information technology (IT) modules to support CDS over the past several years. According to ONC, CDS provides clinicians and patients with knowledge and person-specific information to enhance health care delivery. Specifically, it encompasses a variety of tools to enhance clinical decision-making, including computerized alerts and reminders; clinical guidelines; condition-specific order sets; and focused patient data reports and summaries, among other tools.

ONC notes that developers of certified health IT create and deploy predictive algorithms or models for use in production environments through their health IT modules. They also continue to enable third-party developers and the developer of certified health IT's customers to create and deploy predictive models through the developer's health IT modules. ONC believes that the continued evolution of decision support software, especially as it relates to AI or ML-driven "predictive decision support intervention" (Predictive DSI), necessitates new requirements for the Certification Program's CDS criterion.

In the HTI-1 Final Rule, ONC finalized provisions that would establish requirements for certified health IT developers to make information available that would enable users to determine if a DSI tool is acceptably fair, appropriate, valid, effective, and safe (i.e., according to ONC's FAVES principles). By January 1, 2025, ONC requires developers of certified health IT to comply with the finalized DSI provisions in order to continue to meet the Base Electronic Health Record (EHR) definition at § 170.102. ONC's finalized DSI certification criterion includes a definition for Predictive DSI; issues additional requirements for health IT modules (e.g., enabling users to access source attributes for evidence-based and Predictive DSIs); establishes requirements for intervention risk management practices (IRM) to be applied for Predictive DSIs; and establishes a new Assurances Maintenance of Certification requirement to review and update DSI-related information on an ongoing basis.

ONC applies to Predictive DSIs "supplied by" the health IT developer as part of its health IT module. "Supplied by" the health IT developer includes; (i) Predictive DSIs that are authored or developed by the certified health IT developer, and (ii) Predictive DSIs that are authored or developed by other parties if those Predictive DSIs are sold, marketed, or otherwise explicitly included as part of a health IT module. According to ONC, "supplied by" means that the certified health IT developer has taken on stewardship and accountability for that Predictive DSI for the purposes of the health IT module and has knowledge of its use. This does not likely include apps available through a certified health IT developer's app store. Developers of certified health IT are not accountable for populating source attribute information for or applying IRM practices to Predictive DSIs in instances where their customers choose to deploy a self- developed Predictive DSI or another party-developed Predictive DSI for use within their certified health IT. This is true even if the customer leverages data from the developer of certified health IT's health IT module and even if the output from another party's Predictive DSI is delivered to or through a health IT module into a customer's clinical workflow.

Specifically, the HTI-1 Final Rule includes the following DSI provisions:

• Definition of Predictive DSI: ONC finalized the Predictive DSI definition as follows: "predictive decision support intervention or Predictive DSI means technology that supports decision-making based on algorithms or models that derive relationships from training data and then produce an output that results in prediction, classification, recommendation, evaluation, or analysis."
• Source attributes: ONC expanded the number of required source attributes (categories of technical performance and quality information) that health IT certified to the DSI criterion must support, including 13 for evidence-based DSIs and 31 source attributes applicable to Predictive DSIs. Evidence-based DSIs are limited to DSIs that are actively presented to users in clinical workflow to enhance, inform, or influence decision-making related to the care a patient receives and that do not meet the definition for Predictive DSI. New source attributes required for Predictive DSIs include the following: details and output of the intervention; purpose of the intervention; cautioned out-of-scope use; intervention development details and input features; process used to ensure fairness in development; external validation process; quantitative measures of performance; ongoing maintenance of intervention implementation and use; and update and continued validation or fairness assessment schedule. The stated goal of the requiring source attributes is to provide users of health IT modules access to information about the design, development, training, and evaluation of Predictive DSIs.
• IRM provisions: ONC finalized requiring that IRM practices must be applied for each Predictive DSI supplied by the health IT developer as part of its health IT module, including i) risk analysis, ii) risk mitigation, and iii) governance. Specifically, Predictive DSIs must be subject to an analysis of potential risks and adverse impacts; practices to mitigate identified risks; and policies and implemented controls for governance, including how data are acquired, managed, and used.
• Assurances Maintenance of Certification Condition: ONC requires health IT developers with certified health IT modules to review and update as necessary, source attribute information, risk management practices, and summary information. According to ONC, this reinforces a health IT developer's ongoing responsibility to enable users to access complete and up-to-date descriptions of DSI source attribute information review and update as necessary IRM practices for all Predictive DSIs it supplies, and to ensure the ongoing public availability of summary IRM practice information.

Differences between ONC and FDA regulatory oversight, but both may apply

The HTI-1 Final Rule's DSI provisions could implicate CDS software that has been approved by the U.S. Food and Drug Administration (FDA). ONC did not exempt from compliance with its requirements CDS software that has been approved by the FDA. When developing the final rule, ONC stated that it worked with FDA to support a complementary and harmonized approach and that the two agencies have distinct regulatory oversight: ONC evaluates transparency and trustworthiness of software functions and tools that are integrated within certified health IT modules while FDA regulates the safety and effectiveness of a software function if such software functionality meets the definition of a "device." However, depending on the specific qualities of the technology, DSI tools may be subject to both FDA and ONC oversight, only FDA or only ONC oversight, or neither agencies' oversight.

Takeaways

HHS continues to find ways to provide oversight regarding AI-enabled technologies that are used in health care. Various agencies will put out different regulations and guidance based on their authority since there is no specific agency responsible for oversight of these tools. This will continue to create a patchwork of requirements and best practices which may create confusion.

Under the HTI-1 Final Rule, developers of AI/ML tools used within certified health IT should be aware of the DSI requirements and one-year compliance timeline. They should note that ONC purposely focused on ensuring trustworthiness and transparency in addition to advancing health equity and innovation when developing the DSI provisions to ensure high-quality decisions that improve and support patient care.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.