Back To Good Reads

2023: A Year in Regulatory Review

December 12, 2023 Janice Karin

2023 was an interesting year with a lot of activity and what we've taken to calling a regulatory tsunami - but also with a surprisingly few of those regulations being finalized (something to look for in 2024).

Q1: CMS Interoperability and Prior Authorization

While technically released at the very end of 2022, the first quarter of the year was dominated by the CMS Advancing Interoperability and Improving Prior Authorization Processes Proposed Rule and, to a lesser extent, the related CMS Adoption of Standards for Health Care Attachments Transactions and Electronic Signatures, and Modification to Referral Certification and Authorization Transaction Standard proposed rule. The comment period for the first ran through mid-March and for the second through mid-April (after a 30 day extension).

The interoperability and prior authorization rule extends the May 2020 CMS interoperability rules to add several new things including:

  • Requirements to use FHIR for prior authorization processing (excepting the components of the process required to use X12 by HIPAA) and several associated requirements around the prior authorization process (required timelines, required denial reasons, and more)
  • A new Provider Access API requiring payers to send providers clinical and administrative data (including prior authorization information) via FHIR for patients they treat
  • Revocation of the previous Payer => Payer exchange requirements that had been on enforcement delay coupled with a new requirement for a Payer => Payer exchange using FHIR (including prior authorization information)
  • The addition of prior authorization information to the existing Patient Access APIs
In all of these exchanges, the required prior authorization information includes both active and adjudicated requests, status of requests including denial reasons, and all of the information used to make decisions about prior authorization requests (whether or not it's included in USCDI).

A preview of the final version of this rule was released by ONC yesterday (12/13/23) with publication in the Federal Register expected soon. We have not had a chance to review it prior to finalizing this article. The attachment rule is a bit more up in the air. It was based on a 2016 recommendation and does not address more modern technology options; it also has some compatibility issues with the prior authorization requirements in the other CMS rule. It is still in a holding pattern at this time, with rumors swirling around that it's likely to be scrapped - but we won't know until we know. You can find our comments on the interoperability and prior authorization rule HERE and the attachments rule HERE.

Q1: OMB Race and Ethnicity

The first quarter of 2023 also saw the release of proposed new race and ethnicity standards from the OMB. This proposal collapses race and ethnicity into a single data point, adds a new Middle Eastern and North African major category, and expands the current concept of ethnicity to include all sorts of global options instead of just being a marker of whether someone is or is not Hispanic. Expected to be finalized during this past summer, we're still waiting for further actions in this area. You can find our comments on the proposal HERE.


The second quarter of the year brought us ONC's HTI-1 rule, a mishmash of various updates and new rules around data standards, certification rules, use of clinical decision support and AI (bundled under the name decision support interventions or DSI), EHR reporting requirements, information blocking, and more.

There are too many items covered in this rule to call everything to your attention, but some of the highlights include:

  • Upgrading the default baseline data exchange expectations to USCDI v3 (and likely the corresponding US Core v6.1.0, although that version was not released at the time of the proposed rule)
  • A new approach to clinical decision support and AI focused on allowing users to access whether options follow FAVES: fair, appropriate, valid, effective, and safe. The DSI requirements also include significant new reporting around both design and use as well as prioritizing transparency around data input and output, algorithm design, governance, risk management, intended use, and more.
  • Creation of new EHR quality measures program (called Insights) to measure interoperability and other performance factors of EHRs and the provider organizations using them. The initial program includes nine measures in four main categories (individual access to EHI, clinical care information exchange, standards adoption and conformance, and public health information exchange) to be phased in over two years. More measures and additional categories are likely in future expansions.
  • Changes to the information blocking rules, most notably the addition of a TEFCA condition to the Manner exception indicating organizations signed up for TEFCA have the right to insist all of their data exchange with anyone else signed up for TEFCA happen through TEFCA, even if the requesting party prefers a different exchange mechanism (such as a FHIR API).

The rule also included RFIs on laboratory interoperability, pharmacy interoperability, and additional FHIR functionality (including both FHIR subscriptions and CDS Hooks). The final version of this rule is also currently being evaluated by OMB and is expected by mid-January. You can find our comments on HTI-1 HERE.

Q2: USCDI+ for Quality

Also in the second quarter was our first look at USCDI+ for Quality, a joint ONC-CMS project to define baseline data requirements for quality measures. The initial draft was opened for public comment without extensive descriptions or context and our comment (found HERE) reflects that. ONC has since said a more formal draft proposal will be forthcoming, likely in the first portion of 2024.

Q2: ICD-11

NCVHS also offered the first opportunity for public comment on ICD-11 via RFI (a second RFI is currently open with a mid-January deadline and they will accept comments from the first RFI as well as new comments asked in the second RFI). The last two NCVHS public meetings have had significant sessions on ICD-11 and they have started presenting on it at various industry events. ICD-11 is definitely in the works, although the timeline is still very unclear.

Q3: FTC Health Data Breach

The third quarter of the year was a bit quieter when it came to regulatory activity. The highlight was a proposed update to the FTC Health Data Breach rule which made it very clear that inappropriate sharing of health information via third party tooling or by third parties that acquired data under the rules is a breach in their eyes. It also addressed non-traditional sources of health information such as grocery and other retail purchases and location or calendar data. You can find our comment HERE.

Summer Conference Season

The summer months - late May through early August - had a lot of other industry activity including two WEDI conferences, FHIR DevDays, the annual CMS FHIR Connectathon, and more. These were chances to learn about the implications of all those proposed regulations, hear about projects and plans from healthcare organizations across the country and even the rest of the world, catch up with all of the standards organizations and major implementation guide producers, and ask different agencies within HHS a lot of questions.

Q4: Provider Disincentives for Information Blocking

The fourth quarter of the year included a lot of smaller regulatory activity and guidance in a wide variety of areas including several clarifications and new proposed rules around the No Surprises Act Independent Dispute Resolution (IDR) process which has been beset by legal actions. The most notable proposed rule so far (ONC's HTI-2 is still expected at the time this article is being written) is the joint ONC and CMS proposal for disincentives when providers are found to be information blocking. Civil monetary penalties are already in place for other actors subject to the information blocking rule (developers of certified health IT, health information networks, and health information exchanges) but consequences for providers have been on hold pending finalization of this rule.

While ONC had long communicated they had the ability to determine provider penalties for information blocking violations, the proposed rule outlines the actual process in the Cures Act law that introduces the concept of information blocking and it's a bit more complicated. OIG still makes information blocking determinations and they refer providers found to have committed information blocking to another agency to apply disincentives within the confines of the rules of programs those agencies manage. This limits both the providers who can be penalized for information blocking and the ways in which they can be penalized. This rule outlines three proposed disincentives within programs managed by CMS:
  1. Declaring a hospital is not a meaningful user of EHRs under the Medicare Promoting Interoperability program
  2. Declaring a clinician or clinician group is not a meaningful user of EHRs for the MIPS Promoting Interoperability performance category
  3. Disenrolling an ACO, ACO participant, or an ACO provider/supplier from all Shared Savings Programs

These are imperfect solutions that can only be applied once per year regardless of how many or how many types of information blocking rules are violated by a specific provider. They will also have a different financial impact on different organizations including having no impact if the provider already did not qualify for the criteria being removed and no impact on providers that do not participate in any of them. ONC is asking for thoughts on how to do better - feel free to let us know your thoughts (we may include them in our upcoming comment on the proposed rule) or send ONC and CMS your own comment by the January 2 deadline HERE.

Near Future

We are also expecting the ONC HTI-2 proposed rule by the end of the year (it was scheduled for November in the last Unified Agenda). We have no idea what the rule will include except it will be focused on interoperability in some way. We're hoping it includes components to make automated prior authorization work on the provider side, but we'll have to see when it drops.

While this review has mostly focused on future facing activity throughout 2023, we would be remiss not to remind folks of the last deadline from the original May 2020 Interoperability rule, fast approaching this December 31. At that time, all certified health IT vendors are required to make full EHI export available to all of their customers. This means that users of certified health IT will be able to export all of the electronic health information (electronic information that would be part of the designated record set for HIPAA) for either an individual patient or a cohort of patients.

Summing Up

This was just a sample of the legislative, regulatory, and executive actions during 2023 on many different topics. In addition to interoperability, some of the most prevalent include artificial intelligence, price transparency and surprise billing, health equity, and data privacy. We expect the tsunami to continue in 2024 and beyond. As you can see, MHDC - mainly through its work with the Data Governance Collaborative (DGC) - has made understanding and helping our members participate in the regulatory process a priority this year (you can find all of the comments mentioned in this article and quite a few more HERE). We will continue promoting the use of better data standardization and interoperability to advance equity, improve outcomes, and reduce burdens across Massachusetts, the United States, and even the world.

Share This: