HHS, ONC HTI-1 Final Rule Introduces New Transparency Requirements for Artificial Intelligence in Certified Health IT

The Department of Health and Human Services (HHS) was tasked with coordinating efforts to regulate artificial intelligence (AI) in health care under the November 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI EO), but has already begun its formal regulation of AI within certain certified health IT.

HHS and the Office of the National Coordinator for Health Information Technology (ONC) recently published the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule. The HTI-1 Final Rule featured several key updates to the ONC Health IT Certification Program (Program), including new transparency requirements for certain AI components and predictive algorithms that are built into certified health IT. The Program is a voluntary, standards-based certification program established by ONC for the certification of health IT products. It has a substantial footprint across health care, as more than 96% of hospitals and 78% of office-based physicians around the country use ONC-certified health IT under the Program.

The HTI-1 Final Rule was published in the Federal Register on January 8, 2024 and will be effective as of February 8, 2024.

Decision Support Interventions Replace Clinical Decision Support Criterion

With the goal of making the development and details of AI and predictive algorithms more visible to users of certified electronic health record (EHR) technology, the HTI-1 Final Rule made significant updates to the baseline requirements for the Health IT Modules that comprise a “Base EHR”. A Health IT Module is any service, component, or combination thereof that can meet the requirements of at least one certification criterion. A Base EHR has traditionally been defined under the Program’s 2015 Edition Cures Update to include the following certification criteria: patient demographic and clinical health information; clinical decision support (CDS); physician order entry support; capacity to capture and query information relevant to health care quality; and capacity to exchange electronic health information with, and integrate such information from, other sources.

The CDS criterion, which generally includes clinical workflow tools such as computerized alerts and reminders; clinical guidelines; condition-specific order sets; focused patient data reports and summaries; documentation templates; diagnostic support; and contextually relevant reference information, will be replaced by new decision support interventions (DSI) capabilities. This was the first substantial revision to the Program’s CDS-related capabilities requirements since 2012, and ONC’s stated intention in adding DSIs was to incorporate certain guardrails into certified health IT that would increase health equity and enable the informed use of predictive models and algorithms to ultimately improve decision-making in health care.

Notably, though the HTI-1 Final Rule replaced the CDS criterion with the DSI criterion, the Program's use of the term “intervention” refers to tools within a standard health IT workstream, such as alerts, order sets, flowsheets, dashboards, patient lists, documentation forms, relevant data presentations, protocol or pathway support, reference information or guidance, and reminder messages. This use of “intervention” differs from the use of the term, for example, in the practice of medicine or “clinical intervention” as defined under Food and Drug Administration (FDA) regulations.

Health IT developers’ Health IT Modules may meet the Base EHR definition’s minimum requirements by either (i) being certified to the existing CDS criterion in 45 C.F.R. § 170.315(a)(9); or (ii) being certified to the revised DSI criterion in 45 C.F.R. § 170.315(b)(11) until December 31, 2024. Beginning on January 1, 2025, the CDS criterion will expire and only the DSI criterion will be included in the Base EHR definition. Additionally, as of January 1, 2025, developers with health IT certified to the DSI criterion must comply with the associated Maintenance of Certification requirement adopted at 45 C.F.R. § 170.402(b)(4) by reviewing their ongoing compliance with requirements under the DSI criterion.

Predictive DSIs and Evidence-Based DSIs

Health IT Modules certified to the DSI criterion will need to enable a limited set of identified users to review and activate Predictive Decision Support Interventions (Predictive DSIs) and evidence-based DSIs that are included within a certified EHR product (Evidence-Based DSIs).

Evidence-Based DSIs are currently defined under the existing CDS criterion in 45 C.F.R. § 170.315(a)(9) as interventions that “enable a limited set of identified users to select (i.e., activate) one or more electronic clinical decision support interventions (in addition to drug-drug and drug-allergy contraindication checking) based on each one and at least one combination of the following data: (A) Problem list; (B) Medication list; (C) Medication allergy list; (D) Demographics; (E) Laboratory tests and values/results; and (F) Vital signs.” Consistent with the AI EO, the HTI-1 Final Rule defines Predictive DSIs as “technology that supports decision-making based on algorithms or models that derive relationships from training data and then produces an output that results in prediction, classification, recommendation, evaluation, or analysis.”

Though they are not required to include Predictive DSIs within Health IT Modules, developers of certified health IT that choose to use Predictive DSIs within their certified health IT must provide end users with sufficient technical performance information in the form of "source attributes". This information will help users to determine on their own whether Predictive DSIs within Health IT Modules are fair, appropriate, valid, effective, and safe (FAVES). ONC did not establish specific thresholds for what constitutes FAVES, but a group of 28 health care providers and payers announced voluntary commitments on the “safe, secure, and trustworthy use and purchase and use” of AI in health care, including alignment with FAVES, as summarized by the following in the commitment letter:

  • Fair: Outcomes of model do not exhibit prejudice or favoritism toward an individual or group based on their inherent or acquired characteristics.

  • Appropriate: Model and process outputs are well matched to produce results appropriate for specific contexts and populations to which they are applied.

  • Valid: Model and process outputs have been shown to estimate targeted values accurately and as expected in both internal and external data.

  • Effective: Outcomes of model have demonstrated benefit in real-world conditions.

  • Safe: Outcomes of model are free from any known unacceptable risks and for which the probable benefits outweigh any probable risk.

This group also committed to informing users if content is largely or exclusively AI-generated, unless the content is edited or closely reviewed by a human before being shared with end users, and to adhering to a risk management framework covering Risk Analysis, Risk Mitigation, and Governance – similar to the HTI-1 Final Rule.

To clarify the distinction between Evidence-Based DSIs and Predictive DSIs and distinguish which requirements pertain to each DSI type, ONC stated that the scope of Evidence-Based DSIs is limited to only those DSIs that are actively presented to users in clinical workflow to enhance, inform, or influence decision-making related to the care a patient receives and that also do not meet the definition of Predictive DSIs. Additionally, relative to Predictive DSIs, ONC noted that “the development process whereby models under this definition “learn” relationships in training data and then are used to generate an unknown label or value (via prediction, classification, recommendation, evaluation, or analysis) that is based on the “learned” relationships is a fundamental differentiator from Evidence-Based DSIs.”

Examples of technologies that would likely meet the definition for Predictive DSI include use of predictive modeling that is trained based on relationships observed in large data sets, often using neural networks, to determine whether an image contains a malignant tumor or whether a patient would report pain based on review of an image.

Alternatively, examples of technologies that would likely not meet the definition of Predictive DSI – and would instead likely be considered Evidence-Based DSI – include classification systems such as the Sequential Organ Failure Assessment (SOFA) or New York Heart Association (NYHA) Classification. Since the score would be based on pre-defined rules through expert consensus instead of empirical data, and not relationships learned in training data, these would likely be Evidence-Based DSI.

These DSI criterion requirements are limited to Predictive DSIs included by developers within certified health IT and do not extend to Predictive DSIs developed by the customers of developers or other-party Predictive DSIs implemented by their customers.

DSI Source Attributes

EHR Health IT Modules certified to the DSI criterion will need to support and keep up to date certain “source attributes” in categories of technical performance and quality information that would enhance decision-making for Evidence-Based DSIs (13 total source attributes) and Predictive DSIs (31 total source attributes). Source attributes must be in the form of plain language descriptions and omit difficult-to-understand technical details to help guide health care decisions by end-user health care providers and assist with determinations of whether Predictive DSIs are FAVES.

Source attributes for Evidence-Based DSIs include:

  • intervention bibliographic citation; 

  • intervention developer; 

  • intervention funding source of the technical implementation; 

  • intervention release and, if applicable, revision dates;

  • use of race, as expressed in United States Core Data for Interoperability (USCDI) v3;

  • use of ethnicity, as expressed in USCDI v3;

  • use of language, as expressed in USCDI v3;

  • use of sexual orientation, as expressed in USCDI v3;

  • use of gender identity, as expressed in USCDI v3;

  • use of sex, as expressed in USCDI v3;

  • use of date of birth, as expressed in USCDI v3;

  • use of social determinants of health data, as expressed in USCDI v3; and

  • use of health status assessments data, as expressed in USCDI v3.

Predictive DSI source attributes are organized into the following categories: 

  • details and output of the intervention; 

  • purpose of the intervention; 

  • cautioned out-of-scope use of the intervention; 

  • intervention development details and input features; 

  • process used to ensure fairness in development of the intervention; 

  • external validation process; 

  • quantitative measures of performance; 

  • ongoing maintenance of intervention implementation and use; and 

  • update and continued validation or fairness assessment schedule.

HHS and ONC did not specify that users must actually review source attribute information, only that the information be made available to them. ONC was also not prescriptive as to how this information should be included within certified health IT, but recommended that developers work with their customers to determine the best format and structure of source attribute information.

Intervention Risk Management Practices

Health IT developers are also required to employ or engage in intervention risk management (IRM) practices for Predictive DSIs within their EHR Health IT Modules and make summaries about these practices publicly available. Specifically, developers must use the following IRM practices:

  • Risk Analysis – Predictive DSIs must be subject to analysis of potential risks and adverse impacts associated with “validity, reliability, robustness, fairness, intelligibility, safety, security, and privacy.”

  • Risk Mitigation – Predictive DSIs must also be subject to practices to mitigate the risks above.

  • Governance – Predictive DSIs must also be subject to governance control policies, including how data are acquired, managed, and used.

ONC Alignment with FDA Oversight of AI/ML

Commenters on the HTI-1 proposed rule expressed concern that there would be possible overlap and unnecessary burden in connection with CDS offerings that include AI and machine learning (ML) components and may already be regulated – as Device CDS or Non-Device CDS – by FDA. These were relevant questions given FDA’s oversight of AI and predictive algorithms within certain device software, as the agency has cleared, authorized, or approved more than 690 AI-enabled devices to date. Our recent blog post covered FDA guidance documents, public requests for information, and discussion papers related to AI/ML in 2023, including publication of two discussion papers and draft guidance on Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions.

In response to these queries, ONC noted that it chose not to exclude regulated medical devices or Non-Device CDS from the scope of the definition of Predictive DSI. While it worked closely with FDA on the development of the DSI criterion and Predictive DSI-specific source attributes, ONC asserted that it is well-positioned to regulate certified health IT within EHRs differently from how FDA regulates device software functions. ONC added that it acted in accordance with the existing intersecting regulatory oversight with FDA and coordinated its proposals with FDA to ensure that the proposals were not in conflict with – and instead would be complementary to – FDA’s CDS Guidance, finalized in September 2022, and FDA’s Content of Premarket Submissions for Device Software Functions Guidance, finalized in June 2023.

To the extent that there is overlap in regulatory oversight of CDS software products, for example, HHS and ONC also noted that there may be instances in which required Program source attributes may be used to determine whether software is Non-Device CDS in accordance with FDA guidance. Additionally, ONC and HHS stated that once Device CDS has been cleared, approved, or otherwise authorized for marketing by the FDA, the manufacturer would conceivably have access to most of the information necessary for it to comply with the new requirements in 45 C.F.R. § 170.315(b)(11) as a developer of certified health IT.

Next Steps

The finalization of the HTI-1 Final Rule will be among the first steps taken by HHS as it develops an AI Task Force and Safety Program required by the AI EO and the Final Rule will have impacts beyond just health IT developers. While the HTI-1 Final Rule directly imposes obligations on health IT developers seeking to meet EHR certification requirements, health care provider users will be using the developer-supplied information to assess potential risks associated with AI and predictive algorithms incorporated into their health IT products. Health IT developers and health care providers should carefully review the key updates referenced above to EHR certification criteria effective January 1, 2025. All health care stakeholders will be watching closely in 2024 to see how this Final Rule will ultimately intersect with software and devices under current oversight by the FDA and future regulation by other health care agencies that will result from the AI Task Force and Safety Program.


Pat focuses his practice on advising health care organizations on regulatory, compliance, data privacy, and transactional matters. He is also a Certified Information Privacy Professional–US (CIPP–US).