HHS ONC proposes new AI / ML requirements for certified Health IT

The NPRM proposes to incorporate new requirements into the ONC Health IT Certification Program for Health IT Modules that support AI and ML technology. While participation in the ONC Health IT Certification Program is voluntary, the majority of large electronic health record (EHR) systems used by U.S. hospitals and office-based providers have obtained such certification. Use of a certified EHR is a requirement for clinician participation in certain Medicare programs, such as the Merit-Based Incentive Payment System (MIPS) for Medicare Part B providers. The Health IT Certification Program already has requirements for EHRs that incorporate CDS functionality, and the NPRM proposes to replace and expand those requirements.

Specifically, the NPRM proposes:

1. Definition of Predictive DSI. ONC proposes to broadly define the term “predictive decision support intervention,” or predictive DSI, as “technology intended to support decision-making based on algorithms or models that derive relationships from training or example data and then are used to produce an output or outputs related to, but not limited to, prediction, classification, recommendation, evaluation, or analysis.” ONC notes that “our use of the term predictive DSI is not tied to a specific use case, such as those that fall under treatment (clinical or medical purpose), payment (financial) or health care operations (administrative), nor those that support clinical research or public health, but rather encompasses the broad forms that DSIs can take, including...alerts, order sets, flowsheets, dashboards, patient lists, documentation forms, relevant data presentations, protocol or pathway support, reference information or guidance and reminder messages.” ONC notes that models that analyze text or images would fall within the proposed definition of predictive DSI.

2. Predictive DSI vs. Evidence-Based Decision Support Intervention. The NPRM seeks to differentiate the terms “predictive DSI” and “evidence-based decision support intervention,” which is currently used to describe CDS in the regulation. The agency notes that predictive DSIs are “those that support decision-making by learning or deriving relationships to produce an output, rather than those that rely on predefined rules based on expert consensus, such as computable clinical guidelines, to support decision-making.” The NRPM appears to consider “evidence-based decision support interventions” as the latter, and applies different rules to such interventions.

3. Attestation Requirement. ONC proposes that developers of certified health IT would attest “yes” or “no” to whether their Health IT Module enables or interfaces with predictive DSIs, including predictive DSIs that are 1) self-developed, 2) developed or used by the system end user (such as a healthcare organization or medical center), or 3) developed by a third party technology company.

4. Source Attributes. ONC proposes an expansion of its current source attribution requirement for EHRs with evidence-based decision support intervention, and new requirements for predictive DSIs. Specifically, under ONC’s proposal, certified Health IT developers must enable users to review a plain language description of source attribute information via direct display, drill down, or link within the Health IT Module.

5. 1. Evidence-based decision support intervention source attributes. ONC is supplementing its existing requirements for bibliographic, developer identification, funding, and release and revision date attribution elements to also include patient demographic and observations data, use of social determinants of health (SDOH) data, and use of Health Status Assessments.

6. 2. Predictive DSI source attributes. ONC proposes significant new source attributes for predictive DSIs that enable or interface with HIT Modules. For some of the attributes, ONC acknowledges that certain information may not be available. The information required would be significantly more than we have seen in other federal government programs that utilize AI or ML services. Specifically, ONC proposes that certified HIT system users be able to review a plain language description of:

7. 1. 1. Intervention details, such as the output, intended use, and cautioned out-of-scope use of the intervention;

      2. Intervention development, such as input features (including a description of training and test data), process used to ensure fairness in model development, and external validation process (ONC asks that descriptions include information regarding statistical characteristics and efforts to address bias);

      3. Qualitative measures of intervention performance, including the validity and fairness of test and external data and references to evaluation of the use of the model on outcomes; and

      4. Ongoing maintenance of intervention implementation and use, including update and validation or fairness assessment schedule (including information on revalidation frequency), and validity and fairness of predictive in local data.

8. 3. Public Posting. ONC seeks comments on whether it should require certified HIT developers to publicly post information regarding the above source attributes.

9. 4. Not Available or Developed by External Parties. For certain source attributes, ONC proposes that a certified HIT developer may note that such information is not available, or that the decision support intervention, is developed by other parties that are not developers or certified health IT. ONC stresses that such notice must be conspicuous to a user.

10. 5. Authoring or Revising Source Attributes. ONC proposes that a “limited set of identified users” would be able to author and revise source attributes for predictive DSI. ONC offers the example of a health organization modifying or adding a source attribute for a predictive DSI after local testing.

5. Intervention Risk Attributes. By December 31, 2024, the NPRM would require certified health IT developers who enable or interface with predictive DSIs to engage in certain risk management practices. Specifically, such certified health IT developers would need to conduct a risk analysis of potential risks and adverse impacts associated with a predictive DSI for the following characteristics: validity, reliability, robustness, fairness, intelligibility, safety, security, and privacy. ONC offers detail and examples for analysis of each of these characteristics. Of note, ONC does not mention FDA authorization in its description of a safety analysis. ONC also proposes to require certain risk mitigation measures, such as prioritization practices, change control plans, deactivation procedures, and subject matter expert validation and measurement. ONC also outlines substantial new requirements around predictive DSI governance, including how data are acquired, managed, and used in a predictive DSI. If finalized, certified HIT developers would also be required to keep detailed documentation of such risk mitigation measures, as well as annually review and publicly post such information.

In addition to the NPRM proposals outlined here, ONC seeks feedback on a number of additional issues and concepts related to AI transparency, safety, ethics, equity, and other topics. The pre-publication copy of the NPRM is more than 100 pages long and provides a detailed look into HHS’ deliberation on AI health policy issues in general. ONC comments in both the rule preamble and its announcement that it collaborated with the FDA, HHS Office of Civil Rights, Federal Trade Commission, and U.S. Department of Veterans Affairs in its development of the NRPM.

Authored by Cybil Roehrenbeck