Trump Take 2 - What Will It Mean for Health IT?

There is no doubt that the first few weeks of the 2nd Trump Administration has been turbulent, fraught, and dynamic. But my purpose here is not a political one, but one of trying to make an educated guess on where the regulatory environment for Health IT is headed with this administration.

First, we have the inevitable regulatory freeze with the change in administration, and the change as to the party in control of the Executive Branch. It has three main effects.

• It instructs federal departments to refrain from proposing or issuing any rule until department heads are in place and have had the chance to review and approve the rule.

• It calls for the withdrawal of any rules sent to the Office of the Federal Register but not yet published so they can also be reviewed and approved by a newly appointed agency head.

• It asks agencies to consider postponing effective dates of any recent final rules by 60 days to allow for review of questions of fact, law, and policy – in other words, to assess if such rules should be allowed to go into effect or withdrawn.

Meanwhile, another executive order mandated that federal agencies eliminate 10 federal regulations, guidance, rules, administrative orders, or other regulatory actions for every new one they issue. This quintuples the requirement of a similar executive order from Trump’s first administration. The Director of the Office of Management and Budget will have discretion to allow for exemptions that “impose minimal costs or burdens on the private sector or that are requested to be exempted by the Assistant to the President and Chief of Staff or the Assistant to the President and Deputy Chief of Staff for Policy”.

So, for pending regulations left over from the Biden Administration, what is likely to happen beyond the obvious that little in the way of new regulations will be published to the Federal Register from the US Department of Health and Human Services (HHS) for some months to come? Let me try to prognosticate a little on a select number of proposed rules that I have been watching.

First, there is the proposed HIPAA Security Rule on cybersecurity of electronic protected health information. The rule strikes the tone that the industry may have undershot the original regulatory intent for HIPAA Security. Ironically, the original HIPAA Privacy final rule issued by the Clinton Administration was subject to withdrawal and reissue by the Bush Administration during a similar period of changes in administration and political party in charge in the White House some 24 years ago. I think the proposed rule from the Biden Administration has a lot of good in it, but I also think it was misclassed as a “minor” HIPAA rule. I also believe that it underestimated the impact of some of the more significant requirements such as the implementation of Multi-Factor Authentication, expanding the scope of what systems are subject to HIPAA Security requirements, and expanding the scope of encryption and integrity requirements. While laudable things, I bet many covered entities and business associates have a lot of work to do to comply. So, my guess is this one gets withdrawn and revised.

Second, we have the proposed HIPAA rule for adoption of transaction standards for healthcare attachments, update of the HIPAA transaction standard for referral certification and prior authorization, and adoption of an electronic signature standard for healthcare attachments. I am mystified why this one never saw final rule action under the Biden Administration considering it has been out there for more than two years. This would serve to fulfil a need from the original HIPAA statute as it is the last of the standard transactions mentioned in the law not to have ever been adopted. My guess is since this has already been sitting out there for two years, the new administration will not be in any great hurry to finalize it although they did strongly advocate for electronic prior authorization in the first Trump Administration rushing a final rule through in the last weeks without even allowing for a normal length public comment period. That was withdrawn and reissued by the Biden Administration and set up the oddball situation where we have the HL7 FHIR standard required for use by CMS regulated types of health plans for electronic prior authorization but not as a HIPAA standard. Stuff still needs to be resolved there in my opinion despite CMS’s enforcement discretion decision.

Third, we have what is left over from the Office of the National Coordinator for Health Information Technology (ONC)/Assistant Secretary for Technology Policy (ASTP) of HHS (do they get to keep that name?) with their original proposed HTI-2 rule. If you have been following developments since late in 2024, you may know ONC finalized an HTI-2 rule to codify the Trusted Exchange Framework and Cooperative Agreement (TEFCA) into federal regulation, and an HTI-3 rule for finalizing their information blocking exception proposals particularly around reproductive health records. Those rules themselves may face regulatory review or change but that is another matter. My focus is on what would be “HTI-4” for the certification criteria proposals including for electronic prior authorization, public health, and other FHIR API related criteria. Again, the 2nd Trump Administration seems a fan of electronic prior authorization so that may well survive. However, I think they are quite mixed on their views of the value of public health, and considering the deregulatory bent of this new administration, they may not be big fans of pushing state and local public health agencies to consider adopting new capabilities that would leverage the FHIR standards. My guess is an HTI-4 rule gets significantly reduced and revised, and we may see it by summer. There is also the question of whether or not a new coordinator will stay with the rather irregular rhythm of "annual" certification rulemaking ONC is supposedly doing. With the delay of HTI-4, it is not exactly that, is it? We also need to see who the new ONC head is. Rumors I hear are that it may be someone from the HIT developer industry. We shall see.

Finally, what of TEFCA itself? Last we looked, it was still mainly about required exchange for treatment, and for individual access based mostly on HL7 CDA with an emerging use of the FHIR standard. Additional purposes exist yet are not required, and do not represent significant shares of exchange volume, and payers are still notably absent as participants. Mickey Tripathi was not just an advocate but an apostle for TEFCA. Will a new coordinator be as excited about it? I think it still has some challenges for its value proposition especially for providers who are involved in many other health information exchanges both for treatment and other exchange purposes on a more local level. By simply saying those HIEs can be participants themselves even if not becoming Qualified Health Information Networks is not the answer to the question of “what do I use for what” or “tell me why I want to do this” for provider communities who still are most significantly worried about local exchange. But all of that is for another blog! My guess is a new coordinator will want to take a close look at TEFCA and its progress and future direction.

For other matters, I recommend looking at the last regulatory docket from Fall 2024 that the Biden Administration published as the Trump Administration points to it as the limiting factor on what regulations might be published under the “10 for 1” executive order. All of what I discuss above are on it.

As always, I am here to try to help untangle things for those who are interested, and I will be watching and waiting to see what unfolds. Feel free to reach out to me at [email protected] anytime if you need help with the unpacking! Meanwhile, hang on to your hats!

#ONC #CEHRT #CuresAct #healthit #hit #ehr #hipaa #hipaaedi #cms # Medicare #PriorAuthorization #ONCcertification #HL7DaVinci