HHS Strategy and Health IT: Policy Layering, Agency Alignment and Strategic Compliance

By Kim Boyd, Regulatory Resource Center Lead

The healthcare information technology (Health IT) landscape has evolved dramatically with federal agencies, particularly within the Department of Health and Human Services (HHS), shifting from disjointed, siloed policymaking to a more coordinated and layered approach. This has significant implications for payers, providers and their technology partners who face increasingly complex regulatory requirements. The traditional “bare minimum” compliance mindset is no longer sufficient. Today’s layered and aligned policies not only reduce regulatory conflicts but present opportunities for strategic compliance — in which organizations leverage regulatory investments to drive broader business objectives.

Historical Context: From Disjointed Policies to Strategic Alignment

Fifteen years ago, the policy environment was characterized by limited coordination among key agencies like the Centers for Medicare and Medicaid Services (CMS) and Office of the National Coordinator for Health IT (ONC). Policies were often developed independently, leading to conflicting requirements and confusion among stakeholders. This disjointed approach fostered a culture whereby organizations focused solely on doing the bare minimum to meet the intent of the policy or to avoid penalties rather than aligning compliance with business goals. A significant turning point came with the 21st Century Cures Act of 2016, which emphasized interoperability and patient access to health information. This legislation mandated greater coordination between HHS agencies, paving the way for more cohesive policymaking that supports a unified health IT strategy. One just has to take a moment to digest the latest Federal Health IT Strategic Plan to get a sense of the mindset of policymakers related to health IT and what is ahead.

The ONC’s Cures Act final rule and CMS’s Interoperability and Patient Access final rule, developed through extensive collaboration, marked a shift toward harmonized health IT standards. These regulations not only addressed existing gaps but set a precedent for future policies that would continue building on each other, reducing redundancy and enhancing the overall impact of federal health IT initiatives. This evolution has made compliance not just a regulatory necessity but a strategic opportunity for forward-thinking organizations.

Policy Layering: Building on Previous Rules for Greater Impact

Modern policymaking increasingly employs a layered approach in which new regulations build on existing ones to create a more cohesive framework. For example, the CMS-0057 rule expands on the Patient Access application programming interface (API) rule by adding new requirements for data increasing patient access to their health information and functionalities that enhance data exchange across payers, providers and patients. More recently, the proposed HTI-2 rule includes voluntary certification requirements for the APIs required by CMS-0057. This layered approach helps organizations integrate compliance activities into broader operational strategies.

The HHS Data Acquisition proposed rule requiring HHS contracted entities to use ONC-specified standards such as Fast Healthcare Interoperability Resources (FHIR) and National Council on Prescription Drug Programs exemplifies this strategy. It enforces compliance with federal standards and indirectly pressures subcontractors and downstream vendors to align with these requirements. This ensures continuity and consistency across the regulatory framework, making compliance efforts more aligned with real-world needs. More on this can be explored in our HTI-2 Blog Series and a recent article on Payer Interoperability that digs into CMS-0057 Final Rule and other regulatory updates.

ONC’s Next Chapter: Restructuring and the Expanded Role of the Assistant Secretary for Technology Policy

As a further indication of HHS's commitment to aligning policy across agencies, a transformative restructuring and rebranding of ONC to the Assistant Secretary for Technology Policy (ASTP) was announced earlier this summer. This restructuring represents a significant shift in how HHS approaches technology policy, aligning ONC’s work more closely with broader technological and regulatory trends and needs to meet the goals of information sharing and interoperability, including the expanding role of artificial intelligence (AI) in healthcare.

The New Role of the Assistant Secretary for Technology Policy

The restructuring reflects HHS’s commitment to creating a more integrated approach to health IT policy. This new structure not only changes the name but also redefines the scope and responsibilities of the office, positioning it to better address the rapidly evolving landscape of digital health technologies. The ASTP now serves as a critical hub for coordinating technology policy across HHS, enhancing the role of ONC in driving innovation and regulatory alignment.

This new focus allows the ASTP to oversee a broader range of technology-related issues, including the incorporation of AI into healthcare systems. The expansion into AI regulation is a notable addition as technology continues to play a growing role in clinical decision-making, administrative processes, and patient engagement. With AI now under the ASTP’s purview, HHS intends to establish clear guidelines that promote the ethical, safe, and effective use of AI in healthcare settings, aligning these technologies with existing standards for data privacy, security, and interoperability.

For more insights into the expanded role of ONC and ASTP’s new direction, you can read about it on the ONC’s Next Chapter - Health IT Buzz.

Revisiting HIPAA: Aligning with the Evolving Policy Ecosystem

While the restructuring of ASTP and layering of modern health IT policies reflect a coordinated effort to align regulations, some existing laws, such as the Health Insurance Portability and Accountability Act (HIPAA), need revisiting. Enacted in 1996, HIPAA’s primary goal was to protect patient privacy and secure health information. However, with rapid advancements in technology, HIPAA’s foundational structure is showing signs of age, potentially limiting its effectiveness in today’s digital environment.

HIPAA has undergone updates, including the significant 2013 Omnibus Rule, but there are growing concerns it may not fully address emerging risks associated with technologies like AI, cloud computing, and advanced data analytics. As these digital tools become more prevalent, revisiting HIPAA to ensure it aligns with modern data privacy needs is increasingly important. For a deeper look into HIPAA's evolution, see Navigating the Ripples of Change: HIPAA’s 2023-2024 Evolution.

The need for a modernized HIPAA is further underscored by its intersection with newer regulations such as interoperability and information-blocking rules. Misalignment between HIPAA’s existing standards and evolving requirements for data sharing can create compliance challenges for healthcare organizations. More insights on these compliance challenges are discussed in HIPAA Compliance Challenges.

Looking forward, adjustments to HIPAA could include updated guidance on emerging technologies and enhanced enforcement measures to align it with the broader health IT policy landscape, ensuring robust protections for patient information while supporting the goals of strategic compliance.

Strategic Compliance: Turning Policy into Opportunity

Layered and aligned policies present opportunities for organizations to adopt a strategic approach to compliance, turning regulatory mandates into avenues for operational improvement and competitive advantage. Strategic compliance means recognizing regulatory requirements not as burdens but as opportunities to enhance service delivery, streamline operations, and improve patient and provider engagement.

One area where this has been particularly impactful is the implementation of APIs for streamlined data exchange and, where possible, automated functions. One can look to the proactive API implementation project undertaken by Multicare and Regence to see real-world examples of what return on investment can look like. This work was done before publication of the CMS-0057 final rule, which means both organizations enjoyed operational efficiencies and reported reduced burden by providers from streamlining prior authorization (PA) transactions while also positioning themselves for regulatory compliance. This work resulted in these organizations being awarded the 2023 KLAS Points of Light Award. Improvements reported from this work include:

• 60% of authorization requests were able to be completed immediately as “no auth required” and communicated to the provider via their EHR.
• 41% of requests requiring PA (from an initial data sample) were auto-approved, which means no human review was required.
• The provider achieved 140% to 230% increase in PA productivity.
• Improved workflows for the payer and provider, leading to faster authorization decisions. Many determinations were returned in seconds, compared with a previous turnaround time of three to five days.
• Reduced administrative burden for stakeholders and faster access to care for patients.

Coordinated Policymaking: A Collaborative Vision for Health IT

The move toward coordinated policymaking reflects a deep engagement between HHS and the healthcare industry. This collaborative approach, evident in initiatives such as the HL7 FHIR Accelerator Program and Connectathons, involves policymakers and industry stakeholders working together to refine and implement interoperability standards. These engagements help HHS ensure policies are practical, effective, and aligned with the needs of the industry and intent of a true national infrastructure for information access, use, and exchange.

One recent example of coordinated policymaking is the new focus on AI regulation within HHS led by the Assistant Secretary for Technology Policy. This office is spearheading efforts to integrate AI into the federal regulatory framework, demonstrating how HHS continues to adapt its strategies to meet emerging challenges in health IT. For more information on these priorities, see the full details on FedScoop's Staffing AI Policy coverage.

Layering Policies: Preparing for the Future of Compliance

Policy layering is expected to continue, making it essential for organizations to adopt a proactive approach to compliance. Each new rule builds upon the last, expanding requirements and reinforcing the overarching regulatory framework.

Organizations can benefit from developing a roadmap that outlines how they will implement current regulations and prepare for future expansions. This roadmap should consider technology investments, staff training, and strategies for integrating compliance into broader business objectives. Recognizing compliance as a continuous, evolving process rather than a series of isolated mandates allows organizations to maximize their investments and remain agile in the face of changing regulations.

For another example of how policies overlap and connect, take a look at the HTI-2 proposed rule. It highlights how different components interact with other policies and initiatives, whether it's certification requirements, public health data modernization, or related regulations. 

The Strategic Imperative of Compliance

The shift toward layered and coordinated policymaking by HHS agencies provides a clear pathway for organizations to move beyond minimal compliance. By embracing strategic compliance, payers and other stakeholders can not only meet regulatory requirements but leverage these investments to drive operational efficiencies, improve patient outcomes, and gain a competitive edge.

As health IT continues to evolve, the alignment of policies within HHS will further emphasize the need for a strategic approach to compliance. Organizations that recognize the value of compliance as a strategic asset — integrating regulatory requirements into their broader business plans — will be best positioned to thrive in this new era. Moving forward, layered and aligned policies will not just shape the compliance landscape but provide a roadmap for organizations to innovate, adapt, and succeed.

For more insights on the impact of regulatory changes and strategic compliance, check the following resources:

• HIPAA Journal on Recent Changes
• Chevron Ruling Implications
• Chevron Decision Implications

If your organization is facing challenges in navigating the complexities of health IT policies or is unsure how to turn compliance efforts into strategic advantages, POCP can help. Understanding the layered, evolving regulatory landscape is crucial to staying ahead and maximizing the return on your compliance investments. Our expertise in health IT policy can guide you through the intricacies, helping you align regulatory requirements with broader business objectives for operational improvements, competitive advantage, and enhanced patient outcomes. Contact us to set up a time to talk about your challenges and learn how we can support your organization in making compliance a strategic asset.