
First Into the Breach: ONC Final Rule Addressing AI Transparency in Health Care

The Office of the National Coordinator for Health Information Technology (ONC) within the Department of Health and Human Services (HHS) recently finalized groundbreaking transparency requirements for artificial intelligence (AI) and predictive algorithms. Although it has notable limitations, the rule aims to demystify the complexities of certain AI tools in health care.

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule is the first federal regulation to set specific reporting requirements for developers of AI tools and might set the stage for future government action. ONC could take this landmark step because health care is different from other sectors that use AI in at least three important ways:

  • Health care operates under existing privacy frameworks: The health care industry’s regulated nature has laid the groundwork for additional AI rules. Unlike many other industries, health care already operates under a federal privacy standard set by the Health Insurance Portability and Accountability Act (HIPAA). This existing framework provides a strong foundation for AI regulation in health care, despite HIPAA potentially requiring updates to fully address AI-related issues.
  • HHS has technical expertise: HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act positioned individuals in HHS with expertise in emerging technologies, including AI.
  • Regulatory developments are spurring ONC action: The Office of Civil Rights (OCR) has also begun to address AI liability as part of its nondiscrimination proposed rule. If OCR finalizes its rule as proposed, providers—rather than AI developers—will likely be liable for AI-related actions. As such, it is crucial for providers to have information about the AI tools they use.


The ONC final rule implements provisions of the 21st Century Cures Act (P.L. 114-255) and updates ONC’s Health Information Technology (Health IT) Certification Program. The certification program is a voluntary initiative that certifies health IT products—including electronic health records—that meet standards for data exchange, privacy, and security. Through the HITECH Act, Congress requires certain providers participating in Medicare and Medicaid to utilize certified health IT.

Transparency Requirements for Health Care AI

The final rule establishes transparency requirements for predictive decision support interventions (DSIs) that are part of certified health IT.

The rule adopts strategies from a toolbox of options to enhance transparency in AI development and deployment.

Transparency in AI development: The final rule requires developers of certified health IT to conduct risk management for all predictive DSIs in their health IT modules. Developers must describe their data governance procedures—including how data are acquired, managed, and used—and evaluate and mitigate risks related to accuracy, bias, and safety.

In addition, developers of certified health IT must submit summary information on their intervention risk management practices to a publicly accessible ONC site. Many commenters on the proposed rule expressed concerns about exposing trade secrets or proprietary information. In response, ONC emphasized the importance of transparency and stated that it does not see new risks related to proprietary information.

Transparency in AI deployment: ONC requires certified health IT modules with predictive DSIs to disclose comprehensive performance information—conceptualized as a “model card” or “nutrition label”—to end users. These labels aim to provide clear information about the design, development, training, and evaluation of predictive DSIs, and to help health care professionals understand potential limitations or biases programmed into a model. As part of these requirements, health IT developers must disclose whether their AI systems have undergone external testing and validations, which might include third-party audits. ONC’s goal is to enable providers to determine if a predictive DSI meets the ONC-developed “FAVES” criteria (fair, appropriate, valid, effective, and safe).

The final rule does not directly specify the model cards, nutrition labels, datasheets, data cards, or algorithmic audits required for compliance. Rather, the developer must choose which mechanism is most appropriate to communicate information about their AI tools and can choose a process that avoids sharing their AI models with an outside entity.


The HTI-1 final rule specifically applies to predictive DSIs integrated into certified health IT systems, such as electronic health records.[1] The risk management and transparency requirements apply to predictive DSIs “supplied by the developer” and generally do not extend to third-party tools. They also do not apply to predictive DSIs developed internally by health care providers for their own use. Moreover, the rule does not directly regulate the payer sector (i.e., health insurers), leaving a notable gap in oversight.

Additionally, the rule puts the onus on health care providers to interpret the information presented in model cards and assess the trustworthiness of AI tools. It underscores the growing need for technical literacy among health care professionals.

Moving Forward

The ONC rule represents a significant step for AI transparency in health care, but it also highlights the challenges in regulating AI technologies. The rule is narrow in scope and relies upon technical literacy among health care professionals.

The rule has also sparked discussion about how ONC and the FDA will align efforts to regulate AI and machine learning in medical devices. Some industry stakeholders would like a separate, easier pathway for AI-enabled medical devices that have already gone through FDA review.

Regulators, developers, and health care providers will need to collaborate to navigate these complexities and ensure the safe, effective, and equitable use of AI technologies.

On February 6th, ONC announced it will delay the effective date of the final rule, providing for a 60-day delay from the date of publication in the Federal Register. Vendors of certified health IT must comply with the rule by March 11, 2024.

[1] As of 2021, 78% of office-based physicians and 96% of non-federal acute care hospitals used certified EHR. See:

