Health Systems Express Concern About HTI-2 Imaging Link Proposed Rule

In their recent public comments to the Office of the National Coordinator for Health Information Technology, several large health systems expressed concern with a proposed certification rule requirement to support capturing and documenting hyperlinks to diagnostic imaging. 

In its HTI-2 Proposed Rule published in August 2024, Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT  (ASTP) noted that diagnostic images are often stored in systems external to the EHR, such as picture archiving and communication systems (PACS) or vendor neutral archives (VNAs), and that promoting access to images via EHR hyperlink functionality may encourage more widespread adoption and integration of these already existing pathways and reduce inefficient CD-ROM-dependent exchange. In the proposed rule, the requirement would go into effect by Jan. 1, 2028.

In its public comment letter, Kaiser Permanence expressed concern “that the proposed certification requirements do not adequately address the complexity associated with viewing and managing large image sets.”


Kaiser was particularly concerned about security risks: use of unsecured URLs significantly increases the risk for unauthorized access to protected health information (PHI), the organization said. “We are also concerned with the lack of clear technical standards and requirements to support sharing images via imaging links between providers and between patients and providers.”

KP recommended that ASTP/ONC extend the effective date to no earlier than Jan. 1, 2030, to provide vendors sufficient time to develop and test secure methods for patients and providers to download and view images using a variety of modalities (e.g., personal computers, tablets, smartphones). The health system noted that there are existing vendor solutions in place today that allow providers to share images; however, these solutions lack clear technical standards and a common infrastructure. KP recommended that ASTP/ONC work with EHR vendors and providers to coalesce around industry technical standards and a common infrastructure to support secure image sharing between and among providers and patients.

California-based Sutter Health also expressed reservations regarding the proposal to exchange hyperlinks to diagnostic and other images. Directing users to external platforms via hyperlinks introduces the risk of unfamiliarity with third-party tools, which could hinder access to critical images, the health system said. “Additionally, storing images externally rather than integrating them within the patient’s chart raises concerns about future accessibility to images integral to medical decision-making. For both clinical and legal reasons, it is crucial that diagnostic images remain embedded within the patient's medical record to ensure that they are available when needed for ongoing care. We recommend that ASTP/ONC revisit this proposal to safeguard the integrity of patient care and ensure seamless record-keeping.”

Nonprofit OCHIN, whose Epic-based network now reaches more than 6.3 million patients through more than 34,000 providers at over 2,000 healthcare delivery sites nationwide, also mentioned security concerns in its comments, and recommended that ASTP not finalize its proposal. “While we understand that intent of ASTP’s in making this proposal is to improve access to imaging, we are concerned about the potential security risks of generating hyperlinks to images that could potentially expose patients’ information if there are no sufficient cyber protections,” OCHIN wrote. “Healthcare organizations would have to anticipate all potential external users and provide credentials creating an infeasible administrative burden. Organizations may also be hesitant to provide unaffiliated clinicians access to their systems.”

The Providence health system said it supports the proposal to revise the requirements for modules certified to provide digital imaging to offer “imaging links” to analyze and share those digital images. But it remains concerned about how quickly some specialties, like radiology, will be able to implement these changes because they have not historically used hyperlinks to share large image files.

“We request that ONC convene subject matter experts in imaging specialties along with IT developers and EHR vendors to determine best practices for incorporating this into the existing workflow in a way that causes the least disruption for patients,” Providence wrote. 

Despite these concerns stated by health systems, not all of the response was negative. For instance, the American College of Radiology (ACR) supported the proposed addition of imaging links to the certification criteria.

In its comments, the association said the proposal “is generally aligned with the ACR’s longstanding goal—shared broadly by many radiologists, companies, and organizations in the radiology provider community—for medical images to be electronically exchanged without use of physical media (known on social media as the “#DitchTheDisk” campaign). We believe the ASTP/ONC could also promulgate the DICOM standard in Part 170 to ensure the clinical utility of this criterion for certifying EHR modules used by referring providers; although as accurately stated in the NPRM, DICOM is the de facto industry standard regardless of Part 170 certification.”