New federal rules intended to improve interoperability and boost patient access to healthcare information present new risks for healthcare organizations, with many of the specific mechanisms for compliance and enforcement yet to be defined.
It’s likely that the industry will get some grace period before the rules are enforced, but organizations should start now to map out how best to comply with the new requirements, said two experts on interoperability and past government compliance programs.
The requirements also can present opportunities for organizations that can demonstrate performance with the rules, said Mark Segal, principal of Digital Health Policy Advisors, and Steven Gravely, founder and CEO of the Gravely Group, who presented information on emerging regulations in a recent HIMSS20 Digital presentation, Implementing 21st Century Cures: A Data Access Gamechanger.
In March, the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services finalized rules that spell out requirements for interoperability, for the use of application programming interfaces to enable data sharing and for preventing instances of information blocking. The rules are expected to be formally published in the Federal Register on or soon after May 1, starting the clock for the time organizations have to comply.
The rules specify that they will go into effect six months after they are formally published, but it’s likely that enforcement of the rules will be delayed, since many healthcare entities are focusing attention on dealing with the global COVID-19 pandemic, the presenters said. Still, healthcare organizations should begin to take action to understand the rules and begin compliance efforts, they said.
Enforcement also is likely to be delayed until the Office of the Inspector General of the Department of Health and Human Services publishes a final rule on civil and monetary penalties. A notice of proposed rulemaking has not yet emerged, and “it can take a long time for the proposed rule to make it into final form,” Gravely said. For healthcare providers, the rules will be enforced by CMS and the OIG; for vendors of certified HIT, oversight will come from ONC.
The 21st Century Cures Act broadly defines information blocking as a practice “that interferes with, prevents or materially discourages the exchange of electronic health information, or whether an actor knows a practice is likely to interfere with access to EHI,” Gravely said. The rule is likely to be applied differently to providers vs. technology developers, health information exchanges or health information networks, he added.
“Your intent is really important,” Gravely noted. “It’s not only what you did, but what you meant to do. The rule states that an action has to prevent or materially discourage; [the government] doesn’t have to show that the practice actually blocked information from flowing. That last term – likely to interfere – is a much lower standard [than actual interference] and it’s much easier to trip you up.”
The ONC rule contains nearly four dozen detailed examples of information blocking, Segal noted. “The focus is really on the actors that control interoperability elements, as well as those who are under the control of a particular actor.”
ONC decided to limit the scope of electronic health information for the first two years of the rule to the data elements in the United States Core Data for Interoperability (USCDI), a standardized set of health data classes intended to foster interoperable health information exchange.
The CMS final rule on interoperability builds on existing efforts to encourage the free flow of information through the use of application programming interfaces (APIs), Segal said. The implementation date is set as Jan. 1, 2021, but enforcement will be delayed for at least six months.
The CMS rules acknowledged concerns that patient information might be compromised by app developers, saying a health plan can deny or discontinue access to data if the plan reasonably determines that an API poses an unacceptable level of risk to patient privacy. Payers also must share information resources with members to educate them about potential risks.
Compliance will be important because penalties are likely to be high. For non-provider actors, the fine can be as much as $1 million per violation, Gravely said. “We don’t know what the penalties for provider organizations are going to look like, but given the economic impact of COVID-19, provider organizations already will be financially weakened, so any monetary penalty will be material.” Actors will carry the burden of proof in defending themselves against complaints, he added.
It’s not clear who within healthcare organizations will bear the responsibility for compliance with information blocking requirements, Gravely said. “Information blocking is so broad, it touches IT, medical records, marketing, product development and more. Because it’s hard to identify who owns it, the risk is that no one will own it.” Education about the requirements and risks thus becomes important.
“Organizations need to look at these rules from a perspective of how they are going to implement them,” Segal added. “Any organization needs a formal plan to implement operational and business responses, and it needs to be integrated with the compliance plan. It’s important to take a phased approach to create a risk management model that reduces chances that someone will allege you participated in information blocking.”
Meeting requirements of the rules could provide a competitive advantage for organizations, Gravely concluded. “The health information ecosystem is undergoing tremendous transformation,” he said. “CMS rules are coming on line to ensure that data flows without any obstacles. This is a huge opportunity for those organizations that embrace [this change] and implement it effectively. Business will flow to them if they demonstrate that they are on top of it.”
In an earlier interview to preview their HIMSS20 session, Segal and Gravely had highlighted the opportunities available to organizations that embrace the rules in the spirit in which they were written, and put in the hard work to implement them.
“There are opportunities – particularly for organizations and technology developers who will benefit from the ability to get access to data from EHRs and other systems and to integrate with those systems,” said Segal. “For example, clinical-decision-support functionality that might be able to closely integrate and both read and write for EHRs. Apps have been a big area of focus. And just generally, if this goes as intended, just to have higher-quality data flowing much more freely in a system […] should absolutely be to the benefit of patients.”
“There is also an opportunity for organizations to differentiate themselves from their competitors,” said Gravely, “by embracing information liquidity and saying, this [is] now the law of the land, and we’re embracing it, and we’re committed to not withholding information, but making sure it’s available for the benefit of our patients and customers.”