Just days prior to President Trump’s declaration of a national emergency on March 13, 2020, the U.S. Department of Health and Human Services (HHS) rolled out two significant final regulations aimed at bolstering the accessibility and exchange of electronic health information (EHI). These final regulations were published in the Federal Register today, May 1, 2020, marking the start of the implementation timetables.
Last week, on April 21, HHS announced it will delay enforcement of these final rules, which otherwise are set to become effective June 30, 2020. The reason for the delayed enforcement, according to HHS, is “to allow compliance flexibilities . . . in response to the coronavirus disease (COVID-19) public health emergency.” The Department further said that it would “continue to monitor the implementation landscape to determine if further action is needed.”
For the new information blocking penalties, the enforcement timetable will depend on when HHS finalizes regulations implementing its new enforcement authorities. On April 21, HHS took an important step toward implementing its new civil monetary penalty (CMP) authority. The HHS Office of Inspector General (OIG), charged by Congress with investigating the information blocking practices of providers, IT developers, health information exchanges (HIEs) and health information networks (HINs), issued a proposed rule that would, among other things, allow the OIG to impose CMPs—up to $1 million per violation—on those actors found to have knowingly interfered with the access, use or exchange of EHI.
This client alert highlights important information for providers, payers and health IT developers regarding the new enforcement timelines.
Overview of Recent Regulatory Activity
The ONC Interoperability, Information Blocking, and Health IT Certification Program Final Rule (“ONC Final Rule”)
On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC), which is charged with supporting the adoption of health information technology, released long-awaited regulations implementing certain provisions of the 21stCentury Cures Act (the “Cures Act”) meant to advance interoperability and support the access, exchange and use of EHI, including significant changes to ONC’s Health IT Certification Program.1
One key component of the Final Rule is the implementation of Section 4004 of the Cures Act, which created new federal penalties to deter the practice of information blocking. Broadly speaking, information blocking is any practice that may interfere with the use, access or exchange of EHI and that is not “reasonable and necessary.” The Final Rule establishes key definitions around the individuals and entities that are “covered actors” subject to penalties for information blocking. It also finalizes exceptions to the definition for activities are “reasonable and necessary,” including a “content and manner” exception that will allow covered actors to restrict content to a more limited set of EHI. These regulations are technically effective on June 30, 2020, but ONC delayed the compliance date until November 2, 2020.
The Final Rule also establishes new Conditions and Maintenance of Certification requirements for health information technology (health IT) developers under the ONC Health IT Certification Program (Program), and standards for the voluntary certification of health IT for use by pediatric health care providers.2 Among other conditions, the ONC Final Rule requires as Conditions of Certification that a health IT developer not take any action that constitutes “information blocking” and that a health IT developer provide assurances to the agency that it will not take any such action (unless for certain legitimate purposes) or any other action that may inhibit the appropriate exchange, access and use of EHI.
ONC also adds new API Conditions of Certification that address the practices developers of certified health IT should engage in, such as minimizing the “special effort” necessary to access, exchange and use EHI via certified API technology. Compliance with these Conditions of Certification is required by November 2, 2020, but ONC will exercise enforcement discretion for three months thereafter (until February 2, 2021).
CMS Interoperability and Patient Access Final Rule (“CMS Final Rule”)
Centers for Medicare & Medicaid Services (CMS) issued a final regulation in tandem with the ONC Final Rule geared toward interoperability and patient access to health information. The CMS Final Rule3 creates new data-sharing standards for payers participating in Medicare Advantage (MA), Medicaid, CHIP and the Federally-facilitated Exchanges (FFEs). Two of the new requirements to implement and maintain standards-based APIs (for claims and encounter information and provider directory information) are due to take effect on January 1, 2021, but CMS said it will delay enforcement for six months, until July 1, 2021.
CMS has also modified its Medicare Conditions of Participation (CoPs) to require hospitals, including psychiatric hospitals and critical access hospitals, to send electronic patient event notifications of a patient’s admission, discharge and/or transfer to another healthcare facility or to another community provider or practitioner. According to CMS, these measures will improve care coordination by allowing a receiving provider, facility or practitioner to reach out to the patient and deliver appropriate follow-up care in a timely manner. These CoPs will be applicable May 1, 2021, or 12 months after publication of the Final Rule.
Most recently, on April 21, OIG issued a proposed rule implementing new CMP authorities, including the Cures Act CMP authority at Section 4004.4 Section 4004 of the Cures Act added Section 3022 to the Public Health Service Act (PHSA), which, among other provisions, provides OIG the authority to investigate claims of information blocking and authorizes the Secretary to impose CMPs against a covered actor that OIG determines committed information blocking.5 In the proposed rule, OIG proposes to implement Section 3022(b)(2)(C) by adding the information blocking CMP authority to the existing regulatory framework for the imposition and appeal of CMPs, assessments and exclusions.6
The proposed rule also explains OIG’s anticipated approach to enforcement and coordination within HHS to implement the information blocking authorities. OIG explains that it will likely focus its enforcement efforts on conduct that: (i) resulted in, is causing, or had the potential to cause patient harm; (ii) significantly impacted a provider’s ability to care for patients; (iii) was of long duration; (iv) caused financial loss to Federal health care programs, or other government or private entities; or (v) was performed with actual knowledge. OIG further explains that it will “closely coordinate” with ONC given its separate authority under the PHSA to regulate information blocking and its expertise on the information blocking regulations. Furthermore, OIG will be referring information blocking claims to OCR if consultation regarding HIPAA regulations would “resolve” an information blocking claim.
What Providers Need to Know
Health care providers are “covered actors” under the information blocking rules, but HHS has yet to propose a specific enforcement mechanism.
A health care provider is a “covered actor” under the information blocking rules and may be subject to sanction if found to have knowingly engaged in any practice that “is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” Notably, HHS elected to use the broad definition of “health care provider” in the PHSA, which includes facilities like hospitals, ambulatory surgical centers, labs, pharmacies and nursing facilities, as well as individual practitioners like physicians and pharmacists.7
OIG is charged with investigating allegations of information blocking, and determining whether a violation has occurred. However, unlike other covered actors subject to the information blocking rules, health care providers are not subject to the $1 million-per-violation CMPs under Section 4004 of the Cures Act. Rather, Congress directed OIG to refer provider violations to “the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.”8 HHS has yet to identify the agency or agencies that will handle information blocking referrals, and also has yet to identify the “disincentive” that will apply to providers that engage in information blocking.
While a provider-specific information blocking enforcement policy is being developed, health care providers may still be subject to other adverse action if practices violate HIPAA right of access or Medicare payment rules.
While the provider-specific information blocking enforcement mechanism will take time to develop and implement through rulemaking, other authorities already in existence could serve as a basis for the sanction of health care providers.
For covered actors that are also covered entities under the Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009 (together with their implementing regulations, HIPAA), some conduct that constitutes information blocking could potentially be punishable as a violation of a patient’s right of access under existing authority. The HHS Office for Civil Rights (OCR) investigates alleged HIPAA violations, and has the authority to impose CMPs of up to almost $1.8 million per violation.9 Many OCR investigations end in a settlement agreement accompanied by a corrective action plan—the highest settlement payment to date is $16 million.10
For covered actors that participate in the Medicare Quality Payment Program or Medicare and Medicaid Promoting Interoperability Program, engaging in practices that are considered information blocking could affect performance scores and payment adjustments under those programs. Further, CMS has said that it would begin publicly reporting providers that may be failing to comply with certain information sharing expectations in “late 2020.” The agency explained that it will name providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES). CMS will also report eligible clinicians, hospitals, and critical access hospitals that may be information blocking based on how they attested to certain Promoting Interoperability Program requirements in data collected for the 2019 performance year.
Health care providers that meet the definitions of HINs or HIEs may be subject to CMPs, but not before OIG finalizes its proposals.
Notably, in its final rule, ONC emphasized that the definitions of HIE and HIN are functional definitions, meaning that they will include any individual or entity that performs certain functional activities. In its proposed rule, OIG pointed out that some health care providers may meet the definition of an HIN or an HIE. In cases where a health care provider is acting in its capacity of one of these other “covered actors,” the provider may be subject to CMPs under the Cures Act.11 For example, if a large health care provider leads an effort to establish a network that facilitates the movement of EHI between itself and a group of smaller health care providers through health IT, the large health care provider could come within the definition of an HIN or HIE.
For providers subject to the new Medicare Conditions of Participation, enforcement will be delayed 12 months (until May 1, 2021).
The CMS Final Rule requires, as a condition of participation in the Medicare program, that hospitals, including psychiatric hospitals and critical access hospitals, send electronic notification of a patient’s admission, discharge or transfer to another health care facility, community provider or other practitioner. Failure to meet a condition of participation could ultimately result in the termination of a hospital’s Medicare provider agreement. This requirement was originally set to take effect six months after the rule was published in the Federal Register. CMS has extended this implementation timeline to 12 months after the rule is published, or May 1, 2021.
What Payers Need to Know
Payers are not specifically identified as “covered actors” under the information blocking rules, but could be subject to enforcement if functioning as an HIN or HIE.
Payers are not subject to the information blocking rules and penalties unless they meet the functional definition of one or more “covered actor”—i.e., a developer or offeror of HIT, an HIE or an HIN. As noted above, in its final rule, ONC explained that the definitions of HIE and HIN are functional definitions, meaning that they will include any individual or entity that performs certain functional activities. Payers should understand these definitions and determine whether they may be subject to the new information blocking rules and penalties.
Payers offering plans in Medicare, Medicaid, CHIP and the Federally-facilitated exchanges must meet new data access and sharing requirements, but CMS has delayed enforcement of certain requirements until July 1, 2021.
Payers that participate in one or more federal health care programs will also need to understand the new CMS requirements for data access and exchange. The regulations finalized in the CMS Final Rule apply to Medicare Advantage (MA) organizations; Medicaid fee-for-service (FFS) programs and managed care plans; Children’s Health Insurance Program (CHIP) FFS programs and managed care plans; and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs), with certain exceptions (collectively, “covered payers”).
The CMS Final Rule imposes the following requirements on covered payers:
- Patient Access Application Programming Interface (API). Covered payers must implement and maintain a secure, standards-based API that affords patients easy access to their claims and encounter information, including cost and certain clinical information, through third-party applications of their choice. Under the CMS Final Rule, covered payers are required to implement this patient access API beginning January 1, 2021. QHP issuers on the FFEs are required to implement it for plan years beginning on or after January 1, 2021. However, CMS has announced that it will not enforce this requirement for any covered payer until July 1, 2021.
- Provider Directory API. Covered payers must make provider directory information publicly available via a standards-based API. Under the CMS Final Rule, payers are required to implement this provider directory API by January 1, 2021, but CMS will not enforce this requirement until July 1, 2021.
- Payer-to-Payer Data Exchange. Covered payers must exchange certain patient clinical data with other payers at the patient’s request. Covered payers are required to implement a process for this data exchange beginning January 1, 2022. QHP issuers on the FFEs are required to implement this process for plan years beginning on or after January 1, 2022.
Depending on payer type, failure to meet these requirements could affect a program or plan’s participation in the Medicare, Medicaid or CHIP programs, or on the FFEs.
What Health IT Developers Need to Know
Health IT developers and other entities that offer certified health IT are “covered actors” under the information blocking rules, and will be subject to CMPs once the OIG’s CMP rule is finalized and becomes effective.
Developers of health IT, entities offering certified health IT, HIEs, HINs, and, as noted above, health care providers, are among the individuals and entities that Congress identified as “covered actors” subject to penalty for information blocking. Such entities are therefore subject to OIG investigation and (except for providers) CMPs for engaging in practices that the entities know or should know are likely to interfere with, prevent or materially discourage access, exchange or use of EHI. Once OIG determines that an individual or entity has engaged in information blocking, the Cures Act mandates a penalty of up to $1 million per violation for covered actors other than health care providers.
In its proposed rule, the OIG stated that it would not begin enforcing the information blocking CMPs until the final rule is issued and the regulations become effective (likely 60 days from the date of publication of a final rule). Depending on how quickly the regulations become finalized, it is possible that OIG enforcement will begin before the end of this year. For IT developers and other covered actors that have heretofore not been subject to direct HHS regulation and enforcement, understanding compliance obligations and OIG enforcement priorities is critically important.
For developers of certified health IT, enforcement of new conditions of certification for information blocking and APIs are delayed until February 2, 2021.
Developers of certified health IT will need to comply with the new ONC standards for obtaining and maintaining certification. The regulations establishing these standards become effective on June 30, 2020, but ONC delayed the compliance date for many of the new requirements. And, on April 21, ONC said it would also delay enforcement of the new requirements until three months after the compliance date has passed.19 In other words, ONC will be allowing IT developers a grace period of noncompliance, and forbear from action to remedy or sanction the noncompliance.