Many innovative startup companies struggle to gain access to data housed in EHR systems. This has been a source of frustration for provider organizations, and has limited their ability to engage with the startup community. Provider organizations have spent millions of dollars replacing their EHR systems, only to find that their vendor contracts limit data access to new innovative Health IT entrants. The 21st Century Cures Act includes provisions designed to address these so-called ‘data blocking’ concerns. This is just a first step.
House and Senate leaders announced last week that they had hammered out a deal on landmark legislation designed to speed federal approval of new drugs and devices and boost funding of medical research. If the bill goes through, it would impose significant new requirements related to the regulation of health IT; most significantly, requiring that in order to qualify for beneficial treatment under certain Federal laws, qualified EHRs must meet newly specified interoperability standards. Failing to achieve interoperability is significant because it directly risks decertification of the vendor’s IT and, as a result, risks the loss of a provider’s Meaningful Use incentive payments and eligibility for the Stark Law Exception and Anti-Kickback Safe Harbor. The bill also would require that vendors of EHR technology certify interoperability to HHS, and would prohibit vendors and providers from information blocking.
Due to the magnitude of health information maintained in EHRs and the numerous relationships patients maintain with health care entities and professionals, the ability to access and exchange medical information is paramount to medical innovation and patient care. Effectively, the bill addresses the pervasive need to standardize health IT in an efficient and timely manner to achieve health IT interoperability. Specifically, the bill requires that health IT vendors ensure that their certified EHRs:
- Securely transfer all electronic health information to and from all other certified health IT for authorized use; and
- Allow for the complete access, exchange, and use of all electronic health information for authorized use without special efforts by the requestor.
In order to achieve the secure and complete exchange of information contemplated by the bill, vendors will need to incorporate baseline interoperability standards in six identified areas: (1) vocabulary and terminology; (2) content and structure; (3) transport; (4) security; (5) service; and (6) querying and requesting health information for access, exchange, and use. The bill tasks HHS with providing clarifying guidance on the interoperability standards while allowing vendors flexibility in implementing product compatibility.
Prohibited Information Blocking
In addition to requiring interoperability, the bill prohibits information blocking by vendors, health care providers, and health information system providers. “Information blocking” is broadly defined to include practices that prevent, interfere with, or burden information exchange. These practices range from charging unreasonable fees, to contractually agreeing to restrict an authorized exchange, to developing or implementing health IT that is likely to lead to fraud or waste.
Such a broad definition risks the imposition of civil monetary penalties for not only egregious information blocking, but for actions resulting from internal policies and industry best practices vendors and providers have in place to protect the privacy and security of the entity and/or its patients. Providers may be especially susceptible to confusion, considering that providers historically have been given the ability to control the release of information based on professional judgment and business decisions.
Guidance and Implementation
The bill requires that HHS provide vendors with an initial set of interoperability standards and implementation specifications. Vendor compliance would be required 12 months after the rulemaking. In contrast, enforcement for information blocking could begin as early as 30 days after the issuance of the rule.
The bill requires that vendors’ certification of qualified EHRs made after January 1, 2018, comply with the interoperability standards. In certifying, vendors of qualified EHRs must specifically:
- Attest to HHS that the entity has implemented the interoperability standards and that it has not engaged and will not engage in information blocking; in doing so, it must include pricing information related to data exchange for the purpose of future public comparison among health IT products;
- Attest that the entity has successfully and rigorously tested the real world use of the record;
- Attest that the entity has in place data-sharing programs based on common data elements through such mechanisms as application programming interfaces without the requirement for vendor-specific interfaces;
- Publish application programming interfaces and associated documentation, with respect to health information within such records, for search and indexing, harmonization and vocabulary translations, and use interface applications; and
- Demonstrate to HHS that information from the EHR can be exchanged, accessed, and used through the interfaces without special effort.
As stated, failure to comply risks decertification of the technology for Meaningful Use purposes under CMS’ EHR Incentive Program. Moreover, decertified IT and services cannot be donated under the Stark Law or Anti-Kickback Safe Harbor that protect donations of certain EHR. For these reasons, decertified IT is not attractive to provider customers. The bill makes clear that providers would not be penalized for the actions of their vendors for failing to meet the interoperability standards for certification. As such, for EHRs that become decertified due to failing to meet the interoperability standards for the Meaningful Use reporting periods for payment years beginning 2020, providers will receive a minimum one-year hardship exception and be allowed to transition to different EHRs.
HHS would be given authority to investigate claims of vendors offering providers qualified EHRs in violation of any attestation. Vendors and other entities offering providers qualified EHRs in violation of an attestation shall be subject to a civil monetary penalty in an amount determined by HHS through rulemaking. The bill is not likely to alter the current governmental approach, under which providers generally will not be the target of interoperability enforcement; however, a provider without a qualified EHR may risk enforcement if it represents to HHS otherwise, for example, during Meaningful Use attestation. Providers without qualified EHRs also risk the loss of Meaningful Use payments if they cannot meet a hardship exception. Additionally, providers would need to consider that even without Federal enforcement, the failure to maintain a qualified EHR could risk violation of contractual terms that incorporate such requirements, of data security laws, or of internal procedures based on best practices, due to inadequate technology. The bill also would grant HHS the authority to subject any person or entity to civil monetary penalties for information blocking. The National Coordinator, acting as a technical consultant, would be authorized to share information related to investigations with the Federal Trade Commission, potentially magnifying any violation and penalty.
Data Privacy Implications
The bill states that HHS will set forth exceptions to information blocking to protect patient safety and privacy and to promote competition and consumer welfare, although it is unclear at this time how the exceptions will interact with existing laws, like HIPAA. Notably, HIPAA does not generally mandate that a provider make accessible or disclose patient health information to another entity; however, the bill’s information blocking requirements may push entities to disclose information more freely or expand system access to other entities. Such activities may expose the entity to other liabilities.
The bill’s impact on how providers and contractors treat health information is significant due to the potential conflict with patient authorizations, proprietary rights, and breach notification obligations, as well as state laws that restrict the use of sensitive data such as mental health and HIV records. For instance, the bill’s prohibition of information blocking may risk the disclosure of patient information that requires additional protection. Alternatively, the bill may negate the need for a patient’s authorization, whereas an internal policy or state law may require consent regarding certain information. Conflicting requirements and unclear guidance may burden entities to carve out accessible information and maintain differentiating policies and updates to Notice of Privacy Practices.
This piece was originally published on LinkedIn Pulse by Orlando Portale, founder of Health Innovation Partners, and former Chief Innovation Officer at Palomar Health.