Published May 2021
Federal regulations stemming from the Cures Act – which covers access to information by patients and restricting information blocking – have only just gone into effect, but the long-term impact on healthcare organizations has generally been underestimated, contends Dr. Kel Pults, chief clinical officer for MediQuant. Penalties could be significant, and patients will be able to report providers that do not comply with the new rules, she says, which expands the oversight that healthcare organizations can expect. Complying with the regulations will be complicated by merger and acquisition activity in the healthcare space, because providing patients and other entities with easy access to clinical information will be complicated when merging organizations operate different IT systems. Pults shared her thoughts in an interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, highlighting how organizations can meet the underappreciated work needed to achieve compliance with the new rules.
Podcast: Play in new window | Download (Duration: 29:40 — 20.4MB)
Guerra: Today we’re talking with Dr. Kel Pults, chief clinical officer with MediQuant, about the new information sharing requirements for health systems, the high level of M&A activity among those health systems, and how this dynamic has created big challenges for IT professionals. Kel, thanks for joining me.
Pults: Thanks for having me.
Guerra: Can you start off by telling me a little bit about MediQuant and your role there.
Pults: MediQuant is a pioneer in the active archive space. We’ve been around for a little more than 20 years now – 21 this year. I’ve been with MediQuant for about seven and a half years; I’m the chief clinical officer currently, so I have responsibility for client services, all things clinical in house, and I’m also the HIPAA privacy officer for the company.
Guerra: So what we’re going to talk about today is the M&A activity, the juxtaposition of that with the information sharing requirements and the conditions that’s created. So let’s start by giving me an overview of the information sharing, information blocking – all the things that are coming out. There have been some delays and now the deadlines are coming. What do health systems have to do, what deadlines have recently passed and what are coming up?
Pults: Maybe let’s start with a little bit of history about the Cures Act. It came about in 2016, and the point of the Cures Act was originally to increase innovation, to allow more access to records and to improve interoperability to start that process. In March 2020, ONC actually increased that capability requirement, so they put in some clauses around information blocking, some interoperability, some APIs, and they put in some information around what we call USCDI, which is the data set around clinical data that three actors are going to have to support and comply with. So when we talk about actors, we’re talking about providers, HIEs and payers. Also, part of that is not just providers but also the certified HIT providers, so some of the big EMR systems vendors, they’re going to have to comply. So if you’re certified under ONC, you’re part of that requirement.
So the point of the second part of the Cures Act is really to improve interoperability. Interoperability, as you know, years ago when we started out with the American Reinvestment and Recovery Act, it was to increase interoperability, and so EMR vendors took that to mean interoperability with themselves – they increased that component. The Cures Act is going to change that a little bit. It’s going to mean that they’re going to have to have interoperability with competitors, with HIEs, with healthcare facilities outside an organization. This is going to increase that requirement for interoperability.
With APIs, it involves how you’re going to access that data. So whether it’s a patient accessing data, a payer providing the API so a provider can get it or a patient can get their own information, that’s changing as part of the Cures Act here.
So one of the major components is around information blocking. Patients want access to their records – in the past, providers have had reasons or different requirements for a patient to get access to their records. And so part of the Cures Act is to stop that practice of coming up with excuses for why a patient can’t get access to their records. So the interoperability provisions initially starts applying with (providers) having about 15 days; some of the new information will come out in the new HIPAA rules this year. For payers, information blocking rules started out about April 1, and payers are required to comply with the information blocking rules, so there are very few exceptions for why you’re not providing patients with records, or even providers with records – so if you have a provider that’s outside a health organization and requesting records on behalf of a patient, you have to send them.
That information blocking rule is in effect, and penalties will start to apply. The Cures Act then extends, so that later in the process, you’re going to have additional penalties for those who don’t comply. This starts in 2021 and 2022; it’s going to continue. Eventually the APIs and in particular the use of FHIR – so FHIR is going to be the standard for sending information electronically from one provider to another, from a payer to a provider – patients can get access and request that that information be sent as well. The USCDI is the initial data set that needs to be sent through the FHIR transaction, so where we have HL7 as a standard in the past, FHIR 4.0 will be the new standard for sending information. So this will increase information sharing, interoperability absolutely and patient access to their own records.
Guerra: This is a heavy lift, and people are all over on the spectrum. There are different sizes of organizations, the sizes of their IT staffs, their sophistication. If we can come up with, in our head, an average health system, is this a really heavy lift? Is this impossible or is this manageable? How would you describe it for the average health system?
Pults: I think that’s a great question. This is going to be a pretty heavy lift for several organizations, and also for the health IT vendors themselves – they have been working on some interoperability; a lot of the bigger HIT vendors have created patient portals already. But this will be a heavy lift (for providers), first, sharing and collaborating with one another so that they can actually send the information back and forth. In addition, vendors are going to have to talk to each other, which is something that’s not really done today. They understand that they want to protect their intellectual property; the interoperability requirement to share data across vendors is going to be interesting to see – that’s where I see more of the heavy lift that’s going to happen with this. They’re going to have to collaborate more to make this happen.
They do have a little time – I anticipate that, just like meaningful use got pushed out a little bit, certain components of that, this very may also (be pushed back), but I wouldn’t count on that. Healthcare organizations need to focus on this right now, and part of this interoperability and sharing of data and even accessing it using APIs, they need to plan right now in part of their strategy is how do they get a unique EMPI for all of their patients. You mentioned M&A activity earlier – it’s increased significantly, so for safety purposes, for being able to share the correct data for patients getting access or providers getting access to the right data, they need to establish a unique EMPI. And this is absolutely a challenge with all of the M&A activity going on.
Guerra: You mentioned that the vendors have a heavy lift. Let’s primarily focus on the health systems. I understand that it’s very connected – so if I’m a CIO at a health system, to what degree am I relying on my key vendors to make sure I can do what’s required of me by them doing what’s required of them, by them working out communications with other vendors for interoperability? How much do I have to do, and how much do I have to hope that my key vendors do what they have to do? Or is it in combination?
Pults: It’s in combination – that’s a very good point, and there are two separate asks here. The hospital system is going to have either a patient portal or the ability to send (data), so they’re going to focus more on the EMPI component. Though the HIT vendors offer some EMPI creation, historically what we find when we’re on the archive side of this is they’re not assigning a unique identifier to every patient. They acquire facilities, whether it’s a provider, an ambulatory site or they’re merging, so we’ve had some really big mergers in the last few years – Baylor Scott and White is a good example. CommonSpirit is one of the most recent mergers. All of these, once they merge, they don’t have unique identifiers for these patients, but that is going to be necessary. So from the healthcare side, they really need to put as part of their strategy, from a financial as well as a human resource perspective, to plan to get that in place.
From a health IT perspective, they need to have the software to support FHIR. So being able to send those transactions back and forth is key, and then there’s going to be a lot of testing, a lot of working with not just the health system to do that testing to make sure they’re going where they need to, but it’s going to be a lot of working together that they’re going to have to do.
Guerra: So now let’s bring in the M&A side. It makes me think of trying to change the wheels on a car while it’s moving. You never have a steady state usually – hospitals go 24 hours a day, and the M&A will continue – I don’t picture the CEOs or those in charge of those activities saying, “Well, let’s hold off until you get all this straightened out, and then we’ll start acquiring again.” So what are the implications of trying to manage and meet these regulations when you’re leading an environment that is continuing to grow through physician practice acquisition and hospital acquisition? How much more complicated does that make it?
Pults: It does make it more complicated. I think you gave a great analogy. We tend to use that as well. You’re in the race – you’re working on everything and going 200 miles per hour and trying to change the wheels at the same time. So as we talked about this earlier, part of this is really your planning – you’ve got to plan, whether you are acquiring or you’re doing a merger, think of that as part of the strategy – how do you, as part of the planning phases, say, “OK, we’re going to have to run every application that comes in; all of the patient data, we’re going to run that through; and create a unique EMPI. We’re going to bump it up against what we have and everyone’s going to get a unique EMPI.” And think about doing it with all accounts, not just three years’ worth or five years’ worth, because you will have mismatches in there absolutely if you only do a certain number of years back. Your goal is really one patient, one record, especially if you are including other sites in there.
I’m just thinking about the huge lift this is for HIM right now, in medical records. When you have mergers and acquisitions going on, in addition to putting in a new HIS system in house – say you’re putting in a new big HIS system, say Epic or Cerner or Meditech or Allscripts, and you’re replacing smaller systems in house – right now, HIM has to go to all of these systems to pull out records, even if they’ve just designated something in house as their legal medical record – archive is typically part of that now, the active archive.
When you add M&A in there, and you’ve multiplied the number of places that HIM has to go to find these records, and with the new proposed rules for HIPAA, they’re going to go from 30 days to 15 days to get your record. You’re not going to be able to extend that; the fines will increase. And any time you’ve got this increased footprint obviously, you have to think of security, so that’s another issue that they’ll have to consider.
Guerra: So we’ve said for a long time that you have to involve IT in acquisition considerations, your due diligence and all that kind of thing. These new requirements make me thing that’s even more important because the day that hospital or physician practice becomes yours, you have to be able to comply with greatly enhanced interoperability requirements. So you need to see where that entity you’re acquiring is, whether they are up to speed and how quickly you can get them up to speed once they’re acquired, because you can’t say, “Oh, we just bought them, we need some time.” You have to comply on Day One, when they become yours.
Pults: You’re absolutely right, and that goes back to that planning. So not only do you have to figure out what you have in house already – what are the applications that you have that you’re going to have to pull data out of, that are going to be a part of that interoperability plan. And then, focus on your patients – getting that unique identifier. But you really need to put any system that’s coming in through a rationalization exercise that includes what data do we have and what do we now own?
To something you said a second ago, you own them now that you’ve acquired something, so you have responsibility for that data. You need to have a plan in place that really blocks out: here’s what we have now, so let’s get everything we have in an inventory. As we bring things in, those get added to the inventory, and everything goes through a rationalization exercise. You’re not just inheriting clinical data or financial data – you’re often inheriting ERP systems and other systems that are sitting out there, and you need to determine if these are things we’re going to have to put in our interoperability plan, is this something we’re going to need to keep? Who needs access to this? Is this something that is a patient access-type of application, or is it something that we can archive it off and we don’t need to worry about it as far as the Cures Act, but we do need to have access to it. So there’s a whole rationalization component.
I will tell you that rationalization is not a simple process; it is a time-consuming process, but it’s a necessary thing to do. And part of it is just getting your arms around what do you own. And as you acquire or merge with other groups, you need to keep up with that so that you know what you’ve got, because that’s going to determine that you don’t have holes, you’re not missing anything that needs to be part of interoperability or long-term storage. So your retention guidelines are going to play a part in that; but that’s kind of what you do – you bump that up against the question of what are our retention guidelines? What do we need to keep? What needs to be part of Cures? There are so many things to think about, and I do recommend that these organizations get some assistance for this. Typically, they’re so busy in day-to-day operations that this is not something that they can spend the time to focus on – they may want to bring an expert in to help them get organized, because that’s going to be your first step – to get organized. And then you come up with a plan based on what you know that you have.
Guerra: You hear from organizations – if an organization is calling you for help, they’re on it, they’re active, they’re looking into it. We’ve seen sometimes in healthcare, with things like this, there’s a wait-and-see approach. With the price transparency rules, nobody did it, or if they did it, they hid it and you couldn’t find it. Some people say let wait and see what the stick is; there may not be much of a stick, and if there is a stick, then we’ll get moving. I’m imagining you think that’s a big mistake.
Pults: I think that’s a huge mistake. There are no carrots or sticks in this. This is not one of those carrot-sticks situations. You’re going to get to the end and they’re going to start penalizing. They’ve gotten it figured out. So if you think about even when HIPAA came out, and people started reporting or getting violations; it took a little bit for them to get organized to start penalizing people and how to collect that. And so people did a wait and see. This is not going to be a wait and see activity – they’re going to start looking at this for information blocking. Patients can report on this – so breaches are kind of self-reported, and if an organization has a breach, they self-report; you get some big penalties, we see them out there, some really big penalties. Last year, there was about $48 million, roughly, overall.
So if you start looking at these, patients can report if there is information blocking going on, so not only do you have self-reporting potentially for things, but you’ve got patients out there saying, “Look, I can’t get my data.” I anticipate that reporting mechanism will emerge – once they realize they can do that, they are going to do that. That’s why we have this in the first place – these rules are usually in reaction to something happening, like patients saying, “I can’t get my records,” or “it’s taking too long to get my records.” That kind of stuff is what drove the rule in the first place.
Guerra: I think you’re absolutely right. That stuff is going to get reported. We all know that that’s irritating. Everyone has been irritated about how much it would cost to get their record. Do you have any thoughts around budgeting for this? Is there any way to figure out the dollars over and above what organizations would normally spend on IT?
Pults: That’s going to vary depending on how big the organization is. There are two big components – the EMPI creation; you’re going to expect to probably get a solution that not only generates the EMPI but it keeps those things in sync going forward, so I expect there’s going to be a licensing component with that. The health IT vendors obviously are going to have their own cost to get the USCDI and FHIR APIs in place, so it is going to vary. I wish that I could say it was a certain amount that you could count on that, but it’s really sitting down and determining with the organization, how big is it, and that’s where they’re going to get their budget from.
They need to start looking at it now, though, because they’re making budgets for next year even – they’re already going to start on budget processes, depending on what their budget cycle is – some of them may be in the middle of budgeting now, some may not do it until they do an annual budget for the fiscal year. They need to start working this on right now if they have not done it. Or if they are looking at going to a new EMR or M&A activity, they really need to sit down and plan it in the budget. This seems to be an afterthought – even HIPAA, those kinds of things are an afterthought and they ended up paying a lot more as they were trying to play catchup, so they paid extra. With this, if they plan it in their initial resourcing and their budgeting, they’re going to be able, if nothing else, they’re going to be able to capitalize this stuff and pay the cost over a period of time, or at least in alignment with the rollout, which makes a lot more sense than trying to come up with all the money at the end.
Guerra: Back to the vendors – if you were giving advice to CIOs at health systems, which of their vendors, in terms of types, do they need to talk to and what should they be asking?
Pults: First, they need to talk to their HIS vendor. They need to reach out to whoever they currently have right now, if they’ve got someone or if they have a plan to replace their current HIS, those are the first ones to talk to because they’re going to drive this – they’re going to have the biggest lift and they’re going to have the biggest impact for training, for interoperability. They need to talk to them immediately and ask, “What is your plan, what is your rollout plan, how do we get this done and I need some cost analysis so I can work this into my budget.” Whether it’s an HIS vendor, whether it’s their active archive vendor, because that’s part of their new rollout for most hospitals now, because they archive the old systems – they will do limited conversion work into their new HIS because they’re trying to keep that as clean as possible because those legacy systems have a lot of dirty data, so they don’t want to fill up their new, clean, pretty system with old legacy data so they separate that out, so that has to be part of the discussion as well. Anywhere that you’re looking at a combination of patient access, provider access and anything that’s going to store USCDI, part of that record set, you need to be talking to those vendors.
Guerra: Internally, for a health system CIO, who should they be talking to, either by department or by title to make sure they’re ready?
Pults: Your CFO needs to be in the discussion because they will be looking at the financial resources to cover this. The CIO, the IT department for supporting HIM – HIM is going to be huge. You need your provider champion, your nurse champion. This is the same team you’re going to start with for your governance, and make sure you’re including legal and compliance in there. You should have your legal compliance officer, your HIPAA privacy officer and your security officer. That team of people right there is going to have to make some serious decisions about how you’re going to get ready for this. HIM often gets left off the list, I will tell you, and it’s important to make sure that they’re in there. Your financial/business office folks – you have those major heads of departments there that have an impact or they’re going to be affected by information blocking.
So as this current rollout for the new information blocking piece of it started, it’s more related to payers. How the payers are getting (data) back and forth. But patients are also going to get access to the financial records in the long run; it’s not just the clinical. So make sure your business office is involved in this also.
Guerra: So health systems are going to do this because they have to do it and they don’t want to get penalized, they don’t want to get called out on the carpet and cause reputational issues. But healthcare seems to be becoming more competitive, more consumer-centric, more patient-centric. They’re thinking more about taking care of their customers. I imagine that’s another reason you want to be even a little above and beyond on this – not just doing what you have to do but trying to get patients their records or act on their behalf even above and beyond what’s required, for competitive reasons.
Pults: You’re absolutely right. It is more competitive in healthcare. Organizations are competing with one another. Patient feedback, where patients can rate their provider, they can rate their healthcare system – their focus is on patient experience in-house, and part of that experience is very patient-centric. It used to be that you’d go see a provider and your provider would tell you, “Here’s what’s wrong; take this medicine or here’s your treatment.” With the introduction of Google and social media, all the different places that someone can go on and search for disease process, they can search for symptoms, they can search all of these things, they now have the ability to go out and they’re getting more involved in their own healthcare, which means it’s turned it into commercialization – it really is a business, healthcare is a business.
For providers, even though they are in this competitive business now, their main focus is still patient care, patient safety, so they’re balancing this need to take care of their patients and do the best they can to keep them safe with all the requirements now for interoperability, you’ve added the technology into the middle of it; you’re not going to get rid of it. There was a health system down a couple weeks ago for a ransomware attack, and they went back to paper. Once a health organization goes back to paper, they realize how much they rely on the technology to be right to provide you with everything at the point of care. It’s not until you go back and fall back on something like that that you realize how dependent you’ve become on technology. And that’s not going to change; as long as the technology is there, your providers get more dependent on it – all the providers in medical school and nurses in medical school, they all are growing up on technology. I started on paper – I’m dating myself, documenting on paper. And then going to electronic, there’s nothing like being able to spend more time with your patient. And they’ve worked through that over the years.
Guerra: Yes, you can see from a historical perspective that you and your cohorts were in that difficult, transitional phase, it’s the hardest place to be when you train in one environment and you have to work in another. You did the pioneering work, right?
Pults: That’s right.
Guerra: Well, we’re almost out of time. I just wanted to see if you have any final thoughts, piece of advice for our healthsystemCIO listeners.
Pults: I think, if anything, start now, if you’ve not started looking at this, if you’ve not read about the Cures Act, if you’ve not focused too much on the interoperability. I know our CIOs are really busy and they’re trying to support systems and the implementation of systems. Get your legal involved, get involved with this because you want to work this into your budgeting, you want to work it into your plans, and make sure that you’re including your important people in house as you go through these activities. Make sure you’re getting your inventory up to date; be prepared, so when you do have M&A activity, whether you’re being acquired, whether you’re merging with someone else or whether you’re doing the acquisition, you can work this into your inventory and you can get your arms around these systems and make a really solid plan for this.
Guerra: Well, that’s awesome Kel. Thanks so much for joining me today. I think this is a lot of great information.
Pults: Thanks so much for having me, Anthony. I appreciate the opportunity.