Distracted by the COVID-19 Pandemic, Many Healthcare Organizations Will Have to Hurry to Comply with New Federal Rules …
Published September 2020
Deadlines have a way of sneaking up on everyone, and the healthcare industry is finding itself only weeks away from the Nov. 2 start date for when federal rules governing information blocking go into effect. With trying to manage patient care during the COVID-19 pandemic, any oversight might be understandable – but absent any last-minute reprieve, provider organizations will be responsible for compliance, says Chelsea Wyatt, a principal in the informatics and technology practice of The Chartis Group, an advisory firm specializing in healthcare. Attaining compliance will be difficult and potentially costly for many organizations, but improving patients’ ability to access their health information could become a competitive advantage for those organizations that see this initiative as a strategic opportunity, she believes. Research is indicating that patients highly value access to their data in order to manage their care, and will favor organizations that give them easy access to their records. In this episode of healthsystemCIO’s Partner Perspective Series, Wyatt talks with Editor-In-Chief Anthony Guerra about these compliance challenges.
Podcast: Play in new window | Download (Duration: 31:47 — 21.8MB)
Guerra: Today, we’re talking to Chelsea Wyatt, principal at the Chartis Group about the 21st Century Cures Act and some of its upcoming deadlines. Why don’t we start out by your telling us a little bit about Chartis Group and your role there.
Wyatt: Chartis is really a healthcare consulting firm. We provide comprehensive advisory services, analytics services and so much more to the healthcare industry across the board. We provide strategic planning, performance excellence, and consulting on informatics and technology. We’ve got a great digital practice, health analytics practice and a clinical quality practice that’s been No. 1 at KLAS for a long time. And we work with academic medical centers, integrated delivery networks, children’s hospitals, medical groups and a lot of other healthcare service organizations as they navigate the healthcare industry. I am a principal with the Chartis Group, so I’m one of the junior partners helping lead a couple of different service lines, including our implementation advisory services service line and our service line for the 21st Century Cures Act.
Guerra: November 2 is the six-month deadline for the new rule. I, probably like many CIOs, was not paying too much attention, and I’ll get into the reasons why CIOs weren’t paying too much attention. So what do we want them to know; what do you want to call out to them about what they need to do?
Wyatt: Interoperability has been around for a while. The government started really fostering it in 2004 with the creation of the Office of the National Coordinator, whose whole purpose is to foster interoperability. And so, we progressed to the ARRA and HITECH Act, which set up and got everybody established to have electronic health records. But nobody was really sharing data. You had these little information pockets with different vendors, and so the 21st Century Cures Act was passed in 2016 to say, “You really need to foster interoperability.” And interoperability is how we’re going to have a very healthy health ecosystem. We need to prohibit information blocking, which is restricting, preventing or discouraging any access of a patient’s electronic health information, and so what just came up is how do we enact the 21st Century Cures Act, which is what the ONC and CMS Interoperability rules set, which were published on March 9 of this year. And the compliance date is November 2 of this year, so it’s less than 60 days away now.
So there’s a big impact for provider organizations with these deadlines – there’s a lot of things that they really need to do. There are three covered actors that are under the requirements for information blocking, which are provider organizations, health information networks and health information exchanges, and then healthcare IT developers. Most of these covered actors also have requirements that are beyond information blocking, but that’s the biggest one that’s coming up. What that means is that healthcare providers need to make sure to look at all their workflows and policies to make sure that they’re not blocking patient information. And what’s amazing about this is it’s such a huge mindset change from where we were, which was HIPAA was restricting the flow of the information and what you could share with other organizations about patients. Now, the mindset has totally changed, and we really need to open up and share information with anybody who’s authorized – that includes the patients themselves; that includes third parties. And what’s transformative about this is it’s really enabling patients to be at the center of their own care.
Guerra: When you think of information blocking, you think of the vendors, typically in terms them saying, “You’re going to have to pay a lot of money if you want your data to go from here to there.” We don’t think of it a lot with providers. Talk a little bit about that, the fact that providers are on the hook here, and it might look very different for providers not information blocking.
Wyatt: There are vendor requirements, too, under these rules when it comes to information blocking, but those aren’t enacted quite as early as the provider requirements. The IT vendors are considered developers under the rule, and they have a lot of requirements, too. They’ve got to share and be able to share patient data via APIs; they’ve got to become a certified healthcare IT platform.
There’s a lot of additional requirements that these rules have now related to providers. Instead of sharing what they had to share before, which was just the clinical common data set, it really gets enhanced. They have to share a new data set, called USCDI, and that is including things like clinical notes, and that includes imaging notes and procedure notes and everything else as well. There’s an enhanced requirement for providers in terms of what they need to share. And the requirements are earlier than what developer requirements are, so in that little stopgap period, they need to figure out how do we make sure we’re not information blocking, because our vendors aren’t required to have everything in place yet. So we need to create workflows and policies so that we’re OK from a provider perspective by November 2.
Guerra: There can be easy stuff and hard stuff. Does it run the gamut, is there stuff that takes months and months to effect?
Wyatt: Absolutely. It really depends on a lot of our clients in terms of how far they are in the progression of this in being able to meet the requirements on information blocking. There’s a lot of things to consider, so you’ve got things like Open Notes, where clinical notes now have to be shared, you’re going to have to make sure that you have information in those notes that are applicable and correct and not outdated, that other folks can make clinical decisions on. You’re going to have to make sure your providers understand and know that those notes are going to be shared. So there’s a lot of groups that are impacted by that one potential component. Then you look at other things like results release, like making sure you have a method to receive patient data requests and a method to respond to patient data requests, so that you’re meeting all of the requirements of the rules without having to regularly use an exception to information blocking. There’s a lot to consider across the board and a lot to set up for this.
Guerra: With health systems, it’s never going to end; you have to catch up at some point. It’s just going to get harder and harder.
Wyatt: We’re getting requests from clients asking if (the federal agencies) going to push (the start date for compliance) back further. Right now, there’s no indication that they are. So we’re saying that you need to make sure that you’re enabling your organization to be at least compliant with these rules.
And then what’s kind of incredible about this is that some forward-looking organizations are looking to go above and beyond compliance, so you can look at this as a strategic opportunity. So you really can ensure that you’re enabling the patient and giving the patient the ability to manage their own care by providing them the data. And what we’ve seen from some different surveys, including a Black Book survey that just came out, is patients really want that. They’re saying that two-thirds of them will actually switch and not use their current healthcare provider and maybe go to a different provider or different physician if they feel like their information is being blocked. So the onus of ensuring that you’re not information blocking really does lie with the provider organization, and if you get ahead of this and talk to patients and say, “We’re going to be an enabler for your healthcare experience; we’re going to be able to get you this data effectively,” that could be a competitive advantage, and how incredible would that be.
Guerra: Chartis is providing services around helping organizations get ready for these kinds of things. So at a high level, let’s talk about costs involved – not specific Chartis costs, but costs of compliance. We’ll get more into the financial situation that health systems are in right now, but overall, do you associate big dollars with getting into compliance with this?
Wyatt: I think that answer depends as well. It depends on how far you are as an organization itself, and how much you want to invest in ensuring you’re promoting interoperability. Or do you just want to be compliant? We’ve heard from a few of our health system CIOs that they’re planning to spend anywhere between $500,000 to $1.5 million over the next few years to ensure that they’re compliant with the rules. Others are really thinking of this as a strategic opportunity. And where that money goes is really establishing an interoperability steering committee, to figure out how you’re going to respond to compliance, how you’re going to start your strategy, becoming educated on the rules across your organization and not just within your C-suite, and delivering that education across the enterprise so that everyone understands the rules and the changes for compliance. Then there’s making sure that you socialize the communication plan internally and with your patients and potentially third parties, and then really looking at your current contracts with third party organizations, your policies, the data flow you already have and then any interoperability processes as well as your strategy around digital and other things that touch on interoperability, and identify gaps that exist. Then you want to create a plan to plug those gaps, and that’s what we help organizations with. We also connect them with third party legal advice, and we have a couple of firms that are versed in this area to do that.
Guerra: Half the battle here is figuring out exactly what you have to do, right? Understanding the law, the regulations, and then determining the current state and the gap analysis, right?
Wyatt: And there are some major nuances to the law, and right now there seems to be a lot more questions than there are answers. We think as this progress this really will change, but it’s definitely something that you want to get in front of. You don’t want to be one of the last kids in the class.
Guerra: So, you mentioned an interoperability committee. This is right in the CIO’s wheelhouse and they’ll have to head this up, or do you see it being handed off to someone who reports to the CIO, or is it not even directly in IT and someone who will have to lead compliance with the Cures Act?
Wyatt: I’m glad you asked that, because this is one of the largest complications of implementing interoperability. It really needs to be across the organization. There are so many key players that have to be involved. So although the onus of responsibility may largely fall on the CIO because this is an IT area because of the need for compliance with the ONC and CMS rules, the efforts are going to take a village. So even small components of the compliance requirements, like sharing clinical notes, touches groups from HIM and current release of information processes, to physicians’ advisory groups, to training, to compliance, to the patient experience group. There’s going to have to be a lot of operational workflow and process changes as well, as well as facets within IT, so your operation team needs to be very involved.
Guerra: Sounds like a lot and we know that health systems have been dealing with a lot. What do you think the effect, the COVID effect, on this? Did you think that organizations would be much further along with this if not for COVID? It’s been a 100 percent of their focus?
Wyatt: These rules came out at such a difficult time, and even though interoperability has been in the works for a long time, the rules came out on March 9 of this year, and the final rules came out on May 1. If you look at the timeframe of that, it was literally a week before the pandemic really began to sweep the country. That’s been a huge impact when it comes to distraction of CIOs and everyone else across the organization. A lot of our clients had to split their organization almost in two and have one organization that was keeping the lights on and delivering all the incredible care that they already were, and the other part of the organization was standing up and dealing with becoming a hospital that can handle COVID-19 patients. So they already had that large distraction. This is going to be a big impact to them because of that, and a lot of our clients are saying, “How did I not know about this?” Well, it’s because of the timeframe when this all came out. About 10 percent of the organizations we talk to, the CIOs really had no idea that this was something that they needed to comply with, and there are others that had some things in the works, but they’re not nearly as far along.
Guerra: There are financial pressures from the loss of revenue from COVID. They don’t have the money to do it.
Wyatt: We’ve seen a lot of the demand for our provider organizations come back, but there was a huge dip following the onset of the pandemic in this country. And a lot of folks are still 20 percent off of their regular revenue numbers. We’ve got a great performance and strategy group that helps evaluate how do we improve those types of financial metrics, but this is definitely an additional item that needs to be budgeted for and taken care of as folks are finishing out this year and getting into next year. And it’s something that we think is going to pay dividends in the future, but definitely will have a big financial impact.
Guerra: It almost seems stunning that they would keep the original deadline. I know people are hoping and praying (that it will get delayed), but that’s not a strategy, right?
Wyatt: It’s not an effective strategy. It’s not one that we suggest our clients use. The deadlines actually were pushed back six months, so Dr. Rucker and the ONC came in and has already pushed back the compliance deadline to November 2 so they’re already six months delayed. We’re not anticipating a future delay. What is interesting is that there are impacts that have been designated as financial impacts for healthcare information exchanges and for developers, it’s a million dollars per transaction for any information blocking event. Those financial impacts have not been stipulated when it comes to provider organizations. We are expecting that there is going to be a final rule that comes out from the ONC, and that will be some time after the November 2 date. We’re hearing from some our legal partners that they’re not expecting that to be retroactive, but there should be an enforcement date that comes out that gives civil monetary penalties for provider organizations, and that’s what hasn’t been stipulated yet. So there’s not going to be any “carrot” for this; the carrot was really the funds that came out for ARRA and HITECH. This is now the stick saying that that was intended to make sure we were fostering interoperability, and we really need you to, and if you don’t, here’s the impact that’s going to come down.
Guerra: That’s always fun, just the stick. This is something that’s been debated a little bit – the HITECH Act and the way they pushed out. Do you think it was a missed opportunity to have integrating more interoperability initiatives with that mass rollout of EHRs?
Wyatt: I think the difficulty was that a lot of players in the industry thought that if we got everybody up on EHRs and it was pervasive, then interoperability would just naturally follow. And nobody’s done this before; everyone was working on paper. The interesting impact of this is that it didn’t naturally follow, and that there were these pockets of vendors and different players that didn’t realize how valuable this data was and they didn’t want to share it with one another. They were almost looking at patient data as their (intellectual property). So now, it’s a really fantastic force that’s happening in the industry, where the government is saying, “You need to share this. It’s in the patient’s best interest; it’s in your best interest as well. So here are the methods for how we’re going to make sure that this happens, because it didn’t happen before.”
Guerra: I’ve heard very intelligent people swear to me that information blocking is a myth, and I’ve heard just as bright people say information blocking is absolutely real and it happens. So which is it?
Hyatt: We’ve seen a lot of instances of information blocking definitely occurring. I think in some instances, organizations think that it’s really in the best interests of the patient, and they’re doing it for patient safety reasons, or they’re doing because information wasn’t shared with the patient by the provider, and that’s just the better method for doing it. There’s other areas where I think there’s been information blocking in an attempt to ensure there’s a lack of competition in the industry and what I think is so incredible about these rules is that it’s going to potentially generate a whole new frontier, where there’s going to be third party organizations that are disruptive organizations that can now come in and, with the patient’s consent, get access to this healthcare data and do so much with it. That’s going to further help healthcare than we’ve seen. The EHR vendors have been doing a lot in this space to really foster great patient care, but I don’t think they can do it alone. So now we’re going to have patients managing their own care without having huge stacks of patient records printed out, and we’re going to have third-party organizations helping with very innovative methods of looking at patient data like we’ve never had before.
Guerra: You have the three constituencies – the providers, the developers/vendors and then HIEs, correct? Anything you want to say about the developers and vendors, because their deadlines are further out, any heads up that you want to give those folks?
Wyatt: I think they’re very on top of it. From talking with a couple of the major EHR vendors, they’ve got some great informational webinars that they’ve done with their clients. They’ve got some great information that they’re sharing. They’re already doing development to make sure that they’re in compliance. They’ve actually been part of the conversation and the feedback to create these final rules. Before the final rules came out March 9, there was actually an entire year where folks were able to give feedback on how the rules were going to be constructed, and a lot of the developers took part in responding to that. And that’s why the final rules are so long. They are 1,244 pages and 450 pages because it includes a lot of their comments.
Guerra: I would imagine that the vendors are a little better at dealing with this than the providers, who are dealing with patients and COVID-19, right?
Wyatt: I think there’s fewer distractions, and I think it’s something that they were a little better prepared for and they have whole teams of people who can take care of it. Provider organizations aren’t just big hospital systems; it’s everything down to your neighborhood self-employed physician, so there’s going to be a lot of folks that need to come up with a strategy on how to manage this.
Guerra: Let’s talk a little bit about security. HIPAA was almost prohibitive of moving data – that was one of the reasons people cited. I’ve heard health security executives talk about the challenges they face in being responsible for protecting data and then manage things like these interoperability initiatives. So they’re in a tough spot. How do you see security factor into all of this, and how do you see IT executives working with their CISOs to make sure they’re sharing, but sharing safely?
Wyatt: We talked with our security experts. The good news is there are security audit organizations and there is already guidance surrounding HIPAA and surrounding interoperability requirements. This does open up the data to a whole new group of users, to patients and to third-party organizations. One of the biggest things to note for provider organizations, though, is that once the data leaves their doors securely and to an authorized recipient – those are the big things that they have to make sure is happening, that the recipient is authorized and that data is leaving securely – it’s specified in the rules that it’s no longer their responsibility what happens to the data beyond that. This is a big area of potential consumer education, too, though, because they need to understand who they’re authorizing to have their data and what that organization may do with it.
And then one of the other largest impacts for provider organizations is that the ONC rules stipulated that application programming interfaces, or APIs, are what is going to be used to be the messenger to transmit patient data in the future. So what the rule suggests is that the application developers should use these to minimize the effort needed to transmit patient data. And so provider organizations may want to look at how to make an API that complies with that requirement and communicates with outside organizations as well. And the standard for those APIs is specified as being HL7’s FHIR, so the rules try to make it a little bit easier in terms of how to communicate with other organizations. One of the biggest things to look at though is how are you going to qualify who is an authorized recipient, and how are you going to educate your patients that, once that data leaves your hands, they really to understand what is going to be used for.
Guerra: That’s a good point; a lot of patients won’t think of it that way. The patient, unless they’re educated, they’re going to look at the health system and say, “I gave it to you, and now there’s a problem.” Not that it was passed along to a third party.
Wyatt: There may need to be updates to policies or patient releases that you put into place as a provider organization to account for that as well.
Guerra: Anything else that you want to touch on to tell CIOs or IT execs who are listening? Is there a cramming for the test kind of thing that they can do?
Wyatt: The biggest things are going to be looking at your organization and determine if you first just want to comply with the rules or if want to go above and beyond. They may already be doing so many things as a provider organization that are very strategic; they are probably coming up with an overall digital strategy or you’re looking at a lot of workflows and making changes to those workflows. What we’re suggesting is that if you are already doing all of those actions, make sure that you’re incorporating the knowledge that these interoperability rules are out and that these are the requirements, so maybe you just have to touch these workflows once, or when you come up with your digital strategy, you can incorporate interoperability, too. And then the last closing words of wisdom I have is that there are some major benefits to this for patients and families. We think that it’s going to show that there’s a greater understanding of patient medical conditions. There’s going to be enhanced trust in their physicians and in their provider organizations. Patients are going to feel more in control of their care, and what we’re seeing from studies that have been done at UPMC and other organizations is that there’s actually more demand for additional and future services once patients have the information. And so it could be an increase in patient traffic and an increase in the strength of the relationship that you have with the patient that comes from making sure that you’re really complying with the rules.
Guerra: So it sounds like the big message you’re giving out is that if organizations have any capacity to go beyond basic compliance, do so or at least try to position yourself to be ready to do so, because you’re going to have to do a lot of work to get into compliance, and if you just do a little bit more, you’re going to get some real strategic benefits.
Wyatt: Exactly. I couldn’t have said it better myself.