Under the 21st Century Cures Act (Cures Act), the Health and Human Services (HHS) Secretary is mandated to have promulgated regulations by Dec. 13, 2017 that, among other requirements, prohibit “information blocking” as a condition to Electronic Health Record (EHR) certification, which is a requirement that EHRs must meet to qualify for use in Medicare/Medicaid EHR Incentive Programs. Although the HHS Secretary has yet to do so, and the Office of the National Coordinator for Health Information Technology (ONC) continues to work on defining the Cures Act broad definition of information blocking through exemptions, the prohibition is already supported by the 2015 Edition Health IT Certification Criteria, as well as other federal regulations and programs, such as HIPAA and MACRA.
Accordingly, vendors and providers should avoid practices that may be considered “information blocking” when negotiating their contracts for services, including technical limitations that make authorized access to the electronic health information difficult, burdensome or expensive for health care providers or patients. Such restrictions on health IT (HIT)’s certified technical capabilities may result in risk to the technology’s EHR Certification and/or result in civil penalties.
Cures Act’s Implications for Health Care Providers
While software developers would seem to be the main target of the Cures Act, they are not the only professionals that must be aware of such prohibitions. Under the Merit-based Incentive Payment System (MIPS) for the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), health care practitioners are now expected to submit a “Prevention of Information Blocking Attestation,” which indicates that such providers will make a “reasonable attempt” to maintain interoperability. Regulators fear that practitioners may engage in information blocking activities in an attempt to prevent patients from going to a competing provider or blaming confusion over complying with HIPAA or other state and federal privacy laws.
Under MIPS, however, individual practitioners are expected to get adequate assurances from their HIT vendors that they comply with information sharing requirements. Many practitioners have voiced concerns about meeting these requirements in light of challenges they already face with fully utilizing EHR technology, much less being cognizant of technological functionality or enhancements that support data sharing. Furthermore, given EHR vendors’ current lack of clarity on what would be considered “information blocking,” health care providers are concerned that they may not be able to obtain “adequate assurances” that all information sharing requirements are adequately met.
Information Blocking
In recent years, EHR vendors have been accused of intentionally complicating and monetizing the interoperability of electronic health records. Enacted on Dec. 13, 2016, the Cures Act was established, in part, to prohibit EHR vendors from such activities collectively referred to as “information blocking.”
The Cures Act broadly defines “information blocking” as any “practice that … is likely to interfere with, prevent, or discourage access, exchange, or use of electronic health information” if the practice is known or should be known by the relevant entity to “interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information.”
The Cures Act also provides wide sweeping examples of information blocking, such as “[i]mplementing HIT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using electronic health information.” These examples are likely based on the 2015 ONC Report to Congress on Health Information Blocking (2015 ONC Report), which discussed vendors “charging prices or fees (such as for data exchange, portability, and interfaces) that make exchanging and using electronic health information cost prohibitive,” and “developing or implementing health IT in non-standard ways that are likely to substantially increase the costs, complexity, or burden of sharing electronic health information.”
EHR Certification
For purposes of EHR Certification, the Cures Act mandates that EHR and HIT vendors must attest that they are not engaging in information blocking. Vendors that make false attestations risk being penalized with revocation of the certification. This certification is essentially a requirement of doing business as a HIT developer, in light of the fact that the ONC has required that health care providers use a certified EHR to qualify for Medicare and Medicaid EHR Incentive Programs.
The Cures Act also requires that the HHS Secretary establish a process for collecting complaints of information blocking and for investigating such complaints, with the Office of Inspector General (OIG) as the agency designated for carrying out such investigations. The 2015 ONC Report recommended that health IT vendors engaging in information blocking should face corrective action, up to and including the suspension or termination of its EHR certification. The Cures Act specifies that the penalty for information blocking is up to $1 million “per violation.”
Current Regulatory Guidance for Software Developers
Although the 2015 ONC Report currently serves as the ONC’s best guidance as to its stance on information blocking, the 2015 Edition of ONC’s Health IT Certification Criteria already require EHR software to enable users to export patient summaries in a customizable and user-friendly manner.
Additionally, the Privacy Rule of the Health Information Portability and Accountability Act (HIPAA) promotes the interoperability of EHR software, including the flow of patient health information to providers for treatment, payment, and health operations purposes, as well as to patients themselves. Furthermore, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires that patients must be able to transmit data at little or no cost to a location of the individual’s choosing, even if that may be a competing health care provider or to an alternate HIT vendor.
Many vendors claimed that meeting the Cures Act’s requirements is prohibitively difficult, especially in conjunction with the HIPAA Privacy Rule, which places significant restrictions on how certain entities, including health care providers, may use or disclose patients’ health information. However, as noted, HIPAA promotes the interoperability of EHR software to enable the permitted sharing of patient health information not only for personalized healthcare but also to advance medical research and public health.
Thus, regardless of the ONC’s final rules, HIPAA promotes the development of EHR software that permits the transmission of health information freely to authorized users, regardless of the software environment in which it sits.
Next Steps
These heightened requirements come at a complicated time for EHR vendors and healthcare providers.
Almost all health care providers have already implemented an EHR system, and thus, with customer demand at an all-time low, EHR vendors are seeking out new revenue opportunities. On the other hand, health care providers are looking for more cost-effective ways to minimize the ongoing costs of medical software and services, while maintaining high expectations for EHR software to provide a secure storage solution for patient information.
HIT developers and health care providers anticipate that the ONC, tasked with drafting rules for these processes by the HHS Secretary, would soon clarify what activities qualified as information blocking; standard and “nonstandard” ways of burdening the exchange of health information, and how an entity can be determined to be in compliance with such requirements.
While the ONC has reportedly been meeting with stakeholders and other government agencies to determine what practices shall be exempted from information blocking’s broad definition, the ONC’s Deputy National Coordinator has not yet offered a timeline as to when such publications may be released. The OIG, on the other hand, has indicated its readiness to investigate and take enforcement actions against information blocking violators, but must await the implementation of the ONC’s rules prior to taking any actions. Currently, the OIG does not have a legislated investigation process, so it is unclear which entity would have the burden of proving whether information blocking has occurred and what standards of implementation would act as operational benchmarks.
Moving forward, EHR developers will need to work closely with health care providers and interoperability standard groups to avoid any practices that may be considered to be information blocking in order to maintain their ONC certification and to avoid costly penalties. At a critical time with regard to EHR vendors’ financial viability, these entities are challenged to balance not only enabling cost-effective and outcome-based healthcare delivery, developing interoperable EHR software that does not run afoul of the information blocking restrictions, while protecting the vendors’ intellectual property rights in its software and other innovations and maintaining profitability. However, HIT vendors and health care providers alike await the ONC’s future guidance on information blocking to ensure the requisite interoperability of EHR systems.