With the release of final regulations from both the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS) earlier this year, federal health officials delivered a clear message to industry stakeholders, one they have been constructing for at least a few years: that patients need to be more in control of their healthcare, and giving them easier access to their data is the first principal step in making that happen.
Of course, when one pulls back the curtains, it’s apparent that the regulations from ONC and CMS are full of complexities and details that will need to be further ironed out—as evident by the nearly 1,800 pages the rules are written on. They apply to all hospitals, physicians, and health plans that receive any reimbursement through either the Medicare or Medicaid programs. They also affect the technology vendors that these organizations use.
Broadly, the final ONC rule ups the ante for providers, health IT vendors, health information exchanges (HIEs), and health information networks, via its information-blocking provisions. While the information-blocking concept was originally defined by Congress in the 21st Century Cures Act, ONC was tasked to define what doesn’t constitute data blocking. As such, the final rule clarifies where penalties will be enforced and exceptions granted; it’s expected that enforcement of the information-blocking provisions will begin sometime this fall, though the COVID-19 pandemic might push that date back.
From the provider perspective
This is because via CMS’ Promoting Interoperability program, eligible hospitals and providers have to attest they are in good faith when implementing and using their electronic health records (EHRs) to exchange data. “It’s important for health systems to understand that if you attest you aren’t information blocking and then you get investigated for an information-blocking claim, which OIG will [inspect], and you are found to have data blocked, you will get penalized for the year you attested falsely.”
On the provider side, she continues, “You would potentially owe money back if you were able to get incentive funds in the Promoting Interoperability [program]. And you would also be liable for penalties under the False Claims Act for because you falsely attested to a CMS program,” explains Morris. I don’t think a lot of health systems realize this. They don’t have to figure out if they [qualify] for information blocking. They are in, for sure.”
Morris believes the outcome of this, from a provider perspective, will be that every single health system and provider practice will need a compliance program demonstrating why they’re not sharing data for particular reasons, that they meet one of the exceptions outlined by ONC, and that they’re following the rules when it comes to business associate agreements. “That’s a lot to have in place and a lot of providers probably haven’t thought through the massive lift that will be,” she contends.
How vendors will be impacted
When the government announced the proposed versions of the two rules at the 2019 HIMSS conference, CMS Administrator Seema Verma stated at the meeting that some hospitals actually have to ask their technology vendors—who they are already paying—for permission to use their own data. Is this a reality that’s being experienced in the marketplace?
Morris says there’s a large dichotomy. She’s seen some vendors “jack up the prices for creating interfaces [for their customers]. And I have seen [such] unreasonable numbers for what they are quoting—numbers that would shock you,” she contends. Conversely, she also knows that some other vendors believe charging for custom interfaces on top of everything else isn’t where money should be made and is part of what the company does as its core business. “These folks understand that in some ways this is a public good, and part and parcel of what you pay for with an EHR system,” says Morris.
In the ONC rule, “reasonable profit margin” is one of the allowed data-blocking exceptions, meaning vendors are allowed to charge fees, but they will be regulated. So, the vendors that do charge $50,000 for a practice to create an interface to a health information exchange (HIE), for instance, will have to change their fee structures, says Morris. “It costs money to run a business and pay engineers, but that’s very different than the price gouging I have seen,” she says.
Paul Wilder, the new executive director of the CommonWell Health Alliance, an organization that provides interoperability services for its members—most of which are EHR vendors—admits that some interface fees “are ridiculous.” However, he contends that vendors would drop their prices if all their competitors did the same.
He says that in an ideal world, there would be a set deadline for when vendors need to make their services and fees transparent to the market. That way, there won’t be the “first-mover disadvantage to being an information sharer” that exists today, he says. Rather, packaging services in a bundle at the onset would lead to higher transparency and avoid situations in which customers have to pay extra for a bolt-on three years after purchasing the original product, Wilder explains. “By setting a deadline, information blocking gets rid a lot of the game-theory trickery that you have had in the past,” he says.
Exceptions to the rule
Although information sharing is critical to improving U.S. healthcare, there are also very legitimate instances in which data exchange can’t happen, notes Micky Tripathi, Ph.D., president and CEO of the Massachusetts eHealth Collaborative. As he explains it, those exceptions fall under two categories: one being that the entity is not fulfilling a data-sharing request for a certain reason, and the other being around fulfilling such a request, but in a different way than what was expected.
One example of an allowed exception, Tripathi offers, could be that an organization didn’t share the diagnostic results of a pathology report suggesting a patient has cancer. “Maybe [as the provider], I say I won’t releasee that data via an app because I want to talk to the patient first. That’s a legitimate use case and I want to make an exception for this,” he says. An app presenting a security issue for the host organization is another example of an authentic exception, he adds. Another might be that the data being requested is bundled and the entity on the other end cannot parse it out. This would fall under the infeasibility justification.
According to Morris, ONC has already stated that information-blocking investigations and penalties will evolve much like case law evolves in other sectors. “So as they go through their investigations, they will build out more examples of what is allowed and what’s not, and what’s reasonable for exchanging data and what’s not,” she says.
Notably, Morris also notes there is an expectation that industry stakeholders “will leverage an information blocking complaint as a way to hurt their competitors.” Ultimately, however, Wilder advises that organizations should not structure programs around trying to leverage the exceptions. “It’s better to start in the other direction and figure out how to [comply] with the rule.”