ONC’s Interoperability Rule Drops: Key Elements Stakeholders Need to Know
Industry stakeholders have been anxiously awaiting the release of two regulations on interoperability and patient access that were finally delivered on Monday. Now, health IT leaders hope to have more clarity on how requirements around information blocking and concerns over patient privacy will impact their businesses and practices moving forward.
Final rules from both the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS) were released today, and this piece will focus on the ONC rule specifically, which is 1,244 pages long. According to National Coordinator for Health IT Don Rucker, M.D., who spoke about the ONC rule on a March 9 press call, the regulation aims to “allow for the safe and secure access of health information [going] back to patients.” The rule, which Rucker called “unprecedented in his 30 years of working in health IT,” implements the clinical interoperability aspects of the 21st Century Cures Act. Rucker added that finalizing these policies will enable Americans to have electronic access to their health data on their smartphones, if they choose.
The rule, he continued, requires hospitals and doctors to provide software access points, or endpoints, to their electronic health record (EHR) databases so that patients can download these records to their smartphones. Ultimately, what the government is striving towards, said Rucker, is to give patients the ability to manage their healthcare the same way they manage their travel or other parts of their lives.
“By giving patients computable control of their health information, we will see a growth in patient-facing health IT markets from an entirely new app ecosystem that will be fueled by transparency about both product and price. We think this health app economy will have new services, and we see the smartphone as a tool to connect other devices to it, [such as] glucometers, blood pressure cuffs, digital scales, peak flow meters and heart rate monitors. The technology we are unleashing here will democratize healthcare in powerful ways,” Rucker stated.
Rucker noted that more than 2,000 comments were received on the rules in the past year, and that the rule's length is largely due to responding to those comments rather than the rulemaking itself.
Another information blocking exception and new timelines
As it relates to data blocking, the final rule, officials stated, “identifies and finalizes the reasonable and necessary activities that do not constitute information blocking while establishing new rules to prevent information blocking practices (e.g., anti-competitive behaviors) by healthcare providers, developers of certified health IT, health information exchanges, and health information networks as required by the Cures Act.”
Notably, while there were originally seven proposed exceptions to information blocking, as outlined by ONC last year, federal health officials added an eighth in the final version—a “Content and Manner Exception,” which according to the health IT department, applies if an actor, at a minimum, provides the content within the United States Core Data for Interoperability (USCDI) standard in response to a request for access. “This exception supports innovation and competition by allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI,” according to ONC.
The other seven "reasonable and necessary" exceptions to the definition of information blocking include: preventing harm, promoting electronic health information privacy, responding to infeasible requests, maintaining and improving health IT performance, promoting information security, recovering reasonably incurred costs, and licensing interoperability elements.
The final rule stated that healthcare providers, health IT developers of certified health IT, health information exchanges (HIEs), and health information networks (HINs)—called actors—must comply with the information blocking provision six months after publication of the final rule in the Federal Register, which is expected to be next week, said Rucker. One change in this section from the proposed rule to the final version is that the definitions of HIEs and HINs are combined “to create one functional definition that applies to both statutory terms in order to clarify the types of individuals and entities that would be covered.”
However, ONC and the Office of Inspector General (OIG) still need to coordinate timing of the compliance date and the start of information blocking enforcement—or in other words, at least six months from now. ONC added that the enforcement of information blocking civil monetary penalties will not begin until future rulemaking is issued by OIG. In the proposal, it was stated that vendors, HIEs and HINs are subject to up to a $1 million fine per information blocking violation, if they are found to be bad actors. In an emailed statement, McDermott Will & Emery Washington, D.C.-based Partner James Cannatti said that “HHS’ intent to delay enforcement of the information blocking civil monetary penalties until the OIG completes notice-and-comment rulemaking provides a further reprieve to wary stakeholders.”
Privacy concerns: alleviated or not?
In recent weeks leading up to the rules’ release, a new controversy emerged when EHR giant Epic emailed the chief executives of some of the largest hospitals in the U.S., urging them to oppose the proposed regulation. Then, in a Jan. 27 statement posted to its website, the EHR vendor—whose technology systems house data for some 250 million patients—said the rule contains “serious risks to patient privacy,” in its current form. There was even some talk that Epic could sue HHS if the proposed rules were as “objectionable” as proposed, though that notion was quickly dismissed.
Indeed, as laid out by ONC in the rulemaking, EHR systems would be required to allow patients to download their medical data to apps of the patient’s choosing, which Epic and other stakeholders believe presents a major risk since third-party apps will not be required to follow data blocking policies under ONC's rule. About 60 health systems did pledge their loyalty to Epic by signing a letter to the government opposing the rule, though many of Epic’s largest health system customers did not.
Rucker acknowledged that there’s always risk involved when operating within a digital ecosystem. He noted, “The postulated risks raised were under the theory that patients would somehow be at risk if they used an app with undisclosed or nefarious privacy policies, that they would then have the medical data downloaded in what would be called secondary use of data.”
But, he added, it’s important to consider that “it’s the choice of patients whether or not they want to download anything whatsoever.” Under the ONC rule, patients exercise their right of access, said Rucker, and the regulation binds in consent that the government believes is enforceable, both by the Federal Trade Commission and by a large number of states, to ensure that what apps say about their privacy policies is in fact truthful.
ONC Deputy National Coordinator for Health IT, Steve Posnack, offered to the press an example of the process. If a patient chooses an app that he or she believes will help meet his or her healthcare needs—say a medication management app—that app could be sent to the provider’s portal by the patient. At this point, using the certified API technology and the OAuth2 technical standard, the patient is asked by the provider via the app authorization screen whether they want to approve or reject the app’s ability to receive their electronic health information (EHI). The healthcare provider can then warn the patient if the app has not adhered to certain privacy practices as recommended by ONC, ultimately giving the patient the final choice of whether or not to proceed with sending data. It is emphasized that these privacy policies and practices of third-party apps are only encouraged by ONC—not required.
In the final rule, ONC clarified that it would not be considered an “interference with” the access, exchange, or use of EHI—and thus not information blocking—if an information blocking actor engaged in practices to educate patients about the privacy and security risks posed by the apps they choose to receive their EHI.
Rucker was asked on the press call why these privacy practices couldn’t be mandated, rather than simply recommended, to which he cited legal constraints on ONC’s ability to take that action. At the same time, he called the protections around access and use of patient data by third-party apps “powerful.”
It remains to be seen how stakeholders will respond to these patient privacy elements in the rule, though some very early feedback has already come in. Anders Gilberg, senior vice president, government affairs, at the Medical Group Management Association (MGMA), noted in a statement, “MGMA is concerned that the ONC rule permits EHR vendors to push API costs onto providers.” Meanwhile, the American Hospital Association (AHA) stated that the finalized regulations don't do enough on the privacy front. “The rule lacks the necessary guardrails to protect consumers from actors such as third-party apps that are not required to meet the same stringent privacy and security requirements as hospitals,” the group said. “This could lead to third-party apps using personal health information in ways in which patients are unaware.”
Other important rule provisions
- ONC noted that currently, many EHR contracts contain provisions that either prevent or are perceived to prevent users from sharing information related to the EHRs in use, such as screenshots or video. “The ONC final rule updates certification requirements for health IT developers and establishes new provisions to ensure that providers using certified health IT have the ability to communicate about health IT usability, user experience, interoperability, and security including—with limitations—screenshots and video, which are critical forms of visual communication for such issues,” officials stated. Examples of limitations include not altering the screenshots or video except to annotate or resize them, and limiting the screenshots or videos to only the information that’s necessary to communicate a health IT-related need.
- In its draft version, ONC proposed to adopt the HL7 Fast Healthcare Interoperability Resources (FHIR) standard as a foundational standard and requested comment on four options to determine the best version of FHIR to adopt. It finalized that FHIR Release 4 will be the one that developers will be required to adopt.
- The final rule also mandates the SMART/HL7 bulk data export API for ready extraction of population data from EHRs.
- In general, most implementation timelines related to elements such as EHR updates and API-related requirements will go into effect starting two years from when the rule is published in the Federal Register.