Interoperability & HIE
Breaking Down ONC’s Information Blocking Proposed Provisions: What HIT Stakeholders Need to Know
With the release of a 724-page proposed rule from the ONC (Office of the National Coordinator for Health IT), industry observers received long-anticipated critical information around information blocking—such as what constitutes it, what qualifies as exceptions, and what the consequences are for those found in offense.
Per the proposal, which is lined up to take effect in 2020, there will be four categories of healthcare “actors” that will be regulated by the information blocking provision: providers, certified health IT developers, HIEs and HINs (health information networks). Vendors, HIEs and HINs are subject to up to a $1 million fine per information blocking violation, if they are found to be bad actors. Providers are not subjected to a monetary fine.
Depending on who you ask, the answer to the questions of “How much information blocking truly occurs in healthcare?”; “Who are the primary offenders?”; and “How seriously will organizations respond to the proposals?” will differ.
Jodi Daniel, a former ONC policy director who was a key agency official in writing ONC’s information blocking report to Congress back in 2015, believes that the proposed rule is significant enough that it will change how businesses operate. “For the first time, folks are really being forced to interoperate, and there are substantial penalties for not doing so. I think it will change practices,” says Daniel, who is now a partner in the law firm Crowell & Moring’s healthcare group. She adds, “Vendors will take it seriously. It will force vendors to look at their practices and it will give entities that have been trying to access data and have had challenges that were raised in this information blocking report [to Congress] more leverage.”
Those who are in the vendor or provider communities may offer different perspectives. Jitin Asnaani, the executive director of the CommonWell Health Alliance, an association that provides an interoperability platform and services for its members—inclusive of some of the top health IT vendors—says he has seen concrete examples of information blocking from both vendors and providers. Asnaani recalls two separate vendor companies telling him a few years ago that they didn’t want to participate in CommonWell because it threatened their business model of charging for interfaces—an action that could qualify as information blocking.
Asnaani, however, contends he has not seen or heard of hospitals having to ask permission from EHR vendors to use their own data. “If it is true, that’s abhorrent,” he asserts. “In no scenario, does the EHR or health IT vendor own patient data. They have to protect it, but in no scenario do they have a right to control where that patient data goes such that the patient or provider needs to ask them permission about it,” he says.
Asnaani says he does know of provider organizations who actively do not participate in certain interoperability initiatives because they want to control who they share data with. “And that’s because of competition; they literally tell me they don’t want the hospital [down the street] to take patients [from us]. If someone put a gun to my head and asked if I could write these provider names down, I could. That is a reality. I have more than enough evidence that it’s very real,” he says.
A third viewpoint comes from the provider side, as Marc Probst, CIO at the Salt Lake City-based Intermountain Healthcare told Healthcare Innovation that he has “never heard of providers [withholding patient data for competition purposes],” while adding that he’s “not naïve enough to believe that it doesn’t happen at all.”
Regarding exceptions and penalties, the devil is always in the details when determining if a specific situation qualifies as an “exception” or not, and there is a considerable amount of grey area, even with the proposed exceptions laid out in the rule.
“The regulators cannot come up with every possible example and situation. Things still come up with HIPAA and that [law] is over 20 years old,” notes Daniel. “There will always be ambiguity; if someone in good faith [tries to] comply with the exception, documents it, and has done their due diligence, that would be considered if there was an allegation of information blocking—even if the enforcers disagreed,” she adds, suggesting that the best advice for someone when there is ambiguity “is to do the diligence, document your justification, and make sure it’s defensible in case someone comes and questions it.”
The review and enforcement, Daniel says, will likely be handled by the ONC and the OIG (Office of Inspector General), noting that information blocking fines will be beyond what stakeholders are accustomed to. “Per violation, they are a magnitude higher than HIPAA penalties,” she says. “It’s up to a $1 million [per instance], so there is a lot of flexibility in the amount they could fine [you] for egregious behavior.”
Asnaani, meanwhile, who acknowledged at the time of the interview that he has not read through the rule in its entirety yet, believes that the proposed penalties are “very non-committal for providers.” He further notes, “They made it nebulous. You don’t know if you will get penalized or not, which is tricky from a provider point of view.”
Interestingly, while ONC is primarily going to be in charge of the information blocking provisions and penalties, CMS said in its aligned proposed rule that it would make public the names of clinicians and hospitals that submitted “no” to three attestation statements committing them to data sharing. Asnaani believes that a provider organization having “its name strung up nationally” could have enough teeth, but at the same time, in the local communities where the clinic or hospital exists, it’s already known which practices make it difficult to work with them.
In the end, health IT stakeholders seem to be in universal agreement about the substantive nature of these proposals. Dan Golder, a principal at the Illinois-based consulting firm Impact Advisors, believes that the benefits of information sharing outweigh the negatives, and that initiatives to advance these movements are already underway. To this point, Golder notes, in an email to Healthcare Innovation,“ ONC will need to be cautious in applying the proposed information blocking rules so as to not hinder the current progress by vendors and health systems, and to not be perceived as too restrictive nor unreasonable in requirements, timelines and penalties.”
Policy & Value-Based Care
Medicare Actuaries Predict: U.S. Healthcare Spending Will Hit $6 Trillion by 2027
National health expenditure growth is expected to average 5.5 percent annually from 2018 to 2027, reaching nearly $6 trillion by 2027, according to a report published on Feb. 20 by the independent Office of the Actuary at the Centers for Medicare & Medicaid Services (CMS).
The report projects the health share of Gross Domestic Product (GDP) to rise from 17.9 percent in 2017 to 19.4 percent by 2027, as growth in national health spending is projected to be faster than projected growth in GDP by 0.8 percentage points over the same period.
According to the analysis, the outlook for national health spending and enrollment over the next decade is expected to be driven primarily by:
• Key economic factors, such as growth in income and employment, and demographic factors, such as the baby-boom generation continuing to age from private insurance into Medicare; and
• Increases in prices for medical goods and services, which are projected to grow 2.5 percent over 2018-2027 compared to 1.1 percent during the period of 2014 to 2017).
Similar to the findings in last year’s report, this report found that by 2027, federal, state and local governments are projected to finance 47 percent of national health spending, an increase of 2 percentage points from 45 percent in 2017. As a result of comparatively higher projected enrollment growth in Medicare, average annual spending growth in Medicare (7.4 percent) is expected to exceed that of Medicaid (5.5 percent) and private health insurance (4.8 percent).
Underlying the strong average annual Medicare spending growth are projected sustained strong enrollment growth as the baby-boomers continue to age into the program and growth in the use and intensity of covered services that is consistent with the rates observed during Medicare’s long-term history, according to the report.
Cybersecurity
CHIME Responds to Senate HELP Committee’s RFI on Rising Healthcare Costs
Healthcare associations have written to the Senate Committee on Health, Education, Labor, and Pensions (HELP), responding to committee Chairman Lamar Alexander’s (R-Tenn.) request for information to address healthcare’s rising costs.
One main area of focus for the College of Healthcare Information Management Executives (CHIME), the Michigan-based association that represents more than 2,800 CIOs and other health IT senior leaders, was cybersecurity. CHIME noted that “we must ensure the implementation of stringent privacy and security standards,” and the association is calling upon the committee to address the growing nature of cybersecurity threats to patient data and ensure that security is included in any policy recommendations.
Specifically, CHIME said, the complexities with meeting HHS (Department of Health & Human Services) privacy and security requirements “can be staggering.” The comments went on, “Audits by the Office for Civil Rights (OCR) are perceived as being punitive and not assisting the organization to recover and learn from a breach. Providers today must dedicate highly valuable resources to navigate a complex and often unbalanced and punitive regulatory landscape. Resources and efforts are often focused on compliance with OCR requirements, which may not always represent the greatest threats faced by a healthcare provider, diminishing rather than aiding their ability to guard protected health information (PHI).”
And to further enhance proactive collaboration, CHIME wrote that “safe harbors from resolution agreements as an incentive for organizations that demonstrate, and certify, cybersecurity readiness should be offered, which may warrant Congress to amend provisions of the HITECH Act.”
According to CHIME, this will “encourage the investment into cybersecurity from the providers in an age when it is understood no organization can prevent all cybersecurity attacks.” Further, CHIME said, “it may be necessary for Congress to consider revising some of the definitions set forth in HITECH, such as the definition of a breach, as to not presume guilt.”
CHIME also offered that in its cybersecurity assessments, OCR should acknowledge provider efforts and investments to safeguard information and information systems. “HHS should be encouraged to pursue policies which reward providers and other covered entities for engaging in good faith efforts to prevent cybersecurity attacks rather than unduly punitive ones,” the association wrote. Providers should also be able to maximize protections allowed under business associates agreements (BAAs) by redistributing responsibility for security more evenly among covered entities and their business associates (BAs), CHIME said.