Dive Brief:
- Trump administration healthcare officials on Monday finalized two highly anticipated rules prohibiting the practice of information blocking and giving patients more agency over their medical data. The rules had been held up amid controversy and a fierce industry discussion about patient access versus privacy and security.
- Providers and entrenched health IT interests are unlikely to be pleased with the final iterations, which seem to largely mirror the proposed versions and include added burden on payers. The timeline to come into compliance has been pushed back, and the rules include a new exception to information blocking. The American Hospital Association quickly reacted Monday with a statement saying the regulations don't protect consumer health information.
- The final CMS rule includes a controversial provision requiring hospitals to send electronic notifications to other caregivers when a patient is admitted, discharged or transferred. Provider interests slammed the plan in their comments on the proposed rule, saying it would add more EHR burden onto already stressed clinicians. It will go into effect in six months.
Dive Insight:
The CMS and ONC rules, which have been under review by the Office of Management and Budget since late September and late October, respectively, were proposed more than a year ago and garnered thousands of comments.
The ONC final rule is aimed at giving consumers free electronic access to their structured and unstructured medical data by trying to get all healthcare organizations singing off the same sheet of music when it comes to interoperability.
It does so by standardizing application programming interfaces (APIs), the part of the server that receives requests and sends responses between disparate computer systems. It also updates the 2015 Edition certification EHR criteria to ensure IT systems send and receive electronic health information in a synchronous manner, while allowing patients to export and view their data.
"What we want to do here ultimately is finalizing the policies we believe will allow patients to manage their healthcare the same way they manage their finances or their travel — on their smartphone," ONC head Don Rucker told reporters Monday.
Vendors and providers will be required to send and receive a limited set of data in U.S. Core Data for Interoperability — a national standardized set of core data classes and elements that must be interoperable between systems — starting two years from when the rule is published in the Federal Register.
USCDI includes clinical notes, data on allergies, medications and demographics to, in theory, make it easier to match patients to their records. The types of data required to be interoperable will be slightly expanded in 2023, Rucker said.
The ONC rule would also allow EHR and health IT software users to communicate about the systems' usability including taking screenshots and video, which is currently prohibited under the contracts of a handful of major EHR companies, including market giant Epic.
It also enacts elements of the 21st Century Cures Act by identifying what does and does not constitute information blocking.
The proposed rule included seven "reasonable and necessary" exceptions to the definition of information blocking: preventing harm, promoting electronic health information privacy, responding to infeasible requests, maintaining and improving health IT performance, promoting information security, recovering reasonably incurred costs, and licensing interoperability elements.
The final ONC rule adds an eighth: the "content and manner" exception, which an actor can satisfy if it provides at least the content within the USCDI in response to a request for access.
Businesses will not be subject to civil penalties or other legal measures if their actions satisfy one or more of these exceptions, and the information blocking section of the rule will not go into effect for six months. But under Cures, HHS and ONC are required to regulate the interoperability of healthcare information, taking action against any malfeasance or wrongdoers impeding the electronic flow of patient data.
The bodies can impose up to $1 million in financial penalties per violation. However, ONC and HHS' Office of the Inspector General won't enforce the penalties until they go through additional notice and comment rulemaking.
The CMS rule requires Medicaid, the Children's Health Insurance Program, Medicare Advantage plans and Affordable Care Act exchange plans to provide their collective 125 million patients with free electronic access to their personal health data, including medical claims and encounter information (including cost), by 2021.
The push builds off the 2018 Blue Button 2.0 initiative in Medicare, agency officials say, which currently hosts 55 organizations with apps in production.
MA plans, state Medicare and CHIP programs, CHIP managed care entities, Medicaid managed care plans and qualified health plans in the federal exchanges now have to "implement, test, and monitor" a Health Level Seven FHIR-compliant API, which the government has selected as the new national standard.
Those plans also have to make their provider directories available to current and potential enrollees through the API technology (excepting the federal exchanges, which already do so) by 2021, with the hope insurers will carry over those practices to private plans as well.
That will allow third-party applications to pull that information and help patients evaluate which plans are right for them and what doctors are in-network in real time, CMS Administrator Seema Verma said.
Additionally, by 2022, plans are now required to share certain clinical information with each other at the patient's request, allowing patients' cumulative health records to follow them as they move between insurers and plans.
In the proposed version, payers in CMS programs would have been required to participate in a trusted exchange network, an online network that automatically verifies the security and identity of participants to enable the free flow of information. However, those requirements were not included in the final rule.
CMS will publicly report any players that may be information blocking using performance data from the 2019 plan year, with the hope that public shaming will incentivize businesses to prioritize the free flow of information and help patients choose interoperable providers.
Though industry supports interoperability in theory, payers, providers and health IT companies have been skittish from the start about the rules, which would make it easier for patients to switch between plans, companies and sites of care.
Stakeholders should be happy the government pushed back compliance dates for the rules, however, which were originally slated to go into effect as early as Jan. 1 this year. Payers and providers objected to the quick turnaround given the number of steps necessary to get into compliance, including developing and certifying new EHR functions, provider adoption and customization and staff training.
The rules were mired in controversy over privacy and security from the start, with software companies in particular warning they didn't go far enough to protect patients' highly sensitive medical information. Allowing patients to export their health data into third-party apps, which aren't held to the same privacy standards as healthcare organizations, could result in a tsunami of leaks, critics said.
The American Hospital Association on Monday said in a statement the finalized regulations don't do enough on the privacy front. "The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals," the group said. "This could lead to third party apps using personal health information in ways in which patients are unaware."
Epic, which has a business model threatened by the rules, aired its concerns early this year that making it easier to share patient data between healthcare organizations and third-party apps would compromise the privacy and security of the sensitive medical information. Controversially, Epic CEO Judy Faulkner urged the company's health system clients to sign a letter to HHS opposing the rules.
But patient knowledge and consent is paramount to the rules, Trump administration officials said Monday. Patient consent is baked into the patient authentication process, allowing providers to let patients know what they're agreeing to and give them a heads up about any privacy concerns before they export their data.
"I think we've put in some powerful protections here," Rucker concluded.
HHS estimates the regulations will save about $3.3 billion per year while giving roughly 125 million patients easier access to their records. And health IT experts say they're necessary given the messy state of interoperability. An ONC report out just this month found a majority of hospitals are still relying on fax and mail to access summary of care records.
Originally, President Donald Trump was slated to announce the release of the rules at major health tech conference HIMSS in Orlando, also Monday. However, the massive conference, which attracted some 45,000 attendees last year, was canceled for the first time in almost six decades due to the spreading outbreak of the novel coronavirus.