The Trump administration is expected any day to issue new rules laying out how HHS will curb providers from hoarding data via information blocking, amid calls from Congress and industry to act.
Sec. 4004 of the 21st Century Cures Act charges the secretary of HHS to issue regulations to limit data blocking and identify "reasonable and necessary activities that do not constitute information blocking." Yet 19 months have lapsed since the Cures Act was signed into law, and no information blocking regulations have been issued.
CMS Administrator Seema Verma talked tough on information blocking at HIMSS18, telling healthcare leaders that information blocking would no longer be tolerated and has stood firm on requiring providers to use 2015 Edition certified EHRs, which open APIs, by 2019. "Let me be crystal clear, the days of finding creative ways to trap patients in your system must end," she said.
Health IT Now, a broad group made up of companies from Aetna to athenahealth to Oracle, as well as some patient and provider groups, has been griping for months about the holdup.
"To be clear, Health IT Now has met with countless officials in the Trump administration who share our commitment to combat information blocking," group executive director Joel White wrote in a recent op-ed. "But those sentiments must be met with meaningful action."
The coalition threw its weight behind a Senate amendment that would require the administration to provide Congress with an update on its progress on the information blocking regulations by the end of this month. The amendment was adopted late last month as part of the FY 2019 Labor-HHS appropriations bill.
With the clock ticking and increasing pressure from lawmakers, providers and others, HHS earlier this month sent a proposed rule to the Office of Management and Budget for regulatory review prior to publication.
According to a preview released by HHS, the proposed rule would "update the ONC Health IT Certification Program (Program) by implementing certain provisions of the 21st Century Cures Act, including conditions and maintenance of certification requirements for health information technology (IT) developers, the voluntary certification of health IT for use by pediatric healthcare providers, health information network voluntary attestation to the adoption of a trusted exchange framework and common agreement in support of network-to-network exchange, and reasonable and necessary activities that do not constitute information blocking."
HHS recently issued a call for feedback on criteria for its EHR reporting obligations under the Cures Act. The request seeks industry's views on issues such as use of product integration to gauge interoperability and what criteria will indicate if an EHR system meets users’ security and privacy needs.
Cures requires the Office of the National Coordinator for Health Information Technology to release regulations on APIs that allow access to all data elements within EHRs. It also authorizes HHS to investigate if companies are blocking information exchange and thus preventing interoperability. Violators may be fined up to $1 million per infraction, but as yet have little insight on what practices are prohibited.
A delicate balancing act
So why the hold up in implementing the law's interoperability provisions?
Some point to industry expectations. "We understand that ONC and OIG are focused on development of exceptions and safe harbors to define what are legal practices under the 21st Century Cures Act, similar to the approach taken by the Stark law and Anti-Kickback statute," John Travis, vice president of regulatory research at Cerner, told MedTech Dive via email.
Vendors are generally on board with open APIs, and their clients are increasingly comfortable providing patient data and services using APIs built on the emerging HL7 FHIR standard or app standards such as SMART on FHIR, he wrote.
That said, "expansion of API coverage should be carefully profiled and tested by the vendor community before becoming a regulatory requirement,” he said. “This process can help support that the proposed standard works as intended, as each vendor can interpret them differently."
Ensuring a level playing field is also key, Travis stressed. Hospitals and vendors are looking for guidance from ONC and OIG that exchange of data and applications accessing APIs will be done in a trusted and secure manner, without unnecessarily blocking information. "It is less a matter of agreeing to standards, as the industry has gravitated to a core set of standards but its own merit," he said.
Still, sharing across vendor platforms continues to be a challenge for providers, said Chantal Worzala, vice president of health information and policy operations at the American Hospital Association.
"We are seeing new tools and technologies, including APIs and apps, that will allow for more convenient and flexible access to health information and new ways for individuals to engage in their health," she told MedTech Dive. "But movement in this positive direction must be balanced against the real and developing risks to systems security and the confidentiality of health information from cyber criminals and other bad actors."
In comments on the FY 2019 Inpatient Prospective Payment System proposed rule, the AHA urged CMS to establish an interoperability framework for technology and health information exchange, and to not impose Condition of Participation or Condition of Coverage requirements as a means of encouraging interoperability. The group also pressed CMS to finalize a method for rating and crediting hospitals for their efforts to promote interoperability.
Enhancing the data set
One of the prerequisites to effective interoperability is the ability to match patient records across disparate locations using standardized data and other means. Currently, there are APIs available for patient access to data that focus on the common clinical data sets. But other data elements outside these CCDS could also be useful to clinicians and patients and should be included in APIs, says Ben Moscovitch, project director at Pew Charitable Trusts. For example, better standards for demographic data and identifying what demographic data to collect could enhance patient matching.
What currently is in the regulations on the 2015 Edition certification program are APIs that make the CCDS available for patient access to data. Moscovitch expects the upcoming regulations will go beyond that expectation.
"There are certainly opportunities to improve interoperability, and these forthcoming regulations from ONC are among those opportunities," he told MedTech Dive. "This API provision can support greater access to data for clinicians and patients so they can better use this information to improve patient care."
Correction: In a previous version of this article, Ben Moscovitch's last name was misspelled.