Breaking Down ONC’s Information Blocking Proposed Provisions: What HIT Stakeholders Need to Know
With the release of a 724-page proposed rule last week from the ONC (Office of the National Coordinator for Health IT), industry observers received long-anticipated critical information around information blocking—such as what constitutes it, what qualifies as exceptions, and what the consequences are for those found in offense.
As the proposed rule lays out, information blocking—which the 21st Century Cures Act defined as interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information—"is a practice that is profoundly anti-consumer and anti-competition. Information blocking can be used to increase revenue, escalate prices, and prevent market competition both for current and future competitors and for new services.”
What’s more, in the rule, ONC officials referred to a 2017 study of 60 HIE (health information exchange) leaders by notable health IT researcher Julia Adler-Milstein, Ph.D, which found that half of leaders of health information exchange efforts nationwide reported that they routinely encountered information blocking by health IT developers. The top three types of information blocking practices they encountered on a routine basis included: deployment of products with limited interoperability (49 percent); high fees for health information exchange unrelated to cost (47 percent); and making third-party access to standardized data difficult (42 percent).
Because information blocking in of itself can be quite subjective, the ONC also proposed several exceptions, which it says, if finalized, “would create clear guidelines for [the] industry regarding pro-competitive and other beneficial activities and would enable stakeholders to determine more easily and with greater certainty whether their activities are excepted from the information blocking definition.”
The exceptions, which can be read in more detail here, broadly include: preventing harm; promoting the privacy of EHI (electronic health information); promoting the security of EHI; recovering the costs reasonable incurred; responding to requests that are infeasible; licensing of interoperability elements on reasonable and non-discriminatory terms; and maintaining and improving health IT performance.
Per the proposal, which is lined up to take effect in 2020, there will be four categories of healthcare “actors” that will be regulated by the information blocking provision: providers, certified health IT developers, HIEs and HINs (health information networks). Vendors, HIEs and HINs are subject to up to a $1 million fine per information blocking violation, if they are found to be bad actors. Providers are not subjected to a monetary fine.
How “Real” is Information Blocking?
Depending on who you ask, the answer to the questions of “How much information blocking truly occurs in healthcare?”; “Who are the primary offenders?”; and “How seriously will organizations respond to the proposals?” will differ. At HIMSS19 last week in Orlando, Healthcare Innovation spoke to multiple sources in different sub-sectors of health IT about these critical questions.
Jodi Daniel, a former ONC policy director who was a key agency official in writing ONC’s information blocking report to Congress back in 2015, believes that the proposed rule is significant enough that it will change how businesses operate. “For the first time, folks are really being forced to interoperate, and there are substantial penalties for not doing so. I think it will change practices,” says Daniel, who is now a partner in the law firm Crowell & Moring’s healthcare group. She adds, “Vendors will take it seriously. It will force vendors to look at their practices and it will give entities that have been trying to access data and have had challenges that were raised in this information blocking report [to Congress] more leverage.”
Those who are in the vendor or provider communities may offer different perspectives. Jitin Asnaani, the executive director of the CommonWell Health Alliance, an association that provides an interoperability platform and services for its members—inclusive of some of the top health IT vendors—says he has seen concrete examples of information blocking from both vendors and providers. Asnaani recalls two separate vendor companies telling him a few years ago that they didn’t want to participate in CommonWell because it threatened their business model of charging for interfaces—an action that could qualify as information blocking.
Last week, during Seema Verma’s speech at HIMSS19, the CMS (the Centers for Medicare & Medicaid Services) Administrator remarked that she has heard of some hospitals having to ask permission from EHR vendors to use their own data. “Yes, you heard me right—hospitals have to ask the vendors they pay for permission for the right to actually use the data,” Verma said, adding that “the idea that patient data belongs to providers or vendors, is an epic misunderstanding”—placing a forceful emphasis on the word “epic.”
But Asnaani contends he has not personally heard of this happening in the real world. “If it is true, that’s abhorrent,” he asserts. “In no scenario, does the EHR or health IT vendor own patient data. They have to protect it, but in no scenario do they have a right to control where that patient data goes such that the patient or provider needs to ask them permission about it,” he says.
Asnaani says he does know of provider organizations who actively do not participate in certain interoperability initiatives because they want to control who they share data with. “And that’s because of competition; they literally tell me they don’t want the hospital [down the street] to take patients [from us]. If someone put a gun to my head and asked if I could write these provider names down, I could. That is a reality. I have more than enough evidence that it’s very real,” he says.
A third viewpoint comes from the provider side, as Marc Probst, CIO at the Salt Lake City-based Intermountain Healthcare told Healthcare Innovation that he has “never heard of providers [withholding patient data for competition purposes],” while adding that he’s “not naïve enough to believe that it doesn’t happen at all.”
To this end, using what Verma called “the strongest lever we have,” CMS, in a rule alongside ONC’s, is proposing to make it a condition of participation in Medicare that all Medicare-participating hospitals, psychiatric hospitals, and CAHs [critical access hospitals] send electronic notifications when a patient is admitted, discharged or transferred. While most of the industry reaction has thus far been in favor of these data-sharing requirements, the American Hospital Association is one group that opposes this proposed requirement, specifically.
“We cannot support including electronic event notification as a condition of participation for Medicare and Medicaid,” stated Ashley Thompson, AHA senior vice president for public policy analysis and development. “We believe that CMS already has better levers to ensure the exchange of appropriate health information for patients. We recommend the agency focus on building this exchange infrastructure rather than layering additional requirements on hospitals.”
Weighing in on Exceptions, Penalties
Of course, as Daniel and others note, the devil is always in the details when determining if a specific situation qualifies as an “exception” or not, and there is a considerable amount of grey area, even with the proposed exceptions laid out in the rule.
“The regulators cannot come up with every possible example and situation. Things still come up with HIPAA and that [law] is over 20 years old,” notes Daniel. “There will always be ambiguity; if someone in good faith [tries to] comply with the exception, documents it, and has done their due diligence, that would be considered if there was an allegation of information blocking—even if the enforcers disagreed,” she adds, suggesting that the best advice for someone when there is ambiguity “is to do the diligence, document your justification, and make sure it’s defensible in case someone comes and questions it.”
The review and enforcement, Daniel says, will likely be handled by the ONC and the OIG (Office of Inspector General), noting that information blocking fines will be beyond what stakeholders are accustomed to. “Per violation, they are a magnitude higher than HIPAA penalties,” she says. “It’s up to a $1 million [per instance], so there is a lot of flexibility in the amount they could fine [you] for egregious behavior.”
Asnaani, meanwhile, who acknowledged at the time of the interview that he has not read through the rule in its entirety yet, believes that the proposed penalties are “very non-committal for providers.” He further notes, “They made it nebulous. You don’t know if you will get penalized or not, which is tricky from a provider point of view.”
Interestingly, while ONC is primarily going to be in charge of the information blocking provisions and penalties, CMS said in its proposed rule last week that it would make public the names of clinicians and hospitals that submitted "no" to three attestation statements committing them to data sharing. Asnaani believes that a provider organization having “its name strung up nationally” could have enough teeth, but at the same time, in the local communities where the clinic or hospital exists, it’s already known which practices make it difficult to work with them.
Daniel also brings up another noteworthy element related to penalties: that the information blocking rule can change the presumption of making data available. Under HIPAA, Daniel explains, “the presumption is that you can’t share data unless you have a permissible purpose for sharing the data. But the information blocking [proposal] seems to take the opposite approach; you must share the data unless you meet one of the exceptions that says you can withhold the data. What I think will be challenging for folks who try to figure out how to comply with this, is that they have these two competing regimes where on the one hand if there is ambiguity, they would normally hold onto the data, but now if there is ambiguity, they might have to release the data.”
Daniel goes on to note that compliance with HIPAA is one of the seven exceptions permitted in the information blocking proposed rule. But the problem, as Daniel envisions, is when there’s a grey area. “If you take a conservative view of HIPAA, is that in violation of the information blocking rules? It’s subject to interpretation,” she says.
In the end, health IT stakeholders seem to be in universal agreement about the substantive nature of these proposals. Dan Golder, a principal at the Illinois-based consulting firm Impact Advisors, believes that the benefits of information sharing outweigh the negatives, and that initiatives to advance these movements are already underway. To this point, Golder notes, in an email to Healthcare Innovation, “ONC will need to be cautious in applying the proposed information blocking rules so as to not hinder the current progress by vendors and health systems, and to not be perceived as too restrictive nor unreasonable in requirements, timelines and penalties.”