On July 10, 2015, the House of Representatives approved the 21st Century Cures Act (HR 6) (the “bill”) by a vote of 344-77. In addition to increasing medical research funding and expediting the process of making breakthrough therapies available to patients, if enacted into law, the bill would impose significant new requirements related to the regulation of health information technology (“IT”). Most significantly, the bill would require that in order to qualify for beneficial treatment under certain Federal laws, qualified electronic health records (“EHRs”) must meet newly specified interoperability standards. Failing to achieve interoperability is significant because it directly risks decertification of the vendor’s IT and, as a result, risks the loss of a provider’s Meaningful Use incentive payments and eligibility for the Stark Law Exception and Anti-Kickback Statute Safe Harbor applicable to the donation of EHRs and services. The bill also would require that vendors of EHR technology certify interoperability to the U.S. Department of Health and Human Services (“HHS”), and would prohibit vendors and health care providers from information blocking. This Alert summarizes key elements of these important changes to the Federal regulation of digital health information.
Due to the magnitude of health information maintained in EHRs and the numerous relationships patients maintain with health care entities and professionals, the ability to access and exchange medical information between providers and researchers is paramount to medical innovation and patient care. Effectively, the bill addresses the pervasive need to standardize health IT in an efficient and timely manner to achieve health IT interoperability. Specifically, the bill requires that health IT vendors ensure that their certified EHRs:
- Securely transfer all electronic health information to and from all other certified health IT for authorized use; and
- Allow for the complete access, exchange, and use of all electronic health information for authorized use without special efforts by the requestor.
In order to achieve the secure and complete exchange of information contemplated by the bill, vendors will need to incorporate baseline interoperability standards in six identified areas: (1) vocabulary and terminology; (2) content and structure; (3) transport; (4) security; (5) service; and (6) querying and requesting health information for access, exchange, and use. The bill tasks HHS with providing clarifying guidance on the interoperability standards while allowing vendors flexibility in implementing product compatibility.
Prohibited Information Blocking
In addition to requiring interoperability, the bill prohibits information blocking by vendors, health care providers, and health information system providers (e.g. operators of health information exchanges and data registries). “Information blocking” is broadly defined to include numerous practices that prevent, interfere, or burden information exchange. These practices range from charging unreasonable fees, to contractually agreeing to restrict an authorized exchange, to developing or implementing health IT likely leading to fraud or waste.
Such a broad definition risks the imposition of civil monetary penalties for not only egregious information blocking, but for actions resulting from internal policies and industry best practices vendors and providers have in place to protect the privacy and security of the entity and/or its patients. Providers may be especially susceptible to confusion, considering that providers historically have been given the ability to control the release of information based on professional judgment and business decisions.
Guidance and Implementation
The bill requires that HHS provide vendors with an initial set of interoperability standards and implementation specifications by January 1, 2017.1 Vendor compliance would be required 12 months after the rulemaking. In contrast, enforcement for information blocking could begin as early as 30 days after the issuance of the rule.
The bill requires that vendors’ certification of qualified EHRs made after January 1, 2018, comply with the interoperability standards. In certifying, vendors of qualified EHRs must specifically:
- Attest to HHS that the entity has implemented the interoperability standards and that it has not and will not information block; in doing so, it must include pricing information related to data exchange for the purpose of future public comparison among health IT products;
- Attest that the entity has successfully and rigorously tested the real world use of the record;
- Attest that the entity has in place data-sharing programs based on common data elements through such mechanisms as application programming interfaces without the requirement for vendor-specific interfaces;
- Publish application programming interfaces and associated documentation, with respect to health information within such records, for search and indexing, harmonization and vocabulary translations, and use interface applications; and
- Demonstrate to HHS that information from the EHR can be exchanged, accessed, and used through the interfaces without special effort.
As stated, failure to comply risks decertification of the technology for Meaningful Use purposes, under the CMS Medicare and Medicaid EHR Incentive Program. Moreover, decertified IT and services cannot be donated under the Stark Law Exception or Anti-Kickback Safe Harbor that protect donations of certain EHR. For these reasons, decertified IT is not attractive to provider customers. The bill makes clear that providers would not be penalized for the actions of its vendors for failing to meet the interoperability standards for certification. As such, for EHRs that become decertified due to failing to meet the interoperability standards for the Meaningful Use reporting periods for payment years beginning 2020, providers will receive a minimum one-year hardship exception and be allowed to transition to different EHRs.
HHS would be given authority to investigate claims of vendors offering providers qualified EHRs in violation of any attestation. Vendors and other entities offering providers qualified EHRs in violation of an attestation (whether providing false information at the time of the attestation or by act or practice after such attestation) shall be subject to a civil monetary penalty in an amount determined by HHS through rulemaking. The bill is not likely to alter the current governmental approach, under which providers generally will not be the target of interoperability enforcement; however, a provider without a qualified EHR may risk enforcement if it represents to HHS otherwise, for example, during Meaningful Use attestation. Providers without qualified EHRs also risk the loss of Meaningful Use payments if they cannot meet a hardship exception. Additionally, providers would need to consider that even without Federal enforcement, the failure to maintain a qualified EHR could risk violation of contractual terms that incorporate such requirements, of data security laws, or of internal procedures based on best practices, due to inadequate technology. The bill also would grant HHS the authority to subject any person or entity to civil monetary penalties for information blocking. The National Coordinator, acting as a technical consultant, would be authorized to share information related to investigations with the Federal Trade Commission (“FTC”), potentially magnifying any violation and penalty.
Data Privacy Implications
The bill states that HHS will set forth exceptions to information blocking to protect patient safety and privacy and to promote competition and consumer welfare, although it is unclear at this time how the exceptions will interact with existing law, like the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Notably, HIPAA does not generally mandate that a provider make accessible or disclose patient health information to another entity; however, the bill’s information blocking requirements may push entities to disclose information more freely or expand system access to other entities. Such activities may expose the entity to other liabilities. The bill’s impact on how providers and contractors treat health information is significant due to the potential conflict with patient authorizations, proprietary rights, and breach notification obligations, as well as state laws that restrict the use of sensitive data such as mental health and HIV records. For instance, the bill’s prohibition of information blocking may risk the disclosure of patient information that requires additional protection. Alternatively, the bill may negate the need for a patient’s authorization, whereas an internal policy or state law may require consent regarding certain information. Conflicting requirements and unclear guidance may burden entities to carve out accessible information and maintain differentiating policies and updates to Notice of Privacy Practices.
Prospects for the Legislation
Although the Cures Act has cleared the hurdle of the House, the prospects of passage in the Senate remain uncertain. The Senate Health, Education, Labor & Pensions Committee (“HELP Committee”) has held numerous hearings over the past several months as it considers its own medical innovation legislation. However, the HELP Committee has not yet released even a discussion draft of its legislation, and one is not expected until at least the end of the Senate recess in August. Following the House’s passage of the Cures Act, HELP Committee Chairman Lamar Alexander (R-TN) stated that the Senate’s work would continue “on a parallel track . . . to produce a bill that [the Senate] can combine with 21st Century Cures and send to the President’s desk.”
Prior passage of the Cures Act, the White House, via a statement of administration policy, objected to the bill’s use of the government’s Strategic Petroleum Reserve to offset the bill’s funding increases. The White House would have preferred that the bill directly address sequestration and ensure that FDA has sufficient funding to support all the programs established in the bill. The White House also expressed concern regarding the proposals relating to drug exclusivity and drug manufacturer communications with payors. Whether the Senate’s proposed legislation will address the White House’s concerns remains to be seen.
Re-authorization of the Prescription Drug User Fee Act (“PDUFA VI”) is slated to occur in 2017. Given that PDUFA VI is considered “must-pass” legislation, it is possible that a number of issues under consideration in the Cures Act, particularly those issues lacking consensus, will be deferred until that latter debate.