Editor’s Note: Earlier this year, the federal Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services (HHS) issued proposed rules implementing the information blocking prohibition in the 21st Century Cures Act. “Information blocking” refers to activities that unreasonably limit the availability and use of electronic health information (EHI), undermining public and private investments in the nation’s health IT infrastructure and frustrating efforts to use technology to improve healthcare quality and efficiency.
The proposed rule—designed to create a more interoperable healthcare system that supports seamless data exchange and improved care coordination—is likely to be adopted in final form in late 2019 or early 2020. Once the rule goes into effect, it will impose significant compliance obligations on healthcare stakeholders, including providers, electronic health record vendors and health information exchanges. Noncompliance could trigger serious consequences. For example, health information exchanges and networks are subject to penalties of up to $1 million for lack of interoperability.
In a recent webinar, Manatt Health explained what the new rule will mean for healthcare organizations—and how healthcare stakeholders can be sure they are prepared and compliant when the new rule is implemented. In part 1 of our article summarizing the webinar, we provided a background and overview of the new rule, as well as reviewed the exceptions to the definition of information blocking. In part 2 of our summary, below, we share guidance on how to comply.
A health IT developer’s, health information network’s and health information exchange’s failure to comply with the information blocking rule could result in monetary penalties of up to $1 million per violation. Providers, on the other hand, may not be subject to such high dollar penalties but may be subject to investigation by the Office of the Inspector General (OIG), the Office of Civil Rights (OCR) and others—and could be subject to disincentives if they engage in information blocking.
As it is written, the proposed rule is set to go into effect on the day that it is finalized, which makes compliance challenging, given the ambiguities that exist in the proposed rule. Industry stakeholders have requested a delay of the effective date, but so far it is not clear whether the effective date will be delayed or whether there will be a phased-in approach to complying with certain provisions. Therefore, it is prudent for all actors subject to the rules to make preparations to comply with the proposed rule.
Identify All Necessary Elements for Implementation Planning
The first step in preparing to comply with the information blocking rule is identifying all the necessary elements for implementation planning:
- Identify and convene all stakeholders who are critical to compliance. The stakeholders may include the privacy and security officers and representatives from the counsel’s office, compliance department, information technology team and finance team. A provider also may find it useful to include clinicians who may receive requests for patient information and business development staff who may receive requests for patient information from other providers.
- Identify where all electronic health information (EHI) is held within the organization. Actors should identify and list all the systems that contain or store EHI and the types of EHI within each system. Given the broad definition of EHI, it is possible that EHI, such as pricing, analytics and population-based data, may be held outside of the electronic health record.
- Identify policies and procedures that address information sharing. This includes Health Insurance Portability and Accountability Act (HIPAA) policies and IT policies, as well as any policies in place related to governing confidential and proprietary information.
- Identify potentially impacted or absent workflows. For example, consider how information requests are processed within the organization; who is responsible for reviewing the requested information; how much time such reviews usually take; what the security testing requirements are, if any; and whether processes are all sufficiently documented.
Assess the Current State to Uncover Barriers to Compliance
The following questions can help reveal any barriers to compliance that exist within the organization:
- What are the technological challenges to accessing, exchanging or using EHI?
- Can the organization ingest EHI from other providers or systems? If so, where will this EHI reside?
- How are fees assessed when a client or provider requests data to be exchanged or a system to be interoperable?
- How are requests for the exchange of information considered—and by whom?
- How long does it take to assess whether access or exchange can be granted?
- What contractual provisions may impact the ability to access, exchange or use EHI?
- Are there relationships with third parties that present challenges to the access, exchange or use of EHI? (If so, it is important to ensure that any business associates are well versed in the requirements of the information blocking rule and are able to access or exchange information, if the organization requests it.)
Remove Any Barriers to Complying With the Information Blocking Rule
If any barriers to compliance are identified, it is important to remove them—and establish clear and detailed procedures to ensure full compliance is achieved. This may include speaking with vendors and third parties to make sure they have a sophisticated understanding of the information blocking rule, so they can work to support total compliance and execute amendments to existing agreements, including potentially renegotiating fee structures.
Establish Organizational Policies That Address Each Exception
It is prudent to have specific organizational policies in place that address each of the rule’s exceptions. (For more information on the seven exceptions to the information blocking rule, please see part 1 of our webinar summary.) Handling exceptions on a case-by-case basis will be difficult to manage over time—and potentially may make it challenging to demonstrate consistent application of the rule and ongoing compliance.
The organizational policies should detail how each exception can be met, including the documentation required, to ensure the exception is applied as narrowly as possible and in a nondiscriminatory manner. In particular, the policies may not be drafted in a manner that results in the application of an exception being more onerous to a particular class of individuals or entities. For example, when considering the application of the security exception, the organization may not make determinations about the worthiness of a third-party data recipient. As part of this process, the organization needs to define its reasonableness standard, upon which many of the exceptions rely.
The Office of the National Coordinator (ONC) has solicited comment about what the documentation and standardized methods to demonstrate compliance should look like. What is already clear is that organizations will need a tremendous amount of documentation to be able to demonstrate compliance with the information blocking rule. Policies and procedures should be readily producible in the event of an audit or investigation related to noncompliance.
The procedures outlined in policies should provide a detailed workflow regarding where case-by-case findings will be documented and by whom, as well as how decisions will be communicated.
Any existing HIPAA policies and procedures should be reviewed and updated, as needed, to ensure alignment with the information blocking rule. ONC makes it clear that organizations will not be able to hide behind HIPAA to avoid sharing information as required by the rule.
Train and Educate
Organizations should develop training plans that ensure everyone who may receive a request to access, exchange or use EHI is aware of the information blocking prohibition. Training programs should be customized for each stakeholder group and include relevant examples. The training must specify to whom requests should be forwarded, so that requests reach the people who can evaluate them promptly and provide access in a timely fashion.
It also can be valuable to incorporate training on the information blocking prohibitions into HIPAA training programs. For instance, training should make clear when consent may be (and when it is not) required to share information.
Organizations may want to consider patient education programs, because questions remain about how an organization could prove that it did not impede getting consent from a patient to share information. One answer may be training programs that inform patients about their right to provide consent, and educate them about the information blocking rule. Therefore, it may be prudent to develop a patient education campaign—or at least make the information available to patients on a website or as part of a provider’s admission packet.
Test, Monitor, Audit…and Repeat
Once policies, procedures and workflows are established, organizations need to test, monitor and audit compliance with them—and repeat that process on an annual basis. Before going live, all systems should be tested, and it should be confirmed that the organization can follow all policies and procedures for sharing information, as required by the rule. It is then critical to revisit policies, procedures and workflows as technology evolves or hiccups are identified.