Covered entities and their business associates need to focus on compliance with the Office of the National Coordinator for Health Information Technology ("ONC") final rule on "information blocking." This rule reflects a huge shift by mandating the access, use, or disclosure of electronic health information ("EHI") in certain cases.
o In March, HHS announced two final rules, one by the Centers for Medicare & Medicaid Services ("CMS") and the other by the ONC, implementing parts of the 21st Century Cures Act, designed to enhance interoperability and support access to and exchange of health information. The rules were published in the May 1, 2020 Federal Register.
o Together, the rules have far-reaching implications for the U.S. health care system. While no provision should be discounted, the ONC information blocking rule merits particular attention.
o Generally, "information blocking" is a practice that is likely to interfere with the access, use, or exchange of electronic health information ("EHI") if done by (i) a health IT developer, health information network, or health information exchange that knows or should know the practice is likely to materially interfere with, prevent, or materially discourage access, exchange, or use of EHI, or (ii) a health care provider that knows the practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. The ONC rule calls those subject to the ban on information blocking "actors."
o Pursuant to the Cures Act, the ONC rule adopts 8 exceptions to information blocking. The exceptions work as safe harbors, giving actors certainty their practices do not entail information blocking. Practices outside a safe harbor will be evaluated case by case.
- As covered entities, most health care providers and their business associates understand their HIPAA compliance obligations. The ban on information blocking does not change those obligations, but it adds a layer of complexity. While HIPAA applies to protected health information ("PHI"), and the ONC final rule applies to EHI, generally, EHI is defined as electronic PHI to the extent that it would be included in a designated record set, regardless of whether the group of records are used or maintained for or on behalf of a covered entity.
o Although the ONC final rule does not require disclosure of EHI in a manner not already permitted under HIPAA (or other laws), an access, exchange, or use of EHI permitted under HIPAA now may be required to avoid information blocking.
o For example, the ONC observes of business associate agreements, "[w]hile the information blocking provision does not require actors to violate these agreements, a BAA or its associated service level agreements must not be used in a discriminatory manner by an actor to forbid or limit disclosures that otherwise would be permitted by the Privacy Rule. For example, a BAA entered into by one or more actors that permits access, exchange, or use of EHI by certain health care providers for treatment should generally not prohibit or limit the access, exchange, or use of the EHI for treatment by other health care providers of a patient."
o In light of the information blocking provision and the associated ONC commentary, covered entities and business associates should evaluate their forms of agreement, as well as their existing agreements, including BAAs and service level agreements, along with their relevant policies and procedures, to accommodate these new provisions against information blocking.
- The compliance date for the ONC information blocking provision is November 2, 2020 for healthcare providers, health IT developers of certified health IT, health information exchanges, and health information networks.
o For the first 18 months (i.e., until May 2, 2022), the scope of EHI subject to the information blocking provision is limited to EHI represented by the data elements in the United States USCDI adopted under 45 C.F.R. 170.213, giving actors more time to gain experience applying the exceptions to the limited scope EHI, but ONC strongly recommends actors apply the exceptions to all EHI.
o Enforcement via civil monetary penalties ("CMPs") will not begin until established through rulemaking by HHS's Office of Inspector General ("OIG"), which published a proposed rule in the April 24, 2020 Federal Register with comments due June 23, 2020. That rule addresses CMPs for information blocking by health IT developers or other entities offering certified health IT, health information exchanges, and health information networks. OIG's information blocking CMP authority does not cover health care providers, so OIG proposed to refer health care providers to the appropriate agency for suitable disincentives when information blocking is encountered. Those disincentives will be laid out in a future notice and comment rulemaking by the HHS Secretary.
Health systems need to remain focused on addressing compliance risks associated with physician employment.
o Last week, we noted how health systems continue to face risk and uncertainty with respect to qui tam actions under the False Claims Act ("FCA") premised on violations of the Stark Law and the general increase in settlement amounts and success rates for relators in cases where DOJ declined intervention over the past 10 years.
o A substantial portion of those Stark Law-related FCA settlements over the past 10 years, including several high-profile and high dollar amount settlements, involved employed physician arrangements. A majority of those physician employment-related settlements arose out of whistleblower cases, and on average the settlement amounts for those cases have been much higher than for other instances of Stark noncompliance.
o The potential risk exposure associated with physician employment arrangements may be overlooked sometimes, given that the Stark Law exception (and the corresponding AntiKickback Statute safe harbor) for employment arrangements is generally viewed as having less exacting standards, and physician employment is generally viewed as presenting less of a compliance risk than other types of financial arrangements.
o This potential risk exposure has expanded with the significant pace in health system employment of physicians over the past 10 years, along with associated demands on health systems to develop broader varieties of compensation structures and meet competitive demands on physician compensation.
o The finalization of much-needed clarifications from the CMS October 17, 2019 Proposed Rule on updates to the Stark Law regulations may help reduce some risk exposure related to uncertainties in the interpretation of certain Stark Law provisions (particularly around the volume or value of referrals standard, which has often been an issue in physician employment-related settlements).
o Health systems should also recognize, however, that the potential risk exposure related to physician employment arrangements is likely to increase as the COVID-19 crisis pushes more independent physicians to seek financial security through health system employment at the same time as many health system compliance and legal departments are stretched thin by dealing with the challenges of COVID-19, often with a reduced workforce.
o Key takeaway: Physician employment arrangements are likely to continue to be one of the most significant areas of potential risk exposure. Health systems need to maintain vigilance in structuring and monitoring physician compensation arrangements with appropriate involvement and oversight by knowledgeable healthcare counsel and valuation experts.
Finally, if agency rulemakings were not enough to keep providers and other health industry participants on their toes, recent court decisions are changing the legal environment at warp speed, and the significance of these changes is likely underappreciated and poorly understood. These decisions may end up having profound consequences for providers and others.
o The Supreme Court's recent determination that "sex" in the Civil Rights Act of 1964 includes sexual orientation and gender identity is likely to have far-reaching consequences in the workplace that have not even begun to be understood. What types of claims are employers likely to see in the wake of this expanded reading of this law, and how can they manage to limit the risks associated with those claims?
o At the district court level, the American Hospital Association lost its challenge to the CMS rule requiring publication of standard charges for hospital services. Unless implementation is delayed pending appeal, hospitals will quickly confront an extremely challenging set of requirements to comply with this new mandate as of January 1, 2021. Might this requirement prompt hospitals to rethink entirely the manner in which services are priced and paid for? Squaring up compliance under that rule with the historic manner of standardized pricing via the hospital's chargemaster will be a huge task.
o Lastly, the Supreme Court's determination that the DACA program, established during the prior administration without legislative authorization and without formal agency rulemaking, could not be rescinded without formal agency rulemaking suggests that changing a discretionary agency enforcement policy may be a far more complicated undertaking than anyone previously thought. To the extent this decision is seen as reining in informal agency action, will it limit the ability of agencies to rely on FAQs and sub-regulatory guidance in undertaking enforcement actions? Recall that the recent tranches of billions in CARES Act relief funds were distributed without formal agency guidance and accompanied by successive (sometimes contradictory) waves of FAQs and so-called "terms and conditions."