Will (understandably) harsh information blocking penalties liberate data for patients?
Key Takeaways
- The Biden administration’s recent confirmation that it will start to impose sanctions on health IT companies that obstruct the flow of health information is a significant step towards promoting greater transparency and seamless healthcare data sharing.
- The healthcare industry must follow the CMP Final Rule starting on September 1, 2023. It prevents information blocking and promotes the exchange of health information among providers. Those who engage in information blocking may face penalties enforced by the OIG and ONC, improving patient care quality.
As of October 6th, 2022, patients now have unrestricted access to their complete health records in digital format, thanks to new federal rules. This eliminates the need for fax machines and excessive charges for printed pages (though we all know fax isn’t leaving the industry any time soon). Patients now have control over their data and can choose who else can access it; in theory, this will empower them to make informed healthcare decisions. The rules are expected to improve transparency and coordination of care, as well as reduce healthcare costs.
In the past, health systems and data networks determined patients’ access to their data. In contrast, private data brokers made profits by selling de-identified medical records without patients’ knowledge or consent. The new rules aim to promote transparency by giving patients control over their data and allowing them to choose who else can access it. This marks the beginning of a patient-mediated data economy, much like the fluidity seen in the banking sector. While implementing these rules and bringing about significant change may be gradual and challenging, patient benefits are expected to be substantial.
However, companies that choose to obstruct the flow of information will now face significant fines of up to $1 million per violation, depending on the level of harm caused and the severity of the obstruction. This indicates the government’s commitment to ensuring patients receive the best care and that health IT companies are held accountable for their actions.
Furthermore, any claims of information blocking that may have harmed patients, hindered healthcare providers from carrying out their duties, caused government healthcare program costs to rise, or were intentionally made will be thoroughly investigated by the Office of the National Coordinator for Health Information Technology (ONC).
It is essential to note that healthcare providers may also be subject to fines for non-compliance with these regulations. While the timeline for implementing penalties has been postponed several times, now that the final rules are in place, the Office of Inspector General (OIG) will be responsible for enforcing them.
Info Blocking: A Crash Course
The healthcare industry is transforming towards a patient-centered approach, and the CURES Act and the Office of the National Coordinator for Health Information Technology’s Final Rule play a crucial role in this process. Information blocking is in direct violation of HIPAA, but despite being a substantial offense in the healthcare industry, particularly healthcare IT, there has been little in the way of prosecution against violators to date.
Quite simply, it refers to any action that hampers accessing, exchanging, or using electronic health information (EHI). The ONC has established eight exceptions (download the ONC PDF that defines each here) to prevent such practices. These exceptions cover scenarios where blocking is necessary to avoid harm to patients, comply with privacy laws, and ensure the security of EHI, among others.
Recently, new rules have been implemented to ensure healthcare providers cannot engage in practices hindering patient health information sharing either. This includes blocking access to electronic health records (EHRs) and charging excessive fees for data exchange. Unlike with the solution developers, the consequences for noncompliance have yet to be established for providers, but they can result in significant fines.
It is worth noting that there is a content exception that organizations should be aware of. Information blocking will only apply to US Core Data for Interoperability (USCDI) data for the next 24 months. After this period, blocking will expand to apply to any information related to the individual. To avoid fines, healthcare organizations should open up the most critical use cases and data assets for access, exchange, and use.
Compliance with the new interoperability rules is crucial for healthcare organizations. The lack of interoperability has been a longstanding issue, with some organizations building whole business models around limiting data accessibility. However, the new rules aim to make data more accessible, benefiting patients and hospitals with greater data liquidity, enabling new tools and features. Although guidance on implementation is currently lacking, organizations need to adhere to technical standards for interoperability. Organizations like The Sequoia Project are underway to establish common standards (like FHIR) and prevent future challenges.
By digitizing processes such as sending medical reports to patients, the need for physical pickups can be eliminated, leading to improved efficiency. Embracing interoperability rules is a positive step for healthcare organizations in the long run, and it can lead to better outcomes for patients and providers alike.
Physicians need to understand the requirements of the IBR and take steps to comply with its provisions. Failure to do so may result in accusations of information blocking and potential penalties. While it is uncertain how this will develop, it is quite foreseeable that providers may also be held liable by their vendors if fines are levied against the solution developer due to actions taken by the healthcare delivery organization. The IBR emphasizes that data must be shared in most cases, but there are exceptions to this rule. Healthcare providers who fail to share data when an applicable exception does not exist may face the consequences.
What comes next?
Entities involved in healthcare, particularly those who have submitted information-blocking claims to the Information Blocking Portal, will be pleased to know that the Office of Inspector General (OIG) and the Office of the National Coordinator for Health Information Technology (ONC) have taken a significant step towards enforcing penalties associated with violations of the Information Blocking Rules.
The CMP Final Rule imposed by the OIG and ONC penalizes health IT developers, certified health IT entities, HIEs, and HINs who block information. It is important to note that healthcare providers may also be subject to penalties if they meet specific criteria. This is a significant step towards ensuring accountability for information blocking under the Information Blocking Rules.
On July 3, 2023, they published a final civil monetary penalty (CMP) rule for certain Information Blocking Actors in the Federal Register. The CMP Final Rule, effective beginning September 1, 2023, allows OIG and ONC to enforce penalties against health IT developers of certified health IT, entities offering certified health IT, health information exchanges (HIEs), and health information networks (HINs) who engage in information blocking.
It is important to note that the CMP Final Rule will only apply to healthcare providers if they meet the definition of a developer of certified health IT or is an HIN or HIE. For healthcare providers, appropriate disincentives will be established through a separate notice and comment rulemaking process by the Department of Health and Human Services (HHS). The enforcement of penalties and the clarification of enforcement priorities and approaches mark significant progress in holding entities accountable for information blocking under the Information Blocking Rules.
0 Comments