By Chris Emper, Government Affairs Advisor and Andy Riedel, Senior Director, Regulatory Affairs, NextGen Healthcare
Twitter: @NextGen
The 21st Century Cures Act and information blocking are back in the news.
Recently a coalition of ten provider organizations led by the American Medical Association (AMA) and American Hospital Association (AHA) formally requested that the U.S. Department of Health and Human Services (HHS) postpone for a period of one year certain information blocking compliance requirements due to be implemented on October 6, 2022.
In response, HHS’s Office of the National Coordinator for Health Information Technology (ONC) published a blog post of over 2,000 words reiterating its intent to move forward with the October 6 deadline while also seeking to clarify several issues raised by the provider groups.
Between the October 6 deadline, the requested delay of that deadline, and ONC’s lengthy new blog post, many physician groups are probably scratching their heads wondering what they need to do, and by when, to comply with this latest update in the Cures Act rules.
With that in mind, here’s our quick guide to the October 6 Information Blocking Deadline:
The October 6 deadline simply changes the scope of electronic health information (EHI) covered by the information blocking rules. In 2020, ONC issued its final information blocking regulation and established April 5, 2021 as the initial applicability date for the rules. However, in order to give the industry some extra time to digest the complex rules and prepare to fully comply with them, ONC limited the definition of electronic health information (EHI) from April 5, 2021 to October 5, 2022 to the data elements represented in the United States Core Data for Interoperability (USCDI) standard. The October 6 deadline simply represents the lifting of this temporary 18-month limitation on the definition of EHI, which expands the definition (and subsequently the scope of the information blocking rules) to include the Designated Record Set (DRS) as defined under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The expansion in the scope of EHI is significant. USCDI is a highly specified and standardized set of health data classes and data elements. In fact, the USCDI v1 data set fits neatly on a single page, consisting of 16 classes and 52 constituent data elements. By comparison, the DRS is extremely broad and ambiguously defined. While USCDI v1 is limited to demographic and clinical information such as labs, notes, medications, and allergies, the scope of EHI after October 5 would include both medical and billing records, claims adjudication data, and other information used by a healthcare provider or other HIPAA-covered entity to make decisions about individuals. As with USCDI, the EHI associated with the DRS and within the purview of the information blocking rule is not limited to what is in certified EHR systems. Rather, it is any electronic data residing within the possession of a healthcare provider or other information blocking (IB) actor.
There is no change on October 6 to what healthcare providers must do when they receive a request for EHI. ONC states: “While the facts and circumstances that an IB actor may face with respect to the scope of EHI has [sic] changed, an IB actor’s approach to meeting an information blocking exception generally remains the same as it was when the information blocking regulations became applicable on April 5, 2021.” Because the rule does not require healthcare providers to implement, upgrade or adopt certified EHR or any other specific technology, the process for making EHI available for access, exchange and use will likely vary from one provider or organization to another, based on the type of technology they use.
It is important to remember that HHS is not yet enforcing its information blocking rules. There are three categories of “actors” subject to the information blocking rules (healthcare providers, health information networks/exchanges, and developers of certified health IT/EHRs), and enforcement of the rules varies depending on those categories. For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General is currently engaged in rulemaking to finalize an initial compliance date to enforce the civil monetary penalties called for under the Cures Act. For healthcare providers, HHS still has to issue a rule to establish “appropriate disincentives” for those found to be in violation of the rules. Critically, this October 6 deadline does not change anything regarding these yet-to-be-finalized enforcement policies. Thus, healthcare providers still do not know how (or when) HHS will establish these “appropriate disincentives” and begin enforcing the information blocking rules.
The October 6 information blocking deadline has nothing to do with the December 31, 2022 EHR certification deadline. Both the provider community’s letter to HHS and related press coverage have suggested that a lack of vendor readiness negatively impacts provider compliance with the October 6 expanded EHI deadline. However, information blocking and HIT certification are the subjects of two separate sections of ONC’s Cures Act final rule. The rule covers the EHI definition and related October 6 deadline under the information blocking portion of the rule, while outlining changes to EHR certification criteria and the December 31, 2022 certification deadline under the certification section. While it remains to be seen how many EHR vendors meet the end-of-year certification deadline, that has no practical or regulatory bearing on the ability of providers and other actors to comply with the October 6 deadline.
Providers should treat the information blocking rule as they do HIPAA Privacy and Security regulations by implementing a formal compliance program in consultation with legal and regulatory advisors. Confusion persists on the part of providers concerning their roles and responsibilities as actors under the ONC rule. Technology plays a key role in helping providers achieve and maintain compliance. However, the ONC rule does not require specific technology, nor does the use of technology confer compliance. Much like the HIPAA law, compliance with the Cures Act requires a formal compliance plan, including education for clinicians and staff and written policies and procedures, which should, per AMA recommendations, align with the permissible information blocking exceptions.
Cures Act compliance will remain a moving target after October 6. In 2016, the U.S. Congress passed the Cures Act into law. It included three major health IT provisions: 1) EHR certification updates, 2) information blocking, and 3) the trusted exchange interoperability framework. Now, nearly six years later, some of the health IT rules called for by the law are in effect, others are in effect but are not being enforced, and others still have yet to be written. Furthermore, each of these provisions is set to be implemented in stages. For information blocking, the October 6 deadline should simply be considered another “stage” or escalating “step” in compliance. This means physician groups should educate themselves about what these latest changes mean, ensure compliance with any new requirements, and then focus on what’s coming next.
This article was originally published on the NextGen Healthcare blog and is republished here with permission.