Final Health IT “Information Blocking” Rules:
What ACOs Need to Know
OVERVIEW
On March 9, the U.S. Department of Health and Human Services (HHS) released a pair of final rules that together aim to make it easier to share patients’ health records and data among healthcare providers, plans, and patients. Most notably, the Centers for Medicare & Medicaid Services (CMS) will require hospitals to share electronic notifications of patients’ admission, discharge, and transfer (ADT) from an inpatient facility, as well emergency department presentations, with patients’ established primary care providers. In a companion rule, HHS’s Office of the National Coordinator for Health IT (ONC) outlines exceptions from “information blocking,” with the expectation that those in health care must share patient information with others unless one of eight exceptions are met. The final rules promote care coordination through better information sharing and should help the work of accountable care organizations (ACOs).
Most of the finalized policies stem from the 21st Century Cures Act of 2016. Congress examined the state of health information technology (IT), following more than $35 billion in investment from incentive payments to doctors and hospitals through the meaningful use program. NAACOS submitted comments on the proposed rules last year and was largely supportive at the time. Several changes we recommended were included in the final rules, including those around electronic ADT notifications, a narrower definition of electronic health information, and wider use of application programing interfaces, all of which are detailed below.
**UPDATE** On November 4, ONC published an interim final rule extending the deadline to comply with the rule’s information blocking requirements. ONC is recognizing the healthcare industry’s response to the COVID-19 public health emergency. More information is provided in this fact sheet and these frequently asked questions. For now, CMS’s ADT-sharing requirement will take effect on May 1, 2021. CMS has released additional information on its implementation deadlines for their respective parts of the rule.
Below is a summary of the two final rules NAACOS compiled to help ACOs understand implications for their work. It has been updated to reflect the new implementation deadlines. CMS’s final rule can be found here, and ONC’s here. CMS offers this fact sheet, while ONC created a website with more information. If you have feedback or comments on the final rule, please reach out by emailing [email protected].
ELECTRONIC ADMISSION, DISCHARGE, TRANSFER NOTIFICATIONS
In its rule, CMS finalized its decision to make a condition of hospitals’ participation in Medicare and Medicaid a requirement that they share electronic notifications of patients’ admission to, discharge from, or transfer between an inpatient hospital. Following NAACOS advocacy, CMS will also require alerts on patients seen in a hospital’s emergency department. These alerts should be sent to other healthcare facilities or community providers. The requirement takes effect on May 1, 2021, 12 months after the final rule’s publication. By receiving these alerts, ACOs can more effectively manage their patients’ care by intervening when notified of a hospital admission or emergency department visit and providing proper follow-up care.
The alerts must contain at a minimum the patient’s basic personal information, demographic information, the patient’s diagnosis (if not prohibited by other law, for example, with mental health or a substance use disorder), as well as the sending institution’s name. Alerts should go to patients’ “established primary care practitioner; the patient’s established primary care practice group or entity; or other practitioners or practice groups or entities identified by the patient as the practitioner or practice group or entity primarily responsible for his or her care.”
Following NAACOS advocacy, CMS clarified that nothing prevents ACOs with relationships with patients’ primary care providers from receiving notifications on behalf of the intended recipients. Alerts could be sent through an intermediary, such as a health information exchange. However, CMS states in the rule that hospitals who exclusively use such an intermediary might still have to send alerts to patients’ primary care providers if the intermediary has limited ability to deliver notifications to the required providers.
This condition of participation (CoP) applies to hospitals, critical access hospitals, and psychiatric hospitals. The requirement is limited to hospitals that currently possess electronic health records (EHRs) with the technical capacity to generate such alerts. However, data standards in EHRs to deploy these notifications have been widely adopted. Furthermore, alerts could be sent from a hospital’s registration system, not just their EHR system, which primarily used for clinical purposes.
CMS notes that many hospitals already comply with this requirement and send more information than required under the new CoP. However, the agency stated in the final rule that they don’t want to restrict hospitals from providing more information or advanced delivery options then what’s required.
CMS in the final rule points to several research studies citing improvements in cost and quality from health information exchange as justification for making this a hospital CoP. The agency also encourages hospitals to work with patients and providers to offer more robust information and clinical data. The requirement also follows a request for information CMS sought in 2018, which NAACOS also responded to.
INFORMATION BLOCKING
Section 4004 of the 21st Century Cures Act defines “information blocking” as a practice by a healthcare provider, health IT developer, health information exchange (HIE), or health information network (HIN) that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI). The law requires HHS to outline “reasonable and necessary” activities or exceptions to information blocking and allows the HHS Inspector General to fine providers, developers, HIEs, and HINs for practices it deems as intentionally hindering the flow of patient records.
Exceptions
ONC finalized eight exceptions to rules otherwise prohibiting information blocking. Actors will not be subject to civil monetary penalties or other enforcement actions if they satisfy at least one exception. ONC provides more details on the eight exceptions and conditions that must be met to qualify for each in this fact sheet.
|
Information Blocking Exceptions |
|
|
Exceptions that are not fulfilling requests to access, exchange, or use EHI |
|
|
Preventing harm |
It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. |
|
Privacy |
It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met. |
|
Security |
It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met. |
|
Infeasibility |
It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met. |
|
Health IT performance |
It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met. |
|
Exceptions for procedures for fulfilling requests to access, exchange, or use EHI |
|
|
Content and manner |
It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met. |
|
Fees |
It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. |
|
Licensing |
It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met. |
Definitions of actors
How ONC defines healthcare provider, health IT developer, HIE, or HIN is important because the penalties for information blocking are different for the provider and the other three categories. In the final rule, ONC will use the same definition for provider as the Public Health Service Act (42 U.S.C. 300jj).
For simplicity, ONC will use a single definition for HIE and HIN, defining each as an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of EHI:
- Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
- That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.
In comments to the proposed rule, NAACOS expressed concern that an ACO, which is really a conglomeration of providers, shouldn’t be considered a HIE or HIN. However, in the preamble of the final rule, ONC acknowledges that providers could fall into either category depending on how information is used or practices enacted. A health system would be considered a provider if they utilize the network to move patient information, but the health system would be considered a HIN through its policies, technology, or services. ONC provides this fact sheet on the above definitions.
Definition of Electronic Health Information
Information blocking applies to electronic health information (EHI), which is not defined in law unlike protected health information. Following NAACOS advocacy, ONC finalized a narrower definition of EHI than it proposed. The final EHI definition means electronic protected health information, as defined as the designated record set under the Health Insurance Portability and Accountability Act (HIPAA) in 45 CFR 160.103. Additionally, EHI won’t include psychotherapy notes or information collected in anticipation of a civil, criminal, or administrative proceeding.
Compliance date and fines
The 21st Century Cures Act prescribes civil monetary penalties of up to $1 million per information blocking violation for health IT developers, HIEs, and HINs. The penalties for providers are defined as “appropriate disincentives.” Following the announced delay in enforcement because of the COVID-19 pandemic, compliance will not take effect until April 5, 2021. Furthermore, ONC won’t begin information blocking enforcement until there’s a final rule on civil monetary penalties from the HHS Inspector General. The Inspector General published a proposed rule on April 21.
Public reporting
CMS finalized its proposal to publicly report on the Physician Compare website clinicians and groups that submit a “no” to any of the three information blocking attestation questions asked of providers. CMS will do the same for hospitals that submit a “no” to any of the three information blocking attestation questions on a different CMS website. Attestations left blank will be considered incomplete and will not appear with an information blocking indicator on the site. This will start with the 2019 performance period data starting in late 2020.
USE OF OPEN, STANDARDIZED APPLICATION PROGRAMMING INTERFACES
Under the 21st Century Cures Act, Congress mandated that HHS require EHRs make patients’ medical records available through application program interfaces (APIs). APIs are the technological highways that allow data and information to flow between different software, allowing easier communication with disparate systems and websites. Following NAACOS advocacy, ONC finalized a decision to require EHRs use two types of API-enabled services — that for which a single patient’s data is the focus and that for which multiple patients’ data are the focus.
In comments to HHS, NAACOS supports efforts that make it easier to gain access to patient health information. Patients have an undeniable right to access their records — it’s their data and they should own it — and APIs enable access “without special effort,” as the Cures Act states. With easier access to EHR data through APIs, third-party app developers can build platforms that allows patients to access their records and store them on consumer-facing devices like smartphones. ONC finalized several policies to protect patients’ privacy, including a provision that allows patients to revoke an authorized app’s access at their direction. APIs will be required to be offered by EHR developers by December 31, 2022.
The final rule also supports services for which multiple patients’ data are the focus, including a specific provider’s patient panel and a group of patients cared for through an alternative payment model. ACOs face challenges in trying to extract data from multiple EHR systems to pool into a single source to access patient records, analyze data, and generally manage the care and quality of their assigned patient populations. If successful, wider use of APIs and easier access to data through APIs will help ACOs who today must deal with disparate EHR systems and deploy costly techniques to access, exchange, and use data. ONC provides more information on APIs in this fact sheet.
DIGITAL CONTACT INFORMATION AND PROVIDER DIRECTORIES
CMS will begin to publicly report the names and National Provider Identifier of clinicians who don’t list their digital contact information in the National Plan and Provider Enumeration System (NPPES) system beginning in the second half of 2020. The agency also encourages providers to include Fast Healthcare Interoperability Resources (FHIR) endpoint information in NPPES if available. In 2018, CMS updated NPPES to include providers’ FHIR digital contact information. The 21st Century Cures Act required CMS to create a centralized provider digital contact information index, which in theory, would make it easier to find others to electronically share patient information with when needed and make it less necessary to exchange records through fax or other means.
In an effort to make it easier for patients and referring clinicians to find in-network providers, CMS finalized a proposal to require health plans make available a standard-based API to publicly share their provider directories. Through this API, information must include provider names, addresses, phone numbers, and specialties. Information must be made available within 30 days of its availability or updates. This requirement takes effect on January 1, 2021. However CMS will not enforce the new requirements until July 1, 2021.
HEALTH PLANS AND DATA EXCHANGE
The CMS final rule creates several changes for health plans the agency regulates, including Medicare Advantage plans, Medicaid Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs). Health plans must make available adjudicated claims (including costs), encounters with capitated providers, and clinical data, including laboratory results, to patients through APIs. This would allow consumers to access their information without special effort through third-party applications. Data must be made available no later than one business day after a claim is adjudicated or encounter data are received. Data must go back to January 1, 2016. This requirement takes effect on January 1, 2021. However CMS will not enforce the new requirements until July 1, 2021.
Additionally, plans will be required to send certain patient clinical data at patients’ request to other plans. This aims to make it easier for patients to have their information as they move from payer to payer over time. This requirement starts in January 2022. Lastly, states will be required to exchange data on individuals dually eligible for Medicare and Medicaid with CMS on a daily basis starting on April 1, 2022. This is currently done on a monthly basis. Neither the payer-to-payer data exchange nor the requirement around dual eligibles was delayed because of COVID-19.
|
Timeline of requirements |
|
|
May 1, 2021* |
Hospitals send event notifications regarding admission, discharge, and transfer to other providers |
|
Late 2020 |
Public reporting of clinician or hospital data blocking and providers without digital contact info in NPPES |
|
Jan. 2021** |
Patient healthcare claims and clinical information made available through standards-based APIs for Medicare Advantage, Medicaid and CHIP FFS, Medicaid and CHIP managed care, and Qualified Health Plans on the FFE |
|
Jan. 2021** |
Payer provider directories made available through standards-based APIs |
|
Jan. 2022 |
Payers required to exchange patient USCDI data upon request |
|
April 2022 |
Improved benefits coordination for dually eligible individuals |
|
*Delayed from its original deadline of fall 2020 **CMS won’t enforce until July 1, 2021 |
|
ELECTRONIC HEALTH INFORMATION EXPORT
ONC finalized its decision to require health IT developers provide the capability to electronically export all EHI they produce and electronically manage in a computable format. This change acknowledges that switching EHR systems is time consuming and expensive for providers and that it’s difficult for patients to access their medical information. This requirement takes effect in on May 1, 2023, three years after the final rule’s publication. There will be an additional three months of enforcement discretion exercised because of the COVID-19 pandemic.