Healthcare Information "Unblocking" is Here. Now What?
Federal rules have a way of making life challenging for healthcare IT executives. Often, new regulations saddle them with responsibilities over which they may have only partial influence.
On April 5, CIOs began to take ownership of their piece of interoperability. It’s something that will require industrywide compliance and cooperation to reach the benefits that the regulations envision.
A few weeks ago, rules from the 21st Century Cures Act affecting information blocking went into effect. This culmination of years of efforts by federal agencies to encourage broader information sharing among healthcare industry participants. With the new rules, the floor of what constitutes compliance has been delineated.
The law impacts healthcare providers, health IT developers of certified health IT, health information networks, and health information exchanges. The Cures Act defines information blocking and establishes penalties for entities that interfere with the access, exchange, or use of electronic health information (EHI).
The industry gets 18 months to adjust to the change, with EHI being defined as the data elements represented in the United States Core Data for Interoperability (USCDI Version 1). “This initial 18-month period and limited scope give the regulated community time to grow more experienced with the information blocking regulation, including when and how to meet an ‘exception,’ before the full scope of the regulation’s EHI definition comes into effect,” said the announcement of the implementation of the new rule.
So in the month since the regulations went into effect, healthcare organizations have been working to ensure that they are not running afoul of the new requirements. IT department leaders and organizations’ compliance departments have been working behind the scenes to establish and modify policies to ensure that their practices align with the regulations. Beyond just technical activity, compliance also has resulted in new educational pushes to provide medical staff, and others in charge of the flow of information are aware of the implications of the new rules.
These new rules have caused concern among execs because releasing information to outside parties raises how external entities might use patients’ clinical data. There’s been some good news on this front, as the Office of the National Coordinator for Health Information Technology has offered guidance that establishes flexibility here, intending to get the ruling live. ONC has stated that misuse of patient data by an outside third-party app will not be the provider’s fault, as long as the app developer is not a business associate of the provider. This type of risk has been a massive concern for health systems and their IT executives, so this immediate relief promises a degree of insulation from risk.
Still, the ONC guidance shows that some previous discretion in compliance won’t be available. For example, the agency said a covered entity cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives.
This and many other changes will make compliance a learning experience for many organizations, mainly as they work with their HIT vendors. Most health systems’ IT departments are not development shops but instead rely on commercial off-the-shelf solutions. It is crucial to ensure that the vendor landscape complies and has made adjustments to comply with the information blocking criteria. The struggle is that health systems are still on the hook for compliance, so vendor management is essential.