On October 29th, the United States Department of Health and Human Services’ Office (HHS) and the National Coordinator for Health IT (ONC) announced deadline extensions for the newly implemented Information Blocking Rule and Health IT Certification Requirements.
The Health IT Certification Requirements enhance patients’ smartphone access to health information at no cost to the patient. Greater efficiency is accomplished through the use of Application Programming Interfaces (APIs).
ONC originally set the compliance deadline for the Information Blocking Provisions and Conditions and Maintenance of Certification (CoC/MoC) requirements for November, 2, 2020. However, due to the Public Health Emergency, ONC has exercised its enforcement discretion to provide new applicability and compliance timeframes.
By April 5, 2021, Providers will be expected to comply with the following provisions/requirements:
- Information Blocking provisions;
- Information Blocking provisions;
- Assurances CoC/MoC requirements;
- API CoC/MoC requirements; and
- Communications CoC/MoC requirements.
By December 31, 2022, providers will be expected to comply with the following:
- 2015 Edition Health IT certification criteria updates (except for EHI export, which has been extended until December 31, 2023); and
- New standardized API functionality.
ONC has also provided a One-Calendar Year extension for the submission of initial attestations, submission of initial plans, and results of real-world testing.
Information Blocking Provisions and CoC/MoC Requirements
The Program’s CoC/MoC requirements now outline initial, as well as ongoing, certification requirements for health IT developers and their certified Health IT Modules. These new requirements seek to ensure that, unless specifically provided for, that certified health IT developers ensure that all of its health IT and related actions do not constitute information blocking, or in any way inhibit appropriate access, exchange, or use of Electronic Health Information.
The Information Blocking rule requires that electronic health data be made available to patients at no cost while also defining exceptions to Information Blocking. These exceptions include:
- Preventing Harm;
- Health IT Performance;
- Cost; and
- Content and Manner.
Each Information Blocking exception comes with certain conditions that must be met to satisfy the exception.
Assurances CoC/MoC Requirements
As a Condition of Certification, the health IT developer must provide assurances to the Secretary that, unless for a legitimate purpose specified by the Secretary, the developer will not take any action that constitutes Information Blocking.
API CoC/MoC Requirements
Health IT developers will now be required to publish APIs that allow “health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, as provided for under applicable law” (85 FR 25642).
Additionally, health IT developers must provide access to all data elements of the patient’s electronic health record (EHR), so long as that access is permissible under the privacy laws.
Communications CoC/MoC Requirements
Health IT developers must, as a Condition of Certification, ensure that they do not prohibit or restrict communications about the performance of health IT and the developers’ related business practices. Provisions of the Certification requirements permit developers to limit prohibitions and restrictions provided that a balance exists between open communication and the developers need to protect a legitimate business interest. However, health IT developers may place limitations on certain types of communications, such as screenshots or video.
Additionally, as a Maintenance of Certification requirement, a health IT developer may not enter into or propose a contract that would waive the requirement to have open communication. A developer with existing contracts should amend or make void any such provision when the contract is next modified.
Impact to Hospitals
CMS estimates hospitals, psychiatric hospitals, and critical access hospitals will spend approximately $5.2 million in the first year on the new rules and subsequently $1 million per year.
As the Rules apply to hospitals, key aspects include a new condition for those participating in Medicare and Medicaid to create electronic notifications to be sent to another facility, provider, or practitioner upon patient admission, discharge, or transfer. Additionally, by late 2020 CMS will begin reporting publically on providers that engage in information blocking. Public reports will be based on responses to Promoting Interoperability Program requirements and those that do not provide digital contact information in the National Plan and Provider Enumeration System (NPPES).
While the American Hospital Association (AHA) is generally aligned with the ONC final rule, they have acknowledged that the rule falls short of fully protecting consumers’ private information. The AHA raised concern with a lack of protection from third-party apps not held to the same security and privacy standards as hospitals. Concern remains that this difference in standards could lead to misuse of patient information.
Advis is available to perform a compliance review for your IT department. Advis is prepared to review any policies, procedures, and/or contracts that may exist related to patient access to information. Advis will continue to monitor for any changes or clarifications to the above requirements. As always, we will report any changes or clarifications to you in a timely manner. For any assistance with these specific requirements, please contact our office at 708-478-7030.
Published: November 10, 2020