In my first article on 21st Century Cures rulemaking, of what is to be many posts and presentations, we are first going to talk about the need to take this rule seriously, and its inevitable enforcement.
21st Century Cures prohibits “information blocking,” which is any practice that could materially interfere with a patient’s (or their authorized representative’s) ability to access, exchange, or use their electronic health information without special effort – unless an exception applies. HISTalk, a great source for health IT news and gossip, has reported that both the Office of the National Coordinator for Health IT (“ONC”) and the Centers for Medicare & Medicaid Services (“CMS”) are going to release their final rules implementing the prohibition tomorrow morning. In the next few days, lawyers, compliance professionals, and policy gurus will be writing about what the rule means, this blog included. However, prior to its release, it is important to take note on how this is going to be enforced. And we know enforcement is coming.
Enforcement is left to the Office of the Inspector General (“OIG”), who has requested $5.3 million to enforce the prohibition in their 2021 annual budget. Within the OIG, the attorneys at the Affirmative Litigation Branch – who are generally focused on fraud, waste, and abuse actions – will take the lead. The budget also states that OIG will bring on three full-time employees to help enforce the prohibition. The OIG will likely pair the investigation of inbound complaints about health IT developers and providers with proactive audits to achieve its goals. When the OIG finds a developer engaged in information blocking, it may impose a civil monetary penalty up to $1 million.
However, that is not the end of enforcement. 21st Century Cures rulemaking also bakes attestations regarding information blocking into the health IT certification process. This gives the ONC enforcement capabilities by virtue of ONC Direct Review of certified health IT. If the ONC finds that a vendor engaged in information blocking, it would constitute a certification nonconformity. When ONC finds a certification nonconformity, it may take three paths depending on the severity of the issue:
- Implement a corrective action plan;
- Suspend a developer’s certification, which means it may not be sold until the suspension is lifted;
- Removing the health IT product’s certification; and in the most extreme cases,
- Banning a health IT developer from the ONC Health IT Certification Program.
Option (3) and (4) would likely be even more severe than a mere $1 million penalty because it essentially kills the product’s or company’s viability in the health IT market.
Other enforcement mechanisms exist as well. Invariably, certifiers will have to face questions regarding information blocking, and they have powers similar to the ONC. Given that these attestations invariably become related to reimbursement from federal healthcare programs, False Claims Act (“False Claims Act”) actions are another viable enforcement tool. On the provider side, we’re already seeing conditions of participation crop up as one blunt tool. Further, information blocking attestations are already a part of the Merit-based Incentive Payment System’s reporting process – which again ties this back to the FCA.
For health IT developers and health information networks/exchanges, the stakes could not be higher. Conforming with these rules is not an option: it is potentially a matter of life or death. Get ready to listen to all those lawyers, compliance professionals, and policy folks. They’re banging the drum because this is a big deal, and it’s here.
eHealth Law Blog 
Great Article David! Very informative. Information sharing has been a primary topic of discussion with our clients lately. We have been suggesting Common-well Health alliance to them, but those that have enrolled in Common-well and consented their patients are still not getting the up to date patient information they really need from hospitals and other providers because the patient has to be consented by both entities. Some of these other entities, particularly hospitals seem to be reluctant to share information electronically. I hope the ONC is considering this as well in their decision. HIE’s are a cost effective way to look at updated patient information and pull the discreet data that is needed into the treating providers EHR. I know it has been very beneficial to the clinical teams we work with that do TCM (Transition of Care) as well as treating many chronically ill patients that see multiple specialists with different EMR/EHR platforms. It would be great if everyone had Direct messaging and used it, unfortunately it has been around for quite awhile and still has not caught on like intended. I hope the ONC looks at making HIE’s Mandatory for patients being seen under Medicare/Medicaid. Sharing data freely will certainly save lives and costs. After all, if i am consented to share my health information by my provider, then it should be for every provider that sees me, right? Commercial Insurance will surely follow. This would make the population health platforms more effective as well. Predictive algorithms and risk stratification don’t work as well without all the Patients Discreet data as all know.
LikeLiked by 1 person
I think the devil will be in the details of enforcement. With this rule, if a patient wants their data to go to an HIE and the HIE is willing to receive it, the data custodian (whether a healthcare provider, or health IT developer, or other data custodian that falls within the statute’s scope) must release it, subject to certain exceptions. The developer fines are well defined (up to $1mn). The scope of enforcement for healthcare providers – we’ll have to see. More rulemaking is coming from OIG too, which may add more clarity.
LikeLike