Where Health IT Stakeholders Stand (Part 1): ONC Rules on APIs, Information Blocking and Data Exchange

Health Consulting

Since this past February, many health IT companies have been reviewing, commenting on, and trying to understand the business model and production implications of the newly proposed Federal rules on health data interoperability, information blocking, health IT certification, and health data exchange related to Medicare/Medicaid conditions of participation. If your business touches the health IT sector and you haven’t been following these rules, you should be—the final versions of these rules will be game changers for the health IT sector. Now that the comment periods for these rules have closed, Elevation Health Consulting is working to support savvy health IT business leaders in trying to understand public sentiments and anticipate regulatory language for the upcoming final versions of these rules to accurately steer their companies.

We have pored over the public comments submitted on these draft rules and want to provide you with important common themes that have emerged from health IT stakeholders across the health sector. Here, we’ll focus on the draft rule released by the Office of the National Coordinator for Health IT (ONC) that focuses on ensuring that health information technology (HIT) systems send and receive electronic health information (EHI) in a way that would make the information more readily available to users across platforms while ensuring patient privacy and security. Notably, the rule includes information blocking exceptions, which specify what is and is not information blocking. Information blocking is defined as: a health care provider, health IT company, or health information exchange or network attempting to block the sharing of EHI. The goal of these updated rules is to encourage competition in the Health IT field while simultaneously helping patients access their information in a helpful, secure way.

Here are the top 5 issues raised in public comments on the February 2019 ONC draft rule:

1. Movement towards FHIR APIs for certification: While most commenters supported the ONC’s decision to update the certification program to Fast Healthcare Interoperability Resources (FHIR®) standards, there was a mix of commenters who want the ONC to drop the certification requirement for application programming interfaces (APIs) or felt that compliance would be too expensive, both for the Health IT company as well as patients. In order to assuage these cost worries, both monetary and level of effort, most commenters believed that FHIR Release 4 would be the best option, as it is the most standardized and forward-looking. Additionally, developers not currently using Release 4 will have time to adopt and implement these standards. Commenters also noted that Release 4 is the only version that has backwards compatibility with prior versions of FHIR and can manage population-level data.

What this may mean for your company: Your company should be thinking about adopting FHIR Release 4 for data exchange. Consider the fact that you may need to invest additional business resources to update your product design and become ONC certified. That said, if ONC finalizes a requirement for certified health IT developers to adopt FHIR Release 4 there will be plenty of time for vendors to adopt the standard.

2. The definitions of HIN, EHI, and Providers: Many of the commenters felt that the way the ONC rule applied these terms to companies and providers was much too broad. They felt that this could lead to misunderstandings about who the information blocking rules are applicable to and what information could, or should, be disclosed. For example:

a. On the HIN (Health Information Network) definition, the feedback noted that basically every vendor who provides even a tiny slice of interoperable capabilities is a HIN, and could include organizations such as banks who provide electronic payment for claims. This would encompass a number of companies that have not considered themselves part of the industry, and require them to follow ONC’s rules.

b. Many commenters worried that the definition of EHI was too broad and could cause companies to release more information than necessary in order to avoid an information blocking penalty. The expansive definition also makes data not normally thought of as health data (such as risk scores, clinical decision support rules, etc.) freely available to everyone, including those who did not pay for the development of such data.

c. In the current version, commenters felt that ONC’s definition of “provider” is too broad and includes many sectors of stakeholders who never received Health IT incentive dollars for the government’s Meaningful Use (of Health IT) program to improve their health information interoperability capabilities. Commenters from these sectors felt that it would not be fair to be held under the same umbrella as those groups who received government assistance over the last decade.

What this may mean for your company: If your business products and data platforms hold data, you will want tighter definitions of these terms that provide clarity on which rules will apply more specifically to you. Broader definitions will require more effort and resources to avoid government penalties for non-compliance. However, if your company’s products rely on increased data access to information from other health data stakeholders, you will want ONC to stick to broader definitions so that information blocking rules will apply more widely to entities from which you want data access. Note that most products that rely on access to information from other stakeholders would also be regulated themselves should the broader definitions remain.

3. Clarification on EHI privacy and security updates: Many commenters were concerned about the stated exceptions to information blocking regulations and how they would interact in real life situations. They are worried about having to choose which rule to break, HIPAA or information blocking. Additionally, commenters are concerned about entities that take overly broad interpretations of HIPAA, as they worry these organizations will use it as a justification for avoiding information blocking requirements. Stakeholders have asked for clearer rules that lay out specifically how to release/hide information to protect patient confidentiality without violating information blocking rules or running into an issue of other companies not acting in good faith and trying to hide information blocking tactics behind adhering to HIPAA regulations.

What this may mean for your company: Clearer rules will help your company avoid accusations of information blocking (and the possible legal and monetary consequences) or prevent other companies from using these overlaps to gain an unfair advantage. Wherever the ONC rule remains ambiguous, you will have to create a business model that incorporates time and resources to learn from real-world evidence regarding what penalties the federal government will enforce around information blocking practices.

4. Definition of “costs reasonably incurred”: Commenters were noticeably worried about what “reasonable costs” meant in relation to companies using information blocking (particularly blocking access to, exchange of, or use of EHI) to recoup costs (or make a profit). Some commenters were concerned that this was open to a large array of interpretations and that companies could choose to understand it as they wanted. Others were concerned that companies would not be able to remain sustainable and may be beholden to product design decisions made before this rule was proposed. Commenters seem to be looking for a more defined explanation of what “reasonable” might mean with regard to company size or age, and want the ONC to lay out how companies can generate appropriate profit for valuable tools and services without federal overstepping.

What this may mean for your company: If your company’s revenue model relies on fees for data access, data processing, data exchange, or even services such as risk score or clinical decision support generation, this portion of the ONC rule can have major consequences for your bottom line. You will want ONC to lay out an even playing field that ensures your cutting-edge technology can be a profitable business without withholding access to patient, customer, and client information arbitrarily.

5. Timeframe of rule enforcement: As we noted in a prior blog, just because a law is signed does not mean it immediately goes into effect. Many commenters interpreted the information blocking provisions as going into effect the day the rule is finalized, and worried about the new business and accounting practices that entities would need to adopt to comply with the regulations. This will be a reality for some of the information blocking rule exceptions. However, the certification requirements in the rule would not go into effect until years after the final ONC rule is published. This would give invested parties plenty of time to make their companies compliant in a reasonable and responsible way.

What this may mean for your company: Your company must consider scenarios where information blocking may be enforced immediately. That said, ONC’s intent seems to be for case precedent to define information blocking outside of what they have specifically defined as “not information blocking.” This means that in some cases, it may take some time to identify some of the nuances around the definition of information blocking against which your company can design evolved business strategies and product designs. It will be important to seek counsel from experts on the breadth of the “information blocking” definition throughout the next few years.

Overall, commenters appreciated ONC’s aim to improve the flow of information, but advised that the final outcome of ONC’s rule would not produce the intended results and would in fact lead to multiple unintended consequences. Stakeholders are looking to ONC to release a final Rule with less confusion and fewer potential pitfalls, and one that incorporates better business sustainability. Whatever direction ONC takes, it will be important for you to work with regulatory experts, like Elevation Health Consulting, to stay ahead of the competition and to navigate this changing environment seamlessly.

Stay tuned for our next blog where we will cover the business implications of the top issues stakeholders addressed in the 2019 CMS Interoperability and Patient Access Proposed Rule.


© 2020 Elevation Health Consulting. All Rights Reserved.