Digital Debut

CMS, ONC Release New Regulations on EHI

What these rules could mean for ASCs

BY ALEX TAIRA | MARCH 2019

On February 11, 2019, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) concurrently released two, long-awaited federal regulations addressing health information technology (HIT). The two rules seek to ease the flow of healthcare information, both from provider to patient as well as between providers, and add to a continually expanding regulatory framework governing electronic health information (EHI).

ASCA is continuing to work with officials at Medicare and in the ONC to determine what impact, if any, these regulations will have on ASCs. Until more information specific to ASCs becomes available, this overview of recent actions in this area can help ASCs anticipate how federal activity surrounding these priorities might affect their facilities, physicians and patients in the future.

The ONC proposed rule is called the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program or the Information Blocking Rule. As its title suggests, the rule seeks to define “information blocking,” a key term that has caused industry consternation since its introduction in Sec. 4004 of the 21st Century Cures Act. The rule also proposes a number of changes to elements of the ONC Health IT Certification Program and the 2015 Edition Certification Criteria.

The CMS proposed rule is called the Interoperability and Patient Access Rule. Whereas the Information Blocking Rule adds definition to existing rules and regulations, the Interoperability Rule builds on some of the current administration's policy priorities, namely, giving patients access and control over their personal health information (e.g. claims data) across public payers and providers.

As of the writing of this piece both rules are open for public comment until May 3, 2019. Additionally, there is strong industry pressure for CMS and ONC to extend the comment deadlines.

A Summary of Relevant HIT Regulation

The history of EHR regulation has been covered in the May 2018 issue of ASC Focus but is worth revisiting as the new rules directly build on previous laws and regulations.

The foundation for this year’s rules, and the governance of HIT overall, was laid in 2009’s Health Information Technology for Economic and Clinical Health (HITECH) Act, which carved out billions of federal dollars for the promotion and proliferation of HIT. Much of the HITECH dollars were for electronic health record (EHR) implementation stimulus via the Medicare and Medicaid EHR Incentive Programs; if a hospital or physician could prove that they were “meaningfully using” an EHR that adhered to certain federal standards they could receive thousands of dollars in incentive payments (beginning in 2014, there also were penalties for not using an EHR).

The federal standards delineating what qualifies as an acceptable EHR for physicians and hospitals to use are set by the ONC Health IT Certification Program. In 2010, ONC collaborated with the National Institute of Standards and Technology (NIST), to develop a multi-step process by which EHR platforms could be tested for compliance with a list of certification criteria (i.e., minimum EHR capabilities). The list of standard criteria has been updated through the years, with full criteria set “editions” released in 2011, 2014 and 2015. The 2015 Edition EHR Certification Criteria is the current standard.

The Incentive and Certification programs had their intended effect; ONC reports that more than 90 percent of eligible hospitals and clinicians are using certified EHR technology as of November 2018, up from 17 percent of physicians and 9 percent of hospitals in 2008, according to the November 2016 HHS report to Congress on HIT progress. EHR penetration is significantly lower in ASCs; rough estimates place EHR usage in ASCs under 20 percent.

However, incentivizing providers to implement a quality EHR was just the initial goal of HITECH. A more expansive goal was the free movement of EHI, both between providers—creating more efficient, precise care coordination—as well as from providers to patients. These two goals, respectively referred to as interoperability and patient access, were the purview of a landmark December 2016 bill called the 21st Century Cures Act. This act set new governmental parameters and responsibilities in a number of HIT areas, including specialty EHR certifications, an EHR reporting system and, most notably, the need for further definition for the term interoperability and its inverse, “information blocking.”

At this time, there is no ASC-specific EHR certification; while some ASCs use EHRs in their facilities, most products continue to be designed for use in either a hospital or physician office. This burdens clinicians who primarily operate in ASCs but treat enough Medicare patients to be eligible for payment adjustments (± 4 percent in 2019 rising to ± 9 percent by 2022) under the Quality Payment Program (QPP). To combat this burden, Congress included Section 16003 in the 21st Century Cures Act, which states that no payment adjustment related to meaningful EHR use will be made for eligible professionals who furnish “substantially all” of their services in an ASC. The definition of “substantially all” was clarified in the CY 2018 Inpatient Prospective Payment System (IPPS) Final Rule: an ASC-based eligible professional is one who furnishes 75 percent or more of covered professional services in an ASC setting.

From 21st Century Cures to the Information Blocking Rule

Section 4003 of the 21st Century Cures Act gives a definition to interoperability: “such healthcare technology that enables the secure change of electronic health information … without special effort on the part of the user.” However, the act also adds an important caveat, that technology is only considered interoperable if it “does not constitute information blocking.” Although Section 3022 of the act gives a broad definition of “information blocking”—practices “likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information”—and gives a few examples of such practices the definition is vague at best.

The 21st Century Cures Act did establish enforcement authority, giving the Health and Human Services (HHS) Office of the Inspector General (OIG) the power to levy civil penalties up to $1 million against entities found to be information blocking. First, however, the HHS secretary was to refine OIG’s enforcement power by establishing a list of reasonable business practices that would not constitute information blocking. This list of exceptions would be published in what stakeholders called the Information Blocking Rule. After several of delays causing significant industry displeasure, the rule was released in February 2019.

First, it is important to understand the actors who are subject to regulations in the rule: providers, developers of certified HIT, health information exchanges (HIEs), and health information networks (HINs). ASCs are included in ONC’s definition of “providers” (Section 3022 of the Public Health Service Act). ONC also proposes a new comprehensive definition for EHI: information that is 1) transmitted or maintained electronically, 2) identifies an individual, and 3) relates to the health condition of an individual, the provision of healthcare, or the payment for the provision of healthcare. Note that the definition as proposed certainly encompasses traditional clinical, electronic protected health information (ePHI) but also includes a broader range of healthcare-related information. ONC also requests comment on whether to include price information in their EHI definition, thereby giving them the power to regulate price transparency issues under the information blocking mandate.

How these broad definitions will affect the ASCs, and the healthcare landscape in general, is unclear. Although ONC has traditionally kept its purview to monitoring certified EHRs and the data they encompass, this rule suggests a much broader range of authority. At the time of publication ASCA is seeking clarification from ONC on ASCs exposure to regulation under the rule and will formulate comments that seek the least burden for ASC compliance accordingly.

As promised, ONC delineates seven circumstances which, if occurring, would not constitute information blocking. The circumstances are more categorical than specific, as ONC sought to provide a comprehensive response to industry concern regarding information blocking while also accounting for “legitimate practical challenges” that actors might face in individual cases. The seven exceptions are:

1. Preventing harm
2. Promoting the privacy of EHI
3. Promoting the security of EHI
4. Recovering costs reasonably incurred
5. Responding to requests that are infeasible
6. Licensing of interoperability elements on reasonable and non-discriminatory terms
7. Maintaining and improving health IT performance

Although the information blocking proposal was the most anticipated and the longest section of the rule, ONC asserts a few other proposals as well. ONC proposes a new approach for initial and ongoing certification for health IT developers and their certified products. This is essentially a matched regulatory structure: developers must adhere to seven conditions—such as not information blocking, publishing application programming interfaces, and undergoing real world testing—to participate in the Health IT Certification Program. These are initial requirements, and for each of the seven conditions there are separate Maintenance of Certification Requirements that demonstrate ongoing compliance. If a developer or platform is found to be in violation of the initial conditions or maintenance conditions, their participation in the program may be terminated.

The rule also includes changes to the 2015 Edition Certification Criteria and the Health IT Certification Program overall. The Common Clinical Data Set (CCDS), the standard for common clinical vocabulary in HIT, is being replaced by a new US Core Data for Interoperability (USCDI) Standard. The electronic prescribing and clinical quality measures criteria are being updated to align with CMS standards and two new certification criteria—EHI export and Application Programming Interfaces (APIs) are being proposed. Finally, to show support for health IT across the care continuum ONC asserts recommendations for the voluntary certification of HIT by pediatric providers, noting the 2015 Edition criteria which best support care in pediatric settings.

For more information on the proposed rule visit the ONC website.

Interoperability and Patient Access Rule

Whereas the Information Blocking Rule expands the regulatory framework set forth in the previous laws and regulations, CMS’ Interoperability and Patient Access Rule expands on the current administration’s policy priorities.

In March 2018, CMS Administrator Seema Verma announced two new initiatives—My Health eData and Blue Button 2.0—aimed at empowering patients by giving them greater control over their healthcare data. The initiatives were a direct response to President Trump’s October 2017 Executive Order 13813: Promoting Healthcare Choice and Competition Across the United States. In her address announcing the initiatives, Verma asserted that empowering patients, that is allowing them to “make their own decisions based on quality and value,” is the key to reducing overall healthcare costs.

Blue Button 2.0 is an extension of an ongoing federal initiative started in 2010, which gave patients a simple, user-friendly mechanism to download their personal healthcare data. The specific information varies by payer (i.e., the Department of Defense’s TRICARE or Aetna) but can include information from a medical record, medications, lab results and claims information. Blue Button 2.0 extends this capability to developers working with Medicare enrollees, giving any developer the ability to integrate their platform with four years of health data from Medicare’s 53 million beneficiaries.

One year after Verma’s announcement details are much scanter on My Health eData. The initiative involves a number of governmental agencies and has the broad goal of giving patients “true control of their own health records from the device or application of their choice.” The proposals contained in this year’s Interoperability and Patient Access Rule give some visibility into the regulatory framework for achieving that goal. Entities subject to the rule’s proposals are generally limited to Medicaid and CHIP Fee-For-Service (FFS) programs/state agencies, Medicare Advantage (MA) organizations, Medicaid and CHIP Managed care entities and Qualified Health Plans (QHPs) in federally facilitated exchanges (FFEs).

Parallel to the efforts of the Blue Button 2.0 initiative, CMS is proposing to require that the above listed entities make healthcare information available to patients/enrollees via openly published APIs. This would allow third-party developers to build programs that give patients access to their healthcare data in a user-friendly platform. Entities also would be required to forward enrollee information to a different plan designated by the beneficiary even up to five years after a beneficiary has disenrolled. CMS states that these proposals could allow health information to follow up to 125 million enrollees, easing transitions of care and reducing burden and redundancy. Although most if not all of the entities in question already have a requirement to publish a provider and pharmacy directory, CMS is proposing an additional requirement that both directories be made available through an API.

The most controversial proposal in the new rule regards an update to the hospital conditions of participation (CoP). CMS is interested in leveraging electronic patient event notifications as a tool for improving beneficiary care coordination. Therefore, CMS is proposing to revise the CoPs for Medicare and Medicaid hospitals to require them to send electronic patient event notifications for admission, discharge or transfer to other facilities and community providers. The information sent could vary, but at minimum would include the patient’s demographic information, the treating practitioner name and the sending institution. The patient would identify the facilities and providers that would receive automatic notices. Because this is a change to the CoP, hospitals that cannot demonstrate compliance with this proposal would lose the ability to receive reimbursement for treating Medicare enrollees. Upon release of the rule, a number of hospital organizations expressed strong disapproval for the proposal.

Together, the Information Blocking Rule and the Interoperability and Patient Access Rule represent significant expansions in the regulatory framework for EHI. As noted above, a number of stakeholders have already expressed concern that the traditional 60-day comment period is insufficient to formulate a comprehensive response. For more information, write Alex Taira."