The exchange of health information remains a key area of focus in the ongoing efforts by the U.S. Department of Health and Human Services (HHS) to reduce healthcare costs and improve population health.
However, several hurdles often make it difficult for healthcare organizations and EHR software vendors to participate in health information exchange, ranging from software limitations to high technology costs and a lack of data access processes. Despite those challenges, HHS is not taking no for an answer with a proposed rule to facilitate health data exchange.
The recent proposed rule from the Office of the National Coordinator for Health Information Technology (ONC) is designed to encourage healthcare providers to facilitate health data exchange by imposing civil penalties on those who actively block health information from flowing in and out of their EHR into an exchange, another EHR platform or as an export for a patient. This is a departure from the agency's previous efforts that incentivized physicians to adopt certified health IT systems and meet the requirements of meaningful use in order to receive bonus payments.
Healthcare organizations will have to determine if their current EHR meets ONC's updated certification requirements for health IT modules in order to avoid any penalties. Some of these certifications focus on the EHR capabilities around information blocking, assurances, communications, APIs and real-world testing, as well as attestation. An organization will have to decide whether to move away from its current system if the system doesn't meet the new requirements or work toward finding an alternative that supports health data exchange.
Healthcare organizations are also required to adopt policies that eliminate obstacles that prevent patients from accessing their health data. Patients should also be able to transfer their data to other entities for review or record-keeping. These entities include personal health records, research institutions, medical registries and HIEs.
Information blocking exceptions
The 21st Century Cures Act proposed rules for interoperability and information blocking do take into consideration that some healthcare organizations simply can't meet the new mandates for information sharing. There are currently seven published exceptions to the ruling.
- An actor may engage in practices that are reasonable and necessary to prevent physical harm to a patient or another person.
  - The actor must have a reasonable belief that the practice will directly and substantially reduce the likelihood of physical harm to a patient or another person.
  - The practice must implement an organizational policy that meets certain requirements or must be based on an individualized assessment of the risk in each case.
- An actor may engage in practices that protect the privacy of EHI.
  - An actor must satisfy at least one of four discrete sub-exceptions that address scenarios that recognize existing privacy laws and privacy protection practices.
    - Practices that satisfy preconditions prescribed by privacy laws.
    - Certain practices not regulated by HIPAA, but which implement documented and transparent privacy policies.
    - Denial of access practices that are specifically permitted under HIPAA.
    - Practices that give effect to an individual's privacy preferences.
  - The information blocking provision will not require that actors provide access, exchange or use of EHI in a manner that is not permitted under the HIPAA Privacy Rule.
  - General conditions apply to ensure that practices are tailored to the specific privacy risk or interest being addressed and implemented in a consistent and non-discriminatory manner.
The change in requirements isn't just on the software front -- healthcare organizations need to adjust their workflows and processes to facilitate health data exchange.
As more systems are allowed to access health data, security concerns will become one of the biggest issues organizations face as they try to balance information access with ensuring that data is adequately protected under HIPAA and other privacy laws.