The 21st Century Cures Act covers a great deal of territory, with provisions that dedicate billions to NIH funding, Alzheimer’s research, FDA operations and the war on opioid addiction. It also contains a section prohibiting “information blocking.”
One section of the law lists attempts to define information blocking, and lists some of the key ways healthcare players drag their feet when it comes to data sharing. The thing is, some industry organizations feel that these provisions raise more questions than they answer.
In an effort to nail things down, a trade organization calling itself Health IT Now has written to the HHS Office of Inspector General and ONC head Donald Rucker, MD, asking them to issue a proposed rule answering their questions. Parties signing the letter include a broad range of healthcare and health IT organizations, including the American Academy of Family Physicians, athenahealth, DirectTrust, AMIA, McKesson and Oracle.
I’m not going to list all the questions they’ve asked. You can read the entirety yourself. However, I will share two questions and offer responses of my own. One critical question is:
- What is information blocking and what is not?
I think most of us know what the law is trying to accomplish, e.g. foster the kind of data sharing needed to accomplish key research and patient care outcomes goals. And the examples of what it considers information blocking make sense:
- Practices that restrict authorized access, exchange, or use [of health data] under applicable State or Federal law
- Implementing health information technology in nonstandard ways that are likely to substantially increase the complexity or burden of accessing exchanging or use of electronic health information
- Implementing health information technology in ways that are likely to lead to fraud, waste, or abuse, or impede innovations and advancements health information access, exchange, and use
The problem is, there are many more ways to hamper the sharing of electronic health data. The language used in the law can’t anticipate all of these strategies, which leaves compliance with the law very much open to interpretation.
This, logically, leads to how businesses can avoid running afoul of the law:
- The statute institutes penalties on vendors to $1 million per violation. How should “per violation” be defined?
Given the minimum detail included in the legislation, this is a burning question. Vendors need to know precisely whether they’re in the clear, violated the statute once or flouted it a thousand times.
After all, vendors may violate the statute
- When they refuse data access to one individual within a business one time
- When they don’t comply with a specific organization’s request regardless of how many employees were in contact
- When a receiving organization doesn’t get all the data requested at the same time
- When the vendor asks the receiving organization to pay an administrative fee for the data
- When individuals try to access data through the web and find it difficult to do so
Would a vendor be on the hook for a single $1 million fine if it flat out refused to share data with a client? How about if it refused twice rather than once? Are both part of the same violation?
Does the $1 million fine apply if the vendor inadvertently supplies corrupted data? If so, does the fine still apply if the vendor attempts to remedy the problem? How long does the vendor have to respond if they are informed that the data isn’t readable?
What about if dozens or even hundreds of individuals attempt to access data on the web can’t do so? Has the vendor violated the statute if it has an extended web outage or database problem, and if so how long does it should have to get web-based data access back online? Does each attempt to access the data count as a violation?
What standard does the statute establish for standard vs. non-standard data formats? Could a vendor be cited once, or more than once, for using a new and emerging data format which is otherwise respected by the industry?
As I’m sure you’ll agree, these are just some of the questions that need to be answered before any organization can reasonably understand how to comply with the law’s information blocking provisions. Asking regulatory agencies to clarify their expectations is more than reasonable.