Electronic Healthcare Records , Governance , Healthcare Information Exchange (HIE)

HHS Scolded for Delay in Issuing Health Info Blocking Regs

21st Century Cures Act of 2016 Required Action to Help Prohibit Blocking of Data Sharing
HHS Scolded for Delay in Issuing Health Info Blocking Regs

More than a dozen technology and medical organizations are asking the Department of Health and Human Services why it's taking so long to issue regulations aimed at limiting the blocking of health information sharing as called for under the 21st Century Cures Act of 2016. Such blocking can impede the delivery of care.

See Also: Live Webinar | Soaring Global Cyber-Gotchas: Dissecting the Ever-Expanding Threat Landscape

"It has been 601 days since the 21st Century Cures Act was signed into law. Every day that the administration delays implementation of these critical provisions places patients at risk of harm," says a letter the organizations sent to HHS on Monday.

Among those signing the letter were the American Medical Informatics Association, the American Academy of Family Physicians, Oracle and Reasearch!America.

"Information blocking impedes provider access to the most current, accurate or complete information on their patients. As the administration proposes and implements new rules related to open application programming interfaces and interoperability in Medicare's payment rules for hospitals and doctors, the lack of clear rules of the road needlessly creates uncertainty for vendors and providers alike," the letter states.

Under the 21st Century Cures Act, HHS is required to issue regulations to prevent inappropriate health information blocking and to also identify reasonable and necessary activities that do not constitute information blocking, the letter notes.

Further, the law requires the Office of the National Coordinator for Health IT to implement a standardized process for the public to submit reports on health information technology products not being interoperable or resulting in information blocking, the letter states. HHS' Office of the Inspector General has enforcement authority over vendors and providers who are found to engage in information blocking.

"The administration has had [more than] 601 days to draft and publish clear information blocking regulations," the letter notes. "We understand the nuance required but feel that it is past time for a proposal to be made."

Work in Progress

An ONC spokesman tells Information Security Media Group that the office is reviewing the letter. "We are working to issue the proposed rules as quickly as we can," he adds.

ONC is hosting an August 6-8 interoperability forum in Washington, which is addressing the topic of key barriers to interoperability.

During a session at the conference on Monday, Donald Rucker, M.D., who heads ONC, said information blocking is "hard to sort out" and the rule is a "work in progress," according to the news site Politico.

The HHS OIG did not immediately respond to an ISMG request for comment.

The 21st Century Cures Act calls for imposing monetary penalties of up to $1 million for organizations that participate in intentional and inappropriate information blocking - preventing or materially discouraging access, exchange or use of electronic health information as permitted by law.

ONC has been studying the issue of information blocking for several years, including issuing a report to Congress in April 2015 (see Overcoming Health Info Exchange Blocking).

What's Taking So Long?

A number of factors are likely contributing to the delay in HHS's information blocking regulations.

"The Cures Act is a tremendously complicated piece of legislation."
—Attorney Kirk Nahra

"The Cures Act is a tremendously complicated piece of legislation," says privacy attorney Kirk Nahra of the law firm Wiley Rein. The information blocking provision "is a small but very important part of it."

The government, Nahra says, "will need to balance a number of practical, technological and operational concerns with the generally accepted goal of preventing information blocking. I am not particularly surprised at the delays, between the administration change, the need for new appointees and the challenges in developing this approach."

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, says the delay is likely due "in large part to significant turnover following the administration change, which has resulted in delays in rulemaking and guidance throughout HHS.

"Additionally, while the current administration vocally supports interoperability efforts, it's not clear to me that they are supportive of the regulatory and punitive approach - [up to] $1 million in penalties - provided for in the 21st Century Cures Act, as opposed to more 'organic' solutions to improving interoperability."

The main impediment to interoperability has always been competitive forces, Greene asserts. "Whether you are a healthcare provider, health plan or health IT vendor, there has always been limited incentive to share health information with other providers, plans or vendors, respectively," he notes. "HIPAA often serves as a convenient excuse for not sharing data, but I don't think that it has ever been a true obstacle to sharing."

Addressing the Challenges

So, what can HHS potentially do to promote secure health information exchange and discourage inappropriate information blocking?

"I would like to see HIPAA and 42 CFR part 2 [regulations for federal substance abuse treatment programs] changed to focus less on unlawful disclosure of information when done through health information exchange, and more on unlawful access to or use of information," Greene suggests (see HHS Weighs Changes to Health Data Privacy Regulations).

"For example, there should be a safe harbor if an entity makes its records available to others and follows certain clearly defined requirements. Breach notification exposure and costs should fall on entities that access health information impermissibly, not entities who open their records to others for treatment purposes and then become the victim of bad employees at other organizations," Greene says.

What makes the issue of battling blocking so complex, Nahra says, is the question of what actually constitutes "blocking," when it's acceptable and when it's inappropriate.

Information Sharing Mandate?

Should healthcare providers be mandated to share patient information?

"I don't think that generally mandating disclosures under HIPAA is a good idea," Nahra says. "HIPAA gives permission to disclose in many circumstances, and then allows covered entities to exercise their reasonable professional discretion to determine whether a disclosure is appropriate."

Nahra calls on HHS to solicit ideas on the topic of addressing information blocking from a broad array of industry participants before issuing rules.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.