Overcoming Health Info Exchange BlockingONC Study Points to Missteps Among Providers, Tech Companies
The Office of the National Coordinator for Health IT has issued a new report to Congress outlining how the secure exchange of health information is sometimes intentionally and unreasonably blocked by healthcare organizations, technology services providers and electronic health record vendors. In some cases, the players are inappropriately invoking privacy and security concerns, ONC says.
The report, released on April 10, also shows how ONC is attempting to address the information blocking problem, but the agency says there is still more work that needs to be done, including ONC potentially working with other federal agencies, and Congress, to find solutions to tackle the challenges involved.
ONC's Report to Congress on Health Information Blocking was issued in response to a Congressional request last year for ONC to produce a report on the extent of health information blocking and a comprehensive strategy to address it.
ONC, which oversees standards and policies for the HITECH Act's financial incentive program for EHRs, has an effort under way to promote the interoperability of EHRs so that patient data can be securely exchanged among healthcare providers nationally, with the aim of improving patient safety and treatment outcomes.
Information blocking represents "an important challenge for achieving interoperability," said ONC leader Karen DeSalvo, M.D., during an April 10 press briefing to discuss the new report. "We know we have an opportunity to offer more clarity" about the issues involved with information blocking and interoperability, she said. ONC also has "tools" to address the information blocking issue, and is looking into "what other tools we might need," she added.
When Info Blocking Occurs
The report explains that information blocking occurs "when persons or entities knowingly and unreasonably interfere with the exchange or use of electronic health information." The study offers several examples of how information blocking is achieved by healthcare providers, EHR vendors and services providers. The excuses given for why healthcare information cannot be exchanged include contractual restraints, technical issues as well as patient privacy and security.
For example, when healthcare providers are accused of information blocking, a common charge is that some engage in blocking to control referrals and enhance their market dominance, the report notes. "Providers have cited many reasons for constraining access to electronic health information. The most common reason cited is to comply with privacy and security requirements," the report says.
"It has been reported to ONC that privacy and security laws are cited in circumstances in which they do not, in fact, impose restrictions. For example, providers may cite the HIPAA Privacy Rule as a reason for denying the exchange of electronic protected health information for treatment purposes, when the rule specifically permits such disclosures."
EHR vendors that intentionally block information exchange also are often motivated by competitive concerns, the report says. "Some complaints and anecdotes allege that developers are preventing the exchange of health information with competitors or with specific providers. A recurring allegation is that certain EHR developers refuse to establish interfaces or connections with certain technologies or entities - or will do so only on terms so onerous that they amount to a refusal for all practical purposes."
Some EHR vendors also cite security concerns, as well as business justifications, for these information sharing blocking practices. "Others provide no justification or, in some cases, appear to acknowledge a strong preference not to exchange information using federally adopted standards and to instead drive more users to exchange information using proprietary platforms and services."
EHR Vendor Woes
"Clearly some vendors make it harder than others to support export [of data] out of their products," says Devore Culver, executive director and CEO of HealthInfoNet, Maine's statewide health information exchange organization. "For some reason, they have come to believe there is a revenue opportunity moving clinical content to organizations like HealthInfoNet, so they create challenges and added expense for their clients."
In one of the worst cases Culver has seen involving a software developer blocking information sharing, he says one EHR vendor refused to support connection to HealthInfoNet unless the provider purchased a very expensive "hub" solution. "They also tried to then charge on a transaction basis. This really puts a damper on provider adoption of sharing information."
David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes: "Over the years, ONC and OCR [HHS Office for Civil Rights] have substantiated complaints from healthcare providers that vendors hold health information in an EHR hostage over the payment of service or equipment rental fees. However, HHS had been hard-pressed to find regulatory authority to take action in what were essentially contractual disputes between two private parties - a healthcare provider and a vendor of technology services. ... The government should consider requiring EHR vendors to employ technology that allows for interoperability or common exchange."
One example cited in the report involves software providers implementing a "kill switch" that, once activated, "encrypt all patient health records stored on provider's computer systems and renders the data inaccessible to the provider and its patients."
The "kill switch" has been used by EHR services vendors on healthcare provider clients involved with billing disputes, the report notes. While the report did not name a specific vendor or healthcare provider, such a conflict took place last year between Full Circle Health Care in Presque Isle, Maine, and CompuGroup, an EHR software provider based in Germany that has U.S. headquarters in Boston.
In that case, CompuGroup blocked Full Circle staff from accessing the medical histories on its 4,000 patients after the medical practice stopped paying CompuGroup a $2,000 monthly maintenance fee for 10 months (see EHR Vendor Dispute: Lessons Learned).
ONC noted that among other problems with the "kill switch" being used to block information sharing, "the vendor's refusal to make available electronic PHI to the healthcare provider may be a violation of state and/or federal security laws that require the availability of patient health information be maintained.
The agency says information blocking problems "can be most effectively addressed through a comprehensive approach, consisting of both targeted actions to deter and remedy information blocking as well as broader strategies that address the larger context in which information blocking occurs. ONC is already taking a variety of actions to target, deter and remedy information blocking and will coordinate with federal agencies that have the ability to investigate and take action against certain types of information blocking."
Actions to Take
Among the actions that can help address information blocking are measures involving ONC's certification program for EHRs that qualify to be used by providers receiving incentives under the HITECH Act. ONC's recommended steps include:
- Increasing in-field-surveillance of EHR products. The report notes that "ONC has proposed more aggressive surveillance requiring disclosure by developers of any limitations of the technology that may interfere with the ability of users to access or use certified health IT capabilities."
- Enhancing conformance testing, both in the controlled testing environment in which health IT is initially tested for certification and "in the field" during post-implementation surveillance and testing. "The latter is especially important for verifying that users of certified health IT are able to successfully access and implement certified capabilities that enable data portability and health information exchange."
- Establishing governance rules that deter information blocking. "Many types of information blocking could be mitigated by encouraging or requiring providers, developers and others that facilitate the exchange of electronic health information to adhere to certain basic expectations related to the availability and sharing of information for purposes of patient care."
- Improving stakeholder understanding of the HIPAA privacy and security standards related to information sharing. "Misapplication of privacy law may result in the denial of individuals' access to their electronic health information, prevent individuals from directing a healthcare provider to send their health information to another healthcare provider of their choice ... or prevent or deter providers from sharing individuals' health information with other entities for legitimate purposes allowed under applicable law."
- Referring illegal business practices to appropriate law enforcement agencies. "In limited circumstances, some types of information blocking may violate state or federal law. ONC will provide assistance where appropriate to help federal and state law enforcement agencies identify and investigate such conduct."
- Working with the Centers for Medicare and Medicaid Service to coordinate healthcare payment incentives and leverage other market drivers to reward interoperability and exchange and discourage information blocking. "Evolving healthcare payment from a volume to value-based system could play a significant role in preventing information blocking."
ONC also notes that there are still "significant gaps in current knowledge, programs and authorities that limit the ability of ONC and other federal agencies to effectively target, deter and remedy [information blocking] conduct." Adds Desalvo: "We're willing to work with Congress and others" to address the gaps.
An ONC spokesman says no Congressional hearings are yet slated on information blocking.