Providers worry info blocking rules could be ‘weaponized’
Complaints are being filed on federal websites, charging restricted access to patient data, even though enforcement action is yet to be released.
Healthcare policy executives and other stakeholders are running scared over the upcoming enforcement of the information blocking rules, released this April, and that fear is twofold.
First, consumers have already begun to file complaints charging violations of the rule, forcing those who have been attacked to get legal counsel prior to an enforcement reg even being established. Secondly, penalties can be as much as $1 million for health IT vendors, health information exchanges and health information networks.
Compounding the problem, some observers say the federal government is having trouble determining how to interpret exceptions to the rule and has indicated it may learn as it goes. This means that federal enforcers will be refining their approach on the first organizations charged with violations of the regulation, some industry experts fear.
The Department of Health and Human Services’ Office of the Inspector General (OIG) sometime this fall is expected to release an enforcement regulation that will apply to health IT vendors, health information exchanges and health information networks.
Enforcement for healthcare providers will come in the form of disincentives under a policy to be released by the Centers for Medicare & Medicaid Services (CMS). One policy executive interviewed for this article in the last couple months said decisions are nearing on this component of the regulation, although final decisions have yet to be made.
Either way, there is concern in the industry that the regulation could be overzealously employed in instances where it is not merited. Complaints about potential information blocking can be lodged on the website of The Office of the National Coordinator for Health IT (ONC), and several have already been filed, according to healthcare attorney Stephen Gravely.
Gravely, of Richmond, Va.-based Gravely Group, says he expects enforcement of this rule to be “a huge deal. It’s a freight train coming down the tracks.” His firm has fielded ONC complaints for a couple of clients that he can’t name, which were cited on the ONC website.
“The rule is a sleeper,” Gravely says. “Folks are already weaponizing this rule. This is a big club that people can try and use to scare people.”
Even though complaints can’t lead to an enforcement action at present, they pose legal expenses as organizations have responses prepared. Currently, the complaints are not being made public by ONC or the OIG, but they could be in the future, he says.
Gravely says everything that happens between April 6 and whenever the final rule is made enforceable could leave organizations vulnerable. “We haven’t seen anything yet that doesn’t say OIG won’t go back to April 6 to see what an actor has been doing,” he says.
Leigh Burchell, vice president of government affairs and public policy for Allscripts, says it’s not out of the question that the regulation could be weaponized. “I wonder if ONC and OIG are prepared for the number of misunderstandings that will come their way,” she says. “You’re going to see a lot of industry churn around this rule; people filing complaints but misunderstanding what the reg allows for or requires. It will be a good amount of work for lawyers.”
According to Burchell, Allscripts supports the kind of enforcement rollout on this reg that was used for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), where education and corrective actions were used first, to help the industry learn before penalties were levied. Burchell will be looking to see something like that is in the final rule.
Mariann Yeager, CEO of the Sequoia Project, says because the rules aren’t fully clarified by ONC yet, it’s difficult to know what constitutes a best practice at this point. These rules require “getting down into the specifics,” including the rights for those filing complaints, and how to address those complaints, she says.
“Enforcement will be where the rubber meets the road,” Yeager says. “There’s so much work to do in advance of that. These rules are very complicated, requiring more than just a one-time review and setting up a compliance policy. It boils down to scenarios.”
Avoiding penalties will involve seeing how regulators interpret the rules and the perspective they will take on particular gray areas, Yeager says.
Joseph Cody, associate director of research and innovation policy at the American College of Cardiology, says enforcement for physicians could range anywhere from fines to being excluded from Medicare. ACC has had conversations regarding the disincentives at a high level with CMS, with their top objective being to ensure that if a physician is accused of information blocking, the process doesn’t become overly burdensome to raise a defense oneself. “Anyone can issue an accusation on the ONC website. We want it to be fair,” he says.
Andrew Tomlinson, director of federal affairs at the College of Healthcare Information Management Executives (CHIME) says when it comes to enforcement, the professional organization would like to know how the OIG wants requests documented. In addition, there is significant ambiguity around how providers who act as an HIE or HIN will be treated. CHIME has queried ONC on these matters and at the time this story was reported has not received further clarification. It is imperative that providers that function as an HIE or HIN – and do so for the purpose of furthering interoperability to improve patient care -- are not subjected to punitive enforcement. “We strongly believe these actors should always be treated as providers and not as HIEs/HINs for enforcement purposes,” he says.