Groups Urge HHS to Extend 'Information Blocking' DeadlineConfusion and Other Challenges Still Hinder Compliance Efforts, Says Letter
A slew of heavyweight lobbying groups from the healthcare industry is calling on the federal government to hold off from penalizing medical providers who don't facilitate the easy digital sharing of patient data.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The College of Healthcare Information Management Executives and nine other health industry groups including the American Medical Association say their members need at least another year after a looming Oct. 6 deadline before they can comply with regulations that prohibit "information blocking."
"The need for more time to ensure all providers and clinicians understand the policies, are prepared to meet them and have the technology to support these policies are critical," the associations wrote in a letter addressed to Department of Health and Human Services Secretary Xavier Becerra.
An HHS spokesman tells Information Security Media Group the agency is not aware of any intention to delay the Oct. 6 deadline. "The facts and circumstances of each alleged information blocking situation would need to be evaluated by HHS before any potential enforcement action is made," he said. "Whether a practice constitutes information blocking depends on the unique facts and circumstances of the practice."
Information blocking is a term that has weighed on the health industry since Congress approved a 2016 law aimed at giving patients access to their data via application programming interfaces (see: 21st Century Cures Act Awaits President's Signature).
Under the HHS regulations, information blocking is a practice by an entity likely to interfere with the access, exchange or use of electronic health information, except as required by law or specified in eight exceptions.
"We want patients to get their medical records on their smartphones. We want consumers to shop for care on their smartphones," said then-National Coordinator for Health Information Technology Donald Rucker during a 2018 House committee hearing.
The law put an Oct. 6, 2022, deadline on organizations to start sharing all the data contained in a designated record set or, depending upon the type of entity, potentially face designation as an information blocker subject to civil penalties of up to $1 million.
The record set generally includes medical records, billing records, payment and claims records and case management records - anything used by providers to make medical care decisions.
Patients have already logged 277 complaints against the healthcare industry for alleged information blocking based on the narrower set of patient data the Cures Act already requires providers to share. That information includes vital signs, patient demographic information, immunizations records, allergies and medications.
Signatories to the letter "are not just trying to kick the can - they really want to get this right on behalf of their patients," said Chelsea Arnone, CHIME director of federal affairs, in a statement for Information Security Media Group.
Besides extending the information-sharing compliance deadline for one year, CHIME and the other groups also ask that HHS give healthcare entities a chance to come into compliance before a formal investigation potentially resulting in penalties begins.
More Guidance Needed?
What's missing, the lobbying associations say, is a clear definition of what data is covered by the expanded definition of "electronic health information" and better guidance on how to apply the exceptions. Those exceptions extend to privacy and security (see: Information Blocking Rule: Understanding the Exceptions).
"Significant knowledge gaps and confusion still exist within the provider and vendor communities with respect to implementation and enforcement of information blocking regulations," the letter states.
The HHS spokesman told ISMG the exemptions aren't meant to be prescriptive. The information blocking security exception "is intended to cover all legitimate security practices by actors but does not prescribe a maximum level of security or dictate a one-size-fits-all approach."
But in any case, it's premature for the healthcare industry to be particularly worried about information blocking fines, said regulatory attorney Helen Oscislawski of law firm Attorneys at Oscislawski LLC.
"With regard to health information exchanges, health information networks and vendors of certified health IT, there is currently only a proposed rule from HHS' Office of Inspector General published April 24, 2020," she said.
During the rule-making process, Oscislawski added, the Office of the National Coordinator for Health Information Technology "specifically said actors would not be subject to penalties" until the rules concerning civil monetary penalties are final.
"Until then, ONC also stated during its rule-making that 'discretion' will be exercised such that conduct that occurs before the CMP rule comes out will not be subject to the information blocking CMPs," she said.
Healthcare providers, on the other hand, are not subject to civil monetary penalties, she says. Instead, they are will be subject to “appropriate disincentives” for engaging in information blocking, she says.
"To date, there has not been a proposed rule released for enforcement against healthcare providers engaged in information blocking," she says.