The Department of Health and Human Services released its draft 2020-2025 Federal Health IT Strategic Plan for public comment. This article outlines the goals of the plan, as well as challenges in healthcare that ONC hopes the final Strategic Plan will mitigate.

On January 15, 2020, the Department of Health and Human Services (HHS) released its draft 2020-2025 Federal Health IT Strategic Plan (draft plan) for public comment. The draft plan, developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with more than 25 federal organizations, aims to provide a roadmap for federal agencies and serve as a catalyst for activities in the private sector. Don’t be surprised, however, that there is little implementation detail in the draft. ONC followed federal requirements for agency strategic plans set forth in White House Circular No. A-11, December 2019. Thus, the draft sets forth “what we want, why we want it and who benefits,” but does not explain the specifics of how ONC expects to get there.

In developing the draft plan, ONC looked to its “2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information“. In preparing the final version of the Strategic Plan, ONC will look to the 2019 Annual Report, which is expected to be finalized in the next several months. The recommendations of the Health Information Technology Advisory Committee (HITAC) in 2019 also informed the draft Strategic Plan. In addition, the HITAC plans to discuss the draft plan in detail at its February 19 meeting. As with all HITAC meetings, a brief opportunity for public comment will be provided. Public comments are due by March 18, and further information regarding the public comment process can be found at the end of this article. The final Strategic Plan is expected this summer.

The draft Strategic Plan sets forth four outcomes-driven goals. HHS identifies these goals within a larger context that includes the federal health information technology (IT) vision and mission, specific federal health principles, and observations about challenges and opportunities. HHS articulates the federal health IT vision as “a health system that uses information to engage individuals, lower costs, deliver high quality care, and improve individual and population health” and its mission as “improv[ing] the health and well-being of individuals and communities using technology and health information that is accessible when and where it matters most.”

The draft Strategic Plan also identifies federal health principles, which articulate specific guideposts that federal agencies will use to carry out the mission and vision. Before the government takes any action in the health space, it will evaluate that action against these six guideposts:

1. Focus on value: Promote and pursue activities that improve health and care quality, efficiency, safety, affordability, equity, effectiveness, and access.
2. Put individuals first: Embrace person-centered care that values the whole individual, including their goals, values, culture and privacy.
3. Build a culture of secure access to health information: Support secure health information access, exchange and use by individuals, caregivers, healthcare providers and other stakeholders.
4. Put research into action: Strengthen feedback loops between scientific and healthcare communities to efficiently translate evidence into clinical practice and improvement.
5. Encourage innovation and competition: Support and protect innovation and competition in health IT that result in new solutions and business models for better care and improved outcomes.
6. Be a responsible steward: Develop health IT policies through open, transparent and accountable processes; use federal resources judiciously; and, when possible, rely on the private sector.

Within this context, HHS sets forth four goals, each of which includes specific objectives and strategies. Set forth below are the goals as well as the objectives for each goal. Note that the fourth goal is meant to be crosscutting and supportive of the first three goals.

GOAL 1: Promote health and wellness

• Objective 1a: Improve individual access to health information
• Objective 1b: Advance healthy and safe practices through health IT
• Objective 1c: Integrate health and human services information (this includes a strategy to integrate social determinants of health data into electronic health records)

GOAL 2: Enhance the delivery and experience of care

• Objective 2a: Ensure safe and high-quality care through the use of health IT
• Objective 2b: Foster competition, transparency and affordability in healthcare
• Objective 2c: Reduce regulatory and administrative burden on providers
• Objective 2d: Enable efficient management of resources and a workforce confidently using health IT

GOAL 3: Build a secure, data-driven ecosystem to accelerate research and innovation

• Objective 3a: Advance individual- and population-level transfer of health data
• Objective 3b: Support research and analysis using health IT and data at the individual and population levels

GOAL 4: Connect healthcare and health data through an interoperable health IT infrastructure

• Objective 4a: Advance the development and use of health IT capabilities
• Objective 4b: Establish transparent expectations for data sharing
• Objective 4c: Enhance technology and communications infrastructure
• Objective 4d: Promote secure health information that protects patient privacy

As noted above, the Strategic Plan is not an implementation plan, and while its goals and strategies provide some level of detail, they are forward looking and do not address specific issues that the regulated community faces. Accordingly, we can look to the challenges in healthcare that ONC hopes the final Strategic Plan will mitigate in order to help develop a sense of how federal agencies might pursue these goals. The challenges identified are:

1. Increasing levels of healthcare spending
2. Poor health outcomes despite increasing healthcare spending
3. Increasing rates of mental illness and substance use disorders
4. The adverse impact of rising insurance premiums, which increase the rate of uninsured individuals who experience greater challenges in accessing and receiving care
5. Access to technology, with one quarter of Americans lacking broadband internet access at home

Similarly, the draft plan enumerates seven opportunities in a digital health system:

1. Patient empowerment: Patient access to their healthcare data, which health IT can help to secure, is seen by the government as a key component in patient empowerment. Notably, in his introductory letter, included in the draft plan, National Coordinator for Health IT Donald W. Rucker, MD, notes that “[t]he digitization of the nation’s healthcare system has resulted in greater accessibility of health information to patients and caregivers. Yet the system’s transformation is hindered by entrenched interests looking to prohibit access to that information”. Dr. Rucker insists that “…patients’ right to control their health must include the right to access and control their information”. These sentiments of Dr. Rucker will very likely be reflected in the long-awaited ONC “21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Program Final Rule,” which would require developers of certified EHR technology (CEHRT) to allow patients to download health information from an advanced application programming interface (API) to a third-party application of the patient’s choice. As of this writing, the final rule remains under White House review, where it has been since October 28, 2019.
2. Movement to value-based care: ONC recognizes that data is essential to success in value-based care. Provider access to robust healthcare data allows providers to “better understand the needs of their patients, stratify their patients by risk, engage in additional patient outreach, and track improvement over time”. Health plans require “new types of data at the population level to define and measure outcomes and assure improved health for Americans.”
3. Achieving interoperability: Interoperability has long been a federal goal for improving health IT functionality. ONC proposes in the strategic plan that the use of common agreements for health information exchange can ease the path to interoperability, which suggests that ONC believes its Trusted Exchange Framework and Common Agreement (TEFCA) will play an important part of efforts to achieve interoperability over the next five years.
4. New technologies and available data: New technologies allowing for increasingly refined data analysis can create more and better uses of existing health IT infrastructure. ONC again in the proposed Strategic Plan points to its proposed requirements for advanced APIs as a potential tool for making EHR data more available for research and public health purposes through population-level queries.
5. Reducing regulatory and administrative burden: There appears to be an appreciation for the need to reduce regulatory burden arising from the current misalignment between the regulatory environment and broader policy goals associated with the use of health IT tools.
6. Privacy of health information: Addressing concerns about healthcare data privacy requires a coordinated effort across both the public and private sectors. ONC suggests that efforts to address privacy and security considerations should be “built in” to health IT solutions, and patients given more control over how their data is exchanged and used for secondary purposes.
7. Security of health information: ONC believes the need for more robust security measures will increase as interoperability and the use of health IT expands.

According to HHS, the final 2020-2025 Strategic Plan will help to prioritize agency resources, align and coordinate efforts across agencies, signal priorities to the private sector, and benchmark and assess progress over time. The draft Strategic Plan can be found here. Comments are due by March 18, 2020, and can be submitted through https://www.healthit.gov/topic/2020-2025-federal-health-it-strategic-plan. If you have questions about the draft Strategic Plan or need assistance with comments, please contact your regular McDermott Will & Emery lawyer or any of the authors of this On the Subject.

CMS issued a long-awaited proposed rule aimed at enhancing interoperability and increasing patient access to health information. If finalized, CMS’s proposed rule may require hospitals and payors to make significant investments in their health information technology to comply with the new requirements. In this On the Subject, we analyze CMS’s proposals, which include a new requirement that CMS-regulated payors and agencies offer application programming interfaces, and a new Medicare condition of participation that would require hospitals that have implemented EHRs to send electronic patient event notifications to communicate transitions of care.

On February 11, 2019, the Centers for Medicare & Medicaid Services (CMS) issued a long-awaited proposed rule aimed at enhancing interoperability and increasing patient access to health information (the Proposed Rule). CMS’s Proposed Rule would require CMS-regulated payors and agencies (Covered Plans and Agencies) to implement application programming interfaces (APIs) that allow patient information to be shared more readily between patients, health care providers and payors. The Proposed Rule would also require hospitals that have adopted electronic health records (EHRs) to engage in event reporting with community providers and others as a condition of participation (CoP) in the Medicare program. CMS hopes that these new requirements will allow patients to have greater access to their health information and improve care coordination between hospitals and other health care providers. If finalized, hospitals and payors may need to make significant investments in their health information technology to comply with the new requirements.

The public will have 60 days to submit comments following official publication of the Proposed Rule in the Federal Register, which we expect to occur in the near future.

1. Application Programming Interface

CMS proposes to require Medicare Advantage (MA) plans, Medicaid state agencies, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) agencies, CHIP Managed Care entities, and issuers of qualified health plans (QHPs) in Federally-Facilitated Exchanges (FFEs), except for stand-alone dental plans (SADPs) (i.e., Covered Plans and Agencies), to adopt and implement an “openly published” API that permits third-party software applications to retrieve—at the direction of the patient—a significant amount of clinical and payment information. CMS proposes requiring compliance by January 1, 2020 for MA plans and QHP issuers in FFEs, and by July 1, 2020 for Medicaid FFS, Medicaid managed care plans and CHIP managed care entities. The information made available through the Covered Plan or Agency’s API would consist of (1) data concerning adjudicated claims, including claims data for payment decisions that may be appealed, were appealed, or are in the process of appeal, and provider remittances and enrollee cost-sharing pertaining to such claims and (2) clinical data, including laboratory results, if the Covered Plan or Agency manages any such data. The Proposed Rule requires Covered Plans and Agencies to make claims data and laboratory results available no later than one business day after the Covered Plan or Agency receives the data.

For MA plans, the API must also allow access to a provider directory of the MA organization’s network of contracted providers, including names, addresses, phone numbers and specialties, updated no later than 30 business days after changes are made to the provider directory. For MA organizations that offer Part D plans, the API must allow the third-party application to retrieve:

• Standardized data concerning adjudicated claims for covered Part D drugs, including remittances and enrollee cost-sharing, no later than one business day after a claim is adjudicated;
• Pharmacy directory data, including the number, mix and addresses of network pharmacies; and
• Formulary data that includes covered Part D drugs and any tiered formulary structure or utilization management procedure which pertains to those drugs.

Covered Plans and Agencies also would be (upon request) required to forward patient information to new plans or other entities designated by the requesting beneficiary for up to 5 years after the beneficiary has disenrolled with the plan. The API technology must meet health information technology standards established by the Office of the National Coordinator for Health Information Technology (ONC).

While the open API initiative in the Proposed Rule specifically applies to Covered Plans and Agencies, CMS also expressed the hope that other stakeholders, such as state-operated exchanges and private payors, would adopt similar requirements for access to information and interoperability so that even more patients can broadly access their health information and better manage care.

With the exception of SADPs in FFEs, Covered Plans and Agencies would also be required to participate in trusted health information exchange networks that meet criteria for interoperability. The trusted exchange network selected by the Covered Plan or Agency must be able to: (1) exchange PHI in compliance with all applicable state and federal laws; (2) connect both inpatient EHRs and ambulatory EHRs; and (3) support secure messaging or electronic querying by and between patients, providers and payers. ONC has not yet finalized the Trusted Exchange Framework and Common Agreement (TEFCA), a set of policies and procedures for interoperable exchange to which CMS could eventually align this trusted exchange participation requirement. CMS has requested comment in the Proposed Rule on whether it should require plans and agencies to participate in trusted exchanges that meet the requirements of TEFCA once finalized by ONC.

2. Hospital Conditions of Participation

CMS further proposes to modify the CoPs for hospitals, Critical Access Hospitals (CAHs), and other hospital classifications to require these participating hospitals to send electronic patient event notifications upon a patient’s transition to another provider or care setting. CMS would require hospitals to include the patient’s basic personal information as well as his or her diagnosis (to the extent not prohibited by other applicable law) in the report.

CMS hopes that this proposal will result in hospital EHR systems having a baseline capability to generate messages that conform to common standards (e.g., Admission, Discharge or Transfer messaging) that may be received and processed by a wide range of providers. Electronic patient event notifications, or automated, electronic communications from discharging providers to another facility, could improve care coordination and potentially reduce readmissions by making a receiving provider aware of the care the patient has received elsewhere.

We note that these CoPs would create a new set of requirements related to the use of EHRs that are separate from the existing Promoting Interoperability measures. Hospitals must already spend significant resources to achieve the Promoting Interoperability measures, and the new proposed CoP requirement will likely increase hospitals’ overall compliance burden with respect to EHRs. The Proposed Rule does not establish a defined timeframe for adopting these new CoPs and instead requests comment on what would be a reasonable timeframe.

3. Information Blocking and Public Reporting

CMS also proposed to further discourage health care providers from engaging in the practice of information blocking by requiring the public display of clinicians, through an indicator on the Physician Compare website, who fail to attest as part of the CMS Promoting Interoperability program that they:

• Did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of certified EHR technology;
• Implemented technologies and practices to ensure that their certified EHR technology is connected and compliant with applicable law; and
• Responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information.

CMS requires hospitals and clinicians to make these “yes/no” attestations to participate in the Promoting Interoperability incentive program for the use of EHR technology. If a health care provider failed to attest “yes” under the proposal, not only would the provider face a potential reduction of Medicare reimbursement, but also a negative indicator on the CMS Physician Compare website – a resource available to patients who are seeking to compare participating Medicare providers. Similarly, CMS proposes that a hospital’s failure to attest “yes” would result in a negative indicator on a future CMS website that will display hospitals’ attestations under the Medicare Promoting Interoperability Program. CMS hopes that these proposed public reporting requirements, the required attestations under the Promoting Interoperability program and the guidance on what constitutes information blocking in ONC’s 21st Century Cures Proposed Rule will discourage Medicare hospitals and clinicians from engaging in information blocking. For our coverage of the information blocking provisions of ONC’s proposed rule, please read our separate On the Subject.

4. Health IT Requests for Information

CMS issued two requests for information (RFIs) related to interoperability and health IT adoption in post-acute care settings, and the role of patient matching in interoperability and improved patient care.

CMS’s incentive programs for the adoption of EHRs have never applied to post-acute care facilities. Perhaps in part due to the absence of incentives, EHR adoption by post-acute care facilities has lagged behind hospitals and clinicians reimbursed under the Medicare Physician Fee Schedule. In the Proposed Rule, CMS notes that hospitals frequently transition Medicare patients to post-acute care facilities such as a skilled nursing facility (SNF) and, based on a national survey, only 29 percent of SNFs can send or receive health information. CMS is seeking input on how it can more broadly incentivize the adoption of interoperable health IT systems and the use of interoperable data across long-term and post-acute care settings. In particular, CMS is seeking comment on whether standardized patient assessment data elements defined by CMS under the IMPACT Act would be appropriate to incorporate into national interoperable data elements—the United States Core Data for Interoperability (USCDI)—established by ONC in the 21st Century Cures proposed rule.

CMS is also seeking public comment on potential strategies to improve patient matching between health information technology systems. Consistently used patient matching strategies could potentially make it easier to combine patient information housed in multiple EHRs or exchanges. CMS is particularly interested in public comment on the security and privacy risks associated with patient matching through algorithms versus the risks inherent with use of a unique patient identifier (UPI). Currently, the creation of a government-issued UPI is prohibited by statute due to privacy concerns, but Congress has opened the door for the US Department of Health and Human Services (HHS) to coordinate private sector efforts to adopt UPIs. CMS also requested comment on whether it should leverage the newly established Medicare ID, which has replaced Social Security Numbers on Medicare ID cards, by requiring Medicaid and CHIP agencies to use the Medicare ID for dually eligible beneficiaries.

Comments are due within 60 days of the date of the Proposed Rule’s publication in the Federal Register. If you would like assistance in preparing comments, please contact one of the authors or your regular McDermott lawyer.

The 21st Century Cures Act encourages biomedical research investment and facilitates innovation review and approval processes, but also serves as a vehicle for a wide variety of other health-related measures, including provisions relating to health information technology (HIT) and related digital health initiatives. President Barack Obama has expressed support for the Cures legislation and is expected to sign the bill this month. This On the Subject summarizes the HIT and digital health tool provisions in title IV of the new legislation. Our continuing coverage of the 21st Century Cares Act addresses additional titles and provisions.

On December 7, 2016, the US Congress approved the 21st Century Cures Act (Cures legislation), which is intended to accelerate the “discovery, development and delivery” of medical therapies by encouraging public and private biomedical research investment, facilitating innovation review and approval processes, and continuing to invest and modernize the delivery of health care. The massive bill, however, also served as a vehicle for a variety of other health-related measures, including provisions relating to health information technology (HIT) and related digital health initiatives. President Barack Obama has expressed support for the Cures legislation and is expected to sign the bill this month.

This On the Subject summarizes the HIT provisions in title IV of the new legislation. Other titles and provisions will be examined through other On the Subject articles.

Overview of the Health Information Technology Provisions in the Cures Legislation

The HIT provisions of the Cures legislation in general seek to

• Reduce administrative and regulatory burdens associated with providers’ use of electronic health records (EHRs)
• Advance interoperability
• Promote standards for HIT
• Curb information blocking
• Improve patient care and access to health information in EHRs

Why These Provisions Matter

As public and private payers increasingly move from fee-for-service payments to value-based payment models, with a focus on maximizing health outcomes, population health improvement, and patient engagement, HIT—including EHRs and digital health tools—will be increasingly relied upon to collect clinical data, measure quality and cost effectiveness; assure continuity of care between patients and providers in different locations; and develop evidence-based clinical care guidelines. Further, newly implemented government programs like the Quality Payment Program will increasingly require clinicians and hospitals to use certified EHR technology (CEHRT) that meets certification guidelines specified by the Office of the National Coordinator for Health Information Technology (ONC) of the US Department of Health and Human Services (HHS). The continued evolution of these certification guidelines will also influence the development of digital health tools that are designed to interface or otherwise interact with CEHRT and assist providers to succeed under value-based payment models.

Congressman Tom Price (R-GA), a physician and a strong advocate for reducing burdens associated with the use of EHRs by providers, has been nominated to serve as HHS secretary in the administration of President-elect Donald Trump. Should Congressman Price be confirmed by the Senate, industry can likely expect HHS to use the new authority provided to it under the Cures legislation to reduce requirements of the Meaningful Use and Advancing Care Information programs, electronic clinical quality measure reporting requirements and other federal requirements relating to HIT that are perceived to make providers less efficient without improving quality or reducing costs. The new HHS secretary, however, will face competing pressures to leverage the expansion of HIT adoption and quality measure reporting to incentivize high-quality care at lower Medicare program costs.

What Is Required by These Cures Legislation Provisions

Reduction of Burdens ‒ In response to clinician and hospital concerns about the regulatory and administrative burdens associated with EHR technology

• The HHS secretary is required within one year of enactment to develop with public comment from providers, suppliers, payers, technology developers and others a strategy and recommendations to reduce regulatory or administrative burdens related to the use of EHRs; this strategy must prioritize the Medicare and Medicaid EHR Incentive Programs, HIT certification, the Merit-based Incentive Payment System, the Hospital Value-Based Purchasing Program, Alternative Payment Models, and other value-based payment programs that the HHS secretary determines are appropriate;
• Physicians may delegate EHR documentation requirements to unlicensed assistants, or “scribes” (to the extent permitted by state law), provided the physician signs and verifies the documentation;
• The HHS secretary must encourage, keep or recognize voluntary certification of HIT for use in sites of services and medical specialties for which no certified technology is currently available, with the goal of making EHR certification more relevant and useful for those who use such EHRs.
• The HHS secretary must report to the new HIT Advisory Committee statistics on attestation of Meaningful Use under the Medicare and Medicaid EHR Incentive Programs to assist in informing standards adoption and related practices. The statistics must include, to the extent practicable, the number of providers who did not meet the minimum criteria necessary to attest, and must be made publically available on the HHS website;
• Authorizes $15 million to award grants, contracts or agreements to independent entities on a competitive basis to develop a required CEHRT reporting system to address provider concerns that CEHRT technology does not always work as intended. As a condition of certification and attestation, CEHRT would be required to report measures developed by the independent entity on attributes that include
  • Security
  • User-centered design
  • Interoperability
  • Testing in real-world conditions

This provision aims to create an unbiased reporting system on EHR product usability, interoperability and security to assist providers in choosing product. This reporting system replaces a proposed “Star Rating” plan for EHR technology found in an earlier version of the legislation.

Advancement of Interoperability ‒ In response to lawmakers’ and stakeholders’ concerns that while the Health Information Technology for Economic and Clinical Health Act (HITECH) increased the adoption by clinicians and hospitals of electronic health records, it did not sufficiently move the national needle on interoperability, the Cures legislation seeks to advance interoperability through

• Creating a definition for “interoperability” as HIT that
  • Enables the secure exchange of electronic health information with, and use of electronic health information from, other HIT without special effort on the part of the user
  • Allows for complete access, exchange and use of all electronically accessible health information for authorized use under applicable state or federal law
  • Does not constitute information blocking as defined in the Cures legislation
• Replacing the HIT Policy and Standards Committees with a new HIT Advisory Committee. This new committee will consist of at least 25 members, eight of whom shall be appointed by Congress, three appointed by the HHS secretary and the remainder appointed by the comptroller general of the US Government Accountability Office (GAO). Specific health sectors must be represented on the committee. This new federal advisory committee will address, in general, issues related to interoperability and privacy and security of health information and will also engage stakeholders to identify priorities for standards adoption. The Cures legislation provides additional direction on priority target areas on which the committee shall make recommendations. These directives are highly similar to those provided to the predecessor HIT Policy and Standards Committee in HITECH. This reiteration of areas for consideration likely signals that lawmakers believe that many of the objectives set forth in HITECH have not yet been fully achieved.One new priority area is patient matching, which relates to the unfulfilled directive to further interoperability between EHR systems. Specifically, the Cures legislation requires the new HIT Advisory Committee to make recommendations for “technology that provides accurate patient information for the correct patient, including exchanging such information, and avoids the duplication of patient records.” This directive and the call for a GAO study on patient matching indicates that policy makers recognize the importance of accurately identifying patients for electronic exchange of health information among providers in different organization and locations as well as for patient safety.

• Tasking ONC to create a process by which the public could submit complaints that HIT products or developers are not interoperable or engage in information blocking.
• Directing ONC to, within six months of enactment, convene stakeholders to develop or support (within 12 months of convening) a trusted exchange framework for trust policies and practices and for a common agreement for exchange between health information networks. ONC and the National Institute of Standards and Technology are to provide technical assistance on developing this trusted exchange framework and common agreement. A process will be established through rulemaking by which health information networks may voluntarily adopt the framework and common agreement. Federal agencies may by contracting or entering into agreements with health information exchange networks that require such networks to adopt the trusted exchange framework and common agreement.

Promotion of Standards – Lawmakers have increasingly recognized that stronger leadership is needed to ensure the consistent implementation and use of common standards. Accordingly, the Cures legislation requires the ONC to, not later than six months after the date on which the HIT Advisory Committee first meets, convene the HIT Advisory Committee to

• Enhance the use of common standards with deference given to standards published by private standards development organizations and voluntary consensus-based standards bodies.
• Identify priority use cases for HIT, focusing on use cases relating to
  • The implementation of Medicare’s EHR Incentive Program, the Merit-based Incentive Payment System, Alternative Payment Models, the Hospital Value-Based Purchasing Program and any other value-based payment program determined appropriate by the HHS secretary
  • Quality of patient care
  • Public health
  • Clinical research
  • Privacy and security of electronic health information
  • Innovation in the field of HIT
  • Patient safety
  • Usability of health information technology
  • Individuals’ access to electronic health information
• Identify existing standards and implementation specifications that support such use cases.
• Publish a report summarizing the findings of the analysis and make appropriate recommendations.
• Evaluate the need for a core set of common data elements and associate value sets to enhance the ability of CEHRT to capture, use and exchange structured electronic health information.

Starting five years after the enactment of the Cures legislation, and every three years thereafter, the ONC must convene stakeholders to review the existing set of adopted standards and implementation specifications and make recommendations for maintaining or phasing out such standards and implementation specifications.

Combating Information Blocking ‒ The Cures legislation builds on the April 2015 ONC Report to Congress on Health Information Blocking and the voluntary ONC interoperability pledges signed earlier this year by companies that provide at least 90 percent of EHRs used by hospitals, and takes even stronger steps to combat information blocking by

• Defining “information blocking” as a practice, except as required by law or allowed by the HHS secretary pursuant to rulemaking, that
  • Is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information
  • If conducted by an HIT developer, exchange or network, such entity knows or should know that such practice is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information
  • If conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information
• Establishing that information blocking practices may include
  • Practices that restrict authorized access, exchange or use of such information for treatment and other permitted purposes under such applicable law, including transitions between certified HIT systems
  • Implementing HIT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using electronic health information
  • Implementing HIT in ways that are likely to
    • Restrict access, exchange or use of electronic health information with respect to exporting complete information sets or in transitioning between HIT systems
    • Lead to fraud, waste or abuse, or impede innovations and advancements in health information access, exchange and use, including care delivery enabled by HIT
• Establishing new civil monetary penalties of up to $1 million per information blocking violation, including false attestations, that would be applicable to HIT developers, health information exchanges and networks. In contrast, provider penalties will be determined through notice and comment rulemaking. Importantly, for enforcement purposes, information blocking does not include any practice or conduct occurring prior to the date that is 30 days after enactment

Improving Patient Care and Improving Patient Access to Their Health Information in EHRs

• Requires the GAO to conduct two studies
  • A study on patient matching within two years of enactment. In calling for this study, lawmakers recognize that, with the increasing use of EHRs and the push toward interoperability, identifying accurately a single individual represented in multiple databases of different provider, payer and clearinghouse organizations is increasingly important for facilitating health information exchange and ensuring patient safety
  • A study on patient access to their own health information, including barriers to patient access
• Enables developers of HIT to participate in discussions with patient safety organizations without fear of liability risk in order to help improve the safety of HIT products for patients. Within four years after the date of enactment, the HHS secretary must submit to Congress a report concerning the best practices and current trends voluntarily provided, without identifying individual providers or developers
• Requires CEHRT to be capable of transmitting data to, and receiving data from clinician-led clinical data registries

Action Steps for Providers and Developers of HIT and Digital Tools

Providers and Developers of HIT and Digital Tools Should

• Review the definition of information blocking and take measures necessary to avoid engaging in practices that may constitute information blocking as defined in the new statute.
• Review applicable state laws that permit physician delegation to scribes to determine if the new federal flexibility applies.
• Assess potential interest in seeking representation on the new HIT Advisory Committee, either directly or through an association or other group (note that it is unclear how quickly after enactment ONC will form the HIT Advisory Committee, as a timeline for the transition from the HIT Policy Committee and the HIT Standards Committee to the new HIT Advisory Committee is not specified).
• Assess their implementation of HIT standards to determine the extent to which different standards and inconsistent implementation of the same standards may be prevalent.
• Be aware that changes to existing government requirements relating to EHRs are likely forthcoming.

Providers Should

• Assess their unique regulatory environment to provide input on the forthcoming HHS efforts to reduce regulatory burdens.
• Determine whether their sites of service or specialties would benefit from CEHRT certified to meet their sites’ or specialties’ unique needs.

Developers of HIT and Digital Tools Should

• Consider participating in stakeholder outreach efforts to advise ONC on
  • The establishment of a trusted exchange framework and common agreement
  • Criteria and measures for the new CEHRT reporting system
  • The HIT Advisory Committee’s review of the existing set of adopted standards and implementation specifications every three years
• Adapt HIT development and testing strategies based on the criteria and measures established by the independent entity selected by ONC.
• Consider opportunities to partner with clinician-led organizations or professional societies to develop clinician-led clinical data registries.
• Keep abreast of new HIT requirements to inform the development of digital tools.
• Evaluate how best to work with patient safety organizations to promote shared learning to improve HIT safety now that privilege and confidentiality protection has been extended to HIT developers.

On October 16, 2015, the Centers for Medicare and Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) of the U.S. Department of Health and Human Services published the Meaningful Use Stage 3 final rule (MU Final Rule) and the 2015 Edition Health Information Technology Certification Criteria (2015 Edition Certification Criteria) final rule (2015 Certification Final Rule) in the Federal Register. Together, the final rules (Stage 3 Final Rules) incentivize eligible acute care hospitals (EHs), critical access hospitals (CAHs), and physicians and other professionals (EPs) eligible for the Medicare and Medicaid electronic health record (EHR) incentive programs to engage patients in the management of their care outside traditional clinical settings and encourage technology vendors to develop mobile health and wellness applications and other software to support such efforts.

Background

The Meaningful Use Stage 2 Core Measure for Patient Electronic Access required EHs, CAHs and EPs (collectively, Eligible Providers) to encourage patients to view, download and transmit their health information through online “patient portals” in order to achieve meaningful use and earn EHR incentive payments or avoid Medicare reimbursement penalties. Once logged into a patient portal, a patient could view their health information, download it in electronic form or transmit it to third party. Signing onto a patient portal for the first time, however, often required a patient to take multiple steps outside of the provider’s office or facility. Additionally, since most EHR systems have their own portal, patients typically need to access multiple portals to interact with health information from each of their health care providers and lack a composite, patient-centric view of their health information. These issues reduced the user-friendliness of the portals and frustrated patient engagement goals of providers and the Medicare and Medicaid EHR incentive programs.

Introduction of APIs

To address the frustrations with patient portal technology and spur patient engagement efforts, the 2015 Certification Final Rule requires certified EHR technology (CEHRT) to include an application programming interface (API), and two of Stage 3 Meaningful Use measures under the MU Final Rule require Eligible Providers to make EHR data available through an API which a patient may access through a properly configured online or mobile application of their choice.

An API is a similar concept to a power outlet. By creating a common set of electric principles, a common type of outlet and plugs, any number of different electronic devices can use a power outlet to “plug in” to the power grid and receive the electricity needed to power the device. Like the power outlet, an API consists of a common set of programming principles that allows websites and mobile applications to “plug in” and receive computable information. By requiring EHR vendors to create APIs, CMS and ONC’s goal is that any number of websites and mobile applications could “plug in” to the EHR at a patient’s request, receive health information from the EHR and provide a service to the patient. According to CMS, APIs will allow a patient to collect health information from multiple providers so that they can potentially incorporate their health information into a single portal, application, program or other software.

The 2015 Edition Certification Criteria establish the requirements for CEHRT (2015 CEHRT) that Eligible Providers seeking to achieve Meaningful Use Stage 3 in 2018 will need to adopt. To be included in 2015 CEHRT, an API would need to meet three different functional requirements. First, the API will need to be able to query for identification or other token of a patient’s record to execute data requests for that record. Second, the API will need to support requests and responses for EHR data by data category. Third, the EHR’s API will need to support requests and responses for all EHR data. The API will also need to meet ONC’s privacy and security certification framework by demonstrating the capability to establish a trusted connection with the application requesting patient data, authorize the user to request data and log all interactions with the data source.

Notably, ONC elected to not create specific standards requirements for the API, with the goal of allowing EHR vendors to meet the above functional requirements in innovative ways. Without common technical standards for the API, however, EHR vendors may adopt varying programming principles for their APIs. This may make it difficult for developers to build applications that can interact with multiple EHRs’ APIs and frustrate efforts to promote the exchange of health information among providers that use different EHR systems.

ONC indicated that it may use future rulemaking to establish required standards for APIs. In light of the bipartisan disappointment about barriers to interoperability among EHR systems, we expect ONC to re-visit its decision to not establish standards.

Stage 3 Meaningful Use Objectives Focused on Patient Engagement

The Meaningful Use Stage 3 measures for the “Patient Electronic Access” and “Coordination of Care through Patient Engagement” Meaningful Use objectives establish the key patient engagement steps that Eligible Providers must take in order to achieve Stage 3 Meaningful Use beginning in 2018 (or at their option beginning in 2017).

Stage 3 Patient Electronic Access MU Objective

To achieve the Patient Electronic Access objective, EPs must meet the following two measures:

• For more than 80 percent of all unique patients seen by the EP—
  • The patient (or the patient’s authorized representative) is provided timely (i.e., within 48 hours of a patient visit) access to view online, download and transmit the patient’s health information; and
  • The provider ensures the patient’s health information is available for the patient (or patient-authorized representative) to access using any application of their choice that is configured to meet the technical specifications of the API in the provider’s CEHRT.
• The EP must use clinically relevant information from CEHRT to identify patient-specific educational resources and provide electronic access to those materials to more than 35 percent of unique patients seen by the EP during the EHR reporting period.

EHs and CAHs must provide the same capability as summarized above for EPs to at least 80 percent of their patients within 36 hours of a patient’s discharge (rather than within 48 hours of a patient visit). In the proposed Meaningful Use Stage 3 rule, CMS would have allowed Eligible Providers to either offer view, download and transmission capabilities through a patient portal or offer an API instead. In the MU Final Rule, however, CMS requires Eligible Providers to offer both patient portal and API functionalities to 80 percent of their patients to meet this measure.

Stage 3 Coordination of Care through Patient Engagement Objective

To achieve the Coordination of Care through Patient Engagement objective beginning in calendar year 2018, Eligible Providers must encourage patient engagement in all three of the following ways, but only achieve the percentage thresholds in two of the three:

• At least 10 percent of unique patients seen during the calendar year (or other applicable EHR reporting period) must engage with the Eligible Provider’s CEHRT by
  • Viewing, downloading, or transmitting their health information through a patient portal
  • Accessing their health information through the use of an API that can be used by applications chosen by the patient and configured to the API in the provider’s CEHRT, or
  • A combination of the portal and API. The 10 percent threshold represents a marked reduction from the 25 percent threshold proposed by CMS in the Meaningful Use Stage 3 proposed rule, but still doubles Meaningful Use Stage 2’s current five percent threshold;
• The Eligible Provider sends a secure message to patients or responds to secure messages sent from patients or their representatives for more than 25 percent of all unique patients seen during the applicable EHR reporting period; or
• The Eligible Provider incorporates patient-generated health data or data form a non-clinical setting into the CEHRT from more than five percent of all unique patients seen during the applicable EHR reporting period. CMS intends the sources of this non-clinical data to include mobile applications for tracking health and nutrition, home health devices and wearable devices, such as activity trackers or health monitors. While these non-clinical applications have proliferated rapidly in the past several years, health care providers are only beginning to interact with the data created by these applications. CMS’ goal in creating this new measure is to incentivize the sharing of this information to improve care coordination and overall patient wellness outside of the care setting.

Joining of Provider-Generated Health Data and Patient-Generated Health Information

CMS’ and ONC’s decision to encourage the development of APIs and interaction between EHRs and third-party web and mobile applications reflects a shift in the EHR incentive programs. Previously, EHRs represented a separate informational ecosystem dis-connected from consumer technology used in non-clinical settings. While patients could view their health information from the EHR through the patient portal, the “download” and “transmit” functionalities were focused mainly on the transmission of the information to another health care provider or EHR system. The expected proliferation of APIs has the potential to facilitate the gathering of data from multiple EHR systems and consumer fitness, nutrition and wellness applications into a patient-centric personal health and wellness record, and could also further fuel the explosion of “big data” analytic tools for care improvement and personalized medicine both at the bedside and in the connected, outside world. For technology developers, it may create opportunities to create new innovative patient engagement solutions that leverage a rapidly expanding treasure trove of health data and other personal information.

Implications for Value-Based Payment Initiatives

These innovative patient engagement solutions can also help providers participating in new governmental and commercial payers’ value-based payment arrangements that require providers to share risk for patient outcomes and incentivize quality improvement and cost reduction. The successful use of patient engagement technology to collect health and wellness data from patients, aggregate the data into sophisticated data warehouses, and analyze the data with cognitive computing and analytic tools will help providers to identify the need for care (or lack thereof) between patient visits and calibrate the quantity of care to patient need.

The Stage 3 Final Rules are subject to a 60-day comment period, which was added to account for the passage of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) after CMS had already issued a proposed rule for Meaningful Use Stage 3. MACRA will sunset the Medicare EHR Incentive Program for EPs in 2019 in favor of mandatory participation in certain alternative payment models (such as accountable care organizations) or the new Merit-Based Incentive Payment System (MIPS) that emphasize value-based payment rather than fee-for-service. While MACRA included the adoption and use of CEHRT as required criteria for evaluating EPs’ participation in alternative payment models and MIPS, CMS will need to engage in additional rulemaking to clarify whether and how the Stage 3 Meaningful Use requirements will apply when MACRA becomes effective for EPs. Interested parties may submit comments to CMS prior to December 15, 2015.