New rules giving patients free access to their health information and preventing providers and health tech vendors from improperly exchanging or withholding the data are likely coming this year despite outcry from the health industry.
Representatives from hospitals, health technology groups, and insurers have urged Congress and the Department of Health and Human Services to halt the upcoming final rule. They argue the proposed version is full of confusing definitions and exemptions, data privacy and security concerns, and pricey penalty and compliance fees.
The HHS’ Office of the National Coordinator for Health Information Technology, however, plans to finalize the rule by the end of the year, according to an ONC spokesperson. Developing smoother exchanges of health information has been a top priority for the government for many years. There will be time after the rule is out for the industry to adjust, the agency says.
The rule as proposed says four types of health entities—health-care providers, IT developers, health information exchanges, or health information networks—can’t stop or discourage the exchange or use of patients’ digital health information.
The rule comes with a price tag for private sector as high as $933 million to get the industry in compliance, according to government estimates. However, the changes are projected to provide as much as $9 billion in benefits, although the government doesn’t specify where those savings would come from.
Health IT developers, health data exchanges, and networks could also be hit with a penalty up to $1 million for each violation if HHS’s inspector general determines they tried to block patients from accessing their data.
That specific penalty doesn’t apply to hospitals and physicians, but the law says the inspector general could impose “appropriate disincentives.” The HHS hasn’t outlined what those penalties would be, but they could come in the form of costly extra compliance and reporting requirements if the providers are found to have hoarded patients’ data.
Getting Up to Speed
One answer to the health industry’s concerns, according to the ONC, is that the final rule will likely not take effect for two years, giving medical professionals time to prepare.
The two-year period could help the health technology industry and ONC find a common ground on how the requirements will be implemented, according to Kirk J. Nahra, a privacy and cybersecurity partner at WilmerHale in Washington, D.C.
“In the past, there typically has been a lot of grumbling. Then companies try reasonably hard to do what they are supposed to do, and then there is a ‘let’s work it out’ period, where people work through the bugs,” Nahra said.
“The two-year time period will create meaningful pressure, but then will also push companies to adapt to problems once that period kicks in. It’s not a great system, but we haven’t found a better one yet,” he added.
The ONC rule is intended to work in tandem with an upcoming Centers for Medicare & Medicaid Services rule, already being reviewed by the White House, that also aims to improve data sharing.
There are exceptions to the decree that health providers hand over patient data. For example, hospitals, doctors, IT developers, and other data exchange channels can refuse to share the data if it would cause physical harm or if it would violate the patient’s privacy.
Trying to prove that caveat, however, gives hospitals pause.
Thomas P. Nickels, the executive director of the American Hospital Association, said in a June 3 letter to ONC that the final rule needs to give examples of the types of evidence hospitals would be required to submit to meet the various exemptions.
“If ONC is going to put the burden of proof on regulated hospitals and health systems, it must provide numerous, detailed examples of acceptable documentation for each of the exceptions,” Nickels said. “Hospitals and health systems should not be put at risk of being labeled information blockers simply because ONC did not specify what documentation would be needed.”
America’s Health Insurance Plans, a trade group for health insurers, wants the physical harm exception to include psychological and other forms of non-physical harm.
Everyone Wants Out
Several players in the health industry say the big penalties in the rule shouldn’t apply to them. AHIP says health plans shouldn’t be considered to be part of health information networks that could receive $1 million fines, but the definitions in the proposed rule don’t make that clear.
Small and mid-sized physician practices also could be harmed, said the College of Healthcare Information Management Executives. The organization represents chief information officers at hospital systems, physician practice groups, and other providers.
CHIME is particularly concerned that enforcers will subject hospitals and physician practices to the $1 million penalty if that do any work with health information networks, it said in a May 15 letter. “We worry a punitive policy of this nature could also further diminish rural provider access and could unintentionally lead to additional hospital consolidation.”
“I think that stakeholders—particularly providers—are looking for greater regulatory guidance, so that they don’t inadvertently trigger enforcement and penalties,” Janet Marchibroda, a fellow for the Bipartisan Policy Center and senior vice president at the Bockorny Group, said.