Sweeping new rules issued this week by the Trump administration to push the industry toward interoperability have put EHR vendors and providers on a strict timeline to comply.
Though the government — and at least one major IT company — says the schedule is appropriate, some players worry the deadline to freely share health information can't easily be met. It's still up in the air whether financial penalties will be imposed if they can't.
The rules out from HHS on Monday impose myriad strictures on health IT vendors and providers. In the final information blocking rule from the Office of the National Coordinator for Health IT, providers will be required to freely share a limited set of data, called the U.S. Core Data for Interoperability, using their standardized application programming interfaces within two years. Specific compliance requirements, like information blocking and APIs, phase in within just six months.
Providers must have HL7 FHIR API and other 21st Century Cures required update criteria rolled out no later than 24 months after publication, and be able to export all electronic health information within three years.
The release timeline is "much quicker than we've asked for" on first glance, Mari Savickis, VP of public policy for the College of Healthcare Information Management Executives, told Healthcare Dive. "I think [ONC] has overshot on what the readiness factor will be."
EHR giant Cerner, however, seemed confident that the timeline is feasible.
"More time is always good, but we've all been working on this for years," Cerner SVP Dick Flanigan told Healthcare Dive in an interview. "It's not a surprise and, while we'd always like more time, there's enough time in here to do what we need to do."
Six months is more than enough for a setting-in period for EHR vendors to work through their compliance process, test their technology and integrate it into the software systems of their provider clients without fear of being called an information blocker, he said.
But not all EHR vendors are as quick to greenlight the timeline as Cerner.
A spokesperson for Verona, Wisconsin-based Epic, which lobbied fiercely against the interoperability regulations, told Healthcare Dive it was still digesting the more than 1,700 pages of rules, but planned to zero in on implementation timelines.
Allscripts VP of Government Affairs Leigh Burchell told Healthcare Dive via email there are a number of elements the EHR player would have liked to see finalized differently, the timeline among them. "The development lift is going to be substantive in what is still a fairly short period of time," she said.
The American Medical Association also said Monday it was looking closely at the EHR implementation timeline for physicians, noting it was interested in making it less aggressive and potentially divorcing it from the timeline for vendors.
But the Trump administration argued that most software developers have already built those APIs, making it relatively simple to bring them to their provider clients.
"This is a matter of life and death in many instances," CMS Administrator Seema Verma told reporters on a call Monday. "Look at what's happening with the coronavirus. Having a complete medical record at the time of service will make a difference."
Ben Moscovitch, health IT project director at Pew Charitable Trusts, told Healthcare Dive the timeline was "appropriate," noting that a slew of value-based providers, employers and major technology companies like Apple and Microsoft that could benefit from the app economy opened up by the rules have been calling for these regulations for months.
Patient advocates and lawmakers have also advocated for a quick turnaround on the rules. But heath IT companies and providers wanted these regulations delayed from the start, saying the government was moving too quickly given the number of steps to get in compliance, including developing and certifying new EHR functions, provider adoption and customization and staff training.
But the new ONC regulation puts less of an onus on developers. Software companies endorsed the final rule's addition of an eighth exception to information blocking and a more limited interoperability dataset over the next two years, which narrow the amount of health information that needs to be shared electronically in the short term.
Delay in civil monetary penalties
HHS delayed enforcement of financial penalties for actors found information blocking, providing a "further reprieve to wary stakeholders," James Cannatti, a partner at McDermott Will & Emery, told Healthcare Dive via email. However, some worry providers won't be prodded to adopt the new standards without the threat of a stick.
The four-year-old Cures act tells HHS and ONC to delineate exceptions to information blocking, taking action against any malfeasance or wrongdoers impeding the electronic flow of patient data.
The final interoperability rule lays out eight exceptions. Businesses will not be subject to civil penalties or other legal measures if their actions satisfy one or more of these exceptions, and they have six months to get into compliance. The government can impose up to $1 million in financial penalties per violation.
However, ONC and HHS' Office of the Inspector General have decided not to enforce the penalties until they go through additional notice and comment rulemaking. That means that although it's unlikely actors will risk not abiding by the information blocking provisions, they don't have any financial incentive to come into compliance.
"We're still working on the rule, working on how those will be enforced, and what the disincentives for providers will be as that was not called out explicitly in the Cures Act," ONC head Don Rucker said.
Health systems, hospitals and doctor's offices were never going to be held financially liable for information blocking in the proposed rule (though HHS is working on some sort of punitive measure for providers), but its final iteration was expected to enact the penalty for certified EHR vendors, health information networks and exchanges found blocking the free flow of health data.
That rulemaking to enact the civil monetary penalties will be "coming out very soon," Deputy National Coordinator for Health IT Steve Posnack told Healthcare Dive.
However, the decision to move forward without a clear deterrent injects significant gray area.
"In the final rule, I think they're trying to placate us and say, 'Don't worry, the CMP stuff hasn't been finalized yet,'" CHIME's Savickis said. "It's coming 'soon'? 'Soon' is not really something a board member can hang their hat on."
Despite the uncertainty, some software companies still want to come in lockstep with the rule as quickly as possible — if only to mitigate expenses and overhead down the line.
"Our clients and we are really going to work to comply with the spirit of this, with or without the financial penalties," Cerner's Flanigan said. "We understand the penalties will come as part of enforcement."