- Health IT vendors that do not meet key data-sharing standards by Jan. 1, 2018 will face tough penalties under the newest 21st Century Cures Act draft.
- Following passage, HHS would receive $10 million to hire a "charter organization" to assess the state of interoperability in the industry. The results would be published in a public report in July 2016. The agency would post a follow-up report on Dec. 31, 2017 announcing whether vendors' software complied with certification requirements. Vendors would then be required to attest in January 2018 or face decertification.
- Vendors would have to satisfy HHS' demand for "everyday" data exchange, with interoperability requirements including a lack of barriers to data sharing, transparent pricing information on data transmission and APIs.
So far, industry reactions have been guardedly positive: "[I am] still reviewing the details, but [am] pleased by the focus on information blocking and the teeth given those provisions," Dan Haley, vice president of government and regulatory affairs at athenahealth, told Modern Healthcare; Jeff Smith, senior policy advisor at the College of Healthcare Information Management Executives, said he thought the bill was "improved."
There has been some criticism surrounding the decertification penalty. Critics suggest this punishes the providers who purchased offending vendors' software—they would need to either accept the Medicare penalty or go through the expense of changing EHRs. There is a hardship exemption built into the bill (one to five years at the agency's discretion), but the indication here is that providers will have to accept a certain level of responsibility for selecting an interoperable EHR. Caveat emptor.
Some other notable changes: The draft states that patients "have the right to the entirety of the health information contained in the electronic health record"—something that is arguably already true, if you have the money and the time to acquire it. The bill also explicitly states that with the exception of mental health records, providers don't need patient consent to share data for their care.