The Office of the National Coordinator for Health IT has had a busy year supporting public health agencies during the COVID-19 response, working to improve health equity, improving electronic health record standards adoption and continuing to hammer away at information blocking regulations, as complaints against providers and health IT vendors roll in.
The ball on information blocking enforcement is already rolling, as the ONC receives hundreds of complaints, mostly from patients, accusing actors of blocking the free flow of health data. But the HHS has yet to finalize long-awaited penalties against providers and vendors found guilty of information blocking, which are some of the final hurdles in implementing the information blocking tenets of the 21st Century Cures Act, passed in 2016 to try to improve the free flow of health data in the U.S.
In an interview, ONC head Micky Tripathi shared his thoughts on information blocking complaints, provider worries about compliance and what’s holding up the HHS in delineating punishments for actors found obstructing data — a major gap in the enforcement of the rules.
Info blocking complaints accelerate, but future volume uncertain
In the 11 months from April 2021 through February, the ONC received about 300 complaints of information blocking. In the eight months from March through October, the ONC received another 240, representing a slight acceleration. But the ONC isn’t sure what volume or pace to expect moving forward, given that its still the early days of the interoperability complaints, Tripathi said.
It’s “uncharted territory” without a clear frame of reference, according to the ONC head. For example, the 540 complaints received are “a drop in the bucket” compared to HIPAA complaints, which can number in the tens of thousands per year.
“What’s more surprising to me is actually the composition of the complaints that we’ve gotten so far,” Tripathi said.
Claims against providers continue to make up a clear majority, continuing the trend first seen in March. The large majority of complaints are still filed by patients and patient advocates.
That’s surprising given information blocking is “still kind of an esoteric concept,” Tripathi said. It’s harder for people to be aware of the reporting process, while vendors pay strict attention given they can be held liable for high fines if they’re in violation. Tripathi said that as awareness grows and enforcement kicks in, that could raise the visibility of the information blocking regulations and cause the number of complaints to increase.
“It’s surprising to me that it’s percolated down to the patients,” Tripathi said. “But we’ll see. Again, it’s very early. We could see other types of complaints against other types of actors build over time.”
Enforcement complexity delaying HHS
After the ONC receives complaints, the agency does an initial, high-level screen to determine whether the complaint could plausibly be an information blocking violation by a covered actor. If the answer is yes, the ONC passes the complaint along to the HHS Office of the Inspector General for investigation.
The OIG has the statutory authority to issue up to $1 million in civil monetary penalties against health IT vendors found guilty of information blocking. However, regulators have yet to finalize a rule proposed in 2020 outlining how their investigations will be performed and the size of any penalties.
That could result in a backlog of information blocking complaints, since OIG has yet to start investigating — and can’t until the regulation is finalized.
“In general, until you have your final rule out, you don’t really do the things that you’re spelling out in the rule,” Tripathi said. “We’re hoping for this calendar year, but I can’t speak for them.”
In addition, the HHS has yet to define penalties for providers found blocking the free flow of information. Tripathi declined to lay out a timeline on when industry can expect a rule, but said “we’re working really, really hard.”
Regulators have run up against a slew of difficulties in crafting a rule. The 21st Century Cures Act separated penalties for providers from penalties for other actors, and left it up to the secretary of the HHS to determine “appropriate disincentives” without defining the disincentives —or giving the HHS any additional authority to enact them.
There’s not a lot of clarity there for regulators, Tripathi said.
As a result, the HHS has had to identify agencies and programs where existing authority could be used as an appropriate disincentive. That could be the CMS, or any other agency with funding programs. And, regulators have had to do this while navigating a federal bureaucracy that tends to be fairly conservative in interpreting what the statute allows it to do.
“It’s certainly a little bit frustrating — the complexity of it,” Tripathi said. “That’s the reason for the extended timeline here. Despite our efforts to work really hard, we were handed something that was inherently complex, that we’re having to sort our way through.”
Leniency of disincentives?
Some provider groups have lobbied the HHS for an initial warning and corrective action letter before regulators move toward a penalty phase. Tripathi stressed that the ONC is not involved with deciding how punitive the disincentives will be, and that the OIG — and whatever other agencies oversee “appropriate disincentives” — will have sole responsibility for enforcement.
The ONC head declined to comment on whether the HHS is considering a warning phase before enacting penalties. However, Tripathi said it’s likely punishments will differ based on the offense of the actor.
“The OIG does the enforcement, and then you’ve got agencies that will ultimately be the ones who are administering the appropriate disincentives through their existing programs. And so they themselves may sort of define a spectrum, let’s say, based on severity of violation, according to a set of criteria or whatever. You can imagine that would be a part of the process,” Tripathi said.
‘As well defined as it could possibly be’
The amount of electronic health information that providers and health IT vendors had to share significantly expanded in October. Initially, the information blocking rule’s definition of “electronic health information” was limited to the data elements represented in the USCDI dataset. However, as of Oct. 6, that definition expanded to include all electronic health information in a record that qualifies as protected health information under HIPAA.
The American Hospital Association and other provider groups in September asked the ONC to delay the change by a year. Providers argued they’re not ready to meet the deadline due to confusion over the regulations’ implementation and enforcement requirements, including what they say is an unclear definition of EHI and a lack of technical infrastructure to support its exchange.
Tripathi said providers’ concerns are valid, but noted it’s been six years since 21st Century Cures was passed. The ONC also gave providers an 18-month path from USCDI sharing to the requirement for full EHI data sharing, Tripathi said.
“No one’s ever going to feel ready, right?,” Tripathi said. “You say, ‘Well, if we delayed it another 12 months, everyone’s all of a sudden going to be ready. That doesn’t make any sense to me. I don’t think that’s actually the way the world works. We didn’t see any reason to delay it any further.”
The ONC leader also pointed to the eight information blocking exceptions giving actors more wiggle room to operate within the rules. For example, if an organization can’t make an emergency department note available to a patient electronically, there’s an infeasibility exception that would cover that.
And regulators were careful to define EHI in a construct that providers should already understand, Tripathi said. The EHI that providers are now required to make available is essentially the electronic portion of the HIPAA-designated record set that providers have been handling for decades.
”I would say that it’s actually as well defined as it could possibly be,” Tripathi said. “I appreciate there might be some things that are like, is that? or isn’t it? But it goes back to HIPAA. And you were supposed to do this 20 years ago. Just build on the thing that you’re already supposed to do.”