The Cures NPRM added a new section to regulations that covers not just certified EHR technology, but the behaviors of organizations in possession of patient data with regard to information exchange, which I covered earlier this week in my #NoBlocking tweet stream.
The rule itself is a difficult read, the preface, I hope is a lot easier to comprehend. Remember, I read the regulation text first, I haven't gotten to the preface yet. It gives me an opportunity to get my own impression of the regulations without achoring myself on ONC's justifications for why they did what they did. I'll be coming back to these again after going through the front matter.
Generally, as I understand this section, ONC is seeking to ensure that all parties who want to use APIs to enable access to patient data (with the patient's authorization) are treated fairly and equally, and that bars to competition are not raised on the basis of access to patient data.
By all parties, ONC applies this section (45 CFR 171) to health care providers, health IT developers of certified products (including API developers and technology suppliers), health information exchanges and networks. So, if you are a user, developer, reseller, or other third party that essentially deals with deploying, maintaining, using, updating, or otherwise providing access to software certified to use APIs to facilitate the exchange of patient data, this applies to you.
The whole point of this rule authorized under the Cures Act is to prevent ANYONE from interfering with, preventing or discouraging exchange of health data. ONC makes it clear, ignorance of the requirements aren't an excuse (knows or SHOULD KNOW is the specific wording). Now, it's pretty clear that ONC understands that there are reasons to prevent access to data, either permanently or temporarily, and that some essential industry behaviors will be seen by some as "information blocking". The very fact that organizations are making money from healthcare is anathema to some, and so ONC is working hard to try to figure out how to explain the behaviors that aren't considered to be information blocking by listing out the various practices that are allowed. This is a difficult task for an organization that doesn't engage in business, and I suspect that this part of the Cures NPRM will be the most commented on.
There are a list of things that organizations are permitted, anything not explicitly permitted is at the very least behavior that could be questioned with regard to "information blocking", and this is a case where ONC is the referee who gets to make the decision.
- Preventing harm
- Promoting privacy and security
- Recovering reasonable costs incurred,
- Avoiding infeasibility,
- Allowing for reasonable and non-discriminatory licensing fees
- Maintenance and updates.
Arian Malec presents an excellent sound track and interesting commentary on items 3 and 5 above and a great follow up on contractual requirements that highlight some of the most difficult parts of 45 CFR 171.
Many of exceptions are pretty straightforward to understand. The first of these falls clearly within the pervue of providers under "do no harm", and is also aligned with HIPAA. HIPAA and the no blocking rule rule are also aligned on promoting privacy and security (my #2 above). And lastly, allowing information providers to take information offline temporarily for maintenance and updates is something we all expect and should allow.
Sections 3-5 have to address API providers, but also those who might need to respond to a request for health information. I think this section is having a little bit of an identity crisis simply because it has to cover so much territory. I think ONC needs to divest some parts of this section which are already covered under HIPAA (perhaps even by referencing that regulation). This could help greatly, and in fact make it easier to maintain this section of the regulation.
Avoiding infeasibility addresses a host of issues and concerns. Many API providers today for example, place limits on the amount of information that can be accessed in a single request, which could be viewed as "information blocking". These are essential constraints in order to enable responsiveness in technology (returning all of the lab results for the past ten years for a single patient who has been very ill could take a VERY long time, and prevent others from accessing data depending on implementation). But this section also has to address other sorts of requests for information, which is part of it's identity crisis. In this section, ONC makes it very clear, using your access to electronic health information as a means to prevent competition or to force others into paying a fee to access it doesn't make a request for access infeasible.
So, health data is still a commodity under #NoBlocking, but no longer a strategic commodity that the "haves" can hold over the "have nots", and further more, treating it as such could be cause for a claim of "information blocking". I'm pretty sure I'm in agreement with that general principle, but I'm also sure that this portion of the rule is going to be gone over (by me and others) with an extremely fine-toothed comb.
Keith
No comments:
Post a Comment