March 2017

The 21st Century Cures Act — Can It Cure HIT's Biggest Woes?
By Sarah Elkins
For The Record
Vol. 29 No. 3 P. 18

On December 13, 2016, after nearly two years of congressional work, then President Obama signed the 21st Century Cures Act into law. The act, which garnered overwhelming bipartisan support, is touted by many as the most important piece of legislation to come out of Congress in 2016. Indeed, it seems nearly everyone is happy with its passage.

In large part, the 21st Century Cures legislation is celebrated for its inclusion of the "Cancer Moonshot," led by former Vice President Joe Biden, which will allocate funding to accelerate cancer research and make therapies more readily available. Additionally, the legislation provides funding to battle the country's devastating opioid addiction epidemic and mental health research and treatment. The bill was not without its critics; a handful of senators opposed provisions that expedite the drug approval process, ostensibly lining the pockets of drug companies. Nevertheless, the 21st Century Cures Act was passed by an easy margin.

HIT Provisions
It is worth noting that not all of the "cures" sought by this sweeping legislation involve human ailments. Some arguably less publicized sections of the law seek to address serious HIT pain points. Calling for increased transparency, interoperability, and improved certification of HIT, the new law gives teeth to issues industry leaders have been pushing for years. In particular, hefty civil penalties for information blocking and the threat of EHR decertification have HIT developers and users standing at attention.

Sheri Stoltenberg, CEO of Stoltenberg Consulting, an HIT consulting firm, lauds the act for "paving the way for better standardization with a call for health care information exchange infrastructure." As a solid reminder that the Cures legislation is as much about technology as it is about safe and effective patient care, Stoltenberg views its passage as part of a "continued push for value-based care."

Stakeholders are optimistic about the establishment of a working group to develop clarification on disclosure of protected health information (PHI) for research. And after a year of increased industry attention on accurate patient identification and data integrity, the Cures Act calls for a Government Accountability Office (GAO) report on patient matching policies at the Office of the National Coordinator for Health Information Technology (ONC).

Russell Branzell, FCHIME, CHCIO, president and CEO of the College of Health Information Management Executives (CHIME), said in a statement published just prior to the act's passing, "The health IT provisions in the 21st Century Cures Act reflect the importance of being able to safely and securely share patient information across the care continuum and the vital role technology plays in improving patient outcomes and reducing health care spending. We stand ready to work with the administration to deliver on the promises of this important legislation."

In short, the HIT provisions set forth by the new 21st Century Cures Act will reverberate throughout the industry for some time. Experts agree it's too early to tell what the impact will be; it may be another two years before outcomes are clear.

Information Blocking
The provision that may have the most immediate effect on HIT developers, exchanges, or networks addresses information blocking. According to the law, technologies or entities discovered to knowingly "interfere with, prevent, or materially discourage access, exchange, or use of electronic health information" will be subject to fines up to $1 million per violation.

This decisive stance against information blocking is an answer to the ONC's 2015 Report to Congress on Health Information Blocking. The report outlines a standard definition of information blocking, provides anecdotal evidence of industry interference in the exchange of health information, and proposes solutions. One of the report's major complaints was as follows: "Even in egregious cases, most information blocking does not violate any current provision of law." Congress' short answer: not anymore.

David Kibbe, MD, CEO and president of DirectTrust, a collaborative nonprofit association of HIT and provider organizations that works to establish interoperability and secure exchange of health information, is optimistic. From what he has seen in the industry, IT developers are not as Machiavellian as the new regulations might lead one to believe.

According to Kibbe, many instances of information blocking weren't intentional obstruction. Rather, he argues, "Information blocking has been an unintended consequence of the way meaningful use incentives were designed. In most cases it was a technological problem and has been largely resolved."

Kibbe is referring to the stage 2 meaningful use requirement that a percentage of discharges and referrals must be sent electronically. In an effort to check off that requirement, vendors made sure messages could be sent electronically. The trouble occurred when the receiving of messages was not equally incentivized. Messages were being sent, but they were not necessarily being received on the other end. Therein existed the information blockage.

Kibbe isn't too worried. "I tend to be forgiving," he says. "Think of how long it took to integrate ePrescribing—over five years. We're only one to two years in. I think these problems are being worked out in the marketplace. I doubt we'll be seeing many million dollar fines."

While it's not clear how the ONC will enforce this new crackdown on information blocking, it is at least, according to Kibbe, "a clear message that information blocking—or information channeling—is going to be scrutinized at a new level."

EHR Transparency and Certification
Since 2011, the Centers for Medicare & Medicaid Services and the ONC have enforced standard certification criteria for EHRs, but the certification process has had no shortage of critics. The new law is designed to create greater transparency in the certification process by establishing the EHR Reporting Program, requiring HIT developers to attest to their product's security, user-centered design, interoperability, and real-world functionality. Additionally, the ONC is charged with creating a portal by which the public can compare EHRs based on price. The deadline to launch the portal is January 1, 2019.

As a result, beginning January 1, 2019, EHRs that have not met interoperability requirements will be decertified. Reminiscent of Health and Human Services' (HHS) famed Wall of Shame, which publicizes PHI breaches affecting 500 or more individuals, the identities of decertified EHRs will be publicized. Health care providers that discover their EHR has been decertified will receive a one-year hardship exemption from meaningful use penalties.

The Cures legislation extends EHR certification to other groups in an effort to fill unintended gaps. "The issue is that certain specialties and groups were not involved in meaningful use," Kibbe explains. "A perfect example is pediatrics. There are no Medicare patients in pediatrics, therefore there is no incentive for EHR vendors specializing in pediatrics to comply with any of the meaningful use requirements. The Cures Act remedies that."

Specifically, the act states, "[The] ONC also would be required to encourage the certification of HIT for use in medical specialties and sites of service, and to adopt certification criteria for HIT used by pediatricians." The phrase "required to encourage" leaves room for interpretation.

Interoperability and Patient Matching
If there is an overarching theme to the HIT provisions of the 21st Century Cures Act, interoperability is probably the leading candidate. The insistence upon easy exchange of health information, the push for transparency in EHR development, and increased scrutiny of EHR certification all point, at some level, to interoperability. Hundreds of technology developers are vying for a seat at the health care table, but without clear interoperability standards the industry has discovered it's succeeded only in building the Tower of Babel.

With Cures now calling for development of interoperability standards, the Health IT Advisory Committee is charged with implementing specifications focused on three primary areas: the provision of accurate patient information, the protection of privacy and security of health information, and the facilitation of an individual's secure access to his or her health information. The work of the advisory committee will undoubtedly inform the EHR Reporting Program and, as with much of the act, the next two years will tell the story.

The act drills down on the commitment to provide accurate patient information in a provision dedicated solely to patient matching. The law requires a GAO report to "review policies and activities at ONC and other relevant stakeholders to ensure appropriate patient matching to protect patient privacy."

It's not surprising that Congress would take up the patient matching issue since data integrity and the debate around the need for a national patient identifier reached a low roar throughout 2016.

In January 2016, CHIME announced a global competition challenging innovators to design a workable patient identification system. The winner, to be announced soon, will collect $1 million for their efforts. In early 2016, AHIMA launched a petition to remove the nearly 20-year federal budget ban preventing HHS from developing unique patient identifiers. At the same time, industry leader Beth Haenke Just, MBA, RHIA, FAHIMA, CEO and president of Just Associates, which provides patient data integrity solutions, published new data suggesting patient data errors were even more expensive than previously believed.

While the act falls short of mentioning unique patient identifiers as a topic of investigation for the GAO, it seems Congress is allowing space for the conversation; specifically, it has asked the organization to determine whether the ONC could improve patient matching by "defining additional data elements."

When asked how close we are to adoption of a national patient identifier, Stoltenberg says, "I think we're getting closer but still not there yet. Cures and initiatives like the CHIME National Patient ID Challenge bring the issue to the forefront, connecting both federal push and the private sector. Without them working concurrently, there isn't the combined authority and creative solution to advance the space."

HIPAA Guidance and Training
Perhaps the most misunderstood HIT provisions in the Cures Act involve HIPAA. Early versions of the act included language on the expansion of PHI disclosures for research purposes without the authorization of the patient. Under the scrutiny of privacy and security experts, expansion of PHI disclosure was removed from the final draft. Instead the law authorizes the formation of a committee to study the implications of modifying disclosure regulations to include research.

Jodi Daniel, JD, a partner with Crowell & Moring and former director of the Office of Policy at the ONC, explains, "They're trying to make sure Congress keeps hearing from lots of people—researchers, ethicists, patients, and other experts. I was glad to see Congress didn't try to set the policy but instead set the process."

HIPAA is mentioned in other sections of the act, namely in "Compassionate Communication on HIPAA." This clause similarly orders HHS to form a committee to offer guidance on circumstances when disclosure of PHI to family members, specifically in the case of mental health and substance abuse, is appropriate and protected by the law.

Daniel says, "This is not necessarily about changing the rules. [HIPAA is] long and complicated. There are probably a limited number of folks who understand the nuances. Because there are penalties, it seems easier not to disclose PHI, but that might not be the best policy for patient care, research, or improvements to health."

Daniel, who was instrumental in the original writing of HIPAA, views the Cures Act's call for increased guidance as being a positive and does not view the motions as an early attempt at rewriting the 1996 act, a law she considers her "baby."

"More guidance is always good. The OCR has actually been stepping up their release of guidance and that has been really helpful," Daniel notes.

A common misconception, even among some HIPAA experts, is the idea that mental health information is treated more securely under the law than other types of health information. "HIPAA treats all health information as equally sensitive," Daniel says. "HHS made a very conscious decision to treat all health information the same, but state laws don't."

Daniel warns that additional guidance on the disclosure of PHI in cases of mental health, and accordingly substance abuse, may not solve current issues. "State laws, which are often more strict, would remain in effect regardless of HIPAA," she explains. "HIPAA isn't invoked in many of those cases."

Throughout various sections of the Cures Act, HIPAA education is mentioned, in particular, to support the use of health information exchanges and patients' right to access their own health information. However, funding is set aside specifically to "develop and disseminate model training programs" to educate providers on the disclosure of PHI related to mental health and substance use disorders. Congress has allocated $10 million to be spent over the next four years for these training programs.

Follow Through
While the 21st Century Cures Act authorizes funding for various HIT projects, the reality is the funding must be approved every year in the federal budget. Experts are taking a wait-and-see attitude toward the law. How the legislation plays out in the real world will depend greatly on how new HHS Secretary Tom Price, MD, chooses to move forward.

"It will be very interesting to see how Dr. Price and his team manage this bill," Kibbe says. "Will they move quickly or take a go-slow attitude? Will they focus primarily on the requirements to alleviate administrative burdens or certification issues?"

— Sarah Elkins is a freelance writer based in West Virginia.