2023 has been a busy year for information blocking regulations: HHS ONC’s HTI-1 proposed rule in April (which was finalized on December 13, after this podcast was recorded), OIG’s final rule in June, and November’s proposed enforcement rule for health care providers. Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer, Clearwater, speaks with Beth Pitman, Partner, Holland & Knight, about the information blocking regulations and their practical application in matters such as health information management and operations, technology licensing, and M&A diligence. They also share insights on documenting exceptions and structuring contracts and transactions to limit liability. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
2023 has been a busy year for information blocking regulations: HHS ONC’s HTI-1 proposed rule in April (which was finalized on December 13, after this podcast was recorded), OIG’s final rule in June, and November’s proposed enforcement rule for health care providers. Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer, Clearwater, speaks with Beth Pitman, Partner, Holland & Knight, about the information blocking regulations and their practical application in matters such as health information management and operations, technology licensing, and M&A diligence. They also share insights on documenting exceptions and structuring contracts and transactions to limit liability. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for A HLA comes from Clearwater. As the healthcare industry's largest pure play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains. Purpose-built software that enables efficient identification and management of cybersecurity and compliance risks. And the tech enabled twenty four seven three hundred and sixty five security operation center with managed threat detection and response capabilities. For more information, visit clearwater security.com.
Speaker 2:Hello and welcome to this episode of American Health Law Association's podcast. Speaking of health law. I'm your host, Don Morgan Stern, senior Director of Consulting Services and the Chief Privacy Officer for Clearwater, where I advise and support our healthcare clients on how to move their organizations to a more secure, compliant and resilient state. With me today is Beth Pittman, a partner with the law firm of Holland and Knight Beth advises healthcare systems and providers and healthcare information technology businesses when navigating healthcare privacy and regulations. So it's great to speak with you today, Beth.
Speaker 3:Thank you, Dawn . I'm , I'm happy to be here. Um, we're looking forward to our discussion of , um, information blocking regulations and the impact that those information blocking rules, regulations, and health IT certification requirements have on the compliance risk of healthcare providers and also healthcare , um, developers of, of it.
Speaker 2:And I thought we may wanna start with what is new and any upcoming milestones, and then work into the how of understanding the exceptions to infor the information blocking rule and how they apply to different healthcare organizations, how to navigate the exceptions in specific transactions scenarios, and then any insights you may have on how to structure contracts , uh, to limit liability. So if that sounds good, we can dive right in.
Speaker 3:Sure. Sounds great.
Speaker 2:Alright . So what's new? Uh, the most pressing deadline is the December 31st requirement that certified health it, that stores EHI are prepared to certify certain functionality and make this functionality available to their healthcare customers. Um, in your experience, what is the impact of this on healthcare providers?
Speaker 3:Yeah, so the , the December 23 deadline is, is definitely coming up fast for certified health IT developers. And at this point , uh, probably most healthcare providers have gotten some sort of communication from their EMR vendor or their other healthcare technology vendor regarding whether they want to move forward with implementing this specific type of functionality that's required by the certification criteria . Um, so let's sort of take a step back as a refresher just to discuss what actually is EDHI. So electronic health information is the type of information that is governed by the information blocking rules and the Cures Act. And , um, this is the electronic PHI that a patient would have the right to request and receive. And it generally constitutes all of the designated records set information that's maintained electronically by a healthcare provider. So the certification requirement for healthcare , um, health IT developers is that they provide an EHI export cer . They certify that they have an EH bot , EHI export , um, hyperlink that is , um, publicly accessible and it allows any user to directly access the export file information without any kind of preconditions or additional steps. And it also provides both for a single patient EHI export, which could be used when, when a patient requests access their information directly or, or a physician who's a , who's who's , or a , you know, another healthcare provider needs access to that, that single patient information or it can, it can it , and it can also require , um, export of the entire patient population that's in the ex , you know , that that is in the electronic health health information format. So this would be , um, that is particularly helpful for healthcare providers when they're transitioning between vendors or they're bringing on a new vendor that's gonna , that will need access to the entire set of, of , of data that they have in their , um, in their EMR or other, other , um, health IT transit , um, technology. The , um, one of the advantages I think for healthcare providers is that this will significantly reduce the cost currently incurring when they have to change vendors or they have to bring on Right for another purpose. You amount of , of costs involved in , in , um, extracting Yeah , getting the data extract and then transferring it to another vendor for whatever reason, whether it's transfer or your , you're , or you're, you're using a , an additional technology platform. So those , those are costs that, that , um, hopefully this, this functionality will help produce . Um, the advantage really of the single patient export is that it does enable faster transfer of records . So, you know, particularly between, between healthcare providers. So if you're, you know, if you're, if you're on vacation, you know, this, this winter in Colorado snow ski and you have a , have an accident and you go to the hospital there, they, they, if they, if they have this, this type of , um, export, techno export , um, functionality available, then the hospital can, can easily get your patient records from your hospital in , in Tennessee or wherever you might be from. So that's , um, that is a , that's a, both , both a huge benefit for the healthcare provider and also for the patient in addition. That's
Speaker 2:Yeah, absolutely. Yeah . Yeah .
Speaker 3:Yeah. And it should also help reduce administrative costs , you know, because the health information management departments now are , are just overwhelmed, I think, with trying to respond. They are. So the Yeah. For all of them, this should help , help reduce that, that sort of issue. And , um, and you know , and also there's this, you know , HIPAA has a request for access of records requirement and the right that patients have for that and other , another , other individuals. And so this should also help facilitate that sort of process in addition to being responsive to the information blocking , um, regulations. Mm-Hmm , <affirmative> . So , um, while I think from a healthcare provider standpoint, one of the things to think about is that , um, the MR vendors will have this, you know, they're required to have this, the ones that have certified technology or required to have this available by, by December 23rd, 23rd and, and available for implementation. This does not mean the healthcare providers themselves have an obligation to, to implement that on that date.
Speaker 2:Right. So that, that brings up my next question. Is that because not all the healthcare providers will use a certified health, it , um, how does that deadline affect those healthcare providers?
Speaker 3:Yeah, so the , the, you know , this, this deadline, December 23rd only applies to the health IT developers. It does not apply to healthcare providers themselves. Um, healthcare providers have had the obligation since October of 2022 to be able to provide someone with access to the full EHI dataset to the extent that their technology has that ability to do that, right ? So there are , we'll talk later on about a number of the exceptions that are to information blocking that are available. And , um, and those, the content and manner exception , um, and feasibility, those are, those are types of exceptions that apply when, when someone does not have technology that gives them the ability to meet some of the obligations under the information blocking regulation for access and exchange. Um, so healthcare, he , you know , healthcare providers are not necessarily required to comply with or to implement this technology. Now, if they don't have a certified health it , um, product, which they're also not required to use a certified health IT product. If they don't have one, then, then the best, I think the best option really is to determine to what extent their technology does allow them to exchange EHI mm-Hmm , <affirmative> . Um, so EHI , again, is a broader dataset than what was previously defined as the valve that had to be exchanged, which was the US CDI dataset. That's a little more, that's a little limited. Um, and for the us CDI, which makes it easier, it had a specific, there's a document that tells you exactly what's in it, what categories of data are in it. The EHI is broader because it depends on the client's data, designated de designated data, sorry, designated records set and how they have , how the client or the, or the, you know, the healthcare provider has defined that. So one of one that we , we encourage our, our, our, you know, clients to do and and other healthcare providers is to, is to, you know, review your review your HIPAA policies, the designated, the hipaa, HIPAA designated record set policy. It specifically applies to this situation and determines what the EHI is. So there's two different, right , two different things they can do is , um, well first let's talk about what a designated records set is. So HIPAA defines that as medical records, obviously, billing records, payment and claims records, health plan, enrollment records, case management records, imaging records, lab records. But , um, so it includes everything that was in the U-S-C-D-I dataset, but then it's a much broader amount of information. And , um, they sort of have a catchall, and it's any records or information that's used to make a decision about an individual. So that's pretty comprehensive , um, right,
Speaker 2:No, exactly. It's very comprehensive when you take it in its totality.
Speaker 3:Yeah. So when you look at that, it's a little overwhelming. So the, one of the first steps in this process is for, is for , um, is for a healthcare provider to really identify where all of their patient information is, and you have to, they're, they're, they're really required to do that and encouraged to do that as part of the, part of their annual risk assessment, which is, is to be done through hipaa. So they should, should have already a map that indicates where all of their patient information lives, you know, what systems it is in, what the , what it does with the data, why it is there. And they can use that, that assessment that then, then to look at this and determine, you know, out of these locations where, where do we actually have information that would be considered a designated record set, whereas information that would be used to make a payment decision, a decision regarding payment decision regarding treatment of a patient , um, a decision regarding patient's rights, you know, under HIPAA and other rights. So those are the, they can look at that, that larger map and make that decision, then use that as a way to, to really define in a policy what the designated record set is. And then that sort of governs where the EHI is. So the map is important both for defining the designated record set mapping of, of , um, where their, their electronic PHI lives, but also it's, it's important , um, because it also then helps them respond to and, and comply with information blocking rule, because then you , they have to, they have to have a , a practice in place to allow them to then provide, provide, you know, fast access, you know, to, to this information. Not just when it's requested, but just have a , have a practice and policy in place that this a this information is available and, and understand how it can be made available.
Speaker 2:Yeah, I would , uh, I definitely would agree that that is an exercise that all healthcare providers should embrace for exactly what you said. Number one, it's gonna make it, first of all, it educates them on where all that information is and the decision making , as well as the fact that it also will facilitate and streamline the process. I think even for providing those access requests, when your workforce definitively understands what is the designated record set,
Speaker 3:Having the math is also helpful because there are times when there may be electronic PHI that is subject to privacy regulations that would, that would prohibit DISTRI distribution or exchange of that information. Um, and so having the map then label enables a healthcare provider, then identify where that information is, how it needs to be restricted, and then they can use that to also comply with the privacy exception under the information blocking rules. Mm-Hmm . <affirmative> , which we'll talk about. Yeah,
Speaker 2:I think that, yeah, I think that data mapping , uh, or data flow diagramming is, is really valuable because in my experience, one of the things we've done is not only just identifying the systems, the applications and where the data is living, but also what types of data. And I think that goes back to your point exactly, Beth, about understanding that and understanding what those different data types are, so that if there is an exception to access, that it is much more easily identified.
Speaker 3:True. And then there's also, you know, we have all these outstanding hipaa, HIPAA proposed rules, <laugh>, which
Speaker 2:Someday
Speaker 3:Will be, someday we'll find out what's gonna happen to those. But one of those is , um, that the patient, that one proposed rules that the patient will have , um, under, under both the, the information blocking proposed rules and under, under HIPAA, is an additional , um, a ability for the patient to request a restriction, an additional restriction on, on disclosure of information that would then, could then be used to , um, you know, to help prevent disclosure in the event of that there's a request or, or, you know, through the information blocking rules would prevent immediate, immediate disclosure of that information. So , um, knowing where the information is, because it may not all , may not only be in the EMR knowing where,
Speaker 2:Right, right.
Speaker 3:<crosstalk> is very important so that you can fully comply with that patient's request if you, if a healthcare provider determines to, to, to , um, accept it and, and put that into place. Um, so again, the, the, with regard to the, again, regard to the EHI certification requirements, those really only, those do only apply to the health health IT developers. They do not apply directly to the healthcare providers. But that , but it does, it does provide some additional , um, functionality for the providers. And to the extent that they, that a provider , um, has reporting obligations under, under some of the CMS payment programs like MIPS promoting interoperability, there may be a requirement that they do have certain functionality in place. Mm-Hmm . <affirmative> that some point in time that , you know, those again, would be under the high tech rules, which should be amended.
Speaker 2:So let's shift gears a little bit here. Um, especially since we're talking about providers and with the publication of the grants contracts and other agreements, the fraud and abuse information blocking , um, civil monetary penalty final rule in July, and then the most recent one, just November 1st with the 21st Century Cures Act, the establishment of the disincentives for healthcare providers that have committed information blocking that proposed rule, what do you see as the, the most significant impact to your clients between the CMPs and the disincentives , um, that are applicable to certain healthcare providers that have committed information blocking?
Speaker 3:Yeah, so for the, for the health IT developers and the health information exchanges, the , um, the CMP enforcement process really provides a lot more certainty. That process has been in place for a , for a long time, and , um, it's well struck . It is , you know, structured. Everyone knows what to expect. OID has specific priorities that have been established for years, and , um, you have at least a good understanding of what the process would be , um, and when, when there might be opportunities for resolution and settlement as opposed to having to go through the entire process. And , um, and ending up with A CMP there. Um, there are also clear paths for appeal and review. So if a healthcare , so if a health IT developer, an HIE decides to challenge the, you know , does not agree with OIGs decision and decides to move forward, there is a , a , a faster path to having that resolved through the court system. Um, the downside is, of course, that the CMPP penalties are fairly large. It's 1 million per violation. Right . And yeah , so depending on the , depending on the conduct, it could be substantial. You could have multiple violations and that would all stack up. Um, you know, in the, you know , we, we , when you look at, when we look at the hipaa , um, penalties and regulations, if anybody wants to know, you know, what's the, what's the, what's the worst case scenario that could happen, you start adding those up. It is just, it's astronomical and it , you know , it's mind blowing . But the, I think that the reality is that , um, there may be large, you know, you may a end up with a large potential CMP, but through the resolution and settlement process, you can get it, get it, you know, reduced down to more reasonable amount. Um, right, right . Yeah. And so OIG is generally pretty, pretty receptive to, to , um, enter into a resolution agreement. Um, there would probably be, you know, in addition to that, I'm assuming that they would also have , um, a corrective action plan and some sort of oversight agreement , um, you know , like a CIA or something that would , that OIG would also put in place , um, that's similar to other types of CMP resolutions. Um, I think that one of the things to be, you know, to be thankful to thinking for , you know , that that is , that I am thankful about for there , there was that earlier post rule , um, HTI one, which was issued in April, and for health IT developers and for organizations that are considered to be offering health, it, there was some clarity that, that there , there is some clarity through that, through that proposed rules, which has not been finalized yet. But , um, so the, I think O C'S position has been that under the, the way the language is written now, anyone who offers health by too , whether it's through a management agreement or through some other type of services arrangement , um, if you're a hospital offering that as part of your HO hospital system, offering that to your affiliated , um, practices or, or organizations, if you're a management company offering it to your managed , managed providers, then you, you know, you would've been considered, technically considered to be a health IT developer. So the proposed rule does soften that, and it, and it basically, you know, provides, provides an exception so that you're not considered to be offering health IT for purposes of becoming a health IT developer if you're offering it as part of a service package to, to , um, to healthcare providers. So that, that does provide some relief to some, some , um, some organizations in the healthcare industry. So it does, it does remove from, for them the burden of not trying to be considered to be a , being considered a health IT developer, and also subject to both, both maybe the healthcare provider penalties and these additional, you know, $1 million pervi per penalty violation. Per violation.
Speaker 2:Um , yeah , because I see, yeah , I , I was gonna say, I see the way it was originally defined really could have encompassed a large number of healthcare providers, hospitals, like you said , uh, that, that are licensing the software, the EMR software, and that could have very far reaching impact when you think about it from, from the way it's defined. So that's, that's good to know that, that there is that softening of the language.
Speaker 3:Yeah, it is , it is , it is very helpful because, you know, the , they generally, these health systems when they're, when they have it licensed and they're providing it to the affiliate , to their, you know, practices they own or affiliated with them, they're doing that as a service to try to help, help prevent , you know , facilitate exchange of information, patient
Speaker 2:Care . Yeah.
Speaker 3:Patient care, you know , care. So they have access the records in a prompt way. And , um, it's, it's, so the softening of that language, I believe will be very helpful. We'll have to wait and see how it finally comes out in the final rule. Mm-Hmm . <affirmative> for healthcare providers , um, it's a little, it's, it's a little different. Healthcare providers. The currently proposed structure , um, is admin , it will be administered through CMS , um, after referral by OIG. So OOIG would make a determination , uh, that there has been informa information blocking occurring. Then they would refer the healthcare provider to CMS for enforcement. And CMS would then , um, make a determination that the , the healthcare provider has not been a meaningful user of the EHR . And by doing that, that means that they lose the benefit of the promoting interoperability category and mips, or if they're a hospital system, they, they, they lose the promoting it , they lose the benefit of being considered, you know, being, being compliant with the promoting interoperability requirements for reimbursement. So both of those have a, have a negative impact on reimbursements , um, on a proclaim basis for mips, it is, you know, it would be two years in the future. So because MIPS is a , you have a performance year, and then you have a payment year, the payment year is two years ahead. So if a healthcare provider is determined, for instance, this year, 2023, not to be a meaningful user, then any impact on their payments or their reimbursements would be in 2025. Um , the, I think for an AC for there , the other, the other one is that if you're an A CO , um, contractor or, or a participant in an A CO or you're a participating provider through an A CO , if, if you are determined not to be meaningfully not to, you know , to have engaged information blocking, then CMS would have the option of, of , um, either terminating your contract, requiring the a CO to terminate your contract or denying you the ability to contract with a CO as an a CO , um, all of , so all of those are , um, all of those do not, those, those penalties and disincentives, disincentives do not address all of the healthcare providers that are regulated by the information block mules . The only, only impact those who , um, have Medicare reimbursements and those who are eligible providers under mips or are hospitals or critical access hospitals under that, that report from promoting interoperability or participate participants of an A CO . Um, so that , that does still seem , yeah. Yeah , I was
Speaker 2:Gonna say, it still seems like that's a big number, though.
Speaker 3:That is a big number. I think that there are, there are , um, you know , the Hoss , all hospitals and critical access hospitals have to have to have to , um, report promoting interoperability. So those that , that, that, you know, addresses, that really covers all of the hospital systems. The , um, physician practices, mayor , you know, there , there're still, there are a large number of physician practices, group practices, and other types of provider organizations that do report to MIPS or, or would be eligible providers in MIPS who would also be impacted. Um, but there's, that does still leave a large group of healthcare providers who , um, who don't currently have a disincentive in place. Um, so what CMS estimated is that for promoting interoperability, they believe that the sort of median impact would be approximately $400,000. So obviously for a larger healthcare system, if you're found to be , um, an information blocker, the impact on your reimbursements would be significantly higher. If it's a small, yeah , small critical access hospital, it would be a lot lower. Um, and for those, it's not , um, the, the impact is, is just a , a loss of their, of their cost. They get, instead of being reimbursed a hundred percent of the cost , a hundred , 1% of the cost , they would just be reimbursed a hundred percent of the cost . So they lose that 1% re , um, reimbursement amount . The , um, mips MIPS impact really depends on the number of, of providers in the group . So a large group practice could have a pretty hi , pretty big hit, but if you only have a couple of providers in your, in your practice, or it's a small, a small, you know, a small group practice center 10 , which you already get a , a discount anyway , um, then it's the amount is, you know, could be as low as, you know, a thousand dollars or so. So it's, it , um, it does have a disparate impact on definitely on the larger organizations than, than the smaller ones.
Speaker 2:So with the newest proposed rule that was released November , uh, the proposed disincentives for the healthcare providers such as the Medicare Promoting Interoperability program, the Merit-based Incentive Payment system, and then the Medicare Shared Savings Program, what are some of the key elements , uh, there that were discussed in the proposed rule for each of those categories?
Speaker 3:Sure. So for the Medicare Promoted Interoperability program, that applies to eligible hospitals or critical access hospitals. So the OIG in that context would have to determine that the hospitals have committed , um, information blocking first, and they would make a determination then that they would not be a meaningful electronic health record user. As a result, they would not be able to earn the , um, three quarters of an annual market base increase that's associated with qualifying as an EHR user . So this is an amount, this is an amount that is , um, that is, that changes from year to year based on the, the final rules issued by CMS. But they would lose, they would lose three quarters or 75% of that market base increase. And , um, that's for a hospital, the critical critical access hospital, on the other hand, would have their , um, their reasonable cost reimbursement reduced from 101% to a hundred percent. So they would lose 1%. The merit base incentive payment system , um, applies to healthcare providers , um, of , of a variety of healthcare providers, all of whom, you know, all of, most of whom are, are identified in the , um, in the list of providers who are subject to information blocking, but doesn't address everyone. So healthcare eligible providers don't include , um, may not include a dentist, for instance. But , um, in any event, these would, these are, if, if , uh, if OIG again determines if there's an instance of information blocking by that healthcare provider or group practice, then they would be determined not to be a meaningful user of the , of the EHR . And so they would lose, they would lose , um, the promoting interoperability category for mips . mips , that's 25% of the MIPS score. And because, because MIPS has sort of a , they have a threshold, if the, if the threshold is , um, is 75% or below, then obviously they would have a negative score, which could then, which then would negatively impact their reimbursement for , um, on a per claim basis. And again, that would be two years after the, after the, the performance year. That's, that's , um, impacted the Medicare Shared Savings Program is a , is a program , um, through CMS that , um, that's based on the Accountable Care organization. And so there are, there, I guess there are three levels. There's the accountable court care organization, there's an a CO participant, which could be, which could be a hospital system, it could be which, which then would make the hospital system subject both to that and to the promoting interoperability disincentive. Um, it could be a practice. Um, and then under that you have the a CO provider, supplier, which is the actual clinician. And so each, at each level, each of those could be considered to be an information blocker . And then subject to , um, the , I think the thing that's important to think about with this , which is , um, a little unique is that the , if you have , if the a CO organization itself is found to be an information blocker, then that does actually penalized both the participant and the healthcare, the a CO provider who may have contracted with the A CO . They can't. They also, if the ACOs, if the ACOs contracts terminated CMS or they're not allowed to continue or renew their contract or enter into a contract 'cause of this, then it does, it does. And , you know, indirectly penalize the A CO participant and the provider
Speaker 2:Right, seems to really create a comp a , a , a level of complexity. So especially when we look at , um, you know, what are some of their enforcement priorities and considerations , um, because like you said, especially in the A A CO , uh, example, I mean, that has a considerable amount of downstream impact, not just to the, the , uh, a CO itself, but to, like you said, the participants, the providers, the suppliers . So what, what are we looking at when we're, when , uh, OIG is, is considering imposing CMPs?
Speaker 3:Yeah, so there's, so there's the CMPs and they're the healthcare provider disincentive . So with the cmp , um, OIG really has , they have some priorities that they, that , um, they've developed based on their, sort of , their priorities that they also use for fraud and abuse. So they wanna look at whether the conduct , um, resulted in or is causing, or has the potential to cause patient harm. So it didn't have to actually cause any patient harm, but if it does have that potential, that's their number one, I prioritize priority. The second one is , um, has it significantly impacted healthcare provider's ability to care for the patients? That's something that's different from patient harm, but , um, so it does , it interferes with care, you know, care and care and treatment of patients than that. That is their second concern. How long was the inform ? Has information blocking activity been going on? Has it caused any financial loss to the federal healthcare programs? Of course, they wanna , they always wanna look at that. And then the last one for that applies to , um, healthcare, our health IT developer and HIE was, was this done with actual knowledge? Um, for healthcare providers, they use the same set of priorities, but they dropped, they dropped the requirement. They actually look at whether or not it's performance. He with , um, actual knowledge, because the definition of , um, information blocking for a healthcare provider already includes a knowledge requirement. So in order to be, to have , be found to be an information blocker, if you're an , if you're a healthcare provider, you have to, that OIG would have to find that you had actual knowledge that your conduct was causing, that was causing the blocking of information.
Speaker 2:I think , um, something else that I found that was interesting in the proposed rule was that, that they stated it was the first step that focuses on authorities, which pertain to certain healthcare providers. What do you, what is your understanding of what that could lead to when they talk about it being the first step?
Speaker 3:Well , I thought that was very interesting. Um, it , I believe it means this is just the beginning <laugh> as we
Speaker 2:<laugh> . That's what I'm afraid of. <laugh> .
Speaker 3:So we talked , as we talked earlier before the , this, this for healthcare providers, this particular disincentive does not cover the whole bucket of healthcare providers that are, that are subject to information blocking regulation. Um, right . Also , the, the, you know , the regulatory requirement for OIG to refer a healthcare provider who's an information blocker to an appropriate agency for enforcement, that requires a lot more thought and enter and interagency cooperation because there has the agency to which, to whom the , or to which the healthcare provider is referred must already have an enforcement authority and regulatory process in place. Um, and that has to be the information blocking enforcement has to, has to fall under that authority and be authorized through that, through that regulation. So , um, that's gonna probably require some amendments of regulations. Um, an example is this currently proposed disincentive that relates to mips and healthcare providers will require an amendment of the high tech regulation so that the, to amend the definition of meaningful, of, of meaningful user to include and identify information blocking conduct and make that an express violation of , um, of the, of the criteria that someone has to attest to in order to obtain Mm-hmm , <affirmative> the incentive payment under mips . Um, the amendments, the amendments are gonna have to go through , uh, uh, an additional administrative rulemaking process. And then through the OMB and regulatory affairs review, it's gonna be time consuming and a lot , a lot more complicated than the more straightforward process that is set up for health health IT developers and HIEs . I mean , that one <inaudible> through, through OIG is subject to the CMP regulations, which are, which are already structured, don't , does not require any additional, you know, amendment regulations. But this process will likely re require some additional , um, amendment of regulations, which you have to bring in all, you know , all the policy makers that HHS are already super busy, they're gonna be Right.
Speaker 2:<laugh> <laugh> .
Speaker 3:So that's, this is , um, this'll be , um, this that's interesting. The other, the other thing that, that sort of relates to the , you know, this is, you know , the first step is OIGs repeated reference both , um, in all of , in , in all, all of the , um, in all of the proposed rules that have , that have come out regard , you know , by ONC, by CMS and by O-I-O-I-G regarding information blocking. And each of those have repeatedly referred to referrals of information blocking actors to OCR to f to the federal state . Right,
Speaker 2:Right.
Speaker 3:Yeah. And, and, and they've left it open to other agencies. So , um, you know , there's, there's, there's definitely going, there will definitely be some cooperation between the agencies, which they already have in place now, but, but I believe we'll see more of that. One of the things that I've found interesting is that, you know , the Federal Trade Commission has become more active in the healthcare space, and so they , um, OYG has repeatedly referred to referrals of, of information blockers to the Federal Trade Commission when the, when the claim involves a potential anti-competitive conduct, some sort of fraudulent or deceptive marketing practice or other kind of unreasonable business practice. Um , so when you have the, you know, when you're negotiating a health, it develop a great contract developer or, or , um, or negotiating the sale of a sale of a, of a healthcare provider or merger and acquisition, it's important really to keep all of this in context and, and think through that as part of the terms of those agreements so that you , um, do have the right kind of protections in place. Um, I guess I think one example is that they've used , so is this a contract that contains, in constable terms, regarding the sharing of the patient data? So for instance, if a health IT developer, if you're contracting with an EMR and the EMR wants to charge you an unreasonable amount of money to then , um, extract the data and transfer it in the event that you have a termination event, that would be considered to be an unconscionable conduct because it's, it's pretty, you know, creating an , an barrier in there that's, that's unreasonable in the , in the context , right, right. Talking rules . So , um,
Speaker 2:And that's interesting as it relates back to , uh, the o the , uh, OCR , uh, rule with regard to electronic access and fees imposed too. Yeah. Um, yeah . Yeah . So it , it , I think it, I think it will be interesting to see how , uh, the CMPs and the disincentives are handled in combination , um, especially in light of the complexity , uh, in the enforcement process between both that the July and the November , um, the November rule . So what are your thoughts on that? I mean, the , the complexity itself is, is, I mean, we've seen scenarios in the past where, for example, the FTC and OCR have worked together on , uh, resolution agreements and CMPs, but , um, with these new rules, where do you, where do you see it going in that regard?
Speaker 3:Yeah, so for, I think for the health IT developer and the HIEs , we , we, you know , we will see probably some, some coordination between agencies. Um, if, if particularly if there's some , if there's deemed to be an anti-competitive conduct going on or some, some sort of a, of a practice that would, that would, you know , impede healthcare provider's ability to access records and, and provide care to patients, we , we would see some, see something there that would put into place both, both a , um, you know , both the CMP and a, a corrective action plan and, and oversight by, by one or more of the agencies , um, for healthcare providers. Because, because of this , um, you know, referral to appropriate agency, and also you have the, you know, potential that, that, that could be referral to OCR for a HIPAA related violation. I think we, we will certainly see more , um, more cooperation between the agencies, both in enforcement and an oversight for an event that someone is determined to be an information blocker. Um,
Speaker 2:Mm-hmm , <affirmative> ,
Speaker 3:It's, it's, it's, you know , it's gonna be tricky for, for healthcare providers and to navigate , um, probably more so than health IT developers and HIEs . But , but the , um, I think one of the, yeah , I think one of the, one of the things we just have to look for is how, you know, when, when, you know, when the final rule, final rule is released for healthcare providers, do they have some sort of processes in there that are, that are, make this more clear? And so we said that the healthcare provider can understand, right ? The process is how long is it gonna take? Do they have, do they have a , an option, you know, at some point to, to try to work out a resolution or a settlement? What would that look like? And then, right . So since the, you know , since there's not really any financial penalty that's goes back to an agency look like, like the CMP, you know, how would that , um, you know, the other one goes there , there's <inaudible> there , you know, the disincentive does, does, does save money for CMS, but it doesn't, right? Right. Yeah . So there , you know, it would be interesting to see how the , how that resolution process would , would look and what the opportunities are. The other thing for healthcare providers that makes it a little more complicated is that there's not a , um, with the OIG with the CMP final rule , um, there is, you know , a more clear path for appeal if there , if they disagree with the , um, with the Right, yeah. With this current one. If you, if you disagree with OIG G'S decision and, and the enforcement, then the question is, you know, where do you go for to appeal that? Do you, do you, you know, do you have to appeal it through, through the CMS , um, audit , you know, through their process and ,
Speaker 2:And how ,
Speaker 3:Yeah. Yeah. So there's not, there, there, there again, there's some, a lot of uncertainty with regard to how this is handled with for a healthcare provider.
Speaker 2:Yeah. But I think also too, from what we've seen , uh, with from OCR, I mean, we've got 43 settlement agreements and two CMPs just regarding access with two and a half million dollars in fines. So it seems like that is, is serves as a way of educating covered entities on access is a key focus. And then that just ties primarily into the information blocking. Um, I know we've got just a short bit of time left, so I wanted to maybe talk through some of the exceptions and get your impressions on what you think , uh, are good things for , uh, entities to be aware of, and what constitutes information blocking, if that , uh, works for you.
Speaker 3:Oh, sure. Absolutely. Absolute .
Speaker 2:Sure. Um, so I think as we move into the eight exceptions, you know, looking at exceptions that involve not fulfilling requests to access exchange or use of EHI and then , um, exceptions that involve procedures for fulfilling the request to access exchange or use EHI . So maybe let's touch on the first one, preventing harm, which is the exception that recognizes the public interest in protecting patients and other persons against unreasonable risk of harm. And you talked about harm before, and , uh, they can justify practices that are likely to interfere with access. So maybe tell us a little bit more about that and maybe some examples of what you see.
Speaker 3:Yeah, so that, that particular , um, exception is caused I think, more consternation for healthcare providers than any of the other ones, <laugh>, because , um, one of the, one of the biggest concerns that came up initially with, with a lot of, a lot of providers is the idea that you have to immediately make available to a patient their lab results and, and radiology reports for imaging. And for some providers, this is very concerning. 'cause that information may be sensitive, it could, it could cause severe distress to a patient who has, who's getting a bad result back and do so before they've had a chance to meet with their, with their physician and discuss it. So that was, that is something that has caused , um, you know, some, some concern. And how can they, you know , how could they possibly comply with that? The preventing harm exception is limited to a physical harm, so it does not include an emotional or mental harm issue. So, and it is , um, it is restricted to a case by case basis. You can't have a practice or policy set up that would say for all of these types of situations, we will withhold the lab results . So, for instance, with an oncology provider, if a , if a patient comes in and has a PET scan , um, the report comes back, the physician has not yet had a chance to review it, but under the information blocking rules, that report would immediately go into the patient's portal and the patient would be able to see it and view it, and the results could be devastating. Mm-Hmm . <affirmative> . Um , so that, that is very concerning, but that doesn't necessarily create a physical harm for the patient, so it wouldn't fit into the, the preventing harm exception as it is. Mm-Hmm . <affirmative> . So the , in these cases, it's really important to have patient education at first, you know, to say the patient, this is a report that you're , you know , you're having this test done under these rules, we have, we're required to, to have that report available to you immediately on your portal when we receive it, same time that we receive it. If you do not want that to occur, if you'd rather meet with your doctor and discuss the results prior to you seeing those , um, we can, we can withhold that and restrict it from your record, you know , your patient portal record until you've had , until you've had a chance to meet with your physician. So there are ways to educate patients, provide them with opportunity to say, no, I don't want that disclosed to you right away. I'd rather just, you know, meet with my doctor Right . Results because the, the lab result report may be confusing. The language use is not necessarily something that a , that , uh, you know, a lay person understands, right. Might be a new , so, so there are ways to address that. Um, and , and in any event, if, if a , if a physician does determine, I mean , there are certain cases, so there are times when , um, for instance, if you're, if you have a, if you're an , an OB provider and you have someone that comes in and they've had , um, and they've, they've previously had an abortion, they don't want, they don't want their spouse or someone else to know about that, then they can request that that information not be available in their portal because they don't want, they may have given their, their spouse access to the portal. So there are , there are certain, certain types of information that might be sensitive to an individual that could, you know, in , in certain circumstances, the physician could say that might, that might pose a risk of harm, right ? This patient if the, if another party finds out about it or, or there are some patients, like for instance, patients that are, that are, that have , um, maybe maybe have a mental health, health history where you wouldn't want them to receive certain information advance because that they could, you know, physically harm themselves. So there are times when a , when a physician can, on a case by case basis, make that determination. So with each of these exceptions, we, we generally recommend that that healthcare providers have have an exception form that they would fill out at any, at any point in time, if an exception applies, either because it's a , on a case by case basis, or if they put into place a policy that regarding something that as that is permitted under these exceptions, then they would complete the form attaching the applicable documentation that might go with it. So, for instance, we'll talk about the feasibility exception. If their technology's unable to do something release form , then they would attach something that, that supports that. So that would be attached and kept in their records, kept in the compliance records so that if there is a claim of information blocking, they can then have that, have that form that's been completed. They, they can demonstrate that they comply with the exception, and that there is in fact no information blocking occurring. So for preventing harm . And yeah, preventing harm is important to get the physician's documentation to support the physician's termination. That is, that is an applicable except right .
Speaker 2:Yeah. So that leads us into the , um, the privacy exception, which recognizes that if, if an actor is permitted to provide access under a privacy law , uh, then that actor should provide that access, however, they talk about an actor should not be required to use or disclose EHI in any way that is prohibited under state or federal privacy laws <laugh> . So how do you see that exception applying ?
Speaker 3:So that exception is one of the ones that is just
Speaker 2:<laugh> . You laugh, <laugh> ,
Speaker 3:You know , every, I think every day I get an alert in my email that there's been some new privacy law passed in a state or, or an amendment to a privacy law. The , um, exactly
Speaker 2:Gets confusing after a while .
Speaker 3:Oh , it is, it is overwhelming. And so for healthcare providers, they're , they really have to, I think probably de depend on their privacy council and or their internal privacy department to track and document, you know, if they're , if it's a national organization, it's pretty , it's gonna be pretty difficult, but whatever, you know, the privacy laws that apply to their patients, they have to be able, they, they should already have a document that identifies what those are in any event and identify, you know, when there are prohibitions against disclosure , um, you know, one of the bigger ones is part two, substance use disorder information. They, they have, they would have to restrict that. Um, psychotherapy notes, which are the, which, which is always been a difficult one to define. But those are the, the notes, the , the, the actual personal notes of the therapist, the therapist has taken during the counseling session, not the, not necessarily the full mental health record, but those personal dose and those should be segregated anyway and not in the general , um, patient record. Um, there are a lot of other, each states have also have some very specific restrictions. There's now pending before , um, there's a now proposed rule for reproductive health data protection under hipaa. And so that one, that would be another one that could potentially , um, impact this, this privacy law. And then , um, the states, you know, every, every, every day there's a new state law that changes , um, privacy laws. And so those are , um, that is something that's interesting. The , one of the, one of the things that's coming about now too is the , um, the more , um, more expansive use of, of , um, AI technology and when information's released to the AI for its own learning purposes, and then used by the ai. So the privacy, the privacy laws , um, California just has, has proposed law pending now regarding, you know, what can be used by an AI program and , and when, so there are , um, there are a lot of moving parts that go along with this privacy exception. Bottom line is, if you put into a place, if you have, you know, if you have certain data, you need to have a policy in place that protects that data. If it's needed, if it's protected by law and, and that policy, then she could be expanded to include the information blocking exception and specifically identify that in the policy as, as a component of that policy so that , um, you then have it flagged. Um, we go back to the EHI map mapping, you know, knowing where all your protected health information is is important and being able to flag it and identify where it's located and when required, right . Certain protection. So that, that sort of goes into this whole privacy exception. And again, if you, you know, it doesn't, as we've the , um, an information blocker blocking activity doesn't occur just because there's been a request for access, it's been denied or delayed . It occurs because there's been a practice or ongoing conduct in place that that then leads to it. So you don't even have to have a denial of access in order to be considered to be an information blocker. So from the privacy rule of exception, it's important to to know exactly when there is that, you know, prohibited disclosure and, and have that documented. So this is, this is one of the times when you would wanna have a policy in place and include, they go ahead and have the exception established, have the documentation to provide, you know , available for it and identify, you know, when, when certain information would be protected and restricted from disclosure.
Speaker 2:So Beth, I know we won't have a lot of time left to cover all of the exceptions , uh, but I really wanted to ask you about the infeasibility exception where we recognize that legitimate practical challenges may limit an actor's ability to comply with the request for access. So an actor may not have or may not be able to obtain the required technological capabilities or the legal rights or other means necessary to enable access. So how do you see this impacting?
Speaker 3:Yeah, so there are , um, there, there are times when the information, when your , your healthcare technology just does not have the, the type of functionality required for you to meet a specific request or to , or to , or a , a , you know, to be able to exchange information. So for instance, being able to exchange all of the EHI that you have in your organization, they may not have the , the technology may not have the ability to do that yet. And , um, that while, while the requirement is that they have a cert , they certify that they have , that there is a, a link and an ability to do that. The technology itself still may not pull all the EHI into a single source in order to facilitate that. So in that case, you would have, you would have the ability to document that the feasibility exception applies and , um, and provide, provide that sort of response. One of the things to note is that at any point in time when you receive a request, when a healthcare provider receives a request from information , um, or another actor does, there's a requirement that you respond within 10 days to indicate, you know , mm-hmm , <affirmative> what , you know, yes, you can comply. No, you can't comply, but if you can't comply immediately, this is why you cannot, and this are the exceptions that would apply. So then feasibility except exceptions, one that probably most, most commonly applies to, to healthcare providers.
Speaker 2:One last quick question around your insights on how to structure the contracts to limit the liability. So we talked about the contracts and the vendors , uh, being more accountable for compliance. What are your recommendations there?
Speaker 3:Yeah, so , um, it's, it's really important when you're, when you're negotiating with a health IT developer or a , or another type of technology that that will, that either maintains your data or will provide with, you know, access to the data that you, I guess first of all require that there's a compliance with laws provision in there. And also that the , that the provider agreed to maintain certification, assuming it's a certified health, IT to begin with, maintain certification of, of their product, and then , um, and continue to update it. Um, it's important to have , um, make sure that's a provision in their warranty, that they will, they will protect the data in compliance with the security obligations under hipaa and then, but , but also be able to have , um, to protect the data in the event of , um, in the event of an , of a , of an attack. So that the data integrity and the availability is, is, is protected , um, both, both purposes of complying with hipaa, but also purposes complying with the information blocking rule . Um , one of the things that has, that the ONC proposed in the April rule was that , um, in addition to the , OR as a component, the infeasibility, they proposed an additional condition, which is called uncontrollable events. So in the event that that , um, that a vendor has a ransomware attack and you're not able to then provide access the data , access an exchange of, of patient information, a healthcare provider would be able to claim that that is, that has occurred. It is one of the , is it is part of the exception now , um, or will be once they finalize that rule . So that is, that is a , um,
Speaker 2:That's ,
Speaker 3:Yeah. Yeah.
Speaker 2:That has a significant impact.
Speaker 3:Yeah, that has .
Speaker 2:So I wanted to thank you. Yeah, I wanted to thank you for your excellent insights that you've shared, Beth and I really enjoyed our conversation. Enjoyed and thanks to our audience for listening. Uh , hope you have a great day.
Speaker 1:Thank you for listening. If you enjoyed this episode, be sure to subscribe to a HLA speaking of health law wherever you get your podcasts. To learn more about a HLA and the educational resources available to the health law community, visit American health law.org .