Info blocking exceptions need special attention from providers
While comments on HHS' proposed rules on information blocking disincentives for Medicare providers aren't due until January 2, 2024, with no set date for publication of a final rule, "the federal government is moving more quickly than we tend to see with other laws," said one expert this week – and substantial financial penalties could be in the offing sooner than many providers might think.
When it comes to info blocking, HHS takes it "very seriously; they understand this is a problem," said Jennifer Hennessy, data privacy attorney with Foley & Lardner LLP, during a webinar hosted by the American Telemedicine Association on Monday.
"So, I don't think it'll be a situation where we don't have any penalties for five years. I think they will come relatively quickly."
The session examined five key exceptions to info blocking and aimed to equip attendees with actionable insights and strategies to ensure adherence to information blocking regulations and patient data security.
On Wednesday, HHS hosted its own webinar to review the proposed info blocking requirements and answer only questions specific to the draft.
Provider penalties through CMS programs
The proposed information blocking rules from HHS could cost noncompliant providers thousands, penalizing hospitals directly under the Promoting Interoperability Program and affecting the eligibility status of clinicians and accountable care organizations under other Centers for Medicare and Medicaid Services programs.
For instance, if the HHS Office of the Inspector General were to refer a critical access hospital or eligible hospital to CMS because it was found to engage in information blocking – the acts of interfering with, preventing or materially discouraging access, exchange or use of electronic health information – under the Medicare Promoting Interoperability Program, the CAH would no longer be a meaningful electronic health record user in an applicable EHR reporting period.
Electronic health information, or EHI, as defined by HHS represents a designated record set broader than what's in a medical record, Hennessy notes.
Elizabeth Holland, CMS senior technical advisor, said that under the disincentives proposal, eligible hospitals would not be able to earn 75% of the annual market basket increase for qualified meaningful EHR users. For example, an information blocking referral to CMS in 2025 would apply to the 2027 payment adjustment, she said.
For CAHs, a referral from OIG in 2025 would result in CMS reducing reimbursement for reasonable costs from 101 percent to 100 percent that year.
Holland noted that each information blocking determination would only affect an eligible hospital's meaningful EHR user status in a single reporting period.
"There is just one penalty per year," she noted, even with additional referrals for the same time period.
Clinicians under the Merit-based Incentive Payment System would be similarly affected: an eligible clinician or group would not be a meaningful user of certified EHR technology in a performance period. Promoting Interoperability performance is a significant portion of MIPS' annual scoring – 25%.
Conceivably, perfect scores in the other MIPS categories would result in a "neutral payment adjustment."
During the call, one attendee asked how MIPS-eligible group practices would be affected if an individual provider in a practice were found to be info blocking.
According to the draft proposal, "If the group chooses to report as a group, if one person in the group is found to be information blocking, the penalty would apply to the whole group," Holland said.
Case by case for investigations, penalties
Each info blocking referral investigated will require OIG to disentangle which developers and providers of certified health IT caused it, and decide who might be accountable.
"We've emphasized from the beginning that with every single information blocking claim, it's always going to be a case by case analysis," Deputy National Coordinator for Health IT Steve Posnack said during the ONC announcement on October 31.
Holland said CMS would also be looking at all OIG referrals on a case-by-case basis to determine how to apply the disincentives.
If OIG determined an ACO provider or supplier under the Medicare Shared Savings Program to be info blocking, it could become ineligible to participate in the program for one year as a penalty.
Exceptions require significant training
There are eight nuanced exceptions to the proposed info blocking rules for denying a request for access to information that will require employees to be well trained – "to make sure that they understand those exceptions and aren't running afoul of the information blocking rules unintentionally," Hennessy said.
"It's going to be very important for your organization to start developing policies and procedures, if you haven't already, that outline what is required to meet these various exceptions," she said.
Hennessy focused on a few of the key exceptions that involve not fulfilling the request at all.
For the privacy exception, "if HIPAA or another law would require the patient's authorization or consent to make a disclosure, the information blocking rules don't change that," she said.
The patient's consent or authorization would be required, but what "turns HIPAA on its head a little bit" is if HIPAA and other laws would permit the disclosure, then the information blocking rules require it.
One example of this is provider to provider transmission of patient data.
"For those of us that were used to living under HIPAA, which permitted certain disclosures but didn't require them, in most cases, the information blocking rules will now require certain disclosures to decline to disclose information under the privacy exception," Hennessy said.
Reasonable practice must be taken to obtain authorization, such as including a copy of the authorization needed to exchange the requested information, she noted.
The infeasibility exception can protect healthcare providers from info blocking disincentives if they can't segregate data from other information that cannot be exchanged. One example is substance use disorder information regulated by 42 CFR Part 2.
"There's other information that's commingled with it in a way where it's just not feasible to pull out what you could disclose versus what you couldn't disclose," she explained.
However, the provider has 10 days from receiving the request to document why it can't provide the access, exchange or use of the EHI, along with the costs of complying and its financial and technical resources.
Preventing harm is another important exception with "strict conditions in place."
Hennessy said the exception allows for the protection of patients and other persons against substantial risk of harm that might arise if there was an access, use or exchange of the EHI.
"It's actually very narrow," she said, explaining that the type of harm must be described by an HCP that has a relationship with the patient.
"In addition, the type of harm has to be one of the types of harm that a HIPAA covered entity could use to deny access to the patient's own protected health information under HIPAA," Hennessy said.
Although a cancer diagnosis on a lab result could trigger an emotional response, it can't be relied on under the preventing harm exception as a reason for info blocking. "So emotional harm is not enough," she said.
The harm has to be a danger to the actual life or physical safety of someone. A healthcare provider could deny a patient's personal representative access to the patient's EHI based on the professional determination "that there is actually a potential for danger to the patient's physical safety based on something that's in that EHI," Hennessy said.
If the patient alleges that the personal representative is physically abusing them or neglecting them, then the healthcare provider can deny the personal representative access to that information.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.