The Department of Health and Human Services Office of Inspector General will begin enforcing information blocking penalties today, which include potential compliance violations for "acts and omissions" and penalties up to $1 million.

Info blocking, info sharing and consumer education

Healthcare IT vendors have been getting ready for two years to make patient electronic health information available for access, exchange or use on September 1, according to leaders from the Electronic Health Record Association.

They can use patient portals, other web interfaces, APIs, and an abundance of technologies and platforms to make it happen. However, while OIG published its final rule on June 27, the Office of the National Coordinator for Health IT is still working out certification rules proposed earlier this year, they told Healthcare IT News this week.

"Information blocking isn't finished from a regulatory perspective," said Leigh Burchell with Altera Digital Health, vice chair of the EHRA's information blocking compliance task force and member of the organization's executive committee.

"ONC is continually releasing new things that are all towards that purpose of easing access, exchange and use of information. So while the enforcement date from OIG starts [today], we know there's still more coming. We're all just going to kind of keep chugging along delivering what we need to deliver. It's the right thing to do, and it's not finished from a regulatory perspective," she said.

Info sharing is what the organization has come to call its unprecedented efforts to work together and make patient data accessibility happen and pave the way for healthcare providers to deliver more comprehensive care.

EHRA has voiced reservations about IT companies balancing new regulatory compliance with other HHS requirements. But despite being competitors, Burchell, David Bucciferro with Foothold Technology-Radicle Health and chair of the EHRA's executive committee, and Dr. Bill Hayes with CPSI and EHRA vice chair, all felt its members rose to the challenges posed to them under the intent of the Cures Act.

Bucciferro pointed out that facing info blocking brought the industry together in a unique way – "as in trying to help each other understand ways of sharing information within the rules that are being put in front of us," he said.

"It was very refreshing from the start of our information group that started off as information blocking. Once we got through understanding what was being asked for, all of our companies shifted towards an information sharing perspective," he said.

"Agreed. That is the whole concept of this thing," Hayes said.

Critical to the work of regulatory compliance for health IT, they say, is educating healthcare consumers so they understand "what is being shared, how it can be shared and what various pieces of patient data may not be shared."

That is going to be challenging enough for vendors to grapple with. A patchwork of developing privacy laws at both the federal and state levels will require juggling, such as a referendum on the 2024 ballot in Maryland that would legally restrict reproductive data.

Then there's the legal cases. 

Burchell said there have been a lot of conversations lately about what happens if a patient comes directly to a vendor to get their data if they can't get it from their doctors, since providers are not currently disincentivized with penalties. 

"What are the information blocking implications? What does that look like, especially for on-premise installations where we don't actually control the data?"

Over the next couple of years, there will be a lot of conversations. Healthcare entities may be required to follow state or federal laws applicable to the release of medical records, which can raise allegations of privacy breaches under HIPAA. 

"There are so many scenarios where there are these use cases around data segmentation and withholding of data that I think we're going to see worked out probably in the courts," Burchell said. 

The HHS Office of Civil Rights is currently investigating Vanderbilt University Medical Center over a legal battle with transgender patients who say the unauthorized disclosure of their personal health information to Tennessee Attorney General Jonathan Skrmetti was a privacy violation.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.