Adapting to new conditions introduced by the Coronavirus pandemic has been all-consuming, which is why many organizations asked the U.S. Department of Health and Human Services (HHS) to delay implementation of the ONC and CMS interoperability rules. Unfortunately, there wasn’t much flexibility granted and on May 1, 2020, the rules were published in the Federal Register. That means compliance deadlines are quickly approaching, with November 1 being the first one related to information blocking.
So what steps can you take to prepare your organization to be compliant with the new rules? Follow these simple building blocks that we have developed based on our study of the rules and our conversations with customers and you will ready to successfully meet the requirements for interoperability and avoid information blocking.
Assess
The scope of the rules is broad, but not all elements apply to healthcare providers. The first step is to understand what is required and the status of internal preparations.
Information blocking
Since information blocking enforcement is the first element to go into effect, it is sensible to spend time understanding information blocking, which the 21st Century Cures Act defined as, “A practice by a health care provider, certified HIT developer or HIE/HIN that, except as required by law or specified by the HHS Secretary as a reasonable or necessary activity, is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
Review the following:
- ONC’s eight exception categories to confirm referenced elements are in place (e.g., security and privacy policies are publicly posted and equally applied to any requestors)
- Your organization’s online privacy policies and other notices disclosed to individuals relating to EHI; these policies may need to be updated to reflect instances where requests for electronic health information may be denied.
- Potential security risks that could arise from increased digital requests and how these risks are addressed by existing information security risk assessment tools, policies, and practices
Sources of clinical data
It is always best practice to have a current map of all of the locations where clinical data could reside. Information blocking enforcement provides an impetus for refreshing that map and making the map readily available to any individuals who may interact with requests for electronic health information.
Attestation statements
According to its “Interoperability and Patient Access” rule, CMS will make public when hospitals submit a “no” response to any of the three attestation statements related to the prevention of information blocking under the Promoting Interoperability Program. Organizations should assess how they are currently responding and whether inter-departmental coordination is required for attestation going forward.
Build
Once organizations have assessed the new rules and their existing preparatory actions, it becomes time to build any new elements required for compliance.
Interoperability program office
One of the most important elements is standing up or joining a cross-functional team with responsibility for compliance with the ONC and CMS rules. Given that the requirements span IT, Compliance, HIM, and perhaps other departments, it is helpful to designate responsibility within these groups as well as establish ongoing transparency and communication between the groups.
The rules advance a vision of healthcare providers as key enablers of the patient and third-party access to clinical data. While various internal groups may take lead responsibility for individual requirements in the rules, healthcare organizations would benefit from having a central vision for digital access to clinical data and implications for compliance with the interoperability rules.
Interoperability roadmap: technical and user experience
The ONC rule includes several requirements for health IT developers to meet in order for their products to meet the definition of certified electronic health record technology (CEHRT). Healthcare organizations should develop a roadmap for interoperability that addresses technical functionality that will be built into products like the EMR and considers how those functions should actually be deployed for staff and patients. Some of these technical functions are not required to be built until 2022 or 2023, so it would be prudent for organizations to create a comprehensive roadmap and execution plan that will meet organizational needs.
Policy revision and creation
Following from assessment of existing policies, there may be a need to revise existing or create new policies to reflect new considerations relating to the information blocking prohibition. A coordinated effort between HIM, Compliance, and IT (for security and privacy considerations) will be beneficial.
Change
As mentioned above, the interoperability rules represent a changing approach towards access to clinical data that will require education and continued support.
Mindset and operations
While HIM staff may be the group most directly affected by the information blocking prohibition, other areas of the healthcare organization may also have interactions with requests for access, exchange, or use of electronic health information. For example, we heard from one organization that raised a potential scenario of an IT support person being asked for access to data.
Organizations need to develop comprehensive, broad internal communications that describe how the organization is supporting authorized and secure access, exchange, and use of electronic health information and provide specific guidance on any process changes employees should implement.
Staff and patient education
It is equally important for healthcare organizations to help patients understand their options for accessing clinical data as well as implications for privacy. It is likely that there will be increases in third-party organizations seeking access to patient clinical information. Healthcare organizations and patients should be aware that HIPAA does not apply to third parties who are not covered entities or business associates. As a result, patients cannot assume that third parties will provide the same protections and safeguards as they expect of their healthcare organizations.
Healthcare organizations can enhance the patient experience by helping educate patients about the privacy and security of health information, setting expectations, and providing some guidance on how to make informed choices about sharing electronic health information.
Assess — Build — Change
While the interoperability rules are detailed and sometimes complex, following these ABCs gives healthcare organizations a running start in preparing for compliance.