Cures Act enforcement looms
It’s chilling to know that the Office of the National Coordinator of Healthcare Information Technology (ONC), the U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG), and the Centers for Medicare & Medicaid Services (CMS) have been promulgating additional 21st Century Cures Act rules lately that are identifying and setting the basis for enforcement of the potentially profound amounts of financial penalties, including million-dollar Civil Monetary Penalties (CMPs) as well as major CMS market basket impacts.[1] These enforcement mechanisms require time to establish, but their rulemaking provisions—except for the final rule for appropriate disincentive rules of providers which has recently dropped.[2] Enforcement of the Cures Act—which has been missing for years—can begin whenever the government desires to do so after appropriate notice periods. The election year may be throwing wrinkles in that timeline, but no one knows for sure when the hammer may begin to fall among those subject to the rules.
That doubt—and the magnitude and scope of the rules—require that the Cures Act (45 C.F.R. Parts 170 and 171) be implemented with haste.[3] It’s tricky, however, because this must be done according to the unique way of this rule and also according to when electronic health record (EHR) providers are able to develop, certify, negotiate additional licenses (if needed), and implement the rules that have dropped so far. The result has been planning activities, interface building, and advancements for some providers of care working with some EHR vendors toward useable implementation of the many parts of the Cures Act, like application programming interfaces (APIs) and electronic health information (EHI) exports. But it’s an uneven implementation pace so far, and not having consistent enforcement has not yet been a driver in making adoption more uniform. While some healthcare provider sites have gone a long way in both their technical and operational implementations, others have less-than-optimal Cures Act technology and operational policies, it’s not a topic that is currently getting a lot of print space and attention. A recent view of vendors at the recent Healthcare Information and Management Systems Society event in Orlando, FL, showed anecdotally that other than in the interoperability exhibit hall space, there were not many vendors with Cures Act-type offerings besides general connectivity technology and services.
Health information, compliance, and privacy governance at many U.S. providers of care organizations have not yet had much volume of Cures Act incidents or requests, and information blocking is not yet universally tracked for denied requests that meet Cures Act information blocking requirements. However, incidents and requests will gradually ramp up over time to be new areas to manage for already burdened provider staff, with some type of best practices and automation becoming available and adopted over time as they develop. Health information departments, release of information vendors, and other internal parties, including compliance, privacy—and especially IT—all need to design new operational flows as the EHR and other API/EHI export technologies develop. Increasingly, compliance and privacy (as well as others) may get into negotiating Trusted Exchange Framework and Common Agreement (TEFCA) arrangements and spend time working with health information exchange between their organizations and others to which there is a desire to connect and formalize interoperability of patient information. This will become commonplace.
But be aware, despite the thoughts by some that all data exchanges are to be automated, there will always be the need for human interaction with some number of exceptions, denials, failed exchanges, patient ID mismatches, breach prevention, determination—the list goes on. We are only on the cusp of the new world of Cures Act data exchanges; how it eventually plays out with efficiency gains and other areas that require resources is to be seen.
One of the latest 21st Century Cures Act rules to drop is “Health Data Technology, and Interoperability Certification Program Updates, Algorithm Transparency and Information Sharing” (HTI-1 final rule).[4] It is a substantial amount of information to unpack, and as of February 8, 2024, it is already in effect. To be clear, although the EHR vendors and health IT developers are mostly impacted, the fact that this rule keeps on codifying details of Cures Act interoperability and information blocking provisions is highly important to factor in that as these vendors get their respective products meeting the certification criteria they will be rolling out capabilities that have to be planned and adopted by provider, as well as, payer and other Cures Act actors to stay in compliance with myriad Cures Act requirements.
The title of the HTI-1 final rule tips us off to its expansive contents. This is, in a way, a milestone rule in that it opens a new and/or updated line of regulation with decision support interventions, which increasingly cross into the artificial intelligence (AI) realm within computerized physician order entry and other clinical EHR documentation (typically, but not exclusively) modules.
According to the rule summary, this final rule implements the EHR Reporting Program provision of the 21st Century Cures Act by establishing several differing regulations. ONC cites improved interoperability and algorithm transparency and EHI’s access, use, and exchange for making these updates and new rules. This final rule also updates numerous technical standards within the EHR Certification Program.
Updates for vendors and developers of healthcare IT that are certified by the government—mostly, but not exclusively EHR vendors—include new Conditions and Maintenance of Certification requirements such as:
-
Various updates to certification criteria and standards recognized by the certification program
-
Revised certification criteria for decision-support interventions
-
Revised/updated patient demographics and observations
-
Adds a new baseline version of the U.S. Core Data for Interoperability (USCDI) standard utilizing version 3
-
Revisions to electronic case reporting, including new required reporting
Additionally, the final rule provides enhancements to support information sharing under the information blocking regulations.
Discussion of EHR Certification Program updates and revisions
Deep examination of this rule’s changes reveals a serious effort to obtain the details needed to facilitate data exchange to levels far exceeding those in use today. The EHR Certification Program Update category—which revises and adds to the criteria that certified systems must meet for their customers to qualify for federal funds—creates standardization in interoperability and EHI exports, many details have been settled.
Mandate of USCDI version 3
With a move from USCDI standard version 1 to version 3, the scope of data classes identified for EHRs (and other systems) has expanded considerably. This is significant in that it continues to identify, specify, and standardize the data classes, including data and documentation, that comprise the “medical and billing records” Cures Act actor and HIPAA-covered organizations create, manage, and exchange. This specificity has never been defined to such a level of detail and has been needed for decades. EHR and other clinical and billing vendors have not extensively standardized data classes and have named and indexed schemas on a voluntary basis. As a result, high volumes of data exchange have foundered for years. ONC and their partner agencies and departments at HHS, like CMS, are pushing hard to enable interoperability and data exchange to overthrow perceived blockages that nonstandardization and HIPAA (which is debatable) have caused. Lack of standardization now moves from trying to correctly scope the identification of what data and documentation comprise the entirety of medical and billing records to more detailed nuances of each data class with other attributes, such as versioning, provenance, and metadata. The updates are, according to ONC, “focused on advancing more accurate and complete patient characteristics data that could help promote equity, reduce disparities, and support public health data interoperability.”[5]
Decision support algorithm transparency
According to the final rule, it “establishes first of its kind transparency requirements for the artificial intelligence (AI) and other predictive algorithms that are part of certified health IT.” HHS belies that their “leading-edge regulatory approach will promote responsible AI and make it possible for clinical users to access a consistent, baseline set of information about the algorithms they use to support their decision making and to assess such algorithms for fairness, appropriateness, validity, effectiveness, and safety.” Clearly, ONC is trying to get ahead of abuses caused by AI introduction into clinical processes, either through development or real-time analysis. Decision support—which has been automated for decades—continues to evolve and requires careful management. Transparency requirements for certified health EHR and IT modules to improve AI trustworthiness and support consistency around using predictive algorithms or models in healthcare will strongly impact the decision-support elements of modern EHR systems. Transparency, meaning being able to decipher what technology is used, when, and how, with resulting data attributes, is what regulators are trying to foster and engender trust and confidence in AI by bringing controls to the wrap guardrails around the use of the swiftly emerging and maturing technology that is AI.
Interoperability-focused reporting metrics for certified health IT
There are extensive new reporting requirements, now mandated, which are to be understood by compliance and IT professionals—among others—who are responsible for governmental (especially EHR) reporting. The rule implements the Cures Act’s requirement to adopt a Condition of Certification called the “Insights Condition” for developers of certified health IT to report certain metrics as part of their participation in the certification program. These metrics intend to give more insight into how certified health IT is used to support care delivery and will help report on interoperability. This is an interesting set of metrics in that it could help with interoperability enforcement at some point in the future. This reporting should be built into the EHR, but its delivery will vary by vendor and version of their product. It is incumbent upon those in charge of governmental reporting to be on top of Insight Condition reporting to ensure they are planned for in EHR implementation and put into place to occur on the required frequency.
Enhanced information blocking requirements
The HTI-1 rule revises some information blocking definitions and exceptions to support information sharing and adds a new exception; there are now nine. It is a bit confusing; exception conditions were added, and other(s) were removed. It is important for all actors to implement policies and procedures for information blocking exception invocation and revocation. The new rule may change the educational content and forms currently used. The rule also encourages the use of TEFCA standards.
Conclusion
ONC’s HTI-1 final rule is already in effect. Although many of the rules’ elements primarily impact EHR and IT module developers, the changes they introduce should be planned for in healthcare organizations that qualify as actors under the 21st Century Cures Act. The time to move on these rules is now. Other specifics in the rules, for example, regarding information blocking, have changed and need to also be adopted and implemented by Cures Act actors as well.
Takeaways
-
New 21st Century Cures Act rules continue to be published with implementation dates that have already passed.
-
The Cures Act rules include interoperability and information blocking, which are different from each other but also interrelated.
-
HIPAA and the Cures Act requirements build upon each other, intertwine, and should be examined together for compliance purposes.
-
Other initiatives such as the Centers for Medicare & Medicaid Services Prior Authorization rules are adopting Cures Act interoperability standards, this will continue to be the trend.
-
The new Cures Act Health Data Technology, and Interoperability Certification Program Updates, Algorithm Transparency and Information Sharing final rule comprises decision support intervention rules, including transparency regarding artificial intelligence (AI) use. This is the first in what are sure to be many iterations of rules regulating AI development and use.