Although comment on HHS’s proposed rules on blocking information for Medicare providers is not expected until January 2, 2024, and there is no firm data for the publication of a final rule after that, “the federal government is moving faster than we tend to are to be done’. we have to see it with different laws,” one expert said this week – and significant financial penalties could be on the horizon sooner than many providers would think.
When it comes to blocking information, HHS takes it “very seriously; they understand this is a problem,” Jennifer Hennessy, a data privacy attorney at Foley & Lardner LLP, said during a webinar Monday hosted by the American Telemedicine Association.
“So I don’t think it will be a situation where we won’t have penalties for the next five years. I think they will come relatively quickly.”
The session explored five key exceptions to information blocking and aimed to equip participants with actionable insights and strategies to ensure compliance with information blocking regulations and ensure the security of patient data.
On Wednesday, HHS hosted its own webinar to review the proposed information blocking requirements and only answer questions specific to the concept.
Vendor penalties through CMS programs
HHS’ proposed information blocking rules could cost non-compliant health care providers thousands of dollars, directly penalizing hospitals under the Promoting Interoperability Program and affecting the eligibility status of physicians and accountable care organizations under other Centers for Medicare and Medicaid Services programs.
For example, if the HHS Office of the Inspector General were to refer a critical access hospital or eligible hospitals to CMS because they were found to have engaged in information blocking – actions that involve the access, exchange, or use of electronic information is disrupted, prevented or materially discouraged. health information – under the Medicare Promoting Interoperability Program, CAH would no longer be a meaningful user of electronic health records in an applicable EHR reporting period.
Electronic health information, or EHI, as defined by HHS, represents a designated record that is broader than what’s in a medical record, Hennessy notes.
Elizabeth Holland, CMS senior technical advisor, said that under the disincentives proposal, eligible hospitals would not be able to earn 75% of the annual market increase for qualified meaningful EHR users. For example, an information-blocking referral to CMS in 2025 would apply to the 2027 payment adjustment, she said.
For CAHs, an OIG referral in 2025 would result in CMS reducing the reasonable expense reimbursement from 101 percent to 100 percent that year.
Holland noted that any determination that information is being blocked would impact an eligible hospital’s meaningful EHR user status in only one reporting period.
“There is only one fine per year,” she noted, even with additional citations for the same period.
Physicians covered by the Merit-based Incentive Payment System would be similarly affected; an eligible physician or group would not be a meaningful user of certified EHR technology in a performance period. Advancing interoperability performance makes up a significant portion of MIPS’s annual score: 25%.
It is conceivable that perfect scores in the other MIPS categories would result in a “neutral payment adjustment.”
During the conversation, a participant asked how a MIPS-eligible group would act if it turns out that an individual provider in a practice is blocking information.
According to the draft proposal, “If the group chooses to report as a group and if one person in the group is found to be blocking information, the penalty would apply to the entire group,” Holland said.
Case by case for investigations, sanctions
For each investigated referral that blocks information, OIG must unravel which certified healthcare IT developers and providers are to blame and decide who may be responsible.
“We have emphasized from the beginning that with any claim that blocks information, it will always be a case-by-case analysis,” Deputy National Coordinator for Health IT Steve Posnack said during the ONC announcement on Oct. 31.
Holland said CMS would also look at all OIG referrals on a case-by-case basis to determine how to apply the barriers.
If OIG determines that an ACO provider or supplier is blocking information under the Medicare Shared Savings Program, it may lose eligibility to participate in the program for one year as a penalty.
Exceptions require significant training
There are eight nuanced exceptions to the proposed information blocking rules for denying a request for access to information, for which employees must be properly trained – “to ensure they understand those exceptions and do not inadvertently conflict with the information blocking rules,” Hennessy said.
“It will be very important for your organization to begin developing policies and procedures, if you have not already done so, that outline what is required to comply with these various exceptions,” she said.
Hennessy focused on some of the key exceptions that mean the request is not fulfilled at all.
As for the privacy exception, “if HIPAA or another law were to require the patient’s consent or consent to make a disclosure, the information blocking rules do not change that,” she said.
The patient’s consent or authorization would be required, but what “turns HIPAA on its head a bit” is that if HIPAA and other laws allowed the disclosure, the information blocking rules would require it.
An example of this is the transfer of patient data from provider to provider.
“For those of us accustomed to living under HIPAA, which allowed but did not require certain disclosures, the information blocking rules will now, in most cases, require certain disclosures to decline to disclose information under the privacy exception,” Hennessy said. .
Reasonable practices should be used to obtain consent, such as attaching a copy of the consent required to exchange the information requested, she noted.
The infeasibility exception can protect healthcare providers from disincentives for blocking information if data cannot be separated from other information that cannot be exchanged. An example is information about substance abuse disorders, regulated by 42 CFR part two.
“There’s other information that’s mixed in with that in a way where it’s just not feasible to pick out what you could reveal versus what you couldn’t reveal,” she explained.
However, the provider has ten days from receipt of the request to document why it cannot provide access to, exchange or use of the EHI and the costs of compliance and its financial and technical resources.
Preventing damage is another important exception for which ‘strict conditions apply’.
Hennessy said the exception allows for the protection of patients and other individuals from a substantial risk of harm that could arise if the EHI were to be accessed, used or exchanged.
“It’s actually very limited,” she said, explaining that the type of harm must be described by a health care provider who has a relationship with the patient.
“Additionally, the type of harm must be one of the types of harm that a HIPAA covered entity could use to deny access to the patient’s own protected health information under HIPAA,” Hennessy said.
Although a cancer diagnosis based on a laboratory result might provoke an emotional response, it cannot be relied upon under the prevention of harm exception as a reason for blocking information. “So emotional damage is not enough,” she said.
The damage must pose a danger to someone’s actual life or physical safety. A health care provider could deny a patient’s personal representative access to the patient’s EHI based on a professional determination “that there is in fact a potential danger to the patient’s physical safety based on something contained in that EHI.” , Hennessy said.
If the patient alleges that the personal representative is physically abusing or neglecting him, the health care provider may deny the personal representative access to that information.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.