21st Century Cures Act: After 10 years of broken promises, is EHR interoperability finally at hand? Insight Article Electronic Health Records Business Operations Technology HIT Regulations Sign in to save David N. Gans MSHA, FACMPE, SENIOR FELLOW Marion Jenkins PhD, FHIMSS A decade ago, most policymakers and many healthcare leaders touted passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act as the opportunity to change how health information is stored and communicated. HITECH, included in the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law by President Barack Obama on Feb. 17, 2009. HITECH authorized financial incentives for healthcare providers to adopt “certified” EHR systems. The adoption goal was undoubtedly achieved. MGMA research documented that in 2005, only 11.5% of medical groups had adopted an EHR.1 Thirteen years later, the Office of the National Coordinator (ONC) for Health Information Technology reported that almost 80% of office-based physicians have adopted a certified EHR.2 In addition, 96.7% of respondents reported having an EHR at their organization in the 2018 MGMA DataDive Cost and Revenue.3 The keys to qualifying for HITECH’s financial incentives were having an ONC-certified EHR and meeting a set of requirements set forth in the CMS EHR Meaningful Use (MU) Incentive Payment Program. The initial program requirements focused on exchanging information among providers and providing patient access to their medical information. Over time, standards for eligible clinicians evolved to mandate that medical practices attest to eight separate but related measures:4 Protecting electronic health information Transmitting electronic prescriptions Using clinical decision support tools Using computerized physician order entry for medication, laboratory and imaging orders Providing patients with electronic access to their health information Directly engaging patients to coordinate their care Providing a summary of care record when transitioning or referring a patient to another setting of care Actively engaging with a public health agency or clinical data registry to submit electronic public health data. Hundreds of EHR vendors have developed products for the physician market but have focused more on meeting incentive program requirements and less on improving the usability of the software or interoperability solutions. Further, despite the software using common toolsets, databases and platforms, vendors created EHR solutions that have unique features and permit substantial end-user customization. That uniqueness was a major selling point for EHR vendors. Unfortunately, that lack of standardization also contributed to substantial frustration on the part of physician practices in their efforts to optimize workflows. Practices complain that EHRs interfere with their patient interaction, with many reporting that they must literally “turn their back” on the patient as they enter data into the system. Combined, the difficulties associated with modifying workflow, the purchase and ongoing maintenance costs, “change fatigue” associated with EHR adoption, the need for additional add-on products, integration with third-party vendors and meeting related compliance burdens are near the top of nearly every physician satisfaction survey. Lack of standardization and interoperability has also made the process of moving from EHR vendor product to another extremely challenging. It is clear that the HITECH Act has achieved mixed results. Physicians typically are not happy with either the cost or the performance of their EHRs, administrators feel burdened with the increased overhead and system complexity, and patients complain about providers shifting eye contact to the keyboard and monitor. The lack of standardization and interoperability continues to frustrate everyone. The Cures Act In an effort to address the continuing challenges associated with EHRs and data interoperability, Congress passed the bipartisan 21st Century Cures Act in December 2016. The legislation sought to address many seemingly unrelated issues, including Food and Drug Administration drug approvals, the opioid epidemic and medical research, among others.5 It also contains very aggressive and laudable objectives to improve the interoperability of EHRs for providers and access to data for patients. The Cures Act directs the Secretary of Health & Human Services (HHS) to operationalize many of the legislative provisions, which has spawned the publication of two proposed rules in 2019: one from CMS6 focused primarily on health plans and hospitals, and one from ONC,7 targeted at physician practices and other providers, technology developers and patients. These proposals include: New EHR certification requirements that would require significant upgrades to the approximately 680 2015 Edition products currently certified by ONC.8 CMS is likely to require the more robust certification level for providers seeking to participate in future iterations of its quality reporting programs. A requirement that certified EHRs support application programming interfaces (APIs), standards to provide increased transparency and data access between/across different EHR vendors, systems and third-party applications. A requirement for physician practices to export a medical record to a third-party app if requested by a patient. Adoption of the United States Core Data for Interoperability standard, the minimum set of patient data elements to be shared between provider EHRs (replacing the existing Continuity of Care Document standard). Limits on fees that can be charged by health IT developers, both for API development and ongoing API upgrades. A requirement to export an individual patient record, in “computable” form, upon request by an individual patient, or for an entire group of patients, if a provider elects to switch IT systems — at no cost. Identifying exceptions to the current prohibition against practices and others engaging in “information blocking” (in other words, refusing to share patient data with authorized entities). Examples of proposed exceptions include blocking data to prevent harm to a patient or another person, blocking data because it has been deemed infeasible by the provider to share, or blocking data to prevent a potential security breach.9,10 In addition, CMS is proposing additional requirements for its part of implementing the Cures Act, including: A national provider database that includes digital contact information A requirement for health plans to offer patients access to claims data via API technology A requirement for states to participate in the daily exchange of data by April 1, 2022 A request for information on the issue of a national patient identifier A request for information on the promotion of health IT systems in post-acute care providers.11 The proposed rules contain many promises for physician practices and patients, but also some significant concerns. Promises: Patients will have access to their medical records via apps on mobile devices. EHR vendors will be limited in the fees they can charge practices for implementing API technology. Providers will be able to switch IT systems and transfer all their patient data in a structured format at no cost. Through the deployment of a new EHR reporting system, there will be increased transparency for health IT vendor usability, interoperability, costs and interface fees. Perils: The requirement that practices share health information with patient-directed third-party app developers (many of whom will not be a Covered Entity or Business Associate and therefore will not be required to comply with HIPAA) could lead to unauthorized disclosures and unauthorized use of patient data. There is significant administrative burden attached to the process for a physician practice to document citing one of the seven proposed exceptions to information blocking contained in the ONC rule. Practices will need to deploy algorithmic software or manually check information to ensure that records are matched correctly as currently no national patient ID exists. There is a lot of “change fatigue” in practices, a result of the accelerated adoption timetable from the original flag-drop of HITECH, followed by years of changing program requirements under three stages of MU and then Promoting Interoperability. Much of the development effort from EHR vendors will continue to focus on complying with these new rules rather than making the systems more user-friendly. Some EHRs will lose their certifications, which will put their customers (practices) at risk of not being able to fully participate in the quality reporting programs. Practices frequently have five to 10 add-on products such as patient portals, patient engagement, kiosk systems, etc. These add-on products and their associated interfaces will need to be assessed both for workability with new EHR version(s) and compliance with the information blocking provisions of the Cures Act. Providers who elect not to participate in the national electronic provider database will be listed as noncompliant, which could cause potential harm to their reputation. By aggregating more data centrally in health information exchanges, there could be an increased threat from hackers seeking access to this much more attractive target. Industry efforts underway Nonprofit healthcare technology industry organization Health Level Seven (HL7) was started more than 30 years ago, with the stated purpose of creating technical and data library standards that support data exchange and interoperability.12 HL7 has initiated the Da Vinci Project,13 which seeks to develop and pilot the use of standard APIs by utilizing the Fast Healthcare Interoperability Resources (FHIR) standards framework.14 Da Vinci has set up specific data-sharing use cases using the FHIR standard, including prior authorization support, gaps in patient care, patient cost transparency and others. Fortunately, the Cures Act requires all health IT vendors comply with FHIR (and other standards already underway in these industry workgroups) to retain their ONC certification. On the policy front, MGMA submitted detailed comments to both the ONC and CMS proposed rules. While generally supportive of the government’s efforts to promote interoperability, the Association outlined concerns regarding the potential cost and administrative burdens associated with any new mandates and raised privacy and security issues related to the required use of API standards to transmit patient information.15 Conclusion The Cures Act puts an important and valuable stake in the ground to take healthcare IT to the next level of interoperability and data sharing. The resulting proposed rules from CMS and ONC are tied closely with technology frameworks that have been in the works for decades. There is growing concern that these new rules will create additional administrative burdens on physician practices for the requisite upgrades and ongoing compliance. While the Cures Act calls for improved EHR usability, significant EHR vendor resources will again be focused on interoperability and data sharing and less on improving the end-user clinician experience. MGMA will continue to monitor the development of HIT regulations impacting physician practices and provide education and resources to assist members to understand and implement any new requirements. Perhaps this excerpt from the MGMA letter to ONC sums it up best:16 We urge ONC to avoid pushing physician practices too far, too fast. The risks of moving too quickly include additional administrative and financial burdens on practices, weaker privacy and security protections for sensitive health information, an increased level of physician burnout, and the potential of compromised patient care. Action steps Become familiar with the Cures Act and the proposed rules from ONC and CMS. Ask your EHR vendors what they know about/what they’re doing about the Cures Act and proposed rules from ONC and CMS. Evaluate your add-on third-party technology vendors for their compliance with HIPAA. Continue to strengthen your practice’s privacy and security policies and procedures. Increase the quantity and quality of structured patient data in your EHR(s). Leverage MGMA resources such as the online Member Community, face-to-face educational sessions and web-based toolkits. Notes: 1. Gans D, Kralewski J, Hammons T, Dowd B. “Medical groups’ adoption of electronic health records and information systems.” Health Affairs, Vol. 24, #5. Available from: bit.ly/2YZ0RaC. 2. ONC. “2018 report to Congress.” December 2018. Available from: bit.ly/2KPW2Yr. 3. MGMA. 2018 MGMA DataDive Cost and Revenue. 4. “Eligible Professional Medicaid EHR Incentive Program Stage 3 Objectives and Measures.” CMS, August 2017. Available from: go.cms.gov/2MdG5yg. 5. The 21st Century Cures Act. Pub. L. 114-225. Dec. 13, 2016. 42 USC 201 note. Available from: bit.ly/2KBm41b. 6. CMS. “Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans in the Federally- facilitated Exchanges and Health Care Providers.” Federal Register. Vol. 84, No. 42, March 4, 2019. Available from: bit.ly/2KyplhS. 7. ONC. “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.” Federal Register. Vol. 84, No. 42, March 4, 2019. Available from: bit.ly/2GWGGjF. 8. ONC. “Certified Health IT product list.” Available from: bit.ly/2Z2FAgA. 9. CMS. 10. ONC, 2019. 11. CMS. 12. “About HL7.” HL7. Accessed Aug. 9, 2019. Available from: bit.ly/2HbCZH1. 13. “Da Vinci Project.” HL7. Accessed Aug. 9, 2019. Available from: bit.ly/2Z2FRjC. 14. Ibid. 15. MGMA. “RE: 21st Century Cures Act: Interoperability, information blocking, and the ONC Health IT certification program.” May 30, 2019. Available from: mgma.com/onc-letter-may19. 16. Ibid.