Cures Act enforcement looms
It’s chilling to know that the Office of the National Coordinator of Healthcare Information Technology (ONC), the U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG), and the Centers for Medicare & Medicaid Services (CMS) have been promulgating additional 21st Century Cures Act rules lately that are identifying and setting the basis for enforcement of the potentially profound amounts of financial penalties, including million-dollar Civil Monetary Penalties (CMPs) as well as major CMS market basket impacts.[1] These enforcement mechanisms require time to establish, but their rulemaking provisions—except for the final rule for appropriate disincentive rules of providers which has recently dropped.[2] Enforcement of the Cures Act—which has been missing for years—can begin whenever the government desires to do so after appropriate notice periods. The election year may be throwing wrinkles in that timeline, but no one knows for sure when the hammer may begin to fall among those subject to the rules.
That doubt—and the magnitude and scope of the rules—require that the Cures Act (45 C.F.R. Parts 170 and 171) be implemented with haste.[3] It’s tricky, however, because this must be done according to the unique way of this rule and also according to when electronic health record (EHR) providers are able to develop, certify, negotiate additional licenses (if needed), and implement the rules that have dropped so far. The result has been planning activities, interface building, and advancements for some providers of care working with some EHR vendors toward useable implementation of the many parts of the Cures Act, like application programming interfaces (APIs) and electronic health information (EHI) exports. But it’s an uneven implementation pace so far, and not having consistent enforcement has not yet been a driver in making adoption more uniform. While some healthcare provider sites have gone a long way in both their technical and operational implementations, others have less-than-optimal Cures Act technology and operational policies, it’s not a topic that is currently getting a lot of print space and attention. A recent view of vendors at the recent Healthcare Information and Management Systems Society event in Orlando, FL, showed anecdotally that other than in the interoperability exhibit hall space, there were not many vendors with Cures Act-type offerings besides general connectivity technology and services.
Health information, compliance, and privacy governance at many U.S. providers of care organizations have not yet had much volume of Cures Act incidents or requests, and information blocking is not yet universally tracked for denied requests that meet Cures Act information blocking requirements. However, incidents and requests will gradually ramp up over time to be new areas to manage for already burdened provider staff, with some type of best practices and automation becoming available and adopted over time as they develop. Health information departments, release of information vendors, and other internal parties, including compliance, privacy—and especially IT—all need to design new operational flows as the EHR and other API/EHI export technologies develop. Increasingly, compliance and privacy (as well as others) may get into negotiating Trusted Exchange Framework and Common Agreement (TEFCA) arrangements and spend time working with health information exchange between their organizations and others to which there is a desire to connect and formalize interoperability of patient information. This will become commonplace.
But be aware, despite the thoughts by some that all data exchanges are to be automated, there will always be the need for human interaction with some number of exceptions, denials, failed exchanges, patient ID mismatches, breach prevention, determination—the list goes on. We are only on the cusp of the new world of Cures Act data exchanges; how it eventually plays out with efficiency gains and other areas that require resources is to be seen.
One of the latest 21st Century Cures Act rules to drop is “Health Data Technology, and Interoperability Certification Program Updates, Algorithm Transparency and Information Sharing” (HTI-1 final rule).[4] It is a substantial amount of information to unpack, and as of February 8, 2024, it is already in effect. To be clear, although the EHR vendors and health IT developers are mostly impacted, the fact that this rule keeps on codifying details of Cures Act interoperability and information blocking provisions is highly important to factor in that as these vendors get their respective products meeting the certification criteria they will be rolling out capabilities that have to be planned and adopted by provider, as well as, payer and other Cures Act actors to stay in compliance with myriad Cures Act requirements.
The title of the HTI-1 final rule tips us off to its expansive contents. This is, in a way, a milestone rule in that it opens a new and/or updated line of regulation with decision support interventions, which increasingly cross into the artificial intelligence (AI) realm within computerized physician order entry and other clinical EHR documentation (typically, but not exclusively) modules.
According to the rule summary, this final rule implements the EHR Reporting Program provision of the 21st Century Cures Act by establishing several differing regulations. ONC cites improved interoperability and algorithm transparency and EHI’s access, use, and exchange for making these updates and new rules. This final rule also updates numerous technical standards within the EHR Certification Program.
Updates for vendors and developers of healthcare IT that are certified by the government—mostly, but not exclusively EHR vendors—include new Conditions and Maintenance of Certification requirements such as:
-
Various updates to certification criteria and standards recognized by the certification program
-
Revised certification criteria for decision-support interventions
-
Revised/updated patient demographics and observations
-
Adds a new baseline version of the U.S. Core Data for Interoperability (USCDI) standard utilizing version 3
-
Revisions to electronic case reporting, including new required reporting
Additionally, the final rule provides enhancements to support information sharing under the information blocking regulations.