What the ONC's Proposed Rule on Information Blocking Means for Your Work


Dan Orenstein:             Hi, everybody. This is Dan Orenstein, General Counsel Health Catalyst. Thanks for joining me for this important topic on the ONC’s Proposed Rule on Information Blocking, pursuant to the 21st Century Cures Act.

Dan Orenstein:             So, one thing people often observe when they crack open the rule is hundreds of pages of regulation and the preamble rules, the complexity. I wanted to start by grounding us why we’re here together this afternoon. So, I think a good way to think about this is, what is the problem? So, I want to talk about that for a minute. What are we trying to solve? Why is this problem worth solving? What are the problematic behaviors that the regulation is trying to address? And is this a good way to address them? Is legislation an effective means in addressing them? And then does it actually do a good job and what are people saying about it? And then, importantly, what do you have to say about it? I’m looking forward to some questions on this as well.

Dan Orenstein:             So we have a problem, the industry has a problem of information siloing. So, we have a lot of information. We’ve come a long way in making it electronic and generating a lot of electronic data. But we have an issue with sharing it and getting results from it. We struggle with establishing an effective longitudinal record, giving patients adequate access to their information across providers and in different environments, making data and information available to innovative companies, including app developers, device developers and suppliers, wellness and developers and others who can enhance insights and provide useful information for treatment and operations and financial purposes.

Dan Orenstein:             So, that’s the problem. Legislation is one way to deal with it. So what we’re going to talk about, what I’d like to do is to talk a little bit about interoperability, get into the legislation, which is the 21st Century Cures Act, and then the rules on information blocking that implement those provisions and the Cures Act, the proposed rule on information blocking. Talk about the exceptions to the rule. We’re at a fun point now where we actually have public comments, the comment period closed on June 3 so we’ve been able to read some of those. And I can talk about what I’ve seen so far and get some of your thoughts. And then talk about how you might be affected and what you might want to do to prepare.

Dan Orenstein:             All right. So let’s talk about interoperability for a minute because this is really the problem and the issue that the legislation was designed to address. I like the ONC’s definition of interoperability, this is really simple. And if you look at this definition and then you start looking at the Act and the regulations, you’re going to see it again and again, interoperability is the ability of a system, this is the ONC’s definition to exchange electronic health information with and use electronic health information from other systems without special effort on the part of the user.

Dan Orenstein:             And the ONC is in my opinion, done a good job. ONC is the office of the National Coordinator for Health IT, which is part of HHS, by the way. They’ve done a good job sticking with this principle without special effort. It should flow freely and easily as their concept. And they use the terms access use and exchange over and over again.

Dan Orenstein:             Here’s another way to look at interoperability. It’s sometimes described as having four elements and finding the information that’s kind of critical first step is sourcing the data. Where is it? Can you get to it? And then sending and receiving it, that’s exchange of the information. And most importantly, using and integrating. So, can you actually take that information, use it in a useful way, analyze it, integrate it into the workflow, maybe get information back into an EHR or other system. And then hopefully experience some positive results for patient care or financial or operational results.

Dan Orenstein:             So, just a little bit more on interoperability. There’s evidence that shows substantial treatment and efficiency gains in making information available as part of the workflow. Again, interoperability is not an end in itself. It can be used for better outcomes and to improve patient engagement and care coordination. So, this slide cites a study which shows substantially higher effectiveness of getting relevant information to the right person at the right time at the point of care in particular.

Dan Orenstein:             And similarly, this becomes relevant in the definition of electronic health information under the proposed rule is, you know, where’s this data coming from? So there’s benefit in generating and sourcing data from sources that are not just the EMR, EHR. Such as socially based determinants of care, the big buzzword these days, but it’s true, there’s a lot of other sources and only a fraction of the information is found in the EHR itself. Clinical decision support and other analytic tools have a lot of promise and we’re really at the beginning of those capabilities right now.

Dan Orenstein:             This is just a list of some other areas that can benefit from interoperability, more availability of information precision medicine, population health analytics, integration of patient generated data, wellness data, monitoring, integration of medical devices, chronic disease management, identification of high risk and high cost patients. Another thing I wanted to note, care coordination, is that, as we look at the capabilities of artificial intelligence and machine learning to enhance all of these efforts, you need a lot of data to train those systems. Often it’s going to be large de-identified information sets. So that may be derived from the electronic health information that’s made available, but that’s also kind of a critical feature from my standpoint in interoperability and one of the great promises of it and needs for it.

Dan Orenstein:             So, again, EHR systems have made fantastic strides. When I started my career, we’re in the single digits of adoption and the big push was for adopting EHR technology and the push was to get the information into an electronic format. So it’s great that we’re there or almost there, and now looking at activating some of the capabilities beyond supporting the clinical encounter.

Dan Orenstein:             Looking back over the last one or two decades, interoperability has faced a lot of challenges. HIEs have had some success at the local and regional level. So that’s positive there. There have been great efforts like Blue Button Direct, Trusted Exchange Framework that have tried from the government perspective to try to solve the problem. And private efforts such as Commonwell and Carequality.

Dan Orenstein:             So, there’s been some progress. Another thing we have going for us right now is a real interest in increasing interoperability. Focus from the government, focus from industry. We have some headwinds as well. There’s still no national patient identifier, although I think the house just gave authority this last week to study that issue again, whether we want to adopt one. And information blocking practices have slowed our progress. That is what the Cures Act and the proposed rule are trying to address. So, I think it’s important to observe that they’re not trying, the regulation doesn’t try to solve all of these problems. It’s focused on behaviors that lead to information blocking that can slow down progress.

Dan Orenstein:             All right. Now let’s get into the statute and the regulations. But before we do that, I’d like to, be helpful for me to understand who the attendees are. And we’re going to go to our first poll question to ask you who you are. So, poll question number one, what type of organization do you work for provider, payer, health information exchange, vendor or consultant.

Sarah Stokes:                All right, great. Votes are pouring in. You’re not asking a tough question to start, so I think it’s easy for people to cast their votes pretty quickly here. Okay, we’ll leave that open for just one more moment. And if you joined late, we do encourage you to submit questions throughout the presentation for Dan. We are recording today’s session and you will have access to it after the fact.

Sarah Stokes:                Okay, I’m going to go ahead and close that poll and share the results. So, 36% of folks on the line say are providers, 5% work for payers, 11% for health information exchanges, 26% vendors and 24% consultants. You have a pretty even spread, though it looks like payers and HIEs are a little bit smaller group.

Dan Orenstein:             Great, that’s really helpful. And it’s also useful to see large provider and vendor representation since those are really the primary, I don’t think you want to say targets or the subjects of the proposed rule. Let’s go to the next slide.

Dan Orenstein:             Okay. So the 21st Century Cures Act. We’re already almost three years, guess two and a half years since enactment of 21st Century Cures. It was broad and sweeping legislation that covered a lot of stuff besides information blocking and interoperability. Those aren’t going to be the topics today, we’re focused on information blocking and interoperability. But the overall focus was increasing innovation in drug discovery, medical device development, new therapies for substance abuse treatment and the like.

Sarah Stokes:                Just saying, you know, we’re sharing from my computer now because yours was having an issue.

Dan Orenstein:             Okay, cool. Now that we’re a little bit into it, let’s advance and take a look at how interoperability is defined under the 21st Century Cures Act. The reason I want to go to the act first is it’s helpful to see the origin of some of the provisions in the proposed rules. And there’s actually some features of the Act that aren’t in the proposed rules which add a little bit of color and nuance to it.

Dan Orenstein:             So, looking at the definition of interoperability, interoperable HIT is HIT that enables a secure exchange of electronic health information within use of electronic health information from other HIT, again, without special effort on the part of the user. So it’s access exchange and use without special effort that also does not constitute information blocking. So, there was also a provision establishing a trusted exchange framework, which a lot of you might be familiar with. This is a separate topic which I’m not going to get into except to the extent that it’s referenced in the proposed rule. There’s a request for comment on whether that should be part of the certification for vendors.

Dan Orenstein:             So, let’s go ahead. There is enforcement, so penalties of up to a million dollars per violation. So that’s new. It’s enforced by the Office of Inspector General of HHS. And the definition in the Act is exactly the same definition for information blocking in the proposed rule, which is any practice that except is required by law or specified by the Secretary of HHS is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information. So if you look at that definition for a minute, you have the access, exchange or use which is from interoperability. And what’s added is the practice that’s likely to interfere with, prevent or materially discourage that. And it’s pretty broad.

Dan Orenstein:             So, practices that are prohibited, those practices that restrict the authorized access exchange or use under applicable state or federal law. Implementing HIT in non-standard ways. We’re going to get into some of these examples. And implementing HIT in ways likely to restrict access or lead to fraud, waste or abuse. So it’s not just about the blocking practice itself. It can also be the way HIT is implemented.

Dan Orenstein:             So, the language in the act that talks about the exceptions is this one provision here which authorizes HHS to identify reasonable unnecessary activities that do not constitute information blocking. So, we have seven exceptions to practices that are information blocking and the proposed rule. And this is the only language in the act. I’m just going to do a little tangent here to know that there’s a lot of discussion in Washington now about the scope of federal power that is delegated to the executive branch.

Dan Orenstein:             So, this is a really good example of delegation, where you tell the agency to identify reasonable and necessary activities, and the agency comes back with a lot of detail on that, that’s the proposed rule, and a lot of discussion. And if you look at some of the comments, some of the commenters note that maybe the delegation was too broad and more than congress intended

Dan Orenstein:             Another feature of the Cures Act that I wanted to mention, we’ve just been through the public comment period, lot of comments have come in. Commenting publicly is not the way everybody wants to interact with their federal agency. So, the Cures Act provides another mechanism, which is a confidential communication to ONC, which is protected from disclosure. So, this is something that can be used at any time. If you’ve already commented, great. If you have something more on your mind and you want to get with ONC or OIG, except if you complain to OIG, it’s going to be the formal complaint mechanism. It’s not going to be something that is considered by the agency and is protected from disclosure. So, just wanted to note that because this is not part of the proposed rule.

Dan Orenstein:             Okay. So, on March 4th, we got the proposed rule. This is that statement of reasonable and necessary activities, over 775 pages. And they gave the industry a 60 day comment period, which then got extended to 90 days, so it closed on June 3rd. The way the rule is structured is there’s the preamble that discusses a bunch of information blocking practice examples. And by the way, there’s a lot of discussion on the standards and APIs which we’re going to touch on a little, but focusing here more on the information blocking practices. And then it sets forth seven exceptions to the prohibition. And just with regard to APIs and notes that there’s a rule that establishes APIs as a condition for certification for electronic health, information technology.

Dan Orenstein:             So, before we get into the rule, we’re going to do another poll question. Poll question number two, how much does information availability and exchange impact your organization’s effectiveness? So, select either no impact, some impact, moderate impact, high impact or significantly impairs effectiveness.

Sarah Stokes:                Right, great. Again, the votes are pouring in. Keeping it easy on us today. We’ll leave that open for just one more moment here. All right, we’re going to go ahead and close that poll and share the results. All right, so only 2% said no impact. So I think this is a relevant topic, we’re getting that opinion. 14% said some impact, 21% said moderate impact, your majority, 41% said high impact, and then 21% said significantly impairs effectiveness.

Dan Orenstein:             That’s interesting, actually. So 62% are high impact or significantly impairs effectiveness. I’d say that’s, this is a highly relevant issue for this crowd. Thank you, that’s really helpful.

Dan Orenstein:             Okay, so, let’s get into some of the examples of information blocking practices. I assure you, this is going to be time well spent. If you haven’t read the 300 pages of preamble, we’re going to actually spend a few minutes talking about the most useful part of that, which is the behaviors and, you know, again, what behaviors are we trying to address is the legislation and the regulation trying to address. And then did it do a good job of that?

Dan Orenstein:             So, let’s move on to the categories here. So starting on page 364 of the PDF version of the rule, you’ll see it’s broken into five categories by the agency. Restrictions on access, exchange or use, limiting or restricting interoperability of HIT, impeding innovations and advancements and access exchange or use, rent seeking and other opportunistic practices and nonstandard implementation practices.

Dan Orenstein:             So, there are technical issues also for interoperability, I think the API standard addresses those and the adoption of the USCDI as the health information standard. But, these really get into the behaviors and the administrative processes that constitute information blocking practices. So, let’s get into some of these examples.

Dan Orenstein:             Okay, category one. I think the first thing to note here is that providers get addressed as well as EHR vendors. So I think some of the impression out there is the behaviors that the regulation addressed were mostly geared towards HIT vendors, but there’s actually a lot of discussion about provider behavior. I’m actually interested in hearing whether you all think that these characterizations are accurate or not. So, under restrictions on access exchange or use, ONC calls out, basically making stuff up under HIPAA to restrict information from going out of the health system or the hospital system, and blocking information flows and blocking leakage, I suppose, is one way to put it.

Dan Orenstein:             So, that’s one example given here. Another addressing EHR vendors is vendor suing to prevent a clinical data registry from providing interfaces to physicians to submit to the registry, claiming that they had copyrights in the database and that there were mappings to the table, headings and rows. This is a really significant issue. It’s addressed by one of the exceptions, like is their intellectual property in this information, in table headings and rows, in data models. Huge issue here. But they’re calling it out as a significant information blocking practice.

Dan Orenstein:             And then another one some of you may have seen, it’s been kind of widely publicized as information blocking practices, a vendor requiring a third party developer to grant rights in its source code to be able to have access to the health information.

Dan Orenstein:             Let’s move on. So, limiting or restricting interoperability, some of the examples here is configuration of an EHR so that it’s hard to send referrals in and out. That’s very similar to the prior example, except it doesn’t involve HIPAA, it involves a configuration. EHR vendor prevents third party CDS app from writing to it. So kind of, and it may be through configuration or by imposing fees on that. So there are different behaviors at issue. Selectively disabling EHR functionality that allows transmission to third parties or delaying transmissions. And the high fee issue is also one that gets a lot of play in the exceptions.

Dan Orenstein:             Let’s keep going. Category three. Impeding innovations and advancements in access. So, conducting an endless security review before allowing access, that seems to never end, that’s the first example. This kind of gets into administrative processes that sometimes can be really hard to challenge. An EHR vendor won’t provide technical documentation to an integrator unless they sign a broad non-compete that prohibits them from working with other vendors.

Dan Orenstein:             And then the last one is a freezing the market, example, Health IT vendor discouraging customers from getting services from a third party saying it’s going to have the functionality itself. But then, time goes by and a lot of time goes by and they still don’t have those features. So, the client never gets the results which the ONC views as problematic. And then again, that one is, that’s tough to challenge because it’s hard to prove that the functionality is not coming up.

Dan Orenstein:             Rent seeking and other opportunistic practices. So an analytics company providing services including de-identification. In this example, the vendor who’s a source of some of that information wants a percentage of revenue and that percentage of revenue in the ONC example exceeds reasonable costs. And another cost example, vendor charges more to export EHI when a provider’s transitioning to competing technology. So, it’s kind of discriminating against a competitor, but it might facilitate that if it’s not a competitor.

Dan Orenstein:             And then non-standard implementation practices. This is interesting because it talks about implementation and not just some of the more overt practices. So, implementing but doing it in a proprietary or obsolete format so that it’s hard to send an exchange, electronic health information, or a health IT vendor that complies with some aspects of a standard but then wherever possible uses its own proprietary standards, and that kind of defeats the purpose of using the widely available standards.

Dan Orenstein:             All right. So, those were some of the examples. And now, the proposed exceptions are the agency’s attempt to address those behaviors. These are circumstances in which an organization, if it receives a request to share information can decline to provide that that access if it thinks it needs one of these exceptions. This is where all of the real substance of the rule is in these exceptions.

Dan Orenstein:             So, there are seven of them. The first is preventing harm. So, an organization can engage in practices that are reasonable and necessary to prevent physical harm to a patient or other person. So, the term reasonable and necessary we’re going to see again and again in these exceptions. This is one that some of the commenters have said could be synced up better with HIPAA because there are already provisions in HIPAA that address disclosures that might harm another person. If you look at some of the conditions, they have to have a reasonable basis to believe that it will substantially reduce the likelihood of harm to a patient and they have to adopted a policy or make case by case findings.

Dan Orenstein:             So, my feeling about this and some of the other exceptions is that they are broad and could be applied very subjectively with a lot of variation. And I’m not the only commenter who noted that. So, that’s preventing harm.

Dan Orenstein:             Promoting the privacy of electronic health information. An organization may engage in practices to protect privacy. That seems reasonable. They’ve got a demonstrated basis for their actions through HIPAA or other privacy laws, maybe state privacy laws and the practice or the activity has to be narrowly tailored to the specific privacy risk addressed. That’s another key condition. Again, it can be very subjective. I’m not sure that here that the agency’s done a good enough job of answering its own question about whether if you looked at the examples of those used as a blocker, did this do a good enough job I think is open and other commenters have noted this in kind of synchronizing with HIPAA and answering that.

Dan Orenstein:             So, promoting security of electronic health information. This is very similar. An organization, by the way, the regulation uses the word actor, and every time I see actor, I think the theater. So, I used organization. So, that’s my own little tweak here. I think it just is a better description of healthcare organizations. But if you refer back to the regulation, the defined term is actor. So, an organization can implement measures to protect security of EHI. Again, you see this language being narrowly tailored and being reasonable, applied in a consistent and non-discriminatory manner. If it hasn’t adopted a policy, it’s got to make case by case determinations. So, same comments on this could be broad and subject to abuse, subjective.

Dan Orenstein:             And now, I think we’re getting into the real substance of these exceptions. The critical ones from my standpoint are this one, cost recovery and the intellectual property exception. So these are the questions everyone has on their mind. Can I charge and do I have IP? So this one says, yes, you can charge. It has to be a reasonable cost and this reasonable cost language, I think that it’s a good approach because it doesn’t micromanage the issue. It doesn’t establish schedules or limits or require a lot of process. That’s the positive.

Dan Orenstein:             On the downside, reasonable cost has a checkered history in health care and in Medicare in particular and carries a lot of baggage as I’m sure a lot of you appreciate. Reasonable cost reimbursement was phased out. We went to prospective payment systems and DRGs, for a reason, it was subject to abuse. Now, that was the abuse of federal payment systems. But there’s a question here is, you know, could this be abused by those receiving data requests, charging unreasonable amounts or on the other side, requesters thinking that reasonable cost is lower than it should be.

Dan Orenstein:             So, that’s a big question here. But it does establish that there can be a charge for the work done to make the information available. It’s not free. You’ve got to set up the API’s, you’ve got to respond to requests. There is work there. This acknowledges that. But again, it can be hard to verify the true cost and it can be very subjective.

Dan Orenstein:             Responding to requests that are infeasible. I don’t love this one because while this is just really subjective, what’s infeasible, what’s not infeasible? All it says is you’ve got to use objective and verifiable criteria uniformly applied. I demonstrate the burden of making the HI available. So at least there are findings and demonstrations required but this could be subject to a lot of debate and discussion. It’s wide open. So it’s problematic in my opinion.

Dan Orenstein:             Now, licensing of interoperability elements. Okay. Well, is there IP behind the information that’s made available? This acknowledges that there is or there may be. Its agency acknowledging that and saying if you think you have IP, well, that doesn’t allow you to block information. You can assert your copyright or your patent or your trade secret. But you have to respond to the requester within 10 days and make a license available on reasonable and non-discriminatory terms. It can include cost recovery under the other exception, but that also has to be non-discriminatory and not favor non competitors and so forth.

Dan Orenstein:             I’ll give my editorial comments on this and it’s in our Health Catalyst commentary as well. I don’t think generally speaking that there is IP issue here. I think that the most likely intellectual property to be asserted is copyright. So copyrighted data compilation and federal case law I think is fairly conclusively established that, unless you have a creative work of authorship, which I don’t think databases and data models are. I think they’re just kind of form compilations. They do not include copyright.

Dan Orenstein:             Interestingly, if you look at commentary from the large EHR vendor association, some of the vendors of EHRs, they kind of conceded the point that there’s no copyright and fall back on trade secret. Trade secret is one of these really ambiguous areas where you can say anything is a trade secret. So alphabetical order could be the way they arrange table headers or it could be just, more likely, it’s just standard healthcare designations for the table headers. But those are not trade secrets, those are industry accepted generic terms.

Dan Orenstein:             Similarly, alphabetical order is not a trade secret. So, I think that there’s a lot of ink on this and how these systems are trade secret. I don’t think they are. So my overall comment on this one is that it’s kind of an unnecessary process to go through to have to get a license, review license terms, and so forth, when a lot of the time there’s really no IP to license.

Dan Orenstein:             On the other hand, it does provide a mechanism and kind of takes the dispute out of it if this gets finalized, and says, here’s a mechanism. If one party is claiming IP, you can still get access, you just have to go through this process. So we’ll see where that winds up.

Dan Orenstein:             And then the last one is I think one that is likely going to be non-controversial. It’s basically just saying you can make a system temporarily unavailable for maintenance or upgrades and have some downtime. And during that time, you don’t have to make EHI available.

Dan Orenstein:             All right. So public comments. So, most of the commenters, at least the interesting ones came in right at the deadline, that’s not surprising. So we haven’t had a ton of time to look at these. I’m not sure if you have but I look forward to your thoughts as well. I’m just going to talk about some of the themes, and they’re really kind of dichotomies that I saw so far coming out the proposed, I mean, the public comments.

Dan Orenstein:             The first, timing. And I love this because you kind of have different camps on both sides of the same issue kind of fairly consistently across these themes. So some want a lot more time. And it tends to be the community that are likely going to be the recipients of the requests, rather than the requesters who want the more time. And among the things that they’re asking for is the entire rule should be reworked because it was tone deaf and just didn’t hit the mark. More studies have to be done first. There should be a grace period before it becomes effective is I think the way the agency’s thinking about it now. And this one actually seems a little kind of legitimate to me. It’s going to be finalized and then almost immediately effective or within 30 days. So that that could be adjusted.

Dan Orenstein:             And then it represents a lot, their proposed rule represents a lot of requirements, and the industry just needs more time to digest and maybe there should be an interim final rule with more time for comment. So that’s on the needs more time side. On the should be finalized as soon as possible side commentary is that this is a real problem. The Cures Act came in in 2016 but it had been a problem for a long time before that. There’s really, we’re talking about making EHI available. It’s not rocket science. It’s just responding to requests, making the information available. From our perspective at Health Catalyst, we are kind of in the data sourcing community.

Dan Orenstein:             And most vendors don’t really have a problem with this. We efficiently set up interfaces and sourced the data, and it’s really not that big of a deal. So, that’s on the should be finalized as soon as possible. And if you’re wondering, yes, we commented that it should be finalized soon as possible in our comments.

Dan Orenstein:             So, let’s go to the next one, definition of EHI. This one I thought had, there were legitimate points on both sides. So is EHI, electronic health information, which basically is a very similar definition to protected health information, PHI, should it be expanded? And this is a real opportunity to include social determinants of care information, information from other systems beyond EHR, making sure it gives a complete picture of the patient.

Dan Orenstein:             And then on the other side, restriction. There’s a concern that it would be unmanageable to respond to request for all EHI, so let’s pick one of the standards that’s in the rule, the USCDI and go with that. Then there’s uniformity and predictability, we know what we need to respond to, standardizing around USCDI. So I think there are legitimate points on both sides there and I’m interested to see what the agency does with that.

Dan Orenstein:             Innovation. Okay, so on the more data sharing, increases innovation. This is your standard policy argument. One of the reasons we were talking about before for interoperability, for sharing the information is increasing, getting better results and increasing innovation and getting better at AI and machine learning and applications, all of that stuff that you can do with data. You would think that would be a given but there is a counterpoint, which is that over-sharing could expose IP that could chill innovation. So it could discourage HIT developers knowing that they need to share their data models and so forth from innovating because they’re going to be, let’s say, giving their IP away or being required to license it.

Dan Orenstein:             So, to me, this one is clear that if you haven’t guessed my perspective on this, there is no innovation in data models. The innovation is with the data. Please submit a question if you disagree with that. I’m actually really interested in who might just have a different point of view on the call. I hope the ONC stands firm on this one.

Dan Orenstein:             Unintended consequences, good points on both sides, I think. And maybe there aren’t even two sides on this one. So, I kind of touched on the first one, open-ended rules could perpetuate information blocking as an unintended consequence. They’re subjective, they’re open-ended, they could be subject to abuse and more information blocking or delays and so forth. So, I think that’s a point that a lot of folks made. Open-ended rules and post too high a burden on recipients of requests. This is one that’s I think probably a little overplayed. I think that, you know, first of all requests for information are going to need to comply with HIPAA or some other legitimate pathway. We’re talking about providers and HIT, responsible, presumably mostly responsible industry actors that are going to be requesting things for a legitimate purpose.

Dan Orenstein:             I recall back to the brouhaha over the accounting for disclosure requirements in HIPAA. Everyone thought it would create incredible burdens of requests for accounting of disclosures of PHI and there were virtually no requests. I think these requests are going to be legitimate. It’s going to be manageable but there is a point there that it could create a burden. And I think probably a bunch of you are worried about that burden as well.

Dan Orenstein:             Then unintended consequence of transformed data, this is the IP theme again. Are we being required to make available value-added transformed data that includes our IP or includes a lot of work that we did on that data? I actually think this could be solved with a pretty simple tweak. We’re just talking about raw data, this is just EHI. It’s not your proprietary algorithm or your IP or your trade secret. We’re just talking about getting the data flowing.

Dan Orenstein:             Cost recovery. This is actually, if you love antitrust law, there’s some good stuff in there. It’s like little antitrust briefs from some of the commenters on whether, and also if you love the issue that we were talking about of government overreach and whether this was in the scope of authority, there’s some commenters are characterized this reasonable cost method as an unlawful cost cap. And also, there was a request for information on price transparency and there’s some great comments on there, whether that could lead to antitrust problems. Vendors and providers should be allowed to decide what they charge, they should be allowed to make a reasonable profit. This is a free market system, there should be free market exchange for health information.

Dan Orenstein:             And another fascinating dichotomy here is, a lot of these comments characterize these caps as leading to a market failure. With the argument that a free market for information exchange is a good one. And then if you cap that and pose a lot of requirements, you may suppress that market. But interestingly, the whole purpose for addressing information blocking is because information blocking is a market failure. In a free market, you’re supposed to get to the highest and best use of an item. The very problem with health information exchange is that we can’t get the results and can’t get the development because of this market failure kind of tragedy of the comments, the siloing of information.

Dan Orenstein:             So I love that one. I’m very interested to see, I think there’d probably be some adjustment to that, but I hope it retains its simplicity and elegance, allowing for cost recovery without a lot of requirements, is I think that responsible people can figure this out. As long as it’s non-discriminatory and reasonable, which are some of the requirements there. So, the other side is cost recovery is a good and appropriate method. Okay.

Dan Orenstein:             So, how many healthcare organizations be effective? So, we’re going to talk about this a little bit. But before, I want to go to our poll question number three. How would you describe your organization’s readiness to comply with the Cures Act provisions? And this is a three choice answer. Familiar with requirements, not prepared to comply, outline steps needed to comply or ready to comply now or within six months?

Sarah Stokes:                All right, great. We do have votes coming in a little slower on this one. People have to think about where they are. We’ll leave that open for just one more moment. And we are nearing the end of the presentation so if you have questions, now’s a great time to submit them. Okay, we’re going to go ahead and close that poll and share the results.

Sarah Stokes:                Okay, so it looks like 54% say they’re familiar but not prepared to comply yet. So that’s your majority. 18% have outlined the steps needed to comply and 29% feel that they’re ready to comply now or within six months.

Dan Orenstein:             Great. Okay. That’s interesting. So the majority are familiar but not ready to comply. That’s kind of what I expected. There actually are a decent amount are ready to comply now, which doesn’t surprise me either because we’ve known about this for a while. This is complex. A few things I just wanted to note about it. If you’re in that majority group or still outlining, this is going to take a while. This is a proposed rule. This is a procedure that is under the Administrative Procedure Act. It’s called noticing comment rulemaking. There’s a proposal, the comments come in. HHS digests them. And then issues of final rule.

Dan Orenstein:             So that I think is going to take at least a year, probably two years. So there’s a little runway, and we should have more information coming out over time about how these may be finalized. And then hopefully, I think a little time to digest the final requirements before they become effective.

Dan Orenstein:             On the other hand, there are a lot of folks expressing urgency to get this done now because it’s been quite some time. And the final thing is that the requirements may change. So, I don’t get too excited when I see a lot of legislative proposals coming out or proposed rules that sometimes they can change fairly substantially. They can change between administrations and so forth. So, the truth is in the final rule not the proposed rule.

Dan Orenstein:             Okay, now next. So some things to consider as you start preparing or continue preparing, will your organization be directly covered in the final rule? This actually might change as well. So I think it’s pretty clear, it’s going to cover HIT vendors and providers, HIEs, health information networks. But some commenters said it should go broader. Maybe other organizations that don’t fit into those specific categories should also be covered. So, consultants on the line. If your organizations might be one of those, you should also look at how it’s being finalized.

Dan Orenstein:             Consider where and how many requests for EHI you may get, where they may come from, and from whom you might request electronic health information. If you’re in the outlining step or preparation step, that could be a useful exercise to go through to figure out what your implementation or development steps need to be based on the use cases. And it’s going to be a more limited set of use cases than the industry wide issues that the ONC is trying to address. And then, are you set up to implement the standard? So, FHIRs adopted in the proposed rule, so again, may not be in the final but likely will, USCDI. There’s other standards articulated. Do a gap analysis. What are the gaps that you might need to address to get the standards in place to respond to requests and just to comply with the rule?

Dan Orenstein:             And then, there are people out there who can help, who have expertise in this. So, based on the use case that you identify, is it your consultant, is it your lawyer, is it your technology developer, you know, that you might want to get some assistance with on this? So those are some considerations, and should we move to some questions or do we have some other stuff?

Sarah Stokes:                Yeah, we just have a couple of closing polls before we dive into the Q&A and you have lots of questions coming in.

Dan Orenstein:             Okay.

Sarah Stokes:                A lot of content that you’ve covered here. Before we move into the Q&A, we have a few giveaways for complimentary Healthcare Analytics Summit Registrations. This is an annual event with more than 1000 provider and pair attendees occurring September 10 to 12 this year here in Salt Lake City, Utah. We’ll be featuring brilliant keynote speakers from the healthcare industry and beyond and this slide just gives you a glimpse at some of the speakers that we have confirmed for this year’s event.

Sarah Stokes:                So then, we’re going to dive into these few quick giveaways here so I’m going to go ahead and launch this first poll question. So if you know that you’re able to attend and are interested in being considered for complimentary passes for a team of three to attend the Healthcare Analytics Summit, please answer this poll question. And we’re going to have you act fast on those because we only have a few minutes left for the Q&A and loads of questions for Dan. All right, so we’re going to go, three, two, one, we’re going to go ahead and close that. Sorry, you got to act fast today.

Sarah Stokes:                And then we have one more here that if I can get my mouse back, we’ll go ahead and launch this one as well, which is similar to that last poll. If you know that you’re able to attend and are interested in being considered for a complimentary individual pass to attend the Healthcare Analytics Summit, please answer this poll question. So again, we’ll just give you a couple moments. People are acting fast around that one. They were prepped for that this time. All right, we’re going to give you a three, two, one. All right, we’re going to go ahead and close that poll.

Sarah Stokes:                And then move into our last poll here, which we’ll leave this one open as we do go into the Q&A. So, while today’s webinar was focused on the ONC’s proposed rule on information blocking, some of you may want to know more about Health Catalyst and our products or professional services that we offer. If you would like to learn more, please answer this poll question. And while we have that open, I’m going to go ahead and pull up the questions here, Dan. Chris has been here in the room flagging some of them for us. So, if they cut off here, you can read the full question down here. And I’m happy to read it for you. It just displayed in pretty small font size there.

Dan Orenstein:             Okay. This is about addressing security and access controls, how to manage and monitor for HIPAA, not block interoperability. Okay. Well, we’re kind of running out of time on that one but I guess I would just note on that that we should, did not plan to address the specific security and access controls but it’s something that we should note for a future topic.

Sarah Stokes:                There’s definitely demonstrated interest that we may want to hold the follow up as more gets finalized here. I can read you this one. This one’s from Daniel. He says, from a provider, our major issue is the total unwillingness of our data vendors who we have chosen to replace to release our historic data. How can end users hold vendors accountable? How do we file a claim under Cures?

Dan Orenstein:             Yeah. Okay. This sounds like a data export issue to the new vendor. So, I wish that this were final today because it would be easier to hold vendors accountable. Since it’s a proposed rule, it’s not effective yet. One thing I will say about that is that there are standards in here that can be cited in use and you can also just cite the standard under the Cures Act, which is not to interfere with materially discourage or prevent the exchange of EHI.

Dan Orenstein:             So, in terms of further steps, I think I noted in one of the slides, there’s basically two methods that are currently available under the Cures Act. First of all, address it as much as possible with the vendor. And if there’s just literally no way to do it, then maybe get a lawyer involved. But there is a mechanism to complain to the OIG under the Cures Act. And that’s something that can done before the rule’s effective.

Sarah Stokes:                Right. This next question comes from Valerie who asks, if a vendor certifies the EHR with direct and charges a fee to then implement. If a provider chooses not to implement direct because of the fees along with lack of use by other providers they regularly exchange data with, would that constitute information blocking?

Dan Orenstein:             Yeah, yeah. So this is where, the vendor’s got the certification with direct, but provider chooses not to implement. This one I think is probably a gray area. So, choices made not to implement it. If you extrapolate the final rule with regard to the fees and you can establish that they were reasonable and non-discriminatory and so forth, that’s where the meat of the analysis would come in. Since we don’t have that in final form yet, I would say this is, it’s even harder to define at this point in time. So this is why it’s important that we get this done fast, in my opinion.

Sarah Stokes:                All right. And we are at the top of the hour. Dan has agreed to go a couple of minutes over the top. Definitely won’t be able to address all of these questions but we’ll get to a few. And if we miss your question, we apologize, we’ll still try and get your response after the fact.

Sarah Stokes:                This next question comes from Carol who asks, does the proposed rule remove the concept of practicible-

Dan Orenstein:             Practicable.

Sarah Stokes:                Practicable, apologies, for implementation Statement Two in the prevention of information blocking fact sheet? A healthcare provider must attest that they implemented technology standards, policies, practices and agreements reasonably calculated to ensure to the greatest extent practicable …

Dan Orenstein:             So I’m not sure I’m familiar off hand with statement two or what the source of that in prevention information blocking fact sheet. But I would say that the standard in the proposed rule is similar but not exactly the same. So, it’s reasonable implement, generally, there’s language on reasonable implementing in a reasonable and non-discriminatory manner that doesn’t disfavor competitors and so forth. So I would refer to this, the language of the specific exception for those.

Sarah Stokes:                Okay. This next question comes from Jay who asks, the regulation includes a statement that says, initiative aims to empower patients … the ability to decide how their data will be used. Given the global reliance on treatment, payment and operations, where does patient consent to opt out of the wide sharing discrete data element or from specific episodes of care?

Dan Orenstein:             I love that question. So, it’s kind of pointing out maybe a conflict between this policy statement, this question of empowering patients, and then really not addressing the HIPAA TPO patient consent provisions. And I think that’s a legitimate point. There was recently a request for information for modernization of HIPAA where the patient empowerment consent and opt out was an issue that comment was sought on. I think that is likely going to be addressed through the HIPAA modifications rather than through information, the information blocking rule. But we’ll see. There’s a lot of discussion in there so it’s not unexpected that they would get into HIPAA and patient rights.

Sarah Stokes:                Okay. Next question comes from John who asks, so can a patient go to RandomCo and ask anyone holding the patient’s data to export it? But if I think RandomCo is not secure and hold up the approval, then it becomes a violation?

Dan Orenstein:             So again, there’s a little interplay with HIPAA here as well. So patients have access rights under HIPAA and those clearly have to be complied with. But I think this is going to that security exception saying, okay, I don’t have to, if I’m RandomCo, can I say, well, I’m a third party and I’m going to damage your security by releasing the information. So I’m going to block that. And that’s where. I think the agency probably needs to do a little more work to reconcile the HIPAA responses to patient access requests with the privacy and security exceptions. So, I think it could be a violation but I think that’s probably going to be clarified a little in the final rule.

Sarah Stokes:                All right. Next question here is coming from Rahul apologies if I ruin your name there. And he’s asking yes, about the timeframe for when the rule will actually go into effect.

Dan Orenstein:             So there’s no great answer to this. We did that, you know, we saw the comments on timing and the dichotomy of responses and comments there. ONC and CMS and HHS, they’ve all indicated their intention to do this on an expedited basis. And I don’t doubt that. So, when a government agency says that I think a year is short time, that would be aggressive. I might be surprised but I would think it’s going to be at least a year. But again, I’m kind of just speculating. I’d say one to two years. I’d probably put my money on the two years.

Sarah Stokes:                Another question from Jesse who asks, is there word on a national database of HISP addresses for HIE?

Dan Orenstein:             HISP addresses for HIE. I am not sure. And we can get back to you on that one. That’s for health information exchange. Addresses, don’t know. But beyond that, the potential for a patient identifier, I’m not aware of any other new developments on that.

Sarah Stokes:                Okay, great. We are at five minutes past. You have time for just these three final questions?

Dan Orenstein:             Yeah, yeah.

Sarah Stokes:                Okay. We’ll just get through these.

Dan Orenstein:             Whoever’s here, thank you for staying.

Sarah Stokes:                All right. Next question is from Daniel, who asks, Is that $1 million penalty in the Cures Act active or is it a component of the proposed rules subject to review?

Dan Orenstein:             Yeah. It is a current requirement, I mean, a provision of the Cures Act. However, I don’t expect there to be enforcement until the rule becomes final. I think that’s just the way they’re going to implement it, most likely, unless there’s something very egregious that comes across.

Sarah Stokes:                Okay, great. Next question is from Courtney, who asks, what do you think patients need to know about this proposed rule? Many commenters relayed concern about education for patients regarding their EHI and how that data will be shared.

Dan Orenstein:             Yeah. I think the first thing I go back to is, you have your rights under HIPAA, those have not been affected as a patient. The counting of disclosures access to information. So, I think that’s the, those establish the primary patient rights and that’s probably where they’re going to get expanded as well. That’s how I would respond to that. I think, although it technically applies to patients, the rule is more geared towards other industry organizations.

Sarah Stokes:                And our last question for today is going to come from Jay who asks, from time to time, factually inaccurate information will enter a medical record. Once the data is released outside a facility, the data takes on a life of its own and can have serious downstream consequences even after corrected at the source. The rules seem silent on this point. What are your thoughts on that?

Dan Orenstein:             Yeah. I think that’s a legitimate point. So, one of my thoughts on this is that by expanding the patient’s ability to review their record from all the multiple sources, they can correct some of those errors. So I actually hope that becomes part of either the HIPAA or the final rule requirements. In terms of other checks and balances on that, I’m sure there’s other ways to do it. And part of it may be like if you look at, it could be AI technologies similar to the crawlers that are running through looking for bad content in the social media sites. You could see something similar in health care, provided the patient authorizes the crawler to go in and correct their data.

Sarah Stokes:                That’d be a bit of a HIPAA problem there.

Dan Orenstein:             Yeah. Hopefully those are some of the results and improvements we can get from wider use and dissemination of data.

Sarah Stokes:                Awesome. Well, we’re going to wrap up the Q&A there today. Thank you, everyone.