As we approach April 5, 2021, the applicability date for the information blocking provisions of the 21st Century Cures Act to take effect, many of our provider customers have asked us to continue to share what we know. This is part three in a series on the latest information being communicated on this topic.
In part one, we covered who is considered an actor under the regulations. Then, in part two, we explored the topic of information blocking by actors. In this installment, we will talk about the most important step providers can take to ensure compliance, avoid blocking, and successfully manage and defend exceptions when applicable: you need a plan.
Step 1: Assign an Owner
The first step in successful planning for 21st Century Cures Act compliance is to assign a compliance champion who will take the lead in managing and coordinating the planning and documentation process across your organization. This process owner is key to accountability and developing the right governance structure to develop an action plan, and to avoid having critical details fall through the cracks. If an issue arises, you need to have a single source for all the documentation you need for your response.
In larger organizations, the owner will have team members who are accountable to assist with regulatory compliance. The owner should identify key subject-matter experts who can assist the organization in defining, documenting, and planning for compliance. The owner should also identify all teams that are affected by the regulations and plan for training to ensure they are well-versed in their responsibilities and prepared for compliance.
In addition, any organization that works with external vendors should ensure these vendors are prepared for compliance as well, if they are providers of certified health IT. This is a good time to review all agreements with external vendors to ensure they have plans in place to meet any compliance requirements and that all agreements include compliance language where needed.
Step 2: Review the Regulations
If you are the owner of the planning process, you will need to read the full regulatory text for compliance. Then, you can assess your existing best practices based on this careful review of the regulations and see where you may have gaps to fill. Evaluate all the various scenarios where requests for electronic health information (EHI) might arise. How do your current practices deal with these requests?
Step 3: Plan for Compliance
Once you understand any gaps and risks in your current procedures, you can put a risk-mitigation strategy and plan into place to bridge these gaps, with a timeline for complete compliance. You will need to know what documentation is required to show compliance. Keep in mind that it is important to implement policies and procedures that are objective in terms of individuals and systems. Your plan should also include a checklist to plan each step of your monitoring, tracking, and documentation processes.
Step 4: Make a Plan to Close all Data Gaps!
An important element of the changes for the 21st Century Cures Act is the shift from the Common Clinical Data Set (CCDS) to the United States Core Data Set for Interoperability (USCDI). To comply, you will need to ensure there are no gaps between your current data set and the USCDI. After identifying all data sources, your team will need to map data fields from the Health Level 7 (HL7) transaction sets to the USCDI standards.
Step 5: Plan for Exceptions
If your plan includes using allowed exceptions, you need to be sure that you understand how exceptions work and what documentation and alternatives are required for success. Exceptions are not a reactive tool. You need an exceptions plan in place, with well-communicated policies and careful documentation, before any triggering event. Careful planning, documentation, and communication across your organization is vital – before, during, and after any exception.
Just a reminder, the exceptions are:
1. Preventing Harm: Blocking information is acceptable to prevent harm to a patient or another person.
2. Privacy: An actor is not required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.
3. Security: Blocking is permitted to protect the security of EHI.
4. Infeasibility: Legitimate practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI.
5. Performance: If an app is “hammering the database” or “disrupting others,” it is okay to deny access and it is also okay to take scheduled downtimes.
6. Content and Manner: These are new exceptions enumerated in the final ONC rule. According to ONC, this exception supports innovation and competition by allowing actors to first attempt to reach and maintain market-negotiated terms for the access, exchange, and use of EHI. For content, USCDI is acceptable for 24 months, then an actor must respond to a request to access, exchange, or use EHI. Regarding manner, it is acceptable to fulfill requests in a manner different from what was requested if there is technical incompatibility or agreeable terms cannot be achieved with the requester. If specific data elements are not included in the EHI controlled by the actor, the Content and Manner exception may be the appropriate exception to use if the request includes the full USCDI definition.
7. Fees: You can charge reasonable fees with the expectation that you can make a profit if it is transparent and applied consistently across the board.
8. Licensing: An API provider can require licensing of API elements provided it is done in a reasonable and non-discriminatory way.
Remember: failing to meet an exception does not mean a practice is information blocking. The information blocking provisions of the statute allow for careful consideration of facts and circumstances to determine the actor’s Intent or knowledge (Final Rule, p. 25820). Make sure your team understands this important nuance as you plan to avoid information blocking.
Step 6: Track and Document (Ongoing)
Your plan should include detailed checklists for tracking and documentation procedures. This means ongoing oversight to monitor implementation and assure full documentation of all requests, fulfillments, and exceptions.
Step 7: Adjust as Needed (Ongoing)
Any plan, no matter how carefully constructed and conscientiously followed, will require some fine-tuning. Your ongoing monitoring efforts will no doubt surface areas where adjustments are needed. As time passes, the governing bodies may make changes to rules, as well as the expected methods of compliance and penalties for non-compliance. Staying current as new information is made available is critical for your success. Make the adjustments, document them, communicate them, and begin the monitoring and tracking process again.
A single owner (perhaps working with a cross-organizational team), a well-documented plan that includes exceptions, documentation and monitoring, good cross-organizational communication, and regular reviews to identify needed adjustments are the cornerstones for success.
There are many resources available to help your organization put a robust compliance plan into place, here are just a few:
https://www.healthit.gov/curesrule/