Safe & Sound with Marianne Kolbasuk McGee

Electronic Healthcare Records, Healthcare Information Exchange (HIE), HIPAA/HITECH

How MACRA Final Rule Promotes Secure Info Exchange

Providers Must Attest They Do Not Block Info Sharing

What does intentional and inappropriate blocking of secure information exchange by doctors and hospitals have to do with Medicare payment reform? The answers are buried in the 2,204-page Medicare Access and CHIP Reauthorization Act's "quality payment program" final rule issued the other day by the Department of Health and Human Services.


While it's not exactly light reading, the sweeping MACRA Quality Payment Program final rule - as its name implies - ultimately aims to better reward healthcare providers for the quality of patient care they deliver.

And according to the MACRA rule, a big part of making that happen relies on the use of health information technology to improve the secure exchange of patient data so that healthcare providers - and patients themselves - have access to pertinent information in their care decision-making processes.

Blaming HIPAA

However, for at least a couple of years now, federal regulators have said they often hear complaints that some healthcare organizations intentionally "block" the information of their patients from being shared with other healthcare providers, or with patients themselves (see Overcoming Health Info Exchange Blocking).

These entities sometimes knowingly and inaccurately blame the HIPAA Privacy Rule for their refusal to disclose patient information when, for instance, the organizations may actually be more concerned about a competitor luring patients away, regulators say.

To nip this kind of intentional and inappropriate information blocking in the bud, the new MACRA final rule contains provisions requiring that healthcare providers - as part of their related "meaningful use" of certified health information technology - attest that they support secure information exchange and will prevent information blocking. MACRA vows, if you will.

Here are excerpts of the three information blocking statements that healthcare providers must attest to under the MACRA final rule:

  • That the healthcare provider did not knowingly and willfully take action - such as to disable functionality - to limit or restrict the compatibility or interoperability of certified electronic health records technology;
  • That the healthcare provider implemented technologies, standards, policies, practices and agreements to ensure, to the greatest extent practicable and permitted by law, that the certified EHR technology was at all relevant times able to exchange information. That includes technologies being implemented in a manner that allows for timely access by patients to their electronic health information and that allowed for the timely, secure, and trusted bidirectional exchange of structured electronic health information with other healthcare providers;
  • That the healthcare provider responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information, including from patients, other healthcare providers and other persons, regardless of the requestor's affiliation or technology vendor.

Digging Deeper

Along with the attestation statements, the final rule also aims to flesh out examples of what regulators expect in terms of providers facilitating health information exchange or preventing information blocking.

For instance, "whether a healthcare provider has knowingly and willfully limited or restricted the interoperability of certified EHR technology will depend on the relevant facts and circumstances," the rule notes.

"Healthcare provider must attest that it responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information. [However,] what will be 'timely' will of course vary based on relevant factors such as a healthcare provider's level of technology adoption and the types of information requested," the rule notes.

"For requests from patients, we note that while the HIPAA privacy rule provides that a covered entity may take up to 30 days to respond to a patient's written request for access to his or her PHI maintained by the covered entity, it is expected that the use of technology will enable the covered entity to fulfill the individual's request in far fewer than 30 days."

However, not everyone is convinced that healthcare providers are intentionally blocking information sharing. "In my experience, the incidence of healthcare providers programming or setting their electronic health record technology to prevent the sharing of patient information is a myth," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.

"What we have heard time and time again from healthcare providers is that the barriers to information exchange and connectivity were due to the design and architecture of the EHR systems that were not able to speak the same language. Hopefully, the steps taken by HHS to impose interoperability standards, along with recent signs that the government will put into place measures to police the marketplace, will finally enable the long promised dream of exchange and connectivity of protected health information."

One of Many Requirements

Overall, I think it is also important to note that the information blocking attestation is just one of many other complex requirements and quality measurements that regulators will use to "score" healthcare providers under new MACRA payment schedules (see Medicare's New Physician Plan: Impact on Security).

However, the fact that the prevention of information blocking is part of payment reform potentially puts pressure on reluctant healthcare organizations to more willingly participate in secure health information exchange for the betterment of patients.

HHS also hints that false attestations could translate into potential trouble for healthcare providers - especially if they're chosen for an HHS audit or are the target of information blocking complaints later filed with HHS by other parties.

So, do you think the attestation requirements will actually help deter information blocking and promote secure information exchange in the healthcare sector? Why?

Or maybe you have a better idea of how the feds can promote secure health information exchange in the quest for improved quality of care - but with less regulation than a 2,000-plus-page rule.

Please let me know what you think in the comments space below.



About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



