Datica Podcast

March 31, 2020

ONC Final Rules on Information Blocking - Part 1

In this episode of 4x4 Health, we talk with Michael Lipinski, Director of the Regulatory Affairs Division within the office of policy in the Office of the National Coordinator for Health Information Technology (ONC) and Mark Knee, JD, a Senior Policy Advisor with the ONC Office of Policy. Both Mike and Mark are at ground zero when it comes to the federal government’s current efforts to promote interoperability and the free exchange of health data.

In part-one of this two-part episode, we cover the overall intent of the rules and dig into the details related to information blocking. Part-two will cover the planned roll out and enforcement of the rules.

Dr. Dave Levin: Welcome to 4 x 4 Health sponsored by Datica. Datica, bringing healthcare to the cloud. Check them out at www.datica.com. I'm your host, Dr Dave Levin. Today I'm talking with Michael Lipinski, director of the regulatory affairs division within the office of policy in the office of the national coordinator for health information technology, usually referred to as ONC and also Mark Knee, JD a senior policy advisor with the ONC office of policy.

Michael leads ONCs’ development of regulations and contributes to HHS policies, regulations and initiatives that support the US healthcare system through the adoption and use of Health IT, electronic health information exchange and patients access to their health information. Mark works on federal Health IT policy and regulatory affairs with a focus on information blocking. Both Mike and Mark are at ground zero when it comes to the federal government's current efforts to promote interoperability and the free exchange of health data. The recently released final rules from ONC on interoperability and information blocking are getting enormous attention as they should. These are some of the most important issues in Health IT today. Mike and Mark have played key roles in developing these final rules and we're delighted that they're here today to talk about information blocking. Welcome to 4 x 4 Health Mike and Mark.

Michael Lipinski: Thanks for having us Dave.

Mark Knee: Yeah, thank you. Excited to be here.

Dr. Dave Levin: Mike, you and I recorded a podcast on the proposed rules for information blocking almost exactly one year ago this week. For today's discussion. I'd like us to dive into the substance of the final roles. To get us started though, let's take a few minutes to learn a little bit more about each of you and the work you're doing. So Mike, if you'll go first, tell us just a bit more about you and the ONC and then we'll have Mark follow up.

Michael Lipinski: Sure. Again, Mike Lipinski. I've been at ONC for I think it's going on 11 years this year. So since the high-tech act, if everybody remembers back to then that started, the EHR incentive programs also now is promoting interoperability programs because it's all about interoperability and I’ve been working on regulation since that time. We've done a lot of regulations, surprisingly for a small agency in that period of time focusing mainly on the certification of Health IT, making sure Health IT does what providers need and at that rolled out to providers. And then there's an oversight for that Health IT to make sure it's working and process to keep bringing it back into compliance if it's not. Obviously most recently ONC is main focus has been on implementing the cures act, that passed at the end of 2016 and all of our efforts have been involved in that, whether it's, setting up a new Health IT advisory committee, which we've done. Focusing on the trusted exchange in common agreement which is also part of the cures act.

And then of course, what we're going to talk about today, which is been three years in the making, the interoperability and information blocking final rules. So that rule making, we started working on it as soon as cures passed. And like you said, talked with you about a year ago regarding the proposed rule. And now I'm an annual, I guess guest and this year, right now we'll talk about the final rule. And for this one, since there's so much to it, I brought along my sidekick, Mark Knee. He's like my, I was going to say my Robin to my Batman or Mini me to Dr. Evil or vice versa. I'm his Chewbacca to him being Han Solo what have you. I say that because, with the extra time I got the watch, I don't know if you guys seen it, it's Hobbs and Shaw, which somehow I miss like six fast and the furious movies that apparently have taken place since the ones that I saw, but nonetheless, they talked about each other in that regard in the movie. So I thought it was appropriate since I had just watched it catching up on my movies this weekend today with having Mark here.

Dr. Dave Levin: Well, that's great. Yeah, Mark, let's give you a chance for a counterpoint here.

Mark Knee: Yeah, no, I appreciate it, appreciate you all having me here and that I'm glad that I'm able to be here with Mike and I'm not sure how I feel about the Batman Robin analogy, but I think it's, just a little bit about myself. I came to ONC in 2015 so I'm not an ONC lifer like Mike yet, but really enjoy my time here. Been in public service my entire career. Worked at a number of different agencies before I got to ONC. And at a previous position I became interested in healthcare when I was a presidential management fellow and luckily landed a position with ONC and I’ve been working with Mike and others at ONC on advancing Health IT and interoperability, I guess for the last five years or so now. So really excited to be here.

Dr. Dave Levin: That's great. So let's get into this topic of information blocking and to get us started, can one of you just give us a simple definition of information blocking, what does that term mean?

Michael Lipinski: Sure. I'll take a crack at that. I think, generally just means that if there isn't a reason, a viable reason that we've identified for you in the final rule or that there's a law that says not to, you should share information. Share with patients, share with other providers. So that's really what it is. And so obviously, I mean to put a little bit of color on that, we've acknowledged the current health landscape. So, HIPAA says you can't share it, of course you don't share the information or if there's another state privacy law that says that, then you don't share it. But, generally speaking, the goal of this rule is to get the information out to the patient, and I’ll tell the providers to improve care.

Dr. Dave Levin: Yeah. The assumption is really the information should flow, correct. And that unless there's specific kinds of exceptions, sort of common-sense exceptions, and we can go a little deeper into that. But the general philosophy was this information should flow pretty freely for the benefit of patients. Is that a fair layman summary?

Michael Lipinski: Definitely. And that's what we're hoping to sign a rule will achieve that it will change the market and besides just improving care and access that it will create, will spur innovation and create other apps and that will help patients with improved care and also providers. I don't want to lose sight of that. The rule should help open up a competition amongst EHR vendors and other third parties to provide covered entities or in our case, healthcare providers, actors, the ability to choose other vendors that provide services related to the use of that Health IT, excuse me you said that at EHI.

Dr. Dave Levin: Yeah. And it's, you've touched on what I see as another broad theme in these rules, which is, is promoting competition. And as I read them, they're intended to address what appear to be market failures in that respect and to create some boundaries on a playing field that will enhance competition and therefore drive things forward. At least that's my reading of it. Again, I encourage you to enlarge on that or disagree and correct me if I'm mistaken.

Mark Knee: Okay. Yeah, I was going to say I think that's absolutely right. I'm guessing that's what Mike was going to say as well. And there are different provisions in the rule that we say will advance the competition and innovation and are receptive to feedback that we receive from commenters that, that people were concerned about what impact our rule would have on the market. And like Mike said, we really think that our rule is going to do great things for opening up access, exchange and use of electronic health information to innovators in the market and to push the market forward and in the right direction.

Dr. Dave Levin: You know, guys, when I think about this challenge of getting information to flow, I typically think about it as occurring in three layers, if you will, or three groups of issues to deal with. So, one is the technical protocols and the rules largely addressed that through the promotion of use of APIs and specifically the use of the FHIR standard API. The second is to define, okay, if that's the pipe, what's the data that should flow through that pipe, at least a minimal set. And for that we've identified the US CDI; core data elements for interoperability. So we have the pipe and we have, if you will, the definition of the material that should flow through that pipe.

But then we get to something that's in some ways I think more complicated, which is behavior. And as is often the case, it's solutions come in the form of people, process and technology. And the language is pretty clear that people should have free access to the data quote without special effort or cost. And to some degree the technical solution of using API and having a defined data set gets us there. But behavior can be a slippery thing to deal with. And yet when I think about that aspect of it, to me that's a large part of the rules around information blocking. So to sort of follow this line of information blocking as a behavior, I’m wondering what you heard as you develop the rules and as you went into this period of feedback and public comment. Because sometimes it can be really obvious, it can be a vendor saying, no, you can't have the data. But it can also be really subtle and almost passive aggressive. And those conversations typically go along the lines of, yeah, you can have it, but it's going to be really expensive and it's going to take a long time for me to do that for you. So kind of long-winded way for me to get there, but would you agree that a significant part of this is about behaviors and what were some of the behaviors that you specifically identified and have tried to address here?

Michael Lipinski: So I'm going to, I’ll go first and then I’ll turn it to Mark, and he can talk a little bit more about the comments that we saw and, and how we address those on the behavior. I did want to kind of say, set something straight here for all your listeners. And that's, there's really like two rules here. So just like with Mark and me today, it's kind of a twofer you get with the rule as well. So that first part you talked about with the technical part and US CDI and API, that focuses in FHIR, focuses on technology that has to get certified under our program and rolled out to providers and that's interoperability. And we're going to push inter-operability and we want to push more data for interoperability as well, obviously as the years go on. But Info blocking is going to sit on top of that and info blocking doesn't necessarily only, the way we proposed it, yes in the first 24 months, it focuses on the US CDI, which isn't all interoperable data. Just to be clear, there's some demographic data and other data, that's clinical notes, for example, not standardized. But again, it sits on top and it's going to be a broader set of data eventually than that in two years. And it's also different ways. I want to be clear about that too. So it's not just API, it's still your patient portal, getting your data out of there, all your EHI. And again, as you pointed out at, if it's electronic access of EHI, then it should be at no cost for a patient. And that includes, whatever app they choose to use to get that data out when it's "electronic access," which generally just means no manual effort is involved in getting that data out.

I'll just talk about one thing that I saw and paid close attention to about, the subtle interferences and then I’ll turn it over to Mark. And that is, contract terms. So terms don't always have to be about money and what it's going to cost you to get access to the EHI. But also terms that are so either erroneous or as an attorney and using that like unconscionable. And what do I mean by that? I mean terms where you're indemnifying them for gross negligence, essentially like they can go out and commit manslaughter with their products and you're going to be liable for it. And or they'll take all your IP rights, you get some of their IP rights obviously, and that makes sense. But that there you will have to give them your IP rights to your product.

So we've seen terms like that through comments that we've heard, and we've talked about that. You'll see that in the rule about, when the terms become such that they are an interference. We'll take a closer look at that. Mark, do you have a, I'm sure you have a lot of other ones that we saw, and we've talked about and addressed in the rules. So Mark, why don't you jump in and talk about a few of those?

Mark Knee: Yeah, yeah, definitely and totally agree with what Mike said there. And we've heard from all kinds of different stakeholders and the public through many different means over the years, as you know, we made the report to Congress and kind of laid out how big of a problem information blocking was and it was based on stakeholder meetings and listening sessions and we even have a complaints mailbox where we have ongoing complaints being submitted about information blocking and other topics. So, we've heard about many different stakeholders being affected by information blocking, other providers trying to change their EHR system from one type of tech to another and being kind of locked into the system or patient access like Mike talked about either being charged a high fee for your access to your data or getting it in a manner that you didn't really want it and it wasn't the most helpful or pushing the market forward like we've talked about with third party apps being able to access important data in a responsible way to get patients and providers the EHI that they need when and where it's needed the most. So it's all kinds of different scenarios. We could talk all day about that probably.

Dr. Dave Levin: Yeah, I think this is a really entering aspect of it. And let's go a little bit deeper on it. And Mike, I think you touched on this briefly, which is the concepts here are applied not just to the clinical data, the information about the patient, but to other kinds of information as well. And specifically calls out the ability of the various stakeholders to openly discuss and share their experiences in the usability interoperability, security, safety, performance, all the things that we typically do when we're trying to do performance improvement, which is we collect stories and data and we analyze it and we look for patterns and then we try to respond to that. And I sort of, I cut my teeth in the early days of the patient safety movement and this was really foundational. And so it's been troubling to me over the years to see some barriers to our ability to both collect and then to share in meaningful ways that kind of, if you will, system and performance information as well. Is that a fair summary? And what else have you seen or hoped to see and in that aspect of the impact of the rules?

Michael Lipinski: Yeah. I think, that's a new Days dawning type of thing with the rule now final. We obviously we talked about this and the proposal and clearly Congress cared about what you're talking about. They put that right in the statute that the areas you're talking about. And what Dave is getting at is that, developers of the product, the EHR systems that are implemented for provider settings, hospitals and clinicians that they were called what are called gag clauses institute and wouldn't let providers or users of the talk about those areas that Dave mentioned. So, usability and patient safety, the interoperability of the product, the security of the product. And what we ended up doing from an implementation perspective is we balanced that interest against interests of developers. So developers don't have interests and I can talk to you quickly about what those are, but they have interest in, the people they hire as contractors and employees. They have interests in non-user facing aspects of products. So for example, how we thread the needle here when it comes to that. So say there's a security issue with the product and in effect the source code. Well, what we said is, yeah, you can talk to the government agencies, a user about that and say, look, there's this horrible security flaw in this product. I want to let you know about it and we have no problem with that. That's what we're encouraging is users to do that. But you can't put that out on the internet on YouTube. That's not going to be good for the product and security of the health care systems using it. So you can see like that tension there where we need to address, can't just share it with everybody. So we've tried to address that.

Another topic area is, intellectual property. I think that's one of the key areas in terms of when can you disclose and who can you disclose it to and what can you disclose. And we think we've also hit the right balance on that too. So we identify again certain areas where the subject, the topic of the communication needs to be disclosed because it's a safety issue for example. And then we say who you can disclose it to irrespective of intellectual property. So if it's a safety issue, you can go to your patient safety organization, you can go to the federal government with that concern, even if there's intellectual property in what you're reporting, the communication. But when it comes to trying to share that information with the general public, we want to respect the intellectual property rights of a developer. So they're allowed to restrict such disclosures as long as it's consistent with the other requirements we have there. So one, they can't be no broader than necessary, those restrictions and they have to comply with some of the other areas that we've identified.

So for example screenshots. Screenshots and video now. So in the final rule, we made clear that visual communications are a part of communications in general as we define them and that included video. So when it comes to the video, we were saying that those can be, certain things can be disclosed to the general public. And video can be used to do it if it's a temporal in nature type of issue and it can't be disclosed for example, through screenshots. So what is that possibly, maybe a latency issue with your EHR. You're making drug orders and using CTEP or e-prescribing, what have you. And you're thinking the order went through, but actually it didn't, so then you make a double order. So that's a safety issue, right? So those are the things that better be disclosed and communicated through a visual communication such as video versus a written communication or even screenshots where you can't really show that latency issue. So yes, we're hoping that this overall will do some good for Health IT safety, but not just Health IT safety Dave, security too. And some of these other issues that congresses have identified.

Dr. Dave Levin: Yeah. And I would add system performance as well. And we've got increasing data to support the contention that the usability of these systems affects physician and other provider satisfaction and burnout and just general efficiency of delivery of healthcare. And so the ability to look at those issues for different health systems and others to share what they've learned and what challenges they're facing. It's just an important part of advancing the science and practice of medicine and the use of technology to support that. You've touched on another big challenge that you guys face, which is balanced because there are legitimate and competing interests here. So technology vendors have a right to run their business and to make a reasonable profit, but at the same time we know that we can't let excessive fees be a barrier to connecting and exchanging data. So you guys have had to walk some interesting balances, the discussion about the legitimate protection of IP and yet still being able to collect anecdotes and information to support safety activities and performance improvement. My guess is there were many long and interesting debates about the balancing of those different types of issues.

Michael Lipinski: Definitely. Mark, maybe this is a great time for you to talk about, I don't want to call it just a new exception because it really comes out of the infeasibility exception and comments, we got on EHI. But Mark can talk to you about how we dealt with that directly. So Mark.

Mark Knee: Yeah. And even just taking it a step back, I'd love to talk about the new exception, but Dave you said, like all of the exceptions that we lay out in the final rule, it really is about balance and just to kind of level set for all the folks who didn't listen in for you and Mikes conversation a few months ago, the 21st century cures act defined information blocking broadly. And what my office was tasked with and Mike and others in the office, is to come up with these exceptions for situations when an actor. So by that I mean a Health IT developer, a provider, a health information network or health information exchange does something, has a practice that looks like it could be information blocking, but there's a really good reason that they did it. And that's what we call the exception. So what Congress said, come up with these exceptions for reasonable and necessary activities that should not be considered information blocking. So in the final rule, we have eight exceptions and as Mike said, there's one new one. So there were seven that we proposed, and we received over 2000 comments submissions. So like you said, there was lots of lots of debate over which direction to go. And when you have that many comments, some people are happy with what you proposed. Some people, many people have suggestions for improvement and I just want to emphasize how appreciative we are as an office of all the feedback we received because it really did help us come up with policies in the final rule that we think are very sound and create the right balance that we were looking for.

So real quickly, the one new exception it kind of, it's called, we call it the content and manner exception and it addresses a lot of comments we received about the scope of electronic health information. And also the way that actors are required to provide access exchange or use of electronic health information. And what it says is that over the course of the first 24 months from publication of our final rule, or 18 months from the compliance date, which is six months after publication actors only needed to provide in order to meet the exception, the data elements within the US CDI. So that is a more focused set of data than we had proposed originally in the proposed rule. And we think that that strikes the right balance. And then after that 24-month period, actors would be responsible for providing the full scope of EHI as defined in our rule.

Additionally, in the second part of this exception, we describe how actors would be required to provide access, exchange or use of electronic health information to meet the exception. And we allow the market to work in this regard. And that we say that as the first step is really to try to negotiate terms. If you can't negotiate terms or you're not technically able to provide access exchange or use of electronic health information, then we provide an ordered list of how an actor would provide such access. And it goes from a certified tech under our program to standardized to alternative machine-readable format. So we think of this way, we've created a really flexible and fair approach for allowing actors to first negotiate rates that are reasonable from a market perspective. But then also saying, if you can't meet agreeable terms, then here's another way that you can provide access to change, use without being information blockers.

Dr. Dave Levin: This is really helpful. And as I read the exceptions, including the eighth edition they really read as common-sense kinds of things. Places where the enforcement would actually make the situation worse, places where it could actually interfere with safety or privacy. And you guys have touched on a couple of those. And again, it goes back to what we said at the top, which is the assumption is that data will flow for the benefit of the patient unless these certain kinds of exceptions occur. And as I said to my read, these are largely common sense and they seem to strike the balance that you're after here.

This concludes part one of our interview with Michael Lipinski, director of regulatory affairs at ONC and Mark Knee, a senior policy advisor with the ONC office of policy. In our next episode, Mike and Mark will take us through the plans to roll out and enforce the new rules as well as some thoughts on how things will evolve and how others can get involved. We thank them both for their time today.

You've been listening to 4 x 4 health sponsored by Datica. Datica, bringing healthcare to the cloud. Check them out at www.datica.com. I hope you'll join us next time for another 4 x 4 discussion with healthcare innovators. Until then, I'm your host, Dr Dave Levin. Thanks for listening.