10/08/2024 | News release | Distributed by Public on 10/08/2024 07:47
Our country has made tremendous strides and invested billions of private and public dollars in establishing the digital future of the health care system. We are thus highly concerned about ongoing and recent reports that we have received about potential violations of both the letter and spirit of the various laws and regulations now in place to ensure information-sharing to improve our health care system and enhance the lives of all Americans. In this blog post we describe some of the issues that have been brought to our attention and the steps that we are taking to address them.
More than 96% of hospitals and 78% of physician offices now use electronic health records (EHRs) certified through the ONC Health IT Certification Program. To catalyze adoption of modern interoperability approaches, the 21st Century Cures Act of 2016 required that those EHRs be configured to enable data to be "accessed, exchanged, and used without special effort through the use of application programming interfaces (APIs)." Since January 1, 2023, all certified EHR users are now required to have standardized FHIR APIs for patient and population services available to exchange information with authorized business partners and with patients. As we discussed in a January 2024 blog post, the vast majority of certified developers have published their certified APIs and associated documentation on the publicly accessible Certified Health IT Product List. In addition, our agency partners at the Center for Medicare and Medicaid Services (CMS) now require that regulated payers use modern API technology to interoperate with providers, other payers, and patients.
Furthermore, to remove any doubt about the policy imperative of information sharing, the 21st Century Cures Act also banned the practice of "information blocking" to ensure that these EHR and API technologies are actually accessible "without special effort." Those provisions are now in effect through separate but linked rules promulgated by the U.S. Department of Health and Human Services and CMS, the Office of the National Coordinator for Health IT, and the HHS Office of the Inspector General.
This is a tremendous achievement made possible only through many years of hard work by the private and public sectors. It is thus of great concern that there still exists considerable friction to information-sharing. In recent months, in addition to reviewing the hundreds of information blocking complaints that have been reported to us, ASTP has had a number of listening sessions with API users and healthcare organizations to better understand the challenges faced by patients, providers, payers, and developers who simply want to access API and EHR technology in the way that the law intends.
What is abundantly clear is that it is behavior, rather than technology, that is far and away the biggest impediment to progress. These are some of the experiences we've heard about:
Among the many concerns raised is the possibility of Certified API developers potentially being out of compliance with Conditions and Maintenance of Certification requirements specific to APIs (45 CFR 170.404) and information blocking (45 CFR 170.401). Moreover, as actors subject to information blocking regulations (45 CFR part 171), Certified API Developers that engage in any practice they should know is likely to interfere with access, exchange, and use of EHI may be committing information blocking (unless the practice is required by law or covered by an exception).
Failing to comply with any of the Conditions and Maintenance of Certification requirement not only violates terms of the Certification Program but also undermines the spirit in which the requirements were created. Such conduct on the part of Certified API Developers leads to reduced trust in health IT, lower adoption of new technologies, higher costs, ongoing inefficiencies in the healthcare system, and ultimately, poorer outcomes for patients.
ASTP will continue to direct review Certified API Developers and their health IT to assess compliance with all applicable Certification Program requirements. Certified health IT developers with identified non-conformities in their business practices or certified health IT could face suspension or termination of the affected certification(s). Termination of certification of one or more of a developer's Health IT Modules carries the added consequence of the developer being banned from the Certification Program.
Simultaneously, our partnerships with the HHS Office of Inspector General (OIG) and CMS are crucial in deterring and addressing information blocking. OIG stands prepared to investigate cases of potential information blocking and to impose civil monetary penalties of up to $1 million per violation on health IT developers, health information networks, or health information exchanges-and refer to CMS for application of appropriate disincentives on any health care providers-determined by OIG to have committed information blocking.
Ensuring that certified API technology is working in healthcare is a top priority for ASTP. We will be working with ONC-Authorized Certification Bodies (ONC-ACBs), engaging with OIG, and hearing from more API Users to monitor the health information sharing landscape for areas where help is needed. Over the coming weeks and months, here is some of what you can expect to see:
HHS is committed to fulfilling the vision of the 21st Century Cures Act and ensuring that our digital health ecosystem is a vibrant, competitive landscape for innovative health IT solutions to deliver value to the American people. We recognize that enforcement of these policies is critical to achieving this vision. We strongly encourage any person or organization to report complaints about information blocking to the ASTP/ONC Information Blocking Portal and/or the HHS OIG Hotline.