Health information technology developers have until December to submit their annual plans for real-world testing and establish their ability to export electronic health information (EHI), with the next deadlines approaching in March 2024.
These deadlines stemming from the 21st Century Cures Act and its implementing regulations do not apply directly to health care providers, but do apply to health care providers’ IT developers.
Health IT developers include any non-vendor organization developing or offering health IT certified for compliance with the Cures Act by the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC). Because an IT developer’s compliance with these requirements may affect the provider’s own ability to comply with the Cures Act—and result in potential liability for the provider—healthcare providers would benefit from ensuring that their health IT developers meet these deadlines .
Effective April 5, 2021, the Cures Act requires healthcare providers to provide patients with unrestricted access to their EHIs. Any conduct that would block this access (known as information blocking) is illegal unless it falls within a listed exception. The deadlines imposed on health IT developers drive this requirement for EHI access, ensuring that providers’ EHI platforms are appropriate.
By December 15 each year, health IT developers must submit to their ONC-approved authorized certification body a real-world testing plan for their health IT. The provisions of the Medicines Act establish technology certification criteria that health IT must meet to enable the sharing of EHI. ONC authorizes private entities (Authorized Certification Bodies or ONC-ACBs) to enforce these criteria and certify health IT developers’ compliance with them. Current ONC-ACBs include Drummond Group, Leidos, Inc. and SLI Compliance.
A health IT developer must submit to its ONC-ACB a plan showing how the developer will ensure that its health IT meets ONC’s certification criteria in the coming calendar year. Health IT developers must submit their test results from the previous calendar year to their ONC-ACBs by March 15 each year.
But the key deadline is 31 December 2023, by which date health IT developers must ensure their health IT can export EHI. EHI’s exports mainly consist of the following capabilities:
- Enabling a patient to export electronic files of their EHI on request
- Enable export of all EHIs to a health IT system
- Keeping export formats up to date
Finally, although the Drug Act and its regulations do not specify exact timelines for this requirement, every six months the health IT developer must certify that it meets the applicable requirements of 45 CFR §§ 170.401 through 170.405. These regulations provide the aforementioned health IT rules, prohibit the blocking of information, and require a series of certifications and notices regarding these requirements.
Health IT developers face hefty fines for non-compliance: up to $1 million per case of information blocking. The enforcement of these fines began on September 1, 2023. However, the supplier sanctions have not yet been determined. Providers who engage in information blocking will be “subject to appropriate disincentives,” but HHS has yet to provide any guidance on what that means (although a proposed rule is under development).
Until HHS provides such guidance, the extent to which providers may be liable for health IT developers engaging in information blocking remains unclear. On the one hand, the Treatment Act provides that “health care providers [will] no [be] punished for failing to [a health IT developer] to ensure that “its health IT system is compliant. On the other hand, the Cures Act also says that a provider who “knows[ingly]” blocks information will be subject to sanctions.
The interplay between these provisions is equally ambiguous: one reading would say that if a health IT system is non-compliant, as long as the fault lies with the developer, the provider cannot be penalized for subsequently blocking information, no matter what the provider does; another reading would say that any provider knowingly using a non-compliant health IT system would be subject to penalties.
Therefore, HHS rulemaking may be necessary to determine the extent to which providers should be concerned about noncompliance by health IT developers. But until such rulemaking arrives, there remains at least the potential for vendors to face penalties related to developer non-compliance. Therefore, providers have an interest in ensuring that their health IT developers are on track to meet these compliance deadlines.
Neville M. Bilimoria is a partner in the Chicago office of the Healthcare Practice Group and a member of the Post-Acute Care and Senior Services Subgroup at Duane Morris LLP, [email protected].
Taylor Hertzler is an associate in HLPG’s Philadelphia office at Duane Morris LLP, [email protected].
The opinions expressed in McKnight Long Term Care News guest statements are those of the author and are not necessarily those of McKnight Long Term Care News or its editors.
Have a column idea? See our submission guidelines here.