Health information technology developers have until December to submit their annual real-world testing plans and to establish their ability to export electronic health information (EHI), with further deadlines approaching in March 2024.
These deadlines, which come from the 21st Century Cures Act and its implementing regulations, do not apply directly to healthcare providers, but they do apply to a healthcare provider’s IT developers.
Health IT developers include any non-provider entity developing or offering health IT certified for Cures Act compliance by the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC). Since an IT developer’s compliance with these requirements may affect a provider’s own ability to comply with the Cures Act — and bring potential liability for the provider — healthcare providers would benefit from ensuring that their health IT developers are on top of these deadlines.
Effective April 5, 2021, the Cures Act requires healthcare providers to give patients unrestricted access to their EHI. Any conduct that would block that access (known as information blocking) is illegal unless it falls within an enumerated exception. The deadlines imposed on health IT developers enforce this EHI-access requirement by ensuring that providers’ EHI platforms are adequate.
By December 15 of each year, health IT developers must submit to their ONC-endorsed Authorized Certification Body a real-world testing plan for their health IT. Cures Act regulations establish technological-certification criteria that health IT must meet to enable EHI sharing. ONC authorizes private entities (Authorized Certification Bodies, or ONC-ACBs) to enforce these criteria and certify health IT developers’ compliance with them. Current ONC-ACBs include Drummond Group, Leidos, Inc. and SLI Compliance.
A health IT developer must submit to its ONC-ACB a plan showing how the developer will ensure its health IT meets ONC’s certification criteria in the upcoming calendar year. Health IT developers must submit the results of their testing from the previous calendar year to their ONC-ACBs by March 15 of each year.
But the key deadline is Dec. 31, 2023, by which date health IT developers must ensure that their health IT can perform EHI export. EHI export consists primarily of the following capabilities:
- Enabling a patient to export electronic files of his EHI on demand
- Enabling the export of all EHI in a health IT system
- Keeping export formats up to date
Finally, though the Cures Act and its regulations do not specify exact deadlines for this requirement, every six months, a health IT developer must attest that it is compliant with the applicable requirements of 45 C.F.R. §§ 170.401 to 170.405. These regulations provide the above health IT rules, prohibit information blocking and require a series of attestations and notices concerning these requirements.
Health IT developers face hefty fines for noncompliance: up to $1 million per instance of information blocking. Enforcement of those fines began on Sept.1, 2023. Provider penalties, however, have yet to be determined. Providers who commit information blocking will “be subject to appropriate disincentives,” but HHS has yet to provide any guidance on what that means (though a proposed rule is in development).
Until HHS provides such guidance, the extent to which providers may be liable for health IT developers committing information blocking remains ambiguous. On one hand, the Cures Act provides that “healthcare providers [will] not [be] penalized for the failure of [a health IT developer] to ensure that” its health IT system is compliant. On the other hand, the Cures Act also says that a provider who “know[ingly]” commits information blocking will be subject to penalties.
The interplay between these provisions is similarly ambiguous: one reading would say that if a health IT system is noncompliant, as long as the fault is the developer’s, a provider cannot be penalized for any resulting information blocking, no matter what the provider does; another reading would say that any provider who knowingly uses a noncompliant health IT system will be subject to penalties.
HHS rulemaking may, therefore, be necessary to determine the extent to which providers should be concerned about health IT developers’ noncompliance. But until such rulemaking arrives, there remains at least potential for providers to face penalties connected with developer noncompliance. Providers therefore have an interest in ensuring that their health IT developers are on track to meet these compliance deadlines.
Neville M. Bilimoria is a partner in the Chicago office of the Health Law Practice Group and member of the Post-Acute Care And Senior Services Subgroup at Duane Morris LLP, [email protected].
Taylor Hertzler is an associate in the Philadelphia office of the HLPG at Duane Morris LLP, [email protected].
The opinions expressed in McKnight’s Long-Term Care News guest submissions are the author’s and are not necessarily those of McKnight’s Long-Term Care News or its editors.
Have a column idea? See our submission guidelines here.
