Industry players continue to assess the recently released final federal rules on interoperability and information blocking, but many observers are anxious to hear the verdict of the nation’s largest healthcare software vendor.
Representatives from electronic health record giant vendor Epic say they’re still poring over the 2,000 pages of rules issued Monday by the Centers for Medicare and Medicaid Services and the Office of the National Coordinator for Health Information Technology to assess their impact.
Earlier this year, Epic voiced major concerns about provisions of the proposed rules, with reports suggesting it sought to engender support for its perspective – and even suggesting it might sue the federal government if the final rules were substantially similar to the proposed. Meanwhile, other industry players are offering support for the rules, even as their assessments of the details continue.
Most notably, Cerner issued an open letter to Alex Azar, secretary of the Department of Health and Human Services, and National Coordinator of Health IT Dr. Donald Rucker, offering “ardent support” for provisions in the rules.
“Cerner appreciates the work by ONC and CMS to advance interoperability between health systems and ensure that patients remain at the center of healthcare,” according to a separate statement by the company. “Cerner has been an outspoken advocate of patient data access and interoperability for many years. These rules are a major step forward in the right direction.”
By contrast, Epic released a measured statement on Monday, consistent with most other healthcare organizations, saying it would be reviewing the final rules to see what changes regulators had made to the initially proposed rules, which were released about a year ago.
“We keep the patient at the heart of what we do and we focus on improving healthcare for patients,” Epic’s statement noted. “We have been working closely with HHS and ONC to try to improve the rule, and we appreciate their willingness to hear our feedback. The rule is very important to health systems and their patients, so we will read it carefully to understand its impact before making judgments.”
Specifically, Epic says it will review the final rule to see how it impacts four specific areas. These include:
- The extent of the rules’ focus on standards as a basis for meaningful interoperability
- The impact of the rule on hospitals and physicians, “and Epic’s ability to support them in delivering care”
- The implementation timelines for required development and effective dates
- The transparency afforded to patients into companies’ data use and data handling practices
These topics were hot buttons for Epic in the months leading up to the release of the final rules. They were key components of Epic’s comments to federal agencies in its response to proposed rules issued last year.
The company continued to publicize its concerns early this year. In late January, Epic posted a long note on its homepage noting the company’s support for the patient access goals of the ONC rules, with their focus on API-enabled data exchange, but it called for new protections for patient privacy.
“By requiring health systems to send patient data to any app requested by the patient, the ONC rule inadvertently creates new privacy risks,” Epic noted then. The company pointed to a recent study showing that 79 percent of healthcare apps resell or share data, noting that, “there is no regulation requiring patient approval of this downstream use.”
The final rules did reflect some changes that line up with comments that Epic had filed last June. For example, the final rule clarifies requirements on the use of screenshots of software to highlight challenges with its use. Epic and other vendors expressed concern that the proposed rules would jeopardize intellectual property rights of the companies. The final rules also offer some relaxation of time deadlines and enforcement for compliance, compared with those offered in the proposed rules.
“Enforcement of information blocking civil monetary penalties (CMPs) in section 3022(b)(2)(A) of the PHSA will not begin until established by future notice and comment rulemaking by OIG. As a result, actors would not be subject to penalties until CMP rules are final,” a federal analysis notes.
That may be of little comfort to industry companies. For example, the Electronic Health Records Association’s comment letter, published this past June, suggested that proposed rules significantly underestimated how much time would be needed to revamp IT systems.
“Developing and implementing software takes time, from the time EHR developers spend in designing workflows, writing code, and performing extensive testing, to the time spent by healthcare organizations installing, customizing, and educating their users on the new workflows and expectations.
“Data from a survey of EHR Association members shows that the proposed rule severely underestimates the development time required for its many components,” the group’s comments noted. “Every hour spent on these projects is an hour not spent on software and usability enhancements requested by our clients.”
In Epic’s comments to the NPRM, it noted that “the Proposed Rule significantly underestimates the development effort and time needed to comply. To avoid fines and follow the Proposed Rule’s requirements will require tens to hundreds of thousands of development hours—exponentially more than ONC estimates.”
The most significant concern of Epic – and that of many other industry organizations – involves protection of the privacy of patient data. The IT vendor and other organizations continue to voice concerns that third-party app developers are not subject to strict restrictions laid out by HIPAA.
It’s not clear whether the final rule will assuage concerns that grew out of the initial proposed rule, says Robert Tennant, director of health information technology policy for the Medical Group Management Association.
“There’s a fact sheet on the major changes from the proposed rules to the final version, and it’s suspiciously short,” Tennant said. However, details such as time deadlines and other provisions may be pushed back and relaxed over time, which has happened with other federal regulations governing healthcare IT, he noted.
