Will the new 21st Century Cures Act rules make a difference?

The Cures Act, an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act, has crawled forward at a snail’s pace, making its way through the halls of government since 2015 when it was first passed by the U.S. House of Representatives. It went on to the Senate for approval, finally becoming law in December 2016. Among other things, the Cures Act directed ONC and CMS to develop policies that foster interoperability for the exchange of data and prohibit information blocking, defined as anything that gets in the way of access to electronic health information.

Fast Forward to 2019 and the ONC has finally gotten around to proposing a rule that defines activities that do not count as information blocking by Health IT systems. Concurrently, the CMS has proposed changes to the healthcare system that support the goals of the MyHealthEData initiative that was announced a year ago at HIMSS 2018.

Together, these proposed rules make it clear the current administration wants to give patients access to their health data. But will these proposed rulings move us any closer to that goal? Here are some things to ponder as we try to figure that out.

The only reason MU worked (if you believe it worked) is that it not only provided incentives but it also threatened reimbursement penalties. Before MU, there were reimbursement incentives for things like e-prescribing but they weren’t widely popular like MU since “not losing money” was more important to most organizations than “making 1% more money.” As such, the success of the 21st Century Cures Act will be based on what powers it has to penalize healthcare organizations (Read, not EHR vendors) on being interoperable.

It seems like the only provision that incurs a penalty is on “information blocking,” yet the legal definition of information blocking is pretty vague. It’s basically, a ‘don’t be a jerk’ kind of admonition. It also has a plethora of exceptions which can also be vague. For example, you can block data for the sake of security, but what exactly is security? Is it being HITRUST certified? Is it scout’s honor, or something else altogether? There are a ton of gray areas in there and it’s not as if the government did a great job of enforcing non-measurable criteria during MU, so I’m pretty skeptical this will work.

Complying with the rule will affect the certification of EHRs, but this matters slightly less in the new era since not every Medicare/Medicaid organization needs to be running a certified EHR. Most will comply by default but this isn’t quite the threat as before, so won’t be likely to have much of an influence.

The rule seems to try and crack down on vendors but most “information blocking” still occurs at a hospital level, either by intent, bureaucracy, or utter lack of competency. Heck, we’ve done more than 250 smooth and successful integrations and my team still has to constantly establish even the most basic bona fides every time we want to work with a healthcare organization. I understand the government is very keen to want to point a gun at the EHR vendors after giving them $30+ billion dollars and feeling like they didn’t get their value out of it, but if there’s no edge towards hospitals then this will ultimately fail. I think the vendor app stores have done exponentially more to fix this than any government regulations ever will by shifting bureaucracy from hospitals to vendors (who usually have at least some marginal incentive to be more agile).

The one thing we are already seeing is more implementation of patient-centric APIs and I think this part of the law will ultimately be successful. Either the bit has already flipped or it is about to so that it’ll probably be easier to ask patients for their own data than it will be to get it from a health system. This doesn’t help traditional business associates in a HIPAA sense, but it will help some folks trying to “free the data”.

I’m mostly pretty supportive of government regulation trying to fix EHR problems at this point. And, it’s worth noting that most of my criticism of the Cures Act is to the heart of the challenge of fixing the healthcare interoperability problem, not the hard-working public servants who have been working for years on getting us this far. The initial goal of MU — digitizing data — was an earnest one and it was a market inefficiency that only 10% of “Eligible Providers” used EHRs pre-MU. MU succeeded in digitizing data, but other than also making e-prescribing widespread and giving us patient portals (kind of), it was an absolute failure. We’ll probably continue to hear more stories like those of eCW and Greenway Health in how vendors completed absolute fraud to serve their customers. We get to see a lot of what is happening in the industry and honestly, I think good old-fashioned capitalism is going to do much more to improve interoperability than any government intervention. Here are some examples:

• Medical Device companies, knowing now that patient data is digitized, can use digitized data to better predict signal on demand and improve getting their products into their customers hands.
• Non-healthcare companies like life Insurance companies realize that they can get the milk directly from the cow vs. having to rely on patients to give them accurate information about their health.
• Diagnostic vendors realize they can improve interoperability by just paying Epic, and EHR vendors realize they can have good customers that aren’t hospitals.

Health systems, constantly merging to cope with a post-ACA world, are beginning to realize they can’t keep switching EHR vendors as they roll up like Russian nesting dolls. Instead of continually consolidating, placing centralized data from 30 systems into something like the Azure API for FHIR and exposing it via Microsoft Teams seems like a better idea than going through another vendor selection process.

I hope the 21st Century Cures Act works. Of course, I dream for a day when healthcare interoperability is truly simple. I tell people all the time that I hope our Compliant Managed Integration service is a product that one day no longer needs to exist. But a rule without teeth might as well not exist at all. We’ve had HIPAA for more than 20 years now and it still doesn’t stop Covered Entities and Business Associates from continually shooting themselves in the foot. GDPR was designed with enforcement in mind and you can read about the number of fines which the UK has levied in a clear format.

Is the 21st Century Cures Act going to make a difference? We’ll all have to wait to find out.