Information Blocking Under Attack: The Challenges Facing EHR Developers and Vendors

In March 2017 Milbank Quarterly, researchers Julia Adler-Milstein and Eric Pfeifer found that information blocking — which they define as a set of practices in which “providers or vendors knowingly and unreasonably interfere with the exchange or use of electronic health information in ways that harm policy goals” – occurs frequently, and is motivated by revenue gain and market-share protection.

Among the practices most often cited were deployment of products with limited interoperability (49%) and high fees for health information exchange unrelated to [actual] cost (47%).  Of note: This is the first empirical research identifying and quantifying the specific information blocking practices reported by a group of information exchange experts.

The authors concluded “Information blocking appears to be real and fairly widespread. Policymakers have some existing levers that can be used to curb information blocking and help information flow to where it is needed to improve patient care. However, because information blocking is largely legal today, a strong response will involve new legislation and associated enforcement actions.”

The legal situation regarding the controversial subject of information blocking may have already changed dramatically.  Two important events occurred since this research was undertaken.  First, the strongly bipartisan-backed 21st Century Cures Act was signed into law by President Obama late last year.  The health information technology (HIT) provisions of the law now make it illegal for a vendor or provider to engage in information blocking. Second, the new law provides the nation with a new and comprehensive statutory definition of information blocking:

A practice, except as required by law or allowed by the HHS secretary pursuant to rulemaking, that:

–Is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information.

–If conducted by an HIT developer, exchange or network, such entity knows or should know that such practice is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information.

–If conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information.

(Emphasis added)

The law further directs that information blocking may include the following:

– Practices that restrict authorized access, exchange or use of such information for treatment and other permitted purposes under such applicable law, including transitions between certified HIT systems.

– Implementing HIT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using electronic health information.

– Implementing HIT in ways that are likely to restrict access, exchange or use of electronic health information with respect to exporting complete information sets or in transitioning between HIT systems.

– Lead to fraud, waste or abuse, or impede innovations and advancements in health information access, exchange and use, including care delivery enabled by HIT.

In case there is any doubt about the gravity placed on this issue by the authors of the law, consider that Cures requires the Secretary of HHS establish a process for collecting complaints of information blocking and investigating them, and designates the Inspector General as the party responsible for carrying out the investigations. It assigns a penalty of up to $1 million per information blocking episode and funds program operations with the proceeds from such fines and penalties after a $10 million start-up allocation is made.

The law also makes it mandatory for EHR and other HIT vendors seeking federal certification of their products to attest they are not engaging in any form of information blocking as described in the law, and that false attestation may be cause for removal of certification status.  Certification is virtually a requirement of doing business as an HIT developer or vendor in health care, since many federal Medicare and Medicaid payments to doctors and hospitals are tied to the use of products certified by the Office of the National Coordinator for HIT (ONC), and known as certified EHR technology (CEHRT).

No one knows for certain whether these provisions will trigger a large number of complaints from providers, patients and other interested parties who have been frustrated by problems encountered when they have tried to move, share, or exchange data and health information between organizations and across the boundaries of HIT systems.  But the widespread practices described in the Milbank Quarterly research do not augur well for EHR technology vendors and developers being able to avoid at least some negative attention.

At the very least, it is likely that the new Cures information blocking provisions will pose challenges to vendors and developers for the next couple of years.  The law’s language is remarkably broad and, in my opinion, purposely comprehensive.  For example, EHR vendors  cannot use lack of knowledge about their conduct as an excuse if it is found that they should know about the information blocking effects of that conduct.  They can be found in violation of the law for restricting access to, exchange of, or use of health information.This means software vendors and their customers will need to carefully monitor and audit information flows for data, both at rest and in storage, to assure potential authorized users don’t suffer restrictions.  Monitoring these flows and processes will increase awareness and knowledge of any potential restrictions, thus obligating them to remove them. The law sets a very low bar by stipulating that merely making it “likely” that restricting information occurs is information blocking, but also creates new (and high) expectations for what must be exchanged when it references “exporting complete information sets” as the object of such restrictions.

The law’s list of practices considered information blocking includes “Implementing HIT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using electronic health information.”

I find this last provision to be a particularly worrisome challenge for vendors to attempt to avoid, and to defend against should they be accused of such behavior.  The issue here will revolve around what are considered “standard and nonstandard ways” of implementing HIT, and what constitutes a “substantial increase in complexity or burden” of accessing, exchanging or using electronic health information.  And, of course, who gets to decide these matters is equally important.  If, in the process of investigating complaints of a vendor implementing HIT in nonstandard ways that cause a “substantial increase in the complexity of health information exchange”, will the Inspector General make it the burden of the vendor to prove that it has used standardized ways? Or that there are no standards for the implementation in question?  Or that the standards ought not to apply in a particular case?  And in what situations?  Will those standards be those of a local community, or those that are state-wide or national?

I fear that the “next patch” is likely to be difficult for many EHR vendors. Additional challenges include these considerations:

  1. They do not have the new MU revenue coming in as they did for the past five years.  With 80+% adoption of EHRs, there is little new business to be had, limited to a small amount of rip and replacement going on.  Vendors will be looking for new sources of revenue and profit, but there have been complaints  that their products and service contracts are already over-priced.  Every health care provider organization in the country is looking for ways to stabilize or reduce the ongoing costs of ownership of their health IT software and services, while at the same time improving security.  Value-based care and risk taking contracts, along with repeal of coverage under the replacement for Obamacare, may only increase the economic pressure.
  2. New certification criteria under the law require EHR developers and vendors to work harder on interoperability and to demonstrate usability in the field to maintain certification.  As we all know, real world testing of software can reveal a lot of warts.  Contractual agreements recently imposed by EHR vendors that prohibit users from sharing screen shots and features sets are prohibited under the law’s HIT provisions.  New certification criteria under the law requires EHR developers and vendors to attest that they do not engage in any form of information blocking, as defined in the law, and levels penalties for both information blocking and false attestation.  This new definition of information blocking is deep and wide.
  3. New measures for interoperability are one of the responsibilities of the new HIT Advisory Committee being formed to work with Secretary Price and National Coordinator Rucker at HHS/ONC, as is the establishment of a Trust Framework and Agreement.  These activities will likely put new pressures on vendors to make their products more network-able and more able to share data with authorized providers and patients/consumers.  In a statement released by ONC on May 23, 2017, quoted from Politico’s Morning eHealth May 24, the agency indicated their interest in information blocking thus: “In FY 2018, ONC will continue to address and discourage information blocking by aggressively implementing ONC Certification Program rules, creating and promoting channels for reporting information blocking, and enforcing information blocking provisions required by the Cures Act.”

Working with physicians, hospitals, and with interoperability standards groups like DirectTrust, will be in the best interest of EHR developers and vendors as they seek to avoid problems of information blocking, real or imagined. There are legitimate reasons for restricting access to health care information in electronic formats, including security measures and identity assurances needed to protect the privacy of that information.  The vendors need to articulate these carefully and with the interest of their customers and their customers’ patients – not their own profits – clearly in mind.  Physicians and clinicians will tend to put the interests of patients and consumers of health care services first. They must also—as does DirectTrust and other like-minded communities—do what is reasonable to better knit together the fabric of the entire health care system so that care is better and costs are lower.  That is our duty under the new laws. Quite simply, we cannot make good progress toward meeting these goals without the collaboration of the major EHR vendors, their customers, and the public.

Categories: Uncategorized

6 replies »

  1. I was talking to a psychologist from Kaiser. He said that because of EPIC, he cannot document safely all the patient information and that, accordingly, his EMR records become so bland and similar to one another that he can’t remember his patients very well. He thus is rendering less skilled service to his patients compared to his older hand written charts.

  2. It must be true that making information flow more facile for the stakeholders also makes it a little more facile for the hackers and other predators.

    It must be true that enhancing interoperability also somewhat degrades patient privacy.

    It must be true that using hospitalists more to develop information on an inpatient restrains and often blocks information flow from PHP doctors’s offices and other outpatient facilities.

    It must be true that the price of the ransomware demand is greater the wider the location and dissemination of the information to be ransomed….simply because more parties attach value to it.

    It must be true that the more interoperability going on, the more litiginous activity about intellectual property is going on.

    It must be true that the wider the interoperability the more legal malpractice observers are able to see the information.

    It must be true that patients assigned to ACOs deserve to know that particular information flow too…in order to be part of the spirit and philosophy of non-blocking of information. As we read here in THCB, this is most often kept secret.

    It must be true that the higher the exchange of information, the fewer the trade secrets are possible amongst the EHR vendors and the lower their innovation incentives.

    It must be true that the lower are the chances for the EHR vendors to obtain monopoly prices, the fewer there will be in the market and the more de facto monopoly will exist in this sector.

  3. We should join Great Britain and the Veterans Administration and start over. It should begin with a planned phase-out of the HITECH Act 2009 over 10 years. Its my notion that the plausible options for an EMR as of 2017 are far different that the systems designed beginning 10-15 years ago.
    Three observations may apply. Most physicians are trained to read and learn from a 8 1/2″ X 11″ page of information with 2, and rarely, 3 columns of information. The columns usually contains lines of words involving 6-8 words involving 1-4 phrases. We learn by scanning the phrases. Books and medical journals are ALL published with this format. Newspapers have their origin with the same format. Also, the originating character of medical data documentation followed the same format. Oddly, I also have perceived that a physician’s thinking is analog in character, for which hand writing is its best representation.
    Here is a quotation from Gertrude Stein (1874 – 1946): “You will write, if you write, without thinking of the result in terms of a result, but think of the writing in terms of discovery, which is to say the creation must take place between the pen and the paper, not before in a thought or afterwards in a recasting. Yes, before in a thought, but not in careful thinking. It will come if it is there and if you will let it come. Writing is the only thing that, when I do it, I don’t feel I should be doing something else.” The last words say so much about the time and mental energy wasted while entering a set orders at the time of a person’s hospital admission.
    So, is there anyone using a touch screen to hand-write orders that then are interpreted by the lap top for approval?