For years, the question of who actually owns patient healthcare data loomed unanswered. With the passage of the 21st Century CURES Act, this issue has been definitively resolved: health systems and providers do not own healthcare data — patients do.
In a November Becker's Hospital Review webinar sponsored by MediQuant, John Showalter, MD, former CMIO and CHIO of the University of Mississippi Medical Center in Jackson, Miss., and Kel Pults, DHA, MSN, chief clinical officer at MediQuant, discussed the 21st Century CURES Act and what it means for health systems.
Five key takeaways were:
- One key part of the 21st Century CURES Act prevents information blocking by health systems. According to Dr. Showalter, unless a specific reason exists that prevents the sharing of electronic health information (EHI), health systems must eliminate barriers that keep patients from accessing their own health information. "Health systems must collaborate with all of the different parties to get those releases done and that electronic health information shared," he said. "The big focus has been on the health system level, making sure that everyone is working together to meet those requirements."
- To avoid penalties, health systems must clearly document any information blocking exceptions. Only eight information blocking exceptions are permitted: preventing harm, privacy, security, infeasibility, health IT performance, licensing, fees and content and manner. "There are very few exceptions, and these are extremely limited," Dr. Pults said. "You need to come up with a policy on how you document any of the exceptions that are allowed by the law."
"Ultimately, the government is going to decide whether your definition of infeasibility was acceptable or if it was blocking," Dr. Showalter said. "It's a gray area that has had a lot of discussion and still remains unclear. When we talk about penalties, the health system doesn't get to make the final decision."
- The definition of EHI has expanded. As of October 6, 2022, the definition of electronic health information is no longer limited to United States Core Data for Interoperability (USCDI) data but will expand to include at least 50 new data classes. "That expansion to 50 new complicated data classes is huge," Dr. Showalter said. "They're not data classes that we're used to thinking about sharing or that we even historically considered part of the designated record set. Now they are part of that information ecosystem that has to be shared and released. There's a need for an expansion of thinking and collaboration with IT to inventory where all of this data could sit and then figure out how we're going to share it. And if we can't share it, we'll need to describe why in a way that's going to be defensible."
In addition, archive data can be an overlooked area, but it is clearly included as part of EHI. "Archive data, specifically, is called out, so compliance is essential," Dr. Pults said. "There's critical data living in all your decommissioned systems," Dr. Pults said. "When you archive or replace a legacy applications, you need to make sure you're getting that data from the source system, because all of those notes are now part of the designated record set. It’s data you need to keep, and you must be able to access."
- Reporting information blocking is simple for the patient, and penalties for blocking can be significant. "Patients have the ability to fill out a simple form to report information blocking, and investigations get handled pretty quickly," Dr. Pults said. Fines can be upwards of a million dollars each, with no limit on how many penalties can be accrued. "It can get very expensive very quickly," she said. Currently, 77 percent of complaints are against providers.
- To remain compliant, health systems must create a strategy to store as much data in an accessible form as possible. "It's the right defensive position," Dr. Showalter said. "What we know is that the data classes are not shrinking, and to be prepared for that, we need to have the data and be able to move it into a releasable system."
By working closely with IT and partners such as MediQuant, health systems can identify, collect and store the vast amounts of data required as part of the 21st Century CURES Act. In doing so, providers can comply with the expanding requirements or build a defensible case for an exception, avoiding expensive penalties and fines.