By the EHR Association Executive Committee

Recently, a blog post appeared on the Health Affairs website* painting a gloomy picture of patient access to their electronic health information and suggesting a new theory on how HIPAA can be used to accelerate expansion of interoperability.

Disappointingly, this timely blog post makes inflammatory and inaccurate assertions about EHR vendors, regulatory requirements, and progress made toward interoperable health records.  It also seemingly advocates for a “gotcha” system of penalizing potential missteps by providers and developers, which is the wrong approach to encouraging information sharing.

EHR developers provide tools to help our customers care for patients and increase these patients’ access to their health information. The assertion that individuals “struggle to get their information out of EHRs in an electronic format” overstates the situation and does not reflect progress made.  Although the extent of exchange is not yet where the healthcare industry collectively would like it to be, interoperability is growing quickly between providers, as well as between providers and patients.

Specifically regarding information exchange between clinicians and their patients, those being cared for have broad electronic access to the information in their provider’s EHR.  All certified EHRs make available clinical summaries in a readable format based on standards adopted by the ONC via the View, Download, and Transport capability, typically through patient portals. It is expected that widespread roll-out of “APIs” as a mode of such access, coupled with new legislative and regulatory approaches, will further accelerate and build on the significant progress already made.

It is inconceivable to us that a vendor would not “allow” sharing of data with a registry just because it is not a customer. Ideally the registry with whom a hospital or other provider wants to share information uses standards-based tools and identifies data requirements that make it straightforward for the provider to submit data. Of course, if the registry employs a non-standard information exchange approach or requires data elements not captured in the provider’s clinical workflow, which is not uncommon, there reasonably may be fees for creation of any needed interface or other customization necessary to collect the additional data, in addition to any normal fees for integration with the registry, depending on the particular EHR’s architecture and business model. That is not information blocking under any reasonable standard.

We are also skeptical of the novel assertion that HIPAA limits on the monetization of patients’ Protected Health Information also applies to the ability of developers to charge for interoperability services. Other capabilities have associated charges, such as software development and services costs, and it is clear that the same allowance is given to products and services oriented toward information exchange, given developers’ costs and the associated investments to provide these capabilities.

The blog post also misleadingly describes results of a recent HHS Inspector General report.  The OIG report alleges that as much as $729 million in inappropriate meaningful use incentive payments were made to providers.  However, none of the deficiencies identified by the Inspector General related to interoperability or data exchange capabilities. That large and seemingly precise figure was extrapolated from an audit of only 100 providers (0.04% of providers participating in the program), and the report found mostly minor problems—e.g. documentation retention, which is not a technical issue—with 14 providers. Pursuit of potential “information blocking” has no relevance to this specific audit finding.

In sum, we believe that current regulatory approaches, including those already clearly stemming from HIPAA (including those relating to patient access to their information), HITECH and the 21st Century Cures Act, provide ample policy and enforcement tools related to potential instances of information blocking. The major drivers of interoperability will continue to be provider business cases, augmented by these existing regulatory requirements.

Layering on additional theories aimed at providers and developers wrapped in HIPAA adds little and unproductively makes the focus of interoperability one of compliance rather than meeting the real data-sharing needs of providers and their patients, a task to which our members are committed. Certainly, not all (or even most) HIPAA misinterpretations by providers can or should be considered information-blocking based on government descriptions. The task we should all focus on is education on what HIPAA permits and requires, not punishing providers who make mistakes or simply live in the real world of complex interoperability and HIPAA implementation decisions.

* To Combat ‘Information Blocking,’ Look To HIPAA