In Coordinated Proposed Rules, ONC and CMS Seek to Tackle Interoperability, Information Blocking, and Patient Access to Health Information


Time to Read: 7 minutes Practices: Health Care, Digital Health

On February 11, 2019, two agencies of the U.S. Department of Health and Human Services (“HHS”) coordinated the release of complementary proposed rules designed to support and advance seamless and secure access, exchange, and use of electronic health information (“EHI”). Taken together, these proposed rules seek to address both technical and practical obstacles that create barriers to the exchange of, and access to, health information. For various stakeholders in the health care industry—particularly health information technology (“health IT”) developers, health plans / payors, and health care providers—these proposed rules, if finalized, would clarify provisions of the 21st Century Cures Act, particularly regarding interoperability and information blocking, and create significant new requirements.

The first rule was issued by the Office of the National Coordinator for Health Information Technology (“ONC”), and implements key provisions of the 21st Century Cures Act (the “Cures Act”), including provisions designed to advance interoperability; to support the access, exchange, and use of EHI; and to address occurrences of “information blocking” (the “ONC Proposed Rule”). The second rule, issued by the Centers for Medicare & Medicaid Services (“CMS”), centers on advancing interoperability and patient access to EHI using the authority available to CMS and in alignment with ONC’s efforts and the Cures Act (the “CMS Proposed Rule”). We describe both below.

ONC Proposed Rule

The ONC Proposed Rule contains proposals to implement various aspects of the Cures Act, and to revise ONC’s existing Health IT Certification Program more generally. We highlight four of the most important aspects of the ONC Proposed Rule: Information Blocking, API Standards, EHI Exports, and Conditions and Maintenance of Certification. ONC has indicated that it will host a series of webinars to explain the Proposed Rule, and also issued helpful fact sheets summarizing key aspects of the rule.

Information Blocking. First, the ONC Proposed Rule promulgates the information-blocking provisions of the Cures Act, including provisions identifying “reasonable and necessary activities” that do not constitute information blocking. The Cures Act defined “information blocking” broadly, and directed HHS to promulgate exceptions. Information blocking, generally speaking, means practices that are likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. Here, ONC proposes seven “reasonable and necessary activities” as exceptions to the information-blocking provisions codified in the Cures Act, provided certain conditions are met. The first three exceptions address activities deemed reasonable and necessary to promote public confidence in the use of health IT and the exchange of EHI—specifically, activities intended to protect patient safety, to promote the privacy of EHI, and to promote the security of EHI. The next three exceptions address activities deemed reasonable and necessary to promote competition and consumer welfare—specifically, activities intended to recover costs reasonably incurred, excusing entities from responding to requests that are infeasible, and permitting the licensing of interoperability elements on reasonable and nondiscriminatory terms. The last exception addresses activities that are reasonable and necessary to promote the performance of health IT, by providing an exception for making health IT temporarily unavailable for maintenance or improvements that benefit the overall performance and usability of health IT. ONC made a specific request for information for additional exceptions.

API Standards. Second, the ONC Proposed Rule revises the 2015 Edition certification criteria for the certified health IT for application programming interfaces (“APIs”) and establishes certain Conditions and Maintenance of Certification, implementing the Cures Act’s requirement that health information from API technology be accessed, exchanged, and used “without special effort.” In doing so, ONC seeks to move the health care industry toward adoption of standardized APIs. In particular, ONC’s new “standardized API for patient and population services” requirement for certified health IT requires use of Health Level 7 Fast Healthcare Interoperability Resources (“FHIR®”) standards, with several implementation specifications. ONC is also proposing restrictions on API-related fees. ONC’s overall goal is to allow individuals securely and easily to access structured and unstructured EHI formats using mobile devices.

EHI Exports. Third, ONC proposes a new certification criterion for EHI exports, to permit the export of EHI in computable, electronic format, both in the context of an individual patient request and when a health care provider chooses to transition or migrate information to another health IT system. The proposal’s other revisions to the 2015 Edition certification criteria include new privacy and security attestations and the adoption of the United States Core Data for Interoperability (“USCDI”) as the standard for establishing a set of data classes and constituent data elements, which would be exchanged in support of interoperability nationwide. ONC also proposes revisions to the required health IT disclosures to include a detailed description of all known material information concerning additional types of costs or fees that a user may be required to pay to implement or use the health IT module’s capabilities.

Conditions and Maintenance of Certification. Fourth, ONC proposes certain “Conditions and Maintenance of Certification” requirements for health IT developers based on the conditions and maintenance of certification requirements outlined in the Cures Act. Notably, ONC proposes to implement any accompanying Maintenance of Certification requirements as stand-alone requirements to ensure that not only are the Conditions of Certification met, but also that they are continually being met through the Maintenance of Certification requirements.

CMS Proposed Rule

The CMS Proposed Rule focuses on advancing interoperability and patient access to EHI by targeting health plan and payor entities, as well as health care providers. In the proposed rule, CMS emphasized its fundamental belief that “patients should have the ability to move from health plan to health plan, provider to provider, and have both their clinical and administrative information travel with them throughout their journey.” CMS issued a fact sheet summarizing key aspects of the proposed rule, and has indicated that it has an active listserv dedicated to its interoperability efforts.

Health Plan / Payor APIs. The centerpiece of the proposed rule is a range of new interoperability and patient access obligations that CMS proposes to require of the various health plans and payors within its jurisdiction, including Medicare Advantage organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and Qualified Health Plan issuers in Federally-facilitated Exchanges. In particular, in alignment with CMS’ “Blue Button 2.0” approach for Medicare fee-for-service, these entities must deploy standardized, open APIs to make certain information available to enrollees, consistent with the API (FHIR®) technical standards proposed in the ONC Proposed Rule, as well as the same content and vocabulary standards. These APIs must provide enrollees with immediate electronic access to medical claims and other health information, through third-party applications and developers.

Health Plan / Payor Transitions of Care. CMS also proposes to require the above-mentioned health plans and payors within its jurisdiction to implement open data sharing technologies to support transitions of care as patients move between plans, including requiring plans to exchange, at enrollee request at the specified time, at a minimum, the data elements in the same USCDI standard using that standard’s aligned set of content and vocabulary standards for clinical data classes. These data include information about diagnoses, procedures, tests and providers seen. CMS also proposes that, if asked by the beneficiary, plans must forward a beneficiary’s information to a new plan or other entity designated by the beneficiary for up to five years after the beneficiary has disenrolled with the plan.

Health Care Provider Information Blocking. CMS also proposes to publicly report providers or hospitals that attest negatively to any of the prevention of “information blocking” statements, which providers must address in the context of certain Medicare interoperability support programs. CMS believes that making this information publicly available may incentivize providers and clinicians to refrain from such practices. Other CMS proposals include measures addressing dual-eligibility data syncing, the provision of provider contact information, and new provider requirements relating to discharge, admission and transfer notifications.

Requests for Information. In addition to the policy proposals described above, CMS also included two requests for information. One request relates to how CMS can improve patient identification conventions, such as through the use of a unique patient identifier, while another relates to how CMS can promote wide adoption of interoperable health IT systems for use across various health care settings, including those where adoption rates are currently low, such as post-acute settings.

* * *

Comment Period. ONC and CMS are soliciting comments on both proposed rules and the proposals also include a number of specific requests for information. The comment period is expected to close 60 days after the rules’ publication in the Federal Register, likely sometime in mid-April 2019.

If you would like to learn more about the issues raised by this update, please contact your usual Ropes & Gray attorney.
