In one of his last official acts, President Obama signed the 21st Century Cures Act into law on December 16, 2016. The health information technology (health IT) community may have overlooked this bipartisan, $6.3 billion piece of legislation. The name doesn’t sound like it involves health IT and large portions are devoted to more mainstream health issues, such as expanding medical research, speeding approval of new drugs and medical devices, addressing the opioid epidemic and expanding access to mental health services. Many people may recognize the act due to considerable press coverage of its $1.8 billion in funding for the cancer research “moonshot” championed by former Vice President Joe Biden.
What many health IT stakeholders may have missed is Title IV of the act, which is devoted almost exclusively to health IT. My blog summarizes the numerous relevant sections of Title IV. Here’s a look at some of the provisions.
Electronic health records (EHRs). EHR vendors will have their hands full meeting the legislation’s requirements. They will have to ensure their products meet new certification requirements concerning interoperability, such as the free and secure exchange of patient information. These undoubtedly will be dealt with through notice and comments rule making, so vendors will need to stay tuned for these draft regulations.
Vendors ultimately will have to address requirements for developing products for pediatrics, other specialties and sites of services “for which no such technology is available or where more technological advancement or integration is needed.” The law requires the Secretary of the Department of Health and Human Services (DHHS) to consult with stakeholders and make recommendations within the next 18 months for voluntary certification of health IT that meets the requirements of pediatricians across various sites of care. The statutory language is vague as to whether this applies to all EHRs or some subsets. Does it mean that those EHRs not offering a pediatric-specific version of their software would be required to build one? In terms of voluntary certification, pediatric-focused products certainly will have to meet specific criteria — such as a meaningful use (MU)-like certification for a specialty. This indeed would be uncharted territory, which could pave the way for future certifications for other specialties down the road. That said, specialties have discrete requirements, so one size will not fit all. It also remains to be seen whether there would be penalties for vendors who choose to ignore ensuing voluntary certification requirements.
It also is unclear whether the statutory language means only EHRs or includes various modalities, such as mobile health, depending on how DHHS interprets the statute. Health IT is a broad term, after all. To ensure their voices are heard, vendors should monitor and participate in the stakeholder group that will be convened to address those requirements for pediatric health IT. These recommendations undoubtedly will form the basis of future rule making, which will lock down requirements to which the industry will have to conform.
The act’s requirements could hasten further consolidation of the EHR market with additional functional and certification requirements, over and above those required for MU and the Medicare Access and CHIP Reauthorization Act (MACRA). Piling on these 21st Century Cures Act requirements might prove too burdensome for smaller vendors.
Interoperability. The law makes it clear that interoperability is not going away as an issue and will continue to be a policy driver in the world of health IT. The act approaches interoperability from several different directions. Among the most significant is creation of a framework for a trusted exchange network for health IT. This will be spearheaded by the Office of the National Coordinator for Health IT (ONC) in conjunction with the National Institute of Standards (NIST) and stakeholders. The law also calls for the development and certification of patient-centered EHRs. Expect to see rulemaking further down the line to flesh out implementation and adoption details and timelines. In addition, application program interfaces (APIs) also figure into the picture, following a growing trend in legislation and policy making over the past few years. The act requires them to be part of ONC’s Health IT Certification Program.
In an unusual move, this legislation creates “teeth” for enforcement against information blocking. It establishes authority for the DHHS' Office of the Inspector General to investigate claims of information blocking and fine those found to be in violation. That appears to include developers, networks and exchanges. Those fines can be substantial — up to $1 million per violation. It also appears that enforcement actions also may be taken against noncompliant providers; forthcoming notice and comment rule making will provide details. All of this is rare, indeed. Stakeholders have been put on notice.
Office of the National Coordinator (ONC). The act further enhances the value of ONC in terms of its expertise, oversight, accountability and interoperability of health IT. For example, it expands the role of ONC as a certifier of health IT and establishes it as a resource to help providers select appropriate health IT. The agency also could be involved in pilot testing various solutions. As mentioned previously, it will work with NIST and stakeholders to develop a framework for the trusted exchange of health information.
That said, ONC-related regulations for 21st Century Cures Act implementation currently are on hold due to an across-the-board freeze placed in effect by the Trump administration. One would have created authority for ONC to oversee health IT certification, the EHR reporting program and the newly created Health IT advisory committee. A second was to begin the process of renewing the contract for ONC’s approved accreditor. That job of overseeing the EHR certification program currently is held by the American National Standards Institute (ANSI), whose three-year term expires in June.
Patients. The act clearly emphasizes the patient perspective and experience, suggesting these will continue to be important to regulators going forward. It carries on the patient focus seen over the past few years with requirements for MU, the creation of value-based reimbursement based on patient-centered care models (think patient-centered medical homes) and new requirements under MACRA. With respect to health IT, the 21st Century Cures Act contains requirements to make EHRs more patient friendly and more readily able to exchange patient information. EHRs will be required to exchange information with registries, although harmonization of these provisions and similar ones in MACRA may be in order. These and other patient-centered provisions clearly signal that patient empowerment and patient-centric care should be considered by payers, providers and health IT vendors must continue in the future.
The new law also requires the General Accountability Office to study challenges related to patient access to health information. These include barriers to access, complications health care providers experience when providing access and methods patients may use for requesting their personal health information. If the past is prologue, this study will be used as the basis for future rules making to address issues that haven’t been covered.
Standards. Standards clearly were on the minds of the drafters of the 21st Century Cures Act. For example, it clearly spells out that various activities, such as development of a trusted exchange network, must use standards created by recognized standards development organizations. It also sunsets and combines existing Health IT policy and standards advisory committees to create a new Health IT advisory committee that will engage stakeholders to identify priorities for standards adoption. Standards harmonization and implementation are also part of its portfolio, as well as pilot testing certain standards. The committee will also specifically address issues related to interoperability, privacy and security. In sum, it will be very influential. Its recommendations are likely to be translated into rules making and policy. As a result, its membership and deliberations will be of critical importance to the health IT community.
Telehealth. Telehealth is an under-the-radar trend that has been quietly gaining traction over the past several years. The act clearly aims to expand Medicare adoption of telehealth services. It calls for Medicare to identify which beneficiaries might find telehealth useful, which high-volume health care services would be amenable to this approach and barriers to adoption. MedPac is to weigh in on related financial matters. Further adoption of —and payment for — telehealth services by Medicare will push the private sector to follow suit. This will create opportunities for EHRs and APIs to facilitate the capture and exchange of patient data.
Clearly, the 21st Century Cures Act could significantly impact health IT.
Edited by Alicia Young