The Information Sharing Journey

Presented to Health Care Compliance Association St. Louis Regional Conference

February 26, 2021

Ann Cappellari, M.D. and Scott Didion

1. API = Application Programming Interface

2. ONC = Office of the National Coordinator for Health Information Technology

NOTE: This presentation is for educational purposes only. We are not attorneys. The views expressed in this presentation are based on the experience of the presenters and do not represent legal advice or a legal opinion on any matter discussed.


Audience participation activity*

Text to: 37607

Text message: ANNCAPPELLAR760

*Standard rates apply

The Patient Engagement Journey

May 2016

• Mandatory provider notes shared

• 3 hospital system

Aug 2019

• Defaulted provider notes to share with ability to unshare

• 25 hospital system

Dear CEO,

Dear CEO,

Overview of the Rules

On May 1, 2020, DHHS published two Final Rules that focused on giving patients greater access to their medical records, interoperability, and preventing information blocking.

• CMS published the “Interoperability and Patient Access” Final Rule which gives patients greater rights to their information and makes health IT interact better.

• Office of the National Coordinator for Health Information Technology (ONC) published the “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program” Final Rule which establishes, among other things, what practices are considered not to be information blocking and how patients can access their medical information in new, untraditional and generally untested ways (e.g., APIs).

• The compliance date for both Rules was November 2, 2020; however, on October 29, 2020, DHHS delayed the compliance date to April 5, 2021.

What is Information Blocking

The ONC Rule defines information and information blocking, and sets out practices that are considered reasonable and necessary activities that would not constitute information blocking by certain actors.

• Information: electronic health information (EHI) that would be included in a patient’s designated record set/legal medical record. Does not include psychotherapy notes (as defined by HIPAA) or information compiled in the reasonable anticipation of litigation. Until October 6, 2022, EHI is limited to the data elements in the USCDI (more on that later). After October 6, 2022, EHI means a patient’s entire designated record set.

• Blocking: unless required by law or an exception, a practice by an actor that is likely to interfere with, prevent or materially discourage access, exchange, or use of EHI.

• Exceptions: eight practices that are not considered information blocking.

• Actor: a health care provider, health IT developer of certified health IT, health information exchanges, and health information networks.

What is an API?

• APIs are like menus. Menus define a list of dishes and, when someone orders one of those dishes, the restaurant does a bunch of stuff and then sends the requested dish back.

• APIs define a list of commands and, when a program uses one of those commands, the other program does a bunch of stuff and then sends back what was requested by that command (usually some kind of data).

• In healthcare, APIs are developed to allow patient-facing, clinical, and other apps to pull information from providers, payors, and others who store electronic health information.

• People-focused applications that are designed for customers, partners and employees: MyChart, Insurance Portals, etc.

• Enterprise-level applications that are process-oriented and provide a repository for needed information: Epic, Cerner, Meditech, etc.

Practical Applications

• Patients can request access to their own EHI and can ask that their EHI be shared with representatives, and/or their designees in a variety of ways including selecting an App on the internet or their mobile device by authorizing an interface with MyChart.

• Vendors, payors, and other third parties can request access to EHI.

  • It is expected that our vendors and payors will request access through APIs and that third parties not known by SSM will request access to EHI (with patient authorization).

• Initially, SSM will allow its patients access to their EHI through MyChart so they can easily access and share their information with vendors without SSM’s direct involvement.

How Does This Work with HIPAA?

• As the Covered Entity, we are not to share PHI without patient authorization except for Payment, Treatment, and Operations purposes.

• Even for a Payment, Treatment, or Operations purpose, the Covered Entity is not to share PHI with a third party providing services on its behalf without a Business Associate Agreement.

So how can we just give patient data to third parties without it violating HIPAA?

• With interoperability, the patient is making the disclosure, directing the Covered Entity to provide their PHI or the third party to “get” the data from the Covered Entity.

• If the third party loses the data, misuses the data, or is breached, the Covered Entity has no obligation; it is between the patient and the developer/owner of the app.

Looking Under the Hood


What’s in the USCDI (United States Core Data for Interoperability)?

• Allergies
• Assessment of plan of treatment
• Care team
• Clinical notes
• Goals
• Health concerns
• Immunizations
• Labs
• Medications
• Demographics
• Problems
• Procedures
• Provenance*
• Smoking status
• Unique device identifier for implants
• Vitals

Highest impact to clinicians

*Definition: Data must contain author time stamp and author’s org.

Note types required for sharing by April 5, 2021

What are “Clinical Notes?”

• Consultation Note
• Discharge Summary Note
• History & Physical
• Imaging Narrative
• Laboratory Report Narrative
• Pathology Report Narrative
• Procedure Note
• Progress Note (includes ambulatory clinic, IP, and ED notes)

Patient Request for Medical Records: What’s Changing?

Any requests for electronic information must be addressed, tracked, and all responses documented.

Current state

Future state


Exceptions to Information Blocking – Denying Request

Guiding principle: We must share a patient’s medical information with the patient, the patient’s representative, or the patient’s designee, in the manner requested, unless one of the eight exceptions applies.

1. Preventing Harm: An actor has a reasonable belief that blocking access of (i) a patient to his/her EHI will prevent harm to the life or physical safety (not psychological or emotional harm) of the patient; (ii) a patient’s representative to the patient’s EHI will prevent substantial harm to the patient; or (iii) a patient or patient’s representative to a patient’s PHI will prevent substantial harm to another person. 45 CFR 171.201.

2. Maintain Privacy: An actor that is a covered entity (CE) may block access to EHI if sharing it would cause the CE to violate the HIPAA Privacy Rule (including a patient’s request not to share EHI) or state privacy laws.

Exceptions to Information Blocking – Denying Request, cont.

3. Enforce Security: An actor may block access to EHI if sharing it would cause the actor to violate the HIPAA Security Rule or state laws.

4. IT Performance: “Downtime exception” where information will be temporarily unavailable due to maintenance, performance issues, and extraordinary circumstances.

5. Request is Infeasible: technological limitations, legal restrictions, or other legitimate reasons prevent an actor from complying with a request.

NOTE: This is not an “easy” exception to defend and a written response detailing why the request is infeasible must be provided within 10 business days of the request.

Exceptions to Information Blocking – Alternatives

Alternative Ways to Fulfill a Request to Access, Use, or Exchange EHI (and not be considered information blocking)

6. Manner and Content: If an actor is technically unable to fulfill a request in a certain manner, or the content of data or the manner in which the requester has asked for the data is not supported by the actor, then the parties may agree on reasonable alternatives.

7. For a Fee: Actors may charge reasonable fees (including profit margin) for accessing, exchanging, or using EHI.

8. With a License: Actors may license software (including profit margin) used for accessing, exchanging, or using EHI.

How to Restrict a Note from Going to MyChart

Click on the blue highlighted “Share w/ Patient” button to prevent sharing. When UNhighlighted, it won’t share.

• Within the EMR, clinicians may choose NOT to share information with a patient, but they are prompted to provide a rationale that aligns with the Preventing Harm or Privacy exception.

Auditing for Compliance

Interoperability “turn on”

Provider            Total notes   Total notes blocked   % blocked
Elders, Joycelyn    96            42                    44%
McCoy, Leonard      365           25                    7%
Quinn, Michaela     544           334                   61%
Fauci, Anthony      483           13                    3%

How do you operationalize the rules?


Operationalizing the Rules

Several workstreams were developed to operationalize compliance with the regulations:

Legal and Compliance

• Develop Information Sharing Policy

• Review of State Laws

• Evaluate Actor Class Types

• Determine When Exceptions Apply in the Real World

Information Technology

• Remove intentional time delays (lab results) and unblock notes and departments

• Evaluate Non-Epic Information (PACS, Home Health, Legacy EHI, etc.)

• Impact on Affiliates, Business Associates, and other Third Parties

• Review ADT Feeds and Provider Directory (NPPES)

Communications

• Stay in front of Leadership Communications

• Schedule and Issue Internal Communications

• Provide External Communications with Patients

• Communicate Periodically with Community Connect Affiliates

Clinical Operations

• Provide change management to physicians and service line leaders

• Consider implications to nursing and other clinical staff change

• Set up the intake processes to receive and respond to info sharing requests

• Evaluate the implications to HIM and the current ROI processes

Training and Auditing

• Intranet Site that includes internal FAQs and Tip Sheets

• Learning Management System Training Module

• Review of High Blocking Usage Patterns

• CMIO/Medical Group Retraining and Enforcement of Non-Compliance

Operationalizing the Rules – Legal Considerations

Legal and Compliance

• Information Sharing Policy – “SSM Health will not engage in any activity that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information…”

• Analysis of Applicable State Privacy Laws – to ensure compliance with the Privacy Exception (none found)

• Actor Class – is SSM a “health IT developer of certified health IT” when it allows its “affiliates” to use its Epic instance? YES! This increased the compliance risk in terms of financial penalties (up to $1M per instance) and burden of proof from “knowing” to “should have known.”

• Valid Requests – how does SSM balance HIPAA with the new Rules?

• Requests for EHI created before the (original) compliance date of 11/2/20 – SSM relied on the Infeasibility Exception because we didn’t have the opportunity to make individual determinations prior to the law being enacted.

• Categorical Exclusions – we worked to avoid categorical restrictions of USCDI data and instead encouraged clinicians to make individualized determinations with a documented reason at the time of restriction. For example, we established the “reasonable expectation of privacy” rationale when pediatricians talk to teens about psycho-social issues, sexual history, and other sensitive notes and lab results.

CMS Rule

• As stated, mostly geared to Payors who, among other things, must also offer APIs.

• Adds a new Medicare Condition of Participation, 42 CFR 482.24(d), that requires hospitals to send electronic notifications upon a patient’s admission, discharge or transfer (“ADT”) to or from the hospital’s emergency department or inpatient.

• The notification must include:

  • patient

  • treating practitioner

  • sending institution

• And be sent to patient’s established PCP or other practitioner or practice group identified by the patient as primarily responsible for the patient’s care.

• Requires providers to have digital contact information in the NPPES

  • Medical Group is 70% complete

Critical Challenges and Clinician Concerns

Pediatrics

• Poorly addressed in either CMS or ONC rules

• Our proxy access to MyChart allows them every function and view the patient sees

• Since pediatric patients can independently consent to certain healthcare services, we block any lab or procedures to which they could consent (e.g., reproductive health, AODA)

Behavioral Health

• Second highest “adamant request to have things blocked” department after pediatrics

• “Our patients have thought disorders such that they can’t properly integrate this information readily so notes should not be shared.”

• Psychotherapy notes

Critical Challenges and Clinician Concerns

Genetics

• Labs with very vague and difficult to understand results

• Can be related to amniocentesis and other prenatal fetal tests

• Resulting as “abnormal” but actually this abnormality has no clinical significance

Provenance/Authorship

• Nursing: I don’t want patients to know my last name

• Inpatient pediatric social work: I assess the ability of parents to maintain child custody

• Transplant social work: My evaluation can be key to someone being on or off a transplant list

Critical Challenges and Clinician Concerns

How timely is too timely?


Take-Aways

Lessons Learned

• Having a PMO (in fact two) and cross-functional teams were critical to staying on track due to tight regulatory timelines

  • Interoperability Steering Committee

  • Legal Medical Record Governance Committee

  • HIM Regional Directors and MyChart Apps Dev Group

• Clinical buy-in was the single most important aspect of successful adoption

• Communication and training were imperative. We utilized multiple forms of communication including board presentations, service-line discussions, a website that included FAQs, role-specific tip sheets, and even a Learning Management System (LMS) module.

• Despite the delay in the compliance date, we decided to “Stay the Course” to capitalize on momentum and use the “grace period” for audit, education, and further deliberation on some of the most high-risk aspects of the implementation

• We developed processes to intake requests, evaluate against the rule, and respond as required.

• There is expected to be much more to come as the entire LMR becomes available on 10/6/2022 and subject to these rules.

• The “side effects” of this work…

  • Brought to the surface the need to clearly define psychotherapy notes and right of access for behavioral health

  • Created a burning platform to re-evaluate Release of Information and Amendment processes

  • Highlighted the need for data governance and cross-functional team to look at our definition of legal medical record

Discussion


Questions for the HCCA Audience if time allows…

• Specific to your organization, what do you think will be the biggest challenges with including the Designated Record Set in October of 2022?

• We talked about the HIM implications, the patient care aspects, and the resources and infrastructure needed. What are other unexpected “surprises” that folks have encountered so far in their interoperability journey? What has been the biggest barrier to adoption?

• Can anyone share with me any interoperability requests that they have received? How was it handled?

• How did you spend your gift of additional time?