As health systems are working toward compliance with the provider requirements of the 21st Century Cures Act, many are discovering that interpretation and application of the federal rules raise many questions and misconceptions.
The 10 most common misconceptions we have seen among health systems are:
- You must release all results and notes as soon as possible for any encounter.
- You only need to send notifications to primary established practitioners upon patient request.
- Requests for electronic health information will refer only to episodic records and date no farther back than 2016.
- You must respond to requests for information from certain channels.
- Providers should only request electronic health information (EHI) via DirectTrust messages, not other routes.
- You always have to send a notification to the primary established practitioner(s) if you are able and the patient has not prohibited it.
- The Cures Act requires that you ask the patient’s permission to send a notification.
- If you obtain the information for the primary established practitioner(s) after the admission is complete, you still must send a notification.
- Extending the EHR to another provider group does not meet the definition of a developer.
- Requests to send data to third-party applications through application programming interfaces (APIs) need to be filled within 10 days.
What are the correct concepts to these misconceptions? It depends. The reality is that in many nuanced areas of the rules, the application can be nuanced as well.
While every health system should make sure it is compliant with the Cures Act, each organization needs to make unique decisions in the nuanced areas, based on best practices for their patients, providers, and other stakeholders.
Here are a few examples of the nuances and key decisions that must be made:
You must release all results and notes as soon as possible for any encounter.
Not every organization will decide to release all results and notes as soon as possible for each encounter. Organizational culture varies with regard to patient and provider preferences on immediate release or withholding of certain notes and results. This will affect how much a health system can “open its notes” to prohibit information blocking. The health system must decide whether it will release notes immediately, pre-request based on EHR system design, or based on provider discretion. To ensure no delays when patients request electronic information, the health system must develop a compliance strategy it can support through workflow design, operational decisions, implementation, and policy.
You only need to send notifications to primary established practitioners upon patient request.
Health systems will need to mobilize to meet the ADT Notification mandate, which requires notification to all established primary practitioner(s) for the patient, not just upon patient request. Consider the oft-cited example of a patient with multiple comorbidities being cared for by a primary care provider, cardiologist, and transplant team. Provisions must be made to send EHR notifications promptly to those practitioner(s) beginning May 1, 2021.
Requests for EHI will refer only to episodic records and date no farther back than 2016.
The gravest concern organizations anticipate is requests from provider groups and third-party vendors for population data spanning a certain length of time. For instance, an endocrinologist could request all patient data for the last 15 years to be sent to a new diabetes application. Given the heavy potential lift, health systems will need new processes to capture these requests, evaluate them impartially, and ensure responses are sent within 10 business days, if infeasible. Workflow design, consistent legal interpretations and decisions, implementation, and supporting policy will be critical success factors.
You must respond to requests for information from certain channels.
Health systems must also recognize that requests can come not only from patients but also from other entities, including attorneys, billing agencies, providers, and third-party vendors. These requests currently may be verbal from patient to staff, via email, or in meetings. Health systems need to funnel these requests centrally to provide a consistent response process, adhere to their new information blocking policy, and be able to rely on detailed tracking of request events if a complaint is filed.
The Cures Act requires that you ask the patient’s permission to send a notification.
While health systems don’t need to get patient permission to send notifications, they do need to be able to withhold notifications at a patient’s request. That means health systems must ensure their EHRs are designed to stop a notification if the patient requests that it not be sent. Appropriate stakeholder involvement, workflow design, and EHR build are critical to ensure valid notifications are sent, patient and provider notification requests are honored where possible, and alert fatigue is kept to a minimum.
Extending the EHR to another provider group does not meet the definition of a developer.
Providers that extend their EHR to another provider organization can be considered developers under certain circumstances, which would mean exposure to Civil Monetary Penalties of up to $1 million per violation. If the provider is deemed a developer, they must work with their connected provider organizations to ensure information-sharing functionality enhancements from the source EHR are extended to the provider organization. Keep in mind that you may be the provider organization that extends the EHR or the provider organization that is the recipient of the EHR extension.
Requests to send data to third-party applications through APIs need to be filled within 10 days.
Various requestors will ask for data to be sent to third-party applications beginning April 5. If the API technology is available from the EHR, the provider organization must use it and cannot cite infeasibility. In the case of a new application that is available through the EHR, communicate to the requestor regarding a turnaround time to connect the data to the new application. Only if the request is truly infeasible can the provider deny filling the request, and that denial must be within 10 business days. We recommend that provider organizations have a list of known feasible and infeasible applications ready with response so that only the unknown “new” requests go through a feasibility review.
While these are merely a few examples of nuances, they underscore that preparing for compliance requires input across providers, HIM, clinical operations, IT, compliance, legal, marketing, and other departments within the organization.
The Key to Success: A Strategic Interoperability Plan
In the short term, the linchpin for compliance with the Cures Act requirements is holistic interoperability — with a cohesive plan, strong project management and governance, and a robust change management and training approach.
In our experience, a major key to success is overall program oversight, including a program plan that spans all relevant workstreams and subprojects throughout the organization. Disciplined RAID (risks, actions, issues, decisions) analysis and governance are also critical to prevent any gaps and ensure a smooth journey to success.
In the long term, the broadest vision of success, however, involves looking at more than the law. Beyond compliance, following the Cures Act rules is an opportunity for increased efficiency, better coordination of care, and improved clinical decision-making. True interoperability will lead to improved patient outcomes, quality of care, management of populations, management of outcomes, communication of critical patient data, and enhanced consumer experience. Fully committing to interoperability through strategic workflow enhancement, system design, program oversight, and change management will deliver benefits that far outweigh the challenges.
© 2023 The Chartis Group, LLC. All rights reserved. This content draws on the research and experience of Chartis consultants and other sources. It is for general information purposes only and should not be used as a substitute for consultation with professional advisors.