ONC and CMS Delay Enforcement Dates for Certain Provisions of the 21st Century Cures and Interoperability Final Rules, and OIG Announces Proposed Rule to Implement Information Blocking Enforcement Authority

The Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) first displayed the contents of their information blocking and interoperability final rules on March 9, 2020. Those rules contained various compliance dates for new requirements that were tied to the publication date of the final rules in the Federal Register. After initially delaying the compliance dates by withholding the final rules from publication in the wake of the Coronavirus (COVID-19) public health emergency, the agencies have now announced that the final rules will be published in the Federal Register on May 1, 2020. ONC and CMS will then exercise discretion to delay enforcement of certain provisions beyond the compliance dates published in the final rules in recognition of the health care industry’s current focus on the ongoing COVID-19 public health emergency.

Importantly, the enforcement delays announced by ONC and CMS do not affect the substantive requirements of the final rules. For more information on the substance of the final rules, please see our Special Alert and our other On The Subjects here and here.

In this On The Subject, we discuss the new compliance dates of the ONC and CMS final rule requirements and review OIG’s proposed amendments to the CMP rules.

ONC Final Rule

ONC announced that it will exercise its discretion and not enforce the new certification requirements of its final rule until three months after each compliance date or timeframe identified in the ONC final rule. Along with the announcement, ONC published a helpful table outlining the compliance timeframes for each of these provisions and the effect of the enforcement delay. ONC did not extend the compliance date for the information blocking provisions of its final rule, but as discussed below OIG’s rulemaking will determine the timing of enforcement activity. Below, we provide the key compliance dates based on the enforcement delays announced by ONC:

• ONC will begin enforcing two of the new conditions of certification (CoCs) on September 30, 2020 (three months from the June 30, 2020, compliance date in the final rule):
  • Under the final rule, certified health IT developers may only prohibit or restrict communications by its customers about certified health IT under limited exceptions intended to allow the developer to reasonably protect its intellectual property. While developers must adhere to this CoC beginning September 30, 2020, they will have until March 31, 2021, to provide the required notice for the 2020 calendar year to customers stating that non-compliant confidentiality provisions or other restrictions or limitations on communications in existing contracts between the developer and the customer are invalid.
  • Certified health IT developers must ensure that their certified health IT conforms to the full scope of the certification criteria applicable to the developer, and that the developer has not taken any action to interfere with a user’s ability to access or use certified capabilities.
• ONC will enforce the following CoCs on February 1, 2021 (three months after the November 1, 2021, compliance date for these provisions in the final rule):
  • Certified health IT developers may not take any action that constitutes information blocking under the final rule.
  • Certified application programming interface (API) developers must meet the CoCs relating to API transparency (publicly publishing business and technical documentation), charge only permissible API fees and offer APIs on open and pro-competitive terms.
• ONC will enforce the following CoCs on August 1, 2022 (three months after the May 1, 2022, compliance date for these provisions under the final rule):
  • Certified health IT developers with currently certified APIs must meet the new API certification criteria, which includes implementation of the Fast Healthcare Interoperability Resources (FHIR) standard.
  • Certified health IT developers will by this date need to have updated their products to comply with the United States Core Data for Interoperability (USCDI) criteria.
• Certified health IT developers must submit initial plans for real-world testing to their certification bodies so that their certification bodies may evaluate the plan’s completeness and submit the plan to the ONC’s Certified Health IT Product List (CHPL) by March 15, 2021 (three months from the December 15, 2020 compliance date in the final rule). Certification bodies will be required to post certified health IT developers’ real-world testing results to the CHPL by June 15, 2022 (three months from the March 15, 2022, compliance date in the final rule).
• Certified health IT developers will be required to submit their initial attestation that they adhered to the CoCs effective during the period of September 30, 2020 – March 31, 2021 by July 30, 2021.
• Developers must meet the new electronic health information (EHI) export certification criterion by August 1, 2023 (three months after the May 1, 2023, compliance date under the final rule).

CMS Interoperability Final Rule

The CMS final rule requires Medicare Advantage plans, Medicaid state agencies, Medicaid managed care plans, CHIP agencies, CHIP managed care entities, and issuers of qualified health plans on federally-facilitated exchanges (Covered Plans and Agencies) to implement APIs that allow patient information to be shared more readily with third-party applications selected by patients. The new API requirement for Covered Plans and Agencies was scheduled to go into effect on January 1, 2021. However, CMS announced it will exercise enforcement discretion for the API requirement for a period of six months until July 1, 2021.

Notably, however, CMS announced that all other policies in the final rule concerning Covered Plans and Agencies will be implemented and enforced on schedule. Covered Plans and Agencies will therefore still be expected by January 1, 2022, to have the ability to, in response to a patient’s request, forward patient information electronically to other payors designated by a requesting patient for up to five years after the patient has disenrolled from the plan.

The CMS final rule also requires Medicare hospitals that have adopted electronic health record systems to, as a condition of participation (CoP) in the Medicare program, electronically report patient admissions, discharges, and transfers to patients’ primary care practitioners or other practitioners primarily responsible for the patient’s care. Originally, the final rule made the new CoP effective for hospitals six months following publication of the final rule. However, CMS announced that it has changed the text of the final rule to state that the CoP will now be effective May 1, 2021 (12 months after the final rule’s publication).

OIG Proposed CMP Rule Amendments

On April 21, 2020, OIG released a proposed rule amending its civil monetary penalty (CMP) regulations. Among other things, OIG’s proposed rule would incorporate statutory changes, including those related to new CMP authorities for information blocking, into OIG’s existing CMP regulations. OIG states that it intends for the proposed information blocking enforcement regulations to “improve coordination within the health care system and patients’ access to their health care data.”

Enforcement Timing

Consistent with ONC’s discussion in the preamble to its final rule, OIG states that it will not begin CMP enforcement before ONC’s information blocking compliance date (November 1, 2020). OIG also proposes that, in any event, it will not begin enforcement until at least 60 days after OIG issues a final rule. Conduct occurring between ONC’s compliance date and OIG’s effective date—if ONC’s compliance date occurs first—will not be subject to CMPs. Of note though, OIG is considering an alternative proposal that would establish an effective date on a date certain. OIG identifies October 1, 2020, as a date under consideration, but is also considering earlier or later dates. OIG is seeking comment on when it should begin enforcement and how various considerations, including the ongoing COVID-19 pandemic, should affect information blocking enforcement timing.

OIG Enforcement Priorities

OIG states that its proposed rule does not include new information blocking requirements, but instead seeks to formally incorporate ONC’s information blocking regulations as the basis for OIG imposing information blocking CMPs. OIG does, however, provide examples of how it plans to determine whether an actor’s practice resulted in one or many information blocking violations, which is relevant to determining the amount of potential penalties and is an area where the regulated industry is likely to have a significant interest in providing feedback.

Like other OIG authorities that include an intent element, OIG acknowledges that each information blocking allegation will require a facts and circumstances analysis, which OIG will conduct in coordination with ONC and the HHS Office for Civil Rights. In terms of enforcement priorities, OIG states that it will focus on investigating conduct that (1) involves patient harm; (2) impacts providers’ ability to deliver patient care; (3) continues for a long time; (4) results in financial loss for Medicare, Medicaid, and other federal health care programs as well as other government and private entities; and (5) involves an actor engaging in the conduct with “actual knowledge.”

The last focus area is noteworthy because the 21st Century Cures Act provides for CMPs to be issued in situations in which health IT developers, health information exchanges and health information networks “know” or “should know” that their practices are likely to interfere with the access, exchange or use of EHI. OIG seems to be saying that it plans to focus on a subset of conduct that it could otherwise pursue for CMPs. That said, OIG goes out of its way in the proposed rule to note that the stated priorities in the preamble guidance will not legally restrict OIG’s discretion to choose the complaints it investigates.

Public Comment

OIG seeks public comment on its proposed rule. Interested stakeholders will have 60 days from the date of the proposed rule’s publication in the Federal Register to submit comments, though OIG stated that it will monitor requests for an extended comment period due to the COVID-19 public health emergency. The proposed rule is scheduled for publication on April 24, 2020.

Please do not hesitate to contact your regular McDermott lawyer or any of the authors of this On The Subject if you have questions or need assistance with your compliance obligations under the ONC/CMS final rules or if you have questions or wish to comment on the OIG proposed rule.