peshkova - Fotolia

For ONC final rule, compliance clock is ticking

Having passed the June 30 effective date, healthcare CIOs will be playing a significant role in ensuring compliance with the federal regulator's final rule.

Months after new healthcare interoperability rules were finalized, they are now officially in effect -- having passed another milestone in the countdown to enforcement.  

The 21st Century Cures Act final rule from the Office of the National Coordinator for Health IT (ONC) was published May 1 in the Federal Register with an effective date of June 30, which gave healthcare organizations and health IT developers varying deadlines to comply with provisions laid out in the rules. Because of the pandemic, ONC provided three-month deadline extensions to the information blocking and interoperability rule, which focuses largely on healthcare organizations and developers stopping the flow of healthcare data as well as the implementation of APIs based on the Fast Healthcare Interoperability Resources standard to give patients easy access to their data.

Jeffery SmithJeffery Smith

The recent effective date of June 30 serves as a reminder to healthcare CIOs that the compliance clock is ticking, said Jeffery Smith, vice president of public policy at the American Medical Informatics Association.

"There's not one but several hourglasses that have been flipped," Smith said. "The initial hourglass was the publication date, which was officially May 1. There's another hourglass that's been flipped because of the effective date. The third hourglass is around the enforcement discretion period ONC announced as a result of COVID-19."

Most of the pressure to adhere to new requirements, such as implementing standardized APIs to make sharing of healthcare data seamless, will fall on EHR vendors. But CIOs will have to monitor the progress EHR vendors and other health IT developers are making toward compliance.  

The CIO role 

Smith said CIOs may not be responsible for building out the required APIs, but they will need to keep communication with EHR vendors as well as compliance deadlines front and center to make sure requirements are met.

"From the position of the CIO, they're going to have to be as knowledgeable as their developer counterparts in terms of the big picture and the big timeline," he said.

David ChouDavid Chou

David Chou, a health IT expert and CIO at Harris Health System in Houston, said larger, more established vendors likely won't need the same kind of oversight as smaller vendors, which he thinks will require more attention and monitoring.

"Think about the number of [technology vendors] a typical hospital CIO manages; it could be anywhere between 600 to 1,000 for a medium-size organization," he said. "A third of those are smaller vendors; that's a lot to manage. I would say that's definitely something CIOs are thinking about."

One of the complicated conversations is around delineating what is it that the hospital is on the hook for versus their vendor.
Jeffery SmithVice president of public policy, AMIA

CIOs will also need to discern and even negotiate who is responsible for what, according to Smith, which adds to the importance of establishing good communication between the healthcare organization, EHR vendors and other health IT developers.

"One of the complicated conversations is around delineating what is it that the hospital is on the hook for versus their vendor," he said. "ONC's rule is 100% targeted at vendors. But it's hard to disentangle, from the provider's perspective, what are they going to be in trouble for if their vendor doesn't meet the timelines that ONC has set out. That's going to be an ongoing struggle."

Smith said information blocking provisions will be some of the first healthcare organizations will need to comply with, and it's a good place for CIOs to focus their attention. Unless a healthcare organization can claim one of the eight exceptions defined in the ONC final rule, Smith said the organization could be liable for claims of information blocking if there is interference with healthcare data sharing.

Due to the COVID-19-related compliance delay, healthcare organizations have nine months instead of six months after final rule publication to comply with the information blocking provisions. Similarly, the Centers for Medicare and Medicaid Services (CMS) has delayed enforcement of certain provisions in its accompanying Interoperability and Patient Access Rule, such as the admission, discharge and transfer notification requirement that has been delayed six months.

Dig Deeper on Federal healthcare regulations and compliance

Cloud Computing
Mobile Computing