Back in 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act became law, US taxpayers committed $300 million to seed nationwide health information exchange. Taxpayers also agreed to pay what turned out to be $35 billion in incentive payments for physicians and hospitals to adopt and “meaningfully use” electronic health records (EHRs). In implementing the meaningful-use program, the Centers for Medicare and Medicaid Services (CMS) required eligible providers and hospitals to attest to certain activities, including engaging in health information exchange and providing their patients with health information electronically. Concomitantly, the Office of the National Coordinator for Health Information Technology (ONC) required that, to be certified for use in the meaningful-use program, EHRs had to have the technical capability that enabled the meaningful-use requirements to be accomplished.

More than eight years later, according to the Department of Justice (DOJ) and the Department of Health and Human Services (HHS) Office of Inspector General (OIG), some of those billions in meaningful-use payments may have been improperly paid. And, while we have widespread adoption of EHRs, we do not have widespread exchange of health information. Individuals still struggle to get their health information out of EHRs in an electronic format. Fortunately, there may be a solution that can help ensure that meaningful-use payments are well spent. It comes in the form of a 20-year-old federal privacy law—the Health Insurance Portability and Accountability Act, also known as HIPAA.

Misspent Funds

On May 31, the DOJ in conjunction with OIG announced a $155 million settlement with eClinicalWorks (eCW), a developer of certified EHR technology. A first of its kind, the OIG and the DOJ settled allegations that eClinicalWorks had improperly taken advantage of the meaningful-use program in the way eClinicalWorks developed, certified, and sold its EHRs. One of the DOJ’s allegations was that “eCW’s software failed to satisfy data portability requirements intended to permit healthcare providers to transfer patient data from eCW’s software to the software of other vendors.”

Less than two weeks later, the OIG reported that CMS had paid as much as $729 million in fraudulent meaningful-use payments because physicians and hospitals had attested to meaningful-use measures that they could not prove they met. In the wake of the DOJ settlement with eClinicalWorks and of the OIG’s report, Senators Orrin Hatch (R-Utah) and Chuck Grassley (R-Iowa) on July 12 wrote to HHS secretary Tom Price asking, among other questions: “Given the estimated $729,424,395 in inappropriate incentive payments, why has CMS not made greater attempts to recover these funds?”

Finally, as the eClinicalWorks settlement was being finalized in early June, Politico reported on long-standing allegations that EHR developers make it prohibitively expensive for providers to contribute protected health information to clinical registries. This was happening despite the fact that federal law on health privacy and incentives in the meaningful-use program and the Medicare Access and CHIP Reauthorization Act of 2015 actually permit and encourage providers to participate in clinical registries; EHRs must have this technical capability. More importantly, as national coordinator for health information technology Dr. Don Rucker acknowledged on July 11, “Patients have a right to their electronic record under HIPAA.” This includes contributing their data to a clinical registry if they want. On August 15 and 16, the ONC hosted a two-day listening session on information blocking. Much of the session focused on semantic interoperability and technological sources of information blocking. However, Rucker as well as John Fleming, the HHS deputy assistant secretary for health technology reform, and Elise Anthony, the ONC director of policy, all called out the need for health information to flow more freely to benefit patients.

This summer’s developments underscore that Congress expected the OIG to make robust use of the new powers Congress conferred in the 21st Century Cures Act to pursue inappropriate blocking, as well as the encouragement Congress gave to the Office for Civil Rights to dispel misconceptions about HIPAA that result in blocking.

In exercising its authority to recover incorrectly paid incentive payments and root out information blocking, the OIG should look to the HIPAA privacy rule. Specifically, the OIG should make clear that the protected health information in the custody of the EHR developers is not theirs to monetize. This is because HIPAA specifically prohibits business associates (which EHR developers are) from using protected health information for their own business operations (45 CFR 166.504(e)). Rather, because the protected health information is the legal responsibility of the provider and hospital EHR customers (aka covered entities), EHR developers can only use the protected health information for their customer’s health care operations. Building a revenue stream out of charging exorbitant fees to transmit the protected health information is arguably the EHR developer’s business, not the provider or hospital’s health care operations.

Protected Health Information Is For Patient Care

Moreover, in the HITECH Act, Congress made it clear that individuals have a right to transmit at little or no cost their data directly from an EHR to the location of the individuals’ choosing, even if that is a competing provider, hospital, or EHR developer (HITECH sec. 13405(e) and 45 CFR 164.524). These two principles—that the protected health information cannot be monetized by the EHR developer and that individuals have a right to transmit—are rules the OIG should consider as it plans its next steps relative to the improper meaningful-use payments.

Let me illustrate: Imagine a scenario in which all the lung cancer patients at a marquee cancer specialty hospital want to ensure that their data is supplied to a specific cancer registry hosted by an academic medical center unaffiliated with the specialty hospital. When those patients direct their hospital to transmit the relevant data to the registry, both of these rules—limits on monetization and the individual’s right to transmit—kick in.

First, the developer cannot hold the data hostage for a fee (or for any other reason) just because the receiving academic medical center is not its customer. Holding the identifiable data hostage would be an impermissible exploitation of the protected health information for the business associate/EHR developer’s own revenue-generating purposes. This is not allowed.

Second, in keeping with the individual rights articulated under HIPAA, the hospital cannot refuse to transmit the data to the registry. Nor can the EHR developer refuse to assist the hospital to fulfill its rights. That is because by virtue of the EHR developer’s role as a business associate it is bound to cooperate with obligations imposed on its customer, the hospital.

Critics ask: What about the totality of the effort the EHR developer put into its product? What about its intellectual property? My response: When the EHR developer started down its business path, all the above rules applied—there are no surprises here. Consistent with federal health policy, the protected health information in that software system must be free to be transmitted regardless of the software environment in which it sits. The protected health information, even in a digital form, is merely a representation of the health status of an actual person. A patient can disclose that status, not to mention supply their spit, blood, or any other personal health information, wherever they want. Software as a holding place for the protected health information should have no more ability to constrain this individual’s right than does hospital-branded stationery on which protected health information may have been written in an earlier time.

HIPAA, although much misunderstood and maligned, provides solid reasons why no EHR developer should be allowed to keep protected health information from being exchanged or transmitted, or to impose self-serving financial requirements for copying, transmission, and so forth. Indeed, information blocking may be grounds for recovering some of that $729 million in improperly paid meaningful-use incentives. It remains to be seen whether the OIG or the DOJ will investigate, expose, or punish such efforts in a sentinel effort to both advance interoperability and improve HIPAA compliance.