Former ONC privacy officer: OIG investigators should use HIPAA to crack down on information blocking

After the eClinicalWorks settlement, HIPAA may be the ideal vehicle for the OIG to address information blocking among EHR providers.

A former federal health IT privacy official has some words of wisdom for investigators looking to claw back misallocated EHR incentive dollars: Use HIPAA as your guide.

Data portability was one of several issues raised in a complaint filed by federal prosecutors alleging EHR vendor eClinicalWorks falsified its EHR certification, which culminated in a $155 million settlement in June. Former officials with the Office of the National Coordinator for Health IT said eClinicalWorks is not the only EHR that has pushed the envelope when it comes to certification.

Former ONC National Coordinator Farzad Mostashari, M.D., who now serves as CEO of Aledade, told FierceHealthcare that vendors often tell the providers his company works with that they have to purchase new interfaces or pay additional fees to export patient records.

That’s one of several issues OIG investigators may be interested in as the agency digs into an estimated $729 million in improper payments it identified within the meaningful use program. The OIG has been given the authority under the 21st Century Cures Act to investigate and fine companies for instances of information blocking. Lucia Savage, Omada Health’s chief privacy and regulatory officer and the former chief privacy officer at ONC, says HIPAA already provides a solid framework that prohibits vendors from holding patient data hostage.

“In exercising its authority to recover incorrectly paid incentive payments and root out information blocking, the OIG should look to the HIPAA privacy rule,” she wrote on Health Affairs Blog. “Specifically, the OIG should make clear that the protected health information in the custody of the EHR developers is not theirs to monetize. This is because HIPAA specifically prohibits business associates (which EHR developers are) from using protected health information for their own business operations.”

Some have blamed the lack of interoperability equally on providers, vendors and policymakers. Although critics have argued that handing over patient data free of charge infringes on a company’s intellectual property, Savage writes that the platform that holds patient data is no different than “hospital-branded stationery on which protected health information may have been written in an earlier time.”