Download as PDF

June 3, 2019 

The Honorable Don Rucker, M.D.
National Coordinator for Health Information Technology 
U.S. Department of Health and Human Services
330 C Street, S.W.
Washington, D.C. 20201 

Submitted electronically via  

RE: (RIN 0955-AA01) 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT 

Dear Dr. Rucker:  

The National Association of ACOs (NAACOS) is pleased to submit comments in response to the proposed rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health, as published in the March 4, 2019 Federal Register.[1] We appreciate the efforts of the Office of the National Coordinator for Health Information Technology (ONC) to build a truly interoperable health system, which has been a shared goal of every administration since President George W. Bush. Furthermore, the bipartisan goal of shifting to a value-based payment system won’t be possible without improving the flow of health information among patients, providers, and payers. 

NAACOS, the largest association of ACOs, representing more than 6 million beneficiary lives through 330 Medicare Shared Savings Program, Next Generation Model, and commercial ACOs, completely agrees with remarks that Seema Verma, administrator of the Centers for Medicare & Medicaid Services (CMS), that the seamless flow of healthcare data is essential to a value-based payment system.[2] To properly manage and coordinate care, ACOs need to be able to easily exchange data between hospitals, physician offices, and other community providers. As one witness told lawmakers during a recent Senate hearing on health information technology (IT), “interoperability is not simply desirable. It's absolutely necessary.”[3] Unfortunately, it’s far from reality today. 

As concluded in a recent Office of Inspector General (OIG) report, “the full potential of health IT has not been realized” for ACOs’ care coordination efforts.[4] ACOs must work with little or incomplete data from health information exchanges (HIEs), making it difficult to coordinate care when patients saw providers outside of ACOs’ networks. ACOs using multiple EHR systems rely on other means to share data, including phone calls and faxes. That’s not the way care should be delivered in 2019.

The ACO model is a market-based solution to fragmented and costly care that empowers local physicians, hospitals, and other providers to work together and take responsibility for improving quality, enhancing patient experience, and reducing waste. ACOs today are assigned responsibility for roughly 20 percent of Medicare beneficiaries. Importantly, the ACO model also maintains patient choice of clinicians. In order to manage patient care, we must work across providers who work with different electronic health records (EHR) systems. ACOs should be the poster child of interoperability. We feel the brunt not just when a hospital patient’s record doesn’t sync with their admitting physician, but each ACO is a collection of providers whose every encounter is linked to either performance or care coordination programs. 

That’s why NAACOS embraces many of the concepts laid out in this proposed rule from ONC and its companion regulation published by CMS also on March 4, 2019.[5] NAACOS also submitted comments in response to the CMS proposed rule. Wider use of application programming interfaces (APIs) will allow ACOs to more easily connect with and share information between providers who use different EHR systems. Enforcement of “information blocking” will hopefully stop the willful intent to hinder the flow of patient information. And greater attention given to fees charged for medical record access and data exchange will help shed greater light on the practice. 

But ONC should be cautious of unintended consequences of certain proposed polices. We outline several below. For example, ONC should be careful and ensure none of the proposed policies lead to patients’ records being fragmented with parts held by some places and not others. This can be problematic and lead to worse patient care. Our members, more than many other healthcare organizations, want to see an effective, coordinated, patient-centric care process. 

Summary of Key Recommendations 

  • NAACOS is supportive of new API certification criterion to support population-level data access, which if successful, will allow ACOs to extract data from multiple EHRs to analyze and generally manage the care and quality of their assigned patient populations.
  • ACOs could face enormous costs to access patient data through APIs, and NAACOS urges ONC to pay attention to possible instances of this occurring and act when necessary.
  • ONC is correct to raise concern that a broad exception for the recovery of costs, for example because of non-standard design or implementation choices, could protect the very rent-seeking, opportunistic fees, and exclusionary practices it seeks to bar.
  • NAACOS requests ONC create a regulatory exceptions list to clarify the types of individuals and provider entities that are not included in definitions of HIEs and health information networks for purposes of information blocking.
  • ONC should furthermore adopt the Health Insurance Portability and Accountability Act (HIPAA) Rules’ definition of health care provider in §160.103. It’s a broader and more inclusive of innovative, alternative payment entities like ACOs.
  • NAACOS recommends ONC mimic HIPAA’s penalty structure for information blocking disincentives in order to lower administrative complexity and redundancy.
  • ONC should alter its proposed definition of electronic health information (EHI) to include information needed to support value-based care, specifically data captured in the U.S. Core Data for Interoperability (USCDI) data set.
  • NAACOS believes including pricing information in a definition of EHI is not the appropriate forum, and the topic, while potentially beneficial, warrants further study. 

Certification Criteria for Application Programming Interfaces (APIs) 

Proposals:ONC proposes a set of certification requirements for health IT developers to allow health information to be accessed, exchanged, and used without special effort through the use of APIs. Requirements focus on standardized, transparent, and pro-competitive practices to support the access, exchange, and use of EHI by patients and providers. ONC proposes to place limits on fees charged for access to APIs. Money can’t be charged for “value-added services” or in connection with activities that relate to patients’ ability to access, exchange, or use the medical records. Fees can be charged if they reasonably cover the cost of technology of APIs. 

Comments:NAACOS is supportive of efforts that make it easier to gain access to patient health information. The proposed rule creates new API certification criterion to support services for which multiple patients’ data are the focus, including a specific provider’s patient panel and a group of patients cared for through an alternative payment model. We appreciate the attention given to “population-level focused API services,” which ideally can improve clinical workflow and decision support through the application of data analyses to inform the quality and effectiveness of care delivered. 

As stated above, ACOs face challenges in trying to extract data from multiple EHR systems to pool into a single source to access patient records, analyze data, and generally manage the care and quality of their assigned patient populations. If successful, wider use of APIs and easier access to data through APIs will help ACOs who today must deal with disparate EHR systems and deploy costly techniques to access, exchange and use data. 

For the proposed API certification criterion to be successful, ONC must pay careful attention to fees charged by API data providers. It’s clear ONC has given time and attention to outlining what are permitted and prohibited charges. But there is still great ambiguity in allowing developers to “recover costs reasonably incurred to develop, deploy, and upgrade API technology.” ACOs today are confronted with enormous costs to interface with EHRs and could face those same costs to access patient data through APIs. NAACOS urges ONC to pay attention to possible instances of this occurring and take action when necessary. We provide further comment below about the allowance of fees charged for data exchange. NAACOS appreciates the reference to API data providers still being subject to information blocking provisions and providers comments below on the recovering of costs reasonable incurred by health IT companies. 

Information Blocking Exceptions 

Proposals: Under the 21st Century Cures Act, the Department of Health & Human Services (HHS) OIG can fine providers, health IT developers, HIEs, and health information networks for practices it deems as intentionally hindering the flow of patient records, or “information blocking.” ONC defines what activities shouldn’t be considered information blocking and the proposed rule outlines seven allowable exceptions: preventing harm; promoting privacy; promoting security; recovering costs reasonably incurred; responding to requests that are infeasible; licensing of interoperability on reasonable and non-discriminatory terms; and maintaining and improving health IT performance. For infeasible requests, ONC says stakeholders must provide a reasonable, alternative way to access the electronic health data.  

Comments:NAACOS supports the intention of 21st Century Cures Act provisions that promote information sharing and prohibit the purposeful not sharing of patient information. These actions undermine the work of ACOs, who are dependent on sharing patient medical records to coordinate care. 

Recovering Costs Reasonably Incurred

ONC proposes to exempt from its definition of information blocking the costs that actors seek to recover that were reasonably incurred in enabling access, exchange, or use of EHI. ONC specifically will continue to allow costs due to non-standard design or implementation choices; subjective or speculative costs; fees prohibited under the HIPAA Privacy Rule; individual electronic access; and export and portability of EHI maintained in EHR systems. 

The charging of fees, such as for data exchange and interfaces, was a prominent practice identified inONC’s 2015 report to Congress on information blocking as a barrier to data exchange.[6] About half of respondents to a 2017 Milbank Quarterly survey of 60 HIE leaders found vendors charged high fees for data exchange that were unrelated to costs.<a " href="#7">[7] These fees can vary widely and can make it cost-prohibitive for most customers to send, receive, or establish interfaces that enable EHI to be exchanged with other providers. A foundational aspect of ACOs and care coordination efforts is to communicate with non-affiliated providers and entities that use different EHR systems, making interfaces necessary. Costs to establish those interfaces or to engage in data exchange represent a roadblock on the path to delivery system and payment reform. 

ONC is correct to raise concern that a broad exception for the recovery of costs, for example because of non-standard design or implementation choices, could protect the very rent-seeking, opportunistic fees, and exclusionary practices it seeks to bar. In fact, most interfaces ACOs must build between disparate EHR systems could be considered a non-standard design and therefore the practice of charging of high, opportunistic fees would continue. 

ONC should be aware of how this exception works in conjunction with another proposed exception – the licensing of interoperability elements. While the latter’s intent is to provide for market-based innovation, the two combined could mean higher prices for health IT services as vendors charge more for value-added interoperability services, which are allowed in ONC’s proposed seven exceptions. 

NAACOS is also concerned that recovered costs based on “objective and verifiable criteria” could force ACOs to detail granular costs and fees that places an administrative burden on practices. The exception could be interpreted to mean a provider must retain extensive records to document all the costs incurred to implement a system. Conversely, it would also be difficult to know or verify the costs health IT venders incur for services and software, so ACOs can know if those costs were “reasonable.” 

Exceptions for Promoting Privacy

ONC proposes to exempt from its definition of information blocking practices that are reasonable and necessary to protect the privacy of an individual’s EHI. NAACOS values the work that ensures patient privacy is maintained and appreciates the work of ONC to keep necessary medical information private. Ensuring patient privacy will maintain patients’ confidence in the health system to keep their privacy. But we urge ONC to review this exemption so that it doesn’t cause administrative complexity, unintended consequences, or further exacerbate current problems. 

First, the four sub-exceptions ONC proposes, of which one must be met to be covered by the promoting privacy exception, create a regulatory framework that would create unnecessary administrative complexity and burdens if finalized. This framework should be streamlined and simplified to reduce provider burden. 

Secondly, one specific sub-exception is rife with unintended consequences. ONC proposes to exempt providers, health IT companies, and others from charges of information blocking if they abide by “organizational policies and procedures.” HHS has documented instances where these organizational policies are unduly restrictive and provide inaccurate interpretations of HIPAA. This leads to health data not flowing because of misapplication of well-intended privacy laws. ONC, in this instance, appears to be allowing organizations to block the sharing of health information when HIPAA allows it. In order to promote the proper information sharing while adhering to the HIPAA Privacy Rule, NAACOS urges ONC to strike this sub-exception in the final rule. Allow this sub-exception to stand threatens to undermine ONC’s work to promote information sharing. 

Lastly, the proposed rule appears to create dual and potentially conflicting privacy paradigms, which will be problematic if finalized. HIPAA allows – but does not require – medical records to be shared in most instances. ONC’s proposed rule would provide a different standard for the disclosure of protected health information. ONC even acknowledges this in the preamble when it states, “the information blocking provision may operate to require that actors provide access, exchange, or use of EHI in situations that HIPAA does not.” This potential conflict should be resolved. ACOs would be challenged by having to follow one set of rules for HIPAA and an entirely different set of rules for information blocking. NAACOS urges ONC to deem providers in compliance with the information blocking provisions if they follow the current HIPAA Privacy Rules. 

Definitions of Health Information Network, Health Information Exchange, and Health Care Providers 

Proposals:ONC proposes to define a “health information network” as an entity that oversees, administers, controls, or substantially influences policies, agreements, or technology that enables the access, exchange, or use of EHI between or among two or more unaffiliated individuals or entities. ONC proposes to adopt Section 3000(3) of the Public Health Service Act as the definition of “health care provider” and requests comments on including HIPAA covered entities in their definition. 

Comments:NAACOS appreciates the thought and consideration given to the definitions of the four categories of health IT entities. The 21st Century Cures Act uses those four terms, forcing ONC to define what individuals, organizations, and activities qualify for each one. But the result is a set of scenarios and use cases that are extensive, complex, and at times confusing. 

ONC lays out a potential scenario on pages 7512-7513 in the preamble of the proposed rule in which a health system could be considered both a provider and network for purposes of information blocking; A health system creates a new entity of different individuals or entities that are unaffiliated and administers the new network’s polices and technology that enables, facilitates, or controls the movement of information among providers. The health system would be considered an information network if it uses its control to interfere with the access, exchange, or use of patient information. ONC’s proposed definition of HIE is similar except that it exchanges EHI exclusively within a region or for a limited scope of participants. 

A final rule should simplify definitions so that entities don’t easily fall into multiple categories depending on how they handle patient information. Specifically, NAACOS requests ONC create a regulatory exceptions list to clarify the types of individuals and provider entities that are not included in definitions of HIEs and health information networks for purposes of information blocking. The list should include value-based care entities like ACOs and other provider groups, allowing ONC to keep its proposed definition while removing the complexity of a single entity from falling under multiple categories. We believe it was not Congress’s intent to include single entities in multiple, broad categories. Instead, they wanted to encourage the flow of health information. 

ACOs are defined in §425.20 and include one or more participants working under an agreement to provide coordinated care for a defined set of patients. ACOs could easily fall into ONC’s proposed definition of health information network or HIE, despite being comprised entirely of providers and suppliers. ONC should furthermore adopt the HIPAA Rules’ definition of health care provider in §160.103. It’s broader and more inclusive of innovative, alternative payment entities like ACOs. 

Health Care Providers’ Disincentives for Information Blocking 

Proposals: The 21st Century Cures Act calls for healthcare providers, whom the HHS Inspector General has determined to have committed information blocking, to be subject to “appropriate disincentives.” The proposed rule seeks comment on what those appropriate disincentives should be. 

Comments:While 21st Century Cures sets penalties for information blocking for health information networks, exchanges and developers, it allows HHS to define “appropriate disincentives” for providers. HHS already outlines in §160.404, 160.406, 160.408, and 160.412 civil monetary penalties for providers subject to violations of HIPAA. Those penalties are tiered and increase based on the nature and extent of the violation and harm resulting from the violation. NAACOS recommends ONC mimic HIPAA’s penalty structure; tiered and increasing based on the nature and extent of the violation and resulting harm, in order to lower administrative complexity and redundancy. HIPAA’s penalty structure has proven to balance disincentives with the need to encourage patient access. 

NAACOS reminds ONC that HIPAA covered entities and business associates may assert an affirmative defense to HIPAA civil penalties, except in cases of willful neglect, if the violation is corrected within 30 days. The time period may be extended at the secretary’s discretion. 

We believe that providers should never be subjected to penalties set aside for vendors, HIEs, and health information networks, which can be as high as $1 million per violation. Congress clearly established a separate penalty structure for providers, and as we stated above, ACOs should be treated only as providers. 

Along with a HIPAA-like penalty structure, we strongly recommend that providers be offered an appeals process. 45 CFR Subpart E offers such a process already with HHS actions being appealed to an Administrative Law Judge, the Departmental Appeals Board, and the U.S. Court of Appeals, if requested. 

Definition of Electronic Health Information 

Proposals: ONC’s proposed definition of EHI includes, but is not limited to, electronic protected health information and health information that is created or received by a healthcare provider and those operating on their behalf. EHI identifies the individual and relates to the past, present, or future provision of health care and payment of health care. EHI is not limited to information that is created or received by a healthcare provider, health plan, healthcare clearinghouse, public health authority, employer, life insurer, school, or university. 

Comments:ONC’s proposed definition of EHI is unnecessarily and overly broad and would be administratively complex to meet. Given the stiff penalties and important work to prevent information blocking, creating such a broad definition could have unintended consequences. Declaring EHI as all electronic information related to the past, present, and future provision of health services and payment could result in hundreds, maybe thousands, of records per patient. Furthermore, it would include information and data that would never be used by providers and has little or no impact on patient care. That volume of information would overwhelm providers and harm the health system. 

ONC should alter its proposed definition to include information needed to support value-based care, specifically data captured in the U.S. Core Data for Interoperability (USCDI) data set. We strongly urge ONC to focus on exchange of USCDI data. This approach to clinical data is more consistent with that taken by CMS in its proposed rule on interoperability and patient access. Widespread exchange of a more targeted dataset is aligned with achieving better outcomes for patients and more attainable in the near-term. 

Further, challenges arise because ONC’s proposed definition of EHI exceeds what is contained in HIPAA’s right of access under §164.524. Exceeding what is required under HIPAA becomes unduly complex and will create excessive administrative burden. 

Definition of EHI to include pricing 

Proposal:ONC seeks comment on the parameters and implications of including price information in the definition EHI for purposes of information blocking and, on a broader level, comment on the technical, operational, legal, cultural, environmental, and other challenges to creating price transparency within health care. 

Comments:NAACOS agrees with ONC’s sentiment that additional transparency in healthcare prices and costs would help empower patients to make more informed decisions about their care. The health system is improved when patients become more involved with their care planning, treatment options, and ramifications, including costs. However, we believe including pricing information in a definition of EHI is not the appropriate forum. 

Consumers could benefit from making contract prices publicly available, especially in a time when high-deductible health plans are increasing in popularity, and publicly available data could help identify high-performing providers, which would aide ACOS. But there are unintended consequences as the Federal Trade Commission (FTC) wrote in 2015 in their work on competition in health care.[8] NAACOS believes the issue warrants further study by the FTC, HHS, and others. While including this request for information is appreciated, including it in ONC’s information blocking proposed rule is not the best time or place for this important topic.  


ACOs have been instrumental in the shift to value-based care, and a central part of their success is the ability to send, receive and process patient data. Interoperability remains and elusive, but necessary, goal to improving the quality and efficiency of our health system. ONC’s work with this proposed rule, coupled with the companion rule put forth by CMS, makes progress on the goal of true interoperability. That’s why it’s important for the administration to adopt our recommendations and finalize certain aspects of this rule with necessary changes and proper oversight. Thank you for your consideration of our comments. Should you have any questions about this letter, please contact David Pittman at [email protected]


Clif Gaus, Sc.D.
President and CEO
National Association of ACOs