The U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) released an interim final rule on October 29, 2020, delaying the implementation of the information blocking rule under the 21st Century Cures Act (Information Blocking Rule). In the rule, ONC makes clear that healthcare providers, health IT developers of certified health IT, and health information networks and exchanges will not be subject to the Information Blocking Rule until April 5, 2021.
ONC has extended the compliance date from November 2, 2020, due to the industry need to respond to and manage the COVID-19 pandemic. This delay is a welcome relief for the regulated community and an explicit recognition that flexibility is needed as the industry faces many competing priorities. Yet ONC is clear that it fully intends to secure for patients their access rights to digital data under the 21st Century Cures Act.
Section 4004 of the 21st Century Cures Act defines “information blocking” as a practice by an actor that is unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI). The Information Blocking Rule governs providers, health IT developers, and health information networks and exchanges (referred to as “actors”). ONC outlines five types of practices that serve as examples of conduct that may be likely to interfere with the access, exchange or use of EHI as follows:
- Imposing restrictions on the access, exchange, or use of EHI;
- Imposing limits or restrictions on the interoperability of health IT;
- Impeding innovation and advancements in access, exchange or use of health IT-enabled care delivery;
- Rent seeking and opportunistic pricing practices; and
- Non-standard implementation practices that lead to unnecessary complexity and burden.
The 21st Century Cures Act authorized HHS to identify certain practices that technically meet the definition of information blocking but are reasonable and necessary to further the underlying data sharing goals of the act, a task that HHS delegated to ONC. The ONC final rule published on May 2, 2020 includes the exceptions to the information blocking provisions governing how actors must share EHI.
The ONC final rule had limited the definition of “EHI” for purposes of the Information Blocking Rule to the data elements listed in the U.S. Core Data for Interoperability (USCDI) standard until May 2, 2022. Under the interim final rule, this limited definition of EHI has been extended to apply to October 6, 2022.
Besides ONC’s substantive rule, the regulated community should take stock of the enforcement rule currently under development by the HHS Office of Inspector General (OIG). The OIG is authorized under the 21st Century Cures Act to investigate information blocking claims against actors and to subject health IT developers of certified health IT and health information networks and exchanges to civil monetary penalties (CMPs). If the OIG determines a healthcare provider is engaged in information blocking, the statute requires the OIG to refer the matter to “the appropriate agency to be subject to appropriate disincentives” using such authorities as HHS establishes through notice and comment rulemaking.
In its proposed rule, the OIG states it will limit its enforcement to health IT developers and health information networks and exchanges; enforcement efforts applicable to healthcare providers will be the subject of a separate rulemaking process that has not yet occurred. The OIG also stated it would not impose CMPs against actors for information blocking until that regulation becomes effective. Thus, OIG has promised that practices occurring after the April 5, 2021, compliance date will not be subject to penalties until 60 days after it finalizes the CMP regulation.
Both ONC and the OIG have stated that enforcement will entail a case-by-case assessment of the facts and circumstances to determine whether the conduct meets the definition of information blocking and is not required by law, whether the actor possessed the requisite level of intent, and whether an exception is met. In its proposed rule, OIG says its enforcement priorities will focus on blocking practices that may result in patient harm; impact a provider’s ability to care for patients; are of a long duration; cause financial loss to federal healthcare programs or other government or private entities; or that occur with the defendant’s actual knowledge.
Review of the Information Blocking Exceptions
ONC established eight categories of reasonable and necessary practices that will not be considered information blocking. ONC emphasized that failure to meet an exception does not necessarily mean a practice meets the definition of information blocking. As such, the exceptions operate much like the safe harbors under the federal Anti-Kickback Statute, requiring that the facts and circumstances surrounding information blocking claims be analyzed on a case-by-case basis. Outside the exceptions, the OIG will investigate practices that implicate the information blocking prohibition to determine whether the practice rises to the level of an interference and whether the actor acted with the requisite intent. ONC encouraged actors to voluntarily comply with an exception so that their practices are not subject to information blocking investigations.
ONC divided the exceptions into two categories: those that involve not fulfilling requests to access, exchange, or use EHI, and those that involve procedures for fulfilling such requests.
Exceptions for Requests to Access, Exchange or Use of EHI That Are Not Fulfilled
- Privacy Exception – An actor may decline to fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met. ONC created four privacy sub-exceptions that permit an actor to deny requests on the grounds of protecting individual privacy:
  - For actors required to satisfy preconditions required by federal or state privacy laws (e.g., consent) when that precondition has not been satisfied, provided the actor uses reasonable efforts within its control to provide the individual with a consent or authorization form satisfying all applicable requirements or provide other reasonable assistance with respect to deficiencies. The final Privacy Exception moves some of the burden to the individual to provide consent.
  - For covered entities and their business associates, following the applicable provisions in the HIPAA Privacy Rule for the unreviewable grounds of a denial of the individual’s access request.
  - For health IT developers not regulated by HIPAA, under their privacy policies if certain conditions are met.
  - For requested restrictions from an individual not to provide access, exchange or use of EHI, provided certain conditions are met.
- Security Exception – It is not information blocking for an actor to interfere with the access, exchange, or use of EHI to protect the security of EHI, provided certain conditions are met. A key condition of the exception is that the practice must either implement a qualifying security policy or security determination and be:
  - Directly related to safeguarding the confidentiality, integrity, and availability of EHI;
  - Tailored to the specific security risks; and
  - Implemented in a consistent and non-discriminatory manner.
The Security Exception requires actors to adopt a written organizational security policy that follows the HIPAA Security Standards and consensus-based standards such as NIST. Otherwise, the facts and circumstances surrounding the practice will be analyzed under a stricter standard to determine whether the practice is necessary to mitigate the security risk to EHI, and there are no reasonable and appropriate alternatives to the practice.
- Preventing Harm Exception – Under the Preventing Harm Exception, it is not information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met, including:
  - The actor reasonably believes the practice will substantially reduce a risk of harm;
  - The practice is no broader than necessary;
  - The practice satisfies at least one condition from each of the following categories: type of risk, type of harm, and implementation basis; and
  - The practice gives patients the right to request review of an individualized determination of risk of harm.
- Infeasibility Exception – It is not information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the request being infeasible, defined to include the following events:
  - Uncontrollable events, enumerated to include such events as public health emergencies, internet service disruption, and regulatory acts;
  - The inability to unambiguously segment the requested EHI from EHI that cannot be disclosed due to legal restrictions or the individual’s preference; and
  - The actor demonstrates with contemporaneous records that it considered the request infeasible under several factors in a consistent and nondiscriminatory fashion.
The Infeasibility Exception requires an actor to provide a written response to the requestor within 10 business days of receipt of the request with the reason(s) why the request is infeasible.
- Health IT Performance Exception – It is not information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met. The Health IT Performance Exception requires that the practice last no longer than necessary and establishes conditions under four different sub-exceptions for maintenance and improvement to health IT, assuring a level of performance when third-party apps impact performance, responding to a risk of harm to a patient or another person subject to the Risk of Harm Exception, and security-related practices subject to the Security Exception.
Exceptions Involving Procedures for Fulfilling Requests to Access, Exchange, or Use of EHI
- Content and Manner Exception – It is not information blocking for an actor to limit the content or manner when fulfilling a request for the access, exchange or use of EHI by meeting both of these conditions:
  - Content: Until October 6, 2022, an actor may limit the content of the EHI that fulfills a request to access, exchange or use of EHI to the data elements listed in the U.S. Core Data for Interoperability (USCDI) standard and the limit will not be considered information blocking. On or after that date, an actor must respond to the request with the full scope of data in the EHI definition above.
  - Manner: The actor must fulfill the request in the manner requested unless technically unable to do so or the actor and the requestor mutually agree on license terms. If the parties cannot agree on terms, the actor must fulfill the request in an alternative manner based on an order of priority specified by rule, namely, first by using ONC-certified health IT, then federal or ANSI-accredited standards-based content and transport standards that the requestor specified, or finally through a machine-readable format capable of interpreting the data agreed to by the parties.
- Reasonable Fees Exception – Under the Reasonable Fees Exception, it is not information blocking for an actor to charge fees that result in a reasonable profit margin for accessing, exchanging, or using EHI provided certain conditions are met. The exception excludes certain fees and requires that the permissible fees meet uniformly applied objective criteria, be reasonably related to costs not already recovered, and be determined based on a reasonable allocation of costs. Health IT developers must comply with the ONC standards for API technology and further limit fees to healthcare providers and third-party application developers.
- Licensing Exception – It is not information blocking for an actor to refrain from licensing certain of its interoperability elements it controls, such as intellectual property rights, hardware, software, technologies, or services, when the actor fulfills a request for EHI to be accessed, exchanged, or used in an alternative manner. The actor must initiate negotiations with the requestor on the terms for licensing the interoperability elements within 10 business days of receiving the request and finalize the negotiations within 30 business days of receiving the request. Those licensing terms and any royalty must be reasonable and non-discriminatory and meet enumerated conditions under the Licensing Exception.
The Information Blocking Rule will be transformative. The rule promises great benefits, especially the provisions making it easier for patients to access their own health information and share it with consumer apps, and the six-month delay of the compliance deadline provides welcome relief to the regulated community while they seek additional regulatory guidance regarding the appropriate standards of conduct.
Many industry leaders have noted how sharing patient data across the healthcare ecosystem would help contain the spread of COVID-19. Others have noted that the industry is facing severe financial limitations and resource constraints with no clear end in sight. Providers continue to focus on the urgent issues of maintaining the availability of critical clinical staff and supplies, managing surge capacity and elective schedules, and hoping to play a critical role in the roll-out of a vaccine for healthcare workers and the public at large. In view of these competing priorities, many providers, health IT developers, and health information networks are only now beginning to grapple with the dense, technical requirements in the Information Blocking Rule.
While healthcare providers, health IT developers of certified health IT, health information networks, and health information exchanges all should begin to comply with ONC’s information blocking provisions on the compliance date, they should have some peace of mind regarding potential enforcement actions. The OIG, both in the proposed rule and its public statements, has been clear that conduct from now until the effective date of its final rule will not be subject to information blocking civil monetary penalties.
At the same time, however, eligible professionals and hospitals participating in the Centers for Medicare and Medicaid Services (CMS) Promoting Interoperability Programs must continue to make annual attestations that they are not restricting the interoperability of certified EHR technology and are timely responding in good faith to requests to exchange EHI from patients and other providers. And healthcare providers that are covered entities under HIPAA must follow the HIPAA patient information access rules that the HHS Office for Civil Rights is now vigorously enforcing.
Now is the time to focus on the Information Blocking Rule requirements and do the work necessary to establish appropriate practices for advancing interoperability goals safely and securely.