On November 4, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule with Comment Period (IFC) that delays compliance dates necessary to meet certain requirements related to information blocking initially finalized in the ONC Cures Act Final Rule (Final Rule) in March of 2020. The Final Rule implemented health IT provisions enacted under the 21st Century Cures Act (the Cures Act) to achieve ubiquitous interoperability among health IT systems and to improve patient’s ability to access their electronic health information (EHI). Among these provisions is a prohibition of information blocking. This article will define information blocking, provide and explain exceptions to such practice, detail the IFC’s deadline extensions, and highlight key compliance concerns and solutions regarding these reforms.
The term “Information Blocking” is broadly defined by the Cures Act as any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the entity knows (or should know) that it is likely to do so. The Cures Act specifies four types of “actors” that must comply with the information blocking rule:
- Healthcare Providers
- Health information technology companies that have a certified health IT system
- Health information networks (HINs)
- Health information exchanges (HIEs)
To be an information blocker, an entity must recognize that its actions would interfere with EHI use. For example, providers may be information blocking when they deny access to a patient’s data when requested by another provider. Providers may also be information blocking when they deny a patient’s attempts to obtain their personal health information.
The Cures Act’s definition of information blocking has been the source of much discussion since its enactment in 2016. In March of 2020, the ONC finalized implementation of these provisions and provided several exceptions that providers and developers can utilize for protection.
Exceptions to Information Blocking
Information blocking exceptions are defined as reasonable and necessary activities that would guarantee a provider or developer protection from penalties under the Final Rule. The eight exceptions are as follows:
- The Preventing Harm Exception. This exception recognizes that certain situations may arise out of public interest in which information blocking could prevent physical harm to a patient or another person. Most often, this occurs when a physician reasonably believes that disclosure of EHI would endanger life or physical safety. Use of this exception can be appealed by the patient, and must not conflict with related HIPAA regulations concerning right of access.
- The Privacy Exception. This exception seeks to resolve conflict between privacy laws and regulations that prevent disclosure with the Information Blocking rules that require it. Under this exception, no actor is required to disclose EHI is such disclosure is prohibited under state or federal law.
- The Security Exception. This exception dictates that it is not Information Blocking when an actor interferes with access, exchange, or use of EHI to protect the security of EHI, provided the actor meets certain conditions. These conditions require the action to directly relate to safeguarding confidentiality, integrity, and availability of EHI, tailored to the specific security risk being addressed, and implemented in a consistent, non-discriminatory manner. The ONC has expressed attention toward abuse of this exception as a disguise for security policies that are information blocking, so enforcement in this area is likely.
- The Infeasibility Exception. This exception recognizes that some providers may have insufficient technological capabilities to fulfill certain EHI access requests. Unsurprisingly, because these regulations intend to promote technological progress and to create incentives to obtaining stronger technological capabilities, the conditions for meeting this exception are narrow. Actors may utilize this exception if one of the following conditions applies: an uncontrollable event, like a public health emergency or an internet service interruption, prevents performance; the actor cannot unambiguously segment the requested EHI from other EHI that is prohibited from disclosure by law or may be withheld under the Preventing Harm Exception; or performance is otherwise unfeasible under the circumstances, a determination which must be made in written record prior to response to the request.
- The Health IT Performance Exception. This exception dictates that it is not Information Blocking to temporarily make unavailable health IT for updates and other improvements so long as such unavailability is intended to maintain and improve the health IT, consistent with existing service level agreements, intended to prevent harm under the Preventing Harm Exception, or security-related under the Security Exception.
- The Content and Manner Exception. Discussed in detail below, this exception allows actors to restrict the content and manner of access provided within certain parameters for a limited duration after the Final Rule’s publication. Specifically, under the “content condition” actors may choose to provide only data elements in the United States Core Data for Interoperability (USCDI), a standard set of health data classes and constituent data elements for health information exchange, in early stages after implementation of this rule. Under the “manner condition,” actors may respond to EHI requests in alternative manners when the requested manner is technically impossible. Providers should discuss this exception with EHR vendors that may limit access, use, and exchange of patient information under current agreements.
- The Fees Exception. This exception allows actors to charge fees related to providing access of EHI. These fees can result in a reasonable profit so long as certain conditions regarding fee basis and certification are met, and such fees are not within ONC’s provided excluded fees.
- The Licensing Exception. This final exception seeks to protect intellectual property rights by excluding from the definition of Information Blocking the licensing of “interoperability elements” for EHI to be accessed, exchanged, or used so long as certain timing and licensing conditions are met. This exception is more likely to be used by EHR vendors than by providers. An actor must begin license negotiations within 10 business days from receipt of a request and must complete negotiations within 30 business days from such request. “Interoperability elements” include hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that may be necessary to access, exchange, or use EHI and are controlled by the actor sufficient to grant such a license.
The Final Rule does not supersede state or federal law. While certain actions or circumstances may not fulfill an exception to Information Blocking under the ONC Final Rule, some states may impose specific preconditions for information release (particularly for sensitive information) that work in conjunction with these exceptions. To avoid enforcement actions, actors must satisfy at least one exception and meet all applicable conditions, unless required by law. The process for the public to report claims of information blocking has been established through the Health and Human Services website and the Office of the Inspector General (OIG). The penalties for information blocking vary depending on the actor. For health IT developers of certified technology and HIN/HIEs there are civil monetary penalties (CMPSs) up to $1 million per violation. For providers, the Final Rule states there will be “appropriate disincentives.”
In light of the ongoing COVID-19 public health emergency, the information blocking provisions and requirements compliance date is now April 5, 2021. By this deadline, providers must share EHI with patients, community providers, HIEs and other actors securely with patient authorization. In particular, they must first share United States Core Data for Interoperability (USCDI) data within a 24-month temporary compliance period, and all EHI will be subject to the information blocking rule after this temporary period.
Implementation and Compliance Strategies
The April 5, 2021 deadline represents a huge shift in data management by requiring open access for patients and authorized third parties, rather than guarding patient data. Technical changes are required, but also material operational changes are required to respond to data requests. Providers should update HIPAA and other business agreements and policies and new processes and clinical workflows to ensure that the necessary data is available and is accessible in a timely manner in the method requested. Providers should remember that EHR developers are not required to implement functionality for USCDI currently. Therefore, providers will need to develop their own request response workflows to include all USCDI items.
Affected healthcare stakeholders will need a robust infrastructure and governance standards to attest to and maintain compliance regarding information blocking, including:
- Establishing a governance structure to review requirements and develop an action plan
- Reviewing access policies and revising accordingly to meet the final rule requirements
- Developing a process for evaluating access in regard to the eight exceptions
- Training staff on all policy changes
While reviewing and revising your compliance plan, providers should develop an implementation plan to prepare for the information blocking regulations. The implementation plan should:
- Identify business risks such as current information blocking practices, EHI access/exchange/use, and EHI products and services
- Identify how to mitigate risks, including using HIEs and interoperability frameworks, using standard interfaces/documents, and develop organizational stance on data access and release
- Evaluate any applicable exceptions and establish the necessary documentation processes
- Identify required actions and changes to contracts, agreements, and licenses
- Review and update information governance and release of information policies
- Develop policies and procedures for business/compliance plans
- Develop internal training and internal reporting/processes
Providers should be aware that, despite previous extensions due to the COVID-19 public health emergency, ONC is unlikely delay the compliance date again. Best practice is to ensure compliance with all of the above before April 5, 2021.