The U.S. Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology (ONC) published its Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing Final Rule (HTI-1 Final Rule) earlier this year. The HTI-1 Final Rule went into effect on March 11, 2024. In this final rule, ONC implements the "EHR Reporting Program" from the 21st Century Cures Act, which requires transparent reporting on certain certified health information technology (health IT) metrics under the new "Insights" Condition and Maintenance of Certification blocking regulations. The HTI-1 Final Rule also updates information blocking regulations in response to feedback from affected parties. In addition, the final rule adopts Version 3 of United States Core Data for Interoperability (USCDI v3) as the baseline USCDI standard as of Jan. 1, 2026. Further, the HTI-1 Final Rule updates the ONC Health IT Certification Program's (Program) standards, criteria and requirements.

Information Blocking

In the HTI-1 Final Rule, ONC updated Information Blocking definitions, added new options to satisfy one of the existing exceptions and established a new exception applicable to certain information sharing requests between parties who have chosen to become part of the Trusted Exchange Framework and Common Agreement (TEFCA). The final rule addresses feedback from interested parties about the intent and application of information blocking regulatory provisions and clarifies established regulatory terms.

Information Blocking Definitions

Offer Health IT: ONC defined what it means to "offer health IT" for purposes of the information blocking regulations. This definition narrows the potential applicability of the "health IT developer of certified health IT" definition through explicit exclusion of certain activities from the "offer health IT" definition.

Specifically, an individual or entity that offers certified health IT will include "any individual or entity that under any arrangement makes certified health IT available for purchase or license." 85 FR 25798. Individuals or entities that otherwise fall into at least one category of actor as defined in 45 CFR 171.102 – such as healthcare providers – and individuals or entities that otherwise would not fit the definition of any category of actor could offer certified health IT that they did not themselves develop or present for certification. As offerors of certified health IT, these individuals or entities could engage in conduct that constitutes information blocking as defined in Section 171.103, such as through contractual terms or practices undertaken in operating and maintaining health IT deployed by or for another individual or entity.

Generally, the finalized definition of "offer health IT" will continue to include providing, supplying or holding out for potential provision or supply, certified health IT under any arrangement or terms, but with explicit exclusions. First, the definition excludes making available funding to obtain or maintain certified health IT, provided the funding is made available without condition(s) limiting the interoperability or use of the technology to access, exchange or use electronic health information for any lawful purpose. With this exclusion, ONC seeks to encourage certain beneficial arrangements under which providers in need can receive subsidies for the cost of obtaining, maintaining or upgrading certified health IT.

Second, the finalized "offer health IT" definition also explicitly codifies that healthcare providers or other health IT users do not "offer health IT" when they engage in certain health IT implementation and use activities, regardless of whether they obtain that health IT from a commercial developer or a reseller or develop it themselves. Here, ONC's purpose is to give healthcare providers (and others) who use certified health IT concrete certainty that implementing certain health IT features and functionalities, as well as engaging in certain practices that are common and beneficial in an electronic health record (EHR)-enabled healthcare environment, will not be considered an offering of certified health IT (regardless of who developed that health IT).

ONC also finalized an exclusion from the ''offer health IT'' definition that applies to certain consulting and legal services. This consulting and legal services exclusion encompasses supplying health IT in complement to the other items, supplies, facilities and services that a consultant handles for a clinician practice or other healthcare provider. The consulting and legal services exclusion from the ''offer health IT'' definition encompasses assistance by health IT consultants with the selection, implementation and use of specific health IT and certain legal services furnished by outside counsel.

The exclusion also, notably, provides an exception when health IT is provided in a comprehensive (turnkey) package of services for administrative or operational management to the extent that the arrangement providing health IT also meets certain conditions. This exception is of particular importance for physician practice management organizations, which are not "actors" except for potential inclusion in the definition of a health IT Developer.

Therefore, "offering health IT" means, unless an exception applies, that an individual or other organization holds out the health IT for sale, resale, license or relicense for deployment by or for other individual(s) or entity(ies); sells, resells, licenses, relicenses the health IT for deployment by or for other individual(s) or entity(ies); or otherwise provides or supplies the health IT for deployment by or for other individual(s) or entity(ies). An exception may apply when the health IT is offered or supplied for:

• donation and subsidized arrangements in which one provider supplies certified health IT through donation or funding subsidy to another provider that is not able to afford the cost of the certified health IT
  • may not be conditioned on limiting the interoperability or use of the technology for any lawful purpose

• implementation and use activities such as:
  • pre-production staging or testing environments
  • uses of health IT for education and improvement activities such as training
  • providing access to furnish, document and bill for care provided by a healthcare provider
  • providing a public health authority employee with access to health IT systems
  • providing access to registries and similar data services
• the selection and implementation of health IT
• consulting and legal services – providing access and use of health IT to outside consultants and attorneys
• operations management services arrangements in which the administrative or operational management organization "stands in the shoes" of the healthcare provider in dealing with the health IT developer and manages the day-to-day operations and administrative duties for health IT as part of a comprehensive package of practice management or other provider administrative or operations management services. Requirements include:
• management entity must act as the agent of the provider in dealing with the health IT vendor
  • management agreement must include other non-IT services and all services must be through the same contract
  • services must include non-IT services
  • nonhealth IT services must represent more than one-half of person hours per year by manager and cost to healthcare provider

Health IT Developer of Certified Health IT: ONC modified the definition of a "health IT developer of certified health IT" so that it is clear that healthcare providers who self-develop certified health IT would continue to be excluded from this definition if they do not offer any certified health IT to others.

Information Blocking: ONC revised the definition for "information blocking" to remove language that was no longer applicable. The language referred to the period of time for which electronic health information (EHI) was limited to the data elements represented in the USCDI v1, which ended on Oct. 5, 2023.

Information Blocking Exceptions

Infeasibility Exception: The Infeasibility Exception includes conditions under which an actor's practice of not fulfilling requests for EHI access, exchange or use due to infeasibility will not be considered information blocking. ONC revised one condition and created two new conditions for the Infeasibility Exception.

ONC revised the "uncontrollable events" condition by replacing the words "due to" with "because of" to further clarify when an actor's practice meets the "uncontrollable events" condition such that it would not be information blocking if an actor does not fulfill a request to access, exchange or use EHI. Specifically, the fact that an uncontrollable event occurred would not be a sufficient basis alone for an actor to meet this condition. Rather, the actor must demonstrate a causal connection between the actor's inability to fulfill access, exchange or use of EHI and the uncontrollable event. The uncontrollable event need not be the only cause of a particular infeasibility, but the actor needs to demonstrate that the uncontrollable event did in fact negatively impact the feasibility of that actor fulfilling access, exchange or use in the specific circumstances where the actor is claiming infeasibility.

ONC added a new "third party seeking modification use" condition, which would apply in certain situations where the actor is asked to provide the ability for a third party (or its technology, such as an app) to modify EHI. This condition applies only where a third party seeks to enable use of EHI in order to modify EHI within the records or systems maintained by the actor, provided the request is not from a healthcare provider requesting such use from an actor that is its business associate. This condition cannot be satisfied where a third party seeks only access or exchange or EHI, even if the actor is certain that the requestor will or may make "modification use" of the EHI once it is in the requestor's possession, custody or control. For example, the condition does not apply to situations where a healthcare provider, or their health IT developer chooses not to accept and process (such as through an EHR's receive and incorporate functions) EHI from a patient's health plan or prior healthcare provider or another of the patient's current health care providers.

ONC added a new "manner exception exhausted" condition, which is applicable when an actor is unable to fulfill a request for access, exchange or use of EHI after having exhausted the renamed Manner Exception. The condition applies only under certain circumstances, including when the actor does not currently provide to a substantial number of individuals or entities, similarly situated to the requestor, the same requested access, exchange or use of the requested EHI.

Manner Exception: ONC renamed the Content and Manner Exception and renumbered its conditions to reflect removal of the "content condition" that was applicable only for the period before Oct. 6, 2022.

TEFCA Manner Exception: ONC established a new "TEFCA Manner Exception" that applies where an actor and requestor are both part of TEFCA. Where the exception is met, fulfilling certain requests for EHI only via TEFCA will not be considered information blocking. Providing an information blocking "safe harbor" through TEFCA is an incentive to review and consider the arrangement.

Compliance Tips

Healthcare providers and other actors should review and update their Information Blocking policies – or adopt Information Blocking policies – that specify how the organization will comply with the Information Blocking rule, including the relevant updates finalized in the HTI-1 Final Rule. Providers should also review and update their organization's Health Insurance Portability and Accountability Act (HIPAA) policies as well as their related Designated Record Set definitional policy and access to and requests for records policies. Information Blocking compliance monitoring should be added to third-party suppliers, including electronic medical record and other health IT. In addition, organizations should review relevant provisions in management service agreements and update as necessary to clarify that providing health IT is only a component of the management services and is not considered offering health IT as defined by the Information Blocking rule. Relevant forms for documenting applicability of Information Blocking exceptions should also be reviewed and updated or prepared, if needed.