On November 4, 2020, the US Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) published an interim final rule with comment period in the Federal Register that extends certain compliance dates included in ONC’s May 1, 2020, final rule implementing the 21st Century Cures Act. Among other things, the ONC interim final rule pushed the compliance date for ONC’s information blocking provisions from November 2, 2020, to April 5, 2021. The interim final rule did not make substantive changes to the information blocking provisions or ONC’s Health IT Certification Program.
On November 4, 2020, the US Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) published an interim final rule with comment period (ONC IFR) in the Federal Register that extends certain compliance dates included in ONC’s final rule published in the Federal Register on May 1, 2020, to implement certain provisions of the 21st Century Cures Act. A key extension is the change of the information blocking prohibition applicability date (formerly, the “compliance date”) from November 2, 2020, to April 5, 2021. ONC also extended deadlines for certain health IT certification requirements included in the ONC final rule.
The ONC IFR did not establish penalties for information blocking by health care providers or make other substantive changes to the information blocking provisions of the ONC final rule or ONC’s Health IT Certification Program. (For more information regarding the substantive requirements of the ONC final rule, see our prior Special Report.) Rather, ONC stated that it is simply providing an extension in response to the unique circumstances of the Coronavirus (COVID-19) pandemic.
ONC recognized that the original compliance date did not allow sufficient time for covered actors, including certified health IT developers, health care providers and health information networks and health information exchanges (HIN/HIEs), to assess whether their arrangements and practices that involve the access, exchange or use of electronic health information (EHI) comply with the information blocking prohibition and, if appropriate, amend existing arrangements and implement new procedures to avoid information blocking, particularly when many covered actors are on the front lines combating COVID-19. ONC also concluded that certified health IT developers needed more time to update their software to address new requirements for application programming interfaces (APIs), EHI export and other capabilities.
Although appreciated, the ONC IFR—which spent more than a month under Office of Management and Budget review—came at the 11th hour, with many certified health IT developers and health care providers already well along the path of implementing their information blocking compliance strategies. Balancing against the need for resources to directly and indirectly combat the COVID-19 pandemic, certified health IT developers and health care providers can use the additional few months to test and refine information blocking prohibition compliance procedures. Specifically, health care providers should consider whether the additional time allows them to test or revisit their release of information practices or any plans for the availability of EHI through their patient portals. Similarly, certified health IT developers should evaluate whether the extension to the health IT certification criteria deadlines affect their software development timelines.
Stakeholders may submit comments to the ONC IFR through 5 pm EST on January 4, 2021.
The following sections discuss the new compliance dates applicable to (1) certified health IT developers, HIN/HIEs and health care providers, and (2) only certified health IT developers under the ONC’s Health IT Certification Program.
Changes to Key Compliance Dates Applicable to Certified Health IT Developers, HIN/HIEs and Health Care Providers
April 5, 2021
- Information Blocking Provisions
ONC extended the applicability date for the information blocking prohibition from November 2, 2020, to April 5, 2021. The information blocking provisions prohibit practices that the actor knows are likely to interfere with access, exchange or use of EHI, unless the practices are required by law or are covered by one of the eight exceptions established by ONC. For health care providers, the provider must also know that the practice is unreasonable for it to constitute prohibited information blocking. For the first 18 months, the information blocking provisions will only apply to EHI identified by the data elements represented in the US Core Data for Interoperability (USCDI).
October 6, 2022
- Scope of Information Blocking Provisions Expands to the Full Electronic Designated Record Set
ONC changed the date on which the scope of the information blocking provisions expands from the data elements represented in the USCDI to the full electronic designated record set as defined in the HIPAA regulations from May 2, 2022, to October 6, 2022.
Changes to Key Dates Applicable Only to Certified Health IT Developers
April 5, 2021
The ONC IFR extended the compliance date for the following health IT certification requirements applicable to certified health IT developers from November 2, 2020, to April 5, 2021.
- Information Blocking Condition of Certification (CoC) requirement
The Information Blocking CoC provides that a certified health IT developer must not engage in practices that constitute information blocking. Thus, in addition to potential civil monetary penalties for information blocking under the Cures Act, a certified health IT developer may jeopardize its products’ certification status if it engages in information blocking. The April 5, 2021, compliance date for the CoC aligns it with the new applicability date for the ONC final rule’s separate information blocking provisions.
- Assurances CoC and Maintenance of Certification (MoC) requirements
The ONC final rule’s Assurances CoC requires certified health IT developers to provide satisfactory assurances that they will not take any action that constitutes information blocking, and will ensure that their health IT conforms to the full scope of the certification criteria. The Assurances MoC requires certified health IT developers to retain all records and information necessary to demonstrate initial and ongoing compliance for 10 years beginning from the date the developer’s health IT is first certified.
- API CoC – compliance for current API criteria
The ONC final rule’s API CoC requires health IT developers that offer certified APIs to allow EHI to be accessed, exchanged and used through the certified API without special effort, and to publish complete business and technical documentation via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps. The CoC also establishes specific limitations to fees, terms and conditions that certified health IT developers may apply to their certified APIs.
- Communications CoC/MoC requirements
The Communications CoC provides that a certified health IT developer must not prohibit or restrict communications regarding the usability, interoperability or security of its health IT; the developer’s business practices; or the manner in which someone has used the developer’s health IT. Until developers have revised their contracts with customers and other contractors in accordance with the CoC, the Communications MoC requires developers to issue an annual written notice to the customers and contractors stating that they may make communications on these topics, even if the customer has agreed to contract provisions that contradict the CoC and would otherwise prohibit such communications.
December 15, 2021
- Submission of initial plan for real world testing
The ONC final rule requires certified health IT developers to submit testing plans to their certifying bodies to test a subset of certified health IT functionality in the setting(s) where the certified health IT modules are (or will be) marketed.
April 1, 2022
- Submission of initial attestations
Certified health IT developers are required to attest on a semiannual basis beginning on April 1, 2022, that they are in compliance with applicable CoC and MoC requirements.
December 31, 2022
The ONC IFR extends the deadline for certified health IT developers to update their software to include certain new certified capabilities from May 2, 2022, to December 31, 2022:
- New standardized API functionality
Certified health IT developers with certified APIs are required to make available FHIR-based APIs certified to § 170.315(g)(10) by no later than December 31, 2022.
- 2015 Edition health IT certification criteria updates in the ONC final rule (except for the updated EHI export capability, which is extended until December 31, 2023)
Certified health IT developers must update health IT modules certified to various other 2015 edition certification criteria to address revised standards and specifications established under the ONC final rule.
March 15, 2023
- Submission of initial results of real-world testing
The ONC final rule requires certified health IT developers to submit the results of real-world testing of each of their certified health IT modules to their certifying bodies each calendar year. The ONC IFR provides that the first real-world testing results report is not due until March 15, 2023.
December 31, 2023
- EHI export capability must be made available
The ONC final rule requires certified health IT developers of health IT modules that are part of a product that electronically stores EHI to provide customers with the ability to export EHI from the product in accordance with a new EHI export certification criterion. This criterion includes the ability to export the EHI of both a single patient and the entire patient population.
* * *
In conjunction with the release of the ONC IFR, ONC also issued Frequently Asked Questions on its website. Certified health IT developers and other actors regulated under the ONC final rule should review the Frequently Asked Questions and work with counsel to evaluate whether the guidance affects stakeholders’ approaches to information blocking compliance.