- The 21st Century Cures Act (Cures Act) included several provisions to accelerate the adoption and effective use of health information technology (HIT) and discourage information blocking.
- On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule establishing policies to hold accountable those who restrict the availability of electronic health information.
- Unless the deadline is extended, compliance with the ONC rule's information blocking requirements takes effect on Nov. 2, 2020. The agency extended enforcement discretion for three additional months because of COVID-19, which would make the rule enforceable on Feb. 1, 2021.
The 21st Century Cures Act (Cures Act) included several provisions to accelerate the adoption and effective use of health information technology (HIT) and discourage information blocking. The Secretary of U.S. Department of Health and Human Services (HHS) was authorized to establish reasonable exceptions through rulemaking under the Cures Act, which was signed into law on Dec. 13, 2016.
On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule establishing policies to hold accountable those who restrict the availability of electronic health information. Unless the deadline is extended, compliance with the ONC rule's information blocking requirements takes effect on Nov. 2, 2020. The agency extended enforcement discretion for three additional months because of COVID-19, which would make the rule enforceable on Feb. 1, 2021. A table of enforcement discretion dates and timeframes is available on the ONC website.
The compliance date is rapidly approaching. Even if it is temporarily delayed, now is the time to review policies and processes for sharing electronic health information (EHI). Accordingly, this Holland & Knight alert provides an overview of the key provisions regarding information blocking compliance.
What Is Information Blocking?
According to the Cures Act, it is a "practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."
Will the Nov. 2 Compliance Deadline Be Pushed Back Because of COVID-19?
Many impacted stakeholders have urged Congress and the White House to extend enforcement discretion to ensure that there is adequate time to prepare and not divide their attention from their continued COVID-19 efforts. Accordingly, the administration plans to delay the compliance deadlines for healthcare information blocking for a second time because of the public health emergency. HHS sent the Office of Management and Budget (OMB) an interim final rule on Sept. 17, 2020, that revises the timelines. The rule has not yet been released, but it implies that the agency will extend dates identified in the information blocking provisions, including the Nov. 2, 2020, compliance deadline.
Who Is Subject to the Information Blocking Policies?
The information blocking provision applies to three types of "actors" – 1) all providers, 2) health IT developers, and 3) health information exchanges and networks (HIEs/HINs).
- Healthcare Providers: ONC used Section 3000(3) of the Public Health Service Act to define a provider. ONC notes that this choice allows the HHS Secretary some latitude in expanding the definition over time. The term "health care provider" includes a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, health care clinic, community mental health center, renal dialysis facility, blood center, ambulatory surgical center, emergency medical services provider, federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician, a practitioner, a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization, a rural health clinic, a covered entity under Section 340B, a therapist, and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary.
- Developers of Certified Health IT: ONC finalized its definition to include an individual or entity that develops or offers Certified Health IT – meaning that developers of other, noncertified health technology are not targets of information blocking enforcement. In general, Certified Health IT is health technology, primarily electronic health record (EHR) systems, which meet certain standards adopted by ONC. However, developers of Certified Health IT can be found in violation of information blocking concerning noncertified products as well.
- Health Information Networks and Exchanges (HINs and HIEs): ONC opted to combine these two terms into a single definition and narrowed their scope. An entity is a HIN/HIE if it determines, controls or has the discretion to administer any requirement, policy or agreement that permits, enables or requires the use of any technology or service.
That means all of the aforementioned actors must provide access to EHI either proactively or upon request. Otherwise, they may be accused of information blocking if there are unnecessary barriers to access the requested data.
What Are the Exceptions That Don't Constitute Information Blocking?
Eight exceptions exist to shield an actor if they have a legitimate reason for not sharing patient data. Much like Stark and Anti-Kickback regulations, these exceptions will require substantial documentation and will be evaluated by ONC and the Office of the Inspector General (OIG) on a case-by-case basis. Actors should review their current information-sharing policies and revise them accordingly. Additionally, actors should develop a workflow process to determine if there is a legitimate reason for blocking data, and then identify and document the appropriate exception category. The ONC has provided more detail on the exceptions.
Exceptions that involve not fulfilling requests to access, exchange or use EHI:
- Preventing Harm Exception. It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
- Privacy Exception. It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI to protect an individual's privacy, provided certain conditions are met.
- Security Exception. It will not be information blocking for an actor to interfere with the access, exchange or use of EHI to protect the security of EHI, provided certain conditions are met.
- Infeasibility Exception. It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI due to the infeasibility of the request, provided certain conditions are met.
- Health IT Performance Exception. It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Exceptions that involve procedures for fulfilling request to access, exchange or use EHI:
- Content and Manner Exception. It will not be information blocking for an actor to limit the content of its response to a request to access, exchange or use EHI or how it fulfills a request to access, exchange or use EHI, provided certain conditions are met.
- Fees Exception. It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging or using EHI, provided certain conditions are met.
- Licensing Exception. It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged or used, provided certain conditions are met.
What Data Are Covered Under Information Blocking?
The information blocking policies apply to all electronically protected health information (ePHI) as defined in Health Insurance Portability and Accountability Act (HIPAA to the extent that ePHI would be included in a designated record set. This requirement is regardless of whether the records are used or maintained by or for a covered entity as defined under HIPAA. De-identified data are excluded from the definition of EHI. Also, EHI will not include psychotherapy or information compiled in reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings.
Initially, ONC will define EHI as the data elements in the United States Core Data for Interoperability (USCDI) standard. Almost all USCDI data elements are already captured in 2015 Edition certified EHRs today – which means that the information blocking policies will apply to the information that is likely available on an actor's system. However, under ONC's rule, the definition of EHI will eventually expand beyond the USCDI. Starting May 2022, the EHI definition will include the full HIPAA electronic designated data set.
Do We Have to Upgrade Our 2015 Edition Certified EHR by Nov. 2, 2020?
Unless delayed, the Nov. 2, 2020, date applies to compliance with the information blocking policies. Providers are not required to upgrade their EHRs to the new 2015 Edition certification criteria at that time. For example, providers do not have to immediately implement an application programming interface (API) that supports Fast Healthcare Interoperability Resources (FHIR) for the purposes of information blocking compliance.
What Are the Penalties?
Enforcement of information blocking civil monetary penalties (CMPs) will not begin until established by future notice and comment rulemaking by the Office of the Inspector General (OIG). As a result, actors would not be subject to penalties until CMP rules are final.
For providers, ONC didn't establish a mechanism for information blocking disincentives. However, providers must agree to the "prevention of information blocking" to meet Promoting Interoperability (PI) reporting requirements under the Merit-based Incentive Payment System (MIPS) of the Quality Payment Program (QPP).
What Are Some Ways to Prepare?
For providers, it is essential that clinicians and staff know what to do when they receive data requests and what is at risk if accused of information blocking. Also, providers are encouraged to revisit documentation regularly as their health IT capabilities advance.