Navigating the challenges posed by the new information blocking rules issued by the Office of the National Coordinator for Health IT (ONC) is not solely the job of IT Departments, outside consultants and software companies. Providers must grapple with these issues too. In an effort to help unpack these complex regulations for the “low to no tech” camp and the more schooled, we will be publishing a series of frequently asked questions (FAQs) designed to assist your organization’s development of an effective compliance strategy before the April 5, 2021 deadline when the first tranche of these rules goes into effect.
In their broadest sense, the ONC’s new rules are designed to assist in the free flow of patient information across the healthcare ecosystem. Difficulties faced by patients in accessing their personal health information has been viewed as a cause of patient frustration, errors in patient care, and waste in the Medicare and Medicaid programs. To help remedy this situation, Congress empowered the U.S. Department of Health and Human Services (HHS) through the 21st Century Cures Act to regulate and curb practices that “interfere with, prevent or materially discourage access, exchange or use of electronic health information.”
HHS is implementing this mandate across its numerous divisions. The Centers for Medicare and Medicaid (CMS) issued a Final Rule to adopt interoperability standards on May 1, 2020 and, more recently, HHS’ Office for Civil Rights (OCR) began its own process to better integrate anti-information blocking principles into HIPAA However, it is the issuance of ONC’s Final Rule on May 1, 2020, that lays out the requirements for health care providers, as well other “actors,” including health information networks, health information exchanges and information technology developers that specifically addresses “information blocking” as a prohibited practice. After initially delaying the rule’s implementation for reasons tied to the pandemic, these same actors now have little more than a month to develop the type of cross-disciplinary response (e.g., evaluating administrative processes, technology needs as well as relevant third-party contracts) that will be necessary to meet the various regulatory requirements.
Accordingly, we hope that you find these Information Blocking FAQs helpful.
- Exactly What is and What is not “Information Blocking”?
“Information blocking” is a practice by a health care provider, health IT developer of certified health IT, or health information network or exchange that, except as required by law or covered by an exception in the ONC’s rules, is likely to interfere with the access, exchange, or use of electronic health information (EHI). Where the actor is a health care provider, the provider must know that such practice is unreasonable and likely to interfere with access, exchange, or use of EHI.
As the definition of “information blocking” is intentionally open-ended, in many ways, “information blocking” is defined by the exceptions that explicitly outline what practices are not “information blocking.” Specifically, the ONC has provided guidance regarding eight reasonable and necessary activities that do not constitute information blocking, provided certain conditions are met. If a practice does not satisfy the conditions of an exception, it will be evaluated on a case-by-case basis to determine whether it constitutes information blocking.
2. What are the Exceptions to the Information Blocking Rule?
The following exceptions involve not fulfilling requests to access, exchange, or use EHI and will not constitute information:
- Preventing harm exception: It is not information blocking to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
- Privacy exception: It is not information blocking to not fulfill a request to access, exchange or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
- Security exception: It is not information blocking to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
- Infeasibility exception: It is not information blocking to not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
- Health IT performance exception: It is not information blocking to take reasonable and necessary measures to make health IT temporarily unavailable for the benefit of the overall performance of the health IT, provided certain conditions are met.
3. Besides the Five Exceptions Listed Above, What Other Actions Will Not Constitute Information Blocking?
In addition to the five exceptions listed above, ONC also published the following 3 exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:
- Content and manner exception: It is not information blocking to limit the content of a response to a request to access, exchange, or use EHI or the manner in which a request is fulfilled, provided certain conditions are met.
- Fees exception: It is not information blocking to charge fees for accessing, exchange, or using EHI, provided certain conditions are met.
- Licensing exception: It is not information blocking to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
4. What Data Must Be Made Available to Patients Under the Information Blocking Rules and When?
Patients must have access to their EHI by April 5, 2021. For the first 18 months after the rule goes into effect, EHI refers to the information contained in the data classes set forth in the United States Core Data for Interoperability (USCDI) standard.
USCDI contains a set of 16 data classes:
- Patient Demographics
- Vital Signs
- Allergies and Intolerances
- Smoking Status
- Care Team Members
- Clinical Notes
- Assessment and Plan of Treatment
- Health Concerns
- Unique Device Identifiers (for a patient’s Implantable Device)
- Provenance (i.e. the metadata of the records provided)
Each data class includes specific data elements that must be provided upon patient request. For example, the data class for Clinical Notes includes 8 different types of notes that must be made available to patients: consultation notes; discharge summary notes; history & physical notes; imaging narratives; laboratory report narratives; pathology report narratives; procedure notes; and progress notes.
After October 6, 2022, the scope of EHI under the information blocking rule will expand to include the full electronic designated record set (DRS) as defined in HIPAA. Healthcare providers will be obligated to provide not only the USCDI information listed above, but also DRS data which includes:
- medical & billing records about individuals maintained by or for a covered health care provider;
- enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Separately, as a new Condition of Participation, under the Center for Medicare and Medicaid Services (CMS) interoperability rules hospitals with compliant EHR systems must provide admission, discharge and transfer (ADT) event notifications to all providers primarily responsible for a patient’s care.
Providers should remain aware that the information blocking rules do not limit a patient’s existing rights under HIPAA to their protected health information.