Under the Office of the National Coordinator for Health IT (ONC) 21st Century Cures Act final rule, effective July 1, 2020, health care providers, in their capacities as such, are not subject to civil monetary penalties. However, health systems, hospitals and other health care providers may face civil monetary penalties if they engage in activities that cause them to be a health information technology (IT) developer of certified health IT (Certified Health IT Developer) or health information network or health information exchange (HIN/HIE), and engage in activities that are “likely to interfere” with the access, exchange or use of electronic health information (EHI). This On the Subject discusses whether a health system or provider could be a Certified Health IT Developer, HIN/HIE when it provides access to its electronic health record (EHR) system to unaffiliated community providers, and the potential risk that EHR access terms or practices could subject the health system or provider to civil monetary penalties for information blocking.
IN DEPTH
A hospital or other health care provider is an actor subject to the new information blocking restrictions under the final rule issued by the ONC under the 21st Century Cures Act (Final Rule), but is not subject to civil monetary penalties unless it (1) is a Certified Health IT Developer (including as an offeror of certified health IT), or (2) operates an HIN/HIE in which more than two unaffiliated parties access, exchange or use EHI.
The software license agreements between many certified EHR vendors and their health system or other health care provider customer-licensees (EHR System Licensees) allow the EHR System Licensees to offer EHR system access to non-employed physician practices and other unaffiliated community providers for implementation and use in their physician office locations and other facilities. The EHR System Licensees typically provide access to their EHR systems as part of an agreement structured to meet the Stark Law exception and/or the federal anti-kickback statute safe harbor for EHR items and services, or waivers available under certain accountable care and other value-based care models. When the EHR System Licensee, its affiliated providers and community providers share an instance of the EHR system, they are able to access, exchange and use EHI created by any of the EHR system users, including the unaffiliated community providers. The offering of these EHR access arrangements may cause the EHR System Licensee to meet the definition of a Certified Health IT Developer and/or an HIN/HIE. We discuss this risk below. For more information about the Final Rule, please see our Special Report.
Certified Health IT Developers
The following sections address the Final Rule’s definition of a Certified Health IT Developer and questions that an EHR System Licensee should consider when evaluating whether an EHR access agreement could cause it to be Certified Health IT Developer.
What Is a Certified Health IT Developer?
The Final Rule defines a Certified Health IT Developer as follows:
-
An individual or entity, other than a health care provider that self develops health IT for its own use, that develops or offers health information technology and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified . . . pursuant to [the] ONC Health IT Certification Program…. (emphasis added)
The Final Rule does not clarify who is an “offeror” or what offeror activities would constitute “information blocking.” The Final Rule also fails to explain what it means for an offeror to “[have], at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified . . . pursuant to [the] ONC Health IT Certification Program.”
An EHR System Licensee that is not the EHR vendor that sought and obtained the certification for the EHR software under the ONC Health IT Certification Program does not seem to “have . . . one or more Health IT Modules certified” and therefore arguably could never meet the definition of a Certified Health IT Developer. However, ONC’s preamble discussion of the definition is not clear on this point, and until ONC resolves the ambiguity, an EHR System Licensee that offers EHR system access to community providers should consider whether any of its EHR access agreement terms or other practices involving the access, exchange or use of EHI with community providers in connection with such agreements could constitute information blocking.
Is the EHR System Licensee a Certified Health IT Developer?
To assess whether an EHR System Licensee could be a Certified Health IT Developer, the EHR System Licensee should consider the following questions related to an offer of access to certified EHR technology to community providers:
-
Does the EHR System Licensee simply make portions of payments to an EHR vendor to enable community providers to license a separate instance of the EHR software (or other certified health IT) directly from an EHR vendor?
-
If so, then the EHR System Licensee may not be considered an “offeror” within the definition of a Certified Health IT Developer since the EHR vendor licenses the software directly to the community providers.
-
-
Does the EHR System Licensee offer to enter into an agreement with community providers under which community provider personnel may access and use the EHR System Licensee’s instance of the EHR system in the community provider’s offices or other facilities?
-
If the EHR System Licensee offers access to its EHR system, then the EHR System Licensee may be considered a Certified Health IT Developer based on the “offer.”
-
HINs and HIEs
The following sections discuss the Final Rule’s definition of an HIN/HIE, and questions that an EHR System Licensee should consider when evaluating whether an EHR access agreement could cause it to be an HIN/HIE.
What Is an HIN/HIE?
The Final Rule combines the definitions for HIN and HIE into one definition as follows:
-
An individual or entity that determines, controls or has the discretion to administer any requirement, policy or agreement that permits, enables or requires the use of any technology or services for access, exchange or use of EHI:
-
Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
-
That is for a Treatment, Payment or Health Care Operations purpose, as such terms are defined in the HIPAA regulations, regardless of whether such individuals or entities are subject to the HIPAA regulations.
-
An EHR System Licensee should evaluate whether its implementation of EHR access agreements to facilitate the exchange of EHI by or with community providers meets the above definition. For example, EHR System Licensees that provide EHR system access to community providers may implement security safeguards or procedures to control the flow of EHI among the community providers through the EHR system. The exercise of such control, even if to serve a legitimate privacy function that is not information blocking (e.g., preventing a community provider from accessing the EHI of non-patients in violation of HIPAA), could in turn cause the EHR System Licensees to meet the definition of an HIN/HIE.
Is the EHR System Licensee an HIN/HIE?
To assess whether an EHR System Licensee could be considered an HIN/HIE, the EHR System Licensee should consider the following questions:
-
Does the EHR System Licensee administer or control any policy, agreement or requirement that permits, enables or requires the use of technology (e.g., health information exchange functionality) that enables the exchange of EHI among more than two unaffiliated individuals or entities (not counting the EHR System Licensee)?
-
If the EHR System Licensee administers access to technology that enables more than two unaffiliated individuals or entities to exchange EHI, then is the exchange for Treatment, Payment or Health Care Operations (as each term is defined by the HIPAA regulations)?
-
For example, can the unaffiliated entities use the technology to exchange EHI with each other to coordinate the care they provide to a common patient? If yes, then the EHR System Licensee may be considered an HIN/HIE.
-
What Practices in Connection with Health IT Access Arrangements Raise Potential Information Blocking Concerns?
If the EHR System Licensee is a Certified Health IT Developer (as an offeror) or an HIN/HIE, then the EHR System Licensee should structure its agreements with community providers consistent with the information blocking exceptions under the Final Rule to avoid the risk of civil monetary penalties. For example, the EHR System Licensee should consider the following questions:
-
If an EHR System Licensee is a Certified Health IT Developer:
- Does the EHR System Licensee host (in its data center or through a third party) the EHI created by or received on behalf of the community providers?
-
If the EHR System Licensee hosts the EHI, it could be in a position to exercise control over the EHI in ways that could implicate the information blocking prohibition.
-
Even if the EHR vendor hosts the EHR system and EHI, the EHR System Licensee may still be in a position to exercise control over the EHI (e.g., through its control of EHR system configuration settings) in ways that could implicate the information blocking prohibition.
-
-
Does the EHR System Licensee actually exercise control over some or all of the EHI created or received by the community provider in the certified health IT? For example, does the EHR System Licensee control the EHR system configuration settings that determine whether a particular user may access EHI in the EHR system?
-
Under the Final Rule preamble, ONC stated that an offeror could be subject to the information blocking prohibition with respect to EHI it “hold[s] or control[s].” If an EHR vendor holds or controls providers’ EHI, then an EHR System Licensee that is a Certified Health IT Developer because it offers access rights to community providers, but does not hold or control the EHI, would not, under ONC’s preamble discussion, seem to be in a position to engage in information blocking in its capacity as an offeror. Further, under a specific Cures Act provision, the EHR System Licensee would not be responsible for actions taken by the EHR vendor that could constitute information blocking.
-
- Does the EHR System Licensee host (in its data center or through a third party) the EHI created by or received on behalf of the community providers?
-
Does the EHR System Licensee condition access to the EHR system (including, for example, its HIN/HIE functionality) on the community provider’s provision of intellectual property rights?
-
If yes, does the practice comply with the Final Rule’s Content and Manner Exception, Fees Exception or Licensing Exception? Note that under the Licensing Exception, actors may not require licensees or sublicensees (e.g., the community provider) to grant, assign or transfer to the actor any intellectual property of the licensee in return for the license or sublicense.
-
-
Does the EHR System Licensee’s EHR access agreement with a community provider address the disposition of records maintained within the EHR upon termination of the agreement?
-
Termination provisions that limit the community provider’s access, exchange or use of EHI post-termination could implicate the information blocking prohibition. (Likewise, a provision requested by the community provider that limits the EHR System Licensee’s access to the EHI may implicate the information blocking prohibition, since health care providers are subject to the prohibition. However, even if the community provider’s practice constitutes information blocking, it would not subject the community provider to civil monetary penalties because the community provider would be acting as a health care provider and not a Certified Health IT Developer or HIN/HIE.)
-
-
Does the EHR System Licensee control the timing and implementation of bug fixes, upgrades and other software maintenance to the EHR system (including its HIN/HIE functionality)?
-
The Health IT Performance Exception permits actors in certain circumstances to inhibit the access, exchange or use of EHI for a limited period of time to perform planned or unplanned maintenance or updates. To comply with this exception, EHR System Licensees that control the timing and implementation of software maintenance or upgrades that could slow or cut off access to EHI should consider including service level agreement terms that establish a framework for limited planned and unplanned periods of maintenance in the EHR access agreement.
-
These are just some of the questions that health systems, hospitals and other health care providers potentially meeting the definition of a Certified Health IT Developer, HIN/HIE should consider to ensure that they structure their EHR access agreements and conform their related practices in ways that mitigate potential civil monetary penalty exposure under the Final Rule.