While the Office of the National Coordinator for Health Information Technology (ONC) issued the 21st Century Cures Act; Interoperability, Information Blocking, and the ONC Health IT Certification Program (Information Blocking Final Rule) back in May 2020, many entities are still parsing out compliance strategies and seeking additional regulatory guidance to understand how the rule will be enforced. Broadly-speaking, information blocking is a practice that is likely to interfere with, prevent, or discourage access, exchange, or use of electronic health information (EHI). For example, a health system might require patient written consent before sharing the patient’s EHI with unaffiliated providers. Another example of information blocking is that a health IT developer might charge a fee to a health care provider to perform an export of EHI so that the provider can switch to a different health IT platform.
Overview of the Information Blocking Final Rule
As a reminder, those entities covered by the Information Blocking Final Rule are health care providers, health information networks or health information exchanges, and health IT developers of certified health IT (collectively, Information Blocking Actors). Information blocking is defined by the ONC as a practice that is likely to interfere with access, exchange, or use of EHI, unless the practice is covered by an exception or is otherwise required by law. The standard for information blocking for developers, networks or exchanges is if they know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI. For health care providers to engage in practices considered information blocking, the provider would need to know that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI.
EHI Definition Changes
The ONC provides advisory updates through FAQs to Information Blocking Actors. ONC’s recent FAQ guidance around how Information Blocking Actors should navigate the information blocking rules and other relevant laws highlights the shifting parameters around the sharing of EHI following the release of the Final Rule. Specifically, ONC touched upon the impending change in the definition EHI for the purposes of information blocking.
ONC reminded Information Blocking Actors that until October 6, 2022, EHI as defined in the Final Rule is limited to the subset of EHI represented by data elements in the United States Core Data for Interoperability version 1 (USCDI v1). USCDI v1 data elements include:
Allergies and Intolerances |
Medications |
Assessment and Plan of Treatment |
Patient Demographics |
Care Team Member(s) |
Problems |
Clinical Notes |
Procedures |
Goals |
Provenance |
Health Concerns |
Smoking Status |
Immunizations |
Unique Device Identifier(s) for a Patient’s Implantable Device(s) |
Laboratory tests and results |
Vital Signs |
Beginning on October 6, 2022, the definition of EHI in the context of Information Blocking under the Final Rule will expand beyond USCDI v1. Instead of EHI being limited to the USCDI v1 data elements listed above, the EHI will be defined as electronic protected health information (PHI) to the extent that it would be considered PHI and be included in a designated record set as defined in the HIPAA Privacy Rule. In other words, based on the idea that Information Blocking Actors are already familiar with the process of identifying electronic PHI, the EHI definition going into effect in late 2022 will represent the same electronic PHI that a patient would have the right to request a copy of under to the HIPAA Privacy Rule.
According to the Final Rule, the initial limitation of Information Blocking to the subset of EHI described in USCDI v1 was established to create a transparent, predictable starting point for sharing EHI while actors prepare for the sharing of all EHI.
ONC also encouraged Information Blocking Actors to respond to requests for access, exchange, or use of EHI with as much EHI as possible in order to promote interoperability and to practice applying the exceptions. In comparison to the far narrower set of data elements, this definition of EHI, inclusive of all electronic PHI in a designated record set, is much more extensive from a coverage standpoint for Information Blocking Actors. Though October 6, 2022 is almost a year away, Information Blocking Actors should be phasing these EHI scoping changes into their operations sooner rather than later.
Civil Monetary Penalties for Information Blocking
On April 24, 2020, the Department of Health and Human Services Office of Inspector General (OIG) issued a proposed rule to amend the Civil Monetary Penalty Law (CMP Law) to allow the OIG to impose civil monetary penalties (CMPs) for information blocking. The OIG would be authorized to impose CMPs not to exceed $1 million per violation on Information Blocking Actors that the OIG determines committed information blocking. In making a determination to impose CMPs, the OIG would consider the following factors:
-
The nature and extent of the information blocking;
-
The harm resulting from such information blocking;
-
The number of patients and providers affected; and
-
The number of days the information blocking persisted.
Though the OIG originally intended to finalize these changes in September 2021, the final rule is still pending. During this waiting period, it is worth noting that the proposed rule provided some detail around OIG’s enforcement expectations and coordination with other agencies such as the Office for Civil Rights (OCR). Specifically, the OIG stated that its enforcement priorities would be would target conduct that:
-
resulted in, is causing, or had the potential to cause patient harm;
-
significantly impacted a provider’s ability to care for patients;
-
was of long duration;
-
caused financial loss to Federal health care programs, or other government or private entities; or
-
was performed with actual knowledge.
In regards to working with OCR, the OIG stated in the proposed rule that it may refer an information blocking claim to OCR if a consultation regarding the health privacy and security rules promulgated under HIPAA would resolve an information blocking claim.
Additionally, from a complaint process standpoint, health IT developers should consider that ONC receives Information Blocking complaints against health IT developers through the Information Blocking Portal, though ONC does not receive complaints against any other type of Information Blocking Actor. The ONC shares complaints of information blocking with the OIG so that the OIG can investigate and, once the CMP authorities for information blocking are finalized, determine whether to impose CMPs.
Conclusion
Many Information Blocking Actors have likely needed to make changes to their operations and information access policies during the past few years to comply with the Information Blocking Final Rule. Along with reviewing examples provided in the Information Blocking Final Rule as to what constitutes information blocking from ONC’s perspective, and the eight exceptions to the Information Blocking Rule, Information Blocking Actors should remember to review whether the EHI they access, exchange, or use meets the EHI definition in the Information Blocking Final Rule now and later in 2022, when the definition is expanded to align with the HIPAA Privacy Rule.