Mike Lipinski, Director of the Regulatory and Policy Affairs Division within the Office of the National Coordinator for Health Information Technology, recently shared some guidance for healthcare providers as they prepare for information blocking enforcement, as described in “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule.”
This blog post summarizes some of that guidance, which includes defining information blocking and providing criteria to determine if an action could be considered information blocking. Ultimately, information blocking complaints or instances involving healthcare providers will be evaluated on a case-by-case basis by the Health and Human Services Office of Inspector General (OIG). However, the criteria can help providers determine whether an action could be considered information blocking.
What is information blocking?
Context for the rule
The rule has two major parts: one deals with health IT certification and the other deals with information blocking. While both are relevant for providers, the first milestone that occurs is enforcement of information blocking.
An action is said to constitute information blocking if it meets all the following:
- It is carried out by an entity defined as an “actor” per the information blocking provision
- It involves electronic health information (EHI)
- It is a practice likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI
- It is undertaken with requisite knowledge by the actor
- It is not required by law
- It is not covered by one of the eight exceptions in the rule
Actor regulated by the information blocking provision
The three main categories of regulated actors are health care providers (as broadly defined in the 21st Century Cures Act and the Public Health Service Act), health IT developers of certified health IT, and health information networks (HIN) or health information exchanges (HIE).
One thing to note is that the HIN/HIE definition is functionally defined. For example, if a hospital is found to be information blocking in an action where it is operating according to the HIN/HIE definition, the hospital would be treated like a HIN or HIE in assessing actions and potential consequences, including penalties.
Involves electronic health information (EHI)
EHI means electronic protected health information (ePHI) to the extent that the ePHI is included in a designated record set as defined for HIPAA.
For the purposes of data subject to information blocking, until October 2022, EHI will refer only to the data identified by the United States Core Dataset for Interoperability (USCDI). After October 2022, EHI will include ePHI that is part of the designated record set.
Practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI
Interference is very broadly defined by Congress and ONC in this rule.
One example of interference could be fees. If an actor charges an individual, their personal representative, or another designated person for electronic access to EHI, that could be considered information blocking.
However, that fee prohibition only applies to electronic access to EHI by the individual, their personal representative, or another person or entity designated by the individual. ONC has included three parts to the definition of “electronic access.” All three parts of the electronic access definition must be met for the fee prohibition to apply.
Electronic access is defined as an internet-based method that makes information immediately available at the time requested with no manual effort. If the information is available to the individual, their personal representative or designee via an internet-based method that makes information immediately available without any manual effort, charging a fee could be information blocking.
However, if any one of the three parts of the “electronic access” definition is not met, the data transfer is not considered electronic access and a fee could be allowed. For example, if a provider is pulling information from various systems to provide access via the internet, this action would not meet the definition of “electronic access” and the cost related to that manual effort can be recovered.
Requisite knowledge by the actor
A knowledge standard is used to determine if information blocking has occurred. If the provider “knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage the access, exchange or use of electronic health information,” the action could meet the element of requisite knowledge.
Not required by law
In order to meet this facet of information blocking, the interference with access, exchange, or use of EHI must not be explicitly required by state or federal law. Note that this is different from interferences that may be pursuant to a privacy law, but which are not “required by law.”
Examples of federal and state law include statutes (e.g., HIPAA), regulations, court orders, and binding administrative decisions or settlements, such as those from the FTC or the Equal Employment Opportunity Commission (EEOC) as well as tribal laws, as applicable.
For example, if an actor interferes with access, exchange or use of EHI because of a federal law, such as HIPAA, the action could be considered required by law and would not meet this criterion for information blocking.
Not covered by an exception
ONC has created exception categories for when interference with access, exchange, or use of EHI could be permissible. These exception categories are nuanced and worth a closer look. The ONC website has in-depth, recorded presentations that provide more detail on information blocking and exceptions.
Exceptions that involve not fulfilling requests to access, exchange, or use EHI
- Preventing harm exception
- Privacy exception
- Security exception
- Infeasibility exception
- Health IT performance exception
Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI
- Content and manner exception
- Fees exception
- Licensing exception
How will information blocking be determined and what is the consequence?
Information blocking complaints or instances involving healthcare providers will be evaluated on a case-by-case basis by the Health and Human Services Office of Inspector General (OIG).
Under the statute, healthcare providers are subject to “appropriate disincentives.” The appropriate disincentives have not yet been further defined. The HHS Secretary must issue a rulemaking to specify and finalize what those disincentives are. In the interim, there are things like the Promoting Interoperability program, which includes attestations providers must make on whether they are information blocking, and there could be consequences for doing so.
Information blocking enforcement is just the first milestone in the “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule.” As providers prepare for this first milestone, we hope they also keep in mind the intention of the Rule—to make health data more readily accessible to improve quality and cost of care.