August 18, 2022
The Honorable Xavier Becerra
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, D.C., 20201
Dear Secretary Becerra:
The undersigned organizations representing stakeholders from across the healthcare community thank you for your work to advance health data exchange and interoperability.
We are diligently working towards full implementation of the 21st Century Cures Act Interoperability and Information Blocking Regulations, and to keep providers, patients, and other entities as well as individuals affected by information blocking informed about how the regulations will affect them and overall care delivery. Our organizations appreciate the resources created thus far by the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and Office of Inspector General (OIG). As we move closer to full implementation of the regulations on October 6, 2022—when covered actors will be required to share the full scope of electronic health information (EHI) in most circumstances—we are increasingly concerned about the complexity as well as the lack of a clear and consistent understanding of the information blocking regulations across the community.
Our organizations respectfully request that HHS work with its agencies to deliver more specific and granular guidance on these regulations. We need more guidance in order to appropriately implement and properly comply with these new regulations as well as better empower patients to access their health information. ONC’s work to provide further clarity on provisions in the rules, particularly through the use of frequently asked questions (FAQs), is appreciated by our entire community. This additional information provides much needed assistance as stakeholders assess how the rules intersect with their care delivery practices. However, our community needs further clarity on information blocking to better prepare and advise our organizations on how to implement the provisions. For instance, significant knowledge gaps still exist within the provider community with respect to implementation and enforcement of Information Blocking Regulations. Many independent, small, rural, and solo medical practices are still unaware or underinformed about information blocking requirements. This likely plays a major role in allegations that providers are blocking access to patient data.
Moreover, this sentiment was expressed in the House Departments of Labor, HHS, and Education Fiscal Year (FY) 2023 Appropriations Committee Report (H. Rept. 117-403). We echo the recommendation of the Committee to “provide regulated entities and other affected stakeholders with clear, practical guidance regarding foundational concepts in the rule,” that helps regulated actors evaluate their particular circumstances within the context of the regulations as well as identify and apply the relevant exceptions.
We also want to ensure that HHS fosters an environment of collaboration and education for information blocking, rather than one of enforcement. To help achieve that situation, we recommend that any guidance, FAQs, or other materials that change or illuminate HHS’s interpretation of information blocking carry with them a minimum of a six-month grace period on enforcement. Giving Regulated Actors sufficient time to adapt their technology and compliance programs to meet the Department’s policies will ensure the success of information blocking as a policy as well as contribute to changing the culture and environment of the health ecosystem to one that focuses on information sharing that leads to improvements in care delivery.
Overall, the undersigned organizations want to collaborate across HHS to create a culture of learning on information sharing to ensure that health data is flowing across the entire ecosystem. We support Dr. Micky Tripathi and the work occurring across ONC to embrace the concept of information sharing. Dr. Tripathi’s 2021 blog post encapsulates many of the ideas that the stakeholder community has for information sharing, and we stand ready to work together across HHS. To deliver more specific guidance that helps instill a culture of information sharing, we recommend HHS take the following steps:
Define the foundational concepts behind information sharing
Our organizations are asking for detailed guidance on the foundational concepts underpinning information sharing. Please see the enclosed Appendix for major foundational concepts that HHS should clarify.
This Appendix includes some of the foundational questions our providers, members, clients, and patients are asking to gain clarity on expectations and requirements. We want to work with HHS, ONC, and OIG to define these concepts as well as additional ideas that are raised by stakeholders and ensure that the answers are communicated extensively to the broader community.
Create use case/scenario-based FAQs to augment current guidance
We encourage HHS to provide scenario-based FAQs that give a greater degree of specificity and granularity than is currently covered in the FAQs on ONC’s website. By developing FAQs based on scenarios, individual stakeholders will be able to determine similarities with their own cases and adjust practices accordingly.
Our organizations identified several ambiguities with implementing the Information Blocking Exceptions that would be well-served by scenario-based FAQs. For example, there are instances where multiple exceptions could apply to particular questions, and we need more information to ensure that we are complying with regulatory requirements. Please see the enclosed Appendix for important scenarios that would be well-suited for scenario-based FAQs.
While further clarity and guidance are needed to better prepare stakeholders to comply with these rules, it is important to note that our organizations want to ensure that broader policy changes will only be made via formal rulemaking and notice and comment procedures. Further, as we anticipate these scenario-based FAQs would provide substantive information to fully implement the regulations and educate our organizations about the policy implications, we emphasize the need to build in a sufficient window of time for impacted stakeholders to take ONC’s answers and implement them in their business practices.
When new guidance is issued, regulated actors should have a minimum of six months before any enforcement actions can be brought against them based on the new guidance.
Provide deeper technical assistance to support information blocking compliance efforts
We respectfully request that HHS provide information sharing technical assistance to regulated actors, as well as the wider community, to help the community comply with the regulations. Since 2003, the HHS Office for Civil Rights (OCR) has been using technical assistance to help covered entities and business associates come into compliance with the Health Insurance Portability and Accountability Act (HIPAA) before imposing penalties or requiring corrective action plans (CAPs) to resolve violations of HIPAA.
OCR’s technical assistance focuses on providing remedies to violations while ensuring proper privacy or security infrastructure requirements are met. By creating a culture of education through technical assistance, OCR has prepared covered entities and their business associates to comply with provisions under HIPAA.
Given the complexity of the Information Blocking Rules, we encourage ONC and OIG to provide technical assistance in recognition of good faith information sharing efforts similar to OCR before engaging in enforcement actions. This form of assistance will provide a greater degree of transparency into how HHS is approaching compliance that will increase community-wide understanding of information sharing.
Bolster the communication vehicles for releasing the enhanced guidance
As ONC and OIG release more granular and specific guidance on good information sharing practices and use case/scenario-based FAQs, we encourage HHS to use the full extent of its communications capabilities to publicize this new information. ONC should use its newsletters and blog to notify the public when new information is released and consider a dedicated newsletter focused on implementing information sharing that supplies more information and context about the Information Blocking Exceptions or how HHS is interpreting the actions of regulated actors.
The agencies may also want to consider recurring webinars to discuss these topics with stakeholders similar to Centers for Medicare & Medicaid Services (CMS) Open Door Forums, where ONC and OIG staff could engage in open dialogue with stakeholders, answer questions, and provide clarifications on the regulations or FAQs. Using this model would be a huge step forward for increasing collaboration between the community and HHS, and help all stakeholders understand the positions of parties involved.
HHS may also want to consider applying lessons learned from the organization of the CMS Medicare Learning Network as a model for all the multimedia outreach possibilities that should be considered for use on information blocking guidance. We also urge HHS to create a toll-free support line or interactive live chat—in the spirit of the resources HHS provided for HIPAA implementation in the 1990s and early 2000s—for Regulated Actors to seek assistance from implementation and compliance experts. Moreover, our organizations can help HHS publicize the availability of new information sharing resources, as well as how patients should think about using these new materials and the benefits of taking advantage of wider sharing of health information from these new regulations.
Thank you again for your work to advance health data exchange and interoperability. Our organizations offer ourselves as a trusted resource to help establish a culture of learning around the implementation of Information Blocking Regulations. We would welcome a meeting with you and other HHS leaders to discuss the concerns put forward in this letter and Appendix. Ultimately, our organizations seek assurance that stakeholders have the granular details they need to appropriately implement the new regulations as well as promote greater sharing of health data.
Alliance for Nursing Informatics (ANI)
American Academy of Family Physicians
American Academy of Neurology
American Heart Association
American Health Information Management Association (AHIMA)
American Medical Informatics Association
Civitas Networks for Health
College of Healthcare Information Management Executives (CHIME)
Connected Health Initiative
Consortium for State and Regional Interoperability
CyncHealth, Nebraska & Iowa
Executives for Health Innovation
Healthcare Information and Management Systems Society (HIMSS)
HIMSS Electronic Health Record Association
HIMSS New York State Chapter
Healthcare Leadership Council
Indiana Health Information Exchange
Marshfield Clinic Health System
Medical Group Management Association (MGMA)
Partnership to Empower Physician-Led Care
cc: The Honorable Christi Grimm, Inspector General, Office of Inspector General, U.S. Department of Health and Human Services
Micky Tripathi, PhD, National Coordinator for Health Information Technology, U.S. Department of Health and Human Services
Major foundational concepts that HHS needs to clarify include:
- What are good information sharing practices and how should they be implemented?
- What actions can regulated actors undertake to demonstrate good intent for information sharing?
- What constitutes a “request” for information sharing? What should our organizational processes be for evaluating whether it is a valid request?
- Can ONC and OIG clearly identify the universe of regulated actors and all the organizations that are obligated to share EHI in what circumstances?
- As implementation of the Trusted Exchange Framework and Common Agreement (TEFCA) continues, what impacts and considerations should the community anticipate related to the information blocking regulations?
Important scenarios that would be well-suited for scenario-based FAQs:
- How should a regulated actor approach a situation where they cannot do exactly what is asked of them in an information sharing request but may be able to provide the information in a different format? How do they make a good faith compliance effort? Two potential exceptions may apply (Infeasibility as well as Content and Manner) in this example, but each comes with a different response timeline, and developing documentation under each exception would increase burden on an actor, which are important factors to consider when trying to fulfill a request.
- If an actor does not have technology or technical functionality necessary to fulfill a request for EHI in the manner requested or in an alternative manner, does the denial of the request constitute an interference? ONC has stated that the Information Blocking Regulations do not require actors to purchase new technologies or upgrade old technologies. However, the Content and Manner Exception implies that actors will facilitate the access, exchange or use of EHI in the manner requested or an alternative manner agreed to by the requestor using a predetermined order of priority. There are situations in which an actor may not have the capability to satisfy the EHI request in any manner desired by the requestor.
- For an actor releasing information to a patient portal, when should it be considered a singular request, and when is it a continuous request for health information? Should all EHI continuously be uploaded to a patient’s portal? How should consequential, potentially life-changing test results being uploaded to a patient portal fit into this discussion? When would the Preventing Harm Exception apply?
- Should it be considered interference under the Information Blocking Regulations if an actor limits its data sharing services to only certain types of individuals or organizations? Or only certain permitted purposes? The Regulations do not limit the application to certain kinds of EHI requests or types of EHI requestors. However, many actors only provide EHI-related services to certain types of EHI requestors and only for certain permitted purposes. For example, a community HIE may only support the access, exchange and use of EHI between and among health care providers and health plans for treatment, payment, and limited health care operation purposes. Accordingly, an HIE may limit participation in the HIE to only individuals and entities that can demonstrate their status as a health care provider or health plan, even though this is only a subset of the types of individuals or organizations who might otherwise have the legal authority to access, exchange or use EHI.
- May a single organization that operates multiple business lines designate which of its business lines (and corresponding EHI systems) functionally qualify as a HIN/HIE? Or is it necessary for such organizations to form separate legal entities for the operation of the HIN/HIE? Many organizations operate multiple lines of business or engage in different activities. For example, a single parent company or umbrella company may operate a health care provider group, an HIN/HIE, a payer group, and develop or sublicense health information technology. ONC has stated that the HIN/HIE actor definition is a functional definition. This has created some uncertainty as to the scope of HIN/HIE Information Blocking Regulations compliance/liability when a non-actor or a provider-actor organization might engage in activities that rise to the level of the HIN/HIE definition, but only with respect to one component of their organization.