Information Blocking Regulations Under the ONC Cures Act Final Rule
The 21st Century Cures Act was enacted in December of 2016 to support medical product development and innovation. It also regulates health care information technology (IT) systems and emphasizes the “patient perspective.” On May 1, 2020, the Office of the National Coordinator for Health IT (ONC) issued a final rule implementing certain interoperability requirements identified in the Cures Act. Specifically, the final rule establishes certification requirements for health IT developers, seeks to promote and improve patient access to electronic health information through standardized apps, and prevents information blocking. Due to the COVID-19 pandemic, compliance dates for certain requirements of the final rule were extended by the ONC in an interim final rule with comment period, including the compliance date related to information blocking. That compliance date came and went on April 5 when the information blocking provisions of the final rule went into effect. In order to help providers navigate these new regulatory requirements, the below Q&A addresses some common questions about information blocking.
What is “Information Blocking”?
If conducted by a health care provider, “information blocking” is defined as a practice that is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information (EHI) when the provider knows that such practice is unreasonable and is likely to interfere with, prevent or materially discourage access, exchange or use of EHI. Section 4004 of the Cures Act provides the following examples of prohibited information blocking practices:
- Practices that restrict authorized access, exchange or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
- Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using EHI;
- Implementing health IT in ways that are likely to:
- Restrict the access, exchange or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
- Lead to fraud, waste or abuse, or impede innovations and advancements in health information access, exchange and use, including care delivery enabled by health IT.
Because the final rule’s definition of information blocking is so broadly defined, the practice may be better understood by what it is not through eight identified exceptions.
What Exceptions are Provided in the Information Blocking Rule?
Of the eight exceptions to what shall be considered information blocking under the final rule, five exceptions involve not fulfilling requests to access, exchange or use EHI. The ONC describes them as:
- Preventing Harm Exception. It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
- Privacy Exception. It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
- Security Exception. It will not be information blocking for an actor to interfere with the access, exchange or use of EHI in order to protect the security of EHI, provided certain conditions are met.
- Infeasibility Exception. It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI due to the infeasibility of the request, provided certain conditions are met.
- Health IT Performance Exception. It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
The remaining three exceptions involve procedures for fulfilling requests to access, exchange or use EHI and are described by the ONC as follows:
- Content and Manner Exception. It will not be information blocking for an actor to limit the content of its response to a request to access, exchange or use EHI or the manner in which it fulfills a request to access, exchange or use EHI, provided certain conditions are met.
- Fees Exception. It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging or using EHI, provided certain conditions are met.
- Licensing Exception. It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged or used, provided certain conditions are met.
What Information Must be Made Available to Patients?
As of April 5, patients must have access to the types of EHI identified by the United States Core Data for Interoperability (USCDI) standard. This data includes EHI related to:
- Allergies and Intolerances
- Assessment and Plan of Treatment
- Care Team Member(s)
- Clinical Notes (including consultation notes, discharge summary notes, history and physical data, imaging narratives, laboratory and pathology report narratives, procedure notes, and progress notes)
- Health Concerns
- Laboratory Tests, Values, and Results
- Patient Demographics
- Smoking Status
- Unique Device Identifier(s) for a Patient’s Implantable Device(s)
- Vital Signs
Effective October 6, 2022, the definition of EHI will be expanded to include all EHI found in a “designated record set” as defined by HIPAA. Thus, patients will then have access to:
- The medical records and billing records about individuals maintained by or for a covered health care provider;
- The enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan; and
- Records used, in whole or in part, by or for the covered entity to make decisions about individuals.
Notably, the final rule specifically excludes from this definition psychotherapy notes as well as information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.
What Happens if I Do Not Comply with the Information Blocking Rule?
While the final rule sets forth clear civil monetary penalties of up to $1 million per violation by certified health IT developers, details pertaining to the repercussions for health providers that fail to comply with the information blocking rule are lacking. The final rule provides that if a provider is investigated for failure to comply, the provider may be “subject to appropriate disincentives.”
As the second effective week of the information blocking rule unfolds, providers should ensure that they have an information blocking policy in place that explains the eight exceptions identified above, and that their personnel have been trained to enforce it. Providers should be prepared to provide patients with access to their EHI without delay, which will be evaluated on a case-by-case basis.
Disclaimer: This alert has been prepared by Eastman & Smith Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.