Updated as of November 4, 2020 to reflect ONC’s Interim Final Rule (officially published in Federal Register on November 4, 2020)
In the midst of the COVID-19 pandemic, the Office of the National Coordinator for Health Information Technology (ONC) published the final Information Blocking Rule. This rule is widely seen as a game-changer that will have far-reaching effects on how electronic health information is accessed, exchanged, and used by patients, providers, and a wide range of participants in the health care industry. As such, it provides both a great deal of opportunity to improve the quality and availability of health care and real risk for those entities that are not fully prepared.
This article kicks off a multi-part Information Blocking Rule client alert series. This first alert will provide an overview of the Information Blocking Rule’s core concepts. The alert also contains introductory details about the ONC’s information blocking exceptions and the pending OIG rules that will govern the enforcement of civil monetary penalties (CMPs). Subsequent alerts will address (1) each exception in more detail, (2) interactions between the Information Blocking Rule and HIPAA, (3) OIG CMP enforcement priorities and considerations, and (4) what you can do now to prepare for the April 5, 2021, applicability date.
The Elements of an Information Blocking Offense
What is Information Blocking? Information blocking is a practice by an Actor that is likely to interfere with (i.e., prevent materially discourage, or otherwise inhibit) access, exchange, or use of electronic health information (EHI).
What is EHI? EHI includes the electronic protected health information (ePHI), as defined by HIPAA to the extent that it would be included in a designated record set. It is important to note that EHI covers ePHI elements regardless of whether they are used or maintained by or for a covered entity. In other words, reach of the rule extends beyond ePHI and HIPAA Covered Entities.
The Scope of EHI is Phased In. Until October 6, 2022, “EHI” is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard adopted in 45 CFR § 170.213.
What is a Practice? A “practice” is an act or an omission by a health care provider, health IT developer of certified health IT, or a health information network/health information exchange (each an “Actor”).
What makes an Individual or an Entity an Actor that is Subject to the Rule? An “Actor” can be either a health care provider, a health IT developer of certified health IT, or a Health Information Network/Health Information Exchange (HIN/HIE):
- A health care provider, as defined in the rule, includes a wide range of providers (See Figure 1, below):
Figure 1: “Health Care Provider” As Defined in 42 U.S.C. 300jj
- A health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT for its own use, that develops or offers health information technology, and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).
- HIN/HIE means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:
- Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
- That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.
Different Actors Are Held to Different Standards
Health care providers. If the Actor is deemed to be a health care provider, an information blocking offense can only have occurred if the provider knew that their practice was unreasonable and likely to interfere with access, exchange, or use of EHI.
Developers of Heath IT and HIN/HIE. If the Actor develops or offers certified health IT or is a health information network/health information exchange (HIN/HIE), an information blocking offense may have occurred if that Actor knew or should have known that their practice is likely to interfere with access, exchange, or use of EHI.
A Health Care Provider Is Not Always Just a Health Care Provider
Actors regulated by the Information Blocking Rule are not regulated based on who they are or what type of entity they are — but rather based on the capacity in which they are acting. An important ramification of this is that a health care provider could be regulated as a health IT developer of certified health IT or as a HIN/HIE based on its practice at issue. Thus, it is critical to understand which “hat” an Actor is wearing, because the capacity in which an Actor is acting can determine the standard that applies (see The Elements of an Information Blocking Offense above) and the applicable penalties for a violation.
Possible Penalties and Enforcement Timelines: Up to $1 Million Per Violation and/or Appropriate Disincentives
As discussed above, there are two different penalty structures — one for violations by health IT developers and HINs/HIEs, and one for violations by health care providers.
- Health IT Developers and HINs/HIEs are subject to civil monetary penalties of up to $1 Million per violation. While compliance with the rule is required on and after April 5, 2021, the date upon which CMP enforcement will commence is subject to the OIG issuing a final rule (the OIG published a proposed rule on April 24, 2020). The OIG indicated in the proposed rule that the enforcement date could be either 60 days after the rule is finalized or a specific date to be established by the final rule.
- Health care providers will be subject to yet-to-be-defined “appropriate disincentives” for violations of the Information Blocking Rule. What those “appropriate disincentives” will be and how they will be determined and assessed are subject to a future rulemaking.
An Introduction to the Information Blocking Exceptions
An Actor’s practice that is covered by one of the eight exceptions in 45 CFR part 171 will not be deemed to be information blocking. In order to qualify for an exception, the Actor must have met all applicable requirements and conditions of an exception at all relevant times. The two categories of exceptions are: (1) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
As a preview of the next client alert, below you will find a listing of each exception title.
- Exceptions That Involve Not Fulfilling Requests to Access, Exchange, or Use Electronic Health Information
- Preventing harm exception. When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm not be considered information blocking?
- Privacy exception. When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy not be considered information blocking?
- Security exception. When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?
- Infeasibility exception. When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request not be considered information blocking?
- Health IT performance exception. When will an actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information not be considered information blocking?
- Exceptions That Involve Procedures for Fulfilling Requests to Access, Exchange or Use Electronic Health Information
- Content and manner exception. When will an actor's practice of limiting the content of its response to or the manner in which it fulfills a request to access, exchange, or use electronic health information not be considered information blocking?
- Fees exception. When will an actor's practice of charging fees for accessing, exchanging, or using electronic health information not be considered information blocking?
- Licensing exception. When will an actor's practice to license interoperability elements in order for electronic health information to be accessed, exchanged, or used not be considered information blocking?