Healthcare providers focused on COVID-19 may have missed the final interoperability and information blocking rule released May 1, 2020, which comes into effect November 3, 2020. (45 CFR Part 171). The rule implements the 21st Century Cures Act and reinforces government efforts to enable the exchange of electronic health information (“EHI”) to facilitate better outcomes, reduce costs and improve the patient access to information. In general, the rule prohibits covered actors from blocking the flow of EHI; violations may result in significant civil penalties, as noted below.
Application to health care providers. The rule applies to healthcare providers, certified healthcare informatics developers,1 health information exchanges and health information networks (collectively referred to as “actors”). “Healthcare provider” is defined to include almost all entities providing health care, including physicians, practitioners, group practices, hospitals, long-term care facilities, clinics, ambulatory surgery centers and other entities deemed appropriate by HHS.2
Blocking of Prohibited Information. The rule generally prohibits “information blocking”, that is to saya practice that the health professional “knows3…. is unreasonable and is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information”4 unless (i) the practice is required by law, or (ii) the practice falls within one of the exceptions listed below. (45 CFR § 171.103(a)). Blocking of information may occur, for example, when a healthcare provider denies, ignores, delays, or imposes unreasonable conditions in response to EHI’s sharing requests, including requests from patients, other providers or payers. (See 85 FR 25811). This can occur when contracts, business associate agreements, licensing terms, or organizational policies unnecessarily restrict data sharing, or when technology is implemented, configured, or disabled in a way that limits the interoperability of the system. (85 FR 82511-12). The rule generally prohibits any practices that increase the cost, complexity, or burdens associated with accessing, exchanging, or using EHI, or that limit the usefulness, effectiveness, or value of the EHI, such as diminished data integrity, quality, completeness, or timeliness. (85 FR 25809). Ultimately, “[a]Any analysis of whether an actor’s practices amount to information blocking will depend on the particular facts and circumstances of the case”, including whether the action rises to the level of impermissible interference, whether the actor acted with the required intent and whether the actor had control of the EHI or the interoperability elements necessary to access, exchange or use the EHI in question. (85 FR 25811 and 25820).5
Information blocking allowed. The Rule does not prohibit the blocking of information in the following circumstances:
1. The practice is required by law, including federal or state laws, regulations, court orders, administrative rulings, etc.. For example, healthcare providers may not share or allow access to EHI in a manner that violates HIPAA or similar state privacy laws. To trigger this information blocking defense, however, the law must require the relevant conduct; actions taken in accordance with applicable laws, but not actually required by them, will not necessarily be protected. (85 FR 25794). As explained by HHS
[we do not require the disclosure of EHI in any way that would not … be permitted under the HIPAA Privacy Rule (or other Federal or State law). However, if an actor is permitted to provide access, exchange, or use of EHI under the HIPAA Privacy Rule (or any other law), then the information blocking provision would require that the actor provide that access, exchange or use of EHI so long as the actor is not prohibited by the law from doing so (assuming that no exception is available to the actor).
(85 FR 25812).
2. The healthcare provider did not know that the practice was “unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” This knowledge/intent element will be an important defense for healthcare providers. The OIG has confirmed that it “will not bring enforcement actions against actors who OIG determined made innocent mistakes (i.e., lack the requisite intent for information blocking).” (85 FR 22984).
3. The provider fits within a regulatory exception. The Rule includes eight exceptions — practices that HHS has determined to be reasonable and necessary even though they may interfere with information sharing. These exceptions function as safe harbors: so long as the healthcare provider’s practice satisfies all of the specific, often technical elements of the relevant exception, the practice will not constitute prohibited information blocking. Failure to satisfy an exception does not necessarily mean that the provider has engaged in information blocking; instead, the provider’s compliance would depend on the facts of the situation. (85 FR 25820). Five of the exceptions apply to the failure or refusal to fulfill requests to access, exchange or use EHI; three of the exceptions apply to situations in which the actor’s conditions on access, exchange or use may interfere with data sharing.
(a) Preventing harm. A healthcare provider may block EHI if he or she has a reasonable belief that the practice will substantially reduce a risk of harm to a patient or other person, e.g., to avoid the risk that corrupt or inaccurate data will be incorporated in the patient’s electronic health record, or upon a determination by a licensed healthcare professional that disclosure is likely to endanger life or physical safety of the patient or others. (See 84 FR 7524). The regulation has specific criteria that must be satisfied when evaluating the reasonableness of the practice and the risk of harm. (45 C.F.R. § 171.201; see 85 FR 25821-44).
(b) Protecting the patient’s privacy. A healthcare provider may block EHI if (i) state or federal privacy laws impose preconditions to access that have not been satisfied; (ii) HIPAA allows the provider to deny access to the individual; or (iii) the patient has requested that her/his information not be shared. In each of these situations, the provider must satisfy additional regulatory conditions. (45 C.F.R. § 171.202; see 85 FR 25844-25859).
(c) Protecting the security of the EHI. A healthcare provider may block EHI if necessary to safeguard the confidentiality, integrity and availability of the EHI consistent with (i) its organizational security policies or (ii) a specific determination that there are no reasonable, less obstructive alternatives to secure the EHI. (45 C.F.R. § 171.203; see 85 FR 25859-65).
(d) Access is infeasible. A healthcare provider may block access to EHI if (i) extraordinary circumstances beyond its control prevent the provider from fulfilling the request; (ii) the provider cannot segregate the requested EHI from other information that is not subject to access; or (iii) the provider demonstrates that responding to the request is not feasible due to, e.g., the type of information, cost, available resources, control of the relevant platform, etc. Within ten (10) days of the request, the provider must notify the requestor in writing of the reason for failing to provide the access requested. (45 C.F.R. § 171.204; see 85 FR 25865-70).
(e) Maintenance and improvement. A healthcare provider may temporarily block access to EHI if necessary for maintenance and improvement of the health IT. (45 C.F.R. § 171.205; see 85 FR 25870-75).
(f) Content and manner. A healthcare provider must generally provide access to the EHI content in the manner requested unless the provider is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the terms; however, the limits on fees or licenses described below do not apply. If the provider cannot grant access as requested or agreed, the provider must take reasonable steps to fulfill the request in an alternative manner consistent with specified technical standards. (45 C.F.R. § 171.301; see 85 FR 25875-79).
(g) Fees. A healthcare provider may charge reasonable fees for accessing, exchanging or using EHI so long as they are based on the provider’s costs and applied in a non-discriminatory manner as more fully described in the regulations. (45 C.F.R. § 171.302; see 85 FR 25879-88).
(h) Licensing. A healthcare provider may license interoperability elements so long as the provider begins licensing negotiations within ten days from the request and the license satisfies specified regulatory standards. Among other things, any royalty must be reasonable, and the license terms must be non-discriminatory. (45 C.F.R. § 171.303; see 85 FR 25888-97).
Penalties. On April 24, 2020, the Office of Inspector General (“OIG”) published a proposed rule that would allow the OIG to impose a fine of up to $1,000,000 for information blocking. (85 FR 22979; proposed 42 C.F.R. § 1003.1410). Under the proposed rule, the OIG would consider the following factors in determining the amount of the penalty: (i) the nature and extent of the information blocking; (ii) the resulting harm, including (a) the number of patients affected, (b) the number of providers affected, and (c) the number of days the information blocking persisted. (85 FR 22991; proposed 42 C.F.R. § 1003.1420). In the meantime, persons wishing to submit an information blocking complaint may do so through the HealthIT.gov website at https://www.healthit.gov/topic/information-blocking.
What You Must Do. Although enforcement is likely to be delayed for months, providers should begin now to prepare for the new rule by doing the following:
- Take advantage of the new rule. Providers should determine how the new Rule may benefit them by allowing them to obtain access to previously unavailable patient information. They should identify the information they may need to provide care more effectively and compete more efficiently. Savvy providers may differentiate themselves by being able to collect and utilize the improved flow of information for the benefit of their patients.
- Identify and educate stakeholders. The new Rule may affect many departments within a healthcare organization, including information technology, medical records, marketing, compliance, contracting, and more. Providers should identify and educate those persons and departments that will be responsible for making and responding to requests.
- Review EHI practices. Providers will need to review and update their policies and practices concerning requests for access by patients and third parties to avoid any information blocking issues. Among other things, they should ensure that their policies and practices do not inappropriately delay or impose unreasonable restrictions or roadblocks to information sharing. They should also establish processes for evaluating and responding to requests to access information and appropriate costs or limitations associated with such access. They should identify system capabilities as well as limitations that may justify a denial of a request to share information.
- Review EHI system functionality. Providers should review the functionality of their EHI platforms to ensure that that have not configured or disabled functionality in a way that would constitute information blocking. If necessary, they may need to enable previously unused functionality.Review contracts for offending terms. Providers should review their contracts relevant to EHI to ensure that they do not contain terms that would trigger the information blocking rule, including licensing agreements, software services, business associate agreements, and other EHI contracts. Providers may need to educate and push back vendors who include terms that would prohibit information sharing.
- Respond appropriately to requests for information sharing. When a request to access is made, providers should ensure that the request is directed to the right person—a person who understands the Rule and the EHI system’s functionality—to determine whether and in what manner the Rule would apply, then ensure that a timely and appropriate response is made.
- Watch for more guidance. We anticipate additional guidance as well as the final enforcement rule. Providers should continue to monitor industry association bulletins and other sources for developments concerning the Rule.
1Significantly, “health IT developers” do not include healthcare providers that self-develop health IT for their own use. (45 C.F.R. § 171.102, definition of health IT developer of certified health IT).
2“The term ‘healthcare provider’ includes a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, healthcare clinic, community mental health center … , renal dialysis facility, blood center, ambulatory surgical center …, emergency medical services provider, Federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician [including MDs, DOs, dentists, podiatrists, optometrists, and chiropractors]a practitioner [including physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists, certified nurse midwives, clinical social workers, clinical psychologists, and registered dieticians], tribal organization, rural health clinic, … outpatient surgical center, … therapist and any other class of health facility, entity, practitioner or clinician deemed appropriate by the Secretary. (42 USC § 300jj; 45 CFR § 171.102).
3For health informatics developers, health information networks, or health information exchanges, information blocking occurs if “that developer, network, or exchange knows, or should know, that such a practice is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information. (45 CFR § 171.103(a)(2), italics added).
4“Electronic Health Information” (“EHI”) generally means protected electronic health information to the extent that it would be part of a designated record set as defined in HIPAA, excluding (i ) psychotherapy notes; and (ii) information compiled within a reasonable time or for use in litigation. (45 CFR § 171.102). EHI will not include information that is not individually identifiable or that has otherwise been anonymized. (85 FR 25804). During the transition period until May 2, 2022, EHI includes only the specific data elements represented in the USCDI standard adopted at § 170.213. (45 CFR § 171.103(b)).
5The HHS commentary on the proposed and final rule contains helpful examples of blocking prohibited information. (See, for example84 FR 7518-21 and 85 FR 25811-18).