As of April 5, 2021, health care providers, health information exchanges, health information networks, and certified health IT developers are subject to the 21st Century Cures Act Information Blocking Rule.
The changes necessitated by the Information Blocking Rule are daunting.
Jonathan Klock, South Dakota 2012, is legal counsel with Gundersen Health System in La Crosse, where his health law practice focuses on privacy, sustainability, contracting, and infection control.
A diverse team of stakeholders within the health care space spent the better part of last summer and fall working to develop policies, plans, educational materials, workflows, software adjustments, and patient materials as part of a comprehensive Information Blocking Rule compliance plan. The Nov. 2, 2020, effective date for the 21st Century Cures Act Information Blocking Rule was coming like a freight train and, to the extent possible, it was all-hands-on-deck to be ready by the applicability date.
Many health care systems found themselves bogged down with pandemic related obligations, and combined with scarcity of resources, Information Blocking compliance wasn’t a priority. The Office of the National Coordinator for Health Information Technology (ONC) recognized the strain the pandemic had put on the health care industry and offered a reprieve on the effective date for the Information Blocking Rule until April 5, 2021.
That reprieve is over, and this article offers highlights and tips for health care providers working toward compliance.
About the Information Blocking Rule
In 2016, President Obama signed the 21st Century Cures Act into law. Among many of its goals was to promote health information interoperability, and to dissuade practices blocking health information that otherwise should be disclosed.
The ONC Cures Act Final Rule established what is colloquially known as the Information Blocking Rule. The Information Blocking Rule applies to health care providers, health IT developers of certified health IT, and health information networks or health information exchanges (actors).
The Information Blocking Rule generally prohibits actors from engaging in practices that are likely to interfere with the access, exchange, or use of electronic health information (EHI). Health care providers must know the practice is likely to interfere with the access, exchange, or use of EHI.
The meaning of EHI will change over time to allow for actors to adapt to the changing landscape. Until Oct. 5, 2022, EHI will be limited to the data elements contained in the U.S. Core Data for Interoperability (USCDI).
Exceptions to the Information Blocking Rule
With every rule there are exceptions. The Information Blocking Rule has eight exceptions. For most health care providers, these three exceptions may prove most useful:
1) The Preventing Harm Exception. This exception permits actors (subject to certain requirements) to take narrowly tailored steps that the actor reasonably believes are necessary to substantially reduce a risk of harm to a patient or other person.
The risk of harm must arise from an individual assessment by a health care professional with a current or prior clinical relationship with the patient about whom the EHI relates, or arise from misidentified or mismatched, corrupt, or otherwise erroneous data. The ONC advises that the types of harm giving rise to the applicability of this exception are the same, which may serve as grounds for denial of access under HIPAA (164.524(3)(i)).
Even if the actor genuinely believes the delay or denial of access is in the patient’s best interest, the practice may be impermissible if the practice does not meet an exception. Actors should ensure that health care professionals understand the particulars of the types of harm that justify using this exception.
2) The Privacy Exception. Actors may rely on the privacy exception when an access, exchange, or use of EHI is not fulfilled in order to protect an individual’s privacy. Acceptable reasons for an actor to refuse a request to access, exchange, or use of an individual’s EHI are:
complying with required preconditions to release is contained in federal or state privacy regulations;
permitted denials that align with HIPAA’s unreviewable grounds for denial in 45 CFR 45 CFR 164.524(a)(1) and (2); and
following an individual’s request not to share the information.
Actors should note: ONC guidance indicates that the intent of this exception is not to enable actors to withhold requested access, exchange, or use of EHI that is permitted under applicable privacy laws. Rather, this exception provides actors protection when requested access, exchange, or use of EHI is prohibited by state or federal privacy laws.
3) The Infeasibility Exception. This exception acknowledges that an actor may not be technically or legally able to provide the requested access, exchange, or use of EHI. This exception requires certain conditions to be met, but it is not information-blocking if the actor does not fulfill the request due to practical infeasibility. An actor is required to notify the requester of the reasons why the request is infeasible within 10 business days.
This exception may be particularly useful when evaluating requests for EHI that are comingled with EHI that the actor may not provide, and the permissible EHI cannot be segmented from the impermissible EHI – then the actor cannot fulfil the request.
Information Blocking Rule is not strict liability – meaning, failure to meet an exception does not mean an actor is not in compliance with the rule. The final rule plainly states, “to implicate the information blocking provision is not necessarily to violate it.” The ONC will assess each scenario to determine if the actor has requite intent, and whether the circumstances rise to the level of interference, to determine if the practices violate the rule.
Health care providers are not subject to civil monetary penalties for Information Blocking Rule noncompliance, but the final rule does describe financial disincentives applicable to health care providers. Those disincentives have not yet been finalized. HIN/HIE’s and Certified Health IT Developers are subject to civil monetary penalties up to $1,000,000 per violation.
1) When developing practices aimed at ensuring compliance with the Information Blocking Rule, actors should include stakeholders from a broad spectrum of organizational practice areas. Health information management, compliance, legal, revenue cycle, information systems, and representatives from a multitude of clinical areas are all essential voices to develop and implement effective Information Blocking Rule practices. The initial phase must include educating the stakeholder groups so they are able to highlight the compliance challenges their respective areas will face. Those challenges will form important elements of your compliance plan.
2) Documentation is crucial both from a planning and policymaking perspective as well as at each instance of application of an exception. Every decision point should be documented, especially approved practices that interfere with the access, exchange, or use of EHI. Defining what is approved, why it is approved, the exceptions that apply and the rationale for why the actor believes the exception applies. Documentation strengthens a reasonableness argument and enables actors to provide any required rationale for a denial to affected requestors.
3) To a large degree, compliance is driven by clinicians. Decisions to restrict access, exchange, or use of EHI often must be made when the EHI is created. Education and training about the required elements of an exception is essential. Providing resources for self-education following formal training empowers clinicians to have the resources to make the correct determination when a consult is not possible. Documenting those decision points allows for auditing and process improvement when there is misapplication of rules.
4) Cleary identify roles employees will play. Education may not be about the nuts and bolts of information blocking – it may be as simple as directing staff where to route inquiries to ensure they are processed correctly by staff with indepth knowledge.
Health care providers should not overlook the additional compliance obligations and financial penalties applicable to HIN/HIEs and Certified Health IT Developers. A single entity may meet the definition of more than one category of actor.
Where to Find Out More
ONC’s website, healthit.gov, is extraordinarily helpful. It has highly digestible fact sheets, FAQs that are periodically updated, webinars, and the final rule with comments.
This article was originally published on the State Bar of Wisconsin’s Health Law Blog. Visit the State Bar sections or the Health Law Section web pages to learn more about the benefits of section membership.