Office of the National Coordinator for Health Information Technology Interoperability and Information Blocking Final Rules: Top Concerns for Health Information Technology Companies and Developers | Goodwin
Effective April 5, 2021, health information technology companies and developers are required to comply with the information blocking provisions of the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Technology Coordinator. Health Information (ONC) Information Blocking Final Regulation (âFinal Ruleâ), implementing specific provisions of the 21st Century Cures Act (the âCures Actâ). The objective of the final rule is to (i) promote interoperability and support the access, exchange and use of electronic health information; and (ii) reduce the burdens and costs associated with access to electronic health information and reduce the occurrences of information blocking.
Although compliance with the final rule is required, the enforcement mechanisms continue to evolve and are not yet final. This gives companies and developers of health information technology (âhealth informaticsâ) the time and opportunity to familiarize themselves with the final rule and exceptions outlined by the ONC.
What does the final rule require or prohibit?
The final rule prohibits so-called “actors” from engaging in information blocking practices, such as interfere with, prevent or significantly discourage the use, access and exchange of electronic health information. An âActorâ is any person or entity that is (i) a healthcare provider, (ii) a healthcare IT developer, (iii) a health information network and / or (iv) a exchange of health information. There is no obligation to proactively make electronic health information available, but such entities must not engage in information blocking practices in response to a legal request for electronic health information.
What is information blocking and why is it not recommended? What are the examples of information blocking?
The final rule was enacted by the ONC because Congress expressed concern that healthcare IT companies were knowingly interfering with the free exchange of information. Blocking of information is such a practice and involves all efforts that could materially discourage access, use and / or exchange of electronic information when the entity knows the practice is likely to do so.
The types of behavior that would be considered information blocking include (i) refusing to provide electronic health information or ignoring reasonable requests; (ii) impose unreasonable limitations on the use or requests for access to share electronic health information; (iii) establish contracts, business associate agreements, license conditions and / or policies that would unnecessarily restrict the sharing of electronic health information; and (iv) configure the technology to limit interoperability.
In other words, if an electronic health records platform were to restrict its software so that a user could export electronic health information for their own use at no cost, but any request for transfer or transfer exchange of electronic health information to a competitor’s platform would require a fee, the business of the business would likely be considered improper information blocking under the final rule.
What is electronic health information?
“Electronic health information” includes protected electronic health information (“ePHI”) as defined in HIPAA, if such ePHI is maintained in a set of records designated by HIPAA (“DRS”). However, unlike HIPAA, the new information blocking regulations do not apply to handwritten or verbal health data. Additionally, it is important to note that records do not have to be used or maintained by or for any HIPAA covered entity to fall within the definition of electronic health information.
Which body is responsible for applying the final rule?
The Cures Act empowers the Office of the Inspector General (“OIG”) to investigate any allegation of information blocking. Healthcare information technology companies and developers could face up to $ 1,000,000 in civil monetary penalties per violation. If an OIG’s investigation determines that an actor has engaged in information blocking activities, the OIG will direct the provider to the appropriate agency to address the alleged violation (for example, a life violation private HIPAA would be referred to the Civil Rights Office to remedy the violation). The OIG has published a proposed application rule outlining application priorities and requested comments on the proposed rule. Any behavior prior to the date of entry into force of the OIG rule will not be subject to civil monetary penalties.
How does the final rule impact the health information sharing community and IT companies and enterprises?
Businesses need to ensure that current privacy policies and practices for sharing electronic health information comply with the final rule. Business providers and healthcare IT systems also need to ensure that the information infrastructure simultaneously protects the transfer of electronic health information and facilitates the flow of electronic health information between healthcare IT systems. Businesses should also review current agreements with business partners and consider any updates that may be required to comply with new information blocking regulations.
In addition, companies may also consider implementing a policy and procedure covering the review of all proposed transactions and arrangements, which involve the transfer of electronic health information, to ensure compliance with the final rule. This is especially important for healthcare IT companies to consider as developers and managers of software solutions for vendors and other customers.
As regulators continue to push for accountability in the healthcare IT industry and ultimately improved general patient care, healthcare IT developers and companies must welcome and adopt software and technologies that facilitate compliant sharing of electronic health information.