ONC Releases Final Information Blocking Rule; Compliance Challenges Lie Ahead
On May 1, 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) of the Department of Health and Human Services (“HHS”) published its final rule implementing certain provisions of the 21st Century Cures Act (“Cures Act”). The final rule has two areas of focus—implementing certain certification requirements for health IT developers and establishing reasonable and necessary activities that do not constitute information blocking. The final rule is described by ONC as “historic” and “transformative” and “the most extensive health care data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.” The final rule has a patient-centered focus, eliminating barriers to patient access to health information (either through APIs or directly from providers) or exchange of data between providers for treatment. As a corollary to this final rule, CMS issued a new Condition of Participation for all Medicare and Medicaid Participating Providers requiring participating hospitals to notify another health care facility or community provider when a Medicare or Medicaid beneficiary is admitted so that the provider can reach out to the patient to better coordinate care.
You might be asking—what is information blocking? As defined in the final rule, information blocking means a practice that, unless it is required by law or fits an exception, is “likely to interfere with access, exchange, or use of electronic health information” and which the health IT developer, health information network or exchange, or health care provider (collectively “Actors”) either knew (in the case of providers) or knew or should know (in the case of the remaining Actors) would likely interfere with or materially discourage access, exchange, or use of electronic health information.
As required by the Cures Act, the final rule defines practices that do not constitute information blocking. The final rule establishes two categories of exceptions (denials-based exceptions and procedures-based exceptions) and eight total exceptions for an Actor’s conduct that would not be considered information blocking, even though it might otherwise be likely to interfere with the access, exchange or use of electronic health information. While the definition of information blocking is broad, the exceptions are extremely narrow, and ensuring that there are proper policies and other documentation to support the practice will be more critical than ever. For example, to rely on the “Security Exception,” a provider will need to show that the practice is directly related to safeguarding the confidentiality, integrity and availability of electronic health information; is tailored to the specific security risk being addressed; is implemented in a consistent and non-discriminatory manner; and either aligns with both written policy and one or more consensus-based standards or there is documentation of a case-by-case determination that the practice is necessary to mitigate a security risk and there is no reasonable and appropriate alternative. As noted in the preamble, “the overarching purpose of the Security Exception is to provide flexibility for reasonable and necessary security practices while screening out practices that purport to promote the security of EHI but that otherwise unreasonably and/or unnecessarily interfere with access, exchange and use of EHI.” While providers have recently faced heightened government scrutiny over information security programs (and criticism for not enough security) as more threats to electronic health information exist than ever before, providers will now have to defend each practice that could be interpreted to interfere with exchange of data as narrowly tailored to address a specific risk.
Other denials-based exceptions involve preventing harm, ensuring privacy, infeasibility, and health IT performance. Each is equally nuanced and narrow. Penalties for non-compliance by providers will be in the form of “appropriate disincentives,” which are awaiting further rule-making. While it will take some time for the industry to fully understand and implement the final rule, there is not much time to do so—compliance is required by November 2, 2020. One thing is clear—a health care provider’s approach to exchanging health information (with patients, other providers, and third parties) will need to be completely re-evaluated in light of this new rule.