The 21st Century Cures Act (Cures Act) is a law enacted in December 2016 that promotes electronic health information (EHI) interoperability, defines information blocking and prohibits information blocking by “actors,” which are one of the following: health information networks (HINs), health information exchanges (HIEs), health information technology developers of certified health IT and health care providers.

Congress directed the Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) to identify reasonable and necessary activities that do not constitute information blocking.

The ONC Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (Information Blocking Rule) implements certain provisions of the Cures Act and finalizes eight exceptions that offer actors certainty that when their practices for access, exchange or use of EHI meet the conditions of one or more exceptions, the practices will not be considered information blocking.

An actor’s practice that does not meet an exception does not automatically constitute information blocking but will be evaluated on a case-by-case basis to determine if information blocking has occurred.

Definition:

Information blocking is an action by an actor, a HIN, HIE, health information technology developer of certified health IT, or health care provider that is likely to prevent or materially discourage the access, exchange, or use of electronic health information (EHI) unless required by law or specified by the Secretary HHS as a reasonable and necessary activity.

The term electronic health information (EHI) is defined as the electronic protected health information (ePHI) in a designated record set (as defined by HIPAA) regardless of whether the records are used or maintained by or for a covered entity.  EHI does not include psychotherapy notes or information compiled for legal actions or proceedings

The ONC Cures Act Final Rule (Information Blocking Rule) defines “access,” “exchange,” and “use” as follows:

“Access” is the ability or means necessary to make EHI available for exchange, use, or both.

“Exchange” is the ability for EHI to be transmitted between and among different technologies, systems, platforms, or networks; and is inclusive of all forms of transmission such as bidirectional and network-based transmission.

“Use” is the ability for EHI to be understood and acted upon once accessed or exchanged. “Acted upon” includes the ability to read and write and is also bidirectional.

All actors are subject to ONC’s Information Blocking rules as of April 5, 2021.

The Cures Act specified four types of entities referred to as “Actors” who must comply with information blocking requirements:

  • Health care providers
  • Health IT developer of certified health IT; and
  • Health Information Networks (HINs) or HIEs (HIN and HIE are combined into one defined type in the Final Rule).

All Actors will be subject to ONC’s Information Blocking rules and regulations on April 5, 2021.

Information Blocking and HIPAA Considerations

Under IBR most EHI requests for access or disclosure are required, unless they meet an exception or are prohibited by other law.  This includes HIPAA and other federal or state laws and court orders.

The IBR and HIPAA should be aligned to in policies and procedures on access, uses and exchange of EHI for treatment, payment and health care operations and potential changes to the notice of privacy practices and business associate agreements.

Analysis of Information Blocking:

The analysis of whether blocking occurred depends on facts and circumstances and the answers to the following:

  • Was this an actor?
  • Did the actor have control over the EHI?
  • Was this an impermissible interference?
  • Did the actor have intent?

Examples of Information Blocking:

Practices that could constitute information blocking:

Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);

Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI;

Implementing health IT in ways that are likely to restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems;

Limiting or restricting the interoperability of health IT, such as disabling or restricting the use of a capability that enables sharing EHI with users of other systems or restricting access to EHI by certain types of persons or purposes that are legally permissible, or refusing to register a software application that enables patient access to their EHI (assuming there is not a legitimate security reason that meets the conditions of the Security Exception, discussed further below);

Implementing health IT in ways that are likely to lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

Acts that lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT; and

Restrictions on access, exchange, and use, such as may be expressed in contracts, license terms, EHI sharing policies, organizational policies or procedures or other instruments or documents that set forth requirements related to EHI or health IT, such as Business Associate Agreements (BAAs).

Exceptions:

The reasonable and necessary activities identified by ONC that do not constitute information blocking includes two categories of eight exceptions:

Not fulfilling requests to access, exchange, or use EHI

1. Preventing Harm Exception

It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

2. Privacy Exception

It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

3. Security Exception

It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

4. Infeasibility Exception

It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

5. Health IT Performance Exception

It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

Procedures for fulfilling requests to access, exchange, or use EHI

6. Content and Manner Exception

It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

7. Fees Exception

It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

8. Licensing Exception

It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

Potential Penalties:

The Cures Act defines a potential penalty of up to $1 million per violation for health IT developers and information networks as determined by the Office of the Inspector General to have engaged in information blocking. Physician actors and other healthcare providers, on the other hand, will be referred to CMS if they have made a fraudulent attestation under the MIPS Promoting Interoperability Program or to the Office for Civil Rights if there is a potential HIPAA violation. There may be further regulations from OIG outlining additional penalties for providers violating the information blocking rules.

Information blocking complaints may be submitted through ONC’s online Health IT Feedback Form.

The Cures Act has specified that information blocking claims and any information received by ONC in connection with a claim of information blocking are generally protected from disclosure under the Freedom of Information Act.

Contact HIPAA Associates for more information and assistance with your Information Blocking concerns.