By ROSE WILLIS
In the world of health information technology, “information blocking” generally refers to actions that discourage the interoperability of electronic health information except when necessary to comply with law (e.g. HIPAA). The concept applies to a range of problematic activities from charging patients unreasonable fees for copies of their electronic medical record to a software system’s inability to transfer records to a healthcare provider’s new electronic medical record system. Ultimately, information blocking hinders the desired full interoperability and exchange of electronic healthcare information (EHI).
The Federal Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC) released a Final Rule on May 1, 2020 (the Final Rule), which implements the information blocking provision of the 21st Century Cures Act, enacted in 2016. The information blocking provision applies to health care providers, health IT (HIT) developers and health information exchanges/networks (HIEs).
The Final Rule defines information blocking broadly as any practice that is likely to interfere with, prevent or materially discourage access, exchange or use of EHI when the actor knows it is likely to do so. Under this definition, information blocking is an “intent based” action that can take many forms, such as:
• A healthcare provider charging an unreasonable fee associated with a patient’s access to their EHI (any fee is deemed inherently suspect, as it is determined that there are few reasons to charge an individual for access to their EHI)
• Activities that increase the cost, complexity, or other burdens associated with accessing, exchanging, or using EHI
• Activities that limit the utility, efficacy or value of EHI that is accessed, exchanged or used, such as by diminishing the integrity, quality, completeness, or timeliness of the data
• The exercise of information technology rights by a HIT developer.
The Final Rule sets forth different levels of “knowledge” of when an action is intended as information blocking. HITs and HIEs are held to the highest standard of knowledge covering instances of when they “should have known” even if they did not actually know about information blocking practice. Healthcare providers are held to a somewhat lesser standard of knowledge covering instances of when they “actually” know that their practice constitutes information blocking.
Given the breadth of this definition, the Final Rule sets forth seven exceptions to the information blocking definition that apply to actions which otherwise technically meet the information blocking criteria. The titles of the seven exceptions are set forth below; however, it should be noted that each exception is complex in application and tied to multiple definitions and conditions:
1. Practices that are reasonable and necessary to prevent harm to a patient or another person.
2. Privacy Exception applicable to an actor’s practice of not fulfilling a request to access, exchange, or use EHI in order to protect an individual’s privacy
3. Security Exception applicable to a practice likely to interfere with access, exchange, or use of electronic health information in order to protect the security of EHI
4. Maintaining and improving health IT performance
5. Content and Manner Exception, applicable to an actor’s practice of limiting the content of its response to or the manner in which it fulfills a request to access, exchange, or use EHI
6. Fees Exception, applicable to an actor’s practice of charging fees for accessing, exchanging, or using EHI
7. Licensing Exception, applicable to an actor’s practice to license interoperability elements in order for EHI to be accessed, exchanged, or used
Overall, the Final Rule turns information blocking into an illegal practice subject to a facts and circumstances review and tied to potentially severe penalties for violations, with proffered exceptions acting as safe harbors that are complicated to apply. To move forward with ensuring compliance under the information blocking rule, healthcare providers need to ensure that privacy and security policies and procedures are in effect and update those policies and procedures to conform to the conditions specified in the exceptions listed above. Additionally, healthcare providers should engage a qualified attorney or consultant to assist with conducting a risk analysis of whether and how the information blocking rule and exceptions are applicable to their operations and further update privacy and security policies and procedures to incorporate results of this analysis. Additional helpful information about the information blocking rule can be found on ONC’s website located at https://www.healthit.gov/topic/information-blocking.