The U.S. Department of Health and Human Services (HHS) issued eagerly anticipated and hotly debated companion interoperability and information blocking final rules that are expected to transform the way in which certain health care providers, health information technology (IT) developers, and health plans share patient information. The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health claims information electronically through the application of their choosing.
Major provisions of each final rule are highlighted below. Note that the final rules have not yet been formally submitted to the Federal Register, so some of the precise effective dates are still to be determined.
ONC Final Rule
For Providers, Health Information Networks or Exchanges, and Health IT Developers
- Prohibition on Information Blocking. Effective six months following the publication of the final rule, health care providers, health IT developers of certified health IT, and health information exchanges and networks, are banned from “information blocking.” Information blocking is defined in the rule as engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information (EHI) and, if (a) conducted by a health IT developer or health information network or exchange, such developer, network or exchange knows, or should know – or (b) if conducted by a health care provider, such provider knows – the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
- EHI means electronic protected health information (EPHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. This EHI definition will be effective 24 months after the publication of the final rule. In the interim, for purposes of information blocking, EHI is limited to the EHI identified by the data elements represented in the U.S. Core Data for Interoperability (USCDI) standard.
- Health care providers include health care facilities, entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of health care provider in the Final Rule to cover all individuals and entities covered by HIPAA. However, the final rule leaves this door open by giving the Secretary of HHS discretion to expand the definition of health care provider to any other category the Secretary deems appropriate by future rulemaking.
- Examples of Information Blocking. According to ONC, information blocking practices could involve, among other things: formal restrictions in contract or licensing terms; limiting or restricting the interoperability of health IT through organizational policies or procedures or other EHI or health IT documentation; information restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange.
- Information Blocking Exceptions. The final rule identifies eight activities as exceptions to information blocking. According to ONC, the exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met. Each exception falls into one of two categories: (i) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
- Penalties for Information Blocking. Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on the actor. Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation, while health care providers who violate the information blocking provisions may face unspecified disincentives for violations, to be determined by the appropriate HHS department or agency in subsequent rulemaking.