ONC’s Information Blocking Restrictions: What They Are and Where We Stand One Year In
In this article for Legaltech News, attorneys Jordan Cohen, Robert Kantrowitz and Dylan Mason discuss the implications of the Office of the National Coordinator for Health Information Technology's (ONC) interoperability requirements and standardization process for the public to report claims of potential information blocking.
The federal government marches on with its push for more fluid data access and exchange among healthcare providers, their patients, and other industry stakeholders. To this end, regulators are instituting requirements to facilitate the flow of health information, to promote the interoperability of health information systems, and to prohibit the blocking of data transfers in certain circumstances.
The 21st Century Cures Act, passed by Congress in 2016, directed the Office of the National Coordinator for Health Information Technology (ONC) to implement a final rule for interoperability requirements and a standardization process for the public to report claims of potential information blocking, giving the Department of Health and Human Services (HHS) Office of Inspector General (OIG) the power to investigate claims of potential information blocking. The effective date for the final rule promulgated by ONC was April 5, 2021, with enforcement beginning on July 1, 2021.
According to ONC, the final rule was designed to provide patients and healthcare providers secure access to health information with a goal to increase innovation and competition and foster an ecosystem of new applications to allow patients more healthcare choices. The Rule calls on the healthcare industry to adopt standardized application programming interfaces (APIs), allowing individuals to securely and easily access structured electronic health information (EHI) using smartphone applications, and requiring patient access to their EHI, at no cost.
Generally, information blocking is an act by health IT developers of certified health information technology, health information networks, health information exchanges, or healthcare providers that is likely to interfere with access, exchange, or use of EHI. Such information blocking can apply to these actors in myriad contexts. For example, the fees that health IT developers have historically charged to health care providers to transfer EHI to a different health IT platform may now be considered information blocking. Similarly, implementing health IT in ways that substantially increase the complexity or burden of accessing, exchanging or using EHI, or that impede innovations and advancements in health information access, could also constitute information blocking. Another timely example is the failure to engage in the public health reporting of certain diseases to detect outbreaks and reduce spread of disease, such as with the COVID-19 pandemic and specific federal and state reporting requirements.
The rule provides exceptions for “reasonable and necessary activities” that ONC has identified as not constituting information blocking. Although what is “reasonable and necessary” is not specifically defined, the ONC has provided eight categories of activities that it would consider reasonable and necessary, in addition to detailed explanations of what these activities are in the Final Rule. The eight categories of exceptions are divided into two classes, (i) exceptions that involve not fulfilling requests to access, exchange or use EHI, and (ii) exceptions that involve procedures for fulfilling requests to access, exchange or use EHI.
The first class includes the preventing harm, privacy, security, infeasibility, and health IT performance exceptions. Under the security exception, for example, it would not be information blocking for an actor to interfere with the access, exchange or use of EHI in order to protect the security of EHI, provided certain conditions are met. The second class includes the content and manner, fees, and licensing exceptions. Under the fees exception, it would not be information blocking for an actor to charge fees (e.g., fees that result in a reasonable profit margin) for accessing, exchanging or using EHI, provided certain conditions are met.
The broad scope of the rule has been a source of uncertainty for industry players, including what may implicate the rule but still be exempt from enforcement. One area of uncertainty is whether delays may be legitimate and not an interference under the Final Rule. In an effort to clarify ambiguity, ONC has issued subsequent guidance and FAQs to assist stakeholders in interpretation of the key areas of the rule, including how it would view certain delays. For example, ONC explained, though the unique facts and circumstances of each situation would need to be evaluated, it is unlikely to be considered an interference and violate the rule so long as the delay, even a long delay, is no longer than necessary (e.g., to facilitate the full access, exchange, or use of EHI or comply with state law).
Another example is concern over prior agreements, such as business associate agreements (BAAs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) potentially violating the rule. This is because HIPAA not only allows for certain permissible disclosures, but covered entities and business associates under HIPAA have also negotiated terms that may restrict otherwise permissible disclosures under HIPAA. While HIPAA compliance may satisfy the privacy exception, covered entities and business associates may want to review and potentially revise their BAAs to account for the rule and not unnecessarily restrict the flow of PHI.
To enforce the rule, the act created a standardized process for the public to report claims of possible information blocking, with the OIG investigating any such claims. Third parties can report claims on behalf of patients and those regulated by the rule can also submit claims. According to ONC data, since April 2021 the vast majority of information blocking claims have come from patients alleging information blocking by healthcare providers, and we have yet to see significant actions against developers of health IT or health information networks/exchanges.