
The compliance date for the federal government’s information blocking provisions of the 21st Century Cures Act final rule is currently set for April 5, 2021. This multifaceted regulation, released by the Office of the National Coordinator for Health Information Technology (ONC), generally prohibits physician practices from interfering with the access, exchange, and use of electronic health information.
Information Blocking was included in the 21st Century Cures Act of 2016. In general, information blocking is an action by a health care provider, health IT developer of certified health IT, health information network (HIN), or health information exchange (HIE) that, except as required by law or specified by HHS as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).
In the final rule the Office of the National Coordinator for Health Information Technology (ONC) explained that a policy or action that limits timely access to information in an appropriate electronic format creates a reasonably foreseeable likelihood of interfering with the use of the information. The agency noted that whether the risk of interference is reasonably foreseeable will depend on the particular facts and circumstances attending the action at issue.
A medical group may violate the information blocking rule if it knowingly takes actions that interfere with exchange, access, and use of EHI, even if no harm is caused. A medical group, for example, may have a policy that restricts access to patient lab results for a certain amount of time to permit review by a clinician. Even if patients are not aware there is a delay, ONC is concerned that an action that is merely “likely” to interfere with the access, use, or exchange of EHI could be considered information blocking. Similarly, a medical group that has the capability to provide a patient same-day access to their results, but takes several days to respond, could also be considered an information blocker.
For the first two years (currently defined as until October 6, 2022), medical groups must respond to a request to access, exchange, or use EHI with, at a minimum, the EHI identified in the United States Core Data for Interoperability Version 1 (USCDI).
The USCDI data elements include:
- Allergies and Intolerances
- Assessment and Plan of Treatment
- Care Team Members
- Clinical Notes
- Goals
- Health Concerns
- Immunizations
- Laboratory
- Medications
- Patient Demographics
- Problems
- Procedures
- Provenance
- Smoking Status
- Unique Identifier of an Implantable Device
- Vital Signs
Note that medical groups are only required to report the data elements that they have captured.
For example, it would not be considered information blocking if the patient’s “smoking status” were not captured and thus not made available to the requestor. On and after the initial two-year period, a medical group must respond to a request to access, exchange, or use EHI with EHI defined more broadly. This would include medical records, billing records, payment and claims records, case management records, and other records used, in whole or in part, by or for a medical group to make decisions about individuals.
EHI does not include:
• Psychotherapy notes
• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
• De-identified health information
What makes a medical group a potential information blocker? The elements of information blocking include:
• The medical group is regulated by the information blocking provisions.
• The action involves EHI.
• The action is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
• Knowledge of the action by the medical group.
• The action is not required by law.
Section 4004 of the Cures Act defined actions that constitute information blocking and authorized the HHS Secretary to identify reasonable and necessary activities that do not constitute information blocking (referred to as “exceptions”). There are two categories of exceptions:
- Exceptions that involve not fulfilling requests to access, exchange, or use EHI.
- Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
Patients are permitted to request that their health information be made available to a third-party app that they designate themselves. There is concern that these apps may not be secure and that they could compromise the confidentiality of the health information. In the 2020 final rule, however, ONC makes it clear that while the medical group can educate the patient and warn them about the potential dangers associated with releasing their health information to a third-party app, the group cannot prevent the data from being accessed by the app.
Section 4004 of the Cures Act defines a potential penalty of up to $1 million per violation for health IT developers and information networks determined by the Office of the Inspector General to have engaged in information blocking. Physicians and other healthcare providers, on the other hand, will be referred to CMS if they have made a fraudulent attestation under the MIPS Promoting Interoperability Program or to the Office for Civil Rights if there is a potential HIPAA violation. We are expecting regulations from OIG outlining additional penalties for providers violating the information blocking rules.
We believe the goal is to allow patients access to, and the ability to direct sharing of, their Protected Health Information (PHI). The concept of interoperability is key to improved patient care. However, setting up the appropriate infrastructure for this regulation will be challenging for physician organizations, as they are still in the process of dealing with the pandemic.