As of April 5, 2021, health information technology companies and developers are required to comply with the information blocking provisions of the Centers for Medicare and Medicaid Services’ (CMS) and the Office of the National Coordinator for Health Information Technology’s (ONC) Information Blocking Final Regulation (“Final Rule”), implementing specific provisions of the 21st Century Cures Act (the “Cures Act”). The objective of the Final Rule is to (i) promote interoperability and support the access, exchange, and use of electronic health information; and (ii) reduce burdens and costs related to accessing electronic health information and to reduce occurrences of information blocking.
While compliance with the Final Rule is required, enforcement mechanisms are still evolving and are not yet final. This affords health information technology (“Health IT”) companies and developers the time and opportunity to familiarize themselves with the Final Rule and the exceptions outlined by the ONC.
What does the Final Rule require or prohibit?
The Final Rule prohibits so-called “Actors” from engaging in information blocking practices—such as interfering, preventing, or substantially discouraging the use, access, and exchange of electronic health information. An “Actor” is any individual or entity that is a (i) health care provider, (ii) developer of Health IT, (iii) health information network, and/or (iv) health information exchange. There is no duty to proactively make electronic health information available, but these entities must not engage in information blocking practices in response to a legal request for electronic health information.
What is information blocking and why is it discouraged? What are examples of information blocking?
The Final Rule was promulgated by the ONC because Congress expressed concern that Health IT companies were knowingly interfering with the free exchange of information. Information blocking is such a practice, and involves any efforts that are likely to materially discourage the access, use, and/or exchange of electronic information when the entity knows that the practice is likely to do so.
The types of behavior that would be considered information blocking include (i) refusing to provide electronic health information or ignoring reasonable requests; (ii) imposing any unreasonable limitations on the use or requests for access to share electronic health information; (iii) establishing contracts, business associate agreements, licensing terms, and/or policies that would unnecessarily restrict the sharing of electronic health information; and (iv) configuring technology in a way to limit interoperability.
Put another way, if an electronic health record platform were to restrict its software such that a user is able to export electronic health information for its own use without a fee, but any request to transfer or exchange electronic health information to a competitor’s platform would require a fee, the company’s activity would likely be considered inappropriate information blocking under the Final Rule.
What constitutes electronic health information?
“Electronic health information” includes electronic protected health information (“ePHI”) as defined under HIPAA, if such ePHI is maintained in a HIPAA designated record set (“DRS”). However, unlike HIPAA the new information blocking regulations do not apply to hand written or verbal health data. Additionally, it is important to note that records do not have to be used or maintained by or for a HIPAA covered entity to fall within the definition of electronic health information.
What agency is responsible for enforcement of the Final Rule?
The Cures Act authorizes the Office of Inspector General (“OIG”) to investigate any allegations of information blocking. Health IT companies and developers could face up to $1,000,000 in civil monetary penalties per violation. If an OIG’s investigation and determines that an Actor has engaged in information blocking activities, the OIG will refer the provider to the appropriate agency to address the alleged violation (e.g. a HIPAA privacy violation would be referred to the Office for Civil Rights to address the violation). The OIG has issued a proposed rule for enforcement outlining enforcement priorities and has requested input on the proposed rule. Any conduct prior to the effective date of the OIG’s rule will not be subject to civil monetary penalties.
How does the Final Rule impact the health information sharing community and Health IT companies and businesses?
Companies should ensure current privacy policies and practices with respect to sharing electronic health information comply with the Final Rule. Companies’ vendors and Health IT systems should also ensure that the information infrastructure simultaneously protects the transfer electronic health information and facilitates the flow of electronic health information between Health IT systems. Companies should also review current business associate agreements and consider any updates that may be necessary to comply with the new information blocking regulations.
Additionally, companies may also want to consider implementing a policy and procedure that covers the review of all proposed transactions and arrangements, which involve the transfer of electronic health information, to ensure compliance with the Final Rule. This is especially important for Health IT companies to consider as developers and managers of software solutions for providers and other customers.
As regulators continue to push for accountability in the Health IT industry and ultimately the improvement of overall patient care, Health IT developers and businesses must welcome and embrace software and technologies that facilitate compliant sharing of electronic health information.
Follow our blog to receive additional updates and alerts on the Final Rule and the OIG’s proposed final rule. Our health care regulatory team intends to publish more in-depth guidance on the nuances of these regulations for Health IT companies and developers.
The post The Office of the National Coordinator for Health Information Technology Interoperability and Information Blocking Final Regulation: Key Concerns for Health Information Technology Companies and Developers appeared first on Life Sciences Perspectives.