The Information Blocking Rule: What Healthcare Providers Must Know From The 21ST Century Cures Act
JUMP TO THE SECTION
When a patient struggles to gain timely access to their protected health information (PHI), a provider might get accused of information blocking activities. Although enforced under the HIPAA Privacy Rule, an individual's right to access their protected health information (PHI) is being addressed by another government agency.
Information blocking has been named a priority to the Office of the National Coordinator for Health Information Technology (ONC). Whether a reported situation was accidental or intentional, information blocking practices are subject to the ONC's enforcement discretion.
The 21ST Century Cures Act Final Rule Information Blocking Provision became active on April 5th, 2021. A year later, the resulting number of claims or submissions is a staggering amount that should capture the attention of healthcare organizations —Check out the ONC's Quick Stats of Information Blocking Claims.
Healthcare organizations must operate with the information blocking provision in mind and implement any necessary procedures. Here's how you can understand this critical aspect of the Cures Act, facilitate patient access to their electronic health information (EHI), and support the seamless and secure access, exchange, and use of EHI.
Overview of the Information Blocking Provision
So what exactly is information blocking? In the Cures Act Final Rule, ONC defines information blocking as a practice that is likely to interfere with, prevent, or discourage the access, exchange, or use of EHI, unless the action or omission is covered by an exception or otherwise required by law.
The information blocking provision is a push by the ONC to provide patients with more control over their health care information, including allowing patients access to their electronic medical records in a timely fashion, in the form and format requested. For example, patients can choose to use the patient portal of a provider or request access through a smartphone or software app. The goal is to avoid actions or practices that are likely to interfere with information sharing.
Even though information blocking has expressly been prohibited under the Cures Act (with some exceptions) since April 2021, providers are still struggling to update or develop policies and understand how the requirements will be enforced to ensure they comply with the information blocking provision.
Data visualization for information blocking claims was released on the ONC's Quick Stats dashboard. Since April 5th, 2021, when the Information Blocking Final rule was applied, ONC has received 299 information blocking portal submissions (of that total, it deemed 274 to be information blocking claims).
Cures Act Compliance
EHI Definition Changes:
Starting on October 6th, 2022, the definition of electronic health information (EHI) in the Cures Act expands beyond the EHI data classes listed below to include electronic protected health information (ePHI) as defined by HIPAA. In the HIPAA Privacy Rule, PHI is considered any identifiable health information used, maintained, stored, or transmitted by a covered entity. So, instead of being limited to the EHI data classes below, the definition of EHI will include information in a designated record set. In other words, EHI will consist of medical and payment records about a patient and any information used by providers to make decisions about patients.
EHI Definition Minimum Requirements:
As of April 2021, the definition of EHI includes data elements under the well-understood United States Core Data for Interoperability (USCDI v1) data classes. EHI must be made available to patients upon request. These are the minimum requirements under the Act and include:
- Allergies and Intolerances
- Assessment and Plan of Treatment
- Care Team Members
- Clinical Notes
- Health Concerns
- Laboratory Tests and Values/Results
- Patient Demographics
- Smoking Status
- Unique Device Identifier(s) for a Patient's Implantable Device(s)
- Vital Signs
Exceptions to Information Blocking
The information blocking provision includes two different categories of eight total exceptions. They include:
Reasons for not fulfilling a request (delaying, restricting, or denying access, exchange, or use)
Processes or procedures for fulfilling a request (access, exchange, or use of EHI)
1. Infeasibility Exception
2. Preventing Harm Exception
3. Privacy Exception
4. Security Exception
5. Health IT Performance Exception
6. Content and Manner Exception
7. Fees Exception
8. Licensing Exception
These exceptions are meant to offer assurance to health care providers that when a reasonable and necessary practice is covered by an exception, it will not be considered information blocking.
Penalties for Information Blocking
The Cures Act includes penalties for providers who engage in information blocking if the provider knows that the practice they are engaged in is unreasonable and likely to interfere with the access, exchange, or use of EHI. These anti-information blocking provisions are now binding, and penalties are possible, but enforcement is not yet active. In addition, penalties for providers have not yet been defined in the Cures Act. Specifics on penalties that will apply to providers who engage in information blocking are expected later this year. For now, we know that "appropriate disincentives" will be applied to those providers. However, health care providers will not be penalized if a health IT developer does not ensure that the technology they've developed meets the requirements under the Cures Act.
It is important to note that not meeting all the requirements of an exception does not necessarily mean the practice constitutes information blocking. It just means that the provider would not have guaranteed protection from appropriate disincentives or civil monetary penalties (CMP). Instead, the provider would be evaluated on a case-by-case basis to determine if information blocking occurred based on specific facts and circumstances. For example, if a provider didn't intentionally block the sharing of information, that incident may not rise to the level of interference.
When the ONC receives an information blocking claim, it will share the complaints with the HHS OIG. The OIG may then investigate any claim that a health care provider engaged in information blocking. Further, the OIG will work with the Office for Civil Rights (OCR) if an information blocking claim can be resolved under the HIPAA Privacy and Security Rules. As such, it is possible that CMP would apply to some information blocking provisions even now.
Key Takeaways about Information Blocking Compliance
Information blocking activities are becoming an increasing compliance risk to health care operations. Here are three primary takeaways that healthcare providers must know:
1. Why Protect Against Information Blocking Activities
- The Information Blocking Provision under the Cures Act (having been in effect for over a year) means that non-compliance penalties are possible for health care providers and up to ONC's enforcement discretion.
- Information Blocking Definition Matching HIPAA: Starting on October 6th, 2022, information blocking will cover all EHI that would typically be included in a designated record set under HIPAA.
- In addition, providers will be penalized with appropriate disincentives, and HIPAA CMP can also be applied to information blocking practices if they would generally fall under HIPAA anyway.
2. Recommendations on Avoiding Information Blocking:
- Providers are recommended to start this process now: Begin developing information-sharing policies to prepare for October 6th.
- By sharing more EHI than is specifically required, practices will be prepared for the upcoming changes on October 6th (when the EHI definition becomes standard).
- Less than five months might not be long enough for a practice to quickly catch up and make compliance with the Cures Act a priority.
3. How to Manage Your Organization's Compliance Program
- Keeping up to date with any new information released is critical to ensure providers maintain compliance, and HCP can help.
- Clients stay consistently informed about regulatory updates and manage their compliance program through the all-in-one software platform within the HCP Portal (powered by compliance experts).
- As more information about the Information Blocking Provision is released, we will update our resources and provide the additional support needed to ensure you feel comfortable complying with these requirements.
Already an HCP client? Login to the HCP Portal for access to your compliance resources.
Schedule a free online consultation to gain access to the HCP portal, workforce training modules, and up to $1 Million Assurance Package as audit protection.