Passed four years ago, the 21st Century Cures Act (Cures Act) included a definition of “information blocking.” On behalf of the HHS Secretary, the Office of the National Coordinator for Health Information Technology (ONC) was tasked with implementing this definition and its “exceptions.” The new regulation (also a “law”) published in the Federal Register this past May by ONC identified three types of participants in health care that are covered under information blocking: 1) health care providers, 2) health IT developers of certified health IT, and 3) health information networks (HINs)/health information exchanges (HIEs). We call them “actors” for short.
Through the Cures Act, Congress defined information blocking and established penalties for those who engage in information blocking. In general, actors can no longer engage in practices that interfere with the access, exchange, or use of electronic health information unless the practices are required by applicable law(s) or if an actor meets an “exception” established by the HHS Secretary. My companion blog post “To share or not to share, what’s an exception (to information blocking)?” unpacks the exceptions we established in the Cures Act Final Rule to address privacy, security, and a host of other issues.
We recently issued an interim final rule with comment period that extended the deadline for when the information blocking regulation applies to “actors” to April 5, 2021. The details and legal nuances associated with the information blocking law can be a lot to take in. So, here’s a different way to think about the law, especially if you’re one of the “actors.”
In health care and except for limited circumstances, an actor cannot engage in a practice that would be considered information blocking, unless required by law or an exception is met.
Four Information Blocking Basics
#1: Congress made the law “about the data” – electronic health information (EHI) to be specific. The law does not distinguish between ONC-certified and other health IT when it comes to EHI. In other words, the law applies to the access, exchange, and use of EHI no matter what technology is used by actors. This fact sheet identifies the differences between the proposed rule and final rule and includes summaries of the EHI definition as well as the definitions for “access,” “exchange,” and “use.”
#2: Don’t forget state and other laws. For example, if an actor is prohibited under state law from sharing certain EHI, they are not caught in a catch-22. The state law applies and, therefore, the actor does not need to also meet a regulatory exception to information blocking for the EHI that the state law prohibits sharing.
#3: Information block!? Who…me? The information blocking law applies expansively to the three types of actors. I’ll briefly unpack who they are and how (here’s a fact sheet for all three).
- Who’s a “health care provider” when it comes to information blocking?
There are many definitions for “health care provider” that are specific to the law in which the term is referenced. In the case of information blocking, Congress amended Title XXX of the Public Health Service Act (PHSA). As such, the PHSA definition applies. The “health care provider” definition that’s part of Title XXX of the PHSA includes a wide range of providers of care throughout the health care system—from hospitals to renal dialysis facilities to laboratories to pharmacies. Here’s a link to the full fact sheet on the definition.
- Who’s a “health IT developer of certified health IT” when it comes to information blocking?
This one’s “easy” to point out, but there is some added detail to keep in mind. Any health IT developer with one or more Health IT Modules certified under the ONC Health IT Certification Program is covered by the information blocking law. But that’s not all. Someone who does not initially develop but does offer one or more certified Health IT Modules to others, such as by resale or other arrangement potentially including donation of software or services, is also a “health IT developer of certified health IT.”
Notably, the information blocking rules apply to a health IT developer of certified health IT across the developer’s entire business and product line(s). This means that such developers are accountable for their information blocking practices associated with all of their technology offerings, including those products that are not ONC-certified.
- Who’s an HIN/HIE when it comes to information blocking?
Besides naming HINs/HIEs as covered by the information blocking law, Congress did not provide additional direction about who these actors were or could be. As a result, and to implement the law, we included a definition for HIN/HIE in the ONC Cures Act Final Rule that focused on the functions performed by an individual or entity with EHI that would make them an HIN/HIE. This means that there isn’t an explicitly named set of HINs/HIEs. Rather, the HIN/HIE definition accommodates different business models, business descriptions, and information sharing arrangements.
#4: Penalties identified and established for information blocking vary by actor.
- In the information blocking law, Congress established that health IT developers of certified health IT and HINs/HIEs would be subject to penalties of up to $1M per violation for engaging in information blocking. It’s also worth noting that health IT developers of certified health IT are subject to an “information blocking” Condition of Certification under the ONC Health IT Certification Program.
- Health care providers are treated differently under the law. A health care provider who engages in information blocking may be subject to “appropriate disincentives,” as set forth by the HHS Secretary. Regulations (not yet issued) are required to implement HHS’ approach to these disincentives.
For a more focused discussion of the “exceptions” to information blocking, please check out this companion blog post “To share or not to share, what’s an exception (to information blocking)?”
More information on all of these basics is available on our Cures Act Final Rule webpage, including fact sheets, frequently asked questions, and recorded webinars. Please note that the summary provided in this blog post is based on the provisions contained in 45 CFR Parts 170 and 171. While every effort has been made to ensure relevant excerpts are summarized accurately, this blog post is not a substitute for the regulations.
This post was originally published on the Health IT Buzz and is syndicated here with permission.