Through Section 4004 of the 21st Century Cures Act, Congress sought to prohibit health care industry practices that impede the useful exchange of health care information and that could slow the development of a more connected health care system, by broadly defining and prohibiting “information blocking.” Recognizing that its broad definition could inadvertently capture innocuous and even beneficial practices, however, Congress also allowed the U.S. Department of Health and Human Services to define exceptions to the information blocking prohibition in regulations.
The Office of the National Coordinator for Health Information Technology (“ONC”), within DHHS, has promulgated a new Information Blocking Rule, as required by the 21st Century Cures Act. ONC has published both a Final Rule (85 Fed. Reg. 25,642 (May 1, 2020)),1 and an Interim Final Rule extending the compliance date to April 5, 2021 (85 Fed. Reg. 70,064 (Nov. 4, 2020)).2
The Information Blocking Rule, once effective, will be codified as 45 C.F.R. Part 171. It applies to “health care providers, health IT developers of certified health IT, health information exchanges, and health information networks,” id., § 171.101(a), and uses the term “actor” to include all of those categories. Id., § 171.102. As applied to health care providers, the rule defines “information blocking” to mean “a practice that . . . [i]f conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” 45 C.F.R. § 171.103(a)(3).
The rule establishes “exceptions for reasonable and necessary activities that do not constitute information blocking” prohibited by the 21st Century Cures Act. Id., § 171.100(b). The exceptions each have detailed requirements, which should be reviewed carefully:
Preventing harm. (45 C.F.R. § 171.201) This exception permits limits on information access, as needed to prevent a risk of harm to an individual. It is generally consistent with the provisions of the HIPAA Privacy Rule that permit denial of access on that basis.
Privacy. (45 C.F.R. § 171.202) This exception permits limits on information access, as needed to maintain privacy and confidentiality of health information. It is generally consistent with the provisions of the HIPAA Privacy Rule governing authorizations for disclosure and individual requests not to share information.
Security. (45 C.F.R. § 171.203) This exception permits practices that are “directly related to safeguarding the confidentiality, integrity, and availability of electronic health information” and “tailored to the specific security risk being addressed.” The practices must be based either on an organizational security policy, or on an individualized determination.
Infeasibility. (45 C.F.R. § 171.204) This exception permits limits on information access if it is infeasible to provide access due to “uncontrollable events,” inability to segment the information to protect against disclosure of information protected by law or by the individual’s preferences, or other specific circumstances. A written explanation must be provided as to why the requested access is infeasible.
Health IT performance. (45 C.F.R. § 171.205) This exception permits limits on information access based on the temporary unavailability or degraded performance of health IT due to maintenance or improvements, or on the presence of a third-party application that negatively affects health IT performance.
Content and manner. (45 C.F.R. § 171.301) The content of electronic health information for which access is sought must conform to applicable technical standards, and the information must be disclosed in the manner requested, or in a reasonable alternative manner agreed by the parties.
Fees. (45 C.F.R. § 171.302) Fees for access to electronic health information must be reasonable and non-discriminatory.
Licenses. (45 C.F.R. § 171.303) A health care provider may require that the party seeking access to electronic health information license any “interoperability elements” needed to support the access, but if so, the license terms must be negotiated promptly, and must be reasonable and non-discriminatory.
To prepare for the April 5 compliance date, health care providers should review their health IT systems, as well as their health information policies and practices, to determine whether the new information blocking rule will affect current practices and work flows. However, as the rule is reasonably well aligned with the counterpart provisions of the HIPAA Privacy Rule (at least in key aspects affecting health care providers), its implementation appears unlikely to cause major difficulties.
We are happy to assist our health care clients in complying with the new information blocking rule. Should you have questions, please contact Ben Townsend at (207) 621-4390, or via email at btownsend@kozakgayer.com.
_________________________________
1 Available online at: https://www.govinfo.gov/content/pkg/FR-2020-05-01/pdf/2020-07419.pdf.
2 Available online at: https://www.govinfo.gov/content/pkg/FR-2020-11-04/pdf/2020-24376.pdf. Other minor corrections to the Final Rule have also been published separately.
Comments