The 21st Century Cures Act includes provisions to enhance the interoperability of electronic health information (EHI) and prohibit information blocking. Generally, interoperability fosters the sharing of EHI, while the prohibition on information blocking penalizes health-care providers and health tech companies for knowingly and unreasonably interfering with the exchange of EHI.
Examples of information blocking include inappropriately citing the Health Insurance Portability and Accountability Act (HIPAA) as a reason for not sharing EHI, including contractual provisions preventing the sharing of EHI in vendor agreements, and designing technology in ways that lessen the ability to share EHI.
The information blocking regulations took effect April 5. Health tech companies that have not yet assessed their compliance with the new rules are overdue to do so.
Of note for health tech companies, compliance with HIPAA’s use and disclosure rules, as discussed below, is not enough to avoid the prohibition on information blocking. The goal of the information blocking prohibition is to foster patient and provider access to EHI to improve health outcomes, foster research into new treatments and cures, and lower the cost of health care (by, for example, avoiding duplicative medical procedures).
Who is Subject to the Information Blocking Prohibition?
The information blocking rules apply to developers of certified health IT (such as electronic health records), health information networks (HINs) and health information exchanges (HIEs) (such as regional health information exchanges that facilitate the transfer of clinical information between disparate systems), and health-care providers. These rules help to prevent data from being siloed.
EHI is broadly defined as the electronic protected health information (ePHI) in a designated record set (as defined by HIPAA) regardless of whether the records are maintained by an entity governed by HIPAA. For the first 18 months after the rule goes into effect, however, EHI refers only to the information set forth in the United States Core Data for Interoperability (USCDI) standard.
Information blocking practices may include restricting authorized access, exchange, or use of EHI for treatment and other permitted purposes under applicable law; inserting roadblocks in the transition of EHI from one certified health IT technology to another; limiting the export of complete EHI data sets; and implementing health IT in nonstandard ways likely to substantially increase the complexity of accessing, exchanging, or using EHI.
What Exceptions Apply?
The rules establish eight categories of practices that do not constitute information blocking:
- Preventing Harm Exception: Blocking information is acceptable to prevent harm to a patient or another person that would otherwise arise from the access, exchange, or use of electronic health information.
- Privacy Exception: An entity is not required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.
- Security Exceptions: Blocking is permitted to protect the security of EHI.
- Infeasibility Exception: Legitimate practical challenges may limit an entity’s ability to fulfill a request to access, exchange, or use EHI.
- Health IT Performance Exception: An entity may take reasonable and necessary measures to make health IT temporarily unavailable for the benefit of the overall performance of the health IT.
- Content and Manner Exception: When fulfilling requests for EHI, an entity may limit the content of its responses to required content and may, under certain circumstances, fulfill the request in an alternative manner.
- Fees Exception: An entity may charge reasonable fees with an expectation of profit if the fees are transparent and consistently levied.
- Licensing Exception: An entity may license interoperability elements for EHI to be accessed, exchanged, or used.
What Are the Penalties for Failing to Comply?
If a health tech company violates the prohibition on information blocking, under another set of regulations that are still proposed, it may be charged with a civil monetary penalty of up to $1 million per violation.
While the HHS Office of Inspector General is currently engaged in rulemaking regarding its enforcement efforts, it has already identified patient harm, the duration of alleged information blocking, financial harm to health-care programs, and actual knowledge as areas of particular concern. Health tech companies need to carefully consider their compliance with these information blocking rules to, among other things, avoid potentially large penalties.
What if a Company Is Subject to Blocking Rules and HIPAA?
The information blocking regime is seemingly at odds with HIPAA’s permissive regime regarding the disclosure of health information, which creates tension for health tech companies subject to the prohibition on information blocking and HIPAA—such as certain health app providers, electronic medical record vendors, and state-wide health information exchanges.
HIPAA only has two required disclosures: (1) to the individual when they request a copy of their medical information and (2) to HHS during an investigation. The remaining uses and disclosures under HIPAA are all permissive and allow discretion, whereas the information blocking rules affirmatively require entities to disclose EHI unless an exception applies.
Currently, there are proposed HIPAA regulations that would more closely align to the information blocking rules. For now, however, compliance with HIPAA does not ensure compliance with the prohibition on information blocking.
How to Comply With Blocking Rules and HIPAA
The information blocking rules represent a seismic shift in health data management by defaulting to a rule requiring the sharing of EHI rather than merely permitting the sharing of EHI (with appropriate notice or patient authorization as needed). They require health tech companies to undertake technical changes as well as operational changes to adequately respond to data requests and avoid regulatory scrutiny by the OIG.
We recommend that health tech companies immediately, if they have not already, create a compliance and implementation plan. They should begin by determining whether they are covered by the prohibition on information blocking and, if covered, understand the types of requests that are subject to these regulations.
Regarding HIPAA, health tech companies should understand how data subject to HIPAA may also be subject to the prohibition on information blocking and update their HIPAA policies and business associate agreements to ensure compliance.
Lastly, health tech companies must know the exceptions to information blocking and apply them consistently across patients and clients.
By taking proactive steps today to address the information blocking rules, health tech companies can avoid fines and other regulatory burdens on the back end.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Thora Johnson is a partner in Orrick’s Cyber, Privacy & Data Innovation practice in Washington, D.C., specializing in advising clients in health data-related privacy and cybersecurity issues, including compliance with HIPAA and the 21st Century Cures Act.
Heather Sussman heads Orrick’s global Cyber, Privacy & Data Innovation practice, based in Boston. She advises clients on cyber, privacy, and information management challenges, including compliance with privacy regulations such as GDPR and CCPA.
Ryan McKenney is an associate in Orrick’s cyber and privacy practice in New York.