Information Blocking: Eight Regulatory Reminders for October 6th
Steven Posnack | September 30, 2022
On October 6, 2022, we reach the end of the more than two-year glide path laid out for the information blocking regulations. Moving forward, expect to see periodic, experience-driven regulatory updates as well as continued work on education, outreach, and oversight, including the establishment of disincentives for health care providers. There may also be the possibility of information blocking advisory opinions if Congress grants the Secretary such authority.
This blog post covers a few information blocking (IB) reminders, including the significance of October 6, 2022. To help “IB actors” and the community as a whole, we’ve launched a new, dedicated information blocking webpage that contains links to everything from basic regulatory information, fact sheets, frequently asked questions, and blog posts like this. I’d especially like to call your attention to two upcoming virtual office hours that our team is holding on October 6th and October 27th – click here for more information.
Reminder #1 – The information blocking definition’s limitation on the scope of electronic health information (EHI) is lifted as of October 6, 2022.
As of October 6, 2022, EHI as it was defined under the information blocking regulations will be applicable to practices associated with its access, exchange, and use. The main difference between October 5th and October 6th is that the definition of “information blocking” in 45 CFR 171.103 no longer limits what’s considered EHI to the data elements represented in the United States Core Data for Interoperability version 1 (USCDI v1).
Since the 21st Century Cures Act (Cures Act) became law in late 2016 and we completed our major rulemaking activities in 2020, we have sought to make sure that IB actors had ample time to evaluate and revise their practices related to EHI and making it available for access, exchange, and use. This includes delaying the information blocking regulations applicability date by almost a year by first setting a November 2, 2020 applicability date, then extending that date to April 5, 2021. Additionally, we limited the scope of EHI for another 18 months from the applicability date via the information blocking definition (45 CFR 171.103) and the Content and Manner Exception (45 CFR 171.301).
While the facts and circumstances that an IB actor may face with respect to the scope of EHI has changed, an IB actor’s approach to meeting an information blocking exception generally remains the same as it was when the information blocking regulations became applicable on April 5, 2021.
Reminder #2 – IB actors’ practices include acts and omissions.
While short and sweet, it’s particularly important to keep this point in mind. Even though technology related practices may come up as a top-of-mind example, information blocking practices are inclusive of but not solely limited to them. Other acts (e.g., contract negotiations and terms) and omissions could prevent, materially discourage, or otherwise inhibit the access, exchange, and use of EHI. As an example of an omission, many states legally require reporting of certain diseases and conditions to detect outbreaks and reduce the spread of disease. Should an actor that is required to comply with such a law fail to report, the failure could be an interference with access, exchange, or use of EHI under the information blocking regulations (please see applicable FAQ).
Reminder #3 – The information blocking regulations’ exceptions are not solely “one size fits all” and address the facts and circumstances of the situation at hand.
The Cures Act required the Secretary to identify reasonable and necessary activities that do not constitute information blocking. The information blocking regulations, including the exceptions, implement this statutory direction. The exceptions are designed to address the fact that not all actors are similarly situated, such as hospitals that participate in the CMS Promoting Interoperability Program and laboratories or other health care providers that may not have adopted certified health IT. The Infeasibility Exception is a good example in that it’s applicable to a specific IB actor’s circumstances at the time access, exchange, or use of EHI may be in question. What’s infeasible for an IB actor in October 2022, may not be a year later.
We identified eight exceptions in 45 CFR part 171 subparts B and C that recognize the complexity and heterogeneity of health care delivery across the country. We encourage everyone, especially IB actors, to become familiar with each of the exceptions and the contexts in which they can be met.
Reminder #4 – Not all health information that’s electronic is EHI under the regulatory definition. And if such information is not EHI, then it’s not covered by the information blocking regulations.
The good news is that the EHI definition as of October 6th is something with which most IB actors have had 20 years of familiarity – the Designated Record Set (DRS) as defined under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Because nearly all IB actors are HIPAA-covered entities or business associates, the DRS is a keystone shared between the information blocking regulations and HIPAA Privacy Rule. To put it simply, the same electronic protected health information (ePHI) that an individual has a right to access (and request an amendment to) under the HIPAA Privacy Rule is the same ePHI that IB actors can’t “block.”
Importantly, the information blocking regulations apply not only to practices associated with individuals seeking access to their own EHI, but also an IB actor’s practices associated with its business-to-business (B2B) relationships such as those to support treatment, payment, and health care operations.
An IB actor’s existing efforts to meet HIPAA Privacy Rule requirements puts them on solid ground when it comes to understanding what EHI is, where it may reside, and whether and how complicated it may be to make it available for access, exchange, or use for purposes of the information blocking regulations. For health care providers, in particular larger enterprises, we recognize that what’s included within your DRS may be spread out across different systems (certified or not). However, it’s important to remember that your ongoing efforts to meet HIPAA Privacy Rule requirements drives what’s considered EHI. One point that we’ve emphasized to health care providers is that “the ePHI in your DRS constitutes your EHI” for the purposes of the information blocking regulations. Within the bounds of the definition, the HIPAA Privacy Rule allows for each HIPAA covered entity to scope their DRS in a way that meets their business needs. This means it’s entirely possible, for example, for hospital A to have a slightly different DRS than hospital B.
Reminder #5 – How IB actors make EHI available for access, exchange, and use can and will vary based on who the IB actor is, their technological sophistication, and who it is that is seeking to access, exchange or use an IB actor’s EHI.
The information blocking regulations do not require IB actors to adopt or use certain technologies or platforms. IB actors may use “patient portals,” other web interfaces, application programming interfaces (APIs), and a multitude of technologies and platforms to make EHI available for access, exchange, or use. The information blocking regulations focus on practices that are likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. For example, while the information blocking regulations don’t prescribe specific technologies, how IB actors design, implement, use, or limit technologies in relation to the access, exchange, or use of EHI could implicate the information blocking regulations.
Reminder #6 – Information blocking is about “the data” (i.e., EHI) regardless of whether ONC-certified health IT is involved.
As we’ve stated before and in the reminder above, the Cures Act’s information blocking provision applies to the access, exchange, and use of EHI no matter what technology is used by IB actors. A common misconception we’ve heard with respect to the information blocking regulations is that they’re dependent on health IT that is certified through the ONC Health IT Certification Program. To the contrary, there are only limited connections between the information blocking regulations and ONC’s certification regulations.
First, the Cures Act authorized information blocking penalties against developers and offerors of certified health IT. However, we often remind stakeholders that developers and offerors of certified health IT are subject to information blocking for all of their practices involving EHI, including those related to non-ONC-certified health IT. Thus, it’s entirely possible for a developer of certified health IT to have engaged in information blocking without its practice being connected to any ONC-certified health IT.
Second, only a subset of IB actors – in fact, a subset of health care providers – are the ones who directly use ONC-certified health IT. Health information networks/health information exchanges as well as health care providers covered by the information blocking regulations (such as laboratories, pharmacies, renal dialysis facilities, blood centers) may be unlikely to have or use ONC-certified health IT for a variety of reasons. Again, this reinforces the point for health care providers that the information blocking regulations do not focus just on your EHI practices with ONC-certified health IT.
Third, we’d highlight two exceptions that consider the technology available to an actor. As part of the “alternative manner” condition of the Content and Manner Exception, priority is given to making EHI available for access, exchange, or use with certified health IT. Additionally, the type of technology available to an actor would be a consideration under the “infeasible under the circumstances” condition of the Infeasibility Exception, including whether the EHI could have been made available under the Content and Manner Exception.
Reminder #7 – Use of certain information blocking exceptions by actors will provide clear notification to requestors whether their request to access, exchange, or use EHI is delayed or denied.
While certain information blocking exceptions simply need to be met (“followed”) by an IB actor in order for them to receive the benefit of the exception (e.g., Health IT Performance Exception) there are three exceptions that require an IB actor to explain to the other party seeking to access, exchange, or use EHI why a request for access, exchange, or use is not fulfilled.
- The Licensing Exception – The information blocking regulations accommodate that in certain cases, a license to access, exchange, or use EHI may be necessary for certain interoperability elements to be used. In such instances, upon “receiving a request to license an interoperability element for the access, exchange, or use of electronic health information, the actor must – (1) Begin license negotiations with the requestor within 10 business days from receipt of the request; and (2) Negotiate a license with the requestor, subject to the licensing conditions in paragraph (b) of this section, within 30 business days from receipt of the request.” Accordingly, these dates set boundary conditions for another party to monitor insofar as they are exceeded, which would remove an IB actor’s ability to meet this exception and could increase the likelihood that information blocking practices had occurred.
- The Infeasibility Exception – If an IB actor seeks to meet this exception, “the actor must, within ten business days of receipt of a request, provide to the requestor in writing the reason(s) why the request is infeasible.” As a result, any engagement with an IB actor that leads to the IB actor claiming to have met the Infeasibility Exception will generate a written response to the requestor as to the reason(s) why. At that point, the requestor could determine they wish to submit an information blocking claim to ONC. (Please see our Information Blocking FAQs for more information about how any claim of information blocking would be evaluated.)
- The Content and Manner Exception – This exception first recognizes that two parties are free to reach agreement, on their own terms, with respect to a request for access, exchange, and use of EHI. However, if no agreement can be reached, the Content and Manner Exception provides a specific set of steps for an IB actor to follow with respect to the requestor with whom it interacts. Ultimately, if an IB actor cannot meet the Content and Manner Exception, it may turn to the Infeasibility Exception, which per the bullet above, will result in a written response stating the reasons why the IB actor was unable to provide for the access, exchange, or use of EHI.
Reminder #8 – Information blocking claims are confidential and restricted from public disclosure.
The Cures Act prohibits ONC from disclosing information blocking claims or information that could reasonably be used to identify the source of the information, except as may be necessary to carry out the purpose of the information blocking statue (e.g., sharing with HHS Office of Inspector General (OIG)), and exempts these claims and information from mandatory disclosure under the Freedom of Information Act (FOIA). Once received, information blocking claims go through a review process and are shared with the OIG, which is responsible for conducting investigations and determining whether information blocking occurred.
Remember, information blocking is more than just an individual’s access to EHI issue, it could involve a practice between a hospital and clinician practice, two hospitals, a doctor and a lab, a developer of certified health IT and a health information network, or a practice involving other actors and entities. If you believe that information blocking has occurred, please submit a claim via our web portal.
With your feedback we can best assess the frequency, types, and nature of the difficulties experienced with respect to the access, exchange, and use of EHI. This feedback may also help us assess whether any regulatory changes could be needed or where additional education and outreach on specific topics would help better explain the information blocking regulations. If you’d like to keep tabs on trends in the claims of information blocking ONC receives, we update information blocking stats on a monthly basis.