Information Sharing After the 21st Century Cures Act
Steven Posnack | November 16, 2021
When President Obama signed the bipartisan 21st Century Cures Act (Cures Act) into law in 2016, it marked a significant shift in health policy and health law. Not since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has there been a more noteworthy change in how electronic health information (EHI) is approached under United States federal law. Importantly, the Cures Act’s information blocking provision should always be considered in the context of other laws that speak to how EHI is shared in health care.
The Cures Act’s information blocking provision requires new thinking, new practices, and adjustments to prior norms. It also potentially makes the “starting line” for evaluating whether a given practice might be considered information blocking different depending on the fact pattern and the actor(s) involved (health care providers, health IT developers of certified health IT, and health information networks or health information exchanges, as defined in the information blocking regulations). As a result, understanding how the information blocking provision may apply to particular practices must account for case-by-case details, including whether a regulatory exception has been met, what an actor’s intent was, and whether an interference in the access, exchange, or use of EHI has occurred.
When it comes to the information blocking provision and its intersection with other laws, we suggest keeping in mind how other laws align and interact with three main concepts set forth in the information blocking regulations: 1) “required by law,” 2) the definition of “interference,” and 3) information blocking “exceptions.”
“Required by Law”
The information blocking definition provided in the Cures Act did not include practices that were likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the practice was “required by law.” ONC’s regulatory definition of information blocking substantially mirrors the statute, and ONC currently interprets “required by law” to include federal and state law, and tribal laws, as applicable. More specifically, ONC interprets “required by law” to include federal and state statutes, regulations, court orders, and binding administrative decisions or settlements, such as (at the federal level) those from the Federal Trade Commission or the Equal Employment Opportunity Commission. To illustrate the relevancy of this interpretation, consider the following examples: it likely would not be information blocking if an actor abided by a state court order that restricted or prohibited disclosure of certain EHI in a closed adoption, or abided by a state law that prohibits disclosure of certain parts of an adolescent’s EHI to the adolescent’s parent.
An interference is any practice (an act or omission) that is likely to interfere with, materially discourage, or prevent access, exchange, or use of EHI. In contrast to practices required by law, if a state or federal law allows a particular interference to occur without violating that law, then an actor covered by the information blocking regulations could not solely rely on that law as justification for unnecessarily delaying or otherwise interfering with legally permissible access, exchange, or use of EHI. Interference in the form of delays that may be allowed but that are not required by other laws is not automatically exempted from implicating the information blocking definition (see IB.FAQ26). Actors should examine their practices that may have been set up with an eye toward laws that allow particular periods of delay before information is shared (especially if those practices were established prior to April 5th, 2021), as these once permitted practices may now interfere with EHI access, exchange, or use in a way that could constitute “information blocking” (see also IB.FAQ22).
Information blocking “exceptions” are reasonable and necessary activities that do not constitute information blocking. There are eight regulatory exceptions for the information blocking definition. When it comes to other laws that may place preconditions on the permissibility of sharing EHI, or to situations that an actor believes call for the actor to do things that may constitute an interference, actors should particularly consider reviewing the Privacy and Preventing Harm Exceptions (45 CFR 171.202 and 45 CFR 171.201, respectively). For example, one aspect of the Privacy Exception focuses on fulfilling pre-conditions of federal and/or state law before providing access, exchange, or use of EHI as well as giving consideration to situations where an actor’s operations are subject to multiple state privacy laws with inconsistent preconditions. Another aspect of the Privacy Exception focuses on situations where it may be reasonable and necessary to restrict access to a patient’s EHI, such as honoring an individual’s request to limit sharing of their information.
The Preventing Harm Exception, relying on similar types of harm as recognized by the HIPAA Privacy Rule for denying an individual’s right of access to their own information, covers interference with a patient’s access, exchange, or use of their own EHI in order to reduce a risk of physical harm to the patient or other(s). Still relying on similar types of harms identified by the HIPAA Privacy Rule, the Preventing Harm Exception also covers interference with access, exchange, or use of an individual’s EHI by the patient’s representative — like a pediatric patient’s parent — in order to reduce a risk of substantial physical, psychological, or emotional harm to the patient or to another person (see Information Blocking FAQs). We encourage actors to review the exception if they are concerned about some form of harm coming from the release of EHI in fulfilment of the individual’s right of access under the HIPAA Privacy Rule.
We are always interested in feedback from the public, including “on-the-ground” implementation issues that actors are encountering. Are there any state or other laws that you think require an actor to deny access, exchange, or use of EHI; or require practices that may rise to the level of an interference depending on how the law is met by the actor? Feel free to let us know through the Health IT Feedback Portal.
For more resources and information associated with the Cures Act, the Cures Act Final Rule, and information blocking, please go to healthit.gov/informationblocking.
For more information on the HIPAA Privacy Rule, individual right of access, and grounds for denial of the individual right of access, please go to the Health Information Privacy section of HHS.gov.