Healthcare providers and other regulated entities should take note of proposed changes to the Information Blocking Rule. If enacted, the revised regulations would mark the first substantive update to the rule since it went into effect on April 5, 2020.
Recap of the Information Blocking Rule
The Information Blocking Rule is a complex set of regulations that aims to promote the efficient exchange of electronic health information among providers, patients, and other industry stakeholders. The ultimate goal is to improve patient outcomes by making it easier to share electronic health information across different systems, technologies, and EHRs.
In contrast to HIPAA’s emphasis on privacy, the Information Blocking Rule seeks to remove barriers that stand in the way of sharing electronic health information. More specifically, the rule prohibits activities that prevent or interfere with the access, exchange, or use of electronic health information, except as required by law or covered by a regulatory exception.
Healthcare providers are one of three categories of individuals and entities (a.k.a. “actors”) that are required to comply with the Information Blocking Rule. Rulemaking has not yet established penalties for healthcare providers who violate the Information Blocking Rule, leading to uncertainty about how the law will be enforced.
While enforcement has not yet ramped up, the ONC is already collecting and tracking complaints alleging violations of the Information Blocking Rule. Any member of the public can submit a complaint through the ONC’s online portal. To date, the vast majority of complaints have been directed toward healthcare providers.
Summary of Proposed Information Blocking Rule Amendments
Narrower definition of “Health IT developer of certified health IT”
- “Health IT developer of certified health IT” is one of the three defined categories that must comply with the Information Blocking Rule and includes those who offer health IT. Entities that meet this definition may be subject to civil monetary penalties of up to $1 million per violation.
- The proposed Rule seeks to narrow this definition by carving out specific exclusions. For example, the revisions exclude certain arrangements in which donors provide subsidies to providers in need for the cost of obtaining, maintaining, or upgrading certified health IT. Certain consulting and legal services that involve the provision of health IT are also excluded.
- Finally, the revisions exclude certain common practices among healthcare providers who offer certified health IT to third parties. For example, providers implementing portals for clinicians or patients would not trigger the definition of “health IT developer of certified health IT”. The definition would also exclude hospitals issuing EHR login credentials to providers at independent practices for documenting care provided at the hospitals.
Revisions to the Infeasibility Exception
- The infeasibility exception recognizes that practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI. These challenges may relate to technological capabilities, legal rights, or other obstacles.
- Uncontrollable events: The proposed changes seek to clarify the “uncontrollable events” condition of the infeasibility exception. This condition allows actors to engage in information blocking activities during natural or human-made disasters, public health emergencies, public safety incidents, war, terrorist attacks, and similar situations. The updates clarify that there must be a causal connection between not providing access, use, or exchange of electronic health information and the uncontrollable event. According to the ONC, the fact that an uncontrollable event occurred is not a sufficient basis alone for an actor to engage in information blocking activities.
- Third party seeking modification use: The revisions add a new condition to the infeasibility exception that would apply to third-party requests to create or delete electronic health information held by or for a healthcare provider. According to the ONC, the goal of this change is to reduce the compliance burden and alleviate uncertainty about declining certain requests from third parties to modify electronic health information. The ONC advises that the proposed changes may protect healthcare providers concerned about the accuracy or reliability of data that a third-party would like to add to a record set maintained by that healthcare provider. The healthcare provider may be able to use the new condition to the infeasibility exception to deny all or part of the third-party’s request without violating the Information Blocking Rule.
- Manner exception exhausted: The revisions add a new condition to the infeasibility exception that would work in tandem with the content and manner exception (renamed the “manner exception” in the proposed rule). The condition is designed to give actors another avenue for seeking protection under the infeasibility exception when the actor is unable to fulfill a request of electronic health information in an alternative format.
Content and Manner Exception
- The “content and manner” exception will be renamed the “manner” exception.
- The revisions would add a new, narrow condition to the Content and Manner Exception that applies to certain actors subject to TEFCA (Trusted Exchange Framework and Common Agreement). TEFCA outlines a common set of principles, terms, and conditions to support the development of nationwide exchange of electronic health information across disparate health information networks.
Big Picture Takeaways
- The proposed changes are technical in nature and do not substantially change the core concepts of the Information Blocking Rule. If enacted, healthcare providers and other regulated entities should update their internal policies on information blocking to reflect these changes, as appropriate.
- The proposed updates highlight the complex and technical structure of the Information Blocking Rule. The comments to the proposed rule provide insight on how the ONC interprets existing requirements, which could prove useful as entities review their compliance and internal practices.
- The legal landscape related to electronic health information continues to change at a rapid pace. Protecting the privacy and security of patient information remains a key challenge for healthcare providers and other regulated entities. However, as technology evolves, regulators are placing more emphasis on fostering the efficient exchange of electronic health information.