September 25, 2020

Volume X, Number 269

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

September 23, 2020

Subscribe to Latest Legal News and Analysis

September 22, 2020

Subscribe to Latest Legal News and Analysis

ONC Publishes Game-Changing Information Blocking Rule: Introduction and Overview

In the midst of the COVID-19 pandemic, the Office of the National Coordinator for Health Information Technology (ONC) published the final Information Blocking Rule. This rule is widely seen as a game-changer that will have far-reaching effects on how electronic health information is accessed, exchanged, and used by patients, providers, and a wide range of participants in the health care industry. As such, it provides both a great deal of opportunity to improve the quality and availability of health care and real risk for those entities that are not fully prepared. 

This article kicks off a multi-part Information Blocking Rule client alert series. This first alert will provide an overview of the Information Blocking Rule’s core concepts. The alert also contains introductory details about the ONC’s information blocking exceptions and the pending OIG rules that will govern the enforcement of civil monetary penalties (CMPs). Subsequent alerts will address (1) each exception in more detail, (2) interactions between the Information Blocking Rule and HIPAA, (3) OIG CMP enforcement priorities and considerations, and (4) what you can do now to prepare for the November 2, 2020, compliance date.

The Elements of an Information Blocking Offense

What is Information Blocking? Information blocking is a practice by an Actor that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).

What is EHI?  EHI includes the electronic protected health information (ePHI), as defined by HIPAA to the extent that it would be included in a designated record set. It is important to note that EHI covers ePHI elements regardless of whether they are used or maintained by or for a covered entity. In other words, reach of the rule extends beyond ePHI and HIPAA Covered Entities.

The Scope of EHI is Phased In. Until May 2, 2022, “EHI” is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI), Version 1 standard.

What is a Practice?  A “practice” is an act or an omission by a health care provider, health IT developer of certified health IT, or a health information network/health information exchange (each an “Actor”).

What makes an Individual or an Entity an Actor that is Subject to the Rule? An “Actor” can be either a health care provider, a health IT developer of certified health IT, or a Health Information Network/Health Information Exchange (HIN/HIE):

  • A health care provider, as defined in the rule, includes a wide range of providers (See Figure 1, below):

Figure 1: “Health Care Provider” As Defined in 42 U.S.C.300jj 

  • hospital

  • skilled nursing facility

  • nursing facility

  • home health entity or other long term care facility 

  • health care clinic

  • community mental health center

  • renal dialysis facility

  • blood center

  • ambulatory surgical center

  • emergency medical services provider

  • Federally qualified health center

  • group practice

  • pharmacist

  • pharmacy

  • laboratory

  • physician

  • practitioner

  • provider operated by, or under contract with, the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization

  • rural health clinic

  • covered entity under section 256b of Title 42

  • therapist

  • any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary.

  • A health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT for its own use, that develops or offers health information technology, and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).

  • HIN/HIE means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

    • Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and

    • That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.

Different Actors Are Held to Different Standards

Health care providers. If the Actor is deemed to be a health care provider, an information blocking offense can only have occurred if the provider knew that their practice was unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.

Developers of Heath IT and HIN/HIE. If the Actor develops or offers certified health IT or is a health information network/health information exchange (HIN/HIE), an information blocking offense may have occurred if that Actor knew or should have known that their practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.

A Health Care Provider Is Not Always Just a Health Care Provider

Actors regulated by the Information Blocking Rule are not regulated based on who they are or what type of entity they are — but rather based on the capacity in which they are acting. An important ramification of this is that a health care provider could be regulated as a health IT developer of certified health IT or as a HIN/HIE based on its practice at issue. Thus, it is critical to understand which “hat” an Actor is wearing, because the capacity in which an Actor is acting can determine the standard that applies (see The Elements of an Information Blocking Offense above) and the applicable penalties for a violation.

Possible Penalties and Enforcement Timelines: Up to $1 Million Per Violation and/or Appropriate Disincentives

As discussed above, there are two different penalty structures — one for violations by health IT developers and HINs/HIEs, and one for violations by health care providers. 

  • Health IT Developers and HINs/HIEs are subject to civil monetary penalties of up to $1 Million per violation. While compliance with the rule is required on and after November 2, 2020, the date upon which CMP enforcement will commence is subject to the OIG issuing a final rule (the OIG published a proposed rule on April 24, 2020). The OIG indicated in the proposed rule that the enforcement date could be either 60 days after the rule is finalized or a specific date to be established by the final rule.

  • Health care providers will be subject to yet-to-be-defined “appropriate disincentives” for violations of the Information Blocking Rule. What those “appropriate disincentives” will be and how they will be determined and assessed are subject to a future rulemaking.

An Introduction to the Information Blocking Exceptions

An Actor’s practice that is covered by one of the eight exceptions in 45 CFR part 171 will not be deemed to be information blocking. In order to qualify for an exception, the Actor must have met all applicable requirements and conditions of an exception at all relevant times. The two categories of exceptions are: (1) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

As a preview of the next client alert, below you will find a listing of each exception title.

  • Exceptions That Involve Not Fulfilling Requests to Access, Exchange, or Use Electronic Health Information

    • Preventing harm exception. When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm not be considered information blocking?

    • Privacy exception. When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy not be considered information blocking?

    • Security exception. When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?

    • Infeasibility exception. When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request not be considered information blocking?

    • Health IT performance exception. When will an actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information not be considered information blocking? 

  • Exceptions That Involve Procedures for Fulfilling Requests to Access, Exchange or Use Electronic Health Information

    • Content and manner exception. When will an actor's practice of limiting the content of its response to or the manner in which it fulfills a request to access, exchange, or use electronic health information not be considered information blocking?

    • Fees exception. When will an actor's practice of charging fees for accessing, exchanging, or using electronic health information not be considered information blocking?

    • Licensing exception. When will an actor's practice to license interoperability elements in order for electronic health information to be accessed, exchanged, or used not be considered information blocking?

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume X, Number 255

TRENDING LEGAL ANALYSIS


About this Author

Doriann Cain Privacy Lawyer Faegre Drinker Law Firm
Associate

Doriann Cain works with clients to enhance their privacy and cybersecurity practices from compliance to incident response.

Doriann’s experience includes advising clients on a variety of privacy and security laws, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and state breach notification statutes.

317 569 4837
Jeffrey Ganiban, Healthcare Lawyer, Drinker Biddle
Partner

Jeffrey T. Ganiban represents hospitals, health systems, academic medical centers, health maintenance organizations and integrated delivery networks in technology, information system and capital equipment procurement and contracting. He has extensive experience regarding inpatient and ambulatory electronic medical record systems, clinical information systems, financial systems, claim processing and payment systems, and multi-modality purchase and service agreements for diagnostic and biomedical equipment.

Jeff also advises clients on matters related to meaningful use, interoperability, and the development and implementation of strategies to better integrate and align hospitals and community providers. These initiatives include Health Information Exchanges, ambulatory EMR programs, and other initiatives.

202-230-5150
Alex Eschenroeder Health Care Attorney Faegre Drinker Biddle & Reath Minneapolis, MN
Associate

Alex Eschenroeder partners with health care stakeholders to manage the legal, regulatory and policy issues that impact their organization. A research consultant for federal clients at a health care consulting firm based in the Washington, D.C., area before entering law school, Alex brings a strong understanding of the health care regulatory and policy landscape to every client engagement.

While earning his J.D. at the University of Minnesota Law School, Alex served as co-president of the Health Law & Bioethics Student Association, note and comment editor for the Minnesota...

612-766-6892