ONC’s New Information Blocking Prohibition Affects Health Care Providers, Health IT Developers, Health Information Exchanges, and Health Information Networks
On March 9, 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) and the Center for Medicare and Medicaid Services (“CMS”) published their long-awaited final rules that seeks to promote interoperability. Market participants waited longer than usual for this rule due to the Department of Health and Human Services (“HHS”) extending the comment period at the request of a variety of stakeholders.
The ONC’s rule (the “Final Rule”) supports interoperability by prohibiting “information blocking”. Affected organizations (see below) will want to be considering the impact on contracts and developing compliance policies that reflect the requirements of the Final Rule. One aspect of needed compliance relates to the Final Rule’s exceptions to information blocking including a newly-added “content and manner” exception.
Generally, information blocking is defined as an action by an actor interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information (“EHI”). Actors include health care providers, health IT developers, health information exchanges, or health information network. In the proposed rule, the ONC proposed seven exceptions to conduct that might otherwise be deemed information blocking. However, in the Final Rule, ONC created eight exceptions. Further, the ONC defined two categories of exceptions: (1) Exceptions that involve not fulfilling requests to access, exchange, or use EHI and (2) Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. Each of the eight enumerated exceptions are categorized as follows:
Exceptions that involve not fulfilling requests to access, exchange, or use EHI include the following: (1) preventing harm to a patient or another person; (2) protecting an individual’s privacy; (3) protecting the security of EHI; (4) not fulfilling a request due to infeasibility; and (5) to make health IT temporarily unavailable or to scale down the health IT’s performance for the benefit of the overall performance of the health IT. All exceptions include enumerated conditions that must be met in order to qualify for the exception.
Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI include the following: (6) limiting the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI; (7) charging fees, including fees that result in a reasonable profit margin; and (8) licensing interoperability elements for EHI to be accessed, exchanged, or used. The “content and manner” exception was added as the eighth exception in the Final Rule to accommodate stakeholder comments expressing concern regarding flexibility in the implementation of the information blocking prohibition, as well as comments requesting clarification regarding reasonable alternatives to provide access. As above, all exceptions include enumerated conditions that must be met in order to qualify for the exception.
It is important to note that a failure to fall within an exception does not necessarily mean that a practice constitutes information blocking. Each practice that may violate the information blocking prohibition will be analyzed on a case-by-case basis through investigation by the Office of Inspector General and/or ONC.
 EHI is finalized in the final rule to mean electronic protected health information (ePHI) as the term is defined for HIPAA in 45 CFR 160.103. Until 24 months after the publication date of the final rule, EHI for purposes of the information blocking definition is limited to the EHI identified by the data elements represented in the USCDI standard adopted in § 170.213.