Compliance Dates Delayed for Information Blocking and Other Health IT Requirements Under the 21st Century Cures Act

On October 29, 2020, the United States Department of Health and Human Services (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) released an interim final rule with comment period (“IFC”) that delays compliance dates for information blocking and other health information technology (“IT”) requirements under the 21st Century Cures Act (“Cures Act”) due to the COVID-19 Public Health Emergency (“PHE”). ONC had implemented these requirements in a final rule issued on May 1, 2020 (“ONC Cures Act Final Rule”).¹

Health IT developers of certified health IT, health care providers, health information exchanges (“HIEs”), and health information networks (“HINs”) will now have until April 5, 2021 to comply with the ONC Cures Act Final Rule’s information blocking provisions. Health IT developers of certified health IT will also have additional time to comply with other requirements introduced in the ONC Cures Act Final Rule. ONC issued the IFC “to offer the health care system additional flexibilities in furnishing services to combat the COVID-19 pandemic . . . while still maintaining a trajectory that will advance patients’ access to their health information, reduce the cost of care, and improve the quality of care.”

This Alert summarizes key provisions of the IFC with respect to information blocking. The IFC also delays compliance dates for other requirements introduced in the ONC Cures Act Final Rule, including Conditions and Maintenance of Certification Requirements for developers and new and updated 2015 Edition health IT certification criteria. The IFC includes tables to summarize the new compliance dates for these requirements (which are reproduced here).

The IFC, titled “Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency,” builds upon ONC’s prior announcement of enforcement discretion that delayed enforcement dates for many of the requirements in the ONC Cures Act Final Rule by three months. Unlike ONC’s prior enforcement discretion, the IFC codifies new compliance dates in federal regulations, which provides clarity and consistency across affected individuals and entities.

Information Blocking Statutory Background

In order to facilitate access to electronic health information (“EHI”) when and where it is needed, the Cures Act authorizes the HHS Office of Inspector General (“OIG”) to investigate any claim that a health IT developer of certified health IT, health care provider, HIE, or HIN (collectively, “Actors”) engaged in information blocking.² Health IT developers of certified health IT, HIEs, and HINs may be subject to civil monetary penalties of up to $1 million per information blocking violation, and health care providers may be “referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary [of HHS] sets forth through notice and comment rulemaking.”³ In addition, the Cures Act directs the Secretary of HHS to establish a prohibition on any action that constitutes information blocking as a requirement for obtaining and maintaining health IT certification under the ONC Health IT Certification Program.⁴

ONC Cures Act Final Rule Information Blocking Provisions

The ONC Cures Act Final Rule codified a definition of information blocking, as well as eight exceptions to the information blocking prohibition, with a compliance date of November 2, 2020 (which the IFC changed to April 5, 2021).

Any practice that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of EHI may be considered information blocking. However, there are two different intent standards: one applicable to health IT developers of certified health IT, HIEs, and HINs, and another applicable to health care providers: 

• Health IT developers of certified health IT, HIEs, and HINs engage in information blocking when they know, or should know, that the practice is likely to interfere with access, exchange, or use of EHI. 
• Health care providers engage in information blocking only when they know that the practice is unreasonable and is likely to interfere with access, exchange, or use of EHI. 

The ONC Cures Act Final Rule also defined EHI as electronic protected health information (as defined under the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations, as amended (“HIPAA”)) to the extent that it would be
included in a designated record set (as defined under HIPAA), regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. EHI specifically excludes psychotherapy notes (as defined under HIPAA) as well as information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Moreover, the ONC Cures Act Final Rule further limited the definition of EHI to data elements contained in the United States Core Data for Interoperability (“USCDI”) standard until May 2, 2022.⁵ The IFC delays this transition date for the definition of EHI to October 6, 2022.

In addition to defining information blocking and EHI, the ONC Cures Act Final Rule established two categories of information blocking exceptions, as follows: 

• Exceptions that involve not fulfilling requests to access, exchange, or use EHI
1. Preventing Harm Exception;
2. Privacy Exception;
3. Security Exception; 
4. Infeasibility Exception; and 
5. Health IT Performance Exception. 
• Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI
1. Content and Manner Exception;
2. Fees Exception;
3. and Licensing Exception. 

Actors’ practices that comply with all applicable requirements of an exception are not considered information blocking.

Information Blocking Enforcement Mechanisms

Pursuant to the Cures Act, there are three enforcement mechanisms available for information blocking:

1. Condition and Maintenance of Certification Requirement enforced by ONC (applicable to health IT developers of certified health IT);
2. Civil monetary penalties of up to $1 million per violation imposed by OIG (applicable to health IT developers of certified health IT, HIEs, and HINs); and
3. Appropriate government agency disincentives, to be defined through future notice-and-comment rulemaking (applicable to health care providers).

The ONC Cures Act Final Rule introduced the Information Blocking Condition and Maintenance of Certification Requirement with a compliance date of November 2, 2020. The IFC delays this date to April 5, 2021. After the compliance date, ONC may terminate the certification of health IT developed by developers that engage in information blocking and may bar such developers from obtaining new health IT certification under the ONC Health IT Certification Program. 

OIG introduced a proposed rule regarding information blocking civil monetary penalties on April 24, 2020.⁶ OIG stated in its proposed rule that it would establish the effective date for information blocking civil monetary penalties in a final rule; however, OIG has not issued a final rule to date. Nevertheless, OIG emphasized in its proposed rule that it would “closely coordinate” with ONC on information blocking enforcement, which may suggest that a future final rule will adopt the same April 5, 2021 compliance date specified in the IFC.

Although ONC solicited comments on what should constitute “appropriate disincentives” for health care providers, the agency declined to establish any such disincentives in the ONC Cures Act Final Rule. ONC noted that appropriate disincentives for health care providers would be established through future HHS rulemaking.

Information Blocking Compliance Considerations

Although the IFC provides Actors with five additional months to prepare for information blocking compliance, ONC has emphasized its commitment to information blocking enforcement beginning April 5, 2021. ONC believes that the five month delay “appropriately balances the additional flexibility necessary due to the PHE with ONC’s sense of urgency in addressing information blocking.” ONC additionally explains that “[i]mplementation of the information blocking provisions in the ONC Cures Act Final Rule will increase information sharing, improve patient care, and ensure that a patient’s health information follows the patient – all of which are urgent goals, particularly during a PHE.”

Neither the ONC Cures Act Final Rule nor the IFC establishes specific steps that Actors must take to ensure information blocking compliance. However, Actors might consider the following:

• Information Blocking Actor Classification. Review the definitions of Actors subject to information blocking requirements to determine which Actor type(s) apply. Importantly, the definitions of health IT developer of certified health IT, HIE, and HIN may apply to hospitals and other health care providers that sublicense certified health IT to or facilitate EHI access among external individuals and entities.
• EHI Inventory. Conduct an inventory as to how EHI is stored and transmitted, including EHI that is documented directly in the Actor’s health IT and EHI received from external sources.
• Operational and Technology Review. Review technological capabilities and operational mechanisms for providing EHI to providers, patients, third-party apps, health IT vendors, and others, including application programming interfaces designed to comply with the HL7 FHIR standard. In particular, Actors may consider reviewing their procedures for releasing EHI, including laboratory test results, to a patient portal, to ensure compliance with information blocking requirements.
• Agreement and Forms Review. Review agreements and forms governing the sharing of EHI, including data use agreements, business associate agreements, interface licensing agreements, and patient release of information request and authorization forms to ensure compliance with applicable information blocking exceptions, where possible.
• Data Privacy and Security Policy Review. Review data privacy and security policies and procedures to ensure compliance with applicable information blocking exceptions, where possible.
• Information Blocking Policies, Procedures, and Training. Adopt written policies and procedures and develop workforce training on the steps the Actor will take to comply with information blocking requirements.

Actors should take advantage of the additional time that the IFC affords them by reviewing their operations and technological capabilities for information blocking compliance.

***

Interested parties may submit comments to the IFC within sixty days of its publication in the Federal Register.