Expanded information-blocking rules under the 21st Century Cures Act are here
HHS has not heeded a late plea from provider advocacy groups to postpone implementation of the expanded provisions.
Hospitals and health systems are among the healthcare industry stakeholders that will be affected when expanded rules on information blocking take effect Oct. 6.
As defined in 2016 legislation known as the 21st Century Cures Act, information blocking refers to practices that interfere with access to, exchange of, or use of electronic health information (EHI). Among the goals of the legislation are to enhance patient access to health data and improve interoperability.
Since April 2021, EHI in the context of the regulations has been limited to elements contained in the United States Core Data for Interoperability (version 1). But going forward, EHI can mean any electronic protected health information (ePHI) included in the HIPAA definition of a designated record set (DRS), such as billing records, claims and case management records.
“One point that we’ve emphasized to healthcare providers is that ‘the ePHI in your DRS constitutes your EHI’ for the purposes of the information-blocking regulations,” Steven Posnack, deputy national coordinator for health information technology, wrote in a recent blog post.
There are eight categories of exceptions that establish circumstances where information blocking continues to be permitted. Providers have expressed confusion over how some of the exceptions apply in practice.
Other frequently asked questions have pertained to the level of technology that may be required to fully comply.
“The information-blocking [IB] regulations do not require IB actors to adopt or use certain technologies or platforms,” Posnack wrote. “IB actors may use ‘patient portals,’ other web interfaces, application programming interfaces, and a multitude of technologies and platforms to make EHI available for access, exchange or use.” Nor does compliance require use of officially certified health IT, he added.
Penalties for providers remain unclear
Enforcement is another area of ambiguity. The U.S. Department of Health and Human Services (HHS) still has not announced the penalties for providers that violate information-blocking rules. For health information networks, health information exchanges (HIEs) and developers of certified health IT, the proposed maximum penalty is $1 million per violation. That penalty has yet to be finalized in published regulations, and regardless, it’s expected that potential penalties for providers won’t be as steep.
Based on the applicable knowledge standard for assessing violations, there also may be more wiggle room for providers to plead ignorance of an alleged violation than there is for developers and HIEs. The latter groups can be penalized for circumstances in which they “should know” that a violation would occur, whereas for providers, it has to be evident that they knew they were engaging in impermissible information blocking. HHS and the Office of the National Coordinator for Health Information Technology (ONC) have emphasized that it will be necessary to adjudicate potential violations on a case-by-case basis.
ONC reported that between April 2021 and August 2022, there were 487 claims of information blocking submitted through a designated portal. Of those, 452 were deemed to have been possible instances of information blocking, thus triggering a review. Of the 487 submissions, 371 were brought against providers.
Asking for more time
In late September, the College of Healthcare Information Management Executives and nine other provider advocacy groups wrote to HHS requesting that implementation of the rules be delayed by another year, but the department appears intent on proceeding as scheduled. The groups also recommended that provider violations be addressed via “corrective action warning communications” before penalties are levied or a formal investigation is launched.
“A chief factor limiting compliance readiness is the widespread inability to support access, exchange, and use of EHI. There is no clear definition of EHI and there is a lack of a technical infrastructure to support its secure exchange,” the groups wrote.
They noted that smaller providers, especially, may need to rely on their vendors to ensure compliance, and “vendor readiness is lagging.” Vendors also have until Dec. 31 to install necessary upgrades, and that’s nearly three months after the expanded compliance deadline for providers.
The groups also raised a concern about conflicts between the information-blocking rules and the Medicare and Medicaid Promoting Interoperability programs. Compliance in those programs requires a provider to attest that it is not engaging in information blocking.
“These statements will take on new meaning once Oct. 6 arrives, creating fear that they will attest to something they are not sure they have met,” the groups wrote. “For providers/clinicians outside of the PI program, the burden of compliance could be even greater, especially if they are not using a certified EHR technology.”
HHS and its sub-agencies should “engage in more education targeted to the provider/clinician community with a particular focus on small, medium and lesser-resourced organizations,” they wrote.