INSIGHT: Complying With Final HHS Information Blocking Rule

Sept. 3, 2020, 8:01 AM UTC

The Department of Health and Human Services Office of the National Coordinator’s (ONC) information blocking compliance date is Nov. 2, 2020. The rule prohibits practices by health-care providers, health IT developers, and health information networks or exchanges that are unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).

Actors need to consider how the rule impacts their release of information and contracting practices, review their interfaces and interoperability tools and data sharing strategies, and update their procedures and documentation into 2021 and beyond.

When Is Refusing to Share EHI ‘Information Blocking’?

The ONC finalized eight categories of reasonable and necessary practices that will not be considered information blocking. While failure to meet an exception does not necessarily mean the practice is illegal, the ONC encourages actors to follow the exceptions to avoid information blocking investigations. A clear understanding of your EHI flows and the purposes for its disclosure helps to determine whether interference is likely, whether non-disclosure is required by law, and which exception provides the most immediate relief from an information blocking claim.

Actors should consider their data sharing and release of information processes to follow the conditions of one of the five following exceptions before denying a request for EHI:

1. Privacy exception: An actor may decline to fulfill a request to protect an individual’s privacy if the privacy conditions are met.

2. Security exception: An actor may refuse a request to access, exchange, or use EHI to protect the security of EHI if the security conditions are met.

3. Preventing harm exception: An actor may decline to fulfill a request to engage in reasonable and necessary practices to prevent harm to a patient or another if the preventing harm conditions are met.

4. Infeasibility exception: An actor may refuse a request within 10 business days with consistent and nondiscriminatory documentation of the infeasibility of the request.

5. Health IT performance exception: An actor may take temporary measures to maintain or improve health IT performance that are reasonable and necessary.

Consider the following three exceptions that provide implementation procedures for properly fulfilling a request to access, exchange, or use EHI:

1. Content and manner exception: An actor may limit the content or manner when fulfilling a request for EHI by meeting two conditions:

  • Content: Until May 2, 2022, an actor may limit the content of the EHI to the data elements listed in the U.S. Core Data for Interoperability (USCDI) standard. On or after that date, an actor must respond to the request with the full scope of data in the EHI definition.
  • Manner: An actor must fulfill the request in the manner requested unless technically unable to do so or the actor and the requestor mutually agree on license terms. If the parties cannot agree on terms, the actor must fulfill the request in an alternative manner based on a priority order specified by rule.

2. Reasonable fees exception: An actor may charge fees that result in a reasonable profit margin for accessing, exchanging, or using EHI provided certain conditions are met.

3. Licensing exception: Actors who limit the licensing of certain interoperability elements they control, such as IP rights, hardware, software, technologies, or services, must offer a reasonable license within 10 business days and finalize terms within 30 business days.

Revise Release of Information Procedures

The information blocking rule will turn HIPAA on its head by requiring health-care providers and their business associates to share data in most instances where HIPAA permits, but does not require, the disclosure. Covered entities and their business associates should update their privacy and security policies and modify their release of information and data-sharing practices that prohibit or delay that data sharing. If delay or denial of information may be considered interference, compliance with an exception may be necessary to avoid information blocking claims.

Update Technology Contracting and BAAs to Avoid an Impasse

The information blocking rule will place pressure on all actors to streamline their technology and data contracting protocols for technology tools and data sharing projects involving EHI. Data-sharing projects will be particularly reliant on the content and manner exception to fulfill data requests, certainly from patients and third parties acting on their behalf as well as the actor’s competitors. The ability to transmit the USCDI data elements by standard interfaces, such as APIs, will be at a premium to take advantage of this useful exception. To the extent the negotiation strategy instead requires reliance on the licensing or fee exceptions, consider reasonable licensing terms and allowable fees in advance to streamline your time frames for negotiating license conditions on non-discriminatory terms.

HIPAA historically required business associate agreements to establish permissible uses and disclosures of PHI and to prohibit uses and disclosures not permitted or required by law. Now, when the law permits the access to or exchange of EHI, disclosure often will be required. Although the ONC notes that the information blocking rule does not itself require actors to violate their business associate agreements and associated service level agreements, actors cannot use these agreements to limit EHI disclosures in an arbitrary manner.

Here is a summary timeline of the new policies taking effect to account for the compliance date delays due to the Covid-19 pandemic:

  • Information blocking rule compliance date—Nov. 2, 2020
  • Hospital ADT notifications—effective May 2, 2021
  • Payer APIs for patient access—effective July 1, 2021
  • Provider directory API—effective July 1, 2021
  • Payer exchange networks—effective Jan. 1, 2022

Part 2 of this series will cover additional considerations for hospitals and CMS-regulated plans under the CMS interoperability and patient access rule.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Amy Leopard is a partner in Bradley’s Healthcare Practice Group and co-chairs the firm’s Cybersecurity and Privacy team. She advises health-care providers, health IT companies, and service providers on legal strategies at the intersection of health law, policy and information technology. She is a fellow in HIMSS and certified information privacy professional (CIPP/US).

Elliot Bertasi is a member of Bradley’s Healthcare Practice Group, as well as the Cybersecurity and Privacy team. Elliot serves clients in the health-care industry on transactional, operational and regulatory matters, including mergers and acquisitions and privacy and data security compliance matters.

Jordan Stivers Luke is a member of Bradley’s Healthcare Practice Group, where she assists clients in the health-care industry with regulatory, operational, and transactional matters. She advises health-care providers on HIPAA and HITECH compliance, day-to-day privacy and security operational issues, and data breach response. She is a certified information privacy professional (CIPP/US).
