INFORMATION BLOCKING RULE EFFECTIVE APRIL 5, 2021: ARE PROVIDERS READY?

By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared towards ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 20, 2020.  However, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance effective dates for the Final Rule several times over the last year.  Most providers were hopeful that it would be extended once again, but there are no more delays.  Information Blocking compliance is now effective, as of April 5, 2021.  Health care providers should take immediate steps to ensure compliance.

What Is Information Blocking?

The Information Blocking Final Rule aims to improve patient access to EHI by prohibiting practices that are “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” A health care provider can run afoul of the Information Blocking Rule if the “provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”   45 C.F.R. 171.103.

Information blocking can take many forms.  The Final Rule did not provide an exhaustive list or comprehensive description of practices that may implicate the information blocking prohibition, but does provide some examples, such as imposing unreasonable fees that would prevent patients from accessing their health information.  The Rule’s several exceptions to information blocking also implicate practices that could constitute information blocking.  See our further discussion of the exceptions below.

Who Must Comply?

The Information Blocking Rule regulates three categories of “actors”:  (1) health information networks (HINs) and health information exchanges (HIEs), (2) Health IT Developer of Certified Health IT, and (3) health care providers.  This article focuses on health care providers.  The definition of “health care provider” incorporated into the Information Blocking Rule (45 CFR 171.102) is the same as listed in the definition of health care provider set forth in the Public Health Service Act at 42 U.S.C. 300jj. 

Accordingly, a “health care provider” subject to the Information Blocking Rule includes the following:

Hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.   

Importantly, per the ONC, a provider is subject to the Information Blocking Rule regardless of whether the provider uses EHI that is certified under the ONC Health IT Certification Program.

Are There Exceptions To The Information Blocking Rule?

ONC has identified eight reasonable and necessary activities that do not constitute information blocking.  These exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met. The eight exceptions are:

  • Preventing Harm Exception
  • Privacy Exception
  • Security Exception
  • Infeasibility Exception
  • Health IT Performance Exception
  • Content and Manner Exception
  • Fees Exception
  • Licensing Exception

These exceptions come with qualifiers and caveats and deserve close study before relying on one. For example, the Infeasibility Exception, despite what one might think on the face of it, does not give a provider an excuse not to comply with the requirement to include certain EHI data elements from the United States Core Data for Interoperability (USCDI) standards in the provider’s response to the EHI request on the basis that it’s “infeasible”. Instead, a provider having difficulty with the form and content for responding to a request for EHI should look to the Content and Manner Exception.

Blanket Delay in Release of Test Results.  One exception to information blocking that has engendered much discussion is the patient harm exception and whether providers may delay the release of electronic laboratory and other test results to patients in order to allow the clinician an opportunity to review the results first and communicate the results directly with the patient.  Some providers have a policy of automatically holding test results for a period of time, such as two hours or two days, before releasing them to the patient electronically, such as through a patient portal. ONC has indicated that such blanket delays could be information blocking but may still permit delays on a case-by-case basis if there is a risk of harm to the patient.  ONC stresses:

“Deference should generally be afforded to patients’ right to choose whether to access their data as soon as it is available or wait for the provider to contact them to discuss their results. Only in specific circumstances do we believe delaying patients’ access to their health information so that providers retain full control over when and how it is communicated could be both necessary and reasonable for purposes of substantially reducing a risk of harm.” 

In practice, this could mean a patient would be able to access test results electronically in parallel to the availability of the test results to the ordering clinician—unless the patient consents to permitting the physician time to review the results first.

What Are The Penalties for Noncompliance?

Per the ONC, enforcement of violations of the Information Blocking Final Rule will not begin until the United States Office of Inspector General (OIG) establishes civil monetary penalties (CMPs) through future rulemaking.  Accordingly, providers will not be subject to penalties until the OIG’s CMP rule is final.  In the interim, ONC states that it will not exercise its discretion to impose CMPs for noncompliance that occurs before the CMP rule is final. 

On April 5, 2021, in a HealthITBuzz blog post, “A New Day for Interoperability—The Information Blocking Regulations Start Now,” the ONC stated: “ONC will continue to release education materials and communicate with stakeholders about the information blocking regulations. We remain closely partnered with the HHS Office of Inspector General with respect to information blocking investigations and civil monetary penalties (for which a final rule is still pending) as well as HHS broadly when it comes to disincentives for health care providers.”

Meanwhile, the ONC has activated its information blocking complaint submission process via a link to Report Information Blocking on its HealthIT Feedback and Inquiry Portal.  Within the complaint dialogue box, the ONC suggests that the complainant include the type of EHI requested (e.g., lab result, medical history, diagnostic images), the type or purpose of the EHI request (e.g., patient request to access his/her records, healthcare provider request to export patient records from a different healthcare provider) and the health IT being used by the requestor and by the person or entity that failed to satisfy the request (e.g., system and version).  The ONC states that, per the Cures Act, the complaint is not subject to disclosure under the Freedom of Information Act.  Finally, if the complainant believes the person or entity blocking access to the information is a HIPAA covered entity or business associate, the complaint portal provides a direct link to the HHS Office for Civil Rights website for filing a HIPAA complaint.

Is There Governmental Compliance Guidance?

Yes.  The navigation bar at the top of the ONC Information Blocking home page provides a dropdown list of “Resources,” including Fact Sheets, Frequently Asked Questions (FAQs), and webinars among other resources.  Notably, ONC recently updated its FAQs with further guidance and clarifications on how to comply with the Final Rule. Providers who have not recently reviewed the FAQs are encouraged to do so.  The updated FAQs are flagged with an asterisk (*) and one of two dates: 1/15/2021 and 3/19/2021. 

Among the updated FAQs is ONC’s further guidance on how to fulfill a request with the EHI data elements represented in the USCDI standards.  Importantly, on and after April 5, 2021, providers must respond to a request to access, exchange, or use EHI with, at a minimum, all requested EHI identified by the data elements represented in the USCDI standard.  Providers can register for an account with ONC and submit comments to the USCDI standards, including suggestions on improving the clarity, functionality and applicability of the USCDI standards to meet the needs of providers in specific care settings.

Providers also can submit specific questions or feedback about compliance with the Information Blocking Rule by clicking on the box for ONC Cures Act Final Rule on the ONC’s HealthIT Feedback and Inquiry Portal.

Compliance Tips

Health care providers should review their contracts, policies and practices to ensure that they are not likely to interfere with access, exchange, or use of EHI.  Revisions to those provisions of a provider’s medical records policies dealing with access may be in order.  In addition, it’s advisable to have a separate policy dealing with information blocking compliance given the complexity of the eight exceptions and the specific requirements related to how to produce EHI in compliance with the USCDI standards. 

Additionally, it’s imperative that providers talk to their EHI vendor to ensure any automatic hold on test results that may have been built into their system is dealt with in a way that ensures compliance with the Information Blocking Rule that prohibits EHI access delays.  Likewise, providers with patient portals should review how they respond to patient requests for information as well as how decisions are made to connect with a patient’s third-party app to ensure that unreasonable delays that do not meet an information blocking exception are dealt with properly.

Any contract with a vendor supplying EHI software, including vendors who host EHI from a legacy Electronic Health Record (EHR) system, should be reviewed and updated if possible to ensure that neither the vendor’s practices nor the contract itself creates an obstacle to the provider’s compliance with the Information Blocking Rule.  Even a provider’s standard HIPAA Business Associate Agreement (BAA) form, when used with vendors of EHI, may need to be revised to add a specific requirement to comply with the Information Blocking Rule, since this Rule is not part of HIPAA.  Merely complying with HIPAA’s right of access regulation will not meet the requirement of the Information Blocking Rule.

If you need additional information, please contact:

Kathie McDonald-McClure, Partner

Phone: 502.562.7526 

Email: kmcclure@wyattfirm.com

Margaret Young Levi

Phone: 859.288.7469

Email: mlevi@wyattfirm.com

The EPCS Mandate: Kentucky Requires Electronic Prescribing Of Controlled Substances

by Lindsay K. Scott

In an ongoing effort to battle the opioid crisis, Kentucky House Bill 342 was signed into law on March 26, 2019.  This bill created a new statute, KRS 218A.182, to require that all prescriptions for controlled substances be submitted electronically, unless certain exceptions apply (the “EPCS Mandate”).  Effective January 1, 2021, practitioners who prescribe controlled substances to be dispensed by a Kentucky pharmacy must issue the prescription electronically (“e-prescribe”) directly to the pharmacy unless an exception applies.

U.S. Department of Homeland Security Issues SAP Critical Vulnerability Alert

Written by:  Kathie McDonald-McClure

On Monday, July 13, 2020, the Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a SAP cybersecurity alert, No. AA20-195A, regarding a critical vulnerability that an unauthenticated attacker could exploit through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. CISA strongly recommends that organizations immediately apply patches, prioritizing internet-facing systems and then internal systems.  At least 15 SAP Java-based solutions are affected, including the SAP Supply Chain Management, the SAP Enterprise Portal, Central Process Scheduling and other widely used SAP applications.  See the Alert for the list of 15 affected SAP applications.

CISA/NCSC Joint Alert Warns of APT Groups Targeting Healthcare and Essential Services

by Margaret Young Levi and Kathie McDonald-McClure

On May 5, 2020, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of techniques that advanced persistent threat (APT) groups are using to exploit the COVID-19 pandemic.

APT groups target and exploit organizations responding to COVID-19, such as healthcare organizations, pharmaceutical companies, universities, medical research organizations, and local governments. These groups seek to steal “bulk personal information, intellectual property, and intelligence that aligns with national priorities.” For example, pharmaceutical companies, medical research organizations, and universities have been targeted in order to steal sensitive research into COVID-19-related medicine for both commercial and governmental benefit.

These cybercriminals employ a variety of techniques to steal data.


Kentucky Medicaid Further Expands Telehealth Coverage

By Lindsay K. Scott

Following expansion by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and Medicaid Services published guidance expanding the use of telehealth and relaxing restrictions on its use. The Office for Civil Rights, the agency responsible for enforcement of HIPAA, followed up with guidance making it clear that it will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services:

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
