In March 2020, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) finalized two rules which established extensive healthcare data sharing policies related to the 21st Century Cures Act’s information blocking provision and adopted new health information technology certification requirements to enhance patients’ access to their health information.
Largely in response to the COVID-19 public health emergency, in October 2020, HHS released an interim rule which provides healthcare systems some flexibility and time to adapt to pandemic-related challenges. The interim rule extends the compliance dates and timeframes necessary to meet specific requirements related to information blocking and Conditions and Maintenance of Certification (CoC/MoC). The interim final rule also adopts updated standards and makes technical corrections and clarifications to the ONC Cures Act Final Rule.
In Case You Missed It: Below is a summary of the significant portions of the Cures Act Final Rule.
Information Blocking Generally: According to the HHS, information blocking is a practice by a healthcare professional or healthcare system that is likely to interfere with access, exchange, or use of electronic health information (EHI).
Who/What is Regulated: The Cures Act regulates information blocking of health IT developers of certified health IT, health information networks, health information exchanges, and healthcare providers.
Examples of information blocking include:
- Practices that restrict authorized access, exchange, or use (under applicable state or federal law) of information for treatment and other permitted purposes, including transitions between certified health information technologies
- Implementing health IT in nonstandard ways that are substantially likely to increase the burden of accessing, exchanging, or using EHI
- Implementing health IT in ways that are likely to:
- Restrict the access of EHI with respect to exporting complete information sets, or in transitioning between health IT systems, or
- Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use.
Information Blocking Exceptions: Section 4004 of the Cures Act authorizes the HHS Secretary to identify reasonable and necessary activities that do not constitute information blocking. So far, the HHS has identified eight information blocking exceptions. These exceptions are subdivided into two broad categories: (i) exceptions that involve not fulfilling requests to access, exchange or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange or use EHI.
Exceptions that Involve Not Fulfilling Requests to Access, Exchange, or Use EHI:
- Preventing Harm Exception – It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
- Privacy Exception – It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI to protect an individual’s privacy, provided certain conditions are met.
- Security Exception – It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI to protect the security of EHI, provided certain conditions are met.
- Infeasibility Exception – It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
- Health IT Performance Exception – It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Exceptions that Involve Procedures for Fulfilling Requests to Access, Exchange, or Use EHI:
- Licensing Exception – It will not be information blocking for an actor to limit the content of its response to request to access, exchange or use, EHI or the manner in which it fulfills a request to access, exchange, or use, EHI, provided certain conditions are met.
- Fees Exception – It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
- Content and Manner Exception – It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
CoC/MoC Generally: There are six Cures Act regulatory subject areas which participants (generally Health IT developers) in the ONC Health IT Certification Program are responsible for continuously satisfying Conditions of Certification (CoC), to achieve certification. All but the first of these areas of regulation also require participants to satisfy specific Maintenance of Certification (MoC) conditions following initial certification to maintain their certifications. These areas are: 1) Information Blocking, 2) Assurances, 3) Communications, 4) Application Programming Interfaces (APIs), 5) Real World Testing, and 6) Attestation. See a few example summaries below.
Who/What is Regulated: These Conditions of Certification and Maintenance regulate participants in the Health IT Certification Program offered by the Office of the National Coordinator for Health Information Technology.
Examples of CoC/MoC:
- Information Blocking
- CoC – Take no actions defined as “information blocking” under § 3022(a) of the Public Health Service Act (PHSA).
- MoC – Comply with CoC.
- Attestation
- CoC – The participant must attest that it complies with the CoC’s and MoC’s for the prior six areas.
- MoC – Such attestations shall be continuously submitted in six-month intervals, starting April 1, 2022.
*The Cures Act’s added rules are robust and require deft navigation. For specific questions on these rules and how to comply with them, please contact a member of Taft’s Privacy and Data Security Group. We are eager to assist you in understanding this complex topic.