Status, Challenges of Information Blocking Rule Compliance

November 16, 2021 - The Office of the National Coordinator for Health Information Technology (ONC) published its Information Blocking Final Rule in May 2020. Part of the 21st Century Cures Act, the rule defines information blocking as any practice that interferes with the access, exchange, or use of electronic health information (EHI).

The rule went into full effect on April 5, 2021, requiring providers, vendors, and any actor in the healthcare sector that takes part in health information exchanges to comply. Save for eight official exceptions to the information blocking provision, everyone who is subject to the rule is required to quickly respond to any legitimate request to exchange EHI and eliminate known barriers to EHI exchange.

More than six months have passed since the Information Blocking Rule compliance deadline, and providers are still figuring out how to navigate the rule. CMS has not yet provided clarity about the potential penalties that could be imposed on providers for noncompliance, and the Office of Inspector General (OIG) has not finalized its proposed penalties for certified EHR vendors and health information exchanges.

Many providers have embraced the change and implemented updated APIs for controlling the flow of patient data, explained Deven McGraw, co-founder and chief regulatory officer at Ciitizen and former deputy director of health information privacy at HHS.

However, others are still working to adapt and update their data-sharing practices to ensure compliance and timely patient data access.

“As best practices are developing and as entities are understanding more about what their obligations are, it's still very rocky out there,” McGraw told HealthITSecurity.

The healthcare community is awaiting the announcement of information blocking enforcement mechanisms by regulatory agencies. Meanwhile, compliance challenges and misconceptions continue to impede progress in some cases. Nonetheless, the rule will set higher standards and expectations for healthcare providers and vendors when it comes to sharing electronic health information.

How does the information blocking rule change the nature of health data sharing?

“The idea behind the Information Blocking Rule is that, if you are permitted under law to share that information, then you need to be sharing it, unless you have a really good reason for not sharing it,” McGraw explained. “That includes making it easy and not creating obstacles for people to share data.”

Working alongside HIPAA, the Information Blocking Rule provides an added line of defense against healthcare actors who are creating obstacles to patients getting access to their electronic health information.

“You can immediately start to think that some of the what the challenges are,” McGraw remarked.

“It's creating a penalty infrastructure for not sharing that frankly was never there before, except in the case of patients, because that was a required disclosure under HIPAA. In information blocking, it doesn't turn all disclosures into required disclosures, but it turns them into expectations.”

The Information Blocking Rule essentially strengthens the rights that patients have in terms of obtaining their electronic health data in the modern health IT environment. It also holds EHR vendors accountable for ensuring that health information is accessible. 

There are eight approved exceptions to the Information Blocking Rule, as defined by ONC. The first five of the exceptions involve not fulfilling requests to access, exchange, or use EHI, while the final three exceptions involve procedures for fulfilling requests to access, exchange, or use EHI:

Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

The rules are slightly different for health IT developers versus providers. It is assumed that health IT developers and health information networks (HIEs) should know if a practice is likely to prevent the exchange or use of EHI. However, a healthcare provider would have to be knowingly engaging in such a practice in order to be considered an information blocker.

With this rule, there is a new expectation that providers can and should provide patients with any request EHI without significant obstacles, McGraw emphasized. Electronic data access is essential to a patient’s participation in their own care journey and allows them to make educated decisions about their own health.

6+ months in, Compliance Challenges and Misconceptions Persist

“It’s been a bit of a mixed bag. There are definitely some healthcare providers that have done a really good job of updating their portals so that patients can automatically see test results and notes,” McGraw said in regard to the current state of Information Blocking Rule compliance.

“If that’s their choice as a patient, they don’t have to wait to see if a provider has viewed the data. I’m seeing a number of healthcare organizations that have stepped up and have done that. On the other hand, you still see some folks who are not as aware of the rules.”

Many physicians may be reluctant to provide test results to patients before getting the chance to speak with them first, especially if the results have negative health implications for the patient. However, patients have a right to view the results if they request to, and preventing them from viewing the data may be considered information blocking.

“There's been a lot of dialogue between patient advocates and physicians around whether it's harmful or helpful when patients get these results right away,” McGraw added. “Patients can now get a cancer diagnosis in the privacy of their home or maybe even at work as they're checking their portals, versus having a chance to talk to an oncologist about what the lab test results mean.”

Other providers may be confused about where information blocking responsibilities lie and may look to their EHR vendors for updated APIs, McGraw continued, which presents another compliance obstacle.

“Whether your APIs have been updated or not, you still have an obligation as a healthcare provider to respond to these requests much more rapidly without the obstacles that have traditionally been put in the way of patients.”

Although the rule went into effect in April, healthcare organizations are not required to migrate to Fast Healthcare Interoperability Resources (FHIR) v4 APIs until December 31, 2022. The delayed timeline is meant to promote interoperability and give developers and providers enough time to comply and activate the updates.

Some providers may already have upgraded to FHIR v4 but are under the impression that since they do not have to actually activate the updates until 2022, they are off the hook when it comes to certain information blocking practices.

“Providers still have to make that information available to the patient in a way that doesn’t create interference or obstacles,” McGraw clarified.

“If you’re not going to turn it on at the API level, you still have to use the rest of your systems to gather the data.”

In addition to technology gaps and misconceptions about the Information Blocking Rule, McGraw explained that traditional information management offices are often not looped into the rule changes quickly enough. These offices now have to consider information blocking fee provisions along with the faster timeline for the release of electronic information compared to traditional HIPAA rules regarding patient right of access.

While HIPAA has similar rules in terms of providing timely and cost-effective access to data, the Information Blocking Rule sets higher standards and accelerated timelines for EHI.

As compliance challenges persist, providers and health IT developers will be looking to regulatory agencies to provide clarity, guidance, and enforcement actions surrounding the Information Blocking Rule.

The future of the information blocking rule: what providers should watch for

As the FHIR v4 API deadline approaches, health IT vendors and providers will have to make decisions about how to operate from a clinical perspective while staying in line with the Information Blocking Rule. Certified EHR vendors will likely face pushback from providers surrounding the practice of making data available to patients before the physician has had a chance to see it or speak to the patient.

“We will also hopefully hear more from the regulators about penalties,” McGraw suggested.

OIG released a proposed enforcement rule in April 2020 and a final rule is expected in the near future. OIG is expected to provide enforcement guidelines for EHR vendors, while CMS will play a part in determining the penalties for providers.  

“And there has not really been much that's been said about what those penalties will look like for a potential False Claims Act violation if they attested to not information blocking when they submitted their reimbursement to CMS, but then it turns out that they were intentionally blocking information after all,” McGraw pointed out.

“Finalization of some of those enforcement aspects and a lot more clarity is absolutely essential.”

In the meantime, healthcare providers should focus on improving compliance efforts by working with their EHR vendors and responding to EHI requests in a timely manner.

“There is a decision to be made by regulators about how they are actually going to interpret the 21st Century Cures Act,” McGraw observed.

“We're at this point where the agencies could go one way or the other—interpret it very narrowly and allow the industry to basically behave the way it has been as long as they're not being blatantly anti-competitive—or take a broader approach and say that the 21st Century Cures Act was meant to be a sea-change and we're going to interpret the law accordingly.”

At the root of the Information Blocking Rule is the desire to make electronic health data more accessible for patients or other entities as permitted by HIPAA.

“It's time for us to get the bang for our buck in terms of having this data more available for purposes for which we need it: for treatment, public health, population health, and analytics. It's time to break down some of these data siloes. Data holders have to step up to the plate and make this data available for a broader range of purposes than has been the case in the past,” McGraw concluded.

“And I hope ultimately that's where the Information Blocking Rule will lead us.”