A pair of final rules were published May 1, 2020, by HHS. The first rule issued by the Office of the National Coordinator for Health IT (“ONC”) relates to the 21st Century Cures Act information blocking provisions and the ONC Health IT certification program (“Info Blocking Regulations”). The second rule issued by CMS relates to interoperability of health information technology and patient access. This article focuses on the impact of these two regulations on health care providers.
The 21st Century Cures Act (the “Act”) contained provisions prohibiting information blocking. The Act directed the Secretary of Health and Human Services to adopt regulations that identify reasonable and necessary activities that do not constitute information blocking. ONC’s regulations not only adopt activities that do not constitute information blocking but also impose obligations upon developers of certified health IT to provide application programming interfaces (“APIs”) for accessing their software.
These regulations are important to health care providers because they obligate the health care providers to make the electronic health information available to third parties via an API upon such third party’s request, and because they establish a framework within which health care providers, health information exchanges and licensors of such technologies must operate to protect patient privacy and facilitate the exchange and use of APIs.
In addition to the ONC regulations, the CMS regulations create a new Medicare Condition of Participation requiring that hospitals, including psychiatric hospitals and critical access hospitals, send electronic patient event notifications for admissions, discharges and or transfer (“ADT”) to another health care facility (“ADT CoP”).
Due to the COVID-19 National Emergency, ONC and CMS have adjusted the compliance dates for these regulations. The compliance date for ONC required APIs using the limited set of data set forth in the USCDI (discussed below) will be February 2, 2021, and APIs for all electronic health information (“EHI”) will be August 2, 2022. The compliance date for the ADT CoP will be May 2, 2021.
Key Takeaways
It will be important for health care providers to begin considering their approaches to complying with these new requirements soon. Upgrades to software making these APIs and ADT notifications possible must be installed prior to the compliance dates. Additionally, health care providers should consider the adoption of policies and procedures with respect to the APIs to ensure consistent approaches in order to avoid claims of information blocking. The policies and procedures should take into account the chosen means for making APIs available and processes for granting API access, as well as, approaches for claiming any of the exceptions discussed further below.
What Is Information Blocking?
Similar in structure to the Anti-Kickback Statute, the Info Blocking Regulations establish a broad general prohibition on any activities that appear to discourage the access, exchange or use of EHI, and then provide a set of exceptions, which if fully complied with provide a defense from violation of the broad general prohibition. Section 3022(a)(1) of the Cures Act defines information blocking as a practice that is likely to interfere with, prevent or materially discourage access, exchange or use of EHI. The regulations elaborate on this definition by defining a “knowledge” requirement that the activity would discourage access exchange or use of EHI. Health information technology developers, health information networks or health information exchanges are held to a somewhat higher standard of knowledge “knows, or should know” while Providers are held to the lower standard of actual knowledge.
Who Must Comply?
The Info Blocking Regulations apply to (1) health care providers; (2) entities that license software or provide services subject to the ONC Health IT Certification program; and (3) entities that facilitate the exchange of EHI for treatment, payment or health care operations purposes or control or have any discretion over such entities (“Actors”).
Health Care Provider has the same meaning as ‘‘health care provider’’ in 42 U.S.C. 300jj, which is a provider of health care, including hospitals, skilled nursing facilities, nursing facilities, home health entities or other long term care facilities, health care clinics, community mental health centers, renal dialysis facilities, blood centers, ambulatory surgical centers, emergency medical services providers, Federally qualified health centers, group practices, pharmacists, pharmacies, laboratories and physicians.
Health Information Technology Developer of Certified Health IT means an individual or entity, that at the time it engages in a practice that is the subject of an information blocking claim has one or more Health IT Modules certified under a program for the voluntary certification of health information technology (“CHERT”) that is kept or recognized by the ONC.
Health Information Network or Health Information Exchanges means an entity (or has control or discretion over an entity) that facilitates the exchange of EHI among two or more unaffiliated providers for a treatment, payment or health care operations purpose.
What Are the Exceptions?
The ONC regulations set forth eight exceptions to the information blocking prohibition. Much like the Anti-Kickback Statute’s safe harbors, the ONC provided exceptions to the broad prohibitions of the regulations. Failure to meet all of the requirements of an exception does not mean that the Actor has engaged in information blocking but rather means the alleged information blocking will be dealt with on its facts and whether it meets the definition of information blocking in order to avoid the civil monetary penalties.
The exceptions are broken down into two groups: (i) exceptions that involve not fulfilling requests to access, exchange or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
Exceptions that involve not fulfilling request to access, exchange or use EHI:
Preventing Harm Exception. This exception applies if the Actor reasonably believes that the alleged practice will substantially reduce the risk of harm to a patient or another person. In utilizing this exception, the Actor must limit its use to be no broader than necessary to substantially reduce the risk of harm. The risks to be addressed by this exception are case-by-case determinations by a licensed health care professional with a current or prior clinical relationship with the patient, and data errors. Any determination of risk by a health care provider is subject to review and must be based on an organizational policy or a determination specific to the facts or circumstances.
Privacy Exception. This exception applies where providing the access, exchange or use of the EHI would violate a state or federal privacy law. In order to utilize this exception, one of four preconditions must be satisfied: (1) the Actor or the patient have not met a precondition for release set forth in the applicable privacy law; (2) if the Actor is a Health IT Developer of Certified Health IT not subject to HIPAA, the practice promoting privacy must be set forth in a privacy notice provided to the individual before using the technology and comply with applicable laws; (3) the access request is denied pursuant to HIPAA regulations; or (4) the request is denied due to an individual’s request that the individual’s information not be shared.
Security Exception. This exception applies when access, exchange or use is denied due to a legitimate security concern of the Actor. The practice must: (1) directly relate to safeguarding the confidentiality, integrity and availability of EHI; (2) be tailored to specific security risks; and (3) be implemented in a consistent and non-discriminatory manner. Additionally, the practice must either implement a qualifying organizational security policy or implement a qualifying security determination.
Infeasibility Exception. This exception applies when legitimate practical challenges limit an Actor’s ability to comply with a request because the Actor was unable to obtain the requisite technological capabilities, legal rights or other means necessary to enable access, exchange or use. For a circumstance to be infeasible one of the following must exist: (1) the request cannot be fulfilled due to a natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunication or internet service interruption, or act of military civil or regulatory authority; (2) the information requested cannot be unambiguously separated from other EHI that cannot be released; or (3) the actor can demonstrate through a contemporaneous written record its consistent and non-discriminatory consideration of the factors leading to the infeasible circumstance.
Health IT Performance Exception. This exception applies to poorly performing health IT that must be maintained or improved requiring the health IT be taken offline temporarily. This practice must be implemented for a period of time that is no longer than necessary, be implemented in a consistent and non-discriminatory manner, and is consistent with service level commitments related to health IT. Additionally, these regulations give health care providers a cause of action against Health IT Developers of Certified Health IT for failing to meet service level commitments.
Exceptions that involve procedures for fulfilling requests to access, exchange or use EHI:
Content and Manner Exception. This exception gives Actors clarity and flexibility with respect to the content and manner of access, exchange or use of EHI. The content that the Actor must provide prior to May 2022 is limited to the data elements in the United States Core Data for Interoperability (“USCDI”) standard. As of May 2, 2022, the Actor must respond to requests with all EHI. If the Actor cannot technically fulfill the request as requested, or cannot reach agreeable terms with the requestor for the manner of fulfillment, the Actor must fulfill the request without unnecessary delay in the first of the following that is technically feasible: (i) using certified technology as specified by the requestor; (ii) using a content and transport standard that has been published by the federal government, or an ANSI accredited standard organization; or (iii) using an alternative machine-readable format agreed upon with the requestor.
Fees Exception. This exception permits the Actor to charge fees that are not opportunistic (not including reasonable profits) or exclusionary practices interfering with access, exchange or use of EHI. Any fees that are assessed by the Actor must be based on objective and verifiable criteria that are uniformly applied for all similarly situated Requestors and must be reasonably related to the Actor’s cost of providing the access, use or exchange. Finally the foregoing costs must be reasonably allocated among all similarly situated persons to whom the technology or service is supplied. Additionally, the fee cannot be based upon: (i) the competitive nature of the Requestor; (ii) the sales, profits, revenues or other value the Requestor derives from the use, access or exchange of EHI; (iii) costs the Actor incurred in designing or implementing the health IT in a non-standard way; (iv) intangible asset costs other than actual development or acquisition costs; (v) opportunity costs unrelated to the access, exchange or use of the EHI; and (vi) any costs that led to the creation of intellectual property if the Actor charged a royalty for the intellectual property under the Licensing Exception below to recoup such costs.
Licensing Exception. This exception permits an Actor to protect the value of their innovations and charge a reasonable royalty to earn a return on the investment they have made to develop, maintain and update the innovations. When a Requestor requires an interoperability element to access, exchange or use EHI and make a request to an Actor, the Actor must within 10 business days of receiving the request, begin negotiations for a license and within 30 business days from receiving the request negotiate a license. Any royalty charged by the Actor for the interoperability element must be non-discriminatory and based upon the independent value of the Actor’s technology to the Requestor’s product. In addition, an Actor cannot, as part of the license, require the Requestor to: (i) not compete with the Actor; (ii) deal exclusively with the Actor; (iii) to acquire unrelated products or services; or (iv) license or transfer any intellectual property to the Actor.
If you have any questions or would like additional information about this topic, please contact:
- Jeff Short at (317) 977-1413 or jshort@wp.hallrender.com;
- Mike Batt at (317) 977-1417 or mbatt@wp.hallrender.com; or
- Your regular Hall Render attorney.
For more information on Hall Render’s Health Information Technology services, click here.
Hall Render’s attorneys and professionals continue to maintain the most up-to-date information and resources at our COVID-19 Resource page, through our 24/7 COVID‑19 Hotline at (317) 429-3900 or by contacting your regular Hall Render attorney.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.
