In a nod to our increasingly digital world, a whole host of individuals and entities operating in the health care space were required to begin complying with the 21st Century Cures Act’s (Cures Act) Information Blocking Rule on April 5, 2021. The Information Blocking Rule, along with the Cures Act’s Interoperability Rule, is intended to help facilitate the access, exchange, and use of electronic health information (EHI).
The Information Blocking Rule applies to “actors,” which is defined to include health care providers, health information technology (health IT) developers of certified health IT, health information exchanges (HIEs), and health information networks (HINs).i Importantly, nearly all types of health care providers are subject to the rule, which reaches far beyond the covered entities subject to HIPAA’s Privacy Rule. For example, psychologists and dental specialists who do not participate with health insurance payors and only accept private pay patients do not meet the definition of “covered entity” under HIPAA, but do meet the definition of actors under the Information Blocking Rule.
What Is Information Blocking?
According to the rule, actors are barred from engaging in information blocking. Information blocking is defined as a practice that, except as required by law or covered by an exception:
- Is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI and
- If conducted by a health care provider, the provider knows that the practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI or
- If conducted by a health IT developer of certified health IT, a HIN, or a HIE, the developer, network, or exchange knows, or should know, that the practice is likely to interfere with access, exchange, or use of EHIii
Importantly, the Information Blocking Rule does not preempt state laws and regulations governing patient privacy and consent, for example. Moreover, the rule does not require actors to make EHI available to patients or others who have not requested the information. But, when information is requested, the actor must, in most cases, provide it without delay.
Under the Information Blocking Rule, actors are required to give patients electronic access to their EHI. Compliance with the rule will require actors to have adequate procedures in place to document and respond to requests to access, exchange, or use EHI. EHI is defined as “electronic protected health information as defined in [the HIPAA Privacy Rule] to the extent that it would be included in a designated record set . . . , regardless of whether the group of records are used or maintained by or for a covered entity.”iii In other words, EHI represents essentially the same electronic protected health information that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Rule.
Are There Any Exceptions or Exemptions?
Importantly, two types of information are explicitly exempted from the definition of EHI; thus, they need not be made electronically accessible to patients. These types of information include psychotherapy notes and information compiled in reasonable anticipation of, or use in, litigation. Additionally, health information that is de-identified consistent with HIPAA requirements is not included in the definition of EHI.
In addition to the types of information that are exempted from the definition of EHI, there are eight exceptions to the Information Blocking Rule, which correspond with activities that are likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, but that would be reasonable and necessary if certain specified conditions are met. These eight exceptions are divided into two categories: (1) exceptions that involve not fulfilling a request to access, exchange, or use of EHI and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use of EHI. According to the United States Department of Health and Human Services, if the conditions for one of these exceptions are met, the actor will not be considered to be information blocking.iv
Impact on Health Care Providers
To comply with the Information Blocking Rule, health care providers will need to ensure that they are responding to patient requests for EHI in a way that would not be considered information blocking. This will require, for example, updates to policies and procedures to ensure that they align with the Information Blocking Rule’s requirements. Providers will also need to review their contracts with vendors and subcontractors to ensure that contract provisions do not lead to a risk of information blocking.
Impact on Health IT Developers
The Information Blocking Rule and its companion, the Interoperability Rule, impose a substantial amount of new requirements on health IT developers. However, these new requirements only apply to developers of health IT which are certified by the Centers for Medicare and Medicare Services (CMS). Health IT developers of certified health IT should become familiar with these new interoperability requirements and standards, as well as the changes to the CMS certification process, to ensure that any health IT developed meets the obligations of the rules.
Impact on HIEs and HINs
The Information Blocking Rule provides that HIEs and HINs include, but are not limited to, “regional health information organizations (RHIOs), state health information exchanges (state HIEs), and other types of organizations, entities, or arrangements that enable EHI to be accessed, exchanged, or used between or among particular types of parties or for particular purposes.”v As noted above, the Information Blocking Rule does not preempt state laws and regulations. So, for example, RHIOs, which are certified as qualified entities (QEs) under the New York State Regulations relating to the Statewide Health Information Network for New York (SHIN-NY), need to be aware of New York State policies applicable to a QE and its participants. Under the Information Blocking Rule, it is possible that an entity can be more than one type of actor depending on what role it has. The rule makes clear, however, that an entity is treated as an actor only in situations that involve the actor’s conduct in that specific role.
We understand the impact that Cures Act and the Information Blocking Rule have on our clients and the health care industry at large. We see the Information Blocking Rule as a new pair of glasses through which an organization in the health care space needs to look at nearly all that it does and plans to do in order to comply. As such, Barclay Damon’s Health Care & Human Services Practice Area has assembled a team of attorneys to track related regulatory and legislative developments, as well as guidance from various state and federal agencies, in order to provide advice and counsel on what they mean to our clients.
If you have any questions regarding the content of this alert, please contact Herb Glose, partner, at hglose@barclaydamon.com; Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com; Bridget Steele, associate, at bsteele@barclaydamon.com; Dena DeFazio, associate, at ddefazio@barclaydamon.com; or another member of the firm’s Health & Human Services Providers Practice Area.
i See 45 CFR § 171.102 (defining “actors”).
ii See 45 CFR § 171.103 (defining “information blocking”).
iii See 45 CFR § 171.102 (defining “electronic health information”).
iv See 45 CFR §§ 171.200 – 171.303.
v See 85 Fed. Reg. at 25801. Note that there are specific provisions regarding health information exchanges contained in the PHSA. See, e.g., 42 USC § 300jj-19(c)(3) (“In carrying out paragraph (1), the Secretary, in coordination with the Office for Civil Rights, shall issue guidance to health information exchanges related to best practices to ensure that the [EHI] provided to patients is – (A) private and secure; (B) accurate; (C) verifiable; and (D) where a patient’s authorization to exchange information is required by law, easily exchanged pursuant to such authorization.”).