Adam H. Greene (email@example.com) is a Partner in the Washington, DC, office of Davis Wright Tremaine LLP and cochair of its Health Information Practice Group.
On April 5, 2021, the 21st Century Cures Act Information Blocking Rule will become applicable. In practice, this means that information-blocking actors—healthcare providers, health information technology (IT) developers of certified health IT (health IT developers), and health information networks and health information exchanges (HIN/HIEs)—are required to assess and revise longstanding information practices in order to appropriately free up electronic health information (EHI). While the applicability date is fast approaching, many questions remain. When will enforcement begin? What are the proactive obligations for compliance? What practices that do not fall under exceptions nevertheless qualify as “reasonable”? This article will identify some of the most vexing questions surrounding the Information Blocking Rule and offer strategies for compliance among this uncertainty.
In December 2016, Congress enacted the 21st Century Cures Act (the Act). Section 4004 of the Act prohibits healthcare providers, health IT developers, and HIN/HIEs (collectively, actors) from engaging in information blocking. In short, the Act provides that, except as required by law or specified in a regulatory exception, an actor may not engage in a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
The statute includes different knowledge standards for different types of actors: a healthcare provider is only engaged in information blocking if they know the practice to be unreasonable, whereas the knowledge standard for health IT developers and HIN/HIEs does not include such a reasonableness component.
The Act’s information-blocking prohibition is independent of the information-blocking prohibition in the Medicare Access and CHIP Reauthorization Act of 2015, which is currently in effect through attestation requirements of the Promoting Interoperability Programs (also known as the “Meaningful Use” programs) and is limited to healthcare providers participating in those programs.
The U.S. Department of Health & Human Services (HHS), through its Office of the National Coordinator for Health Information Technology (ONC), promulgated final regulations (the Information Blocking Rule, or the Rule) implementing Section 4004 of the Act on May 1, 2020. The Information Blocking Rule includes eight exceptions setting forth practices that will not qualify as information blocking (such as to prevent harm, protect the privacy or security of the information, or because of infeasibility). That being said, a practice does not necessarily constitute information blocking merely because it does not fall under an exception. The Rule originally had an applicability date of November 2, 2020. In response to the challenges of the COVID-19 pandemic, the HHS delayed the applicability date until April 5, 2021.
When is compliance required?
The Act provides that the HHS Office of Inspector General (OIG) may impose penalties of up to $1 million per violation on health IT developers and HIN/HIEs. OIG issued a proposed enforcement rule in April 2020 but has not yet published a final rule. Accordingly, we do not yet know the enforcement date for health IT developers and HIN/HIEs. While the applicability date is April 5, 2021, the OIG has indicated that it does not intend to penalize conduct that occurs prior to 60 days after publication of the OIG’s final enforcement rule, which is likely to be some time after April 5.
There is even greater uncertainty with respect to enforcement and healthcare providers. The Act provides that the OIG should refer healthcare providers who commit information blocking to the “appropriate agency” for “appropriate disincentives” that fall under existing authority. We do not yet know which agency will be responsible for enforcement against healthcare providers. Possibilities include, but are not limited to, the ONC, the HHS Office for Civil Rights, or the Centers for Medicare & Medicaid Services. We do not know what the “appropriate disincentives” may be that exist under existing federal authority. And we do not know the potential enforcement date for healthcare providers, as we are awaiting a notice of proposed rulemaking and then a final enforcement rule. This leaves open the question of whether healthcare providers’ conduct occurring after April 5, 2021, will be subject to future penalties, or whether conduct will not be penalized until the effective date of a future enforcement rule for healthcare providers.
Based on this, the conservative position is to seek full compliance by the applicability date of April 5, 2021. That being said, if an actor is not able to achieve full compliance by that time, the risk of liability is likely low until a final enforcement rule applicable to the actor is published. Healthcare providers that participate in the Promoting Interoperability Program, though, should continue to ensure that they are able to attest that they are not engaged in prohibited information blocking under the Medicare Access and CHIP Reauthorization Act of 2015 (which has different requirements than the Information Blocking Rule).