Adam H. Greene (firstname.lastname@example.org) is a Partner in the Washington, DC, office of Davis Wright Tremaine LLP and cochair of its Health Information Practice Group.
On April 5, 2021, the 21st Century Cures Act Information Blocking Rule will become applicable. In practice, this means that information-blocking actors—healthcare providers, health information technology (IT) developers of certified health IT (health IT developers), and health information networks and health information exchanges (HIN/HIEs)—are required to assess and revise longstanding information practices in order to appropriately free up electronic health information (EHI). While the applicability date is fast approaching, many questions remain. When will enforcement begin? What are the proactive obligations for compliance? What practices that do not fall under exceptions nevertheless qualify as “reasonable”? This article will identify some of the most vexing questions surrounding the Information Blocking Rule and offer strategies for compliance among this uncertainty.
In December 2016, Congress enacted the 21st Century Cures Act (the Act). Section 4004 of the Act prohibits healthcare providers, health IT developers, and HIN/HIEs (collectively, actors) from engaging in information blocking. In short, the Act provides that, except as required by law or specified in a regulatory exception, an actor may not engage in a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
The statute includes different knowledge standards for different types of actors: a healthcare provider is only engaged in information blocking if they know the practice to be unreasonable, whereas the knowledge standard for health IT developers and HIN/HIEs does not include such a reasonableness component.
The Act’s information-blocking prohibition is independent of the information-blocking prohibition in the Medicare Access and CHIP Reauthorization Act of 2015, which is currently in effect through attestation requirements of the Promoting Interoperability Programs (also known as the “Meaningful Use” programs) and is limited to healthcare providers participating in those programs.
The U.S. Department of Health & Human Services (HHS), through its Office of the National Coordinator for Health Information Technology (ONC), promulgated final regulations (the Information Blocking Rule, or the Rule) implementing Section 4004 of the Act on May 1, 2020. The Information Blocking Rule includes eight exceptions setting forth practices that will not qualify as information blocking (such as to prevent harm, protect the privacy or security of the information, or because of infeasibility). That being said, a practice does not necessarily constitute information blocking merely because it does not fall under an exception. The Rule originally had an applicability date of November 2, 2020. In response to the challenges of the COVID-19 pandemic, the HHS delayed the applicability date until April 5, 2021.
When is compliance required?
The Act provides that the HHS Office of Inspector General (OIG) may impose penalties of up to $1 million per violation on health IT developers and HIN/HIEs. OIG issued a proposed enforcement rule in April 2020 but has not yet published a final rule. Accordingly, we do not yet know the enforcement date for health IT developers and HIN/HIEs. While the applicability date is April 5, 2021, the OIG has indicated that it does not intend to penalize conduct that occurs prior to 60 days after publication of the OIG’s final enforcement rule, which is likely to be some time after April 5.
There is even greater uncertainty with respect to enforcement and healthcare providers. The Act provides that the OIG should refer healthcare providers who commit information blocking to the “appropriate agency” for “appropriate disincentives” that fall under existing authority. We do not yet know which agency will be responsible for enforcement against healthcare providers. Possibilities include, but are not limited to, the ONC, the HHS Office for Civil Rights, or the Centers for Medicare & Medicaid Services. We do not know what the “appropriate disincentives” may be that exist under existing federal authority. And we do not know the potential enforcement date for healthcare providers, as we are awaiting a notice of proposed rulemaking and then a final enforcement rule. This leaves open the question of whether healthcare providers’ conduct occurring after April 5, 2021, will be subject to future penalties, or whether conduct will not be penalized until the effective date of a future enforcement rule for healthcare providers.
Based on this, the conservative position is to seek full compliance by the applicability date of April 5, 2021. That being said, if an actor is not able to achieve full compliance by that time, the risk of liability is likely low until a final enforcement rule applicable to the actor is published. Healthcare providers that participate in the Promoting Interoperability Program, though, should continue to ensure that they are able to attest that they are not engaged in prohibited information blocking under the Medicare Access and CHIP Reauthorization Act of 2015 (which has different requirements than the Information Blocking Rule).
Does the Rule require proactive publishing of EHI?
The publication of the Information Blocking Rule has left many healthcare providers scrambling to post more EHI to their patient portals. It has created challenging questions, such as whether historic EHI, where treating providers may have retired or moved elsewhere, should be posted to the portal without the originating providers’ review or involvement. Or whether minors’ records should be posted to the portal for age ranges where the minors can consent to certain healthcare services (since it may not be permissible to provide parents with access to EHI related to such healthcare services).
What may have been the most fundamental and vexing question of the Information Blocking Rule was whether it required proactive publication of EHI, such as through the patient portal. The Information Blocking Rule generally prohibits practices that interfere with access, exchange, or use of EHI. But is this request-driven, where an actor only must make EHI available for access, exchange, and use upon request? Or is it a proactive requirement, where actors must proactively post all EHI?
We have received further clarification from the ONC that the Rule is not a proactive obligation:
Q: Do the information blocking regulations ( 45 CFR Part 171 ) require actors to proactively make electronic health information (EHI) available through “patient portals,” application programming interfaces (API), or other health information technology? *1/15/2021*
No. There is no requirement under the information blocking regulations to proactively make available any EHI to patients or others who have not requested the EHI. We note, however, that a delay in the release or availability of EHI in response to a request for legally permissible access, exchange, or use of EHI may be an interference under the information blocking regulations [21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25,813, 25,878 ]. If the delay were to constitute an interference under the information blocking regulations, an actor’s practice or actions may still satisfy the conditions of an exception under the information blocking regulations [ 45 C.F.R. §§ 171.200–303 ].
Accordingly, actors are not required to proactively post EHI to their patient portals or proactively release lab results. Rather, a practice only is potentially information blocking if there is a request for access, exchange, or use of EHI. This alleviates much of the burden that many were associating with the Rule.
When can a healthcare provider rely on a practice as reasonable?
As referenced in the earlier “Background” section, the Information Blocking Rule has a different knowledge requirement for healthcare providers as compared to other actors, providing that a practice is only information blocking if a healthcare provider knows it to be unreasonable. Many of the concerns that have been raised about the Information Blocking Rule revolve around the breadth of practices that potentially become information blocking because they do not fit within the regulatory exceptions. For example, the preventing-harm exception sets a high bar as to what constitutes a harm that falls under the exception, in most circumstances requiring a determination that the access, exchange, or use of EHI would endanger the life or physical safety of the individual or another person (there is a lesser standard if the EHI references another person or the request is from a personal representative). This has left healthcare providers concerned that they cannot delay a patient’s test results, for example, where the treating provider believes it would be in the patient’s best interest to first discuss the test results with the patient.
HHS states that, “[w]hile we recognize the importance of effective clinician-patient relationships and patient communications, we are not persuaded that routinely time-delaying the availability of broad classes of EHI should be recognized as excepted from the information blocking definition under this exception.” But the fact that a practice does not fall within an exception does not mean that it is information blocking. Under the text of the Rule, a healthcare provider’s delay of lab results, for example, is only information blocking if the healthcare provider knows the practice to be unreasonable.
This leaves the question of when a healthcare provider can determine that a practice is reasonable, and whether such a judgment will be second-guessed by a regulator.
Where a practice interferes with access, exchange, or use of EHI and does not fall under a regulatory exception, a healthcare provider may wish to consider the likelihood that the practice would be considered unreasonable. For example, a healthcare provider who provides access to EHI in a discriminatory manner, disfavoring competitors, can claim that it did not know the practice to be unreasonable, but a regulator is likely to be skeptical of such a claim. A healthcare provider who routinely delays all responses to requests for test results for 20 days likewise can claim that it did not know the practice to be unreasonable, but a regulator may have some skepticism. In contrast, a healthcare provider who uniformly delays release of a category of sensitive test results for three days to afford the ordering physician an opportunity to contact the patient likely will not fall within the preventing-harm exception but may have a strong argument that it believed the practice to be reasonable.
Healthcare providers may wish to identify any practices that interfere with access, exchange, or use of EHI and that do not fall within regulatory exceptions, assess whether the practice is reasonable, and (if proceeding with the practice) document the basis for why the practice is reasonable. While the fact that the healthcare provider believed the practice to be reasonable is a strong defense, this analysis should be done with an eye toward how a regulator would view the determination.
What contractual restrictions are permissible?
A final question that we will analyze is where the Information Blocking Rule leaves contractual restrictions, such as those found in business associate agreements (BAAs) or data use agreements. In the commentary to the Rule, HHS mentions several times that contractual restrictions may constitute information blocking. The commentary clarifies that a Health Insurance Portability and Accountability Act (HIPAA) business associate is not information blocking by complying with its BAA if the BAA is not used in a discriminatory manner. But it is less clear whether the upstream entity, such as a HIPAA covered entity entering into a BAA with a business associate, may be information blocking by including restrictions on EHI beyond those that are required by law.
Contracts raise some of the same information-blocking questions identified earlier. For example, is there a proactive requirement to amend contracts to eliminate any restrictions on access, exchange, or use of EHI? Or is the Rule only implicated if a party requests a right to access, exchange, or use EHI? Based on the ONC guidance quoted above, we now know that the Rule is not a proactive requirement. Accordingly, it seems that an actor does not need to proactively remove restrictions from contracts. Rather, the Rule is implicated if the other party during a contractual negotiation requests authority to access, exchange, or use an actor’s EHI.
Additionally, contracts raise the question of what is reasonable under the Rule. Healthcare providers may decide to rely heavily on the reasonableness standard—interpreting that any contractual provisions are permissible if the healthcare provider believes them to be reasonable. Discriminatory contractual provisions should be avoided, such as contracting with similarly situated parties differently based on whether the other party is a competitor. But a healthcare provider can take the position that it is reasonable to enter into: (1) data use agreements that restrict recipients to the purpose of the intended activity that gave rise to the relationship; and (2) BAAs that restrict the business associate to only use or disclose protected health information for the agreed-upon services. When a party requests authority to access, exchange, or use EHI during a contract negotiation, a healthcare provider may wish to document the basis for determining that denying the request is reasonable. For example, if a business associate requests permission in its BAA to use protected health information to create de-identified information, the healthcare provider may wish to document why it determined the request to be unreasonable (e.g., the practice is outside the scope of the requested services and creates risks for the healthcare provider without corresponding benefits). Some questions will be more difficult, though, such as if a business associate requests a healthcare provider’s permission in the BAA to disclose EHI to public health authorities. Can a healthcare provider document that it is reasonable to deny such a request?
While the April 5 applicability date is upon us, many information-blocking questions remain. ONC has provided guidance on one of the biggest issues, confirming that the Rule does not create proactive requirements. Questions surrounding enforcement, what is reasonable, and what contractual provisions are permissible all create challenges for actors’ compliance. Healthcare providers and other actors should weigh the competing interpretations, be on the lookout for additional ONC guidance, assess their organization’s risk appetite, and consider their long-term objectives with respect to sharing information. This may lead to some organizations proactively making all their EHI available through their patient portal in 2021, while others limit compliance efforts to focusing on eliminating responses to requests for EHI that are patently unreasonable. While April 5 marks the beginning of the Rule’s applicability, we likely have a long and windy road ahead as we all learn how to comply with this complex new regulation.
The 21st Century Cures Act Information Blocking Rule becomes effective April 5, 2021.
The enforcement dates of the Rule remain unknown.
The Office of the National Coordinator for Health Information Technology has provided guidance that the Rule does not require proactive disclosure of all electronic health information through a patient portal.
Even if a healthcare provider’s practice does not fall within a regulatory exception, it is only information blocking if the provider knows it to be unreasonable.
Healthcare providers should consider contractual restrictions and whether they are reasonable, potentially documenting justification for any restrictions.