Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You Need to Know
The Office of the National Coordinator for Health Information Technology (ONC) recently released a proposed rule to implement provisions in the 21st Century Cures Act. The Cures Act was signed into law in December 2016 and introduced sweeping healthcare legislation and funding for medical research, drug development, and medical device innovation. Additionally, the Cures Act was groundbreaking in its promotion of interoperability and prohibition of information blocking. The ONC’s long-awaited proposed rule ushers in the next phase of the Cures Act by adding substance to these provisions.
The proposed rule was released in March 2019 and provides for a public comment period that expires on June 3, 2019. Following the public comment period, ONC will review feedback and eventually release the final rule, which could take another one to two years. According to the U.S. Department of Health and Human Services (HHS), the proposed rule “is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment.” In its promotion of access, exchange, and use of electronic health information (EHI), the proposed rule outlines seven exceptions to information blocking. It’s important for healthcare providers, healthcare systems, and vendors that are interested in promoting information sharing to review these exceptions during the public comment period to help ensure that they are sufficiently restrictive in the final rule.
Why Must Information Blocking Be Stopped?
The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) HITECH Act, provided federal subsidies for the adoption of EHRs. Although the legislation required that EHRs have interoperability functionality, it was less successful in promoting interoperability in practice. Further, the HITECH Act did not anticipate the extent to which widespread information blocking practices would limit interoperability. Now that most healthcare organizations have adopted EHRs, much of this information is siloed and it can be difficult to get the right information at the point of care. Siloed information also inhibits the ability to analyze data that can improve care delivery and financial and operational processes. The promise of vast amounts of health information can’t be realized until interoperability improves.
One reason better interoperability does not exist is simply that it can be difficult to get different systems to communicate with one another effectively. However, this is also due to information blocking practices. Information blocking practices may be based on organizational policy or they may be technical. Examples of organizational policy are:
- Taking the position that data models or schemas are proprietary, even though it has been long established that data compilations are not protected by copyright or other intellectual property laws.
- Claiming that sharing EHI for treatment with a third-party provider is prohibited by HIPAA, when it is not.
An example of technical information blocking is not making application programming interfaces (APIs) readily available. Whether intentional or not, information blocking practices can inhibit the sharing of critical healthcare information, with a range of negative consequences, including failure to coordinate care, unavailability of important clinical values at the point of care, and lack of the rich data needed to fully utilize analytic tools, benchmarking, and machine learning techniques.
The Seven Proposed Exceptions to Limiting Information Blocking
Following from the definition in the Cures Act, the proposed rule defines “information blocking” as “a practice that, except as required by law or covered by an exception…is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”
The Cures Act stipulates fines for information blocking up to $1,000,000 per violation. The proposed rule includes seven proposed exceptions to information blocking which, if the required elements of the relevant exception are met would exempt the practice from enforcement. These seven exceptions are briefly outlined below.
- Preventing Harm – An organization may engage in a practice that is reasonable and necessary to prevent physical harm to a patient or other person. The organization must have a reasonable basis to believe that its practice will directly and substantially reduce the likelihood of harm to a patient. The organization must have adopted a policy that addresses patient harm or make case by case findings that a disclosure of EHI could result in patient harm.
- Promoting the Privacy of EHI – An organization may engage in a practice to protect the privacy of EHI. The organization must demonstrate a basis for its actions in HIPAA and other privacy laws.
- Promoting the Security of EHI – An organization may implement measures to protect the security of EHI. The practices must be narrowly tailored to the measures necessary to protect security.
- Recovering Costs Reasonably Incurred – An organization is permitted to require payment for the reasonable costs incurred in making EHI available.
- Responding to Request that are Infeasible – An organization is permitted to decline a request for EHI access if it determines, using objective and verifiable criteria consistently applied, that the request is infeasible.
- Licensing of Interoperability Elements on Reasonable and Non-discriminatory Terms – An organization may claim that its technology or processes are protected by IP law, however, the organization has an obligation to offer a license to the technology or processes on reasonable and non-discriminatory terms.
- Maintaining and Improving Health IT Performance – Allows for downtime that may make health IT and EHI temporarily unavailable in order to perform maintenance or upgrades.
A consistent theme that runs through the exceptions that the organization’s practices must be reasonable and non-discriminatory and must be consistently applied. Health Catalyst generally views each of these exceptions to be well-defined and sufficiently narrow. However, there are some aspects of the exceptions that should be modified to ensure that there are no major loopholes that would continue to encourage information blocking practices.
Licensing of Interoperability Elements on Reasonable and Non-discriminatory Terms: This exception addresses a problem that many data and analytics vendors encounter when working with some vendors or healthcare providers. When asked for access to a database, a vendor or healthcare provider may claim that providing access to data will infringe its intellectual property rights. The exception would create an obligation for the party receiving the request to respond to the requestor within 10 business days, and to offer a license to any technology or processes (such as databases, interface protocols) on reasonable and non-discriminatory terms, and at a reasonable cost. The language on reasonable cost is helpful because it could help to limit the practice of vendors charging prohibitive fees for access.
What to Watch Out For
An organization could use one or more of the exceptions to justify information blocking practices, and it could be difficult to challenge this use of the exceptions. These exceptions include:
Privacy and Security Exceptions – These exceptions are drafted quite broadly. A healthcare provider or vendor could claim that it does not intend to share EHI in order to comply with the HIPAA privacy or security standards. While the claim must be backed up, in practice it may be very difficult to challenge this position. Attempts to “litigate” the issue, whether in the figurative sense of challenging the basis for an unreasonable determination, or filing an information blocking complaint, may be too time-consuming, costly, and ultimately may be ineffective.
There is also the possibility that an organization would “comply” with the rule by delivering low quality information to providers, and this type of behavior could also be very difficult to challenge.
Responding to Requests That Are Infeasible – This is another exception that could be misused because of its potentially broad scope. The exception states, “an actor must demonstrate that complying with a request to access, exchange, or use EHI would impose a substantial burden on the actor that is unreasonable under the circumstances.” Although proving that a request poses a substantial burden takes into account several factors, such as the cost to comply, the type of information, financial and technical resources, these findings may prove very difficult to challenge, opening the door to misuse and continued information blocking. One of these factors is that the party must provide “comparable access,” but this could open the door to providing access that on its face appears comparable but in practice lacks the granularity, speed, or other attributes that would make the EHI useful.
In addition to these exceptions, there is a possibility that the reasonable cost provisions could be watered down in the final rule, opening the door for continued prohibitive charges for access.
Why This Matters
Overall, the proposed rule is a very positive development for promoting interoperability, with strong, narrowly defined exceptions to limit information blocking practices. If the proposed rule is implemented substantially in its current form, it should reduce information blocking and promote interoperability. However, there is still a risk that industry groups will try to delay or dilute the proposed rule. The proposed rule has already been delayed–more than two years–and it will still take another one to two years for the final rule to go into effect. Healthcare providers, healthcare systems, and healthcare IT vendors should all care about this rule being implemented in its strongest possible form.
Reducing information blocking will help healthcare providers and systems leverage technology and services to improve processes and patient care, and financial and operational processes, and it will help healthcare IT vendors by allowing them to innovate in faster cycles to develop and deploy those technologies and services. Some vendors have profited from information blocking and siloed data in order to gain market share and increase the barrier of entry to others, but these practices ultimately harm the healthcare system and patient care.