On December 13, the Office of the National Coordinator for Health Information Technology (ONC), which is part of the Department of Health and Human Services (HHS), finalized changes to the information blocking rules by issuing its Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) rule (the Final Rule). The Final Rule, which seeks to advance goals of patient access and interoperability, refines certain definitions and exceptions in the information blocking rules to support information sharing and adds a new exception to encourage secure, efficient, standards-based exchange of electronic health information (EHI) under the Trusted Exchange Framework and Common Agreement (TEFCA). The Final Rule will be submitted to the Federal Register in the coming days. A summary of certain key changes made by the Final Rule to the information blocking rules are described below.

Enhancements to the Infeasibility Exception

The Final Rule revises the infeasibility exception at 45 CFR 171.204, which sets forth criteria for not fulfilling a request for EHI based on the request being infeasible. The Final Rule makes the following changes to the exception:

  • Uncontrollable events condition. The Final Rule revises the “uncontrollable events” condition of the exception to clarify that an uncontrollable event must in fact have affected the actor’s ability to fulfill requests for access, exchange, or use of EHI (in addition to the preexisting requirements under the exception).
  • Third party seeking modification use condition. The Final Rule creates a new condition that may be relied upon when an actor is asked to provide the ability for a third party (or its technology, such as an application) to modify EHI that is maintained by or for an entity that has deployed health information technology. This condition does not apply to requests by a health care provider to its business associate. For example, this exception could apply to situations where an actor may be concerned about the accuracy or reliability of data that a third party would like to add to an individual’s designated record set maintained by the actor.
  • Manner exception exhausted condition. The Final Rule creates another condition to the infeasibility exception that applies in scenarios where an actor remains unable to fulfill a request for access, exchange, or use of EHI after having exhausted the manner exception in 45 CFR 171.301. The condition requires, among other things, for the actor to offer all alternative manners in accordance with the manner exception, and the actor must not currently provide to a substantial number of individuals or entities similarly situated to the requestor the same requested access, exchange or use of the requested EHI. ONC declined to further define the term “substantial number,” granting flexibility for all actor types, who may have very different numbers of requestors, to satisfy this condition based on what number of requestors is substantial for that actor. This new condition makes it easier for an actor who offers to provide EHI in alternative manners that are consistent with ONC operability standards to avoid investing substantial resources into responding to atypical requests while complying with the infeasibility exception.

As is the case with all conditions under the infeasibility exception, each of the above conditions also requires the actor to provide the requestor a written statement of the reasons why the request is infeasible within ten business days of receipt of the request.

Addition of the TEFCA Manner Exception

The Final Rule creates a new exception involving practices related to an actor’s participation in TEFCA, a federally-created infrastructure that enables data sharing between health information networks. The exception is intended to encourage the exchange of information via TEFCA, although ONC recognizes that not all entities will be ready, willing, or able to join TEFCA right away. Accordingly, an actor’s practice of not fulfilling a request to access, exchange, or use EHI in a manner other than via TEFCA will not be considered information blocking when the following conditions are met:

  • The actor and requestor are both part of TEFCA;
  • The requestor is capable of such access, exchange, or use of the requested EHI from the actor via TEFCA;
  • The request for access, exchange, or use of EHI is not via the API standards adopted by 45 CFR 170.215. Note that this means the exception is not available when the requestor has requested access, exchange, or use via FHIR-based APIs;
  • Any fees charged by the actor in relation to fulfilling the request satisfy the fees exception in 45 CFR 171.302; and
  • Any license of interoperability elements granted by the actor in relation to fulfilling the request satisfies the license exception in 171.303.

Revisions of the Definition of “Health IT Developer of Certified Health IT”

The Final Rule clarifies what constitutes a health IT developer of certified health IT (HIT Developer) through several noteworthy modifications:

  • The preexisting definition of “health IT developer of certified health IT” included certain individuals or entities that develop or offer health information technology. The Final Rule defines “offer health information technology” (offer health IT) in a manner that narrows the types of activities that may result in an entity being considered a HIT Developer. The new definition explicitly excludes certain kinds of activities and arrangements, including arrangements falling under the following general categories (each of which includes additional requirements that go beyond the scope of this article), so that the following do not constitute offering health IT:
    • Donation and subsidized supply arrangements (e.g., a health system paying 85% of the cost of any contract for the use of a (developer hosted) EHR product suite by other healthcare providers consistent with the Stark Law exception and federal Anti-Kickback Statute safe harbor for electronic health record donations).
    • Implementation and use activities (e.g., issuing login credentials or user accounts for an entity’s testing environments for public health authorities).
    • Consulting and legal services arrangements (e.g., certain legal services provided by outside counsel related to certified health IT).
  • Moreover, the Final Rule modifies the HIT Developer definition so that it is clear that the healthcare providers who self-develop certified health IT will continue to be excluded from this definition if they do not engage in activities falling within the “offer health IT” definition above.

Technical Updates for Clarity

The Final Rule also implements various necessary technical edits for clarity. For example, the Final Rule removes a provision from the information blocking rules that had limited the definition of EHI to a certain subset of information identified by the data elements represented in the USCDI standard. This provision was only applicable through October 5, 2022, so the Final Rule removes it from the regulation.

If you have any questions regarding the Final Rule, please contact the authors.