On March 9, 2020, the U.S. Department of Health and Human Services (HHS) published final rules to implement the information blocking prohibitions of the 21st Century Cures Act (Information Blocking Rules). The Information Blocking Rules take effect on June 30, 2020, although compliance becomes mandatory, in part, beginning November 2, 2020. After May 2, 2022, the rules go fully into effect (until May 3, 2022, the rules apply to a narrower, but still broad, category of information).
While the new rules affect a variety of entities across the healthcare landscape, this alert highlights some of the important issues specific to healthcare providers when acting as providers. Healthcare providers can also act as developers, health information networks and other entities subject to the Information Blocking Rules, but this alert only addresses their role as providers.
Overview of the Information Blocking Rules
The Information Blocking Rules broadly define information blocking as “practices likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information.” The Information Blocking Rules apply to electronic health information (EHI). EHI means “electronic protected health information” that is included in a “designated record set” (as both terms are defined under HIPAA), regardless of whether the group of records is used or maintained by or for a HIPAA covered entity.
The rules establish eight categories of exceptions that are deemed to not constitute information blocking, effectively serving as safe harbors. If a provider’s actions do not meet the conditions of an exception, the actions will not automatically constitute information blocking, but such actions will be evaluated on a case-by-case basis to determine whether information blocking has occurred.
The exceptions fall into the following two categories:
- Exceptions involving not fulfilling requests for EHI (such as denials to prevent harm, protect patient privacy or data security or due to infeasibility).
- Procedural exceptions (such as allowing providers to charge reasonable fees or limit the scope of a response to a request).
For more information regarding these exceptions, please review the Information Blocking Exceptions Fact Sheet issued by the Office of the National Coordinator for Health IT (ONC), the entity within HHS responsible for implementing the Information Blocking Rules and other key provisions of the 21st Century Cures Act.
7 Things for Healthcare Providers to Know About the Information Blocking Rules
In support of the Information Blocking Rules’ implementation, HHS Secretary Alex Azar stated, “Patients should have control of their records, period.” Implementing the requirements of the rules from a practical standpoint will introduce new obstacles for healthcare providers. Here are some key takeaways that providers should know regarding the Information Blocking Rules:
1. The Information Blocking Rules fundamentally change how providers respond to requests from third parties for EHI (and their customary approach for complying with HIPAA). There is an inherent tension between the Information Blocking Rules’ promotion of information exchange and the HIPAA rules’ strict standards to protect the privacy and security of protected health information (PHI). Whereas the HIPAA rules permit providers to exchange PHI for certain purposes, the Information Blocking Rules now require them to do so unless an exception applies. In other words, the Information Blocking Rules flip a provider’s analysis regarding access requests from “the provider may deny requests for EHI unless required to disclose by law,” to “the provider must disclose requested EHI unless an exception applies.”
HIPAA has always permitted providers to err on the side of caution when disclosing PHI. Taking a conservative position did not create compliance risks. Now, choosing to withhold EHI due to HIPAA or state privacy law concerns may violate the Information Blocking Rules. At the same time, providers continue to face liability if they make the wrong decision under HIPAA or state law to disclose EHI. For instance, some providers may be uneasy about disclosing EHI to a health IT developer that is not subject to HIPAA, fearing PR damage, patient mistrust, and other harms stemming from the health IT developer using EHI in ways HIPAA would otherwise prohibit. As another example, providers may desire to reject a request for EHI from a researcher due to concerns about the benefit of the research project or the ability of the researcher to protect and appropriately use the data. Nevertheless, if disclosure is permitted by HIPAA and other applicable laws, providers may be liable if they deny such requests for EHI unless an information blocking exception applies. ONC states that providers can “engage in reasonable and necessary practices that advance the privacy interests of individuals,” but also states that actors “may not inappropriately seek to use state or federal laws as a shield against disclosing EHI.”
2. Providers need to update and revise their HIPAA policies. Providers will need to update their HIPAA policies to facilitate compliance with the Information Blocking Rules. Most providers’ existing policies likely describe when disclosures are permitted under HIPAA; however, under the Information Blocking Rules, such permitted disclosures are now required unless an exception applies. Providers should update their policies to reflect this foundational change of perspective and confirm their policies are not too stringent. ONC has advised that information blocking may exist where policies impose onerous privacy requirements for obtaining EHI beyond what is required by law.
Moreover, providers need to update their policies to help them qualify for applicable exceptions to the Information Blocking Rules. The exceptions are not easy to meet. For example, while the rules contain an exception for disclosures not permitted by HIPAA (the Privacy Exception), the exception contains detailed requirements. When denying a request for EHI due to HIPAA restrictions, providers must do so based on written policies that specify criteria to be used to evaluate the request as well as the steps the provider will take to make that determination. Policies that merely describe when HIPAA permits disclosure will not suffice. If policies with procedural detail are not in place, providers must document detailed case-by-case determinations, including specifying how the denial is tailored to criteria directly relevant to meeting a HIPAA exception or other privacy law restriction. In other situations, such as the exception that allows providers to deny patients access to their records to prevent harm, the Information Blocking Rules contain requirements that are similar but not entirely consistent with HIPAA and will require policy updates to ensure compliance with both regulatory structures.
3. Providers should review existing business associate agreements and other agreements to confirm they are consistent with the Information Blocking Rules. The Information Blocking Rules do not explicitly require providers to amend existing business associate agreements (BAAs) or other contracts restricting how EHI is used by or disclosed to third parties. However, providers should review their BAA templates, existing BAAs and other contracts to determine whether they contain onerous provisions that risk implicating the Information Blocking Rules. ONC indicates that information blocking may exist when providers insist on terms or conditions that are “so objectively unreasonable” that they amount to the refusal to provide EHI. Providers that historically have required contractual assurances going beyond what HIPAA and other laws mandate as a condition of disclosing EHI to vendors and other third parties will need to reevaluate these positions in light of their risk tolerance under the Information Blocking Rules. Risk under the Information Blocking Rules likely will shift over time since what is overly onerous will depend in part on industry practices that are subject to change, especially as providers become more accustomed to implementing the rules.
Providers should consider the requirements of the Health IT Performance Exception and Licensing Exception when entering into contracts with third parties. When applicable, the exceptions contain requirements that impact contract terms and negotiation (such as specifying downtimes to the extent a provider is licensing EHI). Providers should reassess their license structures, contracting policies and templates to support compliance with the exceptions.
4. Providers must be more proactive in responding to requests for EHI. Under the Privacy Exception, a provider may deny a request for EHI if HIPAA or state law requires an authorization and the provider has not received a fully compliant form. However, the exception requires the provider to make “reasonable efforts” to provide a compliant form or assist the individual to satisfy the applicable requirement. Although ONC states that the provider does not have to “chase” the patient to sign the authorization, the provider is subject to hindsight and second-guessing on whether its efforts were reasonable and whether its interpretation of HIPAA, state or other applicable privacy law is correct. Further, information blocking may be implied from a provider’s actions, such as ignoring a request for EHI or giving implausible reasons for not exchanging the data. The level of required organizational vigilance is unclear, but ONC indicates it expects “good faith efforts” to work through challenges to enable requestors to obtain EHI “as quickly and efficiently as possible.”
5. Having a robust security risk assessment is now even more important. Providers have been counseled for years on the importance of having a robust, up-to-date security risk assessment to remain compliant with the HIPAA Security Rule and reduce the risk of HIPAA penalties in the event of a breach. Under the Security Exception to the Information Blocking Rules, providers may deny requests for EHI to the extent they follow a non-discriminatory written security policy prepared in response to particular security risks assessed by the provider (e.g., by a security risk assessment), based on objective standards (e.g., the NIST Cybersecurity Framework). Although the exception could also be met through a more onerous case-by-case determination process, performing routine, thorough security risk assessments is a key tool for providers when denying requests for EHI due to security concerns. A robust security risk assessment is especially crucial for providers who have adopted industry-leading security safeguards, so that they can demonstrate the reasonableness of their security requirements and avoid being characterized as interfering with the exchange of EHI.
6. Any fees associated with the exchange of EHI may constitute information blocking unless an exception applies. The Information Blocking Rules broadly prohibit “any fee” likely to interfere with access to or exchange or use of EHI, including commercially unreasonable licensing terms and discriminatory fee practices. Although narrow exceptions permit certain commercially reasonable fees and licensing structures, they do not permit opportunistic pricing practices (such as charging vendors variable prices based on preexisting business relationships) or basing fees on the profit the recipient may derive from the use of the EHI. Fees charged to patients for accessing their own EHI are “inherently suspect,” but are permitted when compliant with the HIPAA patient access rules (e.g., fees based on costs incurred by supplying EHI on physical media such as a CD or flash drive). Providers should maintain cost records and documentation of the objective criteria justifying fees charged in connection with providing EHI to defend against allegations of information blocking.
7. Penalties are not currently defined, but they could potentially start small and increase over time. The Information Blocking Rules do not define penalties for failure to comply. On April 24, 2020, the Office of Inspector General (OIG) proposed rules to authorize civil monetary penalties (CMPs) for certain violations of the Information Blocking Rules, but these would not apply to healthcare providers acting in their capacities as providers (although they would apply to providers acting in their capacities as health information networks or health information exchanges). To the extent OIG determines a provider has been involved in information blocking, it will refer such provider to the appropriate agency for disincentives. Penalties may start small and increase over time as providers’ expected level of competence increases, mirroring the trend demonstrated by settlements and fines for HIPAA violations.
The Information Blocking Rules establish a new regulatory structure that upsets traditional methods for addressing requests for EHI. It remains unclear whether regulators enforcing the Information Blocking Rules will generously interpret good-faith efforts to comply or stringently second-guess determinations with the benefit of hindsight. Taking proactive steps now to address the requirements of the rules, including documenting processes to promote meeting exceptions and training employees on new and revised policies, should pay dividends as compliance with the rules becomes mandatory. If you have any questions regarding these new rules, please contact the authors.