Compliance with ONC’s Interoperability Regulation Information Blocking Provisions Required Beginning April 5, 2021

Implementation of the health information technology (IT) provisions of the 21st Century Cures Act is fully under way, and April 5, 2021, is the deadline for regulated actors to comply with the information blocking provisions of the Office of the National Coordinator for Health IT (ONC) Interoperability and Information Blocking Final Regulation.

Though compliance with these provisions is required by April 5, enforcement mechanisms around information blocking are still evolving and have not yet been finalized. 

ONC’s Final Regulation focuses on advancing interoperability; supporting the access, exchange and use of electronic health information (EHI); and addressing occurrences of information blocking. ONC’s regulation also establishes application programming interface (API) requirements using the Fast Healthcare Interoperability Resources (FHIR®) standard, including for patients to use APIs to be able to electronically access all of their EHI, structured and/or unstructured, at no cost.

The overarching focus of ONC’s Regulation is on empowering patients with control of their EHI as a part of a modern health IT economy.

The Final Regulation also includes Conditions and Maintenance of Certification requirements for health IT developers under the ONC Health IT Certification Program. As of April 5, health IT developers, as part of their Conditions of Certification, must not take any action that constitutes information blocking, and they must provide assurances to ONC that they will not take actions that may inhibit the appropriate exchange, access and use of EHI.

There are also new API Conditions of Certification that require developers to minimize the “special effort” necessary to access, exchange and use EHI via certified API technology.

About Information Blocking

Information blocking is defined as a practice by regulated actors—health IT developers of certified health IT, health information networks (HINs), health information exchanges (HIEs), and healthcare providers — that is likely to interfere with the access, exchange or use of EHI.

The 21st Century Cures Act authorizes the identification of reasonable and necessary activities that do not constitute information blocking. ONC used its Final Regulation to identify eight categories of reasonable and necessary activities that do not constitute information blocking, if certain conditions are met. These exceptions provide a level of certainty to the regulated actors that practices that meet the conditions of an exception will not be considered information blocking. However, each practice would be evaluated on a case-by-case basis to determine whether information blocking has occurred.

The compliance or applicability date for the information blocking provisions was changed in the ONC Interim Final Rule to April 5. How EHI is defined was also adjusted: between April 5, 2021, and Oct. 5, 2022, EHI for the purposes of the information blocking definition is limited to the data elements represented in the United States Core Data for Interoperability (USCDI) standard. Beginning Oct. 6, 2022, the EHI definition is expanded and represents the same electronic protected health information (ePHI) that a patient would have the right to request a copy of pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulation. 

ONC is working with the HHS Office of Inspector General (OIG) to implement the information blocking provisions. HHS OIG is charged with the enforcement of information blocking, and health IT developers, HINs or HIEs that are found to be blocking information could be subject to a $1 million civil money penalty (CMP) per violation. However, HHS OIG has not concluded the regulatory process around CMPs, so there is currently no enforcement mechanism in place to impose CMPs when information blocking is determined to have occurred. HHS OIG has issued a Proposed Regulation but has not yet finalized it, so enforcement will not begin until it is final (and OIG proposed that the effective date of the CMP regulation would be 60 days from the date of publication of its Final Regulation).

It is important to note that OIG’s CMP authority does not extend to healthcare providers—if the agency determines that a healthcare provider has committed information blocking, OIG will refer that healthcare provider to the appropriate agency for appropriate disincentives. HHS OIG has not yet begun the regulatory process around defining “appropriate disincentives.”

Overall, HHS OIG is using the period between ONC’s April 5 compliance date and the start of information blocking enforcement as an opportunity to provide regulated actors with time to come into compliance with the information blocking provisions along with the added certainty that practices during that period will not be subject to penalties.

There are many dynamics at play as the information blocking provisions are implemented.  Issues to watch include:

Regulated Actors Have Different Threshold Levels to Meet for Practices that Involve Information Blocking

If a health IT developer, HIN or HIE knows, or should know, that a practice is likely to prevent, materially discourage or otherwise interfere with access, exchange or use of EHI, that actor could be considered an information blocker. However, a healthcare provider has to know a practice is unreasonable and likely to interfere with the access, exchange or use of EHI in order to be found to have engaged in information blocking. These different thresholds are important to consider when a regulated actor is looking at how information blocking applies to their practices.

Intent to Block Information is Critical When Considering Potential Enforcement Actions

In its CMP Regulation, OIG proposed to use its discretion to choose which information blocking complaints to investigate and only select cases for investigation that are consistent with its enforcement priorities. Based on its current expectations, OIG’s enforcement priorities would include conduct that:

• Resulted in, is causing or had the potential to cause patient harm
• Significantly impacted a provider’s ability to care for patients
• Was of long duration
• Caused financial loss to Federal healthcare programs or other government or private entities
• Was performed with actual knowledge

OIG expects these priorities will evolve as it gains more experience investigating information blocking. In addition, the agency emphasized that information blocking as defined in the statute includes an element of intent. As a result, OIG believes it lacks the authority to pursue information blocking CMPs against actors who it concludes did not have the requisite intent. Consequently, OIG is not planning to bring enforcement actions against actors who it determines made innocent mistakes. As the discretion that OIG discusses is still only included in a proposed regulation, this point will be one to watch as the regulation moves to final.  

Information Blocking Portal is Currently Open for Submitting Claims

One of the key parts of the information blocking provisions is the ability for an individual or entity that requested access, exchange or use EHI from another entity to file a claim with ONC if that request is denied or not acted upon. ONC’s portal to report these claims is available and open. Once enforcement mechanisms are in place, ONC will work with OIG to investigate submitted claims based on the priorities outlined above. 

Use this Time to Refine Internal Processes and Prepare for Enforcement Stage

As the OIG regulatory pieces of information blocking enforcement move to their final stage, regulated actors should use the April 5 compliance deadline as an opportunity to continue to refine their internal policies and processes to ensure that they are meeting the relevant requirements. Continued education of staff should also be a critical undertaking so that the community fully understands the breadth and reach of the new regulations and how they should approach opportunities to broadly share patient-level information. There is also a patient education component, so that patients understand how the new regulations apply to them, what their rights are and the privacy and security considerations when they take control of their personal health information. 

ONC has created a webpage with many resources that describe all the health IT-related pieces of implementation of the 21st Century Cures Act. The agency describes what the regulation means for different health system stakeholders, including patients,  clinicians and developers.