Recently, MRO hosted a webinar series on the 21st Century Cures Act focusing on the Information Blocking Rule and Interoperability. I joined other industry experts to provide highlights of the rule, take a closer look at the technical requirements, and analyze the impacts on HIPAA.
While the series has come to an end, the recorded playbacks of each session are still available for download, and to earn 1 CEU per session. For those who did attend, this blog is a recap of the entire series. And for those who did not attend, below is a sneak peek at the information you can learn from the recordings. Our goal is to help clear up some of the current confusion related to the rules.
How did we get here?
In order to understand where the rule originated, we must first look at the history of information blocking according to the Office of the National Coordinator (ONC). Complaints received at health IT developers included fees for sending, receiving or exporting electronic health information (EHI), charging for common interfaces and pricing designed to deter connectivity, to name a few. On the other side, complaints against providers included instances of controlling referrals to enhance market dominance, and the reference of HIPAA to deny the exchange of EHI.
Due to these unsolicited complaints, the ONC decided to release key recommendations in April 2015. These recommendations included the following:
- Constrain standards and implementation specifications
- Ensure greater transparency in certified health IT products and services
- Provide governance rules that deter information blocking
- Improve understanding of HIPAA privacy rule and security standards related to information sharing
- Work with CMS to coordinate healthcare payment initiatives and leverage other market drivers that reward interoperability and discourage information blocking
- Promote competition and innovation in health IT and healthcare
As a result, the 21st Century Cures Act was created. The key objectives include accelerating drug and medical device development, addressing the opioid crisis, improving mental health service delivery and enhancing nationwide interoperability of EHRs.
To download our infographic explaining the rule, click here.
Information Blocking Rule Details
While this rule does impact healthcare providers, health IT developers of certified health IT and health information networks/health information exchanges, it does not necessarily impact business associates. It is imperative that business associates determine whether they are considered an “actor” and required to comply. Impacted entities must certify that they:
- Do not engage in information blocking
- Provide assurances that developer or entity will not engage in information blocking
- Do not prohibit or restrict certain communications
- Publish APIs and allow health information to be accessed, used and exchanged without special effort through the use of APIs
- Conduct real world testing
- Ensure attestation is completed
As defined by the rule, the above applies to electronic health information (EHI)—all electronic information regarding the patient’s health information as defined in the facility-specific electronic designated record set (DRS). The definition of EHI is based on how an organization defines their DRS. If it’s not properly defined, the definition is left open to interpretation.
Defining the DRS is a requirement under HIPAA and is a key component to ensuring the patient has appropriate access to their healthcare. Beginning in 2022, the scope of EHI will be broadened so it’s important to understand the rule and its requirements.
The rule did finalize eight exceptions, divided into two categories. The first category involves not fulfilling requests to access, exchange or use EHI, and includes:
- Preventing harm – aligns with HIPAA’s harm exception but must be consistent with organizational policy
- Privacy – protecting an individual’s privacy
- Security – protecting the security of EHI
- Infeasibility – meeting one of the requirements noted in the rule with a response provided to the requester within 10 business days of request receipt specifying the infeasibility exception
- Health IT performance – scheduled maintenance or downtime due to a security risk
The second category involves fulfilling requests to access, exchange or use EHI, and includes:
- Content and manner – fulfilling a request in an alternative manner if unable to fulfill as requested
- Fees exception – charging fees related to costs, which is not to be based on competition with another actor, but instead based on objective and verifiable data uniformly applied
- Licensing – actors protecting the value of their innovations and charge reasonable royalties in order to earn returns on the investments they have made to develop, maintain and update those innovations
Actions to Consider
Now that the rule is final and the first pieces of compliance are approaching in November 2020, organizations must consider the best course of action forward. A great resource that I highly recommend is The Sequoia Project, which is continually updating its resources page for the HealthIT community. They are providing additional webinars, toolkits and reports.
MRO will also continue to publish relevant content around the information blocking rule and interoperability. My colleague Rita Bowen will present Information Blocking Rule: The Impact to HIM later this year on November 18, 2020. Be sure to mark your calendar!
Above all else, remember the basics for creating or updating a compliance program. Begin with the end in mind. What are your goals? Determine whether your organization is considered an actor. Review your current program and determine what modifications or new items are needed to remain ahead of the game. Make the changes and implement them through education and training.
To learn more about the information blocking rule from our panel of industry experts, complete the form below to request playback for the entire series.