Health Data, Regulatory and Health Industry
10 Things Every HI Professional Needs to Know about Information Blocking
As federal regulations around information blocking continue to roll out, experts say it’s critical that health information (HI) professionals understand how the rules apply to them and the steps necessary to maintain compliance.
Information blocking is defined as any practice that’s likely to interfere with the access, exchange, or use of electronic health information (EHI). Prohibitions against information blocking first entered the scene as part of The 21st Century Cures Act, a 2016 law aimed at accelerating medical research and innovation while improving the flow and exchange of EHI.
In 2020, the Office of the National Coordinator for Health Information Technology (ONC) finalized regulations to define data access and interoperability set forth in the Cures Act, which included provisions about information blocking. In June 2023, the US Department of Health and Human Services Office of Inspector General (OIG) posted its final rule implementing information blocking penalties for certain actors. Additional pieces to the information blocking regulations are under development.
The information blocking rule is complex and its language extremely legalistic, says Chantal Worzala, PhD, principal at Alazro Consulting LLC, a consulting firm that offers public policy analysis, research, and strategy. That’s why learning the nuances now may spare HI professionals federal scrutiny later.
Here are 10 things HI professionals should know about information blocking:
1.The legislation is broad and casts a wide umbrella.
The information blocking provisions apply to three types of organizations called “actors,” and each category covers a wide range of professionals, says Steve Gravely, JD, MHA, founder of Gravely Group, a consulting firm that provides eHealth, legal, and policy resources to healthcare providers and vendors. The first category is health providers, which include hospitals, physicians, pharmacies, durable medical equipment suppliers, home health providers, and individual clinicians, among others.
The second group is health information technology (IT) developers of certified health IT, and the third is health information exchanges (HIEs)/health information networks (HINs).
“A lot of provider organizations don't realize that they're subject to the information blocking provisions, and they are,” Gravely says. “And some HI professionals are starting to work for developers now, and they think, ‘Well, this only applies to the big boys,’ and that's not true.”
2. Actions taken — and not taken — could be penalized.
When it comes to what deems an information blocking violation, the law is similarly sweeping, says Gravely.
“It regulates practices, [which are] defined as something that an actor either does or fails to do,” he says. “Literally, anything that an actor does that might interfere with someone else having access to [EHI] or the ability to use [EHI] or exchange [EHI], those are all subject to information block and violations.”
For healthcare providers, a breach is based on whether they know or knew a practice was unreasonable and was likely to interfere with the access, exchange, or use of EHI. For health IT developers of certified health IT and HIEs/HINs, a violation centers on whether they know or should have known that a practice was likely to interfere with the access, exchange, or use of EHI.
3. Your organization could be information blocking now without realizing it.
It’s not uncommon for providers to have policies that withhold lab results or other information from patient portals for a certain period until clinicians first speak to patients about the information. These holds usually pertain to sensitive information that physicians want to explain before patients see it.
ONC, however, has specified that such types of blanket holds on EHI violate the information blocking law, says Gravely.
The agency has also raised concerns about entities that require third-party apps to be “vetted” by them before allowing patients to use them. For example, patient-facing apps that allow patients to receive EHI through application programming interface (API) technology. In a recent FAQ, ONC concluded such vetting is likely information blocking.
4. Certain exceptions provide safeguards.
The rule contains a number of exceptions that protect actors from information blocking violations. For instance, if privacy rules at the state level require that organizations not share certain information or if the sharing could be harmful to a patient or someone else, says Worzala.
“For example, think about records that include information about both a mother and an infant,” she says. “You have to think about both individuals when sharing that information. But that is a determination that needs to be made by a clinician based on the individual circumstances.”
Technical reasons can also fall under the exceptions, Worzala adds. For instance, if a clinic or provider doesn’t have the technical ability to separate the requested data out or is unable to provide data in the manner it’s requested.
5. HIPAA does not trump the information blocking rule.
A common misconception is that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is dominant and overrides the information blocking regulations, Gravely says.
But ONC has repeatedly said the two laws are not in conflict and that they work together, he explains. Organizations can be subject to HIPAA as a covered entity and also subject to information blocking.
“They exist side by side,” he says. “Just because HIPAA allows a provider to not share information, information blocking probably does require you to share that information. And HIPAA is not going to protect you if you refuse to do it.”
6. Overlapping laws can pose obstacles.
While HIPAA does not supersede information blocking rules, other recent regulations intersect with the law and may present challenges.
The HHS Office for Civil Rights, for example, recently finalized changes to the HIPAA privacy rules that prohibit the sharing of patients’ reproductive health records for certain prohibited purposes. The changes restrict the use or disclosure of protected health information (PHI) when it’s sought to investigate or impose liability on patients or healthcare providers who obtain, provide, or facilitate lawful reproductive healthcare.
In some cases, an attestation from a requester may be needed that affirms the information will not be used for the purposes under the new prohibitions, says Zoe Barber, policy director for the Sequoia Project, a nonprofit that focuses on nationwide health information exchange.
“This could certainly impose an obstacle,” she says. “But it becomes a case-by-case determination of interpreting the applicable law that applies to you as an organization, wherever you are located.”
7. Penalties for violations are steep.
If OIG determines that an individual or entity has committed information blocking, they are subject to penalty of up to $1 million per violation. Right now, the penalties only apply to health IT developers of certified health IT, entities offering certified health IT, HIEs, and HINs.
In late 2023, HHS released a proposed rule for public comment that will establish disincentives for healthcare providers found to have committed information blocking. The rule has not yet been finalized.
“Most HI professionals have never dealt with OIG before because the OIG, up until now, has dealt with fraud and abuse, Anti-kickback [Law], Stark [Law], overpayment, and over-billing,” Gravely says. “The OIG has thousands of investigators, and they have very broad powers. They can subpoena records from you and if you don't provide them, you can be charged with obstruction of justice. People who haven't worked in this space don't understand just how much power OIG has. It’s going to be a rude awakening, I'm afraid.”
8. Make compliance a team effort.
Complying with the information blocking rule should really be a team sport, says Worzala. HI professionals are a core part of the team, but an organization’s compliance, legal, and clinical teams also need to be engaged in the efforts, she emphasizes.
“Health information professionals need to be a key player in how their organizations address information blocking,” she says. “They should really take it upon themselves to make sure they understand it and [are] part of the solution in their own organizations.”
Communication among teams is also vital to ensure all staff know the different ways an information request may come into an organization and which department to contact to ensure the request is logged and tracked, she adds.
9. Documentation is key.
To help defend any information blocking claims that could arise, it’s essential to explain in writing any policies in place that could limit information access, exchange, or EHI use, Gravely advises. Detail why the limitations are in place and make sure policies are as narrow as possible, he says.
This includes documenting any unexpected reasons that prevent information access. If a system outage occurs, for example, it could be a reason for not fulfilling an information request, he says. Likewise, if organizations are developing new policies, HI professionals should be part of the committees developing those policies and ensuring documentation is happening every step of the way.
10. Stay updated.
Keep in mind, some regulations impacting information blocking are still being refined, and it’s important that HI professionals stay updated, advises Barber. In addition to ONC’s final rule on disincentives for providers, the agency is also working on its Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability Proposed Rule (HTI-2), which will include some additional regulations concerning information blocking. A previous update to the information blocking rules was included in ONC’s Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) rule.
“The biggest thing to keep in mind is that the regulations are still evolving,” Barber says. “There has been a number of new regulations that have come out just even in the past year and more on the docket to come out, all of which intersect with information blocking. There's always a need to stay up to speed.”
Alicia Gallegos is a freelance healthcare journalist based in the Midwest.