The Compliance Clock is Ticking on ONC’s 21st Century Cures Act Regulations

[Editor's Note: This article was updated on February 19, 2021.]

April 5 is compliance day for the Office of the National Coordinator (ONC) for Health Information Technology's final rule on  information blocking. (The compliance timeline can be accessed here).

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, as well as CMS’ companion Interoperability and Patient Access final rules will impact virtually every healthcare organization with access to electronic health information (EHI) and empower patients and caregivers with greater access to and control over their health information.

Starting with information blocking, this article will focus on the structure of the final rules, which stakeholders will be affected, and how to comply with the regulations.

Information Blocking

With eight defined exceptions (see Fig. 1), the information blocking final rule prohibits health providers, technology vendors, health information exchanges, and health information networks from practices that inhibit the exchange, use, or access of EHI.

The rule also standardizes criteria for application programming interface (API) development. It also establishes eight exceptions to the 21st Century Cures Act’s ban on interfering with access, exchange, and use of EHI.

For the final rule’s first two years, EHI access, exchange, and use is restricted to the US Core Data for Interoperability (USCDI), a standardized set of health data classes and constituent data elements for nationwide interoperable health information exchange.

It is important to review the definition of information blocking as defined in 45 CFR §171.103.

Information blocking means a practice that:

• Except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information
• If conducted by a health information technology developer, health information network, or health information exchange, such developer, network, or exchange knows, or should know, that such practices is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information
• If conducted by a healthcare provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

ONC defines eight exceptions where practices will not be considered information blocking.

Fig. 1: The Eight Defined Exceptions to the Information Blocking Final Rule

Source: Office of the National Coordinator for Health IT. “Information Blocking.” https://www.healthit.gov/curesrule/final-rule-policy/information-blocking.

Affected Information

Through October 5, 2022, EHI is limited to the data elements represented in the US Core Data for Interoperability (USCDI), a standardized set of health data classes and constituent data elements for nationwide interoperable health information exchange. These data elements include allergies and intolerances, assessment and plan of treatment, care team members, clinic notes, goals, health concerns, immunizations, laboratory, medications, patient demographics, problems, procedures, provenance, smoking status, unique device IDs for implantable devices, and vital signs.

After October 5, the standard narrows to electronic protected health information (ePHI) in a designated record set, excluding psychotherapy notes and information gathered for use in a civil, criminal, or administrative action.

Who Must Comply?

Three entities were identified as actors and must comply with the information blocking requirements:

• Healthcare providers
• Health IT developers of certified health IT
• Health information networks (HINs) or health information exchanges (HIEs)

Healthcare provider, as defined by 42 U.S.C. 300jj, means a “hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.”

Health IT developer of certified health IT means an individual or entity, other than a healthcare provider that self-develops health IT for its own use, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more health IT modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).

HIN or HIE means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables or requires the use of any technology or services for access, exchange, or use of EHI:

1. Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other
2. That is for a treatment, payment, or healthcare operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.

The CMS Interoperability and Patient Access Final Rule

The Interoperability and Patient Access final rule is the result of MyHealthEData, a 2018 Trump administration initiative designed, according to CMS, “to empower patients by giving them control of their healthcare data, and allowing it to follow them through their healthcare journey.”

The CMS final rule on interoperability and patient access requires insurers participating in any CMS-regulated health plans, including Medicare, Medicaid, the Children’s Health Insurance Program, and Qualified Health Plans on federally facilitated exchanges, to provide members with electronic access to their claims and encounter data.

While the goal is to make patient information easily transferable for patients, data must be protected by robust security protocols. CMS announced it will exercise enforcement discretion for a period of six months, until July 1, 2021.

The rule includes two compliance standards, which go into effect January 1, 2021, aimed at empowering patients with information to coordinate their own care—the patient access application programming interface (API) and the provider directory API.

The patient access API gives patients access to clinical and cost information related to medical visits, including adjudicated claims; encounters with capitated providers; and clinical data, including laboratory results (when maintained by the impacted payer). Data must be made available no later than one business day after a claim is adjudicated or encounter data are received. Patients have been empowered by the final rule to access their data through a third-party application of their choosing to connect to the API and better integrate a health plan’s information to a patient’s EHR.

The provider directory API requires that payers create and make publicly available a FHIR API-based list of in-network providers. Standardized information includes provider names, addresses, phone numbers, and specialties.

Condition of Participation and Payer-to-Payer Data Exchange

The final rule also establishes a new condition of participation (CoP) for all Medicare and Medicaid participating hospitals, requiring them to send electronic event notifications regarding treatment status, care coordination, and quality improvement to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred (ADT) to providers with whom patients’ have established care relationship.

This provision goes into effect May 1, 2021, and largely affects only those organizations with an electronic health record (EHR) able to generate electronic patient event notifications. CMS has not specified a standard for the content, format, or delivery of the electronic event notifications.

On January 1, 2022, payers are expected to comply with the payer-to-payer data exchange provision, which empowers patients to submit information requests to payers up to five years after their plan coverage expires.

Final Rule Compliance Roadmap

Affected healthcare stakeholders will need a robust infrastructure and governance standards to attest to and maintain compliance with the final rules, including:

• Establishing a governance structure to review the requirements and develop an action plan—the committee should include compliance staff
• Identifying the category to which an actor(s) belongs
• Reviewing access policies and revising to meet the expectations of the final rule
• Developing a process for evaluating access against the eight exceptions
• Train staff on any policy changes
• Evaluate your systems to understand any limitations

Health information professionals seeking to learn more about compliance can access a free on-demand AHIMA webinar that breaks down the provisions and certification and compliance requirements of the recently finalized rules on information blocking and interoperability.

21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule is presented by Elise Sweeney Anthony, executive director, and Elisabeth Myers, deputy director, office of policy at the Office of the National Coordinator (ONC) for Health IT.

The webinar’s objectives include:

• Updates to the 2015 edition certification criteria
• Conditions and maintenance of certification requirements
• Information blocking provisions

Stay connected with AHIMA as we provide tools and resources to help HIM professionals and their industry partners better understand and interpret the rules for effective compliance across the healthcare enterprise.

DeAnn Tucker, MHA, RHIA, CHPS, CCS, (dtucker@cokergroup.com) is senior manager of the Coker Group.

AHIMA's Information Blocking Resource Page

Bookmark AHIMA's Information Blocking Resource Page, curated with evidence-based guidance to prepare HIM professionals and other healthcare stakeholders to comply with the final rule. Case studies, interviews, news, podcasts, and more will be added weekly! Book the page here.