By Debra Primeau, MA, RHIA, FAHIMA, and Jaime James, MHA, RHIA

The Office of the National Coordinator (ONC) for Health IT’s information blocking Final Rule, part of the 21st Century Cures Act (Cures Act), was published in the Federal Register on May 1.

While the initial compliance date was set for November 2, 2020, the COVID-19 public health emergency and its attendant disruptions to health system operations compelled the ONC to issue an interim Final Rule on October 29 that extends the compliance deadline to April 5, 2021.

This extension affords health information management (HIM) extra time to get a better understanding of the Final Rule’s provisions and better prepare their organizations for compliance.

This article will explain the Final Rule’s key concepts, including the purpose of the Cures Act and its relationship to interoperability. We will also provide an overview of the certification provisions and take a deeper dive into the information blocking provisions.

We also include critical considerations that HIM professionals can use to facilitate discussions within their organizations and create their own implementation checklist.

The Cures Act, Explained

Understanding the information blocking Final Rule requires an understanding of the Cures Act.

The Cures Act, passed by Congress in December 2016, authorized funding for and regulations of numerous healthcare issues, including modifications to drug and device approval processes, funding for mental health and substance abuse resources, and curtailing practices that prevent the access to and exchange and use of electronic health information (EHI), known as information blocking.

The ONC was tasked with creating provisions for this last part.

It is important to understand that the Final Rule pertains exclusively to EHI and the electronic data access and exchange. This sets it apart from HIPAA, which covers paper, electronic, and verbal data as protected health information (PHI).

However, all the rules for HIPAA remain in place. The difference is in the approach. Where HIPAA takes an authorization or directive approach (you “shall,” if so authorized), interoperability implies that you “must” share information as required.

A Patient-Centered Approach

The Final Rule makes it explicit that when it comes to control of their health records and healthcare decisions, the patient is firmly in the driver’s seat.

“Patients need and deserve control over their records” said HHS Secretary Alex M. Azar II. “Patients should be able to access their electronic medical record at no cost, period.”

The Final Rule provides patients access to their EHI with third-party apps installed on their personal devices.

Additionally, the Final Rule continues to protect patient privacy and security by enabling patients to use apps they authorize to receive their data and by supporting secure access through authentication tools similar to what the banking and travel industries use.

The Final Rule also means that patients will have the ability to shop for care and manage costs, because it sets the foundation for increased data availability and transparency, providing patients with the information needed to expand their choice of payers and providers.

ONC Final Rule Provisions

The ONC Final Rule implements or updates five key provisions related to interoperability:

  • ONC health IT certification
  • Health IT for the care continuum
  • Conditions and maintenance of certification requirements
  • Certification criteria
  • Information blocking

These provisions—along with suggested HIM discussion and action items—are discussed below in further detail.

HIM professionals can use these action items to lead discussions within their organizations. As the healthcare industry is continuing to learn and understand these new rules, any recommendations should be discussed with appropriate legal counsel.

ONC Health IT Certification Program

The first four provisions cover requirements for certifying health IT. While these provisions pertain mainly to IT developers of certified health IT, it is important for provider organizations to understand these provisions, as they are intended to improve and expand interoperability.

There are certain aspects of the certification provisions with which HIM professionals should become familiar.

Certification of health IT is voluntary. The question then becomes, would non-certified products be following the standards that certification brings to the table?

For instance, would the certification privacy and security standards be followed by non-certified products, such as third-party software applications used by patients to access their information? This in turn raises the question, how do we as HIM professionals balance the need to protect a patient’s privacy and security and complying with increased interoperability requirements?

The Final Rule is clear that provider organizations can and are encouraged to educate their patients on the use of third-party applications and the risks associated with sharing or providing access to EHI.

There are specific parameters outlined in the Final Rule that state this education must be consistent, accurate, unbiased, and objective. Education should include advantages, disadvantages, and the associated risk with sharing EHI.

[box] Critical Considerations

  • Does your organization’s privacy practice notification need to be updated?
  • How will you educate patients on their abilities to access their EHI and the risks involved in using third-party apps?

[/box]

Health IT for the Care Continuum

The intent of this provision is to further support patient care when and where it is needed by addressing health IT across the continuum of care.

This provision includes specialized areas in healthcare, such as pediatric health IT. It establishes criteria for the voluntary certification of pediatric health IT.

Ten recommendations and realigned certification criteria were confirmed in the Final Rule to support the health IT needs of pediatric health providers. This is a first step in building a health IT infrastructure that supports pediatric care, as well as other specialty care areas across the continuum.

Conditions and Maintenance of Certification Requirements

This provision requires the use of standardized APIs through the use of Fast Healthcare Interoperability Resources (FHIR) over the next two years.

Created by healthcare standards organization Health Level Seven International (HL7), FHIR is a standard describing data formats and elements, and an application programming interface for exchanging electronic health records (EHRs).

APIs allow apps to be developed for use on smartphones and will help patients connect to, access, store, and exchange their health data through the app of their choice. EHR vendors are responsible for building the authorization scopes that enable the secure data access through third-party apps, including verification and correct data access.

[box] Critical Considerations

  • HIM professionals need to understand their organization’s app strategy and develop processes to mitigate possible challenges. For example, what process will be put in place if a patient requests their EHI via an app not connected with the organization?

[/box]

Certification Criteria

The fourth provision relates to the certification criteria requirements for health IT, which were updated in the Final Rule.

One of the changes is that the data requirement for the following certification criteria is transitioning from the current Common Clinical Data Set (CCDS) to the new United States Core Data for Interoperability (USCDI).

By December 31, 2022, the USCDI data set must be used for these criteria, which is applicable in many of the Meaningful Use/Promoting Interoperability incentive programs:

  • View, download, transmit to third parties
  • Transition of care
  • Transmission to public health agencies
  • Consolidated Clinical Documentation Architecture (CDA) creation performance
  • Application access—all data request

[box] Critical Considerations

  • If you are involved in any of these incentive payment programs, be sure to understand the timeline for this change within your organization.

[/box]

Information Blocking

Information blocking has the most significant impact on HIM. HIM leaders need a clear understanding of the compliance dates and action items needed for implementing the information blocking provisions.

Understanding the definitions related to information blocking and the decision points around these definitions, along with the information blocking exceptions, will help to create the action items needed for discussion within an organization.

Compliance Deadlines, Definitions, and Enforcement

On October 29, ONC issued an Interim Final Rule extending the compliance dates for the agency’s Cures Act Final Rule. Click here for a printable table of the original and revised compliance dates.

The next section explains the Final Rule’s key definitions and enforcement mechanisms.

Final Rule Key Definitions

Information Blocking: Practices by an actor that likely interfere with, prevent, or materially discourage the access, exchange, or use of EHI, except as required by law or covered by an exception.

Actor: Three groups of actors are defined as required to abide by the information blocking rules:

  • Healthcare providers, a broad term encompassing a long list of provider types, each of whom are regulated without regard to whether they are covered entities under HIPAA
  • Developers of Certified Health IT will be regulated by ONC. Affected vendors include those whose health IT has one or more modules certified under ONC’s Health IT Certification program. The definition excludes healthcare providers that self-develop health IT for their own internal use, but not when they offer certified health IT for other entities to use in their own independent operations
  • Health information networks (HINs)/health information exchanges (HIEs) are now consolidated under the Cures Act. HINs and HIEs subject to information blocking claims are those that determine, control, or have the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of EHI among more than two unaffiliated individuals or entities.

Business associates (BAs) are not defined as an actor. However, based on a BA’s specific line of business, that service may qualify the BA as an actor under one of the definitions.

[box] Critical Considerations

  • BAs and BA agreements should be evaluated according to the definitions provided in the Cures Act to determine any impact related to information blocking on the organization.

[/box]

Access, Exchange, Use:

  • Access: The ability or means necessary to make EHI available for exchange, use or both
  • Exchange: The ability for EHI to be transmitted between and among different technologies, systems, platforms, or networks
  • Use: The ability for EHI, once accessed or exchanged, to be understood and acted upon

[box] Critical Considerations

  • Transmitted: Transmitted is described as bidirectional in the Final Rule. What are the implications of bidirectional transmission within your organization? What are your current processes for patients to transmit information into your organization’s EHR?
  • Understood: Per the Final Rule, this does not mean an organization has to describe the clinical significance or relevance of the EHI.
    • Given the expanded amount of information that will be available electronically for patients, should or how will the process be communicated to patients if they have questions regarding their EHI?
    • Will providers receive additional calls based on the increased information available for access?
    • If so, what messaging might be needed for both the providers and patients?
    • Will amendment requests increase?
  • Acted Upon: What does the ability to write, modify, manipulate, or apply the information (all words used in the Final Rule) mean for your organization?

[/box]

Electronic Health Information (EHI): EHI is ePHI, as defined by HIPAA, to the extent ePHI is included in the designated record set (DRS). Excludes: Psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and deidentified information.

[box] Critical Considerations

  • How is your organization progressing with making the USCDI available for access, exchange, and use as of April 5, 2021?
  • How will the USCDI information be available for patients? Through your organization’s patient portal? What if your organization does not have a patient portal or is on an older EHR vendor version that cannot accommodate the USCDI expansion?
  • When will discussions begin on the access, exchange, and use of the full EHI?

[/box]

Designated Record Set §164.501:

  1. A group of records maintained by or for a covered entity that is:
  2. The medical records and billing records about individuals maintained by or for a covered healthcare provider;
  3. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Used, in whole or in part, by or for the covered entity to make decisions about individuals
  1. For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information (PHI) and is maintained, collected, used, or disseminated by or for a covered entity

[box] Critical Considerations

  • Re-review the DRS definition for your organization. Consider outside records processes where the records may be used to make decisions about the patient. Also review the billing records included as part of the DRS.
  • Legal health record definition: This definition can be reviewed, but the Final Rule does not include legal health record language. For instance, an organization’s legal health record definition most likely does not include billing records.
  • Review policies and procedures including, but not limited to, amendments, master patient index (MPI) integrity, retention, proxy, sensitive information, privacy and security, and many more.
  • Consider an assessment of your information governance program and activities.

[/box]

USCDI: The USCDI is a set of health data classes and elements that allows for data sets beyond clinical data (see Table 1). The USCDI will continue to be updated which reflects how the Final Rule intends to provide more data availability and transparency and establishes the foundation for the broader sharing of EHI.

Table 1: United States Core Data for Interoperability (USCDI v1)
Data Classes Data Elements
Patient Demographics First, middle and last name

Previous name

Suffix

Birth sex

Date of birth

Race

Ethnicity

Preferred language

Current address*

Previous address*

Phone number*

Phone number type*

Email address*
Care team members
Assessment and plan of treatment
Goals Patient goals
Problems
Procedures
Clinical Notes* Consultation notes

Discharge summary note

History and physical

Imaging narrative

Lab report narrative

Path report narrative

Procedure notes

Progress notes
Health Concerns
Immunizations
Laboratory Tests

Value/results
Medications Medications

Medication allergies
Allergies and Intolerance Substance (medication)

Substance (drug class)

Reaction
Provenance (place of origin)* Author time stamp

Author organization
Smoking Status
Unique Device Identifier(s) – Implantable Devices
Vital Signs Diastolic BP

Systolic BP

Body height

Body weight

Heart rate

Respiratory rate

Body temperature

Pulse oximetry

Inhaled O2 concentration

BMI percentile (2-20 yrs)*

Weight-for-length percentile (birth-36m)*

Head occipital-frontal circumference percentile (birth-36m)*

Reference range/scale or growth curve, as appropriate*

*changes from CCDS

[box] Critical Considerations

As you review the USCDI for electronic access, exchange, and use as of April 5, 2021, within your organizations, consider the following:

  • Determine the source of each data element and specific document types that should be included as part of each data element. For instance, for clinical notes, how does your organization interpret the Final Rule for the types of progress notes that need to be made available. This includes not only physician progress notes but also nursing, case management, social work notes, etc.
  • Discuss the timeliness of the data being made available for access, exchange, and use in light of incomplete and unsigned documents or lab and test results that need to have physician review prior to access. The Final Rule does not establish a set timeframe for what timely access means. The Final Rule does state that processes that create unnecessary delays or response times or limits the timeliness, could implicate information blocking (HHS 2020, 25812).
  • Discuss how far back previous visit information will be made available for access. Do you have legacy systems? Will that information be made available?
  • If any of the USCDI data elements will not be available as of April 5, 2021, how will the information blocking exceptions apply? Who will have ownership to document the exceptions?
  • Document all decisions and the rationale for those decisions.

[/box]

Information Blocking Exceptions

How do actors stay out of information blocking hot water? First and foremost, actors should not engage in activities that interfere with:

  • Patient access, exchange, and use of EHI
  • Providers and other authorized individuals having EHI when and where they need it
  • Payers and others that purchase healthcare obtaining the information they need
  • Healthcare providers access, exchange, and use of EHI for quality improvement
  • Population health management and public health and patient safety needs

Between the proposed and Final Rule there are 40-plus illustrative examples of practices that could implicate information blocking.

However, in recognition of healthcare operation complexities, instead of further expanding on these examples, the ONC defines eight information blocking exceptions that when certain conditions are met will likely not constitute information blocking.

HHS describes these exceptions and the conditions. The eight exceptions include five exceptions that involve not fulfilling requests—preventing harm, privacy, security, infeasibility, and health IT performance—and three exceptions that involve procedures for fulfilling requests—content and manner, fees, and licensing.

HIM professionals need to become familiar with these exceptions and the conditions that must be met in order to lead discussions on how these will be operationalized within an organization—especially related to HIM. When addressing the exceptions, they may work hand-in-hand.

For instance, if a request cannot be fulfilled in the manner requested, the request may be fulfilled in an alternative manner (content and manner). If that is not possible, it might be infeasible to fulfill the request (infeasibility).

A high-level description of several exceptions, including HIM action items to consider, are described below. These exceptions are particularly applicable to HIM professionals. (Please note, not all exceptions are discussed so this is not an exhaustive list.)

Preventing Harm: This exception relates to not fulfilling requests that are reasonable and necessary to prevent harm to a patient or another person, provided four conditions are met.

This exception is cross-referenced to the HIPAA Privacy Rule, and similar to HIPAA, this exception relates to life or physical safety and does not relate to emotional or psychological harm.

Under the harm exception, the Final Rule recognizes that specific information may not be appropriate to disclose or exchange until finalized (such as test results).

However, the Final Rule also discusses that, unless applicable by law, the patient should choose whether they want access to their information as soon as it is available or wait for a provider to contact them, such as review of final test results by a provider prior to patient availability. Harm due to patient mismatches is also included in this exception.

[box] Critical Considerations

  • How will this exception be incorporated into existing HIPAA processes related to preventing harm such as sensitive and behavioral health information?
  • Discuss the appropriate use of this exception related to the timeliness of information for pending results, incomplete records, or current processes where results are reviewed by a provider before being made available to a patient.
  • Review your patient matching/overlay processes and determine the impact of this exception.

[/box]

Privacy: This exception relates to not fulfilling requests in order to protect an individual’s privacy, provided one of four sub-exceptions and the associated sub-exception conditions are met.

This exception states that an actor will not be required to disclose EHI that is prohibited under state or federal privacy laws and operates in a manner consistent within the framework of the HIPAA Privacy Rule.

It is important to remember that while the HIPAA Privacy Rule permits, but does not require covered entities to disclose ePHI in most circumstances, the information blocking provision, on the other hand, requires an actor to provide access, exchange, or use of EHI unless prohibited by law, or one of the exceptions.

[box] Critical Considerations

  • How will the information blocking privacy exception be operationalized in conjunction with any current privacy processes within your organization?
  • What actions from a cultural, educational, or procedural perspective might be needed with regard to HIPAA permitting, but not requiring disclosure when information blocking requires access, exchange, and use?

[/box]

Infeasibility: If a request cannot be fulfilled because it is truly infeasible to fulfill the request, one of three conditions must be met and the actor must provide a written response within 10 business days stating the reason why.

The ability/inability for EHRs to segment data so that certain information that can be disclosed versus information that should not be disclosed is also included in this exception.

[box] Critical Considerations

  • What situations may occur where it is infeasible to provide a requestor their electronic request for information and a response must be given within 10 business days?
  • If the requestor is the patient and the request is infeasible, how would HIM be involved?
  • What are the data segmentation capabilities of your existing EHR system and how will that impact the access, exchange, and use of the EHI?

[/box]

Content and Manner: For the content exception, it will not be information blocking when an actor limits the content of its response, if certain conditions are met. This is the exception that allows actors to respond to requests with the USDCI data set for the first 24 months post publication date (plus the extension). After 24 months (plus the extension), the full EHI must be available for access, exchange, and use.

The manner exception provides an actor the ability to fulfill a request in an alternative manner when certain conditions are met.

[box] Critical Considerations

  • Similar to the discussion points under the USCDI definition above, if the complete set of USCDI is not available electronically, what procedures need to be in place to consider providing the requested information in an alternative manner?
  • Conduct an inventory and develop an intake/tracking process for the type of requests that would relate to information blocking including who is receiving these requests, how will they be processed, when the exceptions will need to be applied, and what documentation is needed if an exception is used. Documentation of all exceptions is critical.

[/box]

Fees: The fees exception allows for the charging of certain fees that would not constitute information blocking when specific conditions are met. These fees relate to the development of technologies and provision of services that enhance interoperability. This exception does not protect fees related to rent-seeking, opportunistic fees, and exclusionary practices that interfere with access, exchange, and use of EHI.

One exclusionary practice is charging a fee based in any part on the electronic access by an individual, their personal representative, or another person or entity designated by the individual to access the individual’s EHI. The Final Rule defines electronic access as an Internet-based method that makes EHI available at the time the EHI is requested where no manual effort is required to fulfill the request. Examples include access via a patient portal, apps, or other internet-based means.

The Final Rule also states, “Consistent with the HIPAA Privacy Rule’s individual access fee implementation specification, an Actor can charge a reasonable, cost-based fee related to certain costs, if a patient requests a copy of her record” (HHS 2020, 25885-25886).

The Final Rule clarifies that if a fee is charged when the EHI is provided in some form of physical media, such as paper copies or copied on to a CD, this would not be a practice that implicates information blocking (providing the fees comply with the HIPAA Privacy Rule—45 CFR 164.524 (c)(4)).

[box] Critical Considerations

  • Discuss this exception as it relates to current release of information processes. Will this change any processes? Many in the industry interpret this language to mean that general release of information processes will not change and current fees may be charged.
  • How will your organization define electronic access with no manual access and be sure to confirm the definition of personal representative under information blocking is the same as HIPAA?

[/box]

Information Blocking Enforcement

To avoid enforcement actions, actors must satisfy at least one exception and meet all applicable conditions, unless required by law. The process for the public to report claims of information blocking has been established through the HHS website and the Office of Inspector General (OIG) has been authorized to investigate claims.

The penalties for information blocking vary depending on the actor.

For health IT developers of certified technology and HIN/HIEs there are civil monetary penalties (CMPs) up to $1 million per violation. A proposed rule on these CMPs was published for comment in April of this year. For providers, the Final Rule states there will be appropriate disincentives.

Penalties for providers will not be imposed by the OIG until further notice and comment rulemaking occur. At this time, no further rulemaking has occurred with regard to these disincentives. What is important to remember is that even though enforcement is still subject to comment and rulemaking, the compliance dates as outlined above are still in force.

In summary, the Cures Act presents an amazing opportunity for HIM professionals to assist their organizations with compliance challenges.

The leadership health information professionals can provide include readiness assessments, development of project plans, review, and revision of policies and procedures, as well as the sharing of our expansive knowledge of HIPAA.

The Final Rule is transformative with the intention of advancing the digital age of health information sharing. The information blocking and interoperability rules are dense and technical and impact both internal and external stakeholders. They require organizations to establish new practices for advancing interoperability goals safely and securely. Let’s not waste this opportunity to lead.

 

Debra Primeau (dprimeau@primeauconsultinggroup.com) is president of Primeau Consulting Group.

Jaime James (jjames@mrview.com) is senior HIM consultant of legislative policy and compliance, MMRA.

Further Reading

The October 2020 issue of the Journal of AHIMA featured a collection of articles that discussed implementing the information blocking and interoperability Final Rules.