ONC Finalizes Rule on Information Blocking

ONC Finalizes Rule on Information Blocking

By Matt Schlossberg

The Office of the National Coordinator (ONC) for Health IT this morning finalized its long-awaited rule on information blocking.

The final rule solidifies the information blocking provisions in the 21st Century Cures Act. Enforcement of the final rule and the civil monetary penalties for non-compliance will be subject to further rule-making from ONC and the Office of the Inspector General (OIG).

According to ONC, healthcare providers, developers of certified health IT, health information exchanges, and health information networks will need to comply with the information blocking provision six months after publication of the interim final rule in the Federal Register. The rule’s publication date was not confirmed.

“We look forward to reviewing the final rule in greater detail. We support the intent of the Cures Act to eradicate practices that unreasonably limit the access, exchange and use of electronic health,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “However, given that the rule introduces a number of new definitions and terminologies and the significant economic impact of this rule, we are disappointed that ONC did not heed stakeholders’ calls to issue an interim final rule.”

An interim final rule would give ONC the flexibility to make revisions to the rule within a certain period of time during implementation. A final rule on its own requires a law from Congress or a new notice of proposed rule-making (NPRM) to make changes.

Final Rule at a Glance

The ONC final rule has several implications for health information management (HIM) professionals—how they protect, exchange, and collect data, and bring their organization into compliance with the rule.

The information blocking rule, with defined exceptions, prohibits health providers, technology vendors, health information exchanges and health information networks from practices that inhibit the exchange, use, or access of electronic health information (EHI).

The rule also standardizes criteria for application programming interface (API) development. It also establishes eight exceptions to the 21st Century Cures Act’s ban on interfering with access, exchange, and use of EHI.


Credit: Office of the National Coordinator for Health IT


For the final rule’s first two years, EHI access, exchange, and use is restricted to the US Core Data for Interoperability (USCDI), a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange.

AHIMA has recommended that as ONC expanded the USCDI to include additional data classes and elements, the definition of EHI should expand with it. This will provide a degree of certainty as to what information must be provided in accordance with the information blocking provision.

In the final rule, ONC clarified that actors will have to share EHI limited to the USCDI for purposes of the information blocking definition. Beginning in 2022, the scope of EHI will be broadened to mean electronic protected health (ePHI) as defined in HIPAA to the extent that it would be included in a designated record set. This requirement is regardless of whether the records are used or maintained by or for a covered entity as defined under HIPAA.

Questions Remain on Compliance, Penalties, and Privacy

This morning’s high-level press conference with HHS Sec. Alex M. Azar II, National Coordinator Donald Rucker, and Seema Verma, Administrator for the Centers of Medicare and Medicaid Services, provided few details on important aspects of the final rule, including privacy provisions, compliance, and penalties.

According to ONC, penalties for non-compliance with the information blocking rule will require additional rule-making from the ONC and the Office of the Inspector General.

In September 2019, AHIMA co-signed a letter to the chair and ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee calling on HHS to “use discretion in its initial enforcement of the data blocking provisions of the regulation, prioritizing education and corrective action plans over monetary penalties.”

AHIMA has also encouraged the HELP Committee “to continue its oversight of privacy and security issues that fall outside of the HIPAA regulatory framework.”


Credit: Office of the National Coordinator for Health IT


Preparing for Compliance

AHIMA and other stakeholder groups will offer resources to help member organizations. The Sequoia Project, a non-profit, public-private collaborative chartered to advance implementation of secure, interoperable nationwide health information exchange, has formed a work group to interpret the rules and help healthcare organizations prepare for compliance. The organization recently published guidance on the information blocking rule.

“It’s important to remember these rules are meant to improve interoperability and health information sharing in our communities,” says Mariann Yeager, CEO of the Sequoia Project. “Organization should get involved in the community. There are many opportunities for organizations to participate in the webinars and meetings.”

According to Lauren Riplinger, JD, vice president, policy and government affairs at AHIMA, the organization and Sequoia have been collaborating on the development of an operational checklist to help organizations prepare for compliance.

Compliance and integration of these rules will require collaboration between HIM departments and IT within healthcare organizations. “I think a starting point is identifying who’s going to serve on this operational team across health IT and HIM to make sure they identify the things that need to happen to make sure they’re in compliance,” says Riplinger.


Matt Schlossberg (matt.schlossberg@ahima.org) is editor at the Journal of AHIMA.