Interim Final Rule Issued for 21st Century Cures Act
Interim Final Rule Issued for 21st Century Cures Act

Last week, on October 29, 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) released an interim final rule that delays compliance dates for information blocking and other health information technology (“HIT”) requirements set forth in the 21st Century Cures Act (“Cures Act”). The ONC’s stated reason for this delay is the COVID-19 Public Health Emergency, as the ONC previously had implemented the requirements in a final rule issued on May 1, 2020 (“Final Rule”).

Developers of certified HIT, health care providers, health information exchanges, and health information networks will now have until April 5, 2021 to comply with the Final Rule’s information blocking provisions. Developers of certified HIT will also have additional time to comply with other requirements introduced in the Final Rule. The ONC issued the interim rule “to offer the health care system additional flexibilities in furnishing services to combat the COVID-19 pandemic … while still maintaining a trajectory that will advance patients’ access to their health information, reduce the cost of care, and improve the quality of care.”

The interim final rule is titled “Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency.” It seeks to build upon the ONC’s prior announcement of enforcement discretion that delayed enforcement dates for many of the requirements in the earlier Final Rule by three months. Unlike the ONC’s prior enforcement discretion, however, this interim final rule codifies new compliance dates into federal regulations, hopefully providing for better clarity and consistency across the health care industry.

In announcing the extension of the Final Rule’s deadlines, the ONC thanked Congress for the passage of the Cures Act and said it looked forward to implementing the Final Rule, which will promote patient access to their electronic health information (“EHI”), supports provider needs, advances innovation, and addresses industry-wide information blocking practices. Once in place, the Final Rule will seek to support the use of modern technology to meet the needs of both patients and providers. It also establishes new provisions for certified HIT developers, who will be required to establish more secure application programming interfaces and use better privacy and security protocols in the support of patients’ access to data within their electronic health record (“EHR”).

For many years, there has been a shift within health care models toward patient-centered care, including a greater emphasis on patient decision-making and patient experience. The ONC resides at the center of these efforts, and this new Final Rule continues to advance the agency’s goals, including those that would allow patients to securely and easily obtain their EHI at no additional cost when electronically accessed. In order to facilitate access to EHI when and where it is needed, the Cures Act authorizes the Office of Inspector General to investigate any claim that a HIT developer, health care provider, health information exchange, or health information network engaged in “information blocking.”

The government defines “information blocking” as any practice by an HIT developer (of certified health IT), a health information network, a health information exchange, or a health care provider that, “except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).” The website provides specific examples of practices that could constitute information blocking, as set forth in the Cures Act. These examples include:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI; or
  • Implementing health IT in ways that are likely to:
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
    • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

The extension of these provisions is noteworthy because HIT developers, health information exchanges, and health information networks may be subject to civil monetary penalties of up to $1 million per information blocking violation, while health care providers may be “referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.” Additionally, the Cures Act directs the Secretary of HHS to establish a prohibition on any action that constitutes information blocking as a requirement for obtaining and maintaining HIT certification under the ONC HIT Certification Program.

The Final Rule also defined EHI as electronic protected health information (“PHI”), as defined under the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations (“HIPAA”), to the extent that it would be included in a designated record set (as defined under HIPAA), regardless of whether the group of records are used or maintained by or for a HIPAA-covered entity.

It is important to note that the definition of EHI specifically excludes psychotherapy notes (as defined under HIPAA), as well as information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Further, while the Final Rule limited the definition of EHI to data elements contained in the United States Core Data for Interoperability (“USCDI”) standard until May 2, 2022, the interim final rule delays this transition date for the definition of EHI to October 6, 2022. The USCDI standard sets a new baseline for interoperability and includes “clinical notes” among other data important for clinical care. The ONC believes the adoption of the USCDI will “help to improve the flow of EHI and help ensure that the information can be effectively understood when it is received. Over time, it will be updated to expand the baseline set of interoperable data available nationwide.”

The Final Rule initially introduced the Information Blocking Condition and Maintenance of Certification Requirement with a compliance date of November 2, 2020, the interim rule delays this compliance date to April 5, 2021.

While the interim final rule provides health care entities with additional months to prepare for information blocking compliance, those entities should not expect a soft rollout of the enforcement provisions. The ONC emphasized its commitment to information blocking enforcement beginning April 5, 2021, and it stated its belief that the delay “appropriately balances” the additional flexibility necessary due to the COVID-19 public health emergency with “ONC’s sense of urgency in addressing information blocking.” Health care entities should act quickly to take advantage of the additional time that the interim final rule provides by reviewing operations and technological capabilities for information blocking compliance.

The Final Rule is seen as a step forward for patients while also advancing the needs of health care providers by accelerate HIT innovation and competition. The hope is that the rule will help deter the information blocking that many providers face when attempting to provide informed care for their patients. As part of bringing the information blocking provision to life, the ONC says it finalized “eight common sense exceptions that are responsive to public comment and that identify reasonable and necessary activities that do not constitute information blocking.” The specific exceptions were grouped under two general categories of information blocking exceptions. The first category involves not fulfilling requests to access, exchange, or use EHI. These include the following exceptions:

  1. Preventing Harm Exception;
  2. Privacy Exception;
  3. Security Exception;
  4. Infeasibility Exception; and
  5. Health IT Performance Exception.

The second category involves procedures for fulfilling requests to access, exchange, or use EHI and includes:

  1. Content and Manner Exception;
  2. Fees Exception; and
  3. Licensing Exception. 

If an entity’s practices comply with all applicable requirements of an exception, the practice is not considered information blocking.

The ONC received more than 2,000 comment submissions on the proposed Final Rule, which will implement provisions containing far-reaching HIT provisions enacted in the Cures Act, all with the goals of achieving widespread interoperability among HIT systems and improving patients’ access to their medical information. If you need any assistance in trying to navigate the Cures Act, you should know that Bowles Rice LLP maintains an experienced Health Care Group that can assist with your needs.