Tech & Innovation in Healthcare

Be aware of exceptions and penalties to stay compliant.

Get to know the latest Cures Act final rule and the punishments for noncompliance.

Background: On Dec. 13, 2016, Congress signed into law the 21st Century Cures Act to accelerate the electronic access to, use, and exchange of health information. The Cures Act applies to healthcare providers, health IT developers of certified health IT, health information exchanges (HIEs) and health information networks (HINs).

The law defines information blocking and “knowledge” standards for healthcare entities:

• Healthcare providers are in violation if they know that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).
• Health IT developers of certified health IT, HINs or HIEs are in violation if they know, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.

Since 2016, many provisions of the Cures Act have been implemented including major rulemaking activities to facilitate data sharing across different types of providers, and to expressly promote patient control over their own health information. To further achieve these goals, the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) established the information blocking regulations of the law with its 2020 Cures Act Final Rule.

The final rule went into effect Oct. 6, 2022. The regulation is intended to prevent interference with the access, exchange, or use of EHI for almost all healthcare providers including stalling the release of or preventing access to EHI.

The rule also expanded the EHI definition to include all electronic Protected Health Information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA) and made it easier to access this data, with only a few exceptions, which include:

1. Preventing Harm Exception — to prevent harm to a patient or another person;
2. Privacy Exception — to protect an individual’s privacy;
3. Security Exception — to protect the security of electronic health information;
4. Infeasibility Exception — challenges that limit the ability to comply with a request;
5. Health IT Performance Exception — situations that necessitate making health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT;
6. Content and Manner Exception — circumstances that limit the content of a response or the manner in which a request is fulfilled;
7. Fees Exception — requests that require charging a fee; and
8. Licensing Exception — requests that require a license for EHI interoperability elements.

Providers that do not meet all the conditions of an exception will not automatically be considered to be participating in information blocking but will be evaluated on a case-by-case basis to determine whether blocking actually occurred.

On June 27, 2023, the HHS Office of Inspector General (OIG) issued a final rule that implements penalties for information blocking. The rule does not impose any new requirements, but incorporates regulations published by the ONC for blocking enforcement.

OIG’s Civil Monetary Penalty Looms

Under the OIG’s rule, if it determines that an individual or entity has committed a blocking infraction, the party may be subject to up to a $1 million penalty per violation. Penalties begin Sept. 1, 2023.

But providers can breathe easy for the moment. The OIG rule subjects only certain entities to penalties: health IT developers of certified health IT; entities offering certified health IT; HIEs; and HINs.

On the horizon: The OIG’s rule does not establish healthcare provider disincentives. A separate rule to establish provider penalties is being developed by HHS. Look for it soon as HHS has a workgroup actively working on it now.

Resource: To determine if you are subject to penalties under the OIG final rule, review the definition of healthcare entities.

Take These 7 Steps While You Wait

You are under no obligation to proactively provide EHI. But under the law, once a request to access, exchange, or use EHI is made, you must respond to the request in a timely manner.

That means now is the time to ensure your processes surrounding health information requests and how you respond to them are aligned with information blocking regulations. You should also ensure that you have standards in your compliance plan to safeguard against blocking claims.

Confer with legal counsel when needed and look to take the following steps:

1. Review the information blocking rule, especially the examples in the proposed rule.
2. Evaluate and assess patient health records including electronic medical records (EMRs) to identify information risks.
3. Review and revise all policies and procedures related to responding to information requests, including HIPAA policies and those governing confidential or sensitive information. Also develop a process for documenting exceptions to requests.
4. Train staff regarding information blocking and your policies and procedures.
5. If you use one, evaluate patient portal functionality. Determine if features are working properly and ensure there are no operational breaks/delays. Update portal terms of use, as necessary.
6. Review and revise business associate agreements (BAAs) to ensure language complies with blocking regulations.
7. Determine how you access, exchange, or use EHI and check with vendors to review their compliance with the rule.