skip to main content

ONC Interoperability Final Rule: Impact on Health Care Providers

The Office of the National Coordinator for Health IT (ONC) published a final rule on May 1, 2020 implementing the interoperability and information blocking requirements of the 21st Century Cures Act (“Cures Act”). See ONC, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642 (May 1, 2020) (“ONC Final Rule”). “Interoperability” in this context refers to the ability of different health information systems, devices, and applications, to access, exchange, integrate, and cooperatively use data in a coordinated manner across organizational boundaries. The ONC Final Rule, along with a companion final rule published by CMS,1 are the latest government efforts to drive the electronic access, exchange, and use of health information across care settings, which, despite years of regulatory action pursuant to the HITECH Act, has to date not been achieved due to barriers to information exchange in the U.S. health care system.   

The ONC Final Rule will significantly impact healthcare providers by prohibiting “information blocking” and by requiring health care providers to provide third party smart phone applications (“apps”) with access to their patients’ health information upon the patients’ request. Below, we describe the background to the ONC Final Rule and the information blocking provisions most relevant to health care providers, and set forth next steps for providers preparing to come into compliance with the rule.

Background

In 2016, Congress passed the bi-partisan Cures Act, which called for all electronically accessible health information to be accessed, exchanged, and used “without special effort on the part of the user.”2 The Cures Act was passed in part to respond to evidence that despite the government’s efforts over the past ten years to compel health care providers through regulation and financial incentives to adopt electronic health records (EHR), the EHR systems that had been adopted were largely not compatible across health care systems and care settings. ONC’s 2015 “Report on Health Information Blocking” indicated that economic and market conditions were creating incentives for some persons and entities to exercise control of electronic health information in ways that unreasonably limited its availability and use.3 The report found that such control is exercised by some EHR vendors, which developed health IT in non-standard ways so that health information could not be transferred between health systems that used different IT vendors, often with anti-competitive purpose. The report also found that hospitals and health care systems were unreasonably controlling electronic health information by engaging in practices that restricted the exchange of electronic health information to other systems or providers to control referrals and enhance market dominance. ONC concluded that these practices thwarted interoperability efforts and resulted in added costs to providers to achieve even minimum interoperability.

In service of the goal of furthering EHR interoperability, the Cures Act prohibited “information blocking,” which it defined, in pertinent part, as a practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information . . .” and, which “if conducted by a health care provider, such provider knows that such practice is unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.4  

Some examples of practices that may implicate the information blocking prohibition are:5

  • A health care provider organization refuses to share core clinical information with a rival ACO, or shares information only by a way that is expensive and inefficient for the rival ACO (e.g., by fax);
  • A health care provider maintains an overbroad Privacy Policy (e.g., refuses to share treatment records without a patient’s consent, despite the fact that HIPAA does not require consent to share treatment records, or refuses to share mental health records across state lines, even where the patient has consented and no law prohibits such sharing);
  • A health care provider notifies its EHR developer of its intent to switch to another EHR system and requests a complete export of its electronic health information (“EHI”). The developer will only provide the EHI in a PDF format, even though it already can and does produce the data in a commercially reasonable structured format;
  • A health care provider licenses EHR software from a vendor. A billing dispute turns into litigation and the vendor activates a “kill switch” that renders data maintained by the vendor inaccessible to the provider and its patient;  
  • A small health care provider frequently orders tests from a local lab operated by a national laboratory chain, which licenses EHR technology that makes it easy to exchange lab orders and results electronically. The lab has a policy not to enable interfaces from its EHR technology to any labs operated by a competing national laboratory chain.

The CURES Act directed ONC to issue regulations specifying reasonable and necessary activities that are excluded from this definition.

ONC Final Rule

The ONC Final Rule implements the Cures Act interoperability and information blocking rules in several key ways. First, it specifies a standardized core clinical data class set (by adopting the United States Core Data for Interoperability (“USCDI”) standard), which must be used by certified health IT developers. Second, it requires the health care industry to adopt standardized application programming interfaces (“APIs”),6 a type of technology that is the foundation of smartphone applications (“apps”), and which has enabled seamless, user-friendly data exchange via apps in the online banking and travel-booking industries. The mandated combination of standardized APIs and USCDI is intended to create compatibility regarding what data EHR systems must be able to exchange, and how they must do so. While these particular provisions impact health IT developers more than providers, they will ultimately affect health care providers by creating an environment in which secure and easily accessible structured electronic health information can be more easily exchanged across care settings and accessed by individual patients for free using smartphone apps.  

The ONC Final Rule implements the information blocking provisions of the Cures Act by outlining eight exceptions to the definition of information blocking. “Actors” subject to the information blocking rule (including health care providers) 7 must refrain from engaging in any practice which is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI”,8 unless it falls within an exception set forth below.

Exception to Information Blocking

Description

Preventing Harms

Actors may engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

Privacy

An actor may decline to fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

Specifically, actors are not required to provide access to EHI where the HIPAA Privacy Rule would prohibit access. Importantly, the information blocking rule may require that providers provide access to EHI in situations where HIPAA would permit, but not require access.

Security

An actor may interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

Infeasibility

An actor may decline to fulfill a request to access, exchange, or use EHI due to the infeasibility of the request (e.g., where the actor lacks the technological capabilities, legal rights, financial resources, or other means necessary to provide a particular form of access), provided certain conditions are met.

Health IT Performance

An actor may take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the system’s overall performance, provided certain conditions are met.

Content and Manner

An actor may limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

Licensing

An actor may license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

Fees

An actor may charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

 

The information blocking rule and exceptions will require health care providers to re-evaluate their contracts, privacy practices, and other policies and procedures to ensure that they are not unreasonably interfering with a patient’s access or use of their EHI.

This may include analyzing:

  • How requests for EHI from health care providers and others are handled;
  • Whether fees charged in relation to access, exchange, or use of EHI satisfy the conditions of the “Fees Exception”;
  • How existing EHR vendor contracts, data-use agreements and other information sharing arrangements function.

Health care providers should also be aware that EHR vendors that are certified Health IT developers are also subject to the rule, and that health care providers are not required to agree with contractual terms that enable EHR vendors to engage in information blocking. To the contrary, it is imperative that health care providers insist on terms that enable and encourage interoperability and clearly prohibit vendor blocking.

Privacy Concerns

The ONC Final Rule will require a new orientation for health care providers with respect to patient privacy. In the preamble, ONC emphasized that its intent in implementing the information blocking rule is not to conflict with the HIPAA Privacy Rule. Thus, in those contexts where HIPAA would prohibit a health care provider from disclosing PHI, the ONC Final Rule does not require a health care provider to provide access. However, the information blocking rule may require health care providers to provide access to EHI in certain situations where HIPAA would permit, but not require, disclosure.

More troubling for health care providers will be the elevation of patient-facing third party health apps that lies at the heart of the ONC Final Rule. Commentators to the Proposed Rule had expressed concern that the information blocking proposals would open the door for third party apps to access, exchange, and use patient data without providing patients with clear terms of use.  85 Fed. Reg. at 25815. Third-party apps are not subject to the HIPAA Privacy Rule, and may share information obtained by a hospital or other provider in ways the HIPAA Rules would not permit, including selling the information. Apps are also not subject to the HIPAA Security Rule, leaving health care data potentially vulnerable to cybersecurity risks. In response to these concerns, ONC acknowledged that HIPAA does not apply to app developers, but advised that the FTC has authority under the FTC Act to enforce the FTC Act’s prohibition on deceptive trade practices, which would enable the FTC to regulate whether apps are complying with their own privacy and security policies. In addition, state law – particularly the recent California Consumer Data Protect Act – may impact health app developers to the extent they intend to do business in California. As a policy matter, the Final Rule states that it supports an individual’s ability to choose which third-party developer and apps are best for receiving all or part of their EHI from a health care provider. Health care providers are permitted to provide factually accurate, objective, unbiased, fair, and non-discriminatory information about the third party or third-party app to patients. Health care providers will need to consider whether to educate patients on the risks of sharing health data with third-party apps, and ensure that any efforts to do so are accurate, non-biased, and done consistently, otherwise they may be viewed as information-blocking.  

Timeline for Compliance

The ONC Final Rule effective date is June 30, 2020, although ONC has stated that it will not enforce certain compliance dates and timelines for three months.9  However, enforcement against health care providers of the information blocking provisions is likely to be further delayed,10 given that the Cures Act directs OIG to refer provider violations to “the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.”11  HHS has yet to identify the agency that will handle information blocking referrals or the “disincentive” that will apply to providers engaging in information blocking.


Footnotes:


1 See CMS, Medicare and Medicaid Programs Patient Protection and Affordable Care act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers, 85 Fed. Reg. 25510 (May 1, 2020) (CMS Final Rule).

2 42 U.S.C. 300jj(9).

3 https://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf

4 42 U.S.C. 300jj-52(a)(1)(B)(ii). Under the Cures Act, health information technology developers, exchanges, or networks are also subject to information blocking prohibitions. See 42 U.S.C. 300jj-52(a)(1)(B)(i).

5 These examples come from ONC’s “Report on Health Information Blocking,” at Appendix A (2015), available at https://www.healthit.gov/sites/default/files/reports/info_blocking_040915.pdf and ONC, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 84 Fed. Reg. 7424 (Proposed March 4, 2019)

6 An API can be thought of as a set of commands, functions, protocols, or tools published by one software developer (‘‘A’’) that enable other software developers to create programs (applications or ‘‘apps’’) that can interact with A’s software without needing to know the internal workings of A’s software, all while maintaining consumer privacy data standards. See CMS Final Rule, 85 Fed. Reg. 25515.

7 The ONC Final Rule identifies three categories of “actors” who are subject to the information blocking rule: (i) health care providers; (ii) health information networks; and (iii) health IT developers of certified health IT.

8 The data classes in USCDI v.1 will define EHI during the initial 24-month period after implementation of the information blocking provisions. 85 Fed. Reg. at 25795. Thereafter, the ONC Final Rule uses HIPAA’s definition of electronic protected health information (ePHI) to define EHI. 45 CFR 171.102. 85 Fed. Reg. 25803.

See ONC, Cures Act Final Rule, “Enforcement Discretion,” https://www.healthit.gov/curesrule/resources/enforcement-discretion (last visited May 20, 2020).

10 The Cures Act gives OIG authority to impose CMPs not exceeding $1 million per violation for information blocking violations committed by health IT developers, health information exchanges, and health information networks. 42 U.S.C. 300jj-52(b)(2)(A). The OIG published a Proposed Rule regarding enforcement against such actors on April 24, 2020. HHS OIG, Grants, Contracts, and Other Agreements; Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 85 Fed. Reg. 22979 (April 24, 2020).

11 42 U.S.C. 300jj-52(b)(2)(B)

About the Authors

Elizabeth M. Hein is a Principal in the Firm’s Health Care Practice Group, providing legal services to the Firm’s health care clients in litigation, regulatory, and compliance matters.

Read more >

Cynthia A. Haines is a Principal in the Firm's Health Care Practice Group and Co-Chair of its Information Privacy & Security Practice Group. She counsels and represents clients on state and federal health law and related regulatory and compliance issues, including: surveys; licensure; Medicare/Medicaid; compliance; audits; accreditation; payment matters; HIPAA security and privacy compliance; insurer compliance with federal, state and local laws, regulations and policies; and voluntary disclosures.

Read more >