Coming into compliance with the Information Blocking Rule

By Adam H. Greene

Adam H. Greene (adamgreene@dwt.com) is a Partner in the Washington, DC, office of Davis Wright Tremaine LLP and cochair of its Health Information Practice Group.

On April 5, 2021, the 21st Century Cures Act Information Blocking Rule will become applicable.[1] In practice, this means that information-blocking actors—healthcare providers, health information technology (IT) developers of certified health IT (health IT developers), and health information networks and health information exchanges (HIN/HIEs)—are required to assess and revise longstanding information practices in order to appropriately free up electronic health information (EHI). While the applicability date is fast approaching, many questions remain. When will enforcement begin? What are the proactive obligations for compliance? What practices that do not fall under exceptions nevertheless qualify as “reasonable”? This article will identify some of the most vexing questions surrounding the Information Blocking Rule and offer strategies for compliance among this uncertainty.

Background

In December 2016, Congress enacted the 21st Century Cures Act (the Act).[2] Section 4004 of the Act prohibits healthcare providers, health IT developers, and HIN/HIEs (collectively, actors) from engaging in information blocking.[3] In short, the Act provides that, except as required by law or specified in a regulatory exception, an actor may not engage in a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.

The statute includes different knowledge standards for different types of actors: a healthcare provider is only engaged in information blocking if they know the practice to be unreasonable, whereas the knowledge standard for health IT developers and HIN/HIEs does not include such a reasonableness component.[4]

The Act’s information-blocking prohibition is independent of the information-blocking prohibition in the Medicare Access and CHIP Reauthorization Act of 2015,[5] which is currently in effect through attestation requirements of the Promoting Interoperability Programs (also known as the “Meaningful Use” programs) and is limited to healthcare providers participating in those programs.[6]

The U.S. Department of Health & Human Services (HHS), through its Office of the National Coordinator for Health Information Technology (ONC), promulgated final regulations (the Information Blocking Rule, or the Rule) implementing Section 4004 of the Act on May 1, 2020.[7] The Information Blocking Rule includes eight exceptions setting forth practices that will not qualify as information blocking (such as to prevent harm, protect the privacy or security of the information, or because of infeasibility).[8] That being said, a practice does not necessarily constitute information blocking merely because it does not fall under an exception. The Rule originally had an applicability date of November 2, 2020. In response to the challenges of the COVID-19 pandemic, the HHS delayed the applicability date until April 5, 2021.[9]

When is compliance required?

The Act provides that the HHS Office of Inspector General (OIG) may impose penalties of up to $1 million per violation on health IT developers and HIN/HIEs.[10] OIG issued a proposed enforcement rule in April 2020 but has not yet published a final rule.[11] Accordingly, we do not yet know the enforcement date for health IT developers and HIN/HIEs. While the applicability date is April 5, 2021, the OIG has indicated that it does not intend to penalize conduct that occurs prior to 60 days after publication of the OIG’s final enforcement rule, which is likely to be some time after April 5.[12]

There is even greater uncertainty with respect to enforcement and healthcare providers. The Act provides that the OIG should refer healthcare providers who commit information blocking to the “appropriate agency” for “appropriate disincentives” that fall under existing authority.[13] We do not yet know which agency will be responsible for enforcement against healthcare providers. Possibilities include, but are not limited to, the ONC, the HHS Office for Civil Rights, or the Centers for Medicare & Medicaid Services. We do not know what the “appropriate disincentives” may be that exist under existing federal authority. And we do not know the potential enforcement date for healthcare providers, as we are awaiting a notice of proposed rulemaking and then a final enforcement rule. This leaves open the question of whether healthcare providers’ conduct occurring after April 5, 2021, will be subject to future penalties, or whether conduct will not be penalized until the effective date of a future enforcement rule for healthcare providers.

Based on this, the conservative position is to seek full compliance by the applicability date of April 5, 2021. That being said, if an actor is not able to achieve full compliance by that time, the risk of liability is likely low until a final enforcement rule applicable to the actor is published. Healthcare providers that participate in the Promoting Interoperability Program, though, should continue to ensure that they are able to attest that they are not engaged in prohibited information blocking under the Medicare Access and CHIP Reauthorization Act of 2015 (which has different requirements than the Information Blocking Rule).

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings