Josh D. Mast (josh.mast@cerner.com) is Lead Regulatory Strategist at Cerner Corporation in Shawnee, KS, and Cheri Whalen (cwhalen@ntst.com) is Regulatory Strategist at Netsmart in Overland Park, KS.
While information blocking was solidified as a legally defined term and compliance effort in the 21st Century Cures Act of 2016,[1] it wasn’t until the Office of the National Coordinator for Health Information Technology (ONC) released the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule that the industry received a framework on which to base compliance efforts.[2] Currently, compliance dates are April 5, 2021, for requests related to data elements in the U.S. Core Data for Interoperability (USCDI) version 1 and October 6, 2022, for all electronic health information (EHI).[3]
The information-blocking framework (IBF) may shift as the U.S. Department of Health & Human Services Office of Inspector General (OIG), which has enforcement authority over the IBF,[4] begins investigating cases and releasing its findings. OIG has not yet released its final rule on civil monetary penalties, which will dictate the enforcement date for information blocking. The enforcement date and compliance dates may be different.
Understanding the IBF is not completely settled; we present the top ten compliance concerns, in no particular order, for all actors (healthcare providers, health information technology developers, and health information networks/health information exchanges)[5] subject to the IBF.
Extensive scope of the IBF
Regardless of which actor definition you meet, or if you meet multiple, the IBF is expansive in nature and covers any EHI the actor may store/maintain or transmit in any platform or product the actor may be using to store/maintain or transmit the EHI. Actors must understand the impact of the IBF across their organization to determine the best manners through which to respond to and track requests and provide education across the organization. All actors within the IBF differ in size, services offered, and actor roles met within the IBF and the EHI they store/maintain or transmit; however, scoping compliance efforts to your organization’s situation is an activity that must be addressed from the beginning.
This can be done through the creation of a group of individuals representing relevant areas across the organization that meet on a regular basis. This group will vary in size and representation based on the size of the organization and what actor types the organization meets. However, this group and/or discussion from the areas across the organization will be key to understanding impact to the organization, needs of the organization, and to assist in identifying next steps for the organization to move toward and maintain compliance. Generally, the group should consist of legal and/or compliance representation, release of information/privacy representation, information technology and/or security representation, and, ideally, those within the organization that can assist with training and process improvement.
Tracking requests for EHI
The IBF is structured to create a need to monitor and review requests to access, exchange, or use USCDI/EHI. The IBF itself does not create new rights of access or requirements to share information and is instead built upon currently existing rights of access to USCDI/EHI and preexisting requirements to share information. Nothing codified in the IBF requires actors to proactively push out USCDI/EHI.[6] However, there are other regulatory requirements to proactively share data and information that may create unique information-blocking complexities, including:
-
Centers for Medicare & Medicaid Services conditions of participation requirements to share admission, discharge, or transfer notifications,[7] and
-
Centers for Medicare & Medicaid Services promoting interoperability program requirements[8] to share required sets of information.[9]
The IBF requires actors to handle and respond to requests for access, exchange, or use of USCDI/EHI within its set guidelines. This requires actors to track requests for access, exchange, or use of USCDI/EHI that are received by the actor and how the actor responds to the request to ensure compliance. The IBF does not distinguish requests received through formalized processes and procedures vs. requests received informally. This makes compliance with the IBF an administrative and operational task that can be difficult to tackle for any organization or actor type and can become increasingly difficult to track as the organization becomes larger and meets more actor types.
Ideally, organizations can identify methods already in use today related to release of information requests that can be modified as necessary to incorporate IBF considerations. Some organizations are also looking to proactively push the USCDI information out, such as a patient portal or health information exchange, in order to avoid receiving additional requests for the USCDI data elements once IBF compliance begins. Either way, the IBF creates additional work to track requests received, ensure any requests that are denied are done so within the allowances of the IBF, and any requests fulfilled are done so within the allowance of the IBF to the extent possible by the actor.
