In part one of our blog series, we introduced information regarding the 21st Century Cures Act. Many of our customers have asked us to continue to share what we know, and this is part two in a series to cover the latest information being communicated on this topic.
As we approach April 5, 2021, the compliance date for information blocking provisions of the 21st Century Cures Act to take effect, we hear a lot of questions from across the healthcare ecosystem: Who can be a blocker? How is information blocking defined? What are the exceptions to blocking? How can your organization avoid penalties for blocking?
It’s important to understand that while certified health IT is not required to implement the full United States Core Data for Interoperability (USCDI) specified standards until December 31, 2022, the data elements in the USCDI (but not the specific codes and standards) are in force for information blocking starting six months after publication. So, for the next 24 months, information blocking is limited in scope to USCDI data elements only, but after that, it’s any information that relates to the individual.
The first step is to understand if your organization is in the position to be a potential blocker, and how information blocking is defined in the statute. If you are a potential blocker, it will be important for you to understand the exceptions to the blocking provision and how to plan to avoid penalties for blocking.
Who can be a blocker?
The Cures Act defines three categories of “actors” who can block information: health care providers, HIT developers of certified HIT, and health information networks or health information exchanges. These are broad categories, each of which includes a long list of specific actors, so it’s a good idea to review those detailed lists here.
One note: there is consensus that release of information (ROI) providers, such as Sharecare, are not considered “actors,” but rather “business associates,” under the Cures Act definitions; business associates are not potential blockers.
Take away: Review the detailed list of actors and determine if your organization is an actor.
What is information blocking?
Under the Cures Act, information blocking is defined as any practices known by the provider to be unreasonable and “likely to interfere with or materially discourage, access, exchange, or use of [electronic health information (EHI)].” Intent is the key: the mere presence of practices that have a likelihood of interfering with the access, use, exchange, or disclosure of EHI is considered blocking.
What this means is that information blocking is centered around practices, which are defined as an act or an omission, and so can include both an action and a failure to act. It includes restricting authorized access, but also includes implementing HIT in non-standard ways, or in ways that might lead to fraud, waste, or abuse, or impede innovation or advancements in access, exchange, and use.
Clearly, the language here is broad, and somewhat vague; the healthcare ecosystem is seeking clarification and more exact definitions, but in the meantime, we will need to proceed carefully.
Take away: If your organization is an actor under the statute, you need to thoroughly review your practices and procedures with an eye to likely sources of interference with EHI exchange.
What are the exceptions to the information blocking rule?
Currently, there are eight exceptions to the information blocking rule. The failure to release information in these circumstances is not subject to penalty. These exceptions shield an actor if they have a legitimate reason for not sharing requested information. All actors should have a workflow process in place to determine if there is a legitimate reason for blocking data, and then identify and document the appropriate exception category. For each exception, conditions must be met to qualify. For more information, you can review the fact sheet on HealthIT.Gov
1. Preventing Harm: Blocking information is acceptable to prevent harm to a patient or another person.
2. Privacy: An actor is not required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.
3. Security: Blocking is permitted to protect the security of EHI.
4. Infeasibility: Legitimate practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI.
5. Performance: If an app is “hammering the database” or “disrupting others,” it’s okay to deny access and it’s also okay to take scheduled downtimes.
6. Content and Manner: These are new exceptions enumerated in the final ONC rule. According to ONC, this exception supports innovation and competition by allowing actors to first attempt to reach and maintain market-negotiated terms for the access, exchange, and use of EHI. For content, USCDI is acceptable for 24 months, then an actor must respond to a request to access, exchange, or use EHI. Regarding manner, it is acceptable to fulfill requests in a manner different from what was requested if there is technical incompatibility or agreeable terms cannot be achieved with the requester. If specific data elements are not included in the EHI controlled by the actor, the Content and Manner exception may be the appropriate exception to use if the request includes the full USCDI definition.
7. Fees: You can charge reasonable fees with the expectation that you can make a profit if it’s transparent and applied consistently across the board.
8. Licensing: An API provider can require licensing of API elements provided it is done in a reasonable and non-discriminatory way.
Take away: If your review reveals areas where you have concern about potential blocking, review these exceptions carefully to understand if they apply.
How do you avoid information blocking?
If you are an actor, you are responsible for tracking all requests for electronic health information and documenting how you respond. To avoid information blocking, you’ll have to be prepared to intake, track, and respond to each request to either: 1) honor the request as asked, or 2) qualify under an applicable information blocking exception, such as by providing an agreed-upon alternative method to access the information.
Think of the rule as similar in scale to HIPAA or Meaningful Use. It applies to any electronic health information you maintain. Your compliance approach should consider all your systems, such as a blood bank or document management system, in addition to your EHR system.
Take away: Compliance will require a big-picture, process-oriented approach taking all your systems into account.
What are the penalties for information blocking?
While the rules will not be enforced for the first six months the Cures Act is in effect, certain actors who engage in information blocking are subject to penalties of up to 1 million per violation. Consequences have not been established for providers.
Take away: Given the uncertainty around penalties, avoiding information blocking is the surest route.
How can Sharecare help my organization to avoid information blocking?
As an innovative healthcare technology company, Sharecare is dedicated to understanding how the 21st Century Cures Act impacts our customers and partners. As a business associate that provides records electronically, we help to enable data integration through our affiliations with over 800 health systems and are connected via APIs to 100+ EHR system vendors. We will continue to provide records via our HIPAA-compliant e-delivery services.
What Are Some Ways to Prepare?
For providers, it is essential that clinicians and staff know what to do when they receive requests and what is at risk if your organization is accused of information blocking. Also, providers are encouraged to revisit documentation regularly as their health IT capabilities advance.
You need a plan!
The biggest takeaway from all of this is that to avoid the penalties that can result from information blocking, you will need a detailed plan. We’ll tackle that subject next month in the third blog that will focus on planning for compliance.
Find out more about Sharecare and how we can help!