HHS Information Blocking and Interoperability Regulations Now in Effect

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and now the benefits of the information blocking and interoperability provisions can now be realized.

The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing.

The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to a subset of EHI detailed in the US Core Data for Interoperability (v1). Core EHI includes clinical notes, immunization records, lab test results, medications, and other EHI. The initial 18-month period is intended to help the regulated community get used to the information blocking regulation before the full scope of the regulation’s definition of EHI comes into effect on October 5, 2022. Covered entities and business associates are encouraged to share all EHI if possible, and not restrict sharing to the data represented by the USCDI until the final compliance date in 18 months.

Under the final rule, the deadline for data sharing has been changed from 30 days from the request being received to “without unnecessary delay.” There is an expectation to make EHI immediately available via the platform of the connected covered entity to allow that information to be downloaded. It is important for policies and procedures to be reviewed and updated to ensure that EHI can be obtained as soon as possible, and not to continue to operate on the 30-day deadline, which could now be viewed as information blocking.

The final rule also gives patients further rights over their healthcare data and requires covered entities and business associates to provide patients with their electronic health information, on request, to an application of the patient’s choosing. Patient health information can be sent to these applications without much manual effort by clinicians through secure, standardized application programming interfaces (APIs). As with requests from other healthcare providers, for the first 18 months it is not necessary to provide full records to patients’ chosen applications, only data represented by the USCDI.

Under the HHS HIPAA Right of Access enforcement initiative, the HHS has imposed 18 penalties for failures to provide patients with a copy of their requested medical records in a timely manner. The HHS may well start enforcing compliance with the requirements of the final rule to allow patients to have their EHI send to a health application with similar vigor.  The HHS Office for the National Coordinator for Health IT (ONC) will be working with the HHS Office of Inspector General to enforce compliance with the information blocking provisions, although the final enforcement rule is still pending.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.