
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is Information Blocking in Healthcare?

Information blocking in healthcare is any practice by a healthcare provider, certified health IT developer, or Health Information Network (collectively “actors”) that prevents or materially discourages access to, exchange of, or use of Electronic Health Information (EHI). Actors responsible for information blocking can face significant sanctions.

In 2016, §4004 of the 21st Century Cures Act added a new section to the Public Health Service Act to prohibit the practice of information blocking in healthcare. The new section describes some of the most common information blocking practices, and instructs the Secretary of Health and Human Services (HHS) to identify exceptions when information blocking in healthcare is permissible.

The new section also authorizes HHS’ Office of Inspector General (HHS OIG) and the Office of the National Coordinator for Health Information Technology (ONC) to sanction “actors” found responsible for information blocking. Sanctions for information blocking in healthcare include civil money penalties, reductions in incentive payments, and/or removal from the ONC’s Health IT Certification Program.

What is Electronic Health Information?

The term Electronic Health Information (EHI) refers to health information maintained electronically in a designated record set by a covered actor. The term has almost the same meaning as electronic Protected Health Information (ePHI) except that psychotherapy notes and health information prepared for use in a civil, criminal, or administrative proceeding are excluded from the definition of EHI.

It is also the case that the term ePHI only applies to healthcare providers that qualify as HIPAA covered entities. In the information blocking provisions, the term EHI applies to all healthcare providers and Health Information Networks/Exchanges regardless of their HIPAA status. The provisions also apply to health IT developers that qualify as certified developers of health IT under the ONC’s certification program.

Common Information Blocking Practices

To date, ONC has received 1,104 complaints about information blocking in healthcare – the most common (~85%) being complaints against healthcare providers for allegedly blocking the exchange of information with other healthcare providers or with payers (health plans, Medicare, etc.). Some complaints also relate to patients being denied their HIPAA rights when requesting access to PHI.

Less common information blocking complaints relate to developing or implementing health IT in nonstandard ways that are likely to restrict or increase the complexity of accessing, exchanging, or using EHI – either in individual designated record sets (i.e., to a payer) or as complete information sets (i.e., when a patient transfers to a new healthcare provider). These complaints account for about 10% of the total.

Eight Exceptions Permitted by HHS OIG/ONC

HHS OIG and ONC have defined eight exceptions to the information blocking legislation. The exceptions are subject to specific conditions being fulfilled and are divided into two categories – exceptions that involve not fulfilling requests to access, exchange, or use EHI (Category 1), and exceptions that involve procedures for fulfilling requests to access, exchange or use EHI (Category 2).

Category 1

Preventing Harm Exception

Actors can refuse a request to access, exchange, or use EHI if it is reasonably believed that the access, exchange, or use of EHI could cause harm to a patient or another person.

Privacy Exception

This exception accommodates standards restricting disclosures of health information without a patient’s consent, or when a patient has requested privacy protection (§164.522).

Security Exception

The Security Exception applies when access to, exchange of, or use of EHI presents a threat to the confidentiality, integrity, or availability of EHI or the system on which EHI is stored.

Infeasibility Exception

This exception covers external events such as natural disasters, public health emergencies, and other practical reasons why an actor may not be able to accommodate a request.

Health IT Performance Exception

The Health IT Performance Exception can be used as a temporary exception when – for example – health IT systems are offline or unavailable (e.g., in response to a cyberattack).

Category 2

Manner Exception

The Manner Exception applies when an actor is unable to fulfill a request in the manner requested and cannot reach an agreement with the requestor about a suitable alternative.

Fees Exception

This exception is an exception to the “reasonable fee” provisions of HIPAA when the fees relate to the development of technologies or services that enhance interoperability.

Licensing Exception

This exception is similar to the fees exception inasmuch as it permits actors to license interoperability elements in order to protect the value of innovation.

When an actor exercises an exception, the reason must be documented and explained in writing to the requestor, who has the right to appeal the decision or complain to ONC. An actor’s practice that does not meet the conditions of an exception will not automatically constitute information blocking. Instead, complaints relating to such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred.

Sanctions for Information Blocking in Healthcare

Complaints about information blocking in healthcare are made to ONC via a Reporting Portal. The ONC investigates complaints made against certified health IT developers. All other complaints are forwarded to HHS’ OIG, which may forward some to the Centers for Medicare and Medicaid Services (HHS’ CMS) or the Office for Civil Rights (HHS’ OCR) depending on the nature of the complaint.

If the ONC finds a certified health IT developer is responsible for information blocking, it has the authority to issue a Notice of Non-Conformity, enforce a Corrective Action Plan, and/or suspend (or terminate) the developer’s certification. Should a certification be suspended (or terminated), the developer will be ineligible to supply health IT to healthcare organizations in the Promoting Interoperability program.

If HHS’ OIG finds a Health Information Network or certified IT vendor responsible for information blocking in healthcare, the agency has the authority to issue civil monetary penalties of up to $1 million per violation. In addition, any information blocking practices that lead to fraud, waste, and abuse can be subject to further financial penalties and possible exclusion from federal health programs.

Healthcare providers found responsible for information blocking will be subject to reduced annual incentive payments in CMS healthcare programs. However, if a failure to respond to a request to access EHI violates the patients’ rights requirements of HIPAA, the complaint will also be subject to OCR enforcement action. Consequently, healthcare providers are advised to review their healthcare compliance programs to identify any potential information blocking practices.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
