ONC Proposes Updates to Information Blocking Regulations

The U.S. Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology (ONC) on April 11, 2023, released a Notice of Proposed Rule Making called the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Proposed Rule (HTI-1 Proposed Rule).

According to ONC, the HTI-1 Proposed Rule will modify and expand exceptions in the information blocking regulations to support information sharing, as well as implement other provisions related to health information technology (health IT) and certification.

Background

Signed into law on Dec. 13, 2016, the 21st Century Cures Act includes several provisions to encourage the adoption and effective use of health IT and support access to and exchange of electronic health information (EHI) between patients, healthcare providers and others in a convenient form by discouraging information blocking. In March 2020, ONC issued the Cures Act Final Rule, outlining information blocking policies aimed at holding accountable those who restrict the availability of EHI and establishing reasonable exceptions. Penalties were to be established through future notice and comment rulemaking by the Office of the Inspector General (OIG). Although compliance with the Cures Act Final Rule was initially set for Nov. 2, 2020, the applicability date was postponed until April 5, 2021, under an interim final rule revising the compliance timeline. Even then, the full scope of EHI subject to the prohibition was temporarily narrowed to allow actors subject to the prohibition to have ample time to bring their policies and practices into compliance. On Oct. 6, 2022, EHI subject to the information blocking prohibition expanded to its fully defined scope under the Cures Act Final Rule. The new HTI-1 Proposed Rule recommends additional enhancements to further advance interoperability, improve transparency, and support the access, exchange and use of EHI.

What's Inside the HTI-1 Proposed Rule

Key elements of the HTI-1 Proposed Rule include:

• implementing the Electronic Health Record Reporting Program as a new Condition of Certification for developers of certified health IT under the ONC Health IT Certification Program (Certification Program)
• modifying and expanding exceptions in the information blocking regulations to support information sharing
• revising several Certification Program criteria, including existing criteria for clinical decision support (CDS), patient demographics and observations, electronic case reporting, and application programming interfaces for patient and population services
• adopting the United States Core Data for Interoperability (USCDI) Version 3 as a standard within the Certification Program and establishing an expiration date for USCDI Version 1 as an adopted standard
• updating standards and implementation specifications adopted under the Certification Program to advance interoperability, support enhanced health IT functionality, and reduce burden and costs

Information blocking is just one component of the Cures Act's larger efforts focused on fostering health data interoperability to improve population health and patient experience. Overviews of the proposals affecting information blocking polices and compliance follow, with a focus on provisions relevant to healthcare providers.

Information Blocking Enhancements

Information blocking enhancements in the HTI-1 Proposed Rule include additions and revisions to several definitions and exceptions in the original Cures Act Final Rule intended to provide clarity and enhance compliance with the regulations.

First, the HTI-1 Proposed Rule would codify what it means to offer "health IT." The current regulation, which includes "an individual or entity that under any arrangement makes certified health IT available for purchase or license," does not specifically define this category of actor and appears to pull into its radius healthcare providers acting in the ordinary course and others providing health IT under arrangements not intended to resell, sublicense or otherwise supply health IT for profit.

Following issuance of the 2020 regulations, interested parties expressed concern regarding lack of clarity and breadth of this category. In the proposed definition, ONC seeks to provide clarity by excluding healthcare providers or other health IT users who are engaging in certain customary and common activities. Activities expressly excluded from the proposed definition are: 1) arrangements structured for the purposes of subsidizing health IT for providers in need, such as a health system supplying an EMR to a safety-net provider; 2) issuing login credentials to employees, supplying API technology, online portals or issuing public health authorities with login credentials and providing login credentials to independent providers for treatment purposes at healthcare facilities; and 3) entities providing comprehensive administrative or operational management consultant services involving health IT. This last exception would exclude from the definition traditional forms of management services agreements, the majority of which are administrative, credentialing and other business services for the healthcare recipient of health IT, subject to some conditions. The proposed rule changes also clarify that such self-developing healthcare providers are not considered a Health IT Developer of Certified Health IT for purposes of information blocking when they do not offer health IT under this modified definition.

Next, ONC proposes changes to the Infeasibility Exception by revising one condition and proposing two new conditions. First, ONC proposes to revise the uncontrollable events condition to further clarify when an actor's practice of not fulfilling a request for access, exchange or use of EHI meets the revised condition. Under the proposed revision, the actor must demonstrate a causal connection between not providing access, exchange or use of EHI and the uncontrollable event (i.e., natural/human-made disaster, public health emergency (PHE) or war). Second, ONC proposes to add two new conditions to the infeasible under the circumstances condition. The first new infeasibility condition, "third party seeking modification use," would apply to an actor's practice of denying a third party's request to enable use of EHI in order to modify EHI and particularly requests to create or delete EHI. For example, if a healthcare provider is legitimately concerned with the reliability of data from a third party that would be added to a patient's designated record set, then this exception may be used instead of the more complicated process of assessing and documenting the Preventing Harm exception. The second new infeasibility condition, "manner exception exhausted," would apply where an actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor, an alternative manner was offered but no agreement reached, and the actor does not provide access, exchange or use to others similarly situated. To encourage alternative solutions, ONC proposes to exclude from information blocking fees charged by the actor and license of interoperability elements, without requiring compliance with the Fees and License exception.

In addition, the Content and Manner Exception is renamed the Manner Exception. Further, ONC is proposing an additional condition for a Qualified Health Information Network (QHIN), Participant or Subparticipant to Trusted Exchange Framework and Common Agreement (TEFCA) to encourage participation in this common framework for network-to-network exchange of information. Under the current regulation, certain practices that are necessary to comply with the requirements of the Common Agreement framework may be deemed information blocking if the practice is not otherwise required by law. The proposed new condition offers actors certainty that qualified practices are covered by the Manner Exception if the elements are met. This aligns with a foundational policy construct underpinning the Manner Exception in that it facilitates an actor reaching agreeable terms with a requestor to fulfill an EHI request and acknowledges that certain agreements have been reached between these parties for the access, exchange and use of EHI.

Finally, under the HTI-1 Proposed Rule, language from the initial ONC Cures Act Final Rule relating to certain time frames which have already passed would be removed. Specifically, text regarding the temporarily narrowed scope of EHI would be removed as no longer necessary because the time frame has passed. As a result, the information blocking definition would be revised.

HIPAA Implications

Health IT limitations related to data segmentation and patient preferences related to both access and disclosure, specifically a patient's right to request restrictions pursuant to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule at 45 CFR 164.522, were also addressed in the HTI-1 Proposed Rule. ONC recognized a healthcare provider's desire to grant a patient's request for release of information to the patient or others and the difficulties arising from limited data segmentation functionality. ONC set out specific non-exclusive examples of when this may occur and requested comments on capabilities of health IT to segment data to support granting of such requests.

The HTI-1 Proposed Rule also recommends revisions to a new certification criterion specifically focused on supporting patient preferences related to their right to request a restriction on certain uses and disclosures of their personal health information (PHI) under the HIPAA Privacy Rule. This proposed functionality is focused specifically on supporting one health IT enabled mechanism for a patient to request a restriction on disclosure and for a covered entity to honor that restriction using a certified Health IT Module.

Following implementation of the information blocking regulations in the ONC Cures Act Final Rule, many actors had to determine how the provisions worked together with HIPAA Privacy, Security, and Breach Notification Rules, and other health information privacy laws. According to ONC, the information blocking regulations were designed with the understanding that many actors would be required to continue complying with HIPAA. On April 12, 2023, HHS' Office for Civil Rights (OCR) published a proposed rule detailing potential changes to the HIPAA Privacy Rule. ONC issued additional FAQs highlighting how HIPAA and the proposed HIPAA amended regulations work in concert under three scenarios:

• an actor does not disclose an individual's EHI based on the individual's request that the actor's EHI not be disclosed (FAQ47.1.2023APR)
• an actor does not fulfill a request to access, exchange or use EHI in order to comply with federal privacy laws that require certain conditions to have been met prior to disclosure (FAQ48.1.2023APR)
• an actor, such as a healthcare provider, that operates in more than one state implements practices to uniformly follow the state law that is the most privacy protective across all the other states in which the actor operates (FAQ49.1.2023APR)

For more details on the HIPAA proposed rule, please see Holland & Knight's previous alert, "HHS Proposes HIPAA Changes to Protect Reproductive Health Information," April 14, 2023.

For more information on information blocking compliance or questions regarding how the HTI-1 Proposed Rule may impact your business, please contact the authors or another member of Holland & Knight's HIPAA and Healthcare Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.