The 21st Century Cures Act tasked the Office of the National Coordinator for Health IT with identifying the categories of reasonable and necessary practices that do not constitute information blocking. So the ONC came up with seven of them.
That’s the idea behind its Feb. 11 proposed rule to implement certain Cures Act provisions. Along with information-blocking exceptions, the rule would also implement information-blocking policies that support patient electronic access to their health information at no cost.
Information blocking according to the Public Health Service Act is a practice that “is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information.” It’s broken into two groups of actors: information blocking conducted by certified health IT developers, health information exchanges or health information networks; and information blocking conducted by health care providers.
After many meetings led by ONC National Coordinate for Health IT Dr. Don Rucker, and whiteboarding and stakeholder sessions with the Office of the Inspector General (the enforcing body), ONC learned of many of the information-blocking situations seen in the health care space.
“One of the things that I think we noticed through all of those meetings and all of that engagement was that information blocking happens in a lot of different ways,” said Elise Sweeney Anthony, executive director of policy at ONC, in a Feb. 12 panel at the Healthcare Information and Management Systems Society conference in Orlando, Florida.
Anthony said ONC thought about a case-by-case analysis, an “individualized approach,” she called it, with guardrails and exceptions to make sure that the health care industry knew what it was expected to do.
“Those exceptions are kind of built into our thinking of what is information blocking,” Anthony said. "You are an information blocker unless . . . required by law, or unless you fall into one of these exceptions."
(It’s important to note that information blocking relates to electronic health information and the movement thereof, and that these exceptions — which fall under a narrow case-by-case basis analysis — are based on the presumption that information is being shared.)
Preventing Harm
This relates to safety. “If there is a reasonable and necessary belief that you will prevent the physical harm of the patient, then this is where that exception would come into place,” Anthony said.
Promoting the Privacy of Electronic Health Information
This exception aligns with the Health Insurance Portability and Accountability Act (HIPAA) and doesn’t just mean meeting the overarching exception. There will be further assessment.
“What we need to provide is specificity so that not only are the actors, who are subject to this provision, understand what they're being held to, but also so that there’s clarity, that this is not designed for privacy to be used as a reason to block information, but also that we do want to protect the patient privacy and the overall system operation,” Anthony said.
ONC identified four specific risk categories: satisfying preconditions prescribed in privacy laws, practices not regulated by HIPAA but implement documented and transparent policy practices, denial of access practices under HIPAA, and patient preferences.
Promoting Security of Electronic Health Information
To claim this exception, it has to be related to confidentiality, integrity and availability of electronic health information. The practice also must implement an organizational security policy.
Recovering Costs Reasonably Incurred
ONC discovered there were situations where cost was being used as a way to block the flow of information, directly or as it relates to various interfaces. “What we don’t want to do is say all costs are not allowed because there could be situations where there is a reasonable cost that is incurred and we don’t want to stifle innovation or stifle innovative development that can happen,” Anthony said. ONC identified some of those cost structures.
Responding to Requests that are Infeasible
There could be scenarios where, depending on the way the information is being requested, the request itself is infeasible. “But the analysis wouldn’t stop there,” Anthony said, “that wouldn’t get you an exception.” There will be a consideration of whether reasonable alternative means were taken to try to get the information where it needed to go.
Licensing of Interoperability Elements on RAND Terms
There could be a situation where a health entity is using a specific innovation that allows for the ease of information to flow, and ONC isn’t requiring that to be free, but it can be licensed under Reasonable and Non-Discriminatory Terms.”We don’t want to create an environment where we are stifling the industry, or we’re not allowing for costs that really do occur in the movement of information, but where that’s happening, you need to figure out ways to make sure that those costs are reasonable,” Anthony said, or that the interoperability elements are being licensed under RAND terms. There are a list of conditions and steps to ensure this exception is suitable.
Maintaining and Improving Health IT Performance
There are situations where a health IT or developer system has to be taken down for safety reasons to correct or fix a bug, or to implement updates. In this case, patient-requested information may be delayed or stalled.
ONC’s proposed rule will be open to comments, and Anthony said ONC is also requesting information on additional exceptions.
“We need to hear from you" to ensure these seven exceptions and related components encompass the various situations possible, or if they’re too broad or narrow, said Anthony.
