ONC officials describe requirements of new API, information blocking rules
The long-awaited interoperability and information blocking final rules published by the Office of the National Coordinator for Health IT on Monday will require some big changes to the ways healthcare organizations – specifically providers, certified health IT developers and health information networks and exchanges – have been used to doing things.
The sweeping new regs – which update software certification requirements, mandate APIs usable "without special effort" and put rules in place to combat information blocking and anti-competitive practices – will require some significant cultural adjustments and material investments from healthcare orgs hoping to stay compliant with the law.
The good news, according to ONC, is that the enforcement of the law won't be immediate, and there will be a two-year phase-in period allowing these organizations to acclimate and get up to speed with the new requirements.
"Those rules won't be enforced at all for the first six months, and in fact we are still working on the rule work of how they'll be enforced, and what the disincentives will be," said National Coordinator for Health IT Dr. Donald Rucker in a press call on Monday.
"When the rule is officially published, that will be the real starting line for the industry," said Deputy National Coordinator Steve Posnack.
That pub date is not yet official – it's up to the Office of the Federal Register – but could be within the next few days. From there, "the first six months under information blocking will be a delayed compliance applicability for the rule," Posnack explained.
"No enforcement will be rendered on anything related to information blocking," he said. "It's an opportunity for stakeholders and those covered by the rules to educate themselves, prepare themselves and start to change their operating procedures to be in compliance with the rules."
'Phased in, gradual approach'
But once compliance for info blocking and API requirements begins in six months – and for 24 months thereafter – covered healthcare organizations will be required to share electronic health information defined by ONC in its United States Core Data for Interoperability set.
"Any data outside of the USCDI for the first 24 months will not be within scope from an enforcement perspective," said Posnack.
Then, "when you hit two years, that's when the full electronic health information definition kicks in." That definition, he said, is linked to the broader HIPAA-designated record set definition for electronic protected health information.
"The easiest way to think about it," Posnack explained, is that "all of the data that you have the ability to access under the HIPAA Right of Access rule, that is data that's part of the designated record set and cannot be blocked."
The timeline is meant to enable a "phased in, gradual approach to the full scope of electronic health information over a period of two years," he said.
Balancing stakeholder demands
In the meantime, there are plenty of other implications of the new info blocking rules that providers, vendors and HIEs will need to understand.
There are more than 1,200 pages of the ONC rule – which was drafted in response to more than 2,000 public comments received since the proposed rules were issued a year ago.
Since then, the potential regulations have sparked plenty of controversy among the various, very different stakeholders across the healthcare ecosystem: veteran health IT vendors, consumer-facing tech startups, hospitals and health systems, privacy experts, patient advocates and others.
"The length of the rule is largely responses to the comments and our rationale for the various items in the rule," said Rucker. "Hopefully you'll see the reflection we did on the large number of comments. In particular, we've adjusted some of the timelines, and the scope of data with the USCDI."
ONC has also "refined some of the conditions on screenshotting," he said – referring to new rules around vendor gag clause provisions that allow doctors, nurses and hospitals to document challenges with their IT systems' usability, patient safety, security, and interoperability using computer screenshots and, in certain cases, video.
Specifically, the final rules seek to prevent vendors from stifling these methods of documentation – while also allowing them certain latitude to "restrict communications that involve intellectual property," according to an ONC fact sheet.
"We've tried to get the balance that was envisioned by Congress into that section," said Rucker.
Content and Manner Exception
One of the biggest differences between the proposed and final rules lies in the exceptions under which info blocking is in fact permissible.
"We started with seven exceptions and we finished with eight," said Posnack.
The new one is known as the "Content and Manner Exception," and it holds that "it will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met."
The goal, according to ONC, is to enable "innovation and competition by allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI."
"Based on feedback from industry and other comments we received, we've approached a balance dynamic where we give stakeholders in the market an opportunity to negotiate, in the open market, the ability to make available or electronic health information or access, exchange or use," Posnack explained.
"So if I'm a requester and you happen to be one of those information blocking covered actors, you and I would be able to engage in an open market negotiation and come to terms.
"If we're able to do that, then both parties, it's a win-win for both parties," he said. "If we're unable to do that, per the statute, we still have an obligation to make sure that electronic health information is made available for access, exchange and use.
"Then there would be a subsequent approach, which we call alternative manner, which then creates some guidelines and guardrails and boundaries around which those negotiations need to occur – with a focus on using standards that are part of our certification program, then using nationally available standards."
The aim, said Posnack, is to "give a market opportunity for stakeholders to negotiate freely. And if those negotiations don't work out, then we have introduced a set of guidelines and guardrails for them to follow."
FHIR v4, privacy and security
With respect to privacy and security, he noted that the final rules specify the newest FHIR version 4 as the spec around which the industry must coalesce, and have included "additional accompanying implementation specifications for how app developers securely connect to those APIs, as well as the patient choices that would need to be made technically available to them," said Posnack.
"If I select an app to connect to my healthcare provider's FHIR-based API, I'll first need to log in and give them my credentials, authenticate myself and then I will also have the ability to choose which data is within the USCDI that I would like to authorize the app I've chosen to receive," he said.
"It's a very important pro-consumer, pro-choice ability for consumers to dictate and be in charge of what health data they use to share with applications."
Posnack noted that the covered actors under the new regs – developers of certified health IT, health information exchanges and networks and healthcare providers – should avail themselves of the many fact sheets put together by ONC, which offer high-level overviews of the many complex aspects of the final rules.