ONC officials offer update on information blocking rules compliance
At the Cerner Health Conference on Wednesday, two representatives from the Office of the National Coordinator for Health IT offered some updates on the compliance requirements of its 21st Century Cures information blocking rules published in March.
First, Deputy National Coordinator for Health IT Steven Posnack noted that, with an interim final rule under review at the U.S. Office of Management and Budget, those covered should keep their eyes peeled for some potential reshuffling of compliance dates due to the demands of the ongoing COVID-19 pandemic.
"We do have an interim final rule under review [at OMB] that will adjust certain timelines associated with the certification program and information blocking, so please be on the lookout for that," said Posnack. "You can expect certain adjustments to our timing and compliance requirements."
As of now, the start date for requiring adherence to the info blocking rules is November 2.
Wherever the new date might be moved, it will eventually arrive. In the meantime, those covered by the rules – healthcare providers, developers of certified health IT, health information networks and health information exchanges – should continue to prepare, he said.
The obligations under the law for each group may be unique, and "each of these actors are uniquely and individually accountable for their own conduct," he said.
But the ability of each to maintain compliance will have impact on other organizations across the ecosystem when it comes to information blocking. For instance, vendors such as Cerner are no longer just judged by ONC on the ability of their software to meet rigorous certification requirements.
With the 21st Century Cures Act, "Congress said, 'Not only do you need to look at the software itself, but you also need to evaluate the business practices and overall corporate compliance of health IT developers,'" said Posnack.
"And under our statutory requirements now, ONC would have to pursue oversight-related activities to correct that health IT developer's behavior."
Likewise, "if you're a healthcare provider and you're engaged in something that ultimately our Office of the Inspector General, who does enforcement on information blocking, sees that you have been inappropriately restricting information exchange, that could be subject to information blocking-related enforcement in the future."
At the same time, ONC has built in significant leeway with its rulemaking, establishing eight exceptions meant to offer covered entities "certainty that, when their practices with respect to accessing, exchanging, or using electronic health information meet the conditions of one or more exceptions, such practices will not be considered information blocking."
Five of them involve reasons for not fulfilling requests to access, exchange or use electronic health information:
- Preventing harm exception.
- Privacy exception.
- Security exception.
- Infeasibility exception.
- Health IT performance exception.
Three of them have to do with procedures around fulfilling requests to access, exchange or use EHI:
- Content and manner exception.
- Fees exception.
- Licensing exception.
At the Cerner conference, Rachel Nelson, branch chief for policy analysis and implementation in ONC's Regulatory Affairs Division, spent some time unpacking the content and manner exception, which has caused some confusion among various stakeholders.
"The content and manner exception is available where, let's say, an actor receives a request for electronic health information that they can legally and appropriately share – but they don't have the technical capability to facilitate this exchange or use of that electronic health information in the manner requested," said Nelson.
The exception's two main conditions, the content ("which I like to think of as the 'what,'" she explained) and the manner (the "how") must both be met to satisfy the exception, according to ONC.
Content, for these purposes – the "what" – is defined by ONC's United States Core Data for Interoperability, or USCDI, as a defined set of shareable health data classes and elements. Whereas for IT developers USCDI is simply a standard that must be met for certification, Nelson emphasized, for providers it "describes what information is within the scope of information blocking definition and is the scope of required content – what you would have to share."
As for the "how," the manner exception, it "offers a framework for working through alternative manners for sharing electronic health information when perhaps you can't meet the exact manner that was originally requested," she explained. "It offers a fairly wide array of options for how to make the electronic health information available and still be covered by this exception."
The exception "can be met even if you do not have all of the requested electronic health information," said Nelson. "And even if, for whatever reason that is appropriate, you cannot share all of the electronic health information that you do have.
"Perhaps a particular few pieces of information are covered by a state law that would prohibit you disclosing it in response to a particular request. You can still meet content and matter exception in that sort of a circumstance, as long as you meet the full conditions of the exception," she explained
"We encourage people to take advantage of the certainty they offer, that if your practices in responding to requests for access, exchange and use of electronic health information are consistent with the conditions of one or more exceptions, that those practices are not information blocking."
As Posnack explained earlier this year, the goal of the Content and Manner Exception is to "give stakeholders ... an opportunity to negotiate, in the open market, the ability to make available or electronic health information or access, exchange or use.
"So if I'm a requester and you happen to be one of those information blocking-covered actors, you and I would be able to engage in an open market negotiation and come to terms," he explained. "If we're able to do that, then both parties, it's a win-win for both parties. If we're unable to do that, per the statute, we still have an obligation to make sure that electronic health information is made available."