What is the information blocking rule?
The rule prohibits specified “actors” from interfering with the access, exchange, and use of electronic health information with some exceptions.
What is the effective date of the rule?
The rule became effective April 5, 2021, but the compliance schedule has been extended because of the pandemic.
Who must comply with the rule?
All health care providers who hold electronic health information, including those that do not use certified health information technology (IT) or are not HIPAA-covered entities, are required to comply with the rule. The rule also applies to developers of certified health IT, health information networks, and health information exchanges. The rule does not apply to healthcare providers who only use paper records.
Why is there an information blocking rule?
The rule is a part of the 21st Century Cures Act, which became law in December 2016. A major focus of the act is the acceleration of research in the prevention and treatment of serious illness and of drug and medical device development. It includes provisions that push for greater interoperability and the adoption of electronic health records. A key principle of the act is to ensure patients have the information they need to make their own health care choices as the country moves toward a value-based health care system. The vision is that patients will be able to access their own health information simply and inexpensively by using applications that interface with health care providers’ systems.
Additionally, the 21st Century Cures Act implements interoperability rules for certified health IT. Greater interoperability, where different electronic health systems securely and reliably exchange patient information, should improve efficiency, decrease unnecessary diagnostic testing and improve communications between different entities involved in inpatient care. Patient safety issues also should be more apparent within health IT in the future.
What types of data does the rule cover?
The 21st Century Cures Act requires the use of a standardized set of health data classes and constituent data elements known as the U.S. Core Data for Interoperability (USCDI). The data set includes patient demographics, clinical notes, vital signs, patient goals, and much more. The USCDI establishes the baseline of information necessary for interoperability and electronic health information exchange. The information blocking rule initially prohibits actors from interfering with the access, exchange, and use of USCDI data, with some exceptions. The current version of the USCDI is here.
Beginning Oct. 6, 2022, the data covered by the rule will also include any information that a patient has the right to request copies of under HIPAA.
What are exceptions to the rule?
Eight categories of reasonable and necessary activities have been identified as activities that do not constitute information blocking as long as specified conditions are met. These are:
- Preventing harm – An actor must hold a reasonable belief that blocking information will reduce the risk of harm, such as, for example, releasing a child’s information to a parent who is under suspicion for abuse.
- Privacy – A precondition is not satisfied, a denial for access follows HIPAA rule or an actor is complying with an individual request not to provide access, exchange, or use of their information.
- Security – Blocking information must be directly related to safeguarding the confidentiality, integrity, and availability of information.
- Infeasibility – Information is blocked due to an uncontrollable event, such as a natural disaster, or because the information cannot be segmented or is infeasible due to the circumstances.
- Health IT performance – Activity is time-limited and is solely for the purpose of maintenance or improvement to the system, or a third-party app is blocked because the app is negatively impacting the actor’s health IT performance, under specified conditions.
- Content and manner – Under certain conditions, an actor may limit the content and manner of its response to a request to access, exchange or use electronic health information.
- Fees – Under certain conditions, an actor may charge fees for providing access to, exchanging, or using electronic health information.
- Licensing – Under certain conditions, an actor may license interoperability elements for electronic health information to be accessed, exchanged, or used.
For full descriptions of the exceptions, including explanations of specified conditions, see this document from the Office of the National Coordinator for Health IT (ONC).
Does the Cures Act require health care providers such as dentists to use certified health IT?
No, it does not. Financial disincentives are applied when a health care provider who participates in Medicare/Medicaid does not use certified health IT.
Does the Cures Act require health care providers to establish a patient portal?
If a health care provider’s health information software/system has the capability to have a patient portal, that function must be enabled.
How does the rule impact how a dental practice responds to a patient’s request to obtain a copy of their record?
Dental practices that require a patient to submit a written request or to present in person will have to change their policies and procedures. Once patient identity is verified at the time of the request, a practice should comply with a patient’s request to the extent feasible or reach an agreement with the patient on an acceptable format for the copy. A dental practice may charge a fee to transfer information onto electronic media not to exceed the cost of labor and supply, and postage if applicable. No fee may be charged when a patient accesses their electronic information through the use of a portal or application program interface.
Who enforces the information blocking rule?
Although the ONC coordinates the adoption of both the information blocking rule and the interoperability standards, the Department of Health and Human Services Office of the Inspector General (OIG) will enforce the rule once a separate enforcement rule is finalized.
Why do dentists need to know about the information blocking rule?
Dentists need to know about this rule so they do not implement policies and procedures that constitute information blocking. Although most dental electronic health record systems currently do not have the capability to permit application program interfaces (APIs) access to the data they hold, this situation is likely to change in the next several years.
HealthIT.gov summary - https://www.healthit.gov/topic/information-blocking
HealthIT.gov FAQ - https://www.healthit.gov/curesrule/resources/information-blocking-faqs
Information Blocking Exceptions - https://www.healthit.gov/sites/default/files/cures/2020-03/InformationBlockingExceptions.pdf
What Healthcare Providers Need to Know About Information Sharing & the Information Blocking Regulation Webinar - https://www.healthit.gov/curesrule/resources/webinars