Information Blocking: What Vendors and Programmers Need to Know | White and Williams LLP


Federal application of 21st The Century Cures Act (the Cures Act) prohibitions on the abusive blocking of electronic health information are intensifying. The Cures Act Already Targets Tech Developers and Health Information Networks for Sanctions; now, enforcement is underway against healthcare providers who improperly block the exchange of information.


The 21st The Century Cures Act was signed in December 2016 by President Obama to accelerate medical product development and healthcare innovations. By removing barriers to the necessary and effective sharing of electronic health information (EHI), the final rule released by the Office of the National Coordinator of Health Information Technology (ONC) gives patients access to essential data of their own electronic health record. Until October 5, 2022, for purposes of the information blocking definition, EHI is limited to a specific federal dataset that includes eight types of clinical notes that must be shared upon request. After October 5, 2022, health information providers and networks must make available everything asked for the electronic health information they have. (Psychotherapy notes are excluded from the definition of EHI for information blocking purposes.)

Examples of information blocking may include:

• Require written patient consent before sharing patient EHI with unaffiliated providers;

• Charging excessive fees that make the exchange of electronic health information prohibitive;

• Adopt policies or contractual arrangements that restrict or prevent the sharing of information with patients or their healthcare providers;

• Falsely citing the HIPAA Privacy Policy as a basis for refusing to share information;

• Healthcare providers or IT vendors who limit or discourage the sharing of information with other providers or with users of other IT systems;

• Erect technological barriers that decrease the portability of EHI with different computer systems, services or applications that follow nationally recognized standards;

• “Lock” patients or providers to a particular technology or healthcare network because their electronic health information is not portable.

The 21st The Century Cures Act provides eight categories of “safe harbor” exceptions under which it may be appropriate to restrict or block the transmission of electronic health information. When specific preconditions are met, five exceptions allow the outright blocking of information to prevent harm, to protect an individual’s privacy, to protect the security of electronic data, for periods necessary for upgrades to the system and when the sharing of information is technically impossible. The remaining three safe harbors focus on what and how data is shared, fees charged for data sharing, and developer licenses for electronic health information interoperability elements.


The anti-information blocking part of the 21st Century Cures Act targeted software developers who incorporated technology into their platforms that prevented users from sharing medical information with other developers’ platforms. Originally, these practices were sometimes touted as necessary to comply with HIPAA, but they had the practical effect of protecting a programmer’s or firm’s proprietary ownership of patient health information. The 21st The Century Cures Act empowers the HHS Office of Inspector General (OIG) to impose civil monetary penalties of up to $1 million against software developers, networks, or exchanges that interfere with the proper exchange of information. electronic health information.

During his visit, on the 21st Century Cures Act omitted specific penalties for health care providers who inappropriately withheld information; it focused more on programmers and networking. Yet as software developers and networks comply with the Cures Act, more than 75% of complaints about information blocking in the past year have focused on vendors who allegedly blocked the right stream. information. Patients and providers cited alleged inappropriate behavior by hospitals, health care facilities, physicians, and other providers. Filing a complaint is easy – those who are frustrated with the blocking of information can file complaints with the Office of the National Coordinator. The Cures Act authorizes the HHS Inspector General’s Office to investigate any information blocking allegations. The identity of the complainants is protected from disclosure under the Cures Act.

In public comments at the March 2022 Global Health Conference of HIMSS (the non-profit Healthcare Information and Management Systems Society) and again at an annual meeting of the ONC in April 2022, HHS Secretary Xavier Becerra announced that enforcement plans for cures against health care providers who inappropriately block information are a “top priority.” Blocking information, Secretary Beccera said, causes stress for patients and families, as well as frustration for staff. Becerra criticized a case where a patient was told to wait weeks for access to test results while his doctor was on vacation. “This is not the kind of customer experience any of us should expect, certainly not in the 21st century, from our healthcare system.”

HHS plans to announce a specific civil monetary penalty enforcement regime by the end of 2022. Similarly, the Centers for Medicare and Medicaid Services (CMS), the largest payer and regulator of medical practices, announced their interest in imposing civil monetary penalties on claimants. that unduly block the sharing of electronic health information.

practice pointers

Healthcare systems, hospitals, practitioners and private practices will want to anticipate upcoming sanctions announcements with a careful focus on compliance with 21st Century Cures Act and its regulations. Organizations shouldn’t just assume that their electronic medical records provider takes care of everything.

Both to comply with the law and to defend against future allegations of impropriety, organizations will want to establish a precise, clear and codified process for evaluating requests for information. It is essential that the necessary personnel know where the safe harbors are — and where they are not.

Likewise, vendors should create careful and accurate documentation of any instances in which they refuse to share requested information. Some organizations develop checklists or logs that record who requested what information, the organization’s assessment of the request, and its response. By developing a thoughtful compliance process to assess each specific claim, healthcare organizations will be well prepared to defend themselves against unwarranted complaints filed with the ONC by frustrated record claimants.

[View source.]


Comments are closed.