The Office of National Coordinator (ONC) of the Department of Health and Human Services (HHS) has issued a Final Rule covering the 21st Century Cures Act. This Final Rule, published in the Federal Register, specifically covers the penalties for entities subject to the Act who engage in information-blocking practices. The original information blocking compliance date was September 1, 2023. The effective date of this Final Rule is July 31, 2024.
In this Article …
- What is the Rationale for the 21st Century Cures Act?
- Who is Subject to the 21st Century Cures Act Disincentives for Information-Blocking?
- What are Information-Blocking Practices?
- What are the Exceptions to the Information-Blocking Provisions?
- What are the Specific Disincentives for Violating the Information-Blocking Provisions?
Before we get to the penalties, we should briefly review the rationale for, and main provisions of, the 21st Century Cures Act.
What is the Rationale for the 21st Century Cures Act?
In passing the 21st Century Cures Act in 2016, Congress was responding to concerns about the lack of response to patient requests for copies of medical records. The goals of the Act included:
- Giving patients more control of their electronic health record, and enabling patient use of smartphone applications;
- Fostering the exchange of electronic health information to affect affordability and quality of patient care;
- Promoting transparency through technology, enabling patient comparisons based on costs and quality. This technology includes applications (APIs) developed by third-party developers for use by patients to access and utilize their medical record information.
And there were sticks (though no carrots) for providers and other compilers of health information in the form of penalties for information blocking.
Who is Subject to the 21st Century Cures Act Disincentives for Information-Blocking?
Health Care providers of all types are subject to the information-blocking provisions of the 21st Century Cures Act. These range from hospitals and all types of institutional health care providers in the health care system to physicians and any other category of practitioners or clinicians.
Accountable Care Organizations (ACOs) are also subject to appropriate disincentives for violating information-blocking regulations. And the disincentives can apply to both the ACO as a whole, and to individual health care provider participants in the ACO.
What are Information-Blocking Practices?
Information Blocking regulations include the following definitions:
- Information blocking means a practice that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information (EHI); and
- If conducted by:
- A health information technology developer, health information network, or health information exchange, such developer, network, or exchange knows, or should know, that such practice is likely to interfere with access, exchange, or use of EHI; or
- A health care provider, such provider knows that such practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.
All of the entities covered by the 21st Century Cures Act are referred to as “actors“.
So while the 21st Century Cures Act applies to a broad range of actors including health information networks and health information exchanges, the penalties for violating information blocking provisions only apply to health care providers and ACOs who participate in Medicare – for now.
What are the Exceptions to the Information-Blocking Provisions?
There are eight exceptions for health care providers and health information technology vendors to information blocking requirements acknowledged by the National Coordinator in the Final Rule. There is a ninth exception involving actors participating in the Trusted Exchange Framework and Common Agreement (TEFCA). All have conditions to the exceptions. Naturally, the conditions are subject to interpretation.
- Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. One important condition is the requirement to consider the risk of harm on a case-by-case basis. For instance, it is not acceptable for a physician to refuse to provide patients with access to laboratory results until the physician has reviewed them on the basis that some patients might be harmed if they do not receive results directly from the physician vs. available in a patient portal.
- Privacy Exception: It will not be considered information-blocking if an actor does not fulfill a request to access, exchange, or use EHI to protect an individual’s privacy. Conditions to this privacy exception mainly revolve around provisions of the Health Insurance Portability and Accountability Act (HIPAA) that restrict or facilitate access to EHI.
- Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI to protect the security of EHI. One important condition here is that an actor must either implement a qualifying organizational security policy or implement a qualifying security determination.
- Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request. There is a long list of conditions to this exception, including the requirement for actors to provide a written response to the requestor within ten (10) business days of receipt. The response must also include reasons why the request is infeasible.
- Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health It temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT. One of the key exceptions is the ability of an actor to take action against a third-party app that is negatively impacting the health IT’s performance.
- Manner Exception: It will not be information blocking for an actor to limit how it fulfills a request to access, exchange, or use EHI. Conditions include fulfilling a request in an alternative manner when the actor is technically unable to fulfill the request in the manner requested.
- Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI. One of the key conditions is that the fee cannot be based on whether the requestor is a competitor or a potential competitor.
- Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used. The key conditions here include negotiating timely with requestors on specific issues such as reasonable royalties.
- TEFCA Manner Exception: It will not be considered information blocking for an actor to fulfill certain requests for access, exchange, or use of EHI only via TEFCA. Some of the key conditions to this exception include the requirement that both the actor and the requestor are part of TEFCA, and the requested EHI can be supported via TEFCA for both the actor and requestor.
As you can imagine, it may take years, and probably some lawsuits, for actors to understand how investigations by the HHS Office of Inspector General (OIG) will add to the interpretation of the information blocking exceptions over time.
What are the Specific Disincentives for Violating the Information-Blocking Provisions?
As noted above, disincentives (or penalties) for information-blocking practices initially apply only to health care providers who participate in the Medicare program. In future rulemaking, the HHS Secretary may come up with disincentives for other entities such as IT developers, who are subject to the 21st Century Cures Act.
- Medicare Promoting Interoperability Program (MIPS): Eligible hospitals and critical access hospitals (CAHS) will not be considered a meaningful user of electronic health records (EHR) in the reporting period where the information blocking took place. Eligible hospitals will see a reduction of three-fourths of the annual market basket update. CAHs will receive only 100 percent of their reasonable costs, instead of 101 percent.
- Quality Payment Program: MIPS Eligible clinicians will not be considered meaningful users of EHR, receiving a zero score on Promoting Interoperability in the MIPS scoring system. In a group practice setting, the referral to the OIG may only concern an individual physician, depending on the facts and circumstances of the information-blocking event.
- Medicare Shared Savings Program: ACOs, ACO participants, or ACO providers/suppliers may be deemed ineligible to participate in the ACO for at least one year. Such a finding may even impact the ability of the ACO to participate in the Shared Savings Program.
CMS says the OIG will not investigate any conduct by health care providers that took place before the effective date of the Final Rule. It will also not impose any disincentives imposed on participants in the Shared Savings Program until after January 1, 2025.
So at least for health care providers, this is the other shoe-dropping on the 21st Century Cure Act. OIG has received over 1,000 complaints related to information blocking as of June 30, 2024, the vast majority of them from patients about health care providers.
If you have not already updated your policies and procedures for information-blocking regulations and thought about how exceptions may affect your ability to deny requests, now is the time to get started!