Global Health, Fitness and Medical Issues

The information blocking provisions of the 21st Century Cures Act officially went into effect this week, putting into focus the Department of Health and Human Services’ regulatory and compliance effort around HIPAA-required data sharing between applicable healthcare entities. 

 

Enacted by the 21st Century Cures Act in 2017 and implemented by a final rule in 2020, Congress defined information blocking and established penalties for providers that engage in practices that interfere with the access, exchange, and use of electronic health information.

 

The long-awaited info blocking provision established rules and penalties for non-compliance. The law carves out exclusions for providers if they meet an exception established by the HHS Secretary, or for other applicable reasons.

 

Starting April 5, relevant covered entities and business associates must comply. The Office for the National Coordinator recently released insights on just what the law’s enactment means for those relevant providers, as well as the areas HHS will focus on in the next 18 months.

 

For now, a smaller subset of electronic health data is in scope.

“Specifically, the electronic health information that cannot be blocked is limited to the data elements represented in the US Core Data for Interoperability,” ONC officials explained.

 

“This initial 18-month period and limited scope gives the regulated community time to grow more experienced with the information blocking regulation, including when and how to meet an exception, before the full scope of the regulation’s EHI definition comes into effect.” 

 

“Of course, those who are able to share more EHI than is represented by the USCDI need not wait to begin doing so,” they added. “Similarly, as a way to prepare for October 2022, we strongly encourage the regulated community to make all EHI available as if the scope of EHI were not currently limited.”

As the US surpasses its one-year milestone of the COVID-19 national emergency and subsequent Department of Health and Human Services’ HIPAA liability waivers, it’s the ideal time for providers to assess the health of their privacy governance and compliance programs.

INFORMATION BLOCKING PROVISIONS

To Sean Sullivan, a senior associate attorney with the Health Care Group of Alston & Bird, the industry should consider this period as breathing room: the enforcement arm of the rule hasn’t been fully enacted and the HHS liability waivers put into place for COVID-19 remain intact -- for now.

 

The info blocking provisions signal a sea of change for the industry, he explained. Providers had the last year to prepare for these drastic changes, and now ONC has stressed it will be focusing on this compliance area moving forward.

 

While the rules won’t immediately change things, it does provide new rights to accessing data between providers and other covered entities through authorized requests.

 

Sullivan stressed that it overlays HIPAA’s information sharing requirements that merely suggested providers may share data with other covered entities.

 

The new provisions make data sharing a requirement, or those efforts could be considered info blocking and a direct violation of the provisions. 

 

The timeline for data sharing has also changed from the previous 30-day requirement to “on a timely basis and without necessary delay.” There’s no strict deadline, rather an expectation that the data be immediately available, he explained.

 

The idea is to allow other healthcare providers to use their EHR or the platform of the connected covered entity to download the needed information.

 

“The expectation is that now data should be instantaneously available as long as it’s electronic,” Sullivan said. “And a lot of providers who miss those new timeframes are going to continue to fall back on that 30-day timeline. It’s a mistake.”

 

Instead, providers need to review their policies and procedures for all electronic data within their possession and determine whether the tech in place is capable of adhering to the provisions. They will also need to assess how to provide electronic data on a timely basis, via the EHR or even a patient portal.

 

“Frankly, the government has been struggling with [data sharing and info blocking] for some time,” Sullivan said. “But the financial services industry figured it out years ago.”

 

Sullivan also mused that providers, insurers, and specialists are operating within similar environments, but still the data sharing process has remained stagnant -- with the healthcare industry, as a whole, reluctant to change.

 

Previous arguments have stressed the sensitive nature of the data, while others have pointed to a lack of resources to invest in needed tech. There’s also an anti-competitive factor, where some providers worry that its patients may shop around at a competitor’s care site.