Part of Office of National Coordinators 21st Century Cures Act

The patient is at the center of the Office of National Coordinator (ONC) 21st Century Cures Act. Putting patients in charge of their health records is a key piece of patient control in health care, and patient control is at the center of HHS' work toward a value-based health care system. The ONC Cures Act Final Rule implements interoperability requirements outlined in the Cures Act. Patients need more power in their health care, and access to information is key to making that happen.  

Orion Health created a Standards workgroup in 2020 to address the U.S. requirements around the Office of National Coordinator (ONC) 21st Century Cures Act.  This workgroup has been diligently working to ensure the Orion Health Suite of Products comply with this requirement for our US HIE Clients. 

Part of the Cures Act includes requirements regarding information blocking which has an applicability date of 4/5/21.  Information Blocking “is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

What are examples of practices that could constitute information blocking?

Section 4004 of the Cures Act specifies certain practices that could constitute information blocking:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI;
  • Implementing health IT in ways that are likely to— 
  • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
  • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

Additional examples of practices that could constitute information blocking can be found in ONC’s Cures Act Final Rule.

Eight exceptions of information blocking rule:

The first five exceptions involve not fulfilling requests to access, exchange, or use EHI. The final three exceptions involve procedures for fulfilling requests to access, exchange, or use EHI.

  1. Preventing Harm

According to ONC, this exception “recognizes that the public interest in protecting patients and other persons against unreasonable risks of harm can justify practices that are likely to interfere with access, exchange, or use of EHI.” In short, organizations can deny EHI requests to protect patients and other consumers from harm. However, the potential risk and harm that would trigger the exception must be appropriately documented.

Is the responding organization able to segment sensitive records, such as those pertaining to behavioral health or substance abuse, for adults who have requested their information that providers believe may harm the patient or family member? Is the organization able to segment sensitive health records of minors, as protected by state and federal regulations, so parents do not have access to information they are not authorized to receive?

  1. Privacy

The information blocking provisions compels healthcare organizations to broaden EHI access to consumers, but it does not render existing federal and state privacy laws obsolete. Under this exception, organizations would not be required to disclose EHI in a way that is prohibited under applicable laws.

  1. Security

This exception covers risks to the integrity and security of the information and EHI systems. However, this exception is not to be used as a broad brush for request denials. To trigger this exception, healthcare organizations need to demonstrate that the denial is “directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.” Provider organizations should update relevant privacy and security policies or implement new policies to mitigate practices that prohibit or delay data sharing.

  1. Infeasibility

This exception speaks to the reasonability to fulfilling requests. ONC defines several instances where practical fulfilment of EHI requests is severely limited, such as natural or man-made disasters, public health emergencies, technological limitations, or the inability to “unambiguously” segment requested EHI.

  1. Health IT performance

This exception acknowledges that health IT may be temporarily offline for maintenance, improvements, or a cause beyond the control of the healthcare organization. With the exception, ONC makes clear that EHI requests do not take precedence over health IT performance. Organizations should review historical information or scanned records that are not immediately being shared to include legacy systems. Is the organization able to meet the requirement for making the information available?

  1. Content and manner

This exception provides clarity and flexibility to organizations concerning the scope of a request to access, exchange, or use EHI. For the next 24 months, the data requests that fall under the information blocking final rule include those identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

This exception also supports innovation and competition by allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI. Is your organization able to fulfill requests according to the USCDI definition and scale to meet expanded elements after the 24-month period? Are you technically able to provide the information and reach agreeable terms with the patient?

  1. Fees

The Cures Act final rule carved out an exception to permit healthcare organizations to charge fees for record requests to assist in the development of technologies and provision of services that enhance interoperability. However, fees must be based on objective and verifiable criteria and be reasonably related to the costs of access to or exchange or use of EHI.

  1. Licensing

This exception protects the investments organization make in innovation by permitting them to charge “reasonable royalties” to develop, maintain, and update those innovations. According to ONC, “an actor must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license within 30 business days from receipt of the request.”