Taking Health IT to the Next Level – Interoperability and Information Blocking

Interoperability

In 2015, ONC published a Report to Congress on Health Information Blocking.⁴ ONC reported that despite $28 billion in federal subsidies since enactment of the HITECH Act in 2009,⁵ there were still obstacles to a fully interoperable health system. While the federal government had been largelay successful in enticing the healthcare industry to adopt CHIT, there were still barriers to interoperability. ONC recommended congressional action addressing inappropriate information blocking.⁶ ONC noted that most of the unsolicited complaints of information blocking were directed at IT developers of CHIT. Those complaints included such practices as charging cost-prohibitive fees to send, receive, or export data, to develop software interfaces in support of interoperability, or to use third-party health IT modules.⁷  ONC also cited other examples of information blocking in the Report, such as Healthcare Providers inappropriately citing the HIPAA Privacy Rule⁸ as a reason for denying access to electronic health information (EHI) for treatment purposes and Healthcare Providers restricting access to EHI when requested by competitors or unaffiliated Healthcare Providers.

Without a great deal of fanfare, Congress passed the 21^st Century Cures Act⁹ (Cures Act) with overwhelming, bipartisan support. Section 4004 of the Cures Act defined “information blocking” and provided HHS with broad rulemaking authority regarding it.

On March 4, 2019, ONC published proposed regulations for comment.¹⁰ On May 1, 2020, ONC published its Final Rule.¹¹ Unfortunately, by then the unprecedented COVID-19 crisis had reached the United States. In response, ONC issued an interim final rule on November 4, 2020 extending various compliance deadlines.¹²

The Final Rule is complex for at least four reasons. First, there are actually two sets of regulations. The first set of regulations relates to interoperability and is codified at 45 C.F.R. Part 170. Broadly speaking, these regulations set technical standards for how CHIT systems must speak and relate to each other to be certified by ONC. The second set relates to information blocking and is codified at 45 C.F.R. Part 171. Second, the Final Rule defines and relates to three different “Actors” - Healthcare Providers, IT Developers, and HINs/HIEs.¹³ Third, although ONC was careful to make the Final Rule consistent with HIPAA, the Final Rule overlaps and cross-references technical and important provisions of the HIPAA Privacy Rule. Fourth, the Final Rule also overlaps with other state and federal privacy laws with which Healthcare Providers must comply, such as laws governing the disclosure of mental health records and substance use disorder records. 

Information Blocking

Congress defined “information blocking” in the Cures Act as “a practice that … is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”¹⁴ Importantly, for purposes of the information blocking regulations, EHI does not include psychotherapy notes (as defined in HIPAA)¹⁵ or information compiled in reasonable anticipation of litigation.  Moreover, with respect to EHI, through May 2, 2022 EHI includes only those data fields set forth in the United States Core Data for Interoperability (USCDI) standards, which includes, among many other things, discharge summary notes, history & physical notes, progress notes, consultation notes, radiology reports, laboratory reports, pathology reports, and procedure or operative reports.¹⁶

To constitute information blocking, Healthcare Providers have to know that a practice is unreasonable and is likely to lead to information blocking. All other Actors (i.e., IT Developers, HINs, and HIEs), have to know or should know that such a practice will lead to information blocking.¹⁷ Congress gave HHS broad regulatory authority to identify activities that do not constitute information blocking.¹⁸

The language agreed upon by Congress in the Cures Act suggests particular concern with IT developers engaging in information blocking as is evidenced by the difference in the intent standard in the definition of information blocking itself. In addition, the Cures Act states that the “term ‘information blocking,’ with respect to an individual or entity, shall not include an act or practice other than an act or practice committed by such individual or entity.”¹⁹  For example, Healthcare Providers will not be penalized for the failure of developers of health information technology to meet the certification requirements in the Cures Act and Final Rule.²⁰ It appears that Congress wanted to avoid imposing liability on Healthcare Providers for information blocking committed by IT Developers.

In addition, ONC created a regulatory “long-arm” to reach non-certified technology produced by IT Developers to ensure that IT Developers cannot engage in information blocking even through non-certified technology. Section 45 C.F.R. 170.401 prohibits an IT Developer from taking any action that constitutes information blocking. ONC has made it clear that this requirement relates to all products and services of the IT Developer, not just its certified items.²¹ Thus, if an IT Developer creates an electronic health record system that consists of some modules that are certified and some that are not (a radiology imaging component, for example), the information blocking prohibition will relate to all of the modules (including the radiology component).

The 2019 proposed rule provided numerous examples of information blocking.²²  As it relates to Healthcare Providers, many of these examples focused on anti-competitive practices. For example, a hospital may engage in information blocking if it directs its electronic health record developer to configure technology so that users cannot easily send electronic patient referral and associated EHI to unaffiliated providers.  Although not anti-competitive, the proposed rule also stated that a Healthcare Provider may engage in information blocking if the Healthcare Provider has the ability to provide same-day access to EHI to a patient in the form and format requested by the patient, but takes several days to respond. Since publishing the Final Rule, ONC has also hosted several webinars and published Frequently Asked Questions²³ that provide further examples of information blocking. Despite these examples, the analysis of whether an Actor engaged in information blocking is extremely fact-sensitive and will need to be analyzed on a case-by-case basis. 

Exceptions to Information Blocking

ONC adopted eight exceptions to the general prohibition on information blocking in two separate categories. The first category includes five exceptions that result in the denial of requests to access, exchange, or use EHI. The second category includes three exceptions that relate to procedures for fulfilling requests to access, exchange, or use EHI.  When an Actor relies on an exception, it must ensure that it satisfies all elements of the exception at all relevant times and applies the exception in a consistent and non-discriminatory manner. 

Denials of Requests

Preventing Harm Exception

A Healthcare Provider may prevent access, exchange, or use of EHI to prevent harm under limited circumstances. ONC intended to make the Preventing Harm exception consistent with Section 164.524(a)(3) of the HIPAA Privacy Rule relating to the ability of a Healthcare Provider to deny individuals access to their protected health information to prevent harm. The provisions of ONC’s exception and the Privacy Rule are consistent.  However, Healthcare Providers should carefully review similar state law provisions to ensure consistency or understand the differences.  For example, in Indiana, the standard for how to withhold mental health records in order to prevent harm differs slightly from the standard under both HIPAA and the Information Blocking Rules.²⁴

The Preventing Harm exception requires the Actor to hold a reasonable belief that blocking access to the records will substantially reduce a risk of harm to a patient or another individual and the practice must be no broader than necessary to substantially reduce such harm. The nature of the harm to be prevented depends upon whose access is being blocked. If the patient is personally requesting the records, the harm to be avoided must be a reasonable likelihood of danger to the patient’s life or physical safety.²⁵ If a legal representative is requesting records, the harm must be a substantial harm. If the patient or the patient’s legal representative is requesting records that reference another natural person, the harm to be avoided must be substantial harm.

In each case, the risk of harm must be (1) determined on an individualized basis, (2) in the exercise of professional judgment, (3) by a licensed healthcare professional, (4) who has or had a clinician-patient relationship with the patient. The Actor must establish any practice that limits access to prevent harm in a manner consistent with the HIPAA Privacy Rule that provides patients a right to have the determination reviewed.

An Actor may also withhold access to records to prevent harm if the Actor reasonably suspects that the records have become misidentified, mismatched, or corrupted due to technical failure or otherwise. In such circumstances, the risk of harm need not be determined by a licensed healthcare professional who has or had a clinician-patient relationship with the patient. However, the risk of harm must still be (1) substantial or (2) reasonably likely to endanger the life or physical safety of the patient, depending upon who is requesting the records.

The withholding of access to records to prevent harm must be pursuant to a written organizational policy that is based upon relevant clinical, technical, and other appropriate expertise. In the absence of a written policy, the blocking of access must be based on expertise that leads the Actor to reasonably believe withholding the information will substantially reduce a risk of harm and that the practice is no broader than necessary to reduce such harm.

The Preventing Harm exception has implications for several areas that Healthcare Providers may face in their everyday practice, such as the disclosure of sensitive lab results and the disclosure of records to parents of a minor.  For example, as it relates to lab results, a Healthcare Provider cannot utilize a blanket delay of several days so that the ordering clinician can evaluate each result for a potential risk of harm associated with the release of the lab results.  Instead, if a patient requests the lab results, the Healthcare Provider must provide them without any unnecessary delay. In practice this means (and ONC’s intent appears to be) that patients may receive lab results at the same time or prior to the ordering clinician.  In addition, ONC has specifically stated that as it relates to lab results, a clinician typically orders those in the context of a physician-patient relationship. The physician can proactively determine whether the release of lab results without first consulting with the patient would cause harm and, if so, ensure that all elements of the Preventing Harm exception are met.  Given the elements of the Preventing Harm exception, this will likely only be applied to withholding lab results in unusual and extreme circumstances, all of which must be based on an individualized analysis.²⁶

Privacy Exception 

An Actor may prevent access, exchange, or use of EHI to protect an individual’s privacy in certain circumstances. The Privacy exception appears at 45 C.F.R. 171.202. ONC created three different sub-exceptions related to the Privacy exception. The first relates to situations where the person requesting access has failed to satisfy a precondition to gain access (such as provision of a proper consent). The second relates to IT Developers who are not subject to the HIPAA Privacy Rule but who are acting to protect the privacy of a person. The third sub-exception relates to situations in which the patient restricts access.

An Actor may block access to health information if all of the preconditions for access have not been met. When those preconditions are based on state or federal law, the Actor’s practice must be tailored to the applicable precondition that is not satisfied and must be implemented in a consistent and non-discriminatory manner. In addition, the practice must be based on a written organizational policy setting forth the criteria for denying such requests which is implemented by the Actor and with respect to which the Actor has trained its work force. If the practice is implemented without a written policy, specific denials must be documented on a case-by-case basis, identifying the criteria that were applied and the reasons why the criteria were not met.²⁷

If the precondition at issue relates to a consent or authorization form (perhaps the most likely scenario) and the Actor has received a form that does not satisfy its requirements, the Actor must take reasonable steps to assist the individual requesting access to submit a valid form and must not improperly encourage the individual to withhold consent or authorization. Presumably, the rejection of an invalid patient authorization form, without more, would not satisfy the exception and could, therefore, constitute information blocking.

If the Actor declining to fulfill a request is an IT Developer that is not covered by the HIPAA Privacy Rule, the practice must promote the privacy interests of an individual and must be pursuant to an organizational privacy policy disclosed in advance to the individual and entities that use the product or service. The privacy policy must comply with applicable law, be tailored to address the specific privacy risk or interest being addressed, and be implemented in a consistent, non-discriminatory manner.²⁸

Actors may decline to fulfill requests for EHI where the individual who is the subject of the information has requested that it not be shared so long as the request was made without any improper encouragement or inducement by the Actor. The Actor must document any such request to restrict access within a reasonable time that the request was made. Additionally, the Actor’s practice of restricting access, where the patient requests it, must be applied consistently and in a non-discriminatory manner. The Actor may terminate the patient’s request under specific circumstances set forth in the exception.²⁹

Security Exeption

An Actor may elect not to fulfill a request for EHI to protect the security of EHI in certain circumstances. The Security exception appears at 45 C.F.R. 171.203. To satisfy the exception, the practice must be (1) directly related to safeguarding the confidentiality, integrity, and availability of EHI, (2) tailored to the specific security risk being addressed, and (3) implemented in a consistent and non-discriminatory manner.

If the practice implements an organizational policy, the policy must be written,  must be based upon and directly responsive to identified security risks, must align with “one or more applicable consensus-based standards or best practices”³⁰ and must provide objective timeframes and other parameters for identifying, responding to and addressing security incidents. If the practice is not pursuant to an organizational policy, the Actor must have made a determination in each case, based on particularized facts and circumstances that the practice is necessary to mitigate the risk and that there are no reasonable and appropriate alternatives to the practice.³¹

Infeasibility Exception

An Actor may prevent access, exchange, or use of EHI due to the infeasibility of the request. The Infeasibility exception appears at 45 C.F.R. 171.203. ONC provided for three types of infeasibility in the exception: (1) uncontrollable events; (2) data segmentation issues; and (3) infeasibility under the circumstances.

Uncontrollable events include all of the usual force majeure suspects: natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunication or internet service interruption, or act of military, civil or regulatory authority. Section 45 C.F.R. 171.200 states that a practice will not be considered information blocking if all applicable requirements of the exception are met “at all relevant times.”³² Thus, once the uncontrollable event has passed or subsided, the exception would no longer exist.

If a patient’s medical information is commingled with another patient’s information and the Actor “cannot unambiguously segment the requested EHI,”³³ the Actor may refuse to fulfill the request if the other individual’s information cannot be legally disclosed. This situation can arise when patients share identification cards or insurance cards and the electronic medical record contains commingled information that is not easily separable.

Finally, an Actor may decline to fulfill a request if the Actor can demonstrate that its decision was based upon its consistent and non-discriminatory consideration of the following factors: (1) the type of EHI and the purposes for which it may be needed; (2) the cost to the Actor of complying with the request in the manner requested; (3) the financial and technical resources available to the Actor; (4) whether the Actor's practice is non-discriminatory and whether the Actor provides the same access, exchange, or use of EHI to its companies or to its customers, suppliers, partners, and other persons with whom it has a business relationship; (5) whether the Actor owns or has control over a predominant technology, platform, HIE, or HIN through which EHI is accessed or exchanged; and (6) why the Actor was unable to provide access, exchange, or use of EHI consistent with the content and manner exception at § 171.301 and discussed below. The Actor may not consider whether fulfilling the request would facilitate competition with the Actor or prevent the Actor from charging a fee or from charging its full fees.

If that were not enough, if the Actor declines to fulfill a request under the Infeasibility exception, it must provide the requester the reasons for its decision, in writing, and within 10 business days.

Health IT Performance Exception

ONC anticipates patients and consumers accessing their EHI in much the same way customers access their electronic banking information. With the Final Rule’s focus on application programming interfaces³⁴ and the restrictions on IT Developers’ fees and royalties, ONC looks forward to the development of consumer apps that will access health IT systems. As such, an exception to the prohibition on information blocking for temporary maintenance and upgrades of IT systems is necessary.

ONC included the Health IT Performance exception at 45 C.F.R. 171.205. In general terms, the exception provides for both planned and unplanned network downtime (which includes network degradation). The exception generally requires that the downtime be no longer than necessary and implemented in a consistent and non-discriminatory manner. If the downtime is triggered by an IT Developer, the downtime must be consistent with applicable service level agreements.

A second type of activity contemplated by ONC and permitted by the exception relates to restrictions on third-party applications that may be negatively affecting the performance of a health IT network. The Actor may restrict access to the third-party application while it attempts to resolve the negative impacts of the app and if it applies its policy consistently and in a non-discriminatory manner. 

Fullfilling Requests

The second broad category of information blocking exceptions are those that relate to fulfilling requests. They include the Content and Manner exception, the Fees exception, and the Licensing exception.

Content and Manner Exception

The information blocking rules dramatically change the way that Actors provide access to EHI by patients and access in other circumstances, such as an export of EHI from one electronic health record to another electronic health record.  The Content and Manner exception appears at 45 C.F.R. 171.301.

First, although HIPAA allows a Healthcare Provider 30 days to respond to a request for access, the information blocking regulations require that a Healthcare Provider respond without unnecessary delay. Therefore, if the Healthcare Provider has the ability to immediately transmit EHI to the patient through a portal, for example, the Healthcare Provider should not wait to do so.  Importantly, however, although EHI must be transmitted to the patient as soon as it is available once a request has been made, the information blocking regulations do not require Healthcare Providers to proactively make EHI available through patient portals if no request has been made by the patient.³⁵

Second, an Actor must fulfill a request for EHI in any manner requested, unless the Actor is technically unable to fulfill the request or cannot reach agreeable terms with the person requesting the information. If the request is unique and will require additional costs to the Actor, the Actor may negotiate fees or licensing arrangements without engaging in information blocking.

If an Actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor, the Actor must fulfill the request without unnecessary delay in the following order of priority:

(A) Using technology certified to standard(s) set forth in the Final Rule and specified by the requestor;

(B) Using content and transport standards specified by the requestor and published by the federal government or a standards developing organization accredited by the American National Standards Institute; or

(C) Using an alternative machine-readable format, including the means to interpret the EHI, agreed upon with the requestor.

If the Actor cannot agree on the fees charged, then the fee and licensing provisions in the applicable exceptions will apply.

The Final Rule mandates an export feature in CHIT systems. Section 45 C.F.R. 170.315(b)(10) relates to “EHI Export.” In order for health IT to be certified, it must be able to export all of a patient’s EHI in an electronic, computable format with documentation that allows it to be imported into a subsequent electronic health record system. The technology must enable the Healthcare Provider to perform a single-patient export without the IT Developer’s assistance. In addition, the EHI Export function must permit the export of an entire patient population in an electronic, computable format which would enable the provider to migrate to competing systems. If portions of the patient’s EHI are stored on certified technology and other portions are stored on non-certified technology, all of the EHI must be exportable to meet the EHI Export criteria.³⁶

Fees Exception

An Actor's practice of charging fees for accessing, exchanging, or using EHI will fall within the Fees exception when the fees are reasonably related to the costs of providing the access and uniformly applied.

The exception does not exempt fees from information blocking in two important areas. First, in the consumer context, any fees that are based on the electronic access of an individual’s EHI by the individual or another person designated by the individual are not excepted from the definition of information blocking.³⁷  On this particular point, ONC emphasized that “an Actor's practice of charging an individual, their personal representative, or another person or entity designated by the individual for electronic access to the individual's EHI would be inherently suspect under an information blocking review.”³⁸  Therefore, if a patient has the ability to access EHI on a patient portal provided by the Healthcare Provider, the Healthcare Provider cannot charge for that electronic access.  Second, “special” fees for competitors or fees based upon the value of the access to the requestor do not fall within the exception.

Licensing Exception

This exception appears to be focused squarely on IT Developers. The practice of requiring a license for “interoperability elements” in order to access, exchange, or use EHI will not be considered information blocking if each of the conditions contained in 45 C.F.R. 171.303 is met.

“Interoperability elements” is defined at 45 C.F.R. 171.101 and means the “hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services” controlled by the Actor and needed to access, exchange, or use EHI. The software that allows patients to access their physician’s patient portal from their personal computer would be an example of an interoperability element.

The exception requires the owner of an interoperability element to commence negotiations with anyone who requests a license within 10 business days of the request and to complete the negotiations within 30 days. The exception dictates the scope of rights which must be contained in the license as well as the factors that may be considered with respect to any royalty relating to the license. In addition, the license agreement may not contain discriminatory or anti-competitive provisions or unreasonable non-disclosure provisions, which are more fully set out in the Final Rule.

Penalties and Enforcement

The general prohibition on information blocking and the exceptions became effective April 5, 2021. Congress charged the Office of Inspector General of HHS (OIG) with investigating claims of information blocking. Congress provided that IT Developers, HIEs, and HINs are subject to civil monetary penalties of up to $1 million per violation for information blocking. Congress directed the OIG to refer Healthcare Providers who have committed information blocking to the appropriate federal agency to be subject to appropriate disincentives.³⁹

ONC stated in the Final Rule that it is coordinating enforcement efforts with the OIG and that enforcement of information blocking civil monetary penalties (CMPs) will not begin until established by future notice and comment rulemaking by the OIG. As a result, Actors would not be subject to penalties until those CMP rules are final. The OIG published proposed regulations on April 4, 2020.⁴⁰ It has not yet issued a final rule.

In addition to CMPs instituted by the OIG, ONC has the authority to impose a certification ban on IT Developers.⁴¹ Decertification for an IT Developer could be a severe penalty for information blocking.

Congress set forth different penalties in the Cures Act, depending upon the nature of the Actor. IT Developers, HINs, and HIEs are subject to CMPs imposed by the OIG. Healthcare Providers are not subject to CMPs under the Cures Act for information blocking. Instead, Congress specified that the OIG should refer Healthcare Providers to the appropriate federal agency for appropriate sanctions.⁴² There have been no regulations, to date, relating to how the OIG will refer Healthcare Providers to the appropriate federal agency or what the appropriate sanctions will be imposed by such federal agency for a Healthcare Provider that has engaged in information blocking. 

Anticipating Client Needs

Each of the three types of Actors (Healthcare Providers, IT Developers, and HINs/HIEs) will need the advice of counsel to help them navigate the complexities and nuances of the Final Rule. They will need to revise privacy policies related to the protection and dissemination of EHI and will need the assistance of counsel to help tailor policies to specific state law issues that might arise.⁴³ It is likely that most Actors will have HIPAA policies, which would be the best place to begin.

Actors and their attorneys will need to assess the Actor’s sources of EHI and the systems in which it resides. Healthcare Providers will need to understand the technical capabilities that their systems likely already possess and will need to work with their electronic health record vendors so that they can timely respond to patient requests to access EHI electronically. IT Developers and Healthcare Providers will need to collaborate to create workflows related to responses to requests for EHI. Actors may also need assistance updating terms of use for such things as patient portals.

HIEs/HINs may need to consider updating membership or participation agreements and business associate agreements in light of the Final Rule. They may also need to update their internal operating policies and procedures to ensure compliance with the Final Rule. They may need to review their existing member agreements and any licensing agreements in place.

IT Developers may need assistance navigating the Final Rule. They likely have existing business associate agreements and customer agreements that could be potentially problematic. Particular attention should be directed to licensing practices, confidentiality provisions, and terms that could have anti-competitive effects.

The ONC website, HealthIT.gov, provides substantial resources on the interoperability rules and the information blocking rules. ONC has provided online webinars and FAQs that could be of interest to Actors and the attorneys that advise them.

Conclusion

The Final Rule represents an important development in the evolving federal policy promoting the use of electronic health record technology. The Final Rule imposes new obligations on each of the Actors defined therein. The Final Rule and its requirements are complex and largely untested. Whether an Actor has engaged in information blocking or whether a particular exception applied or applies will depend on particular facts and circumstances. Actors will need competent counsel who understand the intricacies of the Final Rule to counsel them on compliance with the rules and advocate on their behalf if they should be accused of information blocking.

1. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642 (May 1, 2020).
2. 21^st Century Cures Act, P.L. 114-255, 130 Stat. 1033 (Dec. 13, 2016).
3. The Centers for Medicare & Medicaid Services (CMS) simultaneously published its final rule relating to interoperability and patient access with respect to the Medicare and Medicaid Programs. See 85 Fed. Reg. 25510 (May 1, 2020). While the CMS final rule is consistent with ONC’s Final Rule, the CMS final rule is beyond the scope of this article.
4. Report to Congress, Report on Health Information Blocking, Office of the National Coordinator for Health Information Technology, Department of Health and Human Services (April 2015).
5. The Health Information Technology for Economic and Clinical Health Act or “HITECH Act” is contained in Title XIII of the broader American Recovery and Reinvestment Act of 2009, P.L. 111-5 (Feb. 17, 2009), 123 Stat. 115, 226. Among other things, in Section 4101 (123 Stat 467) it provided a program of incentives for the adoption and “meaningful use” of “certified” electronic health record technology, granting to HHS regulatory authority to define through notice and rulemaking definitions for “certified” and “meaningful use.” Congress provided for direct federal grants as well as enhanced reimbursement for services provided to beneficiaries of federal healthcare programs by certain Healthcare Providers who adopted certified electronic health record technology and put it to meaningful use. The program gave HHS substantial policy making control over the technological capabilities of certified electronic health record systems as well as how Healthcare Providers would implement them. HHS responded by issuing three stages of regulations providing for increasingly sophisticated systems and uses. HHS published its “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule” (Stage 1) July 28, 2010, 75 Fed. Reg. 44314; “Health Information Technology: Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology” (Stage 2) on September 4, 2012, 77 Fed. Reg. 53968; and “Medicare and Medicaid Programs; Electronic Health Record Incentive Program—Stage 3 and Modifications to Meaningful Use in 2015 Through 2017” (Stage 3) on October 16, 2015 80 Fed. Reg. 62762. The Final Rule changed the name of the incentive program from “Meaningful Use” to “Promoting Interoperability.”
6.  Report to Congress supra n. 4 at 33. Interestingly, while ONC found evidence of information blocking by some Healthcare Providers, it wrote to Congress that “[m]ost complaints of information blocking are directed at health IT developers.” Report to Congress at 15.
7. Id.  at 15.
8. See 45 C.F.R. Part 160 and Part 164.
9. 21^st Century Cures Act, P.L. 114-255 (Dec. 13, 2016), 130 Stat. 1033. The law contained many popular provisions ranging from innovative responses to the opioid crisis (Section 1001) to increased funding for mental health programs (Section 14001). The House approved it 392-26 followed by Senate approval 94-5.
10. 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 84 Fed. Reg. 7424 (Mar. 4, 2019).
11. ONC’s effort had been underway for years and ONC could not have anticipated that Healthcare Providers would be reacting to an international health crisis on the planned publication date. Provisions of the Final Rule are phased in for Healthcare Providers and ONC delayed the implementation date after publication of the Final Rule. See ONC’s Interim Final Rule, Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID–19 Public Health Emergency, which extended the Final Rule’s applicability date from November 2, 2020 to April 5, 2021. 85 Fed. Reg. 70064 (Nov. 4, 2020).
12. Id.  
13. 45 C.F.R. 171.102.
14. 42 U.S.C § 300jj-52(a)(1).
15. The HIPAA Privacy Rule defines “psychotherapy notes” as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.” 45 C.F.R. 164.501.
16. 45 C.F.R. 171.301(a). However, covered entities must still comply with the HIPAA Privacy Rule’s access provision at 45 C.F.R. 164.524 which states that individuals have a right of access to their protected health information in a designated record set.
17. Id. Interestingly, depending upon the facts and circumstances, a Healthcare Provider could conceivably become an HIN or HIE, depending upon the configuration of its system with other systems. See 45 C.F.R. 171.102. The Final Rule does not specify which knowledge standard ONC might hold an Actor to when it meets more than one definition of “Actor.” Presumably, the knowledge standard applicable to a particular type of Actor would apply when the entity is acting in that corresponding capacity.
18. 42 U.S.C. §300jj-52(a)(3).
19. Id. at (a)(6).
20. Id. at (a)(7).
21. 85 Fed. Reg. 25642, 25718 “For the ‘information blocking’ and ‘assurances’ Conditions and Maintenance of Certification requirements … a health IT developer is also responsible to ensure that all of its health IT and related actions and behaviors do not constitute information blocking or inhibit the appropriate access, exchange, and use of electronic health information (EHI).”
22. See 21st Century Cures Act supra n. 2.
23. Information Blocking FAQs, https://www.healthit.gov/curesrule/resources/information-blocking-faqs (last visited May 14, 2021).
24. See Indiana Code 16-39-2-4.
25. 45 C.F.R. 171.201(d).
26. See Information Blocking FAQs, Q: Would the Preventing Harm Exception cover a “blanket” several day delay on the release of laboratory or other test results to patients so an ordering clinician can evaluate each result for potential risk of harm associated with the release, https://www.healthit.gov/curesrule/resources/information-blocking-faqs (last visited May 14, 2021).  See also ONC Information Blocking: Answers to Frequently Asked Questions, Slide 12, https://www.healthit.gov/sites/default/files/2021-02/IB%20FAQs%20Webinar_02-02-2021_FINAL.pdf (last visited May 14, 2021).
27. 45 C.F.R. 171.202(b).
28. 45 C.F.R. 171.202(c).
29. 45 C.F.R. 171.203(e)(4). An Actor may terminate an individual’s request to restrict access, exchange, or use of the individual’s EHI only if “(i) the individual agrees to the termination in writing or requests the termination in writing; (ii) The individual orally agrees to the termination and the oral agreement is documented by the actor; or (iii) The actor informs the individual that it is terminating its agreement to not provide such access, exchange, or use of the individual's electronic health information except that such termination is: (A) Not effective to the extent prohibited by applicable Federal or State law; and (B) Only applicable to electronic health information created or received after the actor has so informed the individual of the termination.”
30. 45 C.F.R. 171.203(d)(3).
31. 45 C.F.R. 171.203(e).
32. 45 C.F.R. 171.200.
33. 45 C.F.R. 171.204(a)(2)(i).
34. See 45 C.F.R. 170.215 which provides for standards and associated implementation specifications for application programming interfaces (APIs). See also 45 CFR 170.404 which sets forth maintenance and certification requirements for certified API developers.
35. ONC Information Blocking: Answers to Frequently Asked Questions, Slide 11, https://www.healthit.gov/sites/default/files/2021-02/IB%20FAQs%20Webinar_02-02-2021_FINAL.pdf (last visited May 28, 2021).
36. 85 Fed. Reg. 25642, 25693.
37. The language is contorted here because the exceptions are really safe harbors. By “exception” we mean an exclusive carve-out of a general prohibition. All conditions of the exception must be met to obtain relief from the general prohibition. Safe harbors are not exclusive. Satisfying the conditions of a safe harbor will provide protection from the general prohibition, but the failure to satisfy the technical requirements of a safe harbor do not necessarily mean that the general prohibition has been violated. ONC has left open the possibility that a practice that results in an Actor failing to fulfill a request for electronic protected health information might not constitute information blocking even if it does not technically satisfy an exception. See supra n. 1 at 25649. In our view, the exceptions enumerated by ONC constitute non-exclusive safe harbors.
38. See supra n. 1 at 25792.
39. Section 4004 of the Cures Act, supra n. 2 added a new section to the Public Health Service Act relating to information blocking. See 42 U.S.C. 300jj-52(b).
40. Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 85 Fed. Reg. 22979 (Apr. 24, 2020).
41. 45 C.F.R. 170.581.
42. Cures Act, supra, n. 2, Section 3022(b)(2).
43. For example, some states prohibit pushing certain types of test results to patients before the clinician has an opportunity to discuss them with the patient. Providers will need advice to integrate state provisions into their information blocking policies. Clinicians engaged in substance use disorder treatment and the mental health treatment of minors may also need advice regarding the Final Rule.

About the Authors

Robert Anderson is a partner with the law firm of Krieg DeVault, practicing in Indiana and the Greater Chicago Area. He regularly advises hospitals, medical groups, and other healthcare providers in a broad array of compliance, regulatory, and litigation matters. He counsels clients on the use of electronic health record systems, meaningful use of certified technology, and issues associated with information blocking. Mr. Anderson serves on the firm’s Executive, Innovation, and Information Technology Committees.  He may be reached at [email protected].

Stephanie Eckerle is a partner with Krieg DeVault and practices in the fields of healthcare, corporate law, and real estate. Within the healthcare field, she focuses her practice on providing regulatory, compliance, and corporate advice to physician practice groups, hospitals, pharmacies, on-site employer health clinics, health IT companies, telehealth providers, and health plans.  Ms. Eckerle also serves on the National Association of Worksite Health Center’s Board of Directors and Krieg DeVault’s Diversity, Equity and Inclusion Committee.  She may be reached at [email protected].