Editor’s Note: The information blocking rule—now moved to the Office of Management and Budget (OMB), the last step before a rule is promulgated—is significant because it reverses the typical framework governing the privacy of health information. Under the information blocking rule, a requested disclosure of information is no longer optional, as it had been under previous privacy requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. Instead, disclosure of information must be made unless an information blocking exception applies. The goal is to address years of concern about the lack of interoperability in the healthcare system and the belief that some players wrongfully fail to disclose information to competitors even when doing so is in the best interest of patients.
Changing the nation’s health information disclosure framework, however, is not an easy task. In a recent article in Law360, summarized below, Manatt Health addresses seven key questions the proposed rule raises. Click here to read the full article. (To learn more about how to comply with the information blocking rule, click here to see our previous article. To view our recent webinar “Preparing for the ONC/HHS Information Blocking Rule,” click here).
1. Exactly what information will be subject to the information blocking rule? Will it include price information?
Under the proposed rule, the Office of the National Coordinator (ONC) contemplates a definition of electronic health information (EHI) that is broader than the definition of Protected Health Information (PHI), as defined under HIPAA. PHI is data about patients, such as their diagnoses or the types of procedures they received. But ONC is considering including price information that is not tied to any particular patient within the definition of EHI. The aim of the change is to provide transparency in healthcare prices. But providers have sounded the alarm about such an expansive definition of EHI, expressing concern about the impact on competition.
2. Will actors ever be permitted to require a patient’s consent for PHI disclosures in cases where the law doesn’t require consent?
There are many cases where federal and state healthcare laws do not require a patient’s consent for a healthcare provider to disclose the patient’s PHI. Nevertheless, providers sometimes require a patient’s written consent for disclosure of that patient’s PHI, with the goal of ensuring that disclosures are only made in accordance with the patient’s wishes. The information blocking rule could render this type of practice illegal. In the proposed rule, ONC suggested that requiring consent in any case where the law does not require it could be information blocking. (ONC did suggest that it would consider allowing for a consent requirement if a provider operates in multiple states, some of which require consent and some of which do not.)
3. How far must an actor go in order to obtain a patient’s consent where consent is required?
Under the privacy exception, an actor may decline to disclose EHI if applicable law requires patient consent and the actor “[d]id all things reasonably necessary within its control to provide the individual with a meaningful opportunity to provide the consent or authorization.” If the EHI includes sensitive information such as substance use disorder data or mental health information, patient consent for disclosure often will be required under a state or federal privacy law. Therefore, actors will often be required to do everything “reasonably necessary” to ask for consent.
4. Can health information exchanges (HIEs) continue to limit who participates in their networks?
HIEs typically allow for the exchange of EHI in their networks only between those entities that signed participation agreements with the HIE. Participation agreements typically require the participants to abide by certain privacy and security requirements and may impose additional rules. The proposed rule suggests that this type of arrangement could be considered information blocking under certain circumstances.
5. Will ONC adopt any additional information blocking exceptions?
In the proposed rule, ONC proposes seven exceptions to information blocking, which consist of (1) preventing harm, (2) promoting privacy, (3) promoting security, (4) recovering costs reasonably incurred, (5) responding to infeasible requests, (6) licensing on reasonable and nondiscriminatory terms, and (7) maintaining and improving health IT performance. (For more information on the seven exceptions, see our article in last month’s “Health Update.”) ONC has expressed willingness to consider other exceptions.
6. How strict will ONC be when it comes to the security exception?
The proposed security exception would impose several somewhat strict requirements. For example, in order to qualify for the exception, the practice “must be tailored to the specific security risk being addressed,” should have been “prepared on the basis of, and directly respond to, security risks identified and assessed by or on behalf of the actor,” and must “[a]lign with one or more applicable consensus-based standards or best practice guidance.”
7. How will the information blocking rule be enforced?
Actors that fail to comply with the information blocking rule can be subject to penalties, including civil monetary penalties imposed by the Office of Inspector General of the United States Department of Health & Human Services (OIG). But some aspects of the enforcement mechanics, such as the complaint process, are unclear. Some commentators have suggested that ONC or OIG provide an advisory opinion process or regular detailed guidance on how the rules should be operationalized.
ONC also suggests in the proposed rule that the information blocking exceptions must be strictly followed. But will the government require strict compliance in practice? ONC and OIG, for example, could decline to enforce the rules in cases where an actor makes a good faith effort to comply with an information exception, but does not qualify for all aspects of an exception. Alternatively, ONC and OIG could provide a grace period under which the agencies will enforce the rule only in regard to the most egregious cases in order to provide actors with sufficient time to understand the rules and come into compliance.