Today the U.S. Department of Health and Human Services (HHS) announced that it would extend until June 3, 2019 the comment periods for the Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) proposed interoperability and information blocking rules. CMS also announced that as a result of public comments, it “will adjust the effective dates of our policies to allow for adequate implementation timelines as appropriate.”

In related developments, the ONC also released the second draft of the Trusted Exchange Framework and Common Agreement, along with a related Notice of Funding Opportunity. In addition, HHS released a set of frequently asked questions (FAQs) from the Office for Civil Rights (OCR), addressing HIPAA’s right of access as related to apps designated by individual patients and application programming interfaces (APIs) used by a healthcare provider’s electronic health record (EHR) system. The FAQs clarify, among other things, that once protected health information (PHI) has been shared by a HIPAA covered entity with a third-party app, as directed by the individual, the covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic PHI, provided the app developer is not itself a business associate of a covered entity or other business associate.

Background on the ONC and CMS Proposed Rules

In March 2019, the ONC published a sweeping proposed rule to implement statutory provisions intended to advance the exchange of electronic health information (EHI). Notably, the proposed rule targets “information blocking” practices that unreasonably limit the availability, disclosure, and use of EHI. The proposed rule would define impermissible information blocking practices by health care providers, health information technology (HIT) developers of certified HIT, networks, and exchanges that could trigger penalties.

ONC believes the information blocking provision will almost always be implicated when a practice interferes with access, exchange, or use of EHI needed to ensure that health care professionals “have the EHI they need, when and where they need it, to make treatment decisions and effectively coordinate and manage patient care and can use the EHI they may receive from other sources.” Such information blocking practices could involve, among other things: formal restrictions in contract or license terms, EHI sharing policies, organizational policies or procedures, or other EHI or HIT documentation; informal restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange. ONC proposes seven exceptions to the definition of information blocking for certain “reasonable and necessary activities,” such as preventing harm to patients, promoting the privacy and security of EHI, or allowing IT system maintenance, subject to specific limitations.

In a companion rulemaking, CMS proposes to publicly report providers that participate in information blocking practices. The rule also would require health care providers and plans to implement open data sharing technologies to support transitions and coordination of care as patients move between health plans.

As currently drafted, the ONC and CMS rules will likely require changes to stakeholders’ HIPAA policies and contractual arrangements, and encourage partnerships with new technology vendors who offer compliant technology services. The extension of the proposed rule public comment periods and CMS’s stated plans to extend the implementation timeline appear to be an acknowledgement of the complexities of these policies.