The U.S. Department of Health and Human Services (HHS) issued eagerly anticipated and hotly debated companion interoperability and information blocking final rules that are expected to transform the way in which certain health care providers, health information technology (IT) developers, and health plans share patient information. The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health claims information electronically through the application of their choosing.

Major provisions of each final rule are highlighted below. Note that the final rules have not yet been formally submitted to the Federal Register, so some of the precise effective dates are still to be determined.

ONC Final Rule

For Providers, Health Information Networks or Exchanges, and Health IT Developers

  • Prohibition on Information Blocking. Effective six months following the publication of the final rule, health care providers, health IT developers of certified health IT, and health information exchanges and networks, are banned from “information blocking.” Information blocking is defined in the rule as engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information (EHI) and, if (a) conducted by a health IT developer or health information network or exchange, such developer, network or exchange knows, or should know or (b) if conducted be a health care provider, such provider knows – the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
    • EHI means electronic protected health information (EPHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. This EHI definition will be effective 24 months after the publication of the final rule. In the interim, for purposes of information blocking, EHI is limited to the EHI identified by the data elements represented in the U.S. Core Data for Interoperability (USCDI) standard.
    • Health care providers include health care facilities, entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of health care provider in the Final Rule to cover all individuals and entities covered by HIPAA. However, the final rule leaves this door open by giving the Secretary of HHS discretion to expand the definition of health care provider to any other category the Secretary deems appropriate by future rulemaking.
  • Examples of Information Blocking. According to ONC, information blocking practices could involve, among other things: formal restrictions in contract or licensing terms; limiting or restricting the interoperability of health IT through organizational policies or procedures or other EHI or health IT documentation; information restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange.
  • Information Blocking Exceptions. The final rule identifies eight activities as exceptions to information blocking. According to ONC, the exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met. Each exception falls into one of two categories: (i) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
  • Penalties for Information Blocking. Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on the actor. Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation, while health care providers who violate the information blocking provisions may face unspecified disincentives for violations, to be determined by the appropriate HHS department or agency in subsequent rulemaking.

For Health IT Developers Only

  • Modifications to Conditions of Certification. Among other things, the final rule adopts a prohibition on, and assurance against, certified health IT developers engaging in information blocking. It also requires the use of secure, standardized application programming interfaces (APIs) for patient data exchange.
  • Privacy and Security Transparency Attestations. The final rule requires developers of certified health IT to attest to their level of privacy and security transparency. According to ONC, the attestations will serve to identify whether or not health IT developers support encrypting authentication credentials and/or multi-factor authentication.

CMS Final Rule

For Providers

  • Admission, Discharge, and Transfer Event Notifications. Effective six months after publication of the final rule, CMS’s Conditions of Participation are modified to require enrolled hospitals, including psychiatric hospitals and critical access hospitals (CAHs), to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.
  • Public Reporting and Prevention of Information Blocking. Later this year, CMS will publically report (i) eligible clinicians, hospitals, and CAHs that may be engaging in information blocking based on how they attested to certain Promoting Interoperability Program requirements; and (ii) those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System.

For Health App Developers

  • Patient Access API. The final rule requires CMS-regulated payers to permit third-party applications to retrieve, with the approval and at the direction of the patient, certain patient information.
  • App Developer Attestation. The final rule allows CMS-regulated payers to ask third-party application developers to attest to certain privacy provisions, such as whether their privacy policy specifies secondary data uses, and inform patients about those attestations.

For Payers

  • Payer-to-Payer Data Exchange. Beginning January 1, 2022, CMS-regulated payers must exchange certain patient clinical data (specifically the USCDI version 1 data set) at the patient’s request. This will allow patients to take their information with them as they move from payer to payer over time to help create a cumulative health record.
  • Patient Access API. By January 1, 2021, certain CMS-regulated payers must implement and maintain a secure, standards-based API (consistent with that API identified in the ONC final rule) that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice.
  • Provide Directory API. By January 1, 2021, most CMS-regulated payers must make provider directory information publicly available via a standards-based API.

According to CMS, together, these final rules mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.