What is Information Blocking and What is it not?
On June 24, the Department of Health and Human Services issued a final rule detailing information-blocking disincentives. Learn more about what information blocking is and how your practice may be affected below.
What is Information Blocking?
Information blocking occurs when an actor, such as a healthcare provider, health IT developer, health information exchange (HIE)/health information network (HIN), or health plan, engages in a practice that is likely to interfere with the access, exchange, or use of electronic health information except as required by law. Basically, it is when health care information is unlawfully restricted.
How is Information Blocking Determined?
The 21st Century Cures Act established two knowledge standards for determining the lawfulness of information blocking and meeting the “likely” criteria:
HIEs/HINs – The law applies the standard to whether they know or should know that the practice is likely to interfere with the access, exchange, or use of health information.
Healthcare providers – The law applies the standard to whether they know that the practice is likely to interfere with the access, exchange, or use of health information. This makes the criteria for determining that a provider engaged in information blocking to be harder compared to other entities.
Another criterion for determining lawfulness is whether the restriction of information was “reasonable.” This standard is vaguer and more open to interpretation based on the facts of any given case.
How do Rules about Information Blocking Interact with HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is mostly concerned with “permissible disclosures,” as in what health information is allowed to be shared. The two required disclosures under HIPAA are when a patient asks for their own health information, or when the government asks for health information. Information blocking rules and disincentives ensure that nobody can get in the way of this information going to the patient or to the government in a timely manner. Information blocking rules in specific contexts turn “permissible disclosures” under HIPAA into required disclosures, such that you cannot get in the way of the information transfer.
What Enforcement Mechanisms are in Place?
Investigations are triggered by a referral to the HHS Office of the Inspector General (OIG), which can be submitted by anyone. The OIG will then refer the investigation to any relevant agencies and consider facts of the case as to whether:
Was there harm or potential harm to patients?
Did it significantly affect providers’ ability to care for patients?
How long was the information blocking occurring?
Was there financial loss to federal or private healthcare programs?
The ONC will maintain a publicly accessible list of actors that commit information blocking, causing potential reputational harm.
In terms of disincentives, the July 2024 rule sets out the following:
Medicare Promoting Interoperability Program: Hospitals and critical access hospitals (CAHs) that commit information blocking will have their payments reduced. Specifically, hospitals will see a reduction of three quarters of the annual market basket update; for CAHs, payment will be reduced to 100% of reasonable costs instead of 101%.
Quality Payment Program: Merit-based Incentive Payment System (MIPS) eligible clinicians that commit information blocking will receive a zero score in the Promoting Interoperability performance category, which can account for a quarter of a year’s total MIPS score.
Medicare Shared Savings Program (MSSP): ACO participants or providers who commit information blocking can be deemed ineligible to participate in the program for a minimum of a year. ACOs can also be restricted from participating in MSSP, thus losing revenue from the program.
What Exceptions are Allowed?
It will not be information blocking for/if:
Preventing Harm: an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
Privacy: an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
Security: an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
Infeasibility: an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
Health IT Performance: an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Licensing: an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
Fees: an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
Manner: an actor to limit how it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
TEFCA Manner Exception: an actor to fulfill certain requests for access, exchange, or use of EHI only via TEFCA, provided certain conditions are met.
Learn more with this resource from the Office of the National Coordinator for Health Information Technology (ONC): https://www.healthit.gov/sites/default/files/2024-04/IB_Exceptions_Fact_Sheet_508_0.pdf. The ONC notes that “An actor’s practice that does not meet the conditions of an exception will not automatically constitute information blocking. Instead such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred.”
What About AI?
Potential information blocking violations are always evaluated on a case-by-case basis. Should an AI system like integrated into an EHR cause a potential instance of information blocking, investigators might look to broader organizational practices to see whether it is an isolated incident or evidence of a broader, systematic failure. This has yet to be tested in the courts. CTeL recommends close monitoring and documentation of AI systems in any healthcare context.
CTeL’s AI Blue Ribbon Collaborative is structured to address issues such as information blocking. Interested in finding out more? Visit our AIBRC page today.