The 21st Century Cures Act Information Blocking Rule, codified at 45 CFR Part 171, is intended to enhance access to, exchange or use of electronic health information (EHI), and generally prohibits “actors” from knowingly interfering with such access, exchange or use, except as required by law or specified in an information blocking exception. An “actor” is defined as a healthcare provider, health information technology (IT) developer of certified health IT or health information exchange (HIE)/health information network (HIN). Presently, the scope of EHI subject to the Information Blocking Rule is limited to the data elements listed in the United States Core Data for Interoperability (USCDI v1) data classes. Such data includes, but is not limited to, patient demographics, assessment and plan of treatment, clinical notes, health concerns, laboratory tests and results, medications and procedures.
Beginning Oct. 6, 2022, EHI covered under the Information Blocking Rule will expand beyond the USCDI v1 to all electronic protected health information (ePHI) to the extent that such information would be included in a designated record set, regardless of whether the records are used, or maintained by, or for a covered entity as defined by the Health Insurance Portability and Accountability Act (HIPAA). Thus, ePHI generally used, maintained, stored, created and disclosed by covered entities and business associates under HIPAA will now be subject to the information blocking prohibitions. Such information will include the following electronic records: medical, billing, enrollment, payment, claims adjudication, case or medical management, and any other records used, in whole or in part, to make decisions about individuals. Information that is not considered EHI for purposes of the Information Blocking Rule include psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; employment records; education records; records regarding a person who has been deceased for more than 50 years; and de-identified data.
As the scope of the Information Blocking Rule is set to expand, it will be important for healthcare providers, health IT developers of certified health IT and HIEs/HINs to ensure that they are not engaging in practices that may inhibit the appropriate exchange, access and use of EHI. In so doing, it should be noted that there are two different knowledge standards for actors to be at risk of enforcement action. Healthcare providers meet the knowledge standard if they know the practice is unreasonable and is likely to interfere with the access, exchange or use of EHI. Health IT developers of certified health IT and HIEs/HINs meet the knowledge standard if they know, or should know, that a practice is likely to interfere with the access, exchange or use of EHI. A process for evaluating EHI requests and ensuring employees are informed about the Rule and its exception should facilitate compliance for all actors.