Created by the Department of Health and Human Services as part of the 21st Century Cures Act, the information blocking regulations are now in effect and are enforceable.
The final rule described information blocking and introduced penalties for providers and certified health IT vendors who participate in activities that interfere with the access, transfer, and use of electronic health information (EHI). The final rule also established new rights for patients in relation to their healthcare data and permits them to request it be sent to the application of their choice.
The actual compliance date was established as April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges are obliged to adhere with the provisions of the final rule. For the initial 18 months from April 5, 2021, the information blocking provisions only apply to a small subset of EHI listed in the US Core Data for Interoperability (v1). Core EHI includes clinical notes, immunization records, lab test results, medications, and other EHI. This period of time is intended to assist the regulated community get used to the information blocking regulation before the full range of the regulation’s definition of EHI comes into effect on October 5, 2022. Covered entities and business associates are asked to share all EHI if they can, and not limit sharing to the data represented by the USCDI until the final compliance date in 18 months time.
As per the final rule, the deadline for data sharing has been amended to 30 days from the request being submitted to “without unnecessary delay.” There is an expectation to make EHI quickly available through the platform of the connected covered entity to permit that information to be shared. It is crucial for policies and procedures to be reviewed and updated to see to it that EHI can be obtained as quickly as possible, and not to persist with the 30-day deadline, which could now be thought of as information blocking.
The final rule also allows patients additional permissions in relation to healthcare data and requires covered entities and business associates to supply patients with their electronic health information, on request, to an application of the patient’s choice. Patient health information can be sent to these applications with minimal manual effort by clinicians through secure, standardized application programming interfaces (APIs). As with requests from other healthcare suppliers, for the first 18 months it is not a requirement to provide full records to patients’ chosen applications, only core data detailed in the USCDI.
As per the HHS HIPAA Right of Access enforcement initiative, the HHS has sanctioned 18 penalties for failures to supply patients with a copy of their requested medical records in a timely fashion. The HHS may well begin policing compliance with the requirements of the final rule just as aggressively. The HHS Office for the National Coordinator for Health IT (ONC) will be working closely with the HHS Office of Inspector General on finalizing enforcement and penalties.