Earlier this month, the Office of the National Coordinator (ONC) finalized the long-awaited information blocking rule in the 21st Century Cures Act. 

While we at the American Health Information Management Association (AHIMA) continue to review the specifics of the rule, it's important to note that we support the intent of the Cures Act and the ONC Information Blocking rule. That intent is to put patients at the center of care and to enhance the ability of patients to have access to their health information.

When the rule was proposed, we expressed concern about the lack of clarity and predictability around the definition of "electronic health information" (EHI), as well as the feasibility of operationalizing such a definition. We are pleased that in the final rule, ONC limits the definition of EHI to the US Core for Data Interoperability (USCDI v1) standard for the first 24 months after the publication date of the final rule. The USCDI standard, a modest expansion of the Common Clinical Data Set (CCDS), is a set of data classes and constituent data elements that are required to be exchanged under the rule.   

We are also pleased ONC listened to stakeholders and that the finalized rule stipulates that beginning in 2022, the scope of EHI will be broadened to mean electronic protected health information (ePHI) as defined under HIPAA to the extent it is included in the designated record set. In other words, the definition of EHI represents the same ePHI that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Rule. This is a definition that many health information management (HIM) professionals are familiar with and have experience in managing. 

Under the proposed rule, we also expressed concern that the rule did not include sufficient guardrails around HIPAA non-covered entities to protect the privacy and security of a patient's health information. Patients may be unaware that once they authorize a covered entity to push their electronic health information to a third-party app and such an entity is a HIPAA non-covered entity, the rights afforded under HIPAA no longer apply. 

Additionally, patients could be unaware of how an app intends to use their health information, leaving them to the mercy of the app developer's terms of service and/or privacy policy unless an act on the part of an app developer meets the "unfair or deceptive acts or practices" standard under the Federal Trade Commission (FTC) Act. Failure to provide appropriate and transparent privacy and security safeguards could invite opportunities for "bad actors" to enter the market and potentially use such sensitive data for nefarious activities. 

In the final rule, ONC has taken steps to address some of these concerns including clarifying that an actor educating patients about the privacy and security risks posed by a third-party app is not considered information blocking-as long as the actor provides accurate, objective, unbiased, fair, and non-discriminatory information about the third party developer or app that the patient chooses to use to receive EHI on their behalf. ONC also recommends a minimum set of best practices that all third-party apps' privacy policies and practices should adhere to.

Nevertheless, these additional safeguards fail to entirely address the protection of a consumers' sensitive health data once their data is pushed to a HIPAA non-covered entity. Consumers not only have the right to access their data but the right for their data to be kept private and secure. Congressional action may be required to enhance the protection of consumers' data once it is no longer covered by HIPAA. 

In September 2019, AHIMA and other provider groups sent a letter to Capitol Hill calling for HHS to exercise its discretion in its initial enforcement of the information blocking rule. The final rule stipulates that actors will have six months after publication of the rule in the Federal Register before they must comply with the information blocking rules. 

However, it's important to keep in mind that the Cures Act gives enforcement authority of the rule to the HHS Office of Inspector General (OIG.) Under the 21st Century Cures Act, OIG is tasked with issuing civil monetary penalties of $1 million per violation to developers, health information exchanges, and health information networks found to be engaging in information blocking. OIG is also tasked with referring providers to the appropriate agency to be subject to "appropriate disincentives" under the law. Enforcement of these penalties will not begin until OIG undertakes a formal notice and comment rulemaking. Until then, actors will not be subject to enforcement penalties. 

HIM professionals have an important role to play by bringing their facility into compliance with the information blocking rule. They should start the conversation now with their C-suite, IT department, and compliance teams to ensure they are ready when the rule goes into effect. HIM professionals should be prepared to use their expertise in this area to help bring their facilities into compliance under the rule. 

By Lauren Riplinger, JD
Vice President, Policy & Government Affairs | Policy & Government Affairs