On Monday, March 11, 2024, the Office of the National Coordinator for Health Information Technology’s (ONC) Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule went into effect. Among several elements of HTI-1, ONC promulgated “information blocking enhancements” which include new and updated definitions, as well as new and updated information blocking exceptions. Other sections of HTI-1 introduce algorithm transparency and replace “clinical decision support” with the “decision support intervention” certification and maintenance of certification criterion.
In this blog post, we discuss the information blocking enhancements and exceptions. In our next blog post, we will discuss ONC’s efforts to address the responsible use of AI in health care by promoting algorithm transparency.
New and Updated Definitions
Offer Health IT (New)
In an effort to provide clarity about certain use cases, ONC codified a new definition for what it means to “offer health IT.” Under this new definition, “offer health IT” generally means providing or supplying, or offering to provide or supply, certified health IT for deployment by or for other individuals or entities under any arrangement or terms. Importantly, this new definition excludes the following activities from the definition of “offer health IT”:
- Donating or subsidizing the costs of a health care provider's acquisition, augmentation, or upkeep of health IT provided that such donation or subsidization contains no conditions that limit the interoperability or use of the technology to access, exchange or use EHI for any lawful purpose (g., a health system arranges with a health IT developer to subsidize the cost of any contract for use of a (developer hosted) EHR product suite by any health care provider that gives the developer a particular code that was supplied to the health care provider by the health system. Subsequently, the health system gives the code to independent safety net providers in its service area as a means of making funding available to the safety net providers to cover part of the safety net providers’ cost to obtain and maintain use of an EHR product suite.);
- Certain implementation and use activities such as issuing user accounts or login credentials to individuals and entities for appropriate access, exchange, or use of EHI (g., production instances of API technology supporting patient access or other legally permissible access, exchange, or use of EHI that the individual or entity has in its possession, custody, control, or ability to query from/across a HIN/ HIE); and
- Certain consulting and legal services which either require or pertain to the selection, implementation, or use of health IT in the course of such consulting or legal services (g., health IT expert consultants’ services engaged to help a health care provider define their business needs and/or evaluate, select, negotiate for or oversee configuration, implementation, and/or operation of a health IT product that the consultant does not sell/resell, license/relicense, or otherwise supply to the customer).
ONC hopes that this new definition provides additional clarity to the industry. For instance, ONC hopes that this clarity encourages beneficial arrangements under which health care providers can receive subsidies for the cost of obtaining, maintaining, or upgrading certified health IT by giving funding sources certainty that making funding available does not make them an offeror of health IT. Additionally, this definition is meant to give health care providers certainty that implementing certain health IT features or enabling certain uses of the health IT they deploy will not make health care providers offerors of health IT within the meaning of the information blocking regulations. Additionally, ONC hopes that this definition establishes certainty for outside counsel that neither representing a client in negotiations or other matters with health IT vendors nor facilitating use of a client’s health IT for legal discovery purposes is considered to be an “offer of health IT” within the meaning of the information blocking regulations.
Health IT Developer of Certified Health IT (Updated)
The original definition for “health IT developer of certified health IT” excluded those who self-develop certified health IT “for their own use.” However, informed by ONC’s decision to define “offer health IT,” ONC modified the definition of “health IT developer of certified health IT” to make clear on the face of the information blocking regulations’ text that ONC put all health care providers engaged in one of the enumerated excluded activities from the definition of “offer health IT” (discussed above) on the same footing regardless of who develops the health IT involved. Accordingly, ONC revised the definition in 45 C.F.R. § 171.102 to replace the phrase “other than a health care provider that self-develops health IT for its own use” with the phrase “other than a health care provider that self-develops health IT not offered to others.”
Information Blocking (Updated)
Originally, the definition of “information blocking” was limited to a subset of EHI that was narrower than the EHI definition finalized in the ONC Cures Act Final Rule. Specifically, the narrower subset was limited to EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) until May 2, 2022. ONC’s Cures Act Interim Final Rule had the effect of extending the limitation to USCDI data elements from May 2, 2022 to October 6, 2022. Accordingly, because October 6, 2022, has passed, ONC removed from the definition of information blocking the reference to USCDI and the new definition of information blocking refers simply to EHI. As a result, information blocking now pertains to EHI as defined in 45 C.F.R. 171.102, which is “electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103.” The definition of EHI also excludes psychotherapy notes as defined in 45 CFR 164.501 and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Business Associate (New)
For purposes of revisions to the Infeasibility Exception discussed below, ONC created a new definition for “business associate.” Specifically, ONC adopted, by reference, the definition of “business associate” as used by the HIPAA Rules.
New and Updated Information Blocking Exceptions
Content and Manner Exception (Updated and Renamed to “Manner Exception”)
For the same reasons as for the revision to the “information blocking” definition discussed above, ONC revised the Content and Manner Exception to remove the references to USCDI and renamed the exception to the “Manner Exception.” This is, again, meant to reflect that EHI is no longer limited to USCDI data elements.
Infeasibility Exception (Updated)
ONC made substantive changes to one condition of the Infeasibility Exception and added two new conditions.
First, ONC revised the language of the Uncontrollable Events Condition (45 C.F.R. § 171.204(a)(1)). Specifically, ONC revised the condition to make clear that the fact that an uncontrollable event is not, by itself, sufficient to meet the uncontrollable events condition of the Infeasibility Exception. Rather, the actor must demonstrate that the uncontrollable event had a negative impact on the actor’s ability to fulfill the request for access, exchange, or use of EHI.
Second, ONC added the “Third Party Seeking Modification Use” condition (45 C.F.R. § 171.204(a)(3)) to the Infeasibility Exception. This condition applies in situations where the actor is asked to provide the ability for a third party to modify EHI that is maintained by or for an entity that has deployed health IT and maintains EHI through such health IT. This condition does not apply when a health care provider is requesting such modification from an actor that is the provider’s business associate (as defined within ONC’s new definition discussed above). ONC noted that this condition “does not operate to change a business associate’s rights or responsibilities under their business associate agreement (BAA) with any HIPAA covered entity” nor do the information blocking regulations “require actors to violate BAAs or associated service level agreements.” 89 Fed. Reg. 1192, 1376 (January 9, 2024).
Third, ONC added the “Manner Exception Exhausted” condition to the Infeasibility Exception. Specifically, this condition applies if the actor: (1) could not reach agreement with a requestor or was technically unable to fulfill a request for EHI in the manner requested; (2) offered at least two alternative manners, one of which must either be certified health IT or via published content and transport standards; and (3) does not provide the same access, exchange, or use of the requested EHI to a substantial number of individuals or entities that are similarly situated to the requestor. ONC stated that this change was meant to address uncertainty expressed by actors regarding whether they have sufficiently met the “infeasibility under the circumstances” condition. Also, this new condition is meant to reduce inappropriate or unnecessary diversion of actor resources such that actors could reasonably allocate their resources towards interoperable, standards-based manners.
TEFCA Manner Exception (New)
ONC codified a new subpart to the information blocking exceptions, Subpart D, “Exceptions that Involved Practices Related to Actors’ Participation in the Trusted Exchange Framework and Common Agreement (TEFCA).” Within the new Subpart D, ONC codified a TEFCA Manner Exception (45 C.F.R. § 171.403) which provides that an actor’s practice of limiting the manner in which it fulfills a request to providing access, exchange, or use of EHI only via TEFCA will not be considered information blocking. In order to satisfy the TEFCA Manner Exception, the practice must meet these conditions: the actor and requestor are both part of TEFCA; the requestor is capable of access, exchange, or use of the requested EHI from the actor via TEFCA; the request is not via the API Standards (45 C.F.R. § 170.215) or another version of those standards approved pursuant to the Standards Version Advancement process (45 C.F.R. § 170.405(b)(8)) under the ONC Health IT Certification Program; and any fees charged by the actors and licensing terms granted by the actor meet the Fees Exception (45 C.F.R. § 171.302) and Licensing Exception (45 C.F.R. § 171.303). This exception is intended to provide a clear, efficient process for actors participating in TEFCA to prioritize the use of TEFCA as a means for fulfilling requests for access, exchange, and use of EHI from other TEFCA entities. Notably, ONC has reserved other aspects of Subpart D for future rulemaking.
Looking Forward
The information blocking enhancements in HTI-1 are only the latest development in the U.S. Department of Health and Human Services’ efforts to implement the information blocking provisions of the 21st Century Cures Act. For example, last year, HHS’ Office of Inspector General (OIG) issued a Final Rule which codified the statutory penalties for information blocking created by the 21st Century Cures Act, and HHS – through the Centers for Medicare & Medicaid Services (CMS) and ONC – published a proposed rule establishing disincentives for certain health care providers that OIG determines have committed information blocking. Accordingly, health care providers, health IT developers of certified health IT, health information exchanges, and health information networks would do well to stay abreast of these developments and take proactive steps to comply with the information blocking regulations. In fact, on a March 12, 2024 blog post, National Coordinator for Health IT Micky Tripathi previewed new provisions that would be proposed in HTI-2, stating “We expect to propose new provisions to support information sharing by deterring the occurrence of information blocking. Any proposals would be responsive to what we are seeing across the care landscape and responsive to the evolution of information sharing since the Cures Act Final Rule was released, which finalized ONC’s information blocking framework to implement Section 4004 of the 21st Century Cures Act.”
We will continue to monitor developments with the information blocking regulations.
Blog Editors
Authors
Member of the Firm
Senior Counsel
Senior Counsel
