On August 5, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) published the Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) Proposed Rule in the Federal Register to update its Health IT Certification Program (Certification Program) requirements and amend the information blocking regulations that ASTP issued under the 21st Century Cures Act.

This On the Subject discusses the proposed changes to the information blocking regulations, which include new exceptions intended to offer regulated actors certainty that they can restrict information sharing in certain circumstances where the restrictions would protect patients’ access to care or honor an information sharing partner’s preferences for how much electronic health information (EHI) is made available to the partner, when and under what circumstances. ASTP also proposed adoption of certain certification criteria and standards for payer-focused application programing interfaces (APIs).

The deadline for submitting comments to ASTP regarding the proposed rule is October 4, 2024, at 5:00 pm EDT.

For more background on these issues, see our previous articles:

• A Special Report on ASTP’s final information blocking regulations adopted in 2020.
• An On the Subject about ASTP’s amendments to those regulations as part of the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule.

In Depth

KEY PROPOSED CHANGES TO THE INFORMATION BLOCKING REGULATIONS

• The proposed rule would codify examples of certain practices that ASTP believes constitute an interference with EHI and may need to meet an exception to the information blocking prohibition.

• The proposed new protecting care access exception would allow actors meeting certain conditions to limit EHI sharing to reduce a risk of exposing patients, providers or persons who facilitate reproductive health care to legal action based on the mere fact that they sought, obtained, provided or facilitated lawful reproductive health care.

• The proposed new requestor preferences exception would permit an actor to tailor access, exchange or use of EHI to a requestor’s preference if the practice meets certain conditions.

INFORMATION BLOCKING PROHIBITION

Under the current regulations, information blocking means a practice by a health IT developer of certified health IT (certified health IT developer), health information network or health information exchange (HIN/HIE), or health care provider (collectively, actors) that, except as required by law or covered by an exception adopted by ASTP, is likely to interfere with access, exchange or use of EHI, and:

• If conducted by a certified health IT developer or HIN/HIE, is a practice that such certified health IT developer or HIN/HIE knows, or should know, is likely tointerfere with, prevent or materially discourage access, exchange or use of EHI.

• If conducted by a health care provider, is a practice that the provider knows is unreasonable and is likely to interfere with, prevent or materially discourage access, exchange or use of EHI.

INTERFERENCE

The current information blocking regulations define “interfere with” or “interference” to mean “to prevent, materially discourage, or otherwise inhibit.” The proposed rule would add a new section to codify a nonexclusive list of specific practices that ASTP believes constitute interference for purposes of the information blocking prohibition. ASTP has previously identified practices that it believes may interfere with access, exchange or use of EHI in the form of Frequently Asked Questions.

ASTP proposes to codify the following practices as interference:

• Delay on new access. Delaying patient access to new EHI, such as diagnostic test results, so the actor’s clinicians or other representatives can review the EHI.

• Portal access. Delaying patient access to EHI in a portal when the actor has the EHI and the actor’s system has the technical capability to support automated access, exchange or use of the EHI via the portal.

• API access. Delaying the access, exchange or use of EHI to or by a third-party app designated and authorized by the patient, when there is a deployed API able to support the access, exchange or use of the EHI.

• Non-standard implementation. Implementing health information technology in ways that are likely to restrict access, exchange or use of EHI with respect to exporting EHI, including exports for transitioning between health IT systems.

• Contract provisions. Negotiating or enforcing a contract provision that restricts or limits otherwise lawful access, exchange or use of EHI.

• Noncompete provisions in agreements. Negotiating or enforcing a clause in any agreement that prevents or restricts an employee (other than the actor’s employees), a contractor or a contractor’s employee who accesses, exchanges or uses the EHI in the actor’s health IT from accessing, exchanging or using EHI in other health IT in order to design, develop or upgrade such other health IT. This proposal is intended to address conditions on access to EHI in an actor’s health IT that are unrelated to security or privacy laws and are anticompetitive.

• Manner or content requested. Improperly encouraging or inducing requestors to limit the scope, manner or timing of EHI requested for access, exchange or use.

• Medical images. Requiring that access, exchange or use of any medical images (e.g., x-rays) occur by exchanging physical copies or copies on physical media (e.g., thumb drive) when the actor and the requestor possess the technical capability to access, exchange or use the images through fully electronic means.

• Omissions:
  • Not exchanging EHI under circumstances in which such exchange is lawful.
  • Not making EHI available for lawful use.
  • Not complying with another valid law enforceable against the actor that requires access, exchange or use of EHI.
  • A certified API developer (as defined in the certification program regulations) failing to publish API discovery details as required by the maintenance of certification requirements.
  • A health care provider or other API information source (as defined in the certification program regulations) failing to disclose to the certified API developer the information necessary for the certified API developer to publish the API discovery details required by the certification program regulations.

ASTP also identifies practices that it believes are unlikely to interfere with the access, exchange and use of EHI in the proposed rule preamble, but not in its proposed amendments to the information blocking regulations. For example, ASTP states that it would unlikely be an interference for qualified health information networks, participants or sub-participants to comply with required provisions of the common agreement and the incorporated terms of participation and standard operating procedures, respectively.

AMENDED INFORMATION BLOCKING EXCEPTIONS

ASTP proposes to revise certain existing information blocking exceptions.

Privacy Exception

The privacy exception under the current information blocking regulations provides that an actor’s denial of a request to access, exchange or use EHI to protect an individual’s privacy is not information blocking when the denial satisfies at least one of the privacy exception’s sub-exceptions. ASTP proposes to amend certain of the sub-exceptions:

• Unreviewable Grounds Sub-Exception. One sub-exception allows denial of an individual’s request for EHI consistent with the “unreviewable grounds” for denial of access under the HIPAA Privacy Rule’s right to access protected health information in a designated record set. The unreviewable grounds are intended to address certain public policy objectives separate from privacy, such as when a health care provider provides treatment in the course of clinical research. ASTP proposes to broaden the applicability of the sub-exception so that it is available to any actor responding to a request for EHI where the circumstances for unreviewable grounds apply, and not just to actors that are also HIPAA covered entities or business associates.

• Individual’s Request Not to Share EHI Sub-Exception. Another sub-exception permits an actor to deny a request for access, exchange or use of EHI to respect an individual’s request not to share EHI if certain requirements are met. ASTP proposes to amend the existing sub-exception so that any practice that meets the requirements of the sub-exception would not be considered information blocking even if no law requires the actor to disclose EHI against the individual’s expressed wishes.

Infeasibility Exception

The current information blocking regulations’ infeasibility exception provides that a denial of a request to access, exchange or use EHI due to the infeasibility of the request is not information blocking when the denial meets one of the exception’s infeasibility conditions. The denial also must meet the timeframe of the exception’s responding to requests condition, which requires the actor to respond to the requestor in writing with the reasons why the request is infeasible within 10 business days of receipt of the request.

ASTP proposes to revise certain infeasibility conditions and to make the responding to requests condition more flexible:

• Segmentation Condition. The segmentation condition of the infeasibility exception allows an actor to deny a request to access, exchange or use EHI because the actor cannot unambiguously segment the requested EHI from other EHI that cannot be made available because of an individual’s preference, because the EHI cannot be made available by law or because the EHI may be withheld under the preventing harm exception to the information blocking prohibition. ASTP proposes to expand the segmentation condition to allow for denial of access when EHI cannot be segmented from EHI that may be withheld under the privacy exception or the proposed protecting care access exception discussed below.

• Third Party Seeking Modification Use Condition. One of the current infeasibility exception conditions allows an actor to deny a request if the request is to enable use of EHI to modify EHI, provided that the request is not from a health care provider requesting such use from an actor that is its business associate. ASTP proposes to revise the condition so that it is unavailable to requests by any HIPAA covered entity (and not only HIPAA-covered health care providers) requesting a modification use from an actor that is its business associate. ASTP also proposes to extend the exclusion so that the third party seeking modification use condition would not apply where a health care provider that is not a HIPAA covered entity requests modification use from an actor that would be the provider’s business associate if the provider were a HIPAA covered entity.

• Responding to Requests Condition. ASTP proposes to revise the responding to requests condition to offer actors a more flexible response timeframe where the reasons for infeasibility are consistent with the infeasibility exception’s manner exception exhausted or infeasible under the circumstances conditions. Under the proposal, the actor could satisfy the responding to requests condition by:
  • Determining, without unnecessary delay and based on a reasonable assessment of the facts, that the requested access, exchange or use cannot be provided in accordance with the manner exception or is infeasible under the circumstances; and
  • Informing the requestor with a written response indicating the reason for infeasibility within 10 business days of the actor’s determination.

According to ASTP, the revised condition would allow the actor, within 10 days of receiving a request, to initiate good-faith collaborative engagement with the requestor to discuss the potential infeasibility of the request as received and potentially feasible alternative ways to achieve EHI sharing. When discussions and negotiations reach a result other than successful fulfillment of access, exchange or use of EHI for the requestor, the revised condition would require the actor to provide the requestor with a written response indicating the reason for infeasibility within 10 business days of the actor’s determination of infeasibility or the discontinuation of discussions.

PROPOSED NEW INFORMATION BLOCKING EXCEPTIONS

The proposed rule includes two new information blocking exceptions.

Protecting Care Access

The proposed protecting care access exception would, under specified conditions, allow actors to limit EHI sharing to reduce a risk of potentially exposing patients, providers or persons who facilitate care to legal action based on the mere fact that they sought, obtained, provided or facilitated lawful reproductive health care. The proposed exception is intended to address the changed legal landscape for patients seeking, and for health care providers providing, reproductive health care, resulting from the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Under the proposed exception, an actor’s practice to reduce potential exposure to legal action would not be information blocking when the practice satisfies the exception’s threshold condition and also satisfies either the exception’s patient protection condition or the care access condition.

• Threshold Condition. To meet the threshold condition, a practice must meet the following requirements:
  • Good Faith Belief. The practice is undertaken based on the actor’s good faith belief that persons seeking, obtaining, providing or facilitating reproductive health care are at risk of being potentially exposed to legal action that could arise as a consequence of particular access, exchange or use of specific EHI, and that specific practices likely to interfere with such access, exchange or use of such EHI could reduce that risk.
  • Tailoring. The practice is no broader than necessary to reduce the risk of potential exposure to legal action that the actor in good faith believes could arise from the particular access, exchange or use of the specific EHI.
  • Implementation. The practice is implemented either consistent with an organizational policy or pursuant to a case-by-case determination meeting certain requirements.

• Patient Protection Condition. When an actor implements a practice to reduce the patient’s risk of potential exposure to legal action, the practice must:
  • Affect only the access, exchange or use of specific EHI the actor in good faith believes could expose the patient to legal action because the EHI shows, or would carry a substantial risk of supporting a reasonable inference, that the patient obtained reproductive health care; inquired about or expressed an interest in seeking reproductive health care; or has any health conditions or history for which reproductive health care is often sought, obtained or medically indicated.
  • Be subject to nullification by an explicit request or directive from the patient that the access, exchange or use of the specific EHI occur despite the risks to the patient that the actor has identified.

• Care Access Condition. When implemented to reduce the risk of potential exposure to legal action for one or more licensed health care professionals, other health care providers, or other persons involved in providing or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, the practice must affect only access, exchange or use of specific EHI that the actor believes could expose care providers and facilitators to legal action because the information shows, or would carry a substantial risk of supporting a reasonable inference, that they provide or facilitate, or have provided or facilitated, reproductive health care.

Requestor Preferences Exception

The proposed requestor preferences exception permits an actor to tailor access, exchange or use of EHI to a requestor’s preference if the practice meets the following conditions:

• Request. A requestor, without any improper encouragement or inducement by the actor, requests in writing that the actor:
  • Limit the scope of EHI made available for access, exchange or use by the requestor;
  • Delay provision of access, exchange or use by the requestor of particular EHI health information until a condition specified by the requestor (such as passage of a particular event or completion of an action) has been met; or
  • Delay provision of access, exchange or use by the requestor of particular EHI for a specified period of time.

• Implementation. The actor’s practice must be tailored to the specific request and implemented in a consistent and nondiscriminatory manner.

• Transparency. The actor must explain to the requestor in plain language, verbally or in writing, what tailoring the actor will implement. The actor also must notify, verbally or in writing, any requestors of changes in the actor’s ability to maintain tailoring. To satisfy this condition, the actor must, at a minimum:
  • Explain to the requestor what tailoring the actor will implement and how that will impact what EHI will be available to the requestor and when, or under what conditions EHI will be available to the requestor;
  • Upon experiencing any change in operational status, technical capabilities or other circumstances affecting the actor’s ability or willingness to maintain particular tailoring of EHI, make reasonable efforts to promptly notify each requestor for which the actor had implemented the affected tailoring; and
  • Contemporaneously document in writing any verbal explanation or notice to the requestor.

• Reduction or Removal. An actor must act on any subsequent request from the requestor who previously requested scope, condition or timing tailoring of the requestor’s EHI access, exchange or use to reduce or remove restrictions as promptly as feasible.

[View source.]