The finalization of information blocking exceptions were announced just in the "St. Nick" of time by the U.S. Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP), formerly known as the Office of National Coordinator of Health Information Technology (ONC). The new Protecting Care Access exception (45 CFR §171.206) was finalized nearly on the eve of the Health Insurance Portability and Accountability Act (HIPAA) reproductive health information amendment implementation deadline of Dec. 23, 2024. With healthcare providers scrambling to implement this HIPAA requirement in compliance with information blocking, this final rule provides some relief.
Earlier this year, ASTP proposed a lengthy HTI-2 rule addressing changes in Health IT certification requirements and specific new information blocking exemptions, including the Protecting Care Access privacy exception and Trusted Exchange Framework and Common Agreement (TEFCA) exception (45 CFR § 171.403) The TEFCA exception, finalized earlier this year, was updated on Dec. 11. ASTP quickly announced two rules finalizing these exceptions. Both are intended to ease compliance by providers with the Information Blocking regulations.
TEFCA Manner Exception
Actors are required to provide access, use and exchange of electronic health information (EHI) in the manner requested by a permitted recipient unless one of the Manner exceptions apply (45 CFR § 171.301). HHS previously adopted an exception for TEFCA participants, "Exceptions that Involve Practices Related to Actors' Participation in The Trusted Exchange Framework and Common Agreement (TEFCA)" (45 CFR §§ 171.400-.403) as a variation of the Manner exception. The TEFCA exception allows Actors that participate in TEFCA to limit exchange of EHI to TEFCA when the exchange is with other TEFCA members.
TEFCA, initially released in January 2022, is intended to facilitate the exchange of EHI through common interoperability, policy and security standards within a health information network environment centered on trust through transparency and simplified interoperability standards. This private agreement structure between providers, health IT vendors and qualified health information networks (QHIN) is in its implementation stage, with onboarding and testing to continue through 2025 and full implementation targeted for late 2025 into 2026. The TEFCA exchange process provides for standardized consent processes, standard policies, required compliance with federal and state privacy laws to protect patient rights, and greater transparency between patients and providers. The final HTI-2 Rule finalized definitions previously proposed to further implement the Cures Act and provide greater transparency.
HTI-3 Final Rule
The HTI-3 final rule finalized revisions to the Privacy exception (45 CFR § 171.202) to address the conflict between the subexception related to an individual's request to restrict disclosure (45 CFR § 171.202(e)) and state laws mandating exchange, and revisions to the Infeasibility exception segmentation condition (45 CFR § 171.204(a)(2)) that expand this exception to all subexceptions under the Privacy exception and the new Protecting Care Access exception. Actors who are not able to unambiguously segment EHI that may be withheld under the Privacy or Protecting Care Access exceptions may restrict disclosure of EHI through this condition in the Infeasibility Exception.
The long-awaited Protecting Care Access exception has now been finalized to protect Actors against claims of information blocking when there is a delay or denial in the exchange of EHI that includes reproductive health information. With the Dec. 23, 2024, implementation deadline for the HIPAA amendment, the ASTP release should provide some relief to providers.
Protecting Care Access
The Protecting Care Access exception permits restriction of access, use or exchange of reproductive health information, addresses the inevitable delay associated with obtaining and verifying attestations required by HIPAA (45 CFR § 164.509) and reduces the risk of legal action against individuals seeking, obtaining, providing or facilitating lawful reproductive healthcare. HHS/ASTP adopted a definition of reproductive healthcare aligned with HIPAA's definition (45 CFR §160.103). This definition is impressively comprehensive, may include men as well as women and is not limited to providers that deliver reproductive health services. See Holland & Knight's previous alert, "Reproductive Healthcare Privacy Rule Brings New Requirements for All Providers," May 10, 2024.
The exception is based on a good faith standard. Actors who in good faith believe that sharing EHI containing reproductive healthcare information creates a risk of legal action against persons seeking, obtaining, providing or facilitating reproductive healthcare may rely on this exception to avoid claims of information blocking. HHS, in its Fact Sheet, has stated that the good faith standard is subjective and does not need to be accurate. In addition, good faith does not require any demonstration that an Actor has conducted tracking, analysis or legal research to support its good faith conclusion. The good faith standard should provide some administrative relief for overburdened healthcare providers who receive requests for EHI on Dec. 23, 2024, or thereafter.
Suggested Next Steps for Healthcare Providers
TEFCA Implementation
- Conduct a Readiness Assessment: Evaluate your current health IT infrastructure and processes to determine readiness for TEFCA implementation.
- Engage Stakeholders: Involve key stakeholders, including IT vendors, IT staff, legal counsel and clinical leaders in planning and decision-making processes.
- Develop an Implementation Plan: Create a detailed plan outlining the steps needed to integrate TEFCA standards, including timelines, resources and responsibilities.
- Invest in Training and Education: Provide training for staff on TEFCA requirements and the new workflows and systems that will be implemented.
- Enhance Data Privacy and Security Measures: Strengthen data privacy and security protocols to ensure compliance with TEFCA and protect patient information.
- Monitor and Evaluate: Continuously monitor the implementation process and evaluate the effectiveness of the new systems and workflows, making adjustments as needed.
Protecting Care Access Exception
- Stay Current: Update Information Blocking policies and exception documentation to add this new exception.
- Prepare Staff: Train healthcare information management, IT staff and others responsible for providing access and exchange of EHI on this new exception.
- Coordinate: Align with the HIPAA Reproductive Health Information policy.
- Track: Maintain documentation of circumstances on which the exception is relied.