“Information Blocking”: Defined by the 21st Century Cures Act and Enforcement Delayed by COVID-19

The week of November 2, 2020 was notable for reasons beyond the electoral college map plastered on every news network. The healthcare industry was battling another large wave of COVID-19 infections, navigating unprecedented cybersecurity attacks, and anxiously awaiting word from Health and Human Services (HHS) and the Office of the National Coordinator for Health IT (ONC) about the updated compliance deadline for the information blocking provisions outlined in the 21st Century Cures Act (“Cures Act”).

In 2016, Congress passed the bipartisan Cures Act, which became Public Law after President Obama signed it into law on December 13, 2016. Among its many provisions, the Cures Act defined information blocking and delegated rulemaking authority to the Secretary of HHS, allowing the Secretary to establish “reasonable and necessary activities that do not constitute information blocking” activities.

In a section amended by the Cures Act, the Public Health Service Act defines information blocking broadly. Information blocking includes any practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use” of electronic health information (EHI). It also defines the requisite intent for health care providers and health information technology (HIT) developers, exchanges, and networks that engage in information blocking practices. If a health care provider “knows” that a practice “is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use” of EHI, the provider has engaged in information blocking practices. Similarly, if a HIT developer, exchange, or network “knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use” of EHI, they have committed information blocking.

While the amendment to the Public Health Service Act does not provide a comprehensive list of practices that constitute information blocking, it does specify that information blocking encompasses any practice which: 

1. restricts the “authorized access, exchange, or use” of information used in the treatment of patients;
2. uses HIT “in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using” EHI;
3. utilizes HIT in ways that will likely restrict the exportation of “complete information sets” or the transmission of patient information between HIT systems; and 
4. uses HIT in a way that “lead[s] to fraud, waste, or abuse, or impede[s] innovations and advancements in health information access, exchange, and use.”

If this definition still seems unclear, it is because information blocking “presents significant definitional challenges.” Research on the topic is often limited to anecdotal evidence, making it difficult to generalize and requiring more of an “I know it when I see it” approach. On the one hand, information blocking is sometimes motivated by genuine concern for patient safety and privacy reasons. For example, a health care provider may promise they will not share any mental health information without the patient’s consent to encourage honest conversation. On the other hand, the characteristics of the HIT market create financial incentives for health care actors to control the use and availability of health information, as this technology is often expensive and proprietary. Intuitively, one of these seems like information blocking while the other seems like a legitimate reason to withhold health information.

Recognizing these challenges, the 2015 ONC “Report on Health Information Blocking” outlined three basic criteria for information blocking practices. First, the practice must actually “interfere[ ] with the ability of authorized persons or entities to access, exchange, or use electronic health information.” Second, the decision must be made “knowingly,” meaning the decision was made notwithstanding the fact that it would likely “interfere with the exchange or use of electronic health information.” Finally, the information blocking label should be “reserved for conduct that is objectively unreasonable in light of public policy.” A decision that blocks information to protect patient privacy laws or advance other important policy interests is not unreasonable.

While the implementation of complex policy is understandably burdensome in the midst of a pandemic, utilizing technology in a way that furthers the free exchange of health information may be one of the best tools for fighting COVID-19—or any future outbreaks of novel diseases.

To further help the healthcare industry navigate this fine line, HHS and ONC released the much anticipated 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule on March 9, 2020. According to ONC, the rule reportedly “promotes patient access to their electronic health information, supports provider needs, advances innovation, and addresses industry-wide information blocking practices.” More specifically, it allows patients to access their healthcare data free of charge and outlines eight information blocking exceptions, including exceptions that align the information blocking provisions with the privacy protections in the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations.

Originally, the compliance deadline for the information blocking provisions was set for November 2, 2020. However, on September 17, HHS sent the Office of Management and Budget an interim final rule to extend the information blocking compliance date. Hospitals anxiously awaited news about the new deadline, as they could face fines for any violations once the compliance started ticking. The American Hospital Association, in a letter to HHS and ONC, explained that “the COVID-19 pandemic continues to monopolize our members’ time and attention, and has strained resources, drastically limiting our members’ ability to prepare for the November 2nd information blocking deadline.” Finally, on October 29, ONC released an interim final rule, which postponed the compliance deadline to April 5, 2021 to give “health IT developers and health care providers [the] flexibilit[y] to effectively respond to the public health threats posed by the spread of the coronavirus disease.”

While the implementation of complex policy is understandably burdensome in the midst of a pandemic, utilizing technology in a way that furthers the free exchange of health information may be one of the best tools for fighting COVID-19—or any future outbreaks of novel diseases. Thus, the information blocking provisions, implemented in a manner consistent with HIPAA’s privacy protections, should ultimately advance our ability to respond to a public health emergency in a timely and effective manner without sacrificing individual health privacy concerns.

Terrill Harris and Caroline Pope