Devised by the Department of Health and Human Services as part of the 21st Century Cures Act, the information blocking and interoperability regulations became enforceable on April 5, 2021.
These new regulations set out what information blocking entails and states that penalties can be imposed when providers engage in practices that disrupt access, exchange, and the use of electronic health information (EHI). The final rule also gave patients additional rights in relation to their healthcare data and permits them to ask for it to be transferred to any application of their choosing.
For the next 18 months from April 5, 2021, the information blocking provision only applies to a restricted set of EHI listed in the US Core Data for Interoperability (v1). Core EHI incorporates clinical notes, immunization details, laboratory test results, medications, and other EHI. The initial 18-month grace period will help the regulated community familiarize themselves with the information blocking regulation before the full extent of the regulation’s definition of EHI comes into effect on October 5, 2022. Covered entities and business associates are urged to share all EHI if they are in a position to do so, and not limit sharing to the data represented by the USCDI until the final compliance date in 18 months.
As per the final rule, the deadline for data sharing has been amended from 30 days from the request being received to “without unnecessary delay.” There is an expectation to make EHI immediately available using the platform of the linked covered entity to allow that information to be downloaded. It is crucial for policies and procedures to be reviewed and updated to see to it that EHI can be obtained as quickly as possible, and not to go on operating with the 30-day deadline, which could now be classified as information blocking.
The final rule also grants patients the right to have their PHI sent to a mobile application. Covered entities and business associates can supply patients with their electronic health information, on request, with little manual effort via secure, standardized application programming interfaces (APIs). As with requests from other healthcare groups, for the first 18 months it is not a requirement to hand over complete records to patients’ chosen applications, only data represented by the USCDI.
As per the HHS HIPAA Right of Access enforcement initiative, the HHS has sanctioned 18 penalties for failures to supply patients with copies of their requested medical records in a timely fashion. The HHS may well begin enforcing compliance with the requirements of the final rule in a similar fashion.
The HHS’ Office for the National Coordinator for Health IT (ONC) will be working closely with the HHS’ Office of Inspector General over the coming weeks to implement the final enforcement rule, after which financial penalties can be sanctioned retrospective to the April 5, 2021 compliance deadline.