21st Century Cures Act

The Office of the National Coordinator: Interoperability and Information Blocking Final Rule Overview for Psychiatrists

When Congress passed the 21st Century Cures Act in 2016, it included in it Section 4004, which specifies certain practices that could constitute information blocking. From the Office of the National Coordinator for Health Information Technology (ONC) web site, these include:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using Electronic Health Information;
  • Implementing health IT in ways that are likely to—
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
    • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

In 2019, ONC released a 1,200+ page proposed rule outlining how these provisions within 21st Century Cures were to be enforced. While there are facets of the rule that will ultimately be beneficial to psychiatrists and patients alike, APA submitted a letter to the Administration detailing a number of concerns, especially around the new definition of electronic health information ("EHI") and the various information blocking provisions and their exceptions.

In May 2020, the ONC released its Final Rule for 21st Century Cures. An overview of the Rule, its complete text, and various Fact Sheets can be accessed here.

Who Does it Affect?

The Final Rule affects those who the ONC defines as "actors." These include healthcare providers, Health IT developers of Certified Health IT, and Health Information Exchanges (HIEs) and Health Information Networks (HINs). Naturally, as physicians, psychiatrists are included in the definition of healthcare provider; however, you can view a full list of healthcare providers and their operational definitions here.

The Final Rule: Key Takeaways

In the Final Rule, ONC defines some key terms, including "electronic health information," (EHI) which updates the general definition of "protected health information" (PHI) under HIPAA. The rule outlines "information blocking," or those activities that are considered likely to interfere with the access, exchange, or use of EHI, by actors.

For developers of EHRs, the Rule also provides guidance on how they must comply with these information blocking provisions as a "Condition of Certification" for their health IT software (as well as guidance on how to maintain that certification). Additionally, the Rule also modifies guidance on health IT developer product development and testing, and imposes limitations on business practices, including contracts and fees that they charge when clients request their data (e.g., when a doctor wants to migrate their patient records to a new EHR system).

Finally, HHS also creates eight exceptions to information blocking (detailed below) for when actors cannot or should not exchange EHI with other actors or with patients.

What is "Electronic Health Information" (EHI)?

HHS defines electronic health information, or EHI, to mean electronic protected health information (ePHI) as defined in HIPAA, to the extent that ePHI would be included in a designated record set (see below on what will be required to be shared). Like in HIPAA, the definition of ePHI in this record set provides certain exceptions, including psychotherapy notes, as well as information that is assembled or collected for litigation. Deidentified data (e.g., such as de-identified patient data collected for research purposes) is excluded from the definition of EHI.

What is required to be shared?

For the first 6 - 24 months after the publication of the Rule in the Federal Register (May 2020), developers and other "actors" are required to share data included within the United States Core Data for Interoperability (USCDI v1.0) standard, which replaces the well-known Common Clinical Data Set (CCDS) that is embedded within many electronic health record systems, but most notably those that are Certified Electronic Health Record Technology (CEHRT) by the ONC. You can find a complete list of these in the Certified Health IT Products List (CHPL). If you participate in CMS' Merit-Based Incentive Payment System and use a CEHRT, chances are, you are already using a system that will be adopting USCDI as developers comply with the Rule.

For the first 24 months, the USCDI alone is considered to be EHI, as defined above, under the Final Rule. After the first 24 months, "EHI" will be considered ePHI, or electronic protected health information (ePHI) as the term is defined for HIPAA, regardless of whether the records are used or maintained by or for a covered entity. So, health data shared via third party data-collecting services, such as those shared via mobile apps into the EHR, will be considered ePHI by May 2022.

What is included in the USCDI?

You can view a complete listing of data captured within the USCDI here. Note that, under the HIPAA Privacy Rule, the patient has always had the right to inspect or request their record. With respect to ePHI and the Final Rule, all of the data elements listed under the USCDI is now required to be shared (within a certain timeframe, and with certain exceptions—detailed below), upon request. This includes progress notes, but not psychotherapy notes. Psychotherapy notes should be stored separately (electronically in a designated "psychotherapy notes" section of EHR and/or physically) from the rest of the medical record. If you are uncertain as to what information, per the definition of HHS, should be included within progress versus psychotherapy notes, you can read more about that here.

What are the Exceptions to Information Blocking?

There are eight exceptions to information blocking in the final rule, which are divided into two categories: (1) exceptions that involve not fulfilling requests to access, exchange, or use EHI, and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. The full Fact Sheet can be read here, but in sum, the eight exceptions are:

Exceptions that involve not fulfilling requests to access, exchange, or use EHI

Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual's privacy, provided certain conditions are met. For example: abiding by 42 CFR Part 2 the law and regulations governing the confidentiality of substance use disorder patient records.

Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

While the exceptions seem straightforward, there are a number of key conditions within each exception that must be met in order for the actor using them to qualify for that exception. Again, refer to the Fact Sheet for more information on these key conditions. Also note that ONC intends to handle these exceptions on a case-by-case basis.

What is the Timeline for Compliance?

Currently, there is a staggered timeline around implementation of the Final Rule. You can view the high level and complete timelines here. The first deadline is technically November 2nd, which focuses on actors being required to share information with those who request it, without engaging in "information blocking." Because of the COVID-19 public health emergency, the ONC released an interim Final Rule on October 29, 2020, stating that it has pushed back the compliance timeline around information blocking to April 5, 2021. More information can be found here .

Many compliance dates with respect to using new technology to comply with the Rule are as far out as 24 and 36 months into the future. These dates reflect developers' programming new technology so that the software has the ability to export full EHI, and for systems to be able to use open "application programming interfaces," or APIs, which is how, for example, mobile apps share health data with doctors through the EHR.

Additionally, the Office of the Inspector General (OIG) has indicated that it will not enforce the information blocking requirements in the ONC Final Rule until the OIG itself issues a final rule about civil monetary penalties (CMPs) with respect to information blocking. Furthermore, OIG has further indicated that the forthcoming rule will around CMPs will only apply to certified health IT developers and not healthcare providers; instead, a separate rule will be issued sometime in late 2021 around what penalties may look like for healthcare providers who engage in information blocking.

Healthcare providers should also note that some of the exceptions to information blocking may help them with compliance. For example, the Infeasibility Exception to information blocking includes the following condition of use: Uncontrollable events: The actor cannot fulfill the request for access, exchange, or use of electronic health information due to a natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunication or internet service interruption, or act of military, civil or regulatory authority. Thus, it stands to reason that for the duration of the PHE declared by HHS, a healthcare provider could use this exception to information blocking—but note that APA does not necessarily recommend this course of action, and each provider should make the determination on a case-by-case basis for each request.

Another exception, the Content and Manner Exception, might also be used when contemplating the compliance timeline. The Manner condition to be met, per the ONC, is: An actor may need to fulfill a request in an alternative manner when the actor is (1) technically unable to fulfill a request in any manner requested or (2) cannot reach agreeable terms with the requestor to fulfill the request. So, if someone requests data contained within the USCDI using technology that's incompatible with the physician's ability to fulfill the request, this might meet the condition of this exception (but the physician would still have to find an alternative way to fulfill the request). Again, APA is not recommending or endorsing this course of action, and each physician must make their own determination on a case-by-case basis for each request.

Note that the above information is a very broad summary of the key elements of the Final Rule. The Rule itself is very complex, and APA will be advocating on behalf of the needs of its members for whom complying with the Rule may result in significant administrative and financial burden. If you have any questions, please contact practicemanagement@psych.org.

Additional Resources

CHIME Interoperability Toolkit