On December 13, 2023, the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule to update ONC Health IT Certification Program requirements and amend the information blocking regulations that ONC issued under the 21st Century Cures Act (Cures Act). The HTI-1 final rule substantially finalizes policies that ONC proposed in the HTI-1 proposed rule. This On the Subject discusses the final rule’s information blocking provisions, which are intended to support the sharing of electronic health information (EHI), but also include new and expanded exceptions to the information blocking prohibition applicable to health IT developers of certified health IT (certified health IT developers), health information network or health information exchanges (HIN/HIEs) and health care providers (collectively, actors). The HTI-1 final rule becomes effective 30 days after publication of the final rule in the Federal Register.
We will release separate publications discussing ONC’s changes to the certification criteria and standards. For more information about ONC’s final information blocking regulations adopted in 2020, see our Special Report.
KEY CHANGES TO THE INFORMATION BLOCKING REGULATIONS
INFORMATION BLOCKING PROHIBITION
Under the regulations adopted by ONC in 2020, information blocking means a practice that, except as required by law or covered by an exception adopted by ONC, is likely to interfere with access, exchange or use of EHI and meets one of the following criteria:
For an initial period (before October 6, 2022), the EHI within the definition of information blocking was limited to the data elements represented in the US Core Data for Interoperability version 1 standard. Since October 6, 2022, EHI for purposes of the information blocking definition has meant all protected health information to the extent it would be included in an electronic designated record set as such terms are defined by the Health Insurance Portability and Accountability Act (HIPAA). The HTI-1 final rule did not change the current definition but did remove the now-obsolete language that applied prior to October 6, 2022.
DEFINITIONS OF “CERTIFIED HEALTH IT DEVELOPER” AND “OFFER HEALTH IT”
The certified health IT developer category of actors includes individuals or entities that “offer” certified health IT, but do not themselves develop certified health IT or take responsibility for the certification of health IT under the Health IT Certification Program.
The HTI-1 proposed rule included a proposed definition of “offer health IT” to clarify what arrangements would cause an individual or entity to become a certified health IT developer. The HTI-1 final rule adopts substantially the same definition as proposed but with wording changes intended to improve clarity. As finalized, offer health IT means to hold out for sale, resale, license, or relicense or to sell, resell, license, relicense or otherwise provide or supply health IT that includes one or more certified health IT modules for deployment by or for other individuals or entities except for certain excluded arrangements.
The excluded arrangements that would not constitute an offer are certain:
The exclusion for health IT donation and funding subsidy arrangements is potentially valuable for health systems and other health care providers that subsidize independent physician practices’ and hospitals’ purchase or license of certified EHRs under the Stark Law’s EHR donation exception and the Anti-Kickback Statute’s EHR donation safe harbor. However, ONC states in the preamble that the exclusion from the offer health IT definition would not apply when an actor licenses or otherwise provides a health IT item or service itself to a recipient.
The scope of the definition (including its exclusions) is important for health systems and other health care delivery organizations that may operate as a health care provider category of actor in most cases, but potentially act as a certified health IT developer actor in other instances by offering health IT to third parties. The category of actor impacts the knowledge standard under the information definition and the potential liability for information blocking violations. If the subsidizing providers are deemed to be certified health IT developers as offerors, they can be held liable for civil monetary penalties for any information blocking under the Cures Act. For more information about the final rule implementing the Cures Act provisions authorizing the HHS Office of Inspector General to impose civil monetary penalties for information blocking violations, see our Special Report. If the subsidizing providers are instead health care provider actors, they can be held liable for appropriate disincentives after HHS finalizes its appropriate disincentives proposed rule. For more information about HHS’s appropriate disincentives proposed rule, see our On the Subject.
EXPANSION OF THE INFEASIBILITY EXCEPTION
The information blocking regulations include the infeasibility exception to allow an actor’s practice of denying a request to access, exchange or use EHI due to the infeasibility of the request, provided that both of the following apply:
The final rule amends the uncontrollable events condition in the infeasibility exception and adds two new conditions: one to allow an actor to deny a third party seeking modification use of EHI; and a second to allow an offer to deny a request for access, exchange or use after exhausting alternative manners offered under the manner exception. The final rule does not change the previously finalized conditions for segmentation and infeasibility under the circumstances.
Uncontrollable Events Condition
The uncontrollable events condition permits an actor’s practice of not fulfilling a request to access, exchange or use EHI that is infeasible for the actor to fulfill as a result of an event (e.g., a disaster or public health emergency) listed in the condition. The final rule revises the text of the condition to clarify that the mere fact that an uncontrollable event occurred is not sufficient for an actor to meet the condition. Instead, there must be a causal connection between the actor’s inability to fulfill a request and the uncontrollable event.
Third Party Seeking a Modification Use Condition
ONC finalized a new infeasibility condition that allows an actor to deny a request to provide the ability for a third party (or its application or other technology) to modify (e.g., create, write or delete) EHI maintained by or for a health care provider or other entity that has deployed health IT, provided that the request is not from a health care provider requesting such use from an actor that is its business associate (as defined by HIPAA). The final condition is the same as ONC’s proposed condition except for a non-substantive editorial change to shorten the text. The new condition addresses concerns by some certified health IT developers and other actors that there are not established standards for data modification use cases and that the modification of EHI by third parties may cause data integrity and security issues.
Manner Exception Exhausted Condition
ONC finalized a new manner exception exhausted condition under the infeasibility exception that permits an actor to deny a request for access, exchange or use of EHI after offering at least two alternative manners in accordance with the Content and Manner Exception (which ONC renamed the “Manner Exception” and to which ONC made technical amendments). According to the HTI-1 final rule preamble, ONC intends for the new condition to address some actors’ concerns about requests that require an actor to divert substantial technical, human or financial resources toward “new, unique or unusual manners of supporting access, exchange or use of EHI” and away from scalable, consensus standards-based solutions.
On the other hand, ONC appears less receptive to concerns of third-party application developers and software-enabled or data-enabled service providers that some actors unfairly make available nonstandard application programming interfaces (APIs) and other interoperability elements to preferred requestors while denying substantially the same interoperability element to requestors that have developed competitive products or are otherwise disfavored.
To satisfy the new manner exception exhausted condition, the actor must be unable to fulfill a request based on the following three factors:
The manner exception exhausted condition also provides that in determining whether a requestor is similarly situated for purposes of the condition, an actor must not discriminate based on the following criteria:
The prohibition on delineating entities based on size and type contrasts with the fees and licensing exceptions frameworks, which would permit groupings of similarly situated customers based on size and type for purposes of administering costs and licensing terms.
TEFCA EXCEPTION
The HTI-1 final rule includes a new TEFCA manner exception that allows an actor to limit the manner in which it fulfills a request to access, exchange or use EHI to only via TEFCA. The final exception is a standalone exception instead of the proposed rule’s proposed manner condition to the manner exception and includes some substantive changes in response to comments to the proposed rule.
TEFCA originates from Section 4003 of the Cures Act, which required ONC to convene stakeholders to develop or support a national trusted exchange framework and common agreement for the exchange of health information between health information networks. Over the last several years, ONC has worked with stakeholders and its recognized coordinating entity, the Sequoia Project, to develop the Common Agreement for Nationwide Interoperability, the Qualified Health Information Network Technical Framework and other framework documents. Through its framework documents, TEFCA outlines a common set of principles, terms and conditions to enable nationwide exchange of EHI. On December 12, 2023, the first Qualified Health Information Networks (QHINs) were designated by The Sequoia Project on behalf of ONC, marking the start of information exchange via TEFCA.
Under the TEFCA manner exception, an actor’s practice of limiting the manner in which it fulfills a request for access, exchange or use of EHI to only via TEFCA will not be considered information blocking when the practice meets the following conditions:
ACTION ITEMS
The HTI-1 final rule will have a significant impact on the information sharing activities of a broad cross-section of the health care industry. Impacted organizations should consider taking the following steps in response to the final rule:
All Actors (Health Care Providers, Certified Health IT Developers, HIN/HIEs)
Certified Health IT Developers and HIN/HIEs
Health Care Providers
If you have questions about how the final rule affects your organization, please contact: Kristen O’Brien, Rachel Stauffer, Daniel F. Gottlieb (McDermott Will & Emery–Partner), James A. Cannatti III (McDermott Will & Emery–Partner), Karen S. Sealander (McDermott Will & Emery–Counsel), Alya Sulaiman (McDermott Will & Emery–Partner) or Scott A. Weinstein (McDermott Will & Emery–Partner).