There seems to be a lot of confusion about who is subject to the prohibition on engaging in Information Blocking. Does it apply to everyone who is involved in the healthcare industry in any way? Is it only applicable to healthcare providers like physicians and hospitals? What about health insurance companies? We are being asked by a wide variety of individuals and organizations whether they are “covered” by the Information Blocking provisions. This post will try to provide clarity as to who is subject to this new regulation.
The Information Blocking Final Rule (the “Final Rule”)[1] makes clear that it regulates “Actors,” as that term is defined in the Final Rule. There are three broad categories of Actors: healthcare providers; health information networks (HINs); and developers of certified health IT. Let’s unpack these categories to see who is included.
Healthcare Providers
This one is pretty straightforward; a healthcare provider means anyone defined as a provider under the United States Public Health Services Act, 42 USC sections 300jj(3) (the “PHSA”). The list is far too long to include in this article, but it includes those that you would expect to be included, such as: hospitals, physicians, medical group practices, and long-term care facilities. However, the PHSA definition of a healthcare provider is much broader and includes some individuals/entities that might surprise you, including: EMS, blood centers, and therapists. The PHSA also expressly allows the HHS Secretary to expand the definition of a healthcare provider to add more categories of individuals or organizations. The take-away is this: If you or your organization is involved in the delivery of healthcare services in any manner, you should assume that you are an Actor for Information Blocking purposes unless and until you can consult with knowledgeable legal counsel and determine that you are not an Actor.
(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.[2]
The emphasis is on whether an organization has the ability to exercise some control over how technology is used to access, exchange, or use EHI. It does not matter what the organization calls itself, how it is legally structured, or even how it markets itself to the world. ONC does impose some limits on this very broad definition by requiring that an organization must be involved in access, exchange, or use of EHI among more than two unaffiliated individuals or entities that can exchange with each other. This means that an organization that simply pushes out EHI to others is unlikely to be considered an HIN for Information Blocking purposes. Also, the organization must be exchanging EHI for “treatment, payment, or healthcare operations” as defined by HIPAA, which further limits who will be considered an HIN.[3] Even with these restrictions, the Final Rule’s definition of HIN/HIE is extremely broad and can implicate organizations that do not think of themselves as HINs/HIEs.
It is also important to recognize that an HIN/HIE does not have to be a separate legal entity because the definition is a functional one. Consider this: A hospital operates a data exchange network to help clinicians have better access to timely electronic information for their patients by supporting electronic health information exchange. This network will almost certainly be considered to be an HIN/HIE for Information Blocking purposes in addition to the fact that the hospital is a healthcare provider. Why does this matter? HINs/HIEs are subject to Civil Money Penalties (“CMPs”) of up to $1M per Information Blocking violation, but healthcare providers are not subject to CMPs. So, the hospital may be surprised that its functioning as an HIN/HIE has exposed it to CMP liability.
Developers of Certified Health IT
The last category of Actors that are subject to the Information Blocking Final Rule is more straightforward. It applies to an individual or entity that develops or offers certified health information technology. Here is the definition of a developer from the Final Rule:
The key to this definition is that at least one product, or module, that the developer develops or offers must be certified by ONC. This is enough to make the developer an Actor and, importantly, the Information Blocking Rule will apply to all of the developer’s health IT products, even those that are not certified by ONC. This could come as a very unwelcome surprise for some developers. Another important thing to note is that an organization can be an Actor under this definition even if it only offers certified health IT. This means that an organization may be an Actor under the Final Rule because it merely offers a certified health IT product that another organization developed. This is part of the Information Blocking Final Rule that would definitely benefit from additional clarification by ONC. For now, if you are involved in offering any certified health IT, you should consider yourself to be an Actor unless/until you can rule that out.
[1] 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health Certification Program, 85 Fed. Reg. 25642 (May 1, 2020), available at: https://www.federalregister.gov/d/2020-07419.
[2] Final Rule at 25955-56.
[3] Although the HIN must exchange EHI for treatment, payment, or healthcare operations as defined under HIPAA, such exchange is merely a threshold requirement to meet the definition of an HIN/HIE for purposes of being an Actor. If an organization meets this definition of an HIN, then the Information Blocking prohibitions apply to the access, exchange, or use of EHI for any purpose.
[4] Final Rule at 25956.