There seems to be a lot of confusion about who is subject to the prohibition on engaging in Information Blocking. Does it apply to everyone who is involved in the healthcare industry in any way? Is it only applicable to healthcare providers like physicians and hospitals? What about health insurance companies? We are being asked by a wide variety of individuals and organizations whether they are “covered” by the Information Blocking provisions. This post will try to provide clarity as to who is subject to this new regulation.

The Information Blocking Final Rule (the “Final Rule”)[1] makes clear that it regulates “Actors,” as that term is defined in the Final Rule. There are three broad categories of Actors: healthcare providers; health information networks (HINs); and developers of certified health IT. Let’s unpack these categories to see who is included.

Healthcare Providers
This one is pretty straightforward; a healthcare provider means anyone defined as a provider under the United States Public Health Services Act, 42 USC sections 300jj(3) (the “PHSA”). The list is far too long to include in this article, but it includes those that you would expect to be included, such as: hospitals, physicians, medical group practices, and long-term care facilities. However, the PHSA definition of a healthcare provider is much broader and includes some individuals/entities that might surprise you, including: EMS, blood centers, and therapists. The PHSA also expressly allows the HHS Secretary to expand the definition of a healthcare provider to add more categories individuals or organizations. The take-away is this: If you or your organization is involved in the delivery of healthcare services in any manner, you should assume that you are an Actor for Information Blocking purposes unless and until you can consult with knowledgeable legal counsel and determine that you are not an Actor.

Health Information Networks
We have seen an explosion of data sharing networks in the U.S. over the past 15 years. Nearly 100% of U.S. hospitals and the vast majority of medical practices have Electronic Medical Records (EMRs). The federal government has also invested hundreds of millions of dollars to develop data sharing networks and incentivize their use by healthcare providers. These networks are generically referred to as health information networks (HINs) or health information exchanges (HIEs), but there is tremendous diversity in how these networks are organized and operated. The HHS Office of the National Coordinator for Health Information Technology (ONC) recognizes this diversity in the Final Rule by adopting what ONC calls a “functional definition” of HINs and HIEs. In other words, ONC decided to focus on what an organization actually does with EHI rather than what the organization calls itself. The Final Rule defines an HIN/HIE as:

[A]n individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and

(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.[2]

The emphasis is on whether an organization has the ability to exercise some control over how technology is used to access, exchange, or use EHI. It does not matter what the organization calls itself, how it is legally structured, or even how it markets itself to the world. ONC does impose some limits on this very broad definition by requiring that an organization must be involved in access, exchange, or use of EHI among more than two unaffiliated individuals or entities that can exchange with each other. This means that an organization that simply pushes out EHI to others is unlikely to be considered an HIN for Information Blocking purposes. Also, the organization must be exchanging EHI for “treatment, payment, or healthcare operations” as defined by HIPAA, which further limits who will be considered an HIN.[3] Even with these restrictions, the Final Rule’s definition of HIN/HIE is extremely broad and can implicate organizations that do not think of themselves as HINs/HIEs.

It is also important to recognize that an HIN/HIE does not have to be a separate legal entity because the definition is a functional one. Consider this: A hospital operates a data exchange network to help clinicians have better access to timely electronic information for their patients by supporting electronic health information exchange. This network will almost certainly be considered to be a HIN/HIE for Information Blocking purposes in addition to the fact that the hospital is a healthcare provider. Why does this matter? HINs/HIEs are subject to Civil Money Penalties (“CMPs”) of up to $1M per Information Blocking violation, but healthcare providers are not subject to CMPs. So, the hospital may be surprised that its functioning as an HIN/HIE has exposed it to CMP liability.

Developers of Certified Health IT
The last category of Actors that are subject to the Information Blocking Final Rule is more straightforward. It applies to an individual or entity that develops or offers certified health information technology. Here is the definition of a developer from the Final Rule:

[A]n an individual or entity, other than a health care provider that self-develops health IT for its own use, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).[4]

The key to this definition is that at least one product, or module, that the developer develops or offers must be certified by ONC. This is enough to make the developer an Actor and, importantly, the Information Blocking Rule will apply to all of the developer’s health IT products, even those that are not certified by ONC. This could come as a very unwelcome surprise for some developers. Another important thing to note is that an organization can be an Actor under this definition even if it only offers certified health IT. This means that an organization may be an Actor under the Final Rule because it merely offers a certified health IT product that another organization developed. This is part of the Information Blocking Final Rule that would definitely benefit from additional clarification by ONC. For now, if you are involved in offering any certified health IT, you should consider yourself to be an Actor unless/until you can rule that out.

Conclusion
The Information Blocking Rule does not apply to everyone, but its scope is very broad. Healthcare providers are almost guaranteed to be Actors. Organizations that are involved in the exchange, access, or use of EHI among more than two unaffiliated entities should assume that they are HIN/HIE Actors until they can definitively rule out that they are not an Actor. If your organization develops or offers any certified health IT, then your organization is an Actor. Given the significant penalties that Actors face, you should assume that you are an Actor unless you can definitively rule out being an Actor with the assistance of qualified legal counsel.

Download a copy of this post


[1] 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health Certification Program, 85 Fed. Reg. 25642 (May 1, 2020), available at: https://www.federalregister.gov/d/2020-07419.
[2] Final Rule at 25955-56.
[3] Although the HIN must exchange EHI for treatment, payment, or healthcare operations as defined under HIPAA, such exchange is merely a threshold requirement to meet the definition of an HIN/HIE for purposes of being an Actor. If an organization meets this definition of an HIN, then the Information Blocking prohibitions apply to the access, exchange, or use of EHI for any purpose.
[4] Final Rule at 25956.