The impact of the Cures Act's new information blocking regulations

As many in the health care community are still grappling with the COVID-19 pandemic, and many have been operating under current Health Insurance Portability and Accountability Act (“HIPAA”) liability waivers and national emergency exceptions to current regulations, compliance with privacy regulations with respect to health information may seem inconsequential. However, as patient care and well-being are at the forefront, now is a good time to review your current privacy practices and information security policies to ensure that you are in compliance with those provisions of the information blocking regulations that went into effect on April 5, 2021. The full information blocking regulations set forth in Title IV of the 21st Century Cures Act (the “Cures Act”), issued by the Office of National Coordinator for Health IT (“ONC”), are set to go into effect in October 2022. As of April 5, 2021, the information blocking regulations prohibit “actors” from engaging in information blocking practices—interfering with, preventing, or substantially discouraging the use, access, and exchange of electronic health information (“EHI”).

As defined in the information blocking regulations, an “actor” is any individual or entity that is a (i) health care provider, (ii) developer of health IT, (iii) health information network, and/or (iv) health information exchange. There is no duty for “actors” to proactively make EHI available, but actors must not engage in information blocking practices in response to a legal request for EHI. EHI includes electronic protected health information (“ePHI”) as defined in HIPAA, if such ePHI is maintained in a HIPAA designated record set (“DRS”). However, unlike HIPAA, the new information blocking regulations do not apply to handwritten or verbal health data.

For now, EHI subject to the information blocking rules has been limited to data classes and elements specified within version 1 of the U.S. Core Data for Interoperability. Once the full regulation goes into effect in October 2022, EHI will include the entire DRS. ONC officials have expressed their hope that this 18-month grace period would allow actors to become accustomed to the new information blocking regulations as well as understand the exceptions outlined in the regulations. There are several exceptions to the information blocking regulations that an actor may rely on if such actor chooses not to respond to a legal request for access, use, or exchange of EHI, provided that certain conditions and elements for each exception are met.

The Office of Inspector General (“OIG”) is the body that will investigate any claims of information blocking. Developers of health IT, health information networks, and health information exchanges could face up to $1,000,000 in penalties per violation. Penalties for health care providers remain unclear as the Department of Health and Human Services (“HHS”) is set to propose “disincentives” to prevent health care providers from engaging in information blocking practices.

In addition to reviewing current privacy policies and practices with respect to sharing EHI, actors may also want to consider reviewing their current list of vendors and health information technology systems to ensure that their information infrastructure will allow the easy flow of EHI as well as protect the transfer of such data.

As a health care provider in particular, you should be reviewing your current business associate agreements and making any necessary amendments to comply with these new regulations. As regulators continue to press for the improvement of overall patient care, providers and others in the health care space will have to continue to embrace health care technologies that make the legal sharing of EHI less burdensome. There should also be a renewed interest in cybersecurity and in ensuring that your current risk management systems and practices have the necessary safeguards in place, as cyberattacks against those with access to private health care information have been on the rise over the past few years.
