March 12, 2020

ONC and CMS Release Final Rules on Interoperability, Info-Blocking

On March 9, 2020, the U.S. Department of Health and Human Services (HHS) released two final rules to implement the interoperability-related provisions of the 21st Century Cures Act (Cures) and related policies including the American College of Radiology® (ACR®)-supported expansion of HHS Office of Inspector General (OIG) authority to investigate and penalize anticompetitive, information-blocking behaviors.

CMS Final Rule

The final rule by the Centers for Medicare and Medicaid Services (CMS) focuses on requirements for CMS-regulated payers to make various payer-managed data accessible to patients via standards-based, application programming interfaces. CMS’s objective is to enable patients to use third-party apps to access their relevant cost data, in-network provider directories and certain other information collected or maintained by these payers.

CMS’s rule also establishes these public reporting and notification requirements:

  • A public listing of those providers who do not have up-to-date digital contact information in the National Plan and Provider Enumeration System;
  • Public reporting of providers with negative information-blocking attestations in CMS’s Promoting Interoperability programs;
  • New requirements for hospitals to send electronic patient event notifications of a patient’s admission, discharge or transfer to another provider; and
  • Other secondary requirements.

ONC Final Rule

 The final rule by the HHS Office of the National Coordinator for Health IT (ONC) makes several modifications to its Health IT Certification Program, including updates to the 2015 Edition Certification Criteria and implementation of Conditions and Maintenance of Certification requirements for developers of certified health IT modules. Most importantly, the ONC’s final rule implements components of the “information-blocking” mandate from the Cures Act including key definitions and conditions for exceptions.

The information-blocking prohibitions are designed to deter behaviors by providers, developers of certified health IT and health information networks/exchanges (HINs/HIEs) that are likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information (EHI) for treatments or other permitted purposes.

The scope of EHI will initially be limited for a 24-month transition period to minimal data elements included in the U.S. Core Data for Interoperability.

EHI’s scope would then expand to include all electronic Protected Health Information included in the designated record set as defined by HIPAA rules. The ONC defined the conditions and criteria for the following eight reasonable and necessary “exceptions” to behaviors that could otherwise constitute information blocking, provided certain conditions specified in the rule are met:

  • Preventing Harm Exception: Preventing harm to a patient or another person
  • Privacy Exception: Protecting an individual’s privacy
  • Security Exception: Protecting the security of EHI
  • Infeasibility Exception: The request to access, exchange or use EHI is infeasible
  • Health IT Performance Exception: Measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT (e.g., during maintenance or when a third-party app is negatively impacting performance)
  • Content and Manner Exception: Limiting the content of response to a request to access, exchange or use EHI or the manner in which it fulfills a request to access, exchange or use EHI
  • Fees Exception: The exception provides specifications and conditions around acceptable fees for the access, exchange or use of EHI
  • Licensing Exception: This exception provides specifications and conditions around acceptable practices for licensing interoperability elements that enable EHI to be accessed, exchanged or used

Moving forward, the HHS OIG will initiate a rulemaking soon to establish the enforcement paradigm and implement the associated civil monetary penalties for developers of certified health IT and HINs/HIEs. Investigations and penalties for developers of certified health IT will not be limited to conduct specific to their certified products.

Providers’ information-blocking disincentives will be handled differently, using authorities under applicable federal law (e.g., through existing HHS programs).

The ACR will follow up with additional information. ACR members with questions about these rules or the resources linked below should contact Michael Peters, ACR director of legislative and regulatory affairs.

CMS Resources

ONC Resources