What is electronic health information (EHI)?

The information subject to the information blocking rule will change over time as the industry prepares for full compliance.

USCDI

Until Oct. 5, 2022, EHI is limited to the data elements included in the U.S. Core Data Interoperability (USCDI) standard, version 1. The USCDI differs from and replaces the Common Clinical Data Set (CCDS) standard – most notably through the addition of clinical notes – that is referenced in ONC’s existing certification criteria for certified health IT.

EHI

As of Oct. 6, 2022, EHI is defined as electronic protected health information (ePHI) included in a designated record set – in other words, ePHI to which a patient has a right of access. Although this definition draws upon key concepts and definitions from HIPAA, it applies regardless of whether HIPAA applies.

What are the exceptions?

There are eight exceptions to the information blocking rule, which can be broken down into two categories: (1) exceptions that involve not fulfilling requests to access, exchange, or use EHI and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

Must regulated actors license their intellectual property to requestors of EHI?

No, but operationalizing a compliance strategy that protects investments in health IT will require advance planning and discipline. Regulated actors cannot assert ownership rights to the EHI itself, which belongs to the patient. Furthermore, licenses to interoperability elements—proprietary data formats, processing mechanisms, and exchanges—must be offered on nondiscriminatory and competitively neutral terms. In other words, these terms must be based on objective and verifiable criteria that are uniformly applied and not related to the requestor’s intended use of the EHI.

How will the information blocking rule be enforced?

Enforcement of the rule will depend on the type of regulated actor, and many of the details are yet to be finalized.

Health care providers could be subject to appropriate disincentives to be determined in future rulemaking by the Department of Health and Human Services (HHS). Additionally, the Centers for Medicare & Medicaid Services (CMS) will publicly report eligible clinicians, hospitals, and critical access hospitals that may be information blocking based on their attestation to certain Merit-based Incentive Payment System (MIPS) and Promoting Interoperability Program requirements, starting with 2019 performance year data.

Developers of certified health IT, HINs, and HIEs could be subject to civil monetary penalties (CMPs) up to $1 million per violation levied by the HHS Office of Inspector General (OIG), as well as separate enforcement by ONC related specifically to certified health IT.

OIG is scheduled to publish its final rule implementing information blocking CMPs in August 2021. Enforcement of information blocking CMPs will not begin until the CMP rule is final. Further, the OIG will exercise enforcement discretion such that conduct occurring before the CMP rule is final will not be subject to information blocking CMPs.

About the authors

Nancy Bonifant Halstead is a partner in the firm’s Life Sciences Healthy Industry Group. She focuses her practice on the intersection of health care and technology, in particular on digital health compliance, privacy, and interoperability strategies.

Vicki J. Tankle is an associate in the firm’s Life Sciences Health Industry Group. Her practice focuses on advising health industry clients on regulatory, enforcement and transactional matters, with a focus on health information, privacy, tech, and data.

Lauren M. Bentlage is an associate in the firm’s Life Sciences Health Industry Group. She advises clients in the health care industry on regulatory compliance, enforcement, and privacy issues and, more recently, has focused on the interoperability and information blocking rules.