The U.S. Department of Health and Human Services (HHS) recently proposed a new rule to support the access, exchange, and use of electronic health information (EHI). The proposed rule encourages the adoption of standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured EHI using smartphone applications. This facilitates a patient's ability to access their health information by requiring that patients be able to electronically access all of their EHI for free. It also implements the information blocking provisions of the Cures Act.
The rule gives seven exceptions to the definition of information blocking (proposed at 45 CFR 171.201–207). If an actor (a healthcare provider, HIT developer, or HIE or network) satisfies one or more exception, their actions would not be treated as information blocking and they would not be subject to civil penalties and other disincentives under the law. These seven exceptions are outlined below (this information based on the CMS fact sheet found here).
1. Preventing Harm (§ 171.201)
An actor may do what is reasonable and necessary to prevent physical harm to a patient or someone else, if they have a reasonable belief that the action will directly and substantially reduce the likelihood of physical harm. In each case, the practice must implement an organizational policy that meets certain requirements or must be based on an individualized assessment of the risk.
2. Promoting the Privacy of EHI (§ 171.202)
An actor may act to protect the privacy of EHI, but only if satisfying one of the following four sub-exceptions:
- practices that satisfy preconditions prescribed by privacy laws
- certain practices not regulated by HIPAA but which implement documented and transparent privacy policies
- practices that are specifically permitted under HIPAA
- practices that give effect to an individual's privacy preferences.
Actors are not required to provide access, exchange, or use of EHI in a manner that is not permitted under the HIPAA Privacy Rule. General conditions apply to ensure that practices are tailored to the specific privacy risk or interest being addressed and implemented in a consistent and non-discriminatory manner.
3. Promoting the Security of EHI (§ 171.203)
An actor may implement measures to promote the security of EHI, but only if the action is directly related to safeguarding the confidentiality, integrity, and availability of EHI. An action falling under this exception must be tailored to specific security risks and must be implemented in a consistent and non-discriminatory manner. It must implement an organizational security policy that meets certain requirements or must be based on an individualized determination regarding the risk and response in each case.
4. Recovering Costs Reasonably Incurred (§ 171.204)
An actor may recover costs reasonably incurred, in providing access, exchange, or use of EHI. Fees must be:
- charged on the basis of objective and verifiable criteria uniformly applied to all similarly situated persons and requests
- related to the costs of providing access, exchange, or use
- reasonably allocated among all customers that use the product/service
Fees must not be based on anti-competitive or other impermissible criteria. Certain costs would be specifically excluded from coverage under this exception, such as costs that are speculative or subjective, or costs associated with electronic access by an individual to their EHI.
5. Responding to Requests that are Infeasible (§ 171.205)
An actor may decline to provide access, exchange, or use of EHI in a manner that is infeasible. This exception is only satisfied if complying with the request must impose a substantial burdenthat is unreasonable under the circumstances (taking into account size, resources, etc.). The actor must respond in a timely way to infeasible requests and work with requestors to provide a reasonable alternative means of accessing the EHI.
6. Licensing of Interoperability Elements on Reasonable and Non-discriminatory Terms (§ 171.206)
An actor that controls technologies or other interoperability elements that are necessary to enable access to EHI will not be information blocking so long as it licenses such elements on reasonable and non-discriminatory terms. The license can impose a reasonable royalty but must include appropriate rights so that the licensee can develop, market, and/or enable the use of interoperable products and services. The terms of the license must be based on objective and verifiable criteria that are uniformly applied and must not be based on impermissible criteria.
7. Maintaining and Improving Health IT Performance (§ 171.207)
An actor may make health IT under its control temporarily unavailable in order to perform maintenance or improvements. The health IT may only be unavailable as long as is necessary to achieve the maintenance or improvements. In circumstances when health IT is supplied to an individual or entity, the individual or entity (customer) must agree to the unavailability of the health IT.
The public comment period is recently closed for this proposed rule. Any updates based on comments received will be published with the final rule in the Federal Register. If you still have questions about MIPS and/or the QPP, check out our free Resource Library, or subscribe to weekly blog posts (featuring tons of helpful content like this) from the Healthmonix Advisor!