ONC’s Proposed Info-Blocking Rule Includes Broad Exceptions

February 20, 2019 | Eric D. Fader | Electronic Health Records | HIPAA | Hospitals | Legislation and Public Policy

The Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services both recently released proposed rules regulating so-called information blocking, the practice of interfering with the exchange of electronic health information (EHI). Information blocking, a violation of HIPAA, occurs most commonly when a healthcare provider terminates its relationship with an electronic health records vendor or when a provider does not share requested patient information with the patient or another provider in a timely manner.

The ONC first drew attention to the practice in a 2015 report and describes it on the healthit.gov website. The ONC’s new 724-page proposed rule, issued to encourage interoperability and support the prohibition on information blocking in 2016’s 21st Century Cures Act, provides for substantial fines for violations of the prohibition. Some industry commentators, however, have questioned whether the rule’s proposed exceptions are overly broad.

While the rule encourages freer disclosure of EHI, the exceptions recognize that there must still be some flexibility when the keeper of the EHI believes, in good faith, that the information should be withheld for HIPAA or other reasons. Since the rule cannot specifically describe all possible scenarios, some of the proposed exceptions (in particular, the exception for “infeasibility”) appear broad or vague as written. However, the language of the exceptions will likely be revised somewhat in response to public comments, and the ONC will undoubtedly issue further interpretive guidance and FAQs in the future as it deems necessary.

Providers and vendors should be aware that although the proposed rule creates a presumption that EHI must be shared, the underlying privacy and security protections mandated by HIPAA remain. Parties will still be required to conduct risk assessments to identify risks and vulnerabilities related to proposed releases of EHI.

Share this article:
show more

Get legal updates and news delivered to your inbox