The Cures Act and information blocking: Is your healthcare organization compliant?

The information blocking component of the 21st Century Cures Act took effect April 5 of this year. The rule prohibits information blocking and promotes health information interoperability and patient access to records. Healthcare providers and health IT developers of certified health IT and information networks are among the entities, referred to as “actors,” that must comply with the information blocking requirements.

Information blocking defined

Information blocking refers to practices that prevent access, exchange, or use of electronic health information (EHI). Eight exceptions to the rule exist, include:

1. Preventing harm
2. Privacy
3. Security
4. Infeasibility
5. Health IT performance
6. Content and manner
7. Fees
8. Licensing

For instance, an organization can limit the content of information in fulfilling a request to exchange EHI and can charge fees to access EHI, and these wouldn’t necessarily be considered information blocking.

What to know about the information blocking rule

Healthcare organizations should understand which of their team members has ownership for compliance around this regulation, evaluate activities that have occurred to become compliant with the rule, and inquire about actions planned for ongoing compliance. Legal, IT, and information privacy staff from across the organization should take part in these discussions.

Organizations should also review policies that address requests for access, exchange, or use of patient medical information. This is particularly important for situations where patients or their nonclinical caregivers are requesting electronic information.

Internal audit and compliance leaders should consider testing for compliance or consider including auditing these factors on audit plans.

Penalties for noncompliance with the information blocking rule

Actors may be investigated by the Department of Health and Human Services Office of Inspector General if they’re the subject of an information blocking claim. Penalties for noncompliance can be costly:

• Health IT developers of certified health IT, health information networks, and health information exchanges may be subject to civil monetary penalties up to $1 million per violation.
• Healthcare providers may be subject to disincentives, to be established by the government.

Conclusion

The information blocking rule is in effect and comes with potential costly penalties for noncompliance. Various electronic medical/health record companies used by many health systems and medical groups have adjusted system configurations and processes to support compliance. Even with the support of technology companies, healthcare organizations should understand what’s been done to comply with the rule and develop actions needed around any remaining gaps.