On December 13, 2023, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule entitled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing” and known as “HTI-1” (Final Rule). Among other issues addressed in the Final Rule, ONC revised the information blocking rules to add clarity and to create a new information blocking exception. We outline these changes in further detail below. The information blocking provisions of the Final Rule will be effective 30 days after it is published in the Federal Register.

1. Definition of “Offer Health IT”

Under the information blocking regulatory framework, health IT developers of certified health IT are held to a higher standard with respect to information blocking and are subjected to higher potential penalties for information blocking than health care providers. As set forth in current regulations, the term “health IT developer of certified health IT” is defined to include individuals or entities that offer certified health IT, which ONC previously explained includes making such certified health IT available for purchase or license. As a result of this definition and interpretation, many health care providers (e.g., large hospitals) that make their ONC-certified electronic health record (EHR) system available to community physicians may be health IT developers of certified health IT for purposes of the information blocking regulations, and thus subjected to higher potential penalties for information blocking violations.

In the Final Rule, ONC adds a regulatory definition for the terms “offers health information technology” and “offers health IT,” and further describes scenarios in which an individual or entity will not be deemed to offer health IT. The new definition provides that to offer health IT means:

“to hold out for sale, resale, license, or relicense; or to sell, resell, license, relicense, or otherwise provide or supply [ONC-certified health IT] for deployment by or for other individual(s) or entity(ies) under any arrangement [except as provided below].”

The definition goes on to specifically describe three categories of activities that are excluded from the definition. First are arrangements where an individual or entity donates or subsidizes the funding for a health care provider’s acquisition, augmentation, or upkeep of health IT. In its commentary, ONC draws a distinction between these funding arrangements (which will not meet the definition of offer health IT), and arrangements where an individual or entity re-licenses or otherwise makes available the health IT itself to a health care provider, which would meet the definition. This distinction means that many EHR donation arrangements between hospitals and physicians will continue to result in the donating hospital being deemed a health IT developer of certified health IT for purposes of the information blocking regulations.

The second category of excluded activities includes issuing log-in credentials to an entity’s employees, health care providers performing services at the entity, and to public health authorities; implementing production instances of APIs to support access, exchange, and use of electronic health information (EHI); and implementing online portals for patients, clinicians, and certain other individuals to access, exchange, and use EHI.

Third and finally, certain consulting and legal services will be excluded from the definition of offer health IT.

2. New TEFCA Manner Exception

In general, the information blocking exceptions provide conditions that must be met for certain conduct by an actor (as defined under the information blocking regulations) to not be considered information blocking. Under the Final Rule, a new exception is added that applies when an actor will only fulfill requests for access, use, or exchange of EHI by way of the Trusted Exchange Framework and Common Agreement (TEFCA). To satisfy this TEFCA Manner Exception, both the actor and requestor must be part of TEFCA and the requestor must be able to access, use, or exchange EHI via TEFCA. Furthermore, the request for access, exchange, or use must not be via API standards certified by ONC, and to the extent fees are charged or interoperability elements licensed, the actor must comply with the Fees Exception and Licensing Exception, as applicable.

3. Modifications to the Infeasibility Exception

The Final Rule adds two new conditions to, and modifies an existing condition of, the Infeasibility Exception. The first new condition (entitled “Third Party Seeking Modification Use”) allows an actor to refuse a request by a third party to use EHI in order to modify it unless the request for modification is from a health care provider to its business associate.

The second condition (entitled “Manner Exception Exhausted”) permits an actor to not fulfill a request to access, exchange, or use EHI where each of the following is met: (a) the actor could not come to an agreement with the requestor as provided in the Content and Manner Exception (renamed under this Final Rule as the “Manner Exception”) or was technically unable to fulfill the request; (b) the actor offered two alternative manners of access, use, or exchange as provided in the Manner Exception, one of which must be either the use of ONC-certified technology or content and transport standards published by the federal government or an ANSI-accredited organization; and (c) the actor does not provide the requested access, use, or exchange to a “substantial number” of third parties that are similarly situated to the requestor. Further, the actor must not discriminate based on health care provider type and size, on whether the requestor is an individual, or on whether the requestor is a competitor.

Currently, an actor may decline to fulfill a request to access, use, or exchange EHI if it cannot do so “due to” certain uncontrollable events, such as a natural disaster or public health emergency (and the other applicable conditions of the exception are met). ONC modifies this condition to clarify that the uncontrollable event must in fact negatively impact the actor’s ability to fulfill the request for access, use, or exchange of EHI. ONC explains that the mere occurrence of, for example, a public health emergency would not allow an actor to satisfy this exception; instead, the particular uncontrollable event would need to be the cause of the actor’s inability to fulfill the request.

4. Modifications to the Content and Manner Exception

The current Content and Manner Exception includes a provision permitting actors to respond to requests for access, use, or exchange of EHI with the USCDI v1 data elements; however, this provision applied only to requests prior to October 6, 2022. Accordingly, ONC revises this exception to remove this obsolete provision and renames the exception the “Manner Exception.”

Conclusion

The Final Rule makes several other conforming changes to the information blocking rules, including removal of other references to the USCDI v1 data elements. Beyond information blocking, the Final Rule implements a number of other provisions of the 21st Century Cures Act, addresses issues such as algorithm transparency for predictive artificial intelligence and updates to ONC’s certification standards for health information technology, and creates an “Insights Condition” as a condition of certification for developers of certified health information technology.

Members of the health care community would be well-served by reviewing the updated information blocking rules, as well as other relevant portions of the Final Rule to determine whether they need to undertake any actions to comply with the Final Rule.

This post was authored by Nathaniel Arden and is also being shared on our Health Law Diagnosis blog.