In Part 2 of eHealth Legal Pulse's Information Blocking Series, Steve explains how an actor can violate the Information Blocking Rule. In Part 1, Steve covered the definition of information blocking and who exactly is considered to be an actor under the Rule. Now, he shifts into what actors need to be concerned about, as well as exceptions to the Rule.
In Part 2 of eHealth Legal Pulse's Information Blocking Series, Steve explains how an actor can violate the Information Blocking Rule. In Part 1, Steve covered the definition of information blocking and who exactly is considered to be an actor under the Rule. Now, he shifts into what actors need to be concerned about, as well as exceptions to the Rule.
00:05
Hello, and welcome to Ehealth Legal Pulse, where we talk about the intersection of law and policy in the digital healthcare space. I'm your host, Steve Gravely. Today's discussion is part two of our information blocking series.
00:27
Hello, everybody. We're back. So today we're going to focus on the information blocking definition of practices. In other words, how does an actor violate the information blocking rule? As a practical matter, previously we've talked about what's the definition of information blocking? We've talked about who the actors are. And so now we're going to shift into, okay, so you're an actor. What do you have to worry about? What do you have to be concerned about? And that takes us right into this concept of practices. It's a common word, but a strange term in this context because the information blocking final rule really regulates practices. So the final rule defines a practice as anything that an actor does or fails to do. Not very helpful, right? Yeah, I agree. It's an omission or a commission. So a commission under the law is something that someone actually does.
01:51
You commit a crime, you commit an action. An omission is something that you fail to do. And so ONC says you can violate the information blocking rule by either affirmatively doing something or failing to do something that you should have. So, okay, that's very broad. Let's drill down on that a little bit. And in the proposed rule, ONC actually gave us about 42 different examples of things that it was worried about might be an information blocking practice. Before we sort of get into talking about some of those, let's sort of step back and see what else ONC has said about practices that might create problems under information blocking. And just a little bit of shorthand. When we talk about practices that might create a problem under information blocking, I like to use the term implicit. And so we'll talk about people will often ask me questions, well, does X, Y, and Z constitute an information blocking violation?
03:23
And my answer usually is, well, X, Y, and Z certainly implicate information blocking, but let's talk through whether that might be considered a violation, and we'll do some of that later in a future podcast. But for now, I want to talk about the X, Y, and Z, if you will. So any practice and just remember always a practice can be something that an actor actually does, a commission, or something they fail to do. So any practice that restricts authorized access, exchange, or use under applicable state or federal law for either treatment or other permitted purposes, that should be a violation. In other words, it would implicate information blocking. And so one way to think about this is if you have a policy or procedure that restricts authorized individuals from either getting access to Ehi, exchanging or sharing Ehi or using Ehi consistent with applicable law, either for treatment or some other permitted purpose under applicable law, then that might implicate information blocking.
05:03
So I think it's important to note that the focus really is on building barriers to individuals who have the proper authorization. Maybe it's the patient that wants access to their record, maybe it's a qualified representative of the patient that wants access to their information. Maybe it's another healthcare provider that has a relationship with the patient and that provider needs access to their information for treatment. And so it should be really anyone that has the appropriate permission to have access to an individual's Ehi. Because remember, the information blockchain final rule regulates Ehi, and we talked about that in a previous podcast. So interfering or preventing access, exchange or use, let's unpack that. Well, access just means that you can actually have the ability to see the Ehi. Remember, we're talking about electronic information here, so we're not talking about going in and sitting down in a cubicle and opening a folder, everything's virtual.
06:35
So we're talking about access to electronic information. But if you can't open a file, or if you can't even get a link to a file, or if the actor won't provide you with a PDF or with access to a portal, then you have no access. All right? So access literally means that you have the ability to get to the Ehi that you're seeking. Exchange is a sharing, information sharing, plain and simple. Perhaps you're not actually trying to open up and see all of my Ehi. Perhaps your role in the process is that you're requesting that the actor share the information with you so that you can pass it on to your end users. This is where ha n come in, or health data utilities come in, or other third parties, maybe an app where the app itself is just the conduit. Well, that's exchange, right?
07:51
And that's covered by information blocking use of Ehi. Now, use is defined pretty broad. You might think, well, use, all that means is reading it is reading the Ehi or consuming it, if you want to use that metaphor. But no, the information blocking rule defines use to specifically include the ability to modify the Ehi, to delete the Ehi, or to create new Ehi. So when you think about use under Ehi, you have to kind of really stretch your mind and realize that use is a very broad term itself. So anything that interferes with or prevents and the way I'd like to say is prevention. If you prevent someone from accessing Ehi, that's the most severe form of interference. You've literally blocked them from having access to the Ehi. So if you think about interference on a spectrum from just making it a little bit hard one end all the way up to denial on the other, denial is definitely sort of at the far extreme of interference.
09:21
But if you interfere with or prevent someone who has permission from accessing, exchanging or using Ehi, well then that is going to implicate ehi. Now, so far we've really focused on sort of traditional approaches to the information blocking definition. But remember that one category of actor under information blocking are software developers of certified, certified health It and those that offer certified health It. Another group of practices is aimed directly at those developers and it talks about developing health It in nonstandard ways because that can be a practice in and of itself. Why? Well, because if you develop health it and you design it so that it's non standard, it's not using accepted industry standards, then that means that whoever wants to interface with your health it system is probably going to have to do some special effort, either some custom programming or maybe purchase that from you for a price or jump through some other hoops in order for their system to be able to get the Ehi from your system.
11:08
If they develop or use their Health It in non standard ways, that's a practice which could interfere with or prevent access, exchange, or use of Ehi. That doesn't mean it's automatically a violation, but we have to talk about the rest of the definition, what's the intent, is it required by law and does it meet one of the exceptions? But we'll get to that later. Right now we're focusing on do you meet the threshold test on whether this is a practice? And even if your health It is standard, in other words, it complies with the generally accepted standards in the industry. You might still implement that It in ways that still implicate information blocking. For example, you might decide to restrict the way in which you export Ehi. And exporting of Ehi is a hot topic because we know that healthcare providers and other customers change vendors with some regularity.
12:28
And as they transition from one vendor to the next, they want all of their accumulated electronic information that's in their old system to be exported out to their new system. And if the old vendor makes that difficult, that implicates information blocking. Again, I'm not saying it's an automatic violation, but it certainly implicates information blocking. So that's the idea of a practice. Now, as I said in the proposed rule, ONC listed 42 different things that could be a practice. And in the final rule, they didn't take any of those out. They actually added a couple. And we're not going to walk through all 42 of them. I mean, you can find them yourself. They're on the ONC website on the Gravely Group website. Under our Information Blockchain Resources, we actually have them listed as part of our White Paper series. And so you can find them.
13:41
But the point I want to make here in this podcast is just how broad the list is. For example, they talk about contracts that a developer might have with its customer that imposes restrictions on how that customer uses the system. They talk about contracts that provider actors have with their vendors that might try to prevent a vendor from cooperating with other vendors to make information transmissible for an individual patient. They talk about contract that provider actors or developer actors might have with app developers that attempt to extort fees from those app developers for access to the provider's systems. They talk about, within actor organizations policies and procedures that are maybe not intended to, but they have the effect of interfering with access, exchange, or use of Ehi. Policies and procedures absolutely can create barriers to access, exchange, or use of Ehi. And if they do, then they have to be carefully evaluated to determine are they required by law?
15:15
Do they meet one of the exceptions? If not, then you may have to change those policies and procedures. Now, you and I know that today modern healthcare organizations have thousands of policies and procedures, and not all of them are going to implicit information blocking because not all of them deal with access, exchange, or use of Ehi, but many of them do. ONC also talks about charging fees for access, exchange, and use of Ehi and how those fees could implicate information blocking. Now, there is a fees exception, but just because there's a fees exception, that doesn't mean that everyone's fees are okay. The exception doesn't say that, we'll talk about that later, but don't fall into the trap of thinking, well, I can charge whatever I want, any way I want because there's a fees exception. No, the fees exception is very rigorous. So fees are a practice.
16:27
Licensing terms are a practice. You may have software, and in order for someone else to access, exchange, or use Ehi that's in your system, you may require that they agree to end user terms or an end user licensing agreement at Eula or some other type of terms. And those licensing terms that you require them to agree to as a precondition to access, exchange, or use Ehi, those are absolutely practices that implicate the information blocking rule. Are they a violation? Can't say that right out of the box. They're not per se illegal, but they might be improper if they interfere with or prevent access, exchange, or use of VHI. And that was actually your intent. And the licensing terms are not required by law or they don't meet the licensing exception. So I think hopefully you're starting to get a picture of how this works. Some people, when I talk to them, some people throw up their hands and say, well, you're telling me that everything I do is a violation.
17:48
I say, well no. So let me try again, because that's not what I said, and I'm sorry that's what you heard. Not everything you do is an information blocking violation. We're only talking about practices, specific actions or inactions that interfere with or prevent access, exchange, or use of Ehi. Are there a large number of them? Sure. But is it everything that you do? No, of course not. Now, this sort of gets us into the topic of intent. And I do want to speak to that because it's very closely aligned with this notion of practices. The information blocking statute that was passed by Congress as part of the 21st Century Cures Act and the information blocking final rule promulgated by ONC both make it clear that information blocking is an intent based statute. In other words, you're not going to accidentally violate the information blocking rule.
19:07
You have to have the intent. Now, that's really important because that means that you may in fact be engaging in a practice. In fact, I would dare say, if you're listening to this podcast and you are an actor, ODS are pretty good that today your organization is in fact engaged in a practice, either an act or a mission, that interferes with access, exchange, or use of Ehi. That doesn't mean, though, that you've automatically violated the rule because it's not a per se rule, it's an intent based rule. And so what your knowledge was at the time is going to be critical. Now, since nothing is ever easy in healthcare, we have a couple of different knowledge standards. If you are a developer type of actor, or if you are an HIE Hi N type of actor, then you should violate the information blocking rule. If you either knew or you should have known using reasonable care, that your practice was likely to interfere with the access, exchange, or use of Ehi by whoever it is that's requesting it.
20:53
Again, it could be a patient, it could be an attorney, it could be another provider. That doesn't really matter. So knew or should have known. Now, what does that mean? Well, for us lawyers, it means a lot. It means not only actual knowledge, but imputed knowledge. In other words, the OIG investigating the complaint doesn't have to show that you, as the actor, intentionally implemented a practice that would interfere, or is likely to interfere with access, exchange, or use of VHI. Certainly, if they find that evidence, then yeah, that's a probable violation. But they don't have to do that. They only have to show that you should have known that what you were doing was likely to interfere with access, exchange, or use of Ehi. Should have known is a much lower bar for the government to prove. In trying to prove that the government can look at what do other actors in the industry do?
22:10
Are there standards that are published? Are there FHQs that ONC has published? Are there prior enforcement actions that the OIG has taken that have been published that would have put you on notice about what is or isn't information blocking? All of that goes into the analysis of what should enact or have known using reasonable care. Now, healthcare providers get, I think, a pretty big break here. If you're a provider actor, the intent standard is different. The standard is that the provider actually knew actual knowledge that its practice was both unreasonable and likely to interfere with access, exchange, or use of Ehi. Now, that's a totally different standard. Let's break that down real fast. You had actual knowledge. In other words, the government has evidence that you understood that what you were doing or failing to do the practice was going to have an effect, a negative effect.
23:31
Now, the evidence for that could be anything. It should be meeting minutes. It should be notes, memorandum. It should be emails. It should be voicemails that have been preserved in the digital age. Nothing's ever lost, right? So, there's lots of ways to show what an actor actually knew. And I caution clients to not rely upon that as a defense. But the healthcare provider has to actually know that what they're doing is both unreasonable and likely to interfere, and the whole unreasonableness gets to what's the industry doing. And did you know that you were being an outlier? It's a pretty high bar for the government, I think, and it gives provider actors the ability to defend their actions, I think, on multiple fronts. You can say, well, I never did that in the first place, or, here's my documentation as to why I did it. That proves that I thought it was fair and reasonable.
24:43
Here are my reasons for doing it. I did not think that it was likely to interfere with access, exchange, or use of Ehi. All that evidence would be very relevant to present to the OIG to argue that, hey, I didn't have the requisite intent. If you're a provider actor, so I think it's often overlooked but is vitally important for every actor doesn't matter what kind you are for every actor to take the time to review their practices and ask the question, why are we doing this? And, Memorialize, why are we doing this? Because you may be able to create a record that would prove that you did not have the intent to engage information blocking. And if you can document that now before you're under investigation, that could be very compelling evidence to the OIG and ONC that you simply didn't have the intent that would constitute an information blocking violation.
25:57
Now, maybe ONC and OIG would tell you that's not really what you should be doing, okay? But if they can't prove that you had the requisite intent, then you shouldn't have to worry about the civil monetary penalties or whatever disincentives ultimately get adopted for providers. So this idea of practices and intent really important. It's often overlooked. People tend to want to jump to, hey, which exception can I use? Always tell them, hey, slow down. Take a minute, and let's talk about is what you're doing even a practice? And if it is, and it probably is, then what was your intent in doing that? All right. Hope you enjoyed this, and look forward to seeing you next time.
26:53
This is Steve Gravely, and you have been listening to Ehealth legal Pulse. You can subscribe to this podcast on our website, Gravely Group or on Spotify, follow us on LinkedIn, and be sure to share this podcast.
27:13
Thank you.