.jpg)
eHealth Legal Pulse
In this captivating podcast series, "eHealth Legal Pulse," Steve Gravely, JD, MHA, a legal expert with three decades of experience advising healthcare organizations, leads thought-provoking discussions that explore the evolving landscape of healthcare data management in our swiftly transforming digital era.
Join Steve as he features a roster of industry experts from across the healthcare spectrum, each sharing their valuable insights and perspectives on a wide range of topics. Among these esteemed guests, Steve's son, Jon Gravely, MPH, Epidemiology, with his background in epidemiology and public health, occasionally joins the conversation as a special guest, offering a unique generational and professional perspective on select episodes.
Together, Steve and his guests offer a fresh and insightful take on the ethical considerations and best practices that underpin the responsible handling of healthcare data. Join us on this journey to navigate the complex intersection of law, ethics, technology, and public health in the world of eHealth.
eHealth Legal Pulse
Episode 1.2 - Information Blocking (Part 1)
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Episode 2 is all about information blocking and, more specifically, the federal law that now makes it illegal to engage in information blocking. Steve Gravely walks you through this highly complex topic. This is the first in a series, and this episode begins with a very basic introduction and sets the playing field for future discussions about information blocking.
00:05
Hello, everyone, and welcome to another episode of E Health Legal Pulse. I'm Steve Gravely. Nice to be with you again. So today we're going to begin to talk about information blocking, more specifically, the federal law that now makes it illegal to engage information blocking. I'll tell you what they all said. This is a very complicated topic, and we're going to have a large number of podcast sessions talking about information blocking, and we'll spread those out over the course of the near future. But today, we're going to begin with just a really basic introduction and level set. So the legal foundation for what folks refer to as the information blocking prohibition is found in the 21st century. Cures. C-U-R-E-S cures act that was passed by Congress and signed by then President Barack Obama in late 2016, just before President Obama left office. And Cures, as it's called, was a bipartisan bill, maybe one of the last truly bipartisan pieces of federal legislation that dealt with health care, certainly.
01:57
And it consolidated over a hundred different initiatives that all addressed health care and public health in America into a single bill. And part of Cures was prohibiting certain types of organizations from engaging information blocking practices. Now, this part of the Cures Act really came to light as a result of a 2015 report to Congress provided by the Office of the National Coordinator for Health Information Technology that is commonly referred to as ONC. The Health Information Technology part is left off because when folks, you started calling it On, C-H-I-T On Shit for those of us who speak less precisely than others, and I fall into that category sometimes, that came out as a profanity. So that name was pretty rapidly shortened to ONC, which is safe for everybody. And so, ONC was commissioned by Congress with doing a study of whether or not health information was being hoarded by healthcare providers, developers of health It, and health information networks.
03:55
And we'll unpack all of that, whether the information was being hoarded and used for proprietary or other self serving purposes. And that behavior became known as information blocking. So ONC did a study and reported to Congress in 2015. And you can easily Google that report and find it and read it, and it's a pretty serious indictment of the US. Healthcare system. And ONC found that there was compelling evidence that health information was not being shared in a way that at least ONC felt was appropriate in order to advance healthcare delivery and public health. So based upon that report, Congress then decided to intervene and make it clear that not sharing health information appropriately was against public policy of the United States and would, in fact, be considered illegal. Now, it's not a crime. Congress did not criminalize information blocking, but they did pass a law that says you shall not engage in practices that result information blocking.
05:42
And if you do, you will face some pretty serious penalties. But let's not get ahead of ourselves. So the legal basis for what we now call information blocking can be found in the 21st Century Cures Act. Okay? So then, pursuant to that law, congress directed the secretary of health and human services to develop regulations that would further clarify what is prohibited, as well as and this is really interesting as well as identify specific examples of information blocking that, while they clearly violate the law, they also serve a larger public purpose, and therefore, they are permitted. And these practices have come to be known as the information blocking exceptions. And it's always dwell on this, it seems maybe a little bit arcane, but when I teach classes and do webinars, I always remind the audience that these exceptions were first of all mandated by Congress, but more importantly, the exceptions.
07:21
And there are eight of them right now as of September 2023. There may be more in the future, we do not know. But all eight of these practices are activities that violate the information blocking prohibition. So on their face, they are information blocking. However, HHS has determined that they serve a greater public purpose and therefore they will not subject anyone who engages in them to penalties. I think that's an important framing and we'll touch on that as we move through in future podcasts each of the eight exceptions and their subparts. Okay, so what's information blocking? How is it defined? Well, it's defined really broadly and it's defined as a practice, and I'm using air quotes, although you can't see it. The word practice is in air quotes, a practice that interferes with the access, the exchange, or the use of electronic health information. That is the textbook definition of information blocking.
09:03
And then to build on that unless that practice is either required by law or fits within one of the eight exceptions. So let's unpack this because it's a really dense definition, but every part of it is really important. And so you may have sat through webinars, maybe ones that I've done, where we put the slide up on the screen and it's very text heavy and you've heard me say I know this is a lot of words, but this is one of those rare instances where every word is important. So I want to spend some time walking through this definition. So let's start and we're not going to go in from the top to the bottom in strict order because that actually isn't the best way to do it. Let's start with electronic health information Ehi. What in the heck is that? Well, that's what information blocking or the information blocking rule protects.
10:26
So Ehi is simply I say simply, it may not be simple to you. For those of us who live in this space, it is, but Ehi is defined as electronic protected health information ePHI, that is or would be included in a designated record set some of you will instantly understand what I'm talking about. Many of you may not. So protected health information is a HIPAA term. Protected health information is defined under HIPAA as any information that is individually identifiable. In other words, it can be linked to a particular individual. And so it is individually identifiable information that deals with or discloses a past, present, or future medical condition, medical diagnosis, medical test, hospitalization, pretty much anything. And so, phi is the information that HIPAA Health Insurance Portability Accountability Act regulates. And that's been around since the early 2000s when the HIPAA Privacy and the HIPAA Security Rule were promulgated.
12:06
I'm sure you're all familiar with HIPAA. So ePHI electronic Phi is that term was adopted 15 years ago, maybe because of the advent of digital health information systems, electronic medical records, electronic health records, whatever your preference is for that label. And because of these electronic systems, now we started to have Phi in digital format, and therefore we had the creation of ePHI. And today, in 2023, most Phi is digital. It's ePHI. There's still paper phi around, those records still exist, and they'll probably exist for quite a while because it's very expensive to go back and scan all those paper records into a digital format. Eventually, maybe many years from now, we won't have paper phi, but probably for all intents and purposes, we'll have both for a long time. But importantly, information blockchain applies to ePHI electronic phi, so it doesn't apply to paper records.
13:34
Now, the gotcha there is that a PDF, which is a file format I'm sure you're all familiar with that a PDF is digital, and therefore, even though we all print out PDFs and treat them like paper, they are digital documents. So information blocking does apply to PDFs. Anyway, moving on. So ePHI is what information blocking applies to, but it's ePHI that is or would be maintained in a designated record set. A designated record set is another HIPAA term, and it refers to a certain collection of information that is used by a healthcare provider to treat a patient to manage their care or to bill for services that the healthcare provider delivered. So it's a term of art that all of my health information management friends are very familiar with. Others of you might not be that familiar with it. So Ehi is defined as electronic phi that is included in a designated record set.
15:05
So that means that it's not all ePHI. I mean, there will be some information that wouldn't normally be included in designated record set. And that becomes really complicated because HIPA doesn't have a it's not like HIPA has a formula for what is in a designated record set. It's left up to each HIPAA covered entity, each hospital, each physician, each lab, each type of covered entity. And therefore you've got different definitions of designated record set from one hospital to another. They all share some commonality, but they're all different. So what that means is that if you're a hospital or a healthcare provider and you're subject to the information blocking rule, you're going to have to identify what ePHI do you have in a designated record set. And that's what the information blocking rule is going to apply to. That's what information blocking regulates. Ehi, electronic health information.
16:27
Well, who's subject to this? So the types of organizations that are subject to the information blocking prohibition, in other words, we've talked about what's regulated that's ehi. So who is regulated under information blocking? Well, there are three categories, and they're called actors. Capital. A-C-T-O-R-S. Actors. The first one is pretty simple healthcare providers. And it's healthcare providers that are defined by the Public Health Services Act, which is a federal law. And that's a very long list and it might surprise you. Hospitals, sure. Physicians? Yeah, of course everybody would think about that. But the list of providers under the Public Health Services Act goes way beyond that. It includes pharmacies, it includes laboratories, it includes long term care facilities, it includes dialysis centers, ambulatory surgery centers, home health agencies, dialysis facilities, and on and on. I'm not going to read to you in this podcast the whole list from the Public Health Services Act.
17:58
What I will say though is if you're listening to this and you were involved in any way, shape, or form with the provision of healthcare services, then you should assume that you are covered. You're an actor under information blocking. And if you want to take the position that you're not, I urge you to go read the Public Health Services Act and make certain that you aren't on that list because ODS are, you probably are. So that's the first group of actors, and it's very broad and there are hundreds of thousands of these actors in the US. The next category is a bit more complicated, but still pretty cut and dried. Developers of health information technology short formed as developers. So health information technology is software, okay? And if you're involved in developing that software, writing the code, or purchasing someone else's code and combining it into a system, then you're a developer.
19:20
Now, not every developer is subject to information blocking. It's only developers of certified health information technology. What does that mean? Well certified by ONC the office of the National Coordinator. So if you're going to sell health It into the healthcare marketplace in the US. Then you're going to be certified. Because if you're not, then your customers don't qualify for the various incentives that the federal government offers for using certified health information technology. And this would include the promoting interoperability. What used to be called meaningful use is now called promoting interoperability or the MIPS. And I'm not going to dive into all of the nuances of what those programs are. They're administered by CMS, you can find them for yourself. The point here is that in order for a software developer's customers, which would be hospitals, physicians and others, in order for them to qualify for these important benefits, they have to use certified health it.
20:50
And therefore, ONC knows that the vast majority of developers go on and become certified under the ONC certification program that's who's subject to the information blockchain provisions, developers of certified health it. Now, here's a tricky part. If you're a developer and you have even one module that's certified by ONC, then you're a developer for purposes of information blocking. And you can get in trouble if you violate the information blocking rules, even for your non certified products. So if you're a developer, you need to pay real attention to this and know that even if one of your software modules is certified, then you have compliance risk under information blocking. There's another very important nuance to developers because the final rule, the information blockchain final rule, actually talks about developers or offerers of certified health it. Well, what in the world does that mean? Well, that means that you may not actually be a developer.
22:23
In other words, you may not have folks who sit down and write computer code, but you might be a repurchaser or a reseller of that health it. And that makes you a developer for purposes of this rule because you're offering that certified health it in commerce. So, as you might imagine, that created a lot of consternation when the final rule was published. And actually, interestingly enough, ONC has gotten so much pushback about the fact that this offering of certified health, it is too vague that earlier this year, in 2023, ONC published a notice of proposed rulemaking NPRM that would make a whole bunch of changes to the information blocking final rule, one of which had to do with what does it mean to offer health? It. And to simplify this, ONC is proposing to narrow the definition of what it means to offer health it.
23:41
Now, this rule is not final. It's only been released in the NPRM phase. The comment window closed months ago, and I don't know if ONC will publish a final rule or maybe they'll publish a revised proposed rule for comment. It's hard to say. However, if you are either a developer that works with third parties or you are an offerer, you need to pay attention to that in PRM. So I'm not going to linger on that. We may talk about that more in the future once that becomes final, but right now I think it's premature. All right. So now we've talked about two categories of actors healthcare providers and developers or offerers of certified health it. Now we come to the third category, which is probably the hardest one to talk about. If you are a health information network or a health information exchange, then you may also be an actor under information blocking.
25:00
What does that mean? Well, in the proposed rule that was published, three or four years ago. Now, ONC actually had this as two definitions and then in the final rule, ONC decided to simply consolidate it into one category of actor, but they still kept both names Hi NHIE. I think they wanted to be sure that they didn't miss anybody. And so it's one category of actor and it's defined now as Health Informationnetwork, health Information Exchange or Hi NHIE. Okay, what makes this tricky is that the definition that ONC settled on is what I call a functional definition. So it doesn't really matter how you're organized what you call yourself, what your legal structure is. What matters is what does this organization actually do? And to boil it down, I'm not going to sit here and read you definitions out of the regulations. You can do that for yourself.
26:20
To boil it down, it all comes down to how much control does an entity have over the way ePHI is accessed, shared, used, configured? And if the organization has meaningful control over any of that, then it's probably going to be an Hi N or an HIE. Now you're probably thinking, well, holy moly, that could be anybody. And you'd be right, it could be anybody. There are plenty of organizations, including many of my clients, that their entire business is functioning as an Hi N or an HIE. I've watched that part of the industry grow up from nothing. I started working on early generation, first generation Hi NS back in around 2005, and they were called different stuff. They were really called Rios Regional Health Information Organizations Rhios. You hardly see that term anymore. Now they were called Data Warehouses, which was a very clunky sort of label.
27:54
You don't really see that anymore either. But these have been around for a long time and now these days they're known as Hi NS and HIES, although there's a brand new term that's been around for a couple of years, health Data Utility, which is sort of the newest iteration of these types of organizations. However, it doesn't matter what you call yourself. It matters whether you are controlling how ePHI is accessed, used, exchanged, stored, et cetera. And if you have a sufficient amount of control, then you're going to be deemed to be an actor for information blocking purposes. There is a lot to talk about.
28:44
On this topic of information blocking. This was only part one of our what will be a multi part series talking about the information blocking rule and information blocking in general. So be sure that you tune in for future episodes of this podcast where we're going to get into other aspects of information blocking, such as what are practices, what are things you might do or not do that get you in trouble under information blocking? What about your intent? How does that play into information blocking? What are these exceptions that everybody keeps talking about and some other issues? So in this podcast, we're going to be talking about all things digital healthcare, and that has become a really large area. We'll be covering all sorts of things, and a big part of that, at least initially, certainly will be information blocking.
29:57
But we're also going to be talking.
29:59
About artificial intelligence and how that is rapidly affecting healthcare delivery and healthcare operations, and how I at least think that AI is going to fundamentally reshape healthcare. We'll be talking about data privacy issues and how HIPAA may be updated in the future. We'll be talking about some public health issues, not just pandemic, but public health and health equity in general. So we'll be talking about a lot of topics. So I'm happy you found us and I look forward to you becoming a regular listener.