.jpg)
eHealth Legal Pulse
In this captivating podcast series, "eHealth Legal Pulse," Steve Gravely, JD, MHA, a legal expert with three decades of experience advising healthcare organizations, leads thought-provoking discussions that explore the evolving landscape of healthcare data management in our swiftly transforming digital era.
Join Steve as he features a roster of industry experts from across the healthcare spectrum, each sharing their valuable insights and perspectives on a wide range of topics. Among these esteemed guests, Steve's son, Jon Gravely, MPH, Epidemiology, with his background in epidemiology and public health, occasionally joins the conversation as a special guest, offering a unique generational and professional perspective on select episodes.
Together, Steve and his guests offer a fresh and insightful take on the ethical considerations and best practices that underpin the responsible handling of healthcare data. Join us on this journey to navigate the complex intersection of law, ethics, technology, and public health in the world of eHealth.
eHealth Legal Pulse
Episode 1.4 - Information Blocking: The Exceptions (Part 3)
In Part 3 of our Information Blocking Series, Steve Gravely covers the topic of information blocking rule exceptions. This is a must-listen for anyone concerned about the rule, the enforcement, the penalties, or the risks, and is wondering how an organization might be able to use the exceptions to defend itself against information blocking claims.
00:05
Hello, everyone, and welcome to another episode of E Health legal Pulse. I'm your host, Steve Gravely, founder and CEO of the Gravely Group, and I'm excited to talk to you today to begin the discussion today on the information blocking rule exceptions. Now, this is a complicated topic, and it's one that we're going to devote several future podcasts to, and I think you'll appreciate that a little more as I get into them. Anyone that is following information blocking the rule, the enforcement, the penalties, or the risks, anyone in that space is already familiar with this concept of exceptions, and they are probably confused about them to some extent and maybe worried about how their organization might be able to use the exceptions to defend itself against information blocking claims.
01:35
But let's start at the top and start by talking about what are exceptions and why do they matter? So, in the 20th 1st Century Cures Act, congress at the same time that it prohibited healthcare providers, software developers of certified health It, or Hi, and HIES from engaging information blocking. At the same time that Congress prohibited information blocking by those actors, congress also directed the Secretary of Health and Human Services to identify specific practices, specific activities that, even though they would probably constitute information blocking the way that Congress had defined it, they were still going to be permissible because they served a broader public purpose.
02:55
So Congress recognized that in some instances, there will be situations in which actors are required to engage in practices that may very well interfere with the access, exchange, or use of Ehi, but those practices are going to be permitted because they serve a greater public purpose. Now, I think this will probably become more clear to you as we dive down into some of the exceptions and we begin to unpack some of the details around these, because at first blush, admittedly, it all seems kind of contradictory. In other words, you're saying, well, information blocking prohibits actors from doing something or failing to do something that they should have done. That's a practice. If that interferes with access, exchange, or use of VHI, that's actually the textbook definition of a violation.
04:19
But now you're saying that there are certain practices that absolutely interfere with access, exchange, or use of Ehi, but those are okay because somehow they're being carved out. And the answer is, yeah, that's exactly right. That's exactly what I'm saying. If these particular practices were not identified by the Secretary of HHS in the information blocking final rule as an exception, then they would be prohibited. And if an actor did any of them, they would be liable for potentially liable for damages under the information blocking rule. Now, again, don't ever forget, don't lose sight of the fact that the government also has to show that the actor had the requisite intent. Don't ever forget that information blocking is an intent based statute. And the intent, as we talked about in previous podcasts varies depending on what type of actor you are.
05:42
And I'm not going to rehash that. But it's important that folks remember always that your intent when you engage in practices is vital and that's why documentation are so important in order to have evidence that would be admissible during an investigation as to what your intent was. In other words, why were you doing what you were doing? All right, enough of that sidebar. So let's get back to exceptions. Now, in the proposed rule that the Office of the National Coordinator ONC published, they listed seven exceptions in the final rule, which is really the one that is applicable. There are eight. ONC added an 8th, and we'll talk about all of these in future podcasts. We'll probably have a session for each exception, and maybe for some of them we'll even have two sessions because they're so detailed.
06:52
But for now, in this session, we're going to do an overview sort of to orient you to this whole concept of exceptions. So then why are these important? Well, they're important because exceptions are affirmative defenses to an allegation that an actor engaged information blocking. Okay, well, what's an affirmative defense? That sounds like a legal term. It is, right? An affirmative defense is something that an actor can assert is being investigated by the Office of Inspector General for HHS, or by ONC, for that matter. Let's say that you are a developer of certified health it. And one of the many requirements of being certified is that the developer promises that it will not engage information blocking, either in the way it designs its software or in the way it operates its health it.
08:10
And in fact, developers have to make this promise in the form of a written attestation to ONC every six months. And so that's actually a very high bar. And so whether you're defending yourself against an investigation by the OIG or by ONC, these exceptions are affirmative defenses. You can say to the government, okay, look, I did engage in the practice that you are accusing me of. However, that practice falls under one of these eight exceptions. And of course, you'll have to identify which of the eight, or maybe there are more than one, that you are asserting and show that you meet all of the criteria for that exception. That's what an affirmative defense is. You say, yes, I did what you're accusing me of, or what someone else has accused me of.
09:16
However, that's not a violation of this law because it's one of the eight exceptions that ONC put into the information blocking final rule. Now, here's another important couple of important points. In order to successfully assert an exception, the actor has to show that it meets each and every requirement of that exception. And as we go through in future podcasts and we're talking about the various components of an exception, it's important that you remember, and I will remind you that if there are seven requirements, I'm just picking that at random. If there are seven requirements within one of the exceptions and you meet five of them, but you don't meet two of them, then you don't meet that exception. It's all or none. You might think, wow, that's really harsh. Well, yeah, it is. And the reason it's harsh is because exceptions are affirmative defenses.
10:35
They stop an investigation, they protect you from any liability, and therefore the government says, well, if you're going to get that protection, then you're going to have to show that you meet all of the requirements for this exception. That probably makes sense. So what happens if you can't? Does that mean that you're automatically guilty of information blocking and you pull out your checkbook and start writing multimillion dollar checks? No, of course not. If you fail to meet the conditions of an exception, it doesn't mean that what you've engaged in is information blocking. Just because someone has accused you of engaging information blocking, that doesn't mean that you actually did it. Even if you aren't within one of the eight exceptions.
11:36
The OIG has made very clear and reaffirmed in its final enforcement rule that was published in July of 2023 and became effective on September 1, 2023. That it's going to investigate allegations on a case by case basis, and that it will look at what did the actor actually do, what practices was it engaged in? Were those practices required by law, and what was their intent? And so, even if you do not meet any of the eight exceptions, don't lose track of the fact that you may still have a defense to an allegation of information blocking, because what you did was required by federal law. Maybe more likely it would be state law or even a local ordinance, or perhaps tribal law, or perhaps international law.
12:56
In other words, what you did, you were doing because you were required to do that by law, or even if you weren't required to do it by law. In doing and engaging in the practice, your intent was not to interfere with access, exchange, or use of Ehi. Sure, there might have been some incidental interference, but that was not your intent and that was not the main result of whatever it is you did or failed to do. I hope that makes sense, because some people are really worried that the only thing they can say in response to an allegation of information blocking is to find cover under one of the eight exceptions. And that's simply not correct. Just because you can't put your practice under one of the eight exceptions, that does not mean that you have automatically violated the information blocking rule.
14:06
You still have to look at whether what you did was required by law, what your intent was, and whether there was a likelihood of interference. Okay, let's move on then, to begin to set the stage for these exceptions. As I said, there are eight of them now and those have been out for several years now, ever since ONC published its final rule. In fact, ONC has already published a proposed rule earlier in 2023 that would make some changes to some of these exceptions that's not yet final. So we're not going to spend a whole lot of time talking about that right now. All right, but so as I said, there are eight exceptions and they're broken down. ONC breaks them down into two major categories.
15:13
The first category is practices that result in the actor not fulfilling a request by someone to access, exchange, or use the Hi. I tell clients and there are five exceptions that are in this first bucket. I tell clients, think about this way, if someone comes to you and says, hey, I want the following electronic health information, if your answer is no, I'm not going to give that to you, then that's what's in this first bucket. You as an actor are not fulfilling the request to access, exchange, or use the Hi. You're simply saying no. And there are five exceptions that fall under that category or that bucket. Those are, number one, the preventing harm exception. Number two, the privacy exception. Number three, the security exception. Number four, the infeasability exception. Number five, the health it performance exception.
16:39
And again we'll be talking about these in future podcasts in a lot of detail. So then there's a second category or bucket where the other three exceptions live and that bucket ONC calls those exceptions deal with how the actor fulfills a request for access, exchange, or use of ehi. So it's not that the actors say no. I say to my clients, I say, okay, so you understand the first bucket, someone comes to you, they want information, your answer is no. The second bucket, someone comes to you, they want ehi, your answer is okay, but okay, but that's what the second bucket really means and there are three exceptions under this second. Okay, but bucket one, the content and manner exception. Two, the fees exception, and three, the licensing exception.
17:52
So there are five under the first bucket, the no, I'm not going to give you what you want bucket. And then there are three under the second. Sure, I might give it to you, but there are conditions attached. And so you pull that together and you have your eight exceptions. Now, I don't want you to think that you should only assert one of these. In fact, you may be able to assert more than one and that's important to remember. So it's not as if, okay, I better find one of these eight that I can come in under so that I have an affirmative defense to these allegations. Perhaps there'll be more than one. And as I said before and as we'll get into in future podcasts, the requirements for these exceptions are very detailed.
18:53
And what I'll say to you now and what I will continue to repeat the analysis of whether you meet all these conditions and then the documentation to prove that you meet the conditions, that's not going to happen overnight. So what I tell clients is, look, even if you are a healthcare provider actor and we all know that you are not liable under the information blocking rule for civil money penalties, we all know that you are going to be liable for additional disincentives, but that those have not been published even in draft form yet. Even if you're a healthcare provider actor and today you're not facing the possibility of an OIG or an ONC investigation and penalties, that doesn't mean that you can just forget about this.
20:03
Because getting your organization ready to effectively assert one or more of the information blocks and exceptions is going to take time and effort by a lot of people within your organization. Another way to say that is that the effective use of the information blocking exceptions really requires a plan, very extensive documentation, coordination and accountability. Now, those don't happen automatically. Even the best of organizations that are totally compliance centric, those things don't happen accidentally. They happen because the organization has set up processes and teams to implement them. And one of the challenges with information blocking is that Ehi is going to permeate an actor's organization.
21:19
There will be many different teams, many different departments, many different personnel that will have some involvement in the way that Ehi is created, stored, accessed by others, shared or exchanged with others, and then used either within the organization or with third parties. This is not as if there are only two people in a health system that are involved in this. There are perhaps dozens, perhaps hundreds, depending on the size of the organization. And because of that, the compliance team for information blocking has to be diverse and it has to be sure touch all the different team members across different departments within your organization. And I think this will become clear as we move through a more discussion. But for example, one of the exceptions under the okay bot category, one of them is a fees exception.
22:36
And just in a real nutshell, the fees exception allows an actor to charge a requester, a fee to have access to the Ehi. And that's great. However, the requirements are really complicated. And so you may have folks from your finance department, your It department, certainly your legal department, either in house or outhouse and probably others that would have important input on the fees exception and whether or not you can successfully assert that in response to a request for Ehi. Now, the other thing to know about exceptions is that some of them, particularly the infeasability exception, have to be acted on very rapidly. In other words, they have a time clock and we'll unpack this more when we do infeasibility. But just to give you a preview if you're planning to assert infeasibility as an exception.
23:57
In other words, you're not going to fulfill the request that's one of those no in the no category. You're not going to fulfill the request for Ehi because it is technically infeasible for you to do that given your It systems. You have to make that assertion within ten business days of receiving the request. And I'm sure you can already think about, well, that's impossible. First of all, who's going to receive the request? Will they even know that the answer is no? If they do, will they understand that when they say no, they have to give a reason and the reason is technical and feasibility and will they do that within ten days? Ten business days?
24:51
So we'll unpack this more and more, but I want to give you a flavor for the fact that they're wonderful tool and it's very important that ONC put them in the final rule. However, using them is a bit of a challenge and using them effectively isn't going to happen by accident, it's going to happen with planning, in house education and documentation. So with that, I look forward to talking with you in another podcast about each of these exceptions. I will probably spend a podcast on each one, but some of them may spill over. Thank you for your time and we'll talk to you again sooner.