Policy Against Information Blocking of Electronic Health Information

The Office of the National Coordinator for Health Information Technology (ONC), located in the United States Department of Health and Human Services (HHS), is the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology (HIT) and the electronic exchange of health information. The position of National Coordinator was created in 2004 through an Executive Order, and legislatively mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009. Title XXX (Health Information Technology and Quality) of the HITECH Act was added to the Public Health Service (PHS) Act.

On December 13, 2016, the 21st Century Cures Act (Cures Act) was signed into law and made changes to the PHS Act related to health IT. On May 1, 2020, ONC issued the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (Final Rule), which implements provisions of the Cures Act that are designed to advance interoperability; support the seamless exchange, access, and use of electronic health information (EHI); and to address information blocking. The Cures Act also gives the HHS Office of Inspector General (OIG) authority to investigate claims of information blocking and assess civil monetary penalties against certain actors that engage in information blocking. The information blocking compliance effective date originally set for November 2, 2020 was extended to April 5, 2021. While some of the relevant regulators have announced enforcement discretion for an additional period of time, New York University intends to comply with applicable law as required.

On September 1, 2023, enforcement of information blocking penalties for health IT entities went into effect, increasing penalties of up to $1 million per violation. The OIG will consider complaints of information blocking conduct that occur on that date or later, per the rule. Four types of entities are subject to a penalty: health IT developers of certified health IT, entities offering certified health IT, health information exchanges, and health information networks. HHS is developing a separate rule to establish specific disincentives for healthcare providers that do not meet the four types of entities subject to the September 1st enforcement.

New York University and its HIPAA-covered components are committed to making EHI available and usable for authorized and permitted purposes in accordance with applicable law. This Policy focuses on placing patients at the center of their healthcare through provisions that remove the obstacles they encounter when trying to access their own EHI. This Policy will help deter the information blocking often faced by healthcare providers when attempting to provide informed care for patients. Specifically, this Policy focuses on information blocking and the eight (8) exceptions that identify reasonable and necessary practices and activities that do not constitute information blocking and that are to be followed by NYU’s covered components to the extent possible.  For context, the information blocking prohibition and other requirements discussed in this Policy derive from a legal regime similar to, but distinct from, HIPAA. As such, NYU is putting in place separate policies and implementing distinct compliance initiatives.

This Policy applies to New York University’s HIPAA-covered components that may be designated by the University from time-to-time.

The Final Rule defines and provides examples of information blocking. In addition, it outlines eight (8) detailed practices and activities that would not constitute information blocking even if they do in fact interfere with the access, exchange, or use of EHI. The Final Rule deems these practices and activities reasonable and necessary to further the Act’s goals, and refers to them as “exceptions.”

• The eight exceptions to information blocking fall into two categories, for each of which the ONC provides extensive descriptive material about requirements, standards, risks, and other illustrative information: 1) exceptions that involve not fulfilling requests to access, exchange, or use EHI and 2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
• A practice that does not meet the conditions of an exception will not automatically constitute information blocking; such practices will be evaluated by the ONC on a case-by-case basis to determine whether information blocking has occurred.

The HIPAA Privacy Rule provides a federal floor of privacy protections for individually identifiable health information held by a covered component or by a business associate of a covered component. Some states have implemented laws that expand patient rights and access to their health information and, therefore, are more stringent than HIPAA.  Such state laws, although contrary to the Privacy Rule, are not superseded by Federal regulations.¹

Below are the information blocking exceptions and their definitions, grouped in their two exceptions categories. Practices or activities that satisfy one or more of these eight exceptions, as applicable, will not be considered information blocking if all the criteria of the applicable exception(s) are strictly met. The requirements for each exception are detailed and comprehensive, and all requirements must be met for the applicable exception(s) to apply.

A more detailed explanation of the information blocking exceptions and their requirements is located here: Final Rule, 85 Fed Reg. 25642 Section VIII(D), pages 25820-25900.

Five (5) exceptions allow not fulfilling requests to access, exchange, or use EHI: It is not considered information blocking if…

1. Preventing harm exception: a covered component engages in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met (45 CFR § 171.201).
2. Privacy exception: a covered component does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met (45 CFR § 171.202).
3. Security exception: a covered component interferes with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met (45 CFR § 171.203).
4. Infeasibility exception: a covered component does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met (45 CFR § 171.204).
5. Health IT performance exception: a covered component takes reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met (45 CFR § 171.205).

Three (3) exceptions involve procedures for fulfilling requests to access, exchange, or use EHI: It is not considered information blocking if…

1. Content and manner exception: a covered component fulfills a request to access, exchange, or use EHI in any manner requested or in an alternative manner, provided certain conditions are met, using (i) certified health IT specified by the requestor; (ii) content and transport standards specified by the requestor and published by the federal government or a standards-developing organization accredited by the American National Standards Institute; or (iii) an alternative machine-readable format, including the means to interpret the EHI, agreed upon with the requestor (45 CFR §171.301).  This exception both establishes the content a covered component must provide in response to a request to access, exchange, or use EHI in order to satisfy the exception, and establishes the manner in which a covered component must fulfill a request to access, exchange, or use EHI in order to satisfy this exception.
2. Fees exception: a covered component charges fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met (45 CFR §171.302).
3. Licensing exception: a covered component licenses interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met (45 CFR §171.303).

The covered component will satisfy each instance covered by this Policy through the following operational requirements:

1. The covered component will implement this Policy and appropriate specifications and procedures in accordance with its organizational process for Policy implementation, and will be particularly aware of the documentation requirements concerning time limits, availability, and review.
2. The covered component will inform its workforce members about this Policy as it applies to New York University generally, to the appropriate covered component, and to the workforce members in their individual roles.
3. The covered component will review existing policies and procedures for receiving, processing, and responding to requests to access, exchange, or use EHI and revise them as necessary to ensure compliance with federal information blocking requirements. Implementing this policy may require:
   1. Coordination with health IT vendors to identify and implement (if not already in place) health IT solutions that the covered component uses or could use to support responses to access requests or otherwise comply with information blocking requirements;
   2. Not charging fees to individuals (or persons or entities that they designate) who request electronic access to their EHI through internet-based methods, such as personal health apps, standalone/untethered personal health records, and email;
   3. Ensuring that for fees charged to individuals (or persons or entities that they designate) who request their EHI in physical media (such as paper copies), CD, or flash drive formats, such fees comply with the requirements for reasonable, cost-based fees under HIPAA;²
   4. Review of any other fees charged for EHI access, exchange or use to ensure compliance with information blocking requirements;
   5. Review of data use and other agreements governing the sharing of EHI to ensure compliance with information blocking requirements;
   6. Conducting an inventory of how the covered component’s EHI is stored and transmitted; and
   7. Developing policies and procedures for responding to requests for EHI from patients, providers, third-party apps, health IT vendors, and others.  This may include creating forms for receiving, processing, and responding to such requests and procedures specifying how access to EHI may be provided.
4. If this Policy requires an action, activity, or assessment to be documented, the applicable covered component will maintain a written record of the action, activity, or assessment and will retain such documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
5. The covered component will make such documentation available as appropriate to workforce members who are responsible for implementing the procedures to which the documentation pertains.

DEFINITIONS³

Electronic access:
“Electronic access” means an internet-based method that makes EHI available at the time the EHI is requested and where no manual effort is required to fulfill the request.⁴

Electronic health information:
In the Final Rule, the ONC sought to align the definition of EHI with HIPAA’s electronic protected health information (EPHI) that would be included in a designated record set.  Thus, electronic health information (EHI) means EPHI as defined in 45 CFR § 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR § 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR § 160.103. However, EHI shall not include:

1. Psychotherapy notes as defined in 45 CFR § 164.501 (i.e., notes recorded in any medium) by a healthcare provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record); or
2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.⁵

Initially, until May 2, 2022, EHI was limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard adopted in 45 CFR § 170.213.⁶ When the compliance effective date was changed, the EHI definition also was adjusted: between April 5, 2021, and October 5, 2022, EHI for the purposes of the information blocking definition is limited to the data elements represented in the USCDI standard. Beginning October 6, 2022, the EHI definition is expanded and represents the same EPHI that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Regulation.⁷

Healthcare provider:
The Final Rule generally speaks in terms of “actors,” of which one type is a healthcare provider. Thus, this Policy uses the term healthcare providers for clarity.  As can be seen in the definition below, the ONC finalized the very broad definition of healthcare provider established under the HITECH Act under section 3000(3) of the PHSA, which is distinct and generally broader than the HIPAA definition. The term “healthcare provider” includes a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, healthcare clinic, community mental health center, renal dialysis facility, blood center, ambulatory surgical center, emergency medical services provider, Federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician, a practitioner, a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization, a rural health clinic, a covered entity under the 340B Drug Pricing Program, an ambulatory surgical center, and a therapist.⁸

Information blocking:
“Information blocking” by a healthcare provider means a practice that (i) except as required by law or covered by an exception set forth in federal regulations, is likely to interfere with access, exchange, or use of EHI; and (ii) the provider knows is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.

“Information blocking” by a health IT developer, health information network or health information exchange means a practice that (i) except as required by law or covered by an exception set forth in federal regulations, is likely to interfere with access, exchange, or use of EHI; and (ii) the developer, network or exchange knows, or should know, is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.⁹

Interoperability:
“Interoperability,” with respect to health IT, means health IT that:

1. enables the secure exchange of EHI with, and use of EHI from, other health IT without special effort on the part of the user;
2. allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
3. does not constitute information blocking.¹⁰

Interoperability element:
“Interoperability element” means hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that: (1) may be necessary to access, exchange, or use EHI; and (2) is/are controlled by the covered component, which includes the ability to confer all rights and authorizations necessary to use the element to enable the access, exchange, or use of EHI.¹¹

¹ See Public Law 104-191, § 264(c).
² See 45 CFR § 164.524(c)(4).
³ Note:  Definitions have been updated in accordance with the Final Rule’s provisions where applicable.
⁴ See 45 CFR § 171.302(d).
⁵ See 45 CFR § 171.102.
⁶ See 45 CFR § 171.103.
⁷ See healthit.gov/isa/united-states-core-data-interoperability-uscdi
⁸ See 45 CFR § 171.102; 42 U.S.C. § 300jj.
⁹ See 45 CFR § 171.103.
¹⁰ See 42 U.S.C. § 300jj.
11 See 45 CFR § 171.102.