What's the Anti-Information Blocking Rule?

If doctors can get a patient’s records, then the patient should be able to obtain those records in the same way. Right? That’s the thinking behind the Anti-Information Blocking Rule, a new nationwide regulation which prohibits healthcare organizations from making patient data digitally inaccessible.

What is Information Blocking?

Information blocking occurs when healthcare platforms or providers knowingly interfere with, or discourage, a patient’s access to their electronic health information (EHI).

It’s widely accepted that patients have the right to obtain their own health data. However, many systems that process EHI have a two-tiered system for access. 

These systems allow healthcare organizations to seamlessly tap into complete patient data - like clinical records, billing information, and other increasingly useful data points - while patients must wait for administrative staff to generate an incomplete and unwieldy clinical data handoff. Records requests from patients reach the patient in obsolete formats, like paper or CDs, more often than not.

If a healthcare professional can access a patient’s records by digital means like a FHIR API, but the patient has to use a different method, then information blocking may be taking place.

Generally speaking, information blocking occurs if a platform puts up artificial barriers between patients and the information that it can deliver. If a platform delays, redacts, or transforms those records - or tells the patient to seek them elsewhere - then it’s probably engaged in information blocking.

Why is Information Sharing Important?

Widespread EHI exchange will vastly accelerate the development and availability of effective, consumer-directed health tech tools.

Conversely, information blocking can have negative consequences for patients. Whether they’re examining their own records or sharing them with other interested parties, patients need their EHI to take responsibility for their care.

Information blocking between healthcare providers - like tools that make it difficult to transfer their patient’s data to another platform - can directly impact patient care as well.

What is the Anti-Information Blocking Rule?

The actual Anti-Information Blocking Rule, in legalese, is published in the Federal Register.

In plain English, it says that any practice which is “likely to interfere with access, exchange, or use of electronic health information” counts as information blocking. It applies to several “actors”, or typical sources of patient data - namely healthcare providers, developers of ONC-certified health IT, and health information networks. 

The Anti-Information Blocking Rule is already in effect, meaning that information blocking (with a few small exceptions) is no longer acceptable.

The Anti-Information Blocking Rule has a convoluted history. Patients have had the legal right to access their own health records for a long time. Meanwhile, healthcare has seen increasing digitization for generations, with a particular surge over the past two decades in the “meaningful use” of electronic health records. 

These two trends were yoked together by the bipartisan 21st Century Cures Act. This bipartisan law directed the federal Department of Health and Human Services (HHS) to come up with specific information blocking regulations, way back in 2016. HHS worked with its technology oversight department (ONC) to codify those regulations as the 320-page Cures Act Final Rule, which includes the Anti-Information Blocking Rule, completing the rule in 2020. Later, the deadline for full anti-info blocking compliance was pushed back several times. Finally, the rule took full effect in October 2022. 

If you’re just tuning in to digital health, you can take Particle’s word that there’s a lot of momentum behind this change. Thanks to the Anti-Information Blocking Rule, we expect to see info blocking disappear over time as health tech platforms adjust to this change.

So, ALL Electronic Health Information Has to Be Shared?

Yup. EHI encompasses a patient’s designated record set, which is the term for all the health information used to inform an individual’s care. This is a well-known standard that’s also part of HIPAA. 

Medical records, billing details, care plans, genetic data, and anything else that a record holder uses to make care decisions about a particular patient are part of that patient’s designated record set.

During a transition period from 2021 to 2022, only common USCDI elements had to be shareable.

Note that entities covered by the Anti-Information Blocking Rule will not have to share psychotherapy notes, nor information assembled in reasonable anticipation of a court case or similar administrative proceeding (more info from ONC here).

What Are Some Examples of Information Blocking?

Regulations prevent ONC from giving binding opinions as to whether a proposed practice would count as information blocking. Instead, potential actors must determine for themselves if their action would cross the line.

ONC and HHS representatives have however presented generalized examples as to whether or not information blocking would occur.

Information blocking would likely take place if:

• A healthcare provider’s patient portal could export patient data, but the provider declines to enable this functionality
• A provider chooses to share certain types of data, instead of all available EHI
• A provider or platform charges patients a fee to receive or share their data via an internet-based method
• A platform could allow a patient’s apps to connect to their EHI, but the provider fails to share technical details on how to do so
• A provider could give patients same-day access to their EHI, but waits for a few days to respond instead
• An organization institutes a policy requiring clinicians to review EHI by default before EHI is shared with patients
• A provider requests that their health IT vendor create impediments to export data to other physicians
• A health IT developer prevents an application from accessing their product due to the competitive functionality of that application
• An organization signs a business agreement that inhibits the use of a patient’s EHI by other providers, or cites a business agreement to limit data sharing that would otherwise be permitted by law

Information blocking would likely not occur if:

• A healthcare organization gives patients an unbiased warning about privacy and security risks before it shares EHI
• An adolescent declined to consent to the release of sensitive information, and their healthcare provider subsequently declined to send any EHI to their guardian due to the interrelated nature of medical records
• An entity that is not a healthcare provider, HIN/HIE, or vendor of ONC-certified health IT fails to share EHI

Who Is Subject to the Anti-Information Blocking Rule?

The “actors” which are required to adhere to the Anti-Information Blocking Rule include:

• Healthcare providers
• Health information networks and health information exchanges
• Developers of Certified Health IT

ONC describes these actors in greater detail.

What Are the Penalties for Information Blocking?

By law, the HHS Office of the Inspector General (OIG) is empowered to issue civil monetary penalties of up to $1 million per information blocking violation. OIG has extensive experience with this enforcement mechanism for issues like false claims and misconduct, and will be adding information blocking to its rulebook.

To be clear - OIG will be policing this rule, but there haven’t been any penalties yet. Even though the Anti-Information Blocking Rule has been finalized, the enforcement guidelines are still pending. OIG cannot issue penalties until these guidelines are in place. 

Based on draft rules and similar procedures, we can expect that OIG will both act on tips and investigate on its own. ONC has discretion as to whether or not to bring penalties, and can determine if mitigating conduct exists. They will likely send warning letters before escalating to fines in most cases. Generally speaking, an instance of information blocking that caused far-reaching potential harm or directly affected patients would be treated more severely than a denied records request.

Additionally, regulators are not allowed to bring enforcement actions against actors who clearly made mistakes, or against actors that unintentionally caused information blocking. 

As of November 2022, ONC had already collected 567 reports of information blocking, many of which it will forward to OIG for further investigation.

What Are the Exceptions to the Anti-Information Blocking Rule?

There are eight exceptions to the Anti-Information Blocking Rule, which either fall under the category of not fulfilling requests for EHI or involve procedures that block the receipt of EHI. 

We won’t dive into this here, as ONC has again created an comprehensive guide, but these exceptions are very narrowly tailored. They generally involve preventing very clear (not speculative) problems, not superseding existing laws, or resolving technical issues. They must be no more expansive than necessary.

Policy experts are already celebrating October 6, the date that the Anti-Information Blocking Rule first took effect, as Data Liberation Day. Each year, we can expect to see more and more neat applications for medical data take effect thanks to this rule.