21st Century Cures Act: Recent appearances in HHS-OIG guidance and a final rule

© blackdiamond67 - stock.adobe.com

At the outset of 2024, there are crucial 21st Century Cures Act (and information blocking in particular) items to consider.

In November 2023, the U.S. Department of Health and Human Services Office of the Inspector General (“HHS-OIG”) released its latest guidance document (hereinafter “Guidance”). To reiterate, while the guidance is not legally binding, the laws and regulations that are referenced throughout require adherence. For the first time, information blocking makes it way into the mix. The definition of information blocking is found in Section 4004 of the 21st Century Cures Act, 42 U.S.C. §300jj-52. There are also exceptions. As for the Guidance, here are the key take-aways:

• HHS-OIG has the authority to investigate both information technology developers and health care providers (NOTE: see below because the term “business associate” has been incorporated) for violations of information blocking;
• “A health IT developer of certified health IT and health information exchanges and networks commit information blocking when they engage in a practice that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI)and they know, or should know, the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.”
• “A health care provider commits information when the provider engages in a practice that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, and the provider knows the practice is unreasonable and is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.”

In December 2023, the Office of the National Coordinator for Health Information Technology (ONC), Department of Health and Human Services (HHS), announced the release of Final Rule Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) rule (hereinafter “HTI-1 Rule”), which is 916 pages. Here is a sampling of some of the notable items:

1. P. 30 – “We have finalized revisions to the text of §171.103, which defines “information blocking” for purposes of 45 CFR part 171, to remove paragraph (b) that established a period of time during which electronic health information (EHI) for purposes of the information blocking provision (§171.103) was limited to a subset of EHI that was identified by the data elements represents in the USCDI standard adopted in §170.213. As established in the ONC Cures Act Final Rule (85 FR 25793, 85 FR 25876, and 85 FR 25956), that period of time ended on May 2, 2022. The end date of that period of time was extended to October 5, 2022, in the subsequent interim final rule with comment titled “Information Blocking and the ONC Health IT Certification Program: Extension of the Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency” (85 FR 70064). On or after October 6, 2022, the scope of EHI for the purpose of the “information blocking” definitions (§171.103) is EHI as defined in § 171.102 (88 FR 23754, see also 85 FR 25793, 25876, 70069, and 70085). October 5, 2022, has passed. Therefore, the paragraph (which had been designated paragraph (b), as codified) limiting the “information blocking” definition to the subset of EHI for the specified time period is no longer needed. We have re-designated remaining paragraphs of § 171.103 as discussed in section IV.B.3 and as shown in updated text we have finalized in §171.103 (see Regulation Text, see also discussion in section IV.B.3).
2. P. 31 – “As explained in section IV.C.1, we have finalized revisions to the Infeasibility Exception codified in 45 CFR 171.204 both by adding two new conditions and by revising one existing condition for improved clarity. First, we have finalized revisions to the uncontrollable events condition. Our finalized revision to §171.204(a), the uncontrollable events condition of the Infeasibility Exception, is discussed in Section IV.C.1.a. Second, we have added two new conditions to be codified as subparagraphs (a)(3) and (a)(4) and have, therefore, redesignated the infeasible under the circumstances condition as subparagraph (a)(5). The infeasible under the circumstances condition was previously designated as subparagraph (a)(3) of §171.204.” (emphasis added).
3. P. 32 – “In support of this new condition, we have finalized as proposed a definition of “business associate” in §171.102. That definition is, by cross-reference to 45 CFR 160.103, the HIPAA Privacy Rule’s definition of “business associate.” (emphasis added).
4. P. 32 – “The second new infeasibility condition in §171.204(a)(4), discussed in Section IV.C.1.c, will apply where an actor has exhausted the Manner Exception in §171.301, including offering at least two alternative manners in accordance with §171.301(b), including one manner that uses either technology certified to standard(s) adopted in 45 CFR part 170 that is specified by the requestor (§171.301(b)(1)(i)) or published content and transport standards consistent with §171.301(b)(1)(ii). The actor cannot meet this new condition if the actor currently provides a substantial number of individuals or entities similarly situated to the requestor with the same requested access, exchange, or use of the requested EHI.”
5. P. 425 – “We also agree with commenters that the revisions to the criterion in §170.315(e)(1) for use of the USCDI v3 are finalized to occur at the same time as the revisions to the criterion in §170.315(e)(1) described in this section. We have finalized that these revisions to the criterion in § 170.315(e)(1) align with the updates made to USCDI, as discussed in section III.C.1 of this final rule, so that the functionality is synchronized with USCDI v3 including any new or updated data elements.” Compliance date of January 1, 2026 is expressly stated.

Appreciating the requirements that need to be met by both developers and providers, as well as the cross-reference of terms that tie back to HIPAA, the HITECH Act and the related HIPAA Privacy Rule and Security Rule is critical for mitigating the risk of an adverse OIG investigation or OCR investigation. Covered entities, business associates and developers alike should incorporate the aforementioned items into their fraud, waste and abuse and HIPAA trainings, as well as policies & procedures when appropriate.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.