21st Century Cures Interoperability & Information Blocking Rules FAQs

CAST | April 30, 2021 | by Majd Alwan

Learn more about the CMS interoperability rule now.

Q: In brief, what are the purposes of CMS’ Interoperability Rule and the ONC’s Information Blocking Final Rule stemming from the 21st Century Cures Act?

A: The Interoperability and Patient Access Final Rule (CMS-9115-F) put patients first by giving them access to their health information when they need it most, and in a way they can best use it. This final rule focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, Children's Health Insurance Program (CHIP), and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs). This rule applies to health plans and other payers regulated by CMS, including Special Needs Plans (SNPs) like iSNPs, cSNPs, etc.

ONC’s Information Blocking Final Rule supports seamless and secure access, exchange, and use of electronic health information. The rule is designed to give patients and their health care providers secure access to health information. It also aims to increase innovation and competition by fostering an ecosystem of new applications to provide patients with more choices in their health care. It calls on the health care industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured electronic health information using smartphone applications. The rule includes a provision requiring that patients can electronically access all of their electronic health information (EHI), structured and/or unstructured, at no cost. Finally, to further support access and exchange of EHI, the rule implements the information blocking provisions of the Cures Act. The rule outlines eight exceptions to the definition of information blocking. This rule applies to health care providers, IT developers, and health information exchange networks and entities.

Q: Which LeadingAge member provider types do the rule apply to?

A: Members that are considered health care providers. “A health care provider is a: hospital; skilled nursing facility; nursing facility; home health entity or other long-term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.”

For more details please see: https://www.healthit.gov/cures/sites/default/files/cures/2020-08/Health_Care_Provider_Definitions_v3.pdf

Q: What is the effective date of the rule?

A: April 5, 2021.

Q: How do I comply if I don’t have the IT infrastructure and connections to other providers that the rule requires?

A: Providers must comply with requests for only the information content that they have in a manner that is feasible to them at the time of request, regardless of the IT infrastructure, health IT systems they use (or not), etc., unless they meet one of the following exemptions/exceptions, listed under the two categories below:

      • Exceptions that involve not fulfilling requests to access, exchange, or use electronic health information (EHI)
        • Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
        • Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
        • Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
        • Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
        • Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
      • Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI
        • Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
        • Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
        • Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

Q: Am I required to go out and purchase new technology to comply with this rule?

A: No! To the best of our knowledge, LeadingAge members and other long-term and post-acute care providers who did not receive Health IT Adoption Incentives through the HITECH Act are not required to purchase new technology or upgrade their existing technology to comply. You just need to make a best effort to comply with requests providing the information you have, if/when permissible, in the format that you currently have it, and in a manner that is feasible within your current information systems’ capabilities.

Q: What is unclear about this rule?

A: The rule is not clear on enforcement date, enforcement mechanism, and whether it applies to certain provider types, such as assisted living (especially medical model), hospice, etc. On the provider types question, specificity from a facilities' point of view for hospice or assisted living is more difficult because of variations in the organizational structure which may also be impacted by other laws such as state licensing requirements.  However, if a facility or an individual care provider within that facility is a HIPAA covered entity, the organization or the individual is a health care provider under the information blocking provisions.  

Q: What is LeadingAge doing to seek clarity?

A: We have requested speakers from ONC and CMS to present to aging services providers on the rules, their implications on our providers, and to provide much-needed clarity. We are also working with our partners at the LTPAC Health IT Collaborative to advocate for members to get the resources they need to participate more actively in electronic information sharing.

Q: But the compliance deadline is April 5, 2021. What should I do to comply?

A: By actively responding to information requests and offering to provide only the information content requested that you currently have, in a format and manner that is available and feasible to you at the time without delay, unless the request meets any of the above-mentioned exemptions or exceptions.

Q: How does this rule change what is required of providers under HIPAA?

A: Providers must comply with permissible information requests and respond to them “without delay,” regardless of HIPAA’s applicable “no later than” compliance date!

Q: What kind of information is shared under this rule? Are any types of information or records exempt?

A: Any requested health information unless it meets one of the exemptions/exceptions.

Q: Are there exemptions/exceptions to the rule?

A: Yes.

      • Exceptions that involve not fulfilling requests to access, exchange, or use electronic health information (EHI)
        • Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
        • Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
        • Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
        • Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
        • Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
      • Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI
        • Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
        • Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
        • Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

Q: Does this rule assure that I will receive information from other providers, such as discharge records from hospitals?

A: This is one of the intents of this rule! You can request information on behalf of your patients/residents from other providers, and you can file information blocking complaints if they don’t comply.

Q: How will HHS enforce this rule? What are the penalties for non-compliance?

A: The Office of Inspector General (OIG) is working on rulemaking for enforcements and penalties for Health IT developers and will do the same for care providers afterward.

Q: How do we provide access to parts of an EHR for guardians and residents?

A: When information is requested, you should provide the information in whatever means or capabilities are available to you, like patient/family portals, available API’s, personal health record apps, send as encrypted email attachments, etc.

Q: How do I know if my organization falls under the Open Notes Mandate?

A: OpenNotes is an industry-led coalition that is focused on a set of principals they have defined which include certain technical approaches. The ONC rule does not reference or endorse that organization or any such principals. Clinical notes are one of the types of information included under both the United States Core Data for Interoperability (USCDI) and the broader definition of electronic health information (EHI). Clinical notes may already be considered protected health information under HIPAA’s definition of a designated record set and therefore are already subject to a patient’s right of access. In addition, the information blocking provisions do not set any specific requirements around the technology or standards required for EHI, including clinical notes.

Q: Is it accurate that the electronic requirement isn’t effective until October 2022, but the records disclosure is effective as of April 5, 2021? It’s not clear how these fit together.

A: No! The rule is effective April 5, 2021, but the enforcement mechanism and penalties are not defined yet.

For more information please see: