The Trump administration gave healthcare providers some relief as they eliminate any policies or technical challenges preventing data exchange with other groups.
HHS' Office of the National Coordinator for Health Information Technology included a "phased-in" approach for information-blocking regulations released Monday, giving providers and technology developers up to two years before they must share a patient's full set of electronic health information. The original proposal did not specify a grace period.
The new timeline will ideally allow "all of these different stakeholders time to figure out how they can go about meeting the requirements around information-blocking," said Tom Leary, the Healthcare Information and Management Systems Society's vice president of government relations.
According to the final rule, healthcare providers, developers of certified health IT and health information exchanges will have six months after the ONC publishes its final rule in the Federal Register to comply with the first phase of provisions related to information-blocking.
In the first round, organizations will be required to share data included in the ONC's U.S. Core Data for Interoperability—a standardized, but limited, set of data elements—with patients if requested. The next phase kicks in two years after the rule's official publication, at which point they will have to share a broader set of health data.
"This six-month delayed compliance date was established to provide actors with time to thoroughly read and understand the final rule and educate their workforce in order to apply the exceptions in an appropriate manner," the rule reads. It has yet to be published in the Federal Register.
The two-year delay represents a balance between competing demands: the public's desire for data access as soon as possible and industry concerns over the time it takes to develop and implement new technical capabilities, said Dr. Jacob Reider, CEO of the Alliance for Better Health and a former deputy national coordinator for health IT at ONC.
"I think 24 months is actually a really good place to land," Reider said. "I think if it was three years it would be too long, and if it was one year it would be unreasonable."
Provider groups last year had requested that the ONC outline a longer schedule for implementing its information-blocking provisions, rather than having them go into effect when the rule was published. The American Hospital Association wrote to the ONC suggesting at minimum 18 months between the final rule's publication and implementation of the information-blocking provisions. The American Medical Association had requested the ONC extend its effective date for the final rule by at least six months.
The six-month and two-year implementation period seems like a reasonable timeline for healthcare organizations to familiarize themselves with the new regulations and figure out compliance, said Jeff Smith, vice president of public policy at the American Medical Informatics Association.
"A two-year time horizon for … looking at, with a very serious eye, information-blocking is the right way to go," he said.
But some healthcare advocates see the delay as too much.
Cynthia Fisher, a patient advocate and founder of PatientRightsAdvocate.org, was disappointed to see the two-year implementation period, particularly given the pared down definition of electronic health information that the ONC outlined in the rule.
In its proposal last year, the ONC had suggested including price information under the broader umbrella of electronic health information that providers would be required to share with patients. Healthcare groups strongly opposed the suggestion, arguing it would extend past the goals outlined by Congress in the 21st Century Cures Act , which had mandated the ONC's information-blocking regulations.
The ONC in its final rule scaled back the data included to match HIPAA's definition of electronic protected health information.
Fisher said healthcare organizations have had more than three years to begin preparing for the regulations, since the Cures Act was signed in 2016.
"They have had full awareness that this is a problem," she said of organizations implicated in the regulations. "Any further delay only hurts patients."
Mark Savage, director of health policy at UCSF's Center for Digital Health Innovation, said he understood it takes time to adjust to new regulations, but had hoped to see the ONC include incentives for those that implement the requirements early to encourage quicker adoption. He added that allowing organizations to continue to withhold data that's outside the scope of the U.S. Core Data for Interoperability, which includes only a few dozen types of data, for 24 months is "a bit of a concern."
The rule's enforcement could be delayed by additional rulemaking, as HHS' Office of Inspector General needs to issue another rule before HHS can begin enforcing civil monetary penalties on those that engage in information-blocking. The ONC is currently working with the OIG and other HHS agencies on that rule.
"That will be coming out very soon," said Steve Posnack, the ONC's deputy national coordinator for health IT, on a call with reporters Monday.
Incorporating the new information-blocking regulations will require a "paradigm shift" within hospitals' compliance departments, said Bob Belfort, a lawyer with law firm Manatt, Phelps & Phillips' healthcare practice. When in doubt, healthcare organizations have tended to withhold information on account of HIPAA concerns.
"The feeling was: You don't get in trouble by withholding information. You only get in trouble by improperly disclosing information," Belfort said.
Providers are required to give their patients requested medical records within 30 days under HIPAA, but enforcement of that mandate has typically not been as common as for violations that involve breaches of patient data.
In response to the information-blocking regulations, healthcare organizations will need to re-evaluate their data-sharing policies. That means developing policies that align with the eight exceptions the ONC details for when information-blocking is acceptable, such as withholding information to prevent patient harm or protect patient privacy.
"2022 seems a long way off right now—it's not," said Andy Truscott, managing director and technology consulting lead in Accenture's health practice. "Organizations are going to have to lay those plans out and start executing to them sooner rather than later."