The Office of the National Coordinator for Health Information Technology (ONC) has enacted legislation titled the Cures Act Final Rule implementing patient record access and information blocking measures. The new rule affects providers, patients, and health IT developers across all specialties, with the core focus centered on the use of open APIs (application programming interfaces) to widen access to patient records while protecting privacy. We discuss what you need to know.
The rule stipulates that a patient should be able to choose an app to access their health data. Specifically, the app should use a secure protocol called OAuth 2 to access information from the patient medical record and display it for patient use. The goal of these criteria is to enable patients to access records from smartphones or tablets with an application of their choosing. Previously, individual provider policies or health IT developer preferences determined how records could be distributed. The intent of the certification updates and information blocking penalties described below is to increase patient choice and control over records.
The 2015 Edition Cures Update modifies the criteria for health technology to be considered officially certified for use by ONC as part of the final rule. Two new certification criteria have been introduced: electronic health information export and standardized API for patient and population services. Additionally, developers must submit transparency attestations for multifactor authentication and encrypting authentication credentials for privacy and security purposes.
Furthermore, the Common Clinical Data Set is no longer the official standard for certification. It has been replaced by the United States Core Data for Interoperability, which includes a set of classes and elements required to be exchanged in support of national interoperability. Finally, several criteria have been removed or are now time-limited since they do not support the most recent versions of the Medicare and Medicaid Promoting Interoperability programs.
An official definition of information blocking has been released after months of stakeholder debate. Paraphrased, information blocking is defined as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information. Civil monetary penalties can be levied against health IT developers found guilty of information blocking. These penalties cannot exceed $1,000,000.00 per violation. Providers found guilty of information blocking will be referred to other agencies for penalties.
The final rule identifies 8 categories of exceptions to information blocking. These categories are considered reasonable and necessary reasons to not fulfill a request. They include instances to prevent harm to a patient or others, protecting individual privacy or security of data, or general infeasibility of a request. Further exceptions cover real-time procedures for fulfilling a request, such as maintenance of the health IT network itself or charging a reasonable fee for record requests.
Finally, a content and manner exception was added by stakeholder request. The exception states that it is not considered information blocking for an actor to limit the content of its response to a request for access, or the manner in which it fulfills a request for access. The intent of this exception is to allow health IT developers and requesters to engage in open-market negotiation for record access. Then, if no agreement can be reached, the other exceptions will provide guidelines and penalties.