
What Providers Should Know About the ONC Interoperability Rule

Per the ONC interoperability rule, healthcare providers must share all electronic health information (EHI) by October 6, 2022.

The ONC interoperability rule aims to enhance the exchange of electronic health information (EHI) to benefit patients and clinicians alike.

In 2016, Congress passed the 21st Century Cures Act to drive the electronic access, exchange, and use of health data. The ONC Cures Act Final Rule, published in 2020, implements the interoperability provisions of the Cures Act to promote patient control over health information through standards-based application programming interface (API) adoption.

These tools make it easier for patients to use smartphones, tablets, and desktop apps to access their personal health information from certified EHR systems.

ONC officials noted that the final rule will help ensure these certified APIs are made available in a safe, secure, and affordable way.

The rule prohibits information blocking and defines practices that are considered reasonable and necessary activities that would not constitute information blocking. 

ONC's Cures Act Final Rule also establishes exceptions to allow healthcare organizations and providers common-sense operational flexibility, including protecting patient security and handling situations where exchanging data is technically infeasible.

Ultimately, the final rule aims to create a "thoughtful balance between patient and clinician needs," according to ONC officials.

For instance, it encourages transparency around patient safety issues within health IT, while also attempting to protect the intellectual property rights of health IT vendors who have made significant investments in creating user interfaces and workflows.

With provisions for the interoperability rule coming into effect starting October 6, 2022, healthcare organizations should assess what the rule means for them, which parts they still need to fulfill, and how to do so.

What The Rule Means for Providers

According to ONC, the final rule will make responses to patient data requests easy and inexpensive.

"Patients will be able to access their health information from EHRs using an app of their choice in an automated fashion without any additional action on the part of the provider other than the initial effort to enable the technical capabilities," officials noted in an ONC fact sheet.

Providers will be able to choose software offerings that help them provide better care.

"Providers should be allowed to benefit from a vibrant, competitive marketplace where the choice of software services lies with them and not a health IT developer," the officials pointed out.

The final rule provisions will also help improve patient safety by recognizing practices that prevent the sharing of health information that may cause harm through the Preventing Harm Exception for information blocking.

Additionally, the final rule should improve patient safety by supporting patient matching through the exchange of the United States Core Data for Interoperability (USCDI) and its patient demographic data elements.

Upcoming Compliance Dates

Only some of the information blocking regulations have been in effect since April 5, 2021. Currently, the information blocking definition applies only to a subset of EHI represented by data elements identified by the USCDI V1.

However, starting on October 6, 2022, stakeholders will be expected to share all EHI, including unstructured data.

"Expanding the aperture of interoperability to include as much electronic information as possible will provide richer information to inform patient care and reduce the burden on patients of having to manually gather and lug reams of paper records from provider to provider," Micky Tripathi, PhD, MPP, national coordinator for health IT, wrote in a Health Affairs article.

"It will also open new horizons for modernization across the entire healthcare continuum," he added.

HIPAA Implications for the ONC Interoperability Rule

While HIPAA permits access to health data, the interoperability rule will require such data sharing. For example, if a provider requests access to patient records, HIPAA only says that a healthcare organization may provide such access. However, under the ONC interoperability rule, such data exchange must be allowed, or the provider will be guilty of information blocking.

What Data Applies to the Information Blocking Rule

Complying with the ONC information blocking rule depends on a clear understanding of HIPAA-defined terms related to patient health information, according to a HealthITBuzz blog post written by ONC's Kathryn Marchesini and Michael Lipinski.

"EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS), regardless of whether the group of records are used or maintained by or for a covered entity," Marchesini and Lipinski wrote. "The EHI definition incorporates terms (ePHI and DRS) defined by the regulations issued under HIPAA."

However, the definition of EHI excludes psychotherapy notes and information compiled in anticipation of legal proceedings as defined in HIPAA.  

EHI relies on the electronic part of what the HIPAA Rules define as the DRS.

"It's important to note that certain healthcare providers subject to the information blocking regulations (and any other actor that supports them) may not be covered entities or business associates under the HIPAA Rules," the ONC officials noted.

"These actors will need to familiarize themselves with the HIPAA-defined terms and assess what information they have that would be records that align with those included in the DRS (ie, used for making decisions about individuals)," Marchesini and Lipinski continued.  

However, they pointed out that most actors subject to the information blocking regulations are covered entities or business associates under HIPAA, so stakeholders must understand how the EHI definition aligns with HIPAA-defined terms.

The information must first meet the definition of ePHI. Protected health information (PHI), as defined in HIPAA, is health information that identifies or reasonably could be used to identify a patient.

Such information not only identifies the individual, but also relates to the past, present, or future physical or mental health of an individual; the provision of healthcare to an individual; or payment for care.

PHI may be maintained or transmitted in any form or medium. Any PHI that is held or transferred in electronic form is ePHI, ONC officials said.

For example, social determinants of health (SDOH) information becomes PHI when a covered entity collects it to inform an individual's treatment decisions. If this information is maintained or transmitted electronically, it is ePHI.

In order to be considered ePHI, information must also meet the definition of a DRS. HIPAA gives patients a legal right to access their health information maintained in an entity's DRS. The DRS may include paper and electronic records, but EHI, held by a HIPAA covered entity or business associate, is only the electronic subset.

"Thus, the information held by a HIPAA covered entity or business associate to which the information blocking regulations apply is the same information that patients already have a legal right to access," the blog authors wrote. "If an organization is an actor but not subject to HIPAA, the actor must now determine which information that they hold would qualify as EHI."

A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a HIPAA covered entity or business associate.

A HIPAA DRS is a group of records maintained by or for a covered entity that is: the medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used by or for the covered entity to make decisions about individuals.

"A HIPAA covered entity or business associate that is also an actor may have ePHI that is not part of the DRS, and thus not EHI, because the information is not used to make decisions about individual patients," the ONC officials said.

Examples of ePHI that are not part of the DRS include electronic peer review files, provider performance evaluations, and management records used solely for business decision-making.

"The HIPAA Rules identify certain types of records that are always part of a covered entity's DRS," Marchesini and Lipinski wrote. "However, the HIPAA Rules do not specify the particular information that would make up a DRS."

For HIPAA-regulated entities, EHI is simply the part of the DRS that is ePHI.

Therefore, since the definition of DRS is not specific to particular technology platforms where an organization maintains the information, neither is the definition of EHI, ONC officials noted.

For instance, EHI is not limited to what's in a certified EHR.

"If actors maintain information that would be ePHI in a DRS and they were a HIPAA covered entity or business associate, then the information is EHI and subject to the information blocking regulations," the blog authors wrote.

As the digital health transformation progresses, seamless exchange of patient data will be crucial in advancing patient-centered care, value-based care, and precision medicine.
