Key Takeaways on Complying With the New ONC Final Rule | MHA Webinar

19 October 2020 Health Care Law Today Blog
Authors: Chanley T. Howell

On October 8th, the Massachusetts Health & Hospital Association (MHA) held a webinar regarding the information blocking aspects of the Office of the National Coordinator for Health Information Technology (ONC) Final Rule under the 21st Century Cures Act. The Cures Act required ONC to develop regulations to improve interoperability and patient access to electronic health information, and deter information blocking. Information blocking is a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).

The presentation, which was given by Foley Partner Chanley Howell, focused on aspects of ONC’s Final Rule specific to health care providers and steps practices should take in order to comply. Below are some key takeaways from the presentation:

  1. While the Office of Management and Budget (OMB) is currently reviewing further extensions of the current compliance deadline of November 2, 2020, it is important to keep in mind that the Office of Inspector General (OIG) is working on civil monetary penalties (CMPs) of up to $1 million and “appropriate disincentives.” However, these penalties will not begin until the OIG has had the opportunity for notice-and-comment rulemaking on what may constitute “appropriate disincentives.” There will also be a three-month enforcement discretion period from ONC until February 2, 2021 to allow health care providers to focus on other priorities during the COVID-19 pandemic.


  2. While HIPAA historically has required business associate agreements to establish permissible uses and disclosures of PHI—and prohibit uses and disclosures not permitted or required by law—the new rule now requires the sharing of data where HIPAA permits, but does not require, the disclosure. Additionally, when the law permits the access to or exchange of EHI, a disclosure will often be required.


  3. The new rule requires that the policies be implemented in a consistent and non-discriminatory manner to put pressure on providers or health IT developers to streamline their data contracting protocols. If delay or denial of information may be considered interference, compliance with an exception may be necessary to avoid information blocking claims.


  4. Covered entities and their business associates should update their privacy and security policies, as well as modify their release of information and data-sharing practices. In some places, the rule requires that organizational policies be in writing (such as in the Preventing Harm, Privacy and Security Exceptions).


  5. Although the ONC notes that the information blocking rule does not itself require providers or health IT developers to violate their Business Associate Agreements (BAAs), they cannot use these agreements to limit EHI disclosures, so considering the applicability of BAA language regarding modifications to the law is highly encouraged.
