- Under the IBR, an HIN/HIN Actor is one that “determines,” “controls,” or has the “discretion to administer” access, exchange or use of EHI between two or more unaffiliated entities.
- A separate entity is not necessary to trigger the IBR HIN/HIE definition of an Actor.
- A provider could wear two IBR Actor hats: (1) as a health care provider, and (2) as a HIN/HIE
Subscribe to HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Information Blocking Rule, HIPAA, 42 CFR Part 2, Breach Notification.
Section § 171.102 of the Information Blocking Rule (IBR) defines an “actor” as: (1) a health care provider, (2) a health IT developer of certified health IT, or (3) a health information network (HIN) or health information exchange (HIE). Although each of these three terms has its own specific definition under the IBR, an organization is not necessarily limited to being just one “type” of IBR actor. For example, a hospital would clearly fall within the IBR’s legal definition of a “health care provider” type actor, however if it also engages in certain types of activities it might also meet the legal test to qualify as an HIN/HIE actor for purposes of the IBR. One reason why this distinction is so important if because entities that qualify as a HIN or HIE under the IBR’s definitional tests are subject to potential civil monetary penalties (CMPs) for engaging in impermissible information blocking practices.
The final rule defines a “health information network” or “health information exchange” as:
“an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information (EHI):
(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.”
Although there are many parts to this definition that would need to be analyzed in order to fully evaluate and ascertain if a particular entity qualifies as an HIN or HIE under the IBR, for purposes of this post I am going to focus in only on how ONC views whether an entity has the ability to “determine,” “control,” or “discretion to administer” the exchange of EHI. In its Preamble to the Proposed and Final Information Blocking Rules, ONC offers several examples of situations where it might find that an entity has met this part of the test.
The first example ONC discusses is when a separate legal entity is established for the purpose of improving the movement of EHI between the health care providers, and such entity identifies standards relating to security and offers terms and conditions to be entered into by health care providers wishing to participate in the network. ONC explains that such entity offering (and then overseeing and administering) the terms and conditions for participation in the network would be considered a HIN for the purpose of the IBR. See 85 Fed Reg. 25642, 25801 (May 1, 2020).
However, ONC also notes that a separate entity is not necessary for certain activities to trigger the IBR’s HIE/HIN definition. In a second example, ONC explained that a health system that ‘‘administers’’ business and operational agreements for facilitating the exchange of EHI that are adhered to by unaffiliated physician practices and specialist clinicians in order to streamline referrals between those practices and specialists would, under such circumstances, likely be considered a HIN.
Finally, ONC points out that the HIE/HIN definition “also encompasses an entity that does not directly enable, facilitate, or control the movement of EHI, but nonetheless exercises ‘control’ or ‘substantial influence’ over the policies, technology, or services of a network.” In particular, ONC recognized that there could be an entity that relies on another entity—such as an entity specifically created for the purpose of managing a network—for policies and technology, but nevertheless dictates the movement of EHI over that network and so itself would meet the definition of an HIN. To illustrate, ONC explains:
“a large health care provider could decide to lead an effort to establish a network that facilitates the movement of EHI between a group of smaller health care providers (as well as the large health care provider) and through the technology of health IT developers. To achieve this outcome, the large health care provider, together with some of the participants, could create a new entity that administers the network’s policies and technology. The large health care provider would come within the functional definition of a HIN and could be held accountable for the conduct of the network if the large health care provider used its control or substantial influence over the new entity—either in a legal sense, such as via its control over the governance or management of the entity, or in a less formal sense, such as if the large health care provider prescribed a policy to be adopted—to interfere with the access, exchange, or use of EHI.”
Therefore, with this example, ONC specifically tells us that a health care provider could wear two hats. For purposes of information blocking and the IBR, the large health care provider in ONC’s example would be treated as a health care provider when utilizing the network to move EHI via the network’s policies, technology, or services, but would be considered a HIN in connection with the practices of the network over which the large health care provider exercises control or substantial influence. See 85 Fed Reg. at 25802.
This presents a unique challenge for these types of health care providers (e.g., hospitals and health care systems) that have not historically viewed themselves as “operating” an HIN/HIE, and might have not fully considered the impact of retaining authority to “determine,” “control,” or “discretion to administer” any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of EHI for treatment, payment or health care operations. Moreover, by default, health care providers that are HIPAA covered entities arguably always retain the authority to determine how their protected health information (PHI)/EHI may be used and disclosed by their contracted HIPAA BA which is otherwise “administering” activities related to access, use and exchange of EHI between two or more unaffiliated parties. Therefore, health care providers continuing to work through their compliance with the IBR should add this to their checklist if they are exerting any control or substantial influence over decisions that allow the access, exchange or use of EHI between two or more unaffiliated entities. If the answer is “yes,” it could be necessary for such providers to also look at their activities through the IBR lens as a HIN/HIE.
Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Information Blocking Rule. Review our Table of Contents here.