December 9, 2023
How The Cures Act Information Blocking Rule Could Impact Research

Health care providers collect vast amounts of electronic health information (EHI) that hold enormous potential for advancing science. However, that potential has been limited by a lack of incentives, imperatives, and standardized means to share EHI with researchers. Federal law sets conditions for sharing identifiable data for research through regulations under HIPAA and the Common Rule. But those regulations do not mandate that EHI be shared in the first place. The result is that entities producing EHI have had broad discretion over researcher access.

The 21st Century Cures Act and its companion Cures Act Final Rule, finalized by the Office of the National Coordinator of Health Information Technology in 2020 and effective since April 5, 2021, may limit that discretion—in particular, a set of provisions designed to prevent the practice of “information blocking” (hereafter referred to as the IB Rule). Information blocking is broadly defined as any practice likely to interfere with the access, exchange, or use of EHI otherwise permitted by law. The IB Rule applies to several entities including health care providers (individuals or institutions), developers of certified health information technology (electronic health record vendors), and health information networks and exchanges. The IB Rule only covers EHI—not paper records—and is limited to a highly circumscribed set of data until October 5, 2022, when it expands to include the full designated record set as defined in the HIPAA Privacy Rule.

The IB Rule does not create data-sharing requirements—instead, it creates a presumption that EHI will be shared in circumstances where it is lawful to do so. As a consequence, failure to share EHI—or placing conditions on such sharing beyond what is required by law—could result in monetary penalties or financial disincentives, such as reduced payments from Medicare or Medicaid.

The IB Rule applies to data sharing for research purposes but leaves several unanswered questions on how institutions should negotiate the Rule in the context of existing regulations and privacy practices. Federal guidance is needed on IB Rule implementation for research data sharing.

The Information Blocking Rule For Research

While the IB Rule may not have been written with research in mind, it nonetheless has implications for how an institution responds to a request for EHI for research purposes. At present, institutions often impose conditions on access to data for research purposes in the service of protecting patients and the security of their data, assuring the ethical conduct of research or maintaining competitive advantage. Under the IB Rule, it is unclear whether institutions may continue to impose these conditions beyond what is minimally required by law. By setting an expectation that institutions share data with researchers, provided it is otherwise legal to do so, the IB Rule will put a thumb on the scale in favor of sharing EHI.

Exceptions To The Information Blocking Rule

Data requests can be denied (or conditions to data access imposed) if they meet an explicit exception. These exceptions fall into two categories: reasons for not fulfilling requests to access, exchange, or use of EHI (privacy, preventing harm, security, infeasibility, and health IT performance exceptions) and procedures for fulfilling requests to access, exchange, or use EHI (content and manner, fees, and licensing exceptions). The IB Rule’s exceptions were deliberately made narrow and do not necessarily cover some of the customary conditions placed on research access.

Ambiguities For Research Data Sharing

Institutions can, and often must, still take action to comply with specific legal requirements for research data access without being considered to be “interfering” with access to EHI. For example, institutions must require institutional review board (IRB) approval for research covered by the Common Rule, IRB, or Privacy Board approval of waivers of informed consent or authorization requirements for research covered by HIPAA, or a data use agreement for disclosure of a HIPAA-limited data set.

However, providers placing conditions on research access that go beyond what is expressly required to comply with law may be scrutinized and penalized by the Centers for Medicare and Medicaid Services. For example, for multi-institutional research not covered by the National Institutes of Health (NIH) “single IRB in multi-site research” policy, institutions often require home IRB approval—that is, review and approval from their own institution’s IRB—instead of ceding review to the primary site’s IRB. But if a “requestor” of EHI data for research purposes already obtained approval for use of the requested data from an external or independent IRB, the legal requirement for IRB review might arguably be satisfied. Institutions covered by the IB Rule who mandate home IRB approval as a condition of sharing this requested data could potentially be suspect under the IB Rule, especially if it causes delay or denial of the research, because it imposes a condition beyond what is required by law.

Dueling IRB determinations—for example, if the home IRB of the institution from whom data are requested does not find that the requestors’ data security plan is sufficient or disagrees with the waiver determination made by the requestor’s IRB—also present a dilemma under the IB Rule, if the home IRB’s determination imposes more stringent criteria without a clear justification and consistent with that IRB’s past determinations. IRBs are not covered by the IB Rule, and research rules expect that IRBs will make decisions independent of the institutions they serve. Does the IB Rule change that dynamic, subjecting an institution to the risk of an IB Rule violation if it insists on following only the decisions of its home IRB? Or does the IB Rule potentially create a new expectation of reliance on the outside board?

The IB Rule calls into question whether institutions can impose other conditions beyond legal requirements. Measures protecting data that go beyond express legal requirements include adding conditions that are not required by HIPAA to data use agreements, or only allowing data access via a portal to data behind a firewall, or only giving data to organizations with, for example, a HITRUST certified environment. Do these measures, which can place obstacles to research access, raise penalty risks for institutions under the IB Rule? It’s clear from the IB Rule that differentially granting access to EHI based on whether the requestor is a competitor would violate the IB Rule, but further guidance from regulators is needed on whether other discretionary conditions on research—and insisting on reliance only on home IRB review—are acceptable.

Unintended Consequences

Paradoxically, efforts to comply with the IB Rule could increase risks to privacy and data security. Currently, research often takes place with de-identified health information because such data are not constrained by HIPAA or the Common Rule. However, de-identified data are not covered by the IB Rule because they don’t meet the definition of EHI. Access to de-identified data would remain under the full discretion of institutions, but the IB Rule could increase the demand for, and use of, identifiable EHI for research purposes, shifting away from research that could have been conducted with de-identified data.

Supporting A Learning Health Care System

While the IB Rule is technically in effect, it is not yet being enforced. It is also unclear whether research will be a priority use case for enforcement. Nevertheless, clarity on the IB Rule is needed to help the research community negotiate existing rules regulating data sharing for research. The lack of guidance regarding IB Rule implementation in research contexts could create a barrier to the pursuit of penalties against egregious actors who may try to exploit preexisting rules to justify information blocking, limiting the law’s effectiveness. At the same time, the IB Rule’s broad scope could unnecessarily undermine practices and policies that preserve patient privacy and data security. Notwithstanding these challenges, the IB Rule could ultimately spearhead improvements in the availability of EHI for research purposes by overcoming a lack of motivation to share data. It is critical for the IB Rule to be implemented in a way that moves us toward an interconnected health care system suitable for research at scale that also remains protective of patient data and consistent with ethical protections for human subjects.

Authors’ NoteDeven McGraw received salary from, and owns minority shares in, Invitae, and is on the institutional review board for the federal All of Us Research Program.