Guidance Needed on Information Blocking Rule Research Implications

Federal guidance is needed on information blocking rule implementation for research data sharing, according to a Health Affairs article.

While electronic health information (EHI) holds the potential to advance clinical research, a lack of incentives and standardized procedures to share EHI with researchers has hampered this progress, the authors wrote.

While HIPAA and the Common Rule set conditions for sharing identifiable data for research, those regulations do not mandate that EHI be shared, giving entities that produce EHI broad discretion over researcher access.

However, the information blocking (IB) provision of the 21st Century Cures Act may limit that discretion. Information blocking is defined as any practice likely to interfere with the access, sharing, or use of EHI otherwise permitted by law.

The rule applies to healthcare providers, certified health IT developers, health information exchanges (HIEs), and networks.

While the information blocking does not create data sharing requirements, it presumes that organizations will share EHI when it is lawful to do so. Failure to exchange EHI could result in penalties such as reduced payments from Medicare or Medicaid.

“The IB Rule applies to data sharing for research purposes but leaves several unanswered questions on how institutions should negotiate the Rule in the context of existing regulations and privacy practices,” the authors wrote. “Federal guidance is needed on IB Rule implementation for research data sharing.”

While ONC may not have written the rule with research in mind, it has implications for how an organization responds to an EHI request for clinical research.

The authors explained that institutions often place conditions on data access for research purposes in the interest of protecting data security, assuring the ethical conduct of research, or preserving competitive advantage.  

“Under the IB Rule, it is unclear whether institutions may continue to impose these conditions beyond what is minimally required by law,” they wrote. “By setting an expectation that institutions share data with researchers, provided it is otherwise legal to do so, the IB Rule will put a thumb on the scale in favor of sharing EHI.”

Organizations can deny data requests if they meet an explicit exception that falls into two categories: reasons for not fulfilling requests to access, exchange, or use of EHI (privacy, preventing harm, security, infeasibility, and health IT performance exceptions) and procedures for fulfilling requests to access, exchange, or use EHI (content and manner, fees, and licensing exceptions).

Institutions can, and often must, take action to comply with specific legal requirements for research data access without “interfering” with EHI access.

“For example, institutions must require institutional review board (IRB) approval for research covered by the Common Rule, IRB, or Privacy Board approval of waivers of informed consent or authorization requirements for research covered by HIPAA, or a data use agreement for disclosure of a HIPAA-limited data set,” the authors wrote.

However, providers that place conditions on research access beyond what is required by law may be scrutinized and penalized by the Centers for Medicare and Medicaid Services.

For instance, for multi-institutional research not covered by the National Institutes of Health (NIH) “single IRB in multi-site research” policy, institutions often require review and approval from their own institution’s IRB instead of ceding review to the primary site’s IRB.

Nevertheless, if a “requestor” of EHI data for clinical research purposes obtained approval for the use of requested data from an external or independent IRB, the legal requirement for IRB review might arguably be fulfilled.

“Institutions covered by the IB Rule who mandate home IRB approval as a condition of sharing this requested data could potentially be suspect under the IB Rule, especially if it causes delay or denial of the research because it imposes a condition beyond what is required by law,” the authors pointed out.

They noted that while the IB rule is technically in effect, it is not yet enforced. Additionally, it is unclear whether research will be a priority use case for enforcement. Still, clarity on the rule is needed to help the research community navigate existing laws regulating data sharing for research.

“The lack of guidance regarding IB Rule implementation in research contexts could create a barrier to the pursuit of penalties against egregious actors who may try to exploit preexisting rules to justify information blocking, limiting the law’s effectiveness,” the authors wrote. “At the same time, the IB Rule’s broad scope could unnecessarily undermine practices and policies that preserve patient privacy and data security.”

Despite these challenges, they suggested the rule could ultimately drive improvements in the availability of EHI for clinical research by overcoming a lack of motivation to share data.