By Bob Anderson, JD, and Stephanie Eckerle, JD
Krieg DeVault LLP
Health care providers need to be prepared to comply with the new information blocking rules found in the 21st Century Cures Act (the Cures Act). With the Cures Act, Congress intended to take electronic medical records to the next level by focusing on interoperability and information blocking. Now that electronic medical record systems have been widely adopted in the industry, Congress desires smoother and more efficient electronic communication between systems (interoperability) and more efficient electronic access by patients and their designees (prohibitions on information blocking).
Congress left many of the details of implementation to the Department of Health and Human Services (HHS). The Office of the National Coordinator (ONC) of HHS promulgated final rules relating to information blocking and interoperability, which begin to take effect on April 5, 2021. ONC designed the rules to require electronic medical record systems to communicate with each other and to allow patients to access records on mobile phone apps, among other methods. The rules contain provisions relating to medical record software developers, health care providers and health information networks and exchanges.
The information blocking prohibitions relate to all health care providers. There are three key things that health care providers should do to comply with the information blocking rules by the time they become effective:
- Implement an information blocking and exceptions policy.
- Train their workforce members on information blocking.
- Ensure prompt patient access to electronic health information (EHI).
Information blocking is what it sounds like: It is any practice that is likely to interfere with access, exchange or use of EHI and, with respect to a health care provider, the provider knows that such practice is unreasonable and is likely to interfere with, prevent or materially discourage access, exchange or use of EHI. There are, of course, exceptions or safe harbors. In fact, there are eight of them enumerated by ONC. Five of them relate to whether a provider should provide any information at all, and three of them relate to procedures for access.
Information blocking and exceptions policy
All health care providers should draft an information blocking and exceptions policy to ensure that they are fully compliant with the information blocking rules. Many health care providers are choosing to include this new policy as an addendum to their current HIPAA policies and procedures, given the overlap in issues. The information blocking and exceptions policy should incorporate the following key concepts:
- Applicability to EHI: The policy should apply to all EHI that would be considered part of a designated record set as defined in HIPAA, excluding psychotherapy notes and information compiled in anticipation of litigation. Note that there is no exception for private notes or physician-only notes. If a note is in the patient’s chart, it will likely be considered part of the EHI. If mental health professionals maintain psychotherapy notes, they should ensure that the notes are from a counseling session and that they are kept separate from the individual’s medical record so that they meet the definition of psychotherapy notes under both HIPAA and the information blocking rules.
- Prohibiting information blocking: The policy should specifically state that a provider undertakes information blocking if the provider knows that such practice is unreasonable and is likely to prevent or materially discourage access, exchange or use of electronic health information. Further real-life examples of information blocking should be included in the policy or discussed during workforce training. Existing policies that might constitute information blocking in the future would include charging unreasonable fees for records, unreasonably delaying responses to requests, insisting that records may only be delivered in person or by fax machine or inappropriately citing HIPAA as a reason why EHI may not be accessed or shared.
- Exceptions: The policy should specifically describe the eight exceptions to information blocking and have a checklist or procedure that the workforce will follow to determine if denying or limiting access to EHI falls within one of the exceptions. This is especially important since most exceptions require an organizational policy and require that any denial of access to EHI be consistent with that organizational policy.
Although all exceptions to information blocking should be included in the policy, there are several that a health care provider will likely deal with on a more recurrent basis. First, a health care provider’s denial of access to electronic health information will not be considered information blocking if it is done to prevent harm. Although ONC lists this exception first, outside of a mental health practice, it will likely apply only rarely. The health care provider must have a reasonable belief that not allowing access will substantially reduce harm to the patient or another person. In addition, the risk of harm must be determined on a case-by-case basis in the exercise of professional judgment of a licensed health care provider who has a current or past relationship with the patient. The determination must also be made consistently with HIPAA’s right to deny access due to risk of harm found in 45 C.F.R. 164.524(a)(3) and must also comply with Indiana’s requirements for withholding of health records found in Indiana Code 16-39.
A second exception exists for denying requests that do not comply with privacy laws, such as HIPAA or state law. For example, a health care provider will not be deemed to engage in information blocking if it denies access to EHI because the patient or party requesting the information has not provided the provider with a HIPAA-compliant authorization. However, under the information blocking rules, the health care provider must use reasonable efforts to provide the individual with a HIPAA-compliant authorization if required. A good summary of all the information blocking exceptions can be found here, although health care providers should ensure that any policy that details the exceptions includes all regulatory requirements found at 45 C.F.R. 171.
- Privacy officer: If a health care provider relies on an information blocking exception as a reason to deny access, the health care provider should require the involvement of the privacy officer or another designee to review the exception, given the strict compliance requirements.
- Manner of access: The information blocking policy should govern the manner in which access is given to electronic health information and how associated fees are to be handled. A health care provider must fulfill the request in any manner that is requested by the patient, unless the health care provider is technically unable to fulfill the request in that manner. For example, if a patient requests that their records be printed and provided in paper form, then the health care provider must comply with this request.
- Health IT contracts: The information blocking policy should take into account the type of licensing arrangements and business associate contracts that are required under both HIPAA and the information blocking rules. For example, if a health care provider has a contract that limits sharing of EHI to only certain affiliated providers, this must be amended so that there is not a prohibition on sharing EHI for treatment purposes with any provider. In addition, under the information blocking rules, health care providers are offered substantial protections when it comes to exporting and migrating electronic health information from one EHR platform to another. Health care providers and their IT team should understand the implication of the information blocking rules on health IT developers, to ensure that their own electronic medical record and health IT platforms are compliant. The ONC rules relate directly to electronic medical record developers who should be in communication with health care providers about modifications and updates to software to comply with the new rules. Health care providers will need to stay abreast of the electronic capabilities of their systems. The refusal to accommodate electronic access requests, when the system is fully capable of doing so, could constitute information blocking. ONC has specifically stated that it envisions patients accessing their medical records on smartphones and other apps, much the same way that they access their private banking information.
Training of workforce
Health care providers must educate and train their workforce on what constitutes information blocking. HHS specifically stated that the extension of the compliance date to April 5, 2021 was to allow more time for this type of training.
Any training given to the workforce should not only review the new information blocking policy of the organization but should provide specific examples of actions that constitute information blocking. For example, in a 2015 report to Congress by ONC, ONC listed examples of information blocking undertaken by health care providers. These examples include when health care providers (a) limit access to EHI in order to control referrals and enhance market dominance; (b) cite privacy and security laws as a reason why EHI should not be shared, when in fact the law at issue, such as HIPAA, does not actually require such restriction; or (c) refuse to provide EHI for treatment purposes to unaffiliated providers.
In addition to examples of information blocking, examples of when exceptions are satisfied or not satisfied should also be given during training. For example, ONC lists multiple examples of how the preventing harm exception can impact the right to access a minor’s records, which should be reviewed if records requests for minors are commonplace in your organization. In addition to providing specific examples of information blocking, the training should also take into account any special scenarios due to special health information that a provider deals with, such as the impact of drug and alcohol abuse records governed by 42 CFR Part 2 or mental health records.
Implementation of patient access to EHI
The goal of the information blocking rules is to ensure that patients have access to their own electronic health information. A health care provider’s HIPAA policies, information blocking policy, contractual agreements and conduct must all meet this goal. Otherwise, a provider may face penalties under HIPAA, the Cures Act and other types of third-party lawsuits brought in state or federal court. Even prior to the information blocking rules becoming enforceable, HHS has been very active in enforcing a patient’s right of access to records. For example, on Jan. 12, 2021, HHS settled its 14th investigation in its HIPAA Right of Access Initiative against a health system. In that case, the health system received a records request in December 2017 but did not respond to the request until May 2018. OCR ruled that this was a violation of HIPAA’s right of access standard. After April 5, 2021, health care providers that engage in such conduct may not only face HIPAA violations, but also face penalties under the Cures Act.
In conclusion, the information blocking rules found in the Cures Act add an additional layer of compliance and complexity to a health care provider’s obligations related to electronic health information. However, health care providers can efficiently manage this compliance obligation and associated risks by policies, procedures and training that take into account the technical capabilities of their electronic medical record systems and the overlap of HIPAA, information blocking rules and other applicable state and federal laws. This can be managed by understanding when a patient or their legal representatives have the right to access EHI, how EHI can be accessed, and when EHI can be shared for other purposes, such as treatment. In addition, it can also be managed by a detailed understanding of the eight information blocking exceptions.