Birmingham Medical News:
Five Information Blocking Takeaways

Reprinted with permission from the Birmingham Medical News. This article originally appeared on www.birminghammedicalnews.com.

On April 5th, the final information blocking rules issued by the Office of National Coordinator ("ONC") took effect, leaving providers with numerous questions regarding what information has to be released, to whom, and how quickly.

The information blocking rules, enacted as part of the 21st Century Cures Act, prohibit a healthcare provider, among other "actors" as defined in the rules, from taking any action that is likely to interfere with the access, exchange, or use of electronic health information contained in a designated record set ("EHI"), unless the action is required by law or an applicable exception is met. An action is likely to interfere with the access, exchange, or use of EHI if there is a reasonably foreseeable risk that the action will interfere with the access, exchange, or use of EHI. What is reasonable depends on the facts and circumstances.

While these rules are complicated and additional guidance is certainly necessary, below are my five takeaways with respect to the new information blocking rules.

  1. The information blocking rules are not limited to patient access to EHI through a patient portal. The information blocking rules apply to any request for EHI from any requestor, not just a request to access information from patients. For example, the rules can be triggered when responding to a request for information from another treating provider.
  2. Compliance with HIPAA timeframes (or other state law timeframes) is not always sufficient. HIPAA currently allows a healthcare provider thirty days to respond to a patient's request for access, although the proposed changes to HIPAA, if implemented, would shorten that time period to fifteen days. ONC has stated that simply because a healthcare provider satisfies the HIPAA timeframes for access (i.e., 30 days), that does not necessarily prevent a violation of the information blocking rules. In other words, a provider can comply with HIPAA yet still run afoul of information blocking requirements. Unfortunately, the information blocking rules do not set forth a specific timeframe that would be compliant, deferring to a facts and circumstances analysis.
  3. The exceptions are complex and contain several factors that must be met. There are eight exceptions to the information blocking rules. If an exception is satisfied, the action will not be considered to be information blocking. Each exception to the information blocking prohibition is complex and contains a number of factors that must be met in order to qualify for the exception, a discussion of which is beyond the scope of this article. Thus, if you are relying on an exception to prevent the access, exchange, or use of electronic health information, each exception must be carefully reviewed. Any provider utilizing an exception should document the use of the exception and how the exception was satisfied. The eight exceptions to the information blocking rules are as follows:
  • Preventing Harm Exception—It will not be considered information blocking to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, as long as certain conditions are met.
  • Privacy Exception—It will not be considered information blocking if the action is designed to protect an individual's privacy (e.g., by complying with state or federal privacy laws), as long as certain conditions are met.
  • Security Exception—It will not be considered information blocking if the action is designed to protect the security of the EHI, as long as certain conditions are met.
  • Infeasibility Exception—It will not be considered information blocking if the denial of access, exchange, or use is due to the infeasibility of the request (e.g., lacking the requisite technological capabilities), as long as certain conditions are met.
  • Health IT Performance Exception—It will not be considered information blocking if you take reasonable and necessary measures to temporarily suspend access to information through health IT in order to benefit the overall performance of the health IT, as long as certain conditions are met.
  • Licensing Exception—It will not be considered information blocking if you license interoperability elements for EHI to be accessed, exchanged, or used, as long as certain conditions are met.
  • Fees Exception—It will not be considered information blocking if you charge a reasonable fee for accessing, exchanging, or using EHI, as long as certain conditions are met.
  • Content and Manner Exception—It will not be considered information blocking to limit the content or manner of response for a request for access, exchange, or use, as long as certain conditions are met.
  4. Routine delays in the delivery of information, including test results, would be considered information blocking. Many providers have established policies and procedures that delay certain test results for a period of time before the results are released to the patient portal, allowing time for the physician to review the results and, if necessary, contact the patient directly. ONC has stated that a wide-sweeping practice of this nature would be in violation of the information blocking rules. In other words, unless an exception is satisfied, test results should be released to the portal immediately, without delay, which may mean that the results are seen by the patient before they are reviewed by the physician.
  5. Information blocking rules can be violated even if there is no harm. Because the information blocking rules contain a "likely to interfere" standard, the rules can be violated without any corresponding harm if an action is "likely" to interfere with the access, use, or exchange of EHI.

The information blocking rules are enforced by the Health & Human Services Office of Inspector General. Specific penalties against providers for violations of the information blocking rules are currently unknown but are expected to be released in future rule-making. Nonetheless, providers should pay close attention to these new rules and the impact they may have on existing policies and procedures related to the release of EHI.
