Five Exceptions for Not Fulfilling Requests
Preventing harm. Under this exception, providers are permitted to engage in practices that are reasonable and necessary to prevent or reduce the risk of harm to a patient or another person. This exception recognizes the importance of a provider’s clinical judgment relating to patient treatment to determine when, for example, patient test results and related clinical notes should be delayed based on the sensitivity of a diagnosis and the need to discuss results with a patient before giving access to the information. ONC guidance indicates that a blanket three-day delay in test results may not be appropriate under this exception; providers must make individualized patient determinations.
June 2021
Privacy. When this exception applies, a provider doesn’t have to fulfill a request to access, exchange, or use EHI. The purpose of this exception is to protect an individual’s privacy and ensure that providers don’t use or disclose EHI in a manner prohibited by state or federal privacy laws. For this exception to apply, the provider’s privacy practices must satisfy at least one of four subexceptions: 1) a precondition is not satisfied; 2) a health IT developer of certified health IT is not covered by HIPAA; 3) the denial of an individual’s request for their EHI; and 4) respecting an individual’s request to not share information.
Of particular importance to healthcare providers is the first subexception. Under this subexception, a provider may choose to not provide access to, exchange of, or use of EHI if, for example, statutorily required patient consent or authorization has not yet been given. Under the third and fourth subexceptions, providers may deny an individual’s request for access to EHI as permitted under 45 C.F.R. 164.524 of the HIPAA Privacy Rule (www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html) or may choose to not provide access to, exchange of, or use of EHI if the individual has requested that the information not be shared.
Security. When this exception applies, a provider may interfere with the access to, exchange of, or use of EHI in order to protect EHI security. The exception doesn’t specify a maximum level of security or dictate a permitted approach. Instead, the security practice must be directly related to safeguarding the confidentiality, integrity, and availability of the EHI, tailored to specific security risks, and implemented in a consistent and nondiscriminatory manner.
Infeasibility. This exception applies when legitimate practical challenges may limit the ability to comply with requests for access to, exchange of, or use of EHI. If a provider lacks the required technology, legal rights, or other means necessary to enable EHI access, exchange, or use, they aren’t required to fulfill the request. For this exception to apply, however, the provider must meet one of the following conditions: 1) uncontrollable events prevent the provider from fulfilling a request, including, but not limited to, a natural disaster, public health emergency, or public safety incident; 2) the provider cannot segment the requested EHI; or 3) the provider demonstrates with a written record or documentation that certain factors led to the determination that complying with the request was infeasible under the circumstances. A provider must provide a written response within 10 business days explaining why fulfilling a request is infeasible.
Health IT performance. Reasonable and necessary measures that are limited in scope may be taken to make health IT temporarily unavailable or to degrade health IT’s performance for an overall benefit, and these will not be considered information blocking. This exception recognizes that to properly secure EHI, health IT must occasionally be improved, which may require taking IT temporarily offline. A provider may take action against a third-party app that negatively impacts their health IT. If IT unavailability is in response to risk of harm or a security risk, the provider must comply only with the preventing harm or security exceptions, as applicable.