The 21st Century Cures Act (Cures Act), which became law on Dec. 13, 2016, emphasized interoperability in the exchange of healthcare information among healthcare providers, health information entities, and patients. The Cures Act underscored unimpeded access to patient electronic health information (EHI) upon request, in a manner that’s secure and is updated automatically, and it prohibits healthcare providers, health IT developers, health information networks, and health information exchanges from engaging in unreasonable or unnecessary blocking of EHI.
June 2021
On March 9, 2020, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued a final rule that created eight exceptions to the Cures Act information-blocking prohibition. Below, we discuss information blocking, the exceptions created by the final rule, and the steps providers need to take to ensure that they’re in compliance with the rule, which became effective on April 5, 2021.
The Information Blocking Rule
Physicians can experience information blocking when trying to access patient EHI from other providers, when connecting their electronic health record (EHR) systems to local health information exchanges, or when migrating from one EHR to another. Physicians may run afoul of the information blocking prohibition in response to a request for access to, exchange of, or use of EHI. Physicians may also violate the information blocking rule if they knowingly take actions that unreasonably or unnecessarily interfere with access to, exchange of, or use of EHI, even if no patient harm occurs.
Common examples of information blocking include unnecessary delays in the provision of patient test results, policies requiring staff to obtain written consent from a patient before sharing EHI with unaffiliated providers for treatment, or interference with an EHR that would generally enable EHI to be shared with other providers or patients.
The ONC provides eight exceptions to information blocking that may offer healthcare providers protection for certain actions in response to requests to access, exchange, or use EHI. Providers must satisfy all conditions and elements of an exception, or their actions may be considered information blocking and be subject to enforcement. Providers should note that adequate documentation is necessary to demonstrate compliance with an applicable exception.
The information blocking exceptions are summarized below under two categories: exceptions for not fulfilling a request and procedural exceptions.
Five Exceptions for Not Fulfilling Requests
Preventing harm. Under this exception, providers are permitted to engage in practices that are reasonable and necessary to prevent or reduce the risk of harm to a patient or another person. This exception recognizes the importance of a provider’s clinical judgment relating to patient treatment to determine when, for example, patient test results and related clinical notes should be delayed based on the sensitivity of a diagnosis and the need to discuss results with a patient before giving access to the information. ONC guidance indicates that a blanket three-day delay in test results may not be appropriate under this exception; providers must make individualized patient determinations.
Privacy. When this exception applies, a provider doesn’t have to fulfill a request to access, exchange, or use EHI. The purpose of this exception is to protect an individual’s privacy and ensure that providers don’t use or disclose EHI in a manner prohibited by state or federal privacy laws. For this exception to apply, the provider’s privacy practices must satisfy at least one of four subexceptions: 1) a precondition is not satisfied; 2) a health IT developer of certified health IT is not covered by HIPAA; 3) the denial of an individual’s request for their EHI; and 4) respecting an individual’s request to not share information.
Of particular importance to healthcare providers is the first subexception. Under this subexception, a provider may choose to not provide access to, exchange of, or use of EHI if, for example, statutorily required patient consent or authorization has not yet been given. Under the third and fourth subexceptions, providers may deny an individual’s request for access to EHI as permitted under 45 C.F.R. 164.524 of the HIPAA Privacy Rule (www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html) or may choose to not provide access to, exchange of, or use of EHI if the individual has requested that the information not be shared.
Security. When this exception applies, a provider may interfere with the access to, exchange of, or use of EHI in order to protect EHI security. The exception doesn’t specify a maximum level of security or dictate a permitted approach. Instead, the security practice must be directly related to safeguarding the confidentiality, integrity, and availability of the EHI, tailored to specific security risks, and implemented in a consistent and nondiscriminatory manner.
Infeasibility. This exception applies when legitimate practical challenges may limit the ability to comply with requests for access to, exchange of, or use of EHI. If a provider lacks the required technology, legal rights, or other means necessary to enable EHI access, exchange, or use, they aren’t required to fulfill the request. For this exception to apply, however, the provider must meet one of the following conditions: 1) uncontrollable events prevent the provider from fulfilling a request, including, but not limited to, a natural disaster, public health emergency, or public safety incident; 2) the provider cannot segment the requested EHI; or 3) the provider demonstrates with a written record or documentation that certain factors led to the determination that complying with the request was infeasible under the circumstances. A provider must provide a written response within 10 business days explaining why fulfilling a request is infeasible.
Health IT performance. Reasonable and necessary measures that are limited in scope may be taken to make health IT temporarily unavailable or to degrade health IT’s performance for an overall benefit, and these will not be considered information blocking. This exception recognizes that to properly secure EHI, health IT must occasionally be improved, which may require taking IT temporarily offline. A provider may take action against a third-party app that negatively impacts their health IT. If IT unavailability is in response to risk of harm or a security risk, the provider must comply only with the preventing harm or security exceptions, as applicable.
Three Procedural Exceptions
Content and manner. A provider can limit the content of a response to a request to access, exchange, or use EHI, or the manner in which it fulfills a request, subject to certain conditions. The purpose of this exception is to provide flexibility for providers concerning the scope of EHI to be included in the provider’s response and the manner in which the request is fulfilled. If a request is fulfilled in an alternative manner, it must comply with a priority order and satisfy the fees and licensing exceptions, as applicable.
Fees. A provider can charge fees, including fees that result in a reasonable profit, for accessing, exchanging, or using EHI. Fees should relate to the development of technologies and the provision of services that enhance the technology and interoperability. Notably, this exception doesn’t protect rent-seeking or opportunistic fees, or exclusionary practices that interfere with access to, exchange of, or use of EHI.
Licensing. Under this exception, a provider can license interoperability for EHI to be accessed, exchanged, or used. This enables a provider to protect the value of their innovations and earn returns on investments they have made to develop, maintain, and improve those innovations. This exception is more likely to be used by health IT entities rather than healthcare providers.
Enforcement and Compliance
A provider’s act of interfering with or delaying the release of EHI that doesn’t satisfy one of the above exceptions will not automatically constitute information blocking, and any suspect practices will be evaluated on a case-by-case, facts-and-circumstances basis to determine whether information blocking has occurred. The Office of the Inspector General will investigate allegations of information blocking to determine whether a violation has occurred.
The HHS is currently engaged in rulemaking to establish enforcement disincentives for providers. Providers should consult with healthcare counsel and compliance officers regarding information blocking practices and exceptions. Improper information blocking conduct can be reported through the ONC’s Information Blocking Portal.
As a threshold, providers should review the information blocking definition, examples, and applicable exceptions set forth in the Cures Act and associated guidance and commentary released by the HHS and, if necessary, revise current policies, procedures, and forms regarding the release of patient EHI. It’s recommended that providers review their EHR contracts to determine any compliance barriers that may exist. Providers should also contact laboratory and imaging providers to determine appropriate time frames for access to patient results.
Finally, providers and their workforce should participate in any training programs necessary to comply with the information blocking framework. Practice managers may consider creating a reference sheet and talking points for staff to use when responding to patient or other provider requests for access to, exchange of, or use of EHI.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at sharris@mcdonaldhopkins.com.
Key Definitions
Electronic health information (EHI)—Electronic protected health information in a designated record set, regardless of whether records are used or maintained by or for a covered entity. EHI does not include psychotherapy notes or information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings.
Information blocking—Business, technical, and organizational practices that prevent or materially discourage the access to, exchange of, or use of EHI when a provider knows, or should know, these practices are likely to interfere with access to, exchange of, or use of EHI. If conducted by a healthcare provider, there must also be knowledge that such practice is unreasonable and likely to interfere with, prevent, or materially discourage access to, exchange of, or use of EHI.