The U.S. Department of Health and Human Services (HHS) recently finalized transformative rules that will give patients unprecedented safe, secure access to their health data. The rules are issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) to implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act (Cures Act).  These final rules mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure. These final rules became effective as of June 30, 2020. NOTE: Due to the COVID-19 public health emergency, HHS has delayed enforcement until future dates.

While the rules largely affect interoperability and systems across a broad spectrum of the healthcare landscape, this post discusses the aspects of the ONC Final Rule addressing information blocking (Information Blocking Rule) and how it applies to healthcare providers. Finally, we provide practical takeaways discussing actions healthcare providers should take to ensure they comply with the Information Blocking Rule. Hospital executives, practice administrators and health information management directors should be familiar with these rules and tasked with implementing compliance.

What is information blocking?

In general, “information blocking” is a practice by healthcare providers, developers of certified health IT, health information exchanges, and health information networks that, except as required by law or specified by HHS as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI). Overzealous compliance with the Health Insurance Portability and Accountability Act (HIPAA) has inadvertently led to healthcare providers engaging in information blocking. While sharing EHI was permissible under HIPAA, it was not required, and many healthcare providers took very aggressive and conservative stances on sharing patient information. This rule clarifies permissible uses of data and will ensure that a patient’s healthcare information is readily available to all of the patient’s healthcare providers regardless of affiliation or IT platform.

What are some examples of information blocking in practice?

  • A health system’s internal policies or procedures require staff to get an individual’s written consent before sharing any of a patient’s EHI with unaffiliated providers for treatment purposes even though obtaining an individual’s consent is not required by state or federal law.
  • A health care provider incorrectly claims that HIPAA regulations preclude it from exchanging EHI with unaffiliated providers.
  • A health care provider has the capability to provide same-day access to EHI in a form and format requested by a patient or a patient’s health care provider, but takes several days to respond.
  • A health care provider charges unnecessary and unsubstantiated fees for access to EHI.

What are the exceptions to the Information Blocking Rule?

The rules establish eight categories of exceptions that are deemed not to constitute information blocking, thereby effectively serving as safe harbors to the rule. Failure to technically meet the conditions of an exception does not mean the actions automatically constitute information blocking; instead, such actions will be evaluated on a case-by-case basis to determine whether information blocking has occurred.

The exceptions fall into the following two categories:

  • Exceptions involving not fulfilling requests for EHI (such as denials to prevent harm, protect patient privacy or data security or due to infeasibility).
  • Procedural exceptions (such as allowing providers to charge reasonable fees or limit the scope of a response to a request).

Providers looking for more detail on these exceptions should review the Information Blocking Exceptions Fact Sheet issued by the Office of the National Coordinator for Health IT (ONC), the entity within HHS responsible for implementing the Information Blocking Rules and other key provisions of the 21st Century Cures Act.

What are the penalties?

Penalties for violations of the Information Blocking Rule are still unclear. The Office of the Inspector General (OIG) did propose a rule authorizing civil monetary penalties (CMPs) for information blocking; however, these CMPs would not apply to health care providers acting in their capacity as a health care provider. If a provider also acts as a Health Information Network (HIN) or Health Information Exchange (HIE), they could be subject to CMPs in that capacity.

What are the next steps?

While enforcement of the Information Blocking Rule has been put on hiatus due to COVID-19, compliance requirements are still technically active. Entities not already in compliance should take proactive steps in order to avoid penalties after the enforcement discretion policies are lifted. Here are a few action items entities can take to start moving towards compliance:

  1. Review and revise all privacy, security, information sharing (internally and with third parties), HIPAA-compliance, and other relevant policies and procedures to ensure compliance with the information blocking rules.
  2. Review and revise policies and procedures for patient requests for EHI.
  3. Review and revise policies regarding fees for patient records. Charging fees to a patient for their own information is inherently suspect. Be sure fees are justifiable and well documented.
  4. Review and revise HIPAA training for employees to ensure compliance with the new ONC rule and ensure you are not engaging in information blocking.
  5. Review your business associate agreements for information blocking risks (for both you and your business associate).
  6. Perform and document security risk assessments.
  7. Audit your health information management/medical record department for release of records and associated work flows to ensure timely release of patient information.