The 21st Century Cures Act (Cures Act) became law on Dec. 13, 2016, and emphasized interoperability in the exchange of healthcare information between healthcare providers, health information entities and patients. The Cures Act underscored unimpeded access to patient electronic health information (EHI) upon request, in a manner that is secure and updated automatically, and prohibits actors (i.e., healthcare providers, health information technology (IT) developers, health information networks and health information exchanges) from engaging in unreasonable or unnecessary information blocking of EHI.
On March 9, 2020, the U.S. Department of Health & Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued a final rule that created eight exceptions to the Cures Act information-blocking prohibition. Here, we discuss information blocking, the exceptions created by the final rule and steps providers can take to prepare for the rule’s enforcement, effective April 5, 2021.
When Does Information Blocking Occur?
Physicians can experience information blocking when trying to access patient EHI from other providers, when connecting their electronic health record (EHR) systems to local health information exchanges or when migrating from one EHR to another. Physicians may run afoul of the information-blocking prohibition in response to a request for access, exchange or use of EHI. Physicians may also violate the information-blocking rule if they knowingly take actions that unreasonably or unnecessarily interfere with access, exchange or use of EHI, even if no patient harm occurs.
Common examples of information blocking include unnecessary delays in the provision of patient test results; policies requiring staff to obtain written consent from a patient before sharing EHI with unaffiliated providers for treatment; or interfering with an EHR that would generally enable EHI to be shared with other providers or patients.
Exceptions
The ONC provides eight exceptions to the information-blocking rule that may offer healthcare providers protection for certain actions in response to requests to access, exchange or use EHI. Providers must satisfy all conditions and elements of an exception or their actions may be considered information blocking subject to enforcement. Providers should note that adequate documentation is necessary to demonstrate compliance with an applicable exception.
The information-blocking exceptions are summarized below under two categories:
5 exceptions for not fulfilling requests
1. Preventing harm: Under this exception, providers are permitted to engage in practices that are reasonable and necessary to prevent or reduce the risk of harm to a patient or another person. This exception recognizes the importance of a provider’s clinical judgment relating to patient treatment to determine when, for example, patient test results and related clinical notes should be delayed based on the sensitivity of a diagnosis and the need to discuss results with a patient before giving access to the information. ONC guidance indicates that a blanket three-day delay in test results may not be appropriate under this exception; providers must make individualized patient determinations.
2. Privacy: When this exception applies, a provider does not have to fulfill a request to access, exchange or use EHI. The purpose of this exception is to protect an individual’s privacy and ensure providers don’t use or disclose EHI in a manner prohibited by state or federal privacy laws. For this exception to apply, the actor’s privacy practices must satisfy at least one of four sub-exceptions: i) a precondition to disclosure is not satisfied, such as obtaining patient consent or authorization where required by state or federal law; ii) the actor is a developer of certified health information technology (IT) that is not required to comply with the HIPAA Privacy Rule; iii) the actor is permitted to deny the individual’s request for their EHI consistent with 45 CFR 164.524(a)(1) and (2) of the HIPAA Privacy Rule; or iv) the actor chooses not to provide access, exchange or use of the individual’s EHI if the individual requests the information not be shared, provided certain conditions are satisfied.
Of particular importance to healthcare providers, under the first sub-exception, an actor may choose not to provide access, exchange or use of EHI if, for example, statutorily required patient consent or authorization has not yet been given. Under the third and fourth sub-exceptions, actors may deny an individual’s request for access to EHI as permitted under 45 C.F.R. 164.524 of the HIPAA Privacy Rule or may choose not to provide access, exchange or use of EHI if the individual has requested the information not be shared.
3. Security: The security exception covers risks to the integrity and security of the EHI and the system/software in which it is stored. It is intended to cover all legitimate security practices by actors, but does not prescribe a maximum level of security or dictate a one-size-fits-all approach. The denial of access must be directly related to safeguarding the confidentiality, integrity and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner. Examples of when a denial would be appropriate include a situation in which there is an active or known virus or ransomware attack; the individual requesting the EHI can’t prove their identity; or the request for EHI is received from a patient-facing application or website that the actor’s system identifies as potentially malicious software.
4. Infeasibility: This exception applies when legitimate practical challenges limit the ability to comply with requests for access, exchange or use of EHI. If a provider lacks the required technology, legal rights or other means necessary to enable EHI access, exchange or use, they are not required to fulfill the request. For this exception to apply, the provider must meet one of the following conditions: i) uncontrollable events prevent the actor from fulfilling a request, including but not limited to natural disaster, public health emergency or public safety incident; ii) the actor cannot divide the requested EHI; or iii) the actor demonstrates, with a written record or documentation that certain factors led to the determination, that complying with the request is infeasible under the circumstances.