The 21st Century Cures Act (Cures Act) became law on Dec. 13, 2016, and emphasized interoperability in the exchange of healthcare information between healthcare providers, health information entities and patients. The Cures Act underscores unimpeded access to patient electronic health information (EHI) upon request, in a manner that is secure and updated automatically, and prohibits actors (i.e., healthcare providers, health information technology (IT) developers, health information networks and health information exchanges) from engaging in unreasonable or unnecessary information blocking of EHI.
On March 9, 2020, the U.S. Department of Health & Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) issued a final rule that created eight exceptions to the Cures Act information-blocking prohibition. Here, we discuss information blocking, the exceptions created by the final rule and steps providers can take to prepare for the rule’s enforcement, effective April 5, 2021.
When Does Information Blocking Occur?
Physicians can experience information blocking when trying to access patient EHI from other providers, when connecting their electronic health record (EHR) systems to local health information exchanges or when migrating from one EHR to another. Physicians may run afoul of the information-blocking prohibition in response to a request for access, exchange or use of EHI. Physicians may also violate the information-blocking rule if they knowingly take actions that unreasonably or unnecessarily interfere with access, exchange or use of EHI, even if no patient harm occurs.
Common examples of information blocking include unnecessary delays in the provision of patient test results, policies requiring staff to obtain written consent from a patient before sharing EHI with unaffiliated providers for treatment or interfering with an EHR that would generally enable EHI to be shared with other providers or patients.
Exceptions
The ONC provides eight exceptions to the information-blocking rule that may offer healthcare providers protection for certain actions in response to requests to access, exchange or use EHI. Providers must satisfy all conditions and elements of an exception or their actions may be considered information blocking subject to enforcement. Providers should note that adequate documentation is necessary to demonstrate compliance with an applicable exception.
The information-blocking exceptions are summarized below under two categories:
5 exceptions for not fulfilling requests
1. Preventing harm: Under this exception, providers are permitted to engage in practices that are reasonable and necessary to prevent or reduce the risk of harm to a patient or another person. This exception recognizes the importance of a provider’s clinical judgment relating to patient treatment to determine when, for example, patient test results and related clinical notes should be delayed based on the sensitivity of a diagnosis and the need to discuss results with a patient before giving access to the information. ONC guidance indicates that a blanket three-day delay in test results may not be appropriate under this exception; providers must make individualized patient determinations.
2. Privacy: When this exception applies, a provider does not have to fulfill a request to access, exchange or use EHI. The purpose of this exception is to protect an individual’s privacy and ensure providers don’t use or disclose EHI in a manner prohibited by state or federal privacy laws. For this exception to apply, the actor’s privacy practices must satisfy at least one of four sub-exceptions: i) a precondition to disclosure is not satisfied, such as obtaining patient consent or authorization where required by state or federal law; ii) the actor is a developer of certified health information technology (IT) that is not required to comply with the HIPAA Privacy Rule; iii) the actor is permitted to deny the individual’s request for their EHI consistent with 45 CFR 164.524(a)(1) and (2) of the HIPAA Privacy Rule; or iv) the actor chooses not to provide access, exchange or use of the individual’s EHI if the individual requests the information not be shared, provided certain conditions are satisfied.
Of particular importance to healthcare providers, under the first sub-exception, an actor may choose not to provide access, exchange or use of EHI if, for example, statutorily required patient consent or authorization has not yet been given. Under the third and fourth sub-exceptions, actors may deny an individual’s request for access to EHI as permitted under 45 C.F.R. 164.524 of the HIPAA Privacy Rule or may choose not to provide access, exchange or use of EHI if the individual has requested the information not be shared.
3. Security: The security exception covers risks to the integrity and security of the EHI and the system/software in which it is stored. It is intended to cover all legitimate security practices by actors, but does not prescribe a maximum level of security or dictate a one-size-fits-all approach. The denial of access must be directly related to safeguarding the confidentiality, integrity and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner. Examples of when a denial would be appropriate include a situation in which there is an active or known virus or ransomware attack; the individual requesting the EHI can’t prove their identity; or the request for EHI is received from a patient-facing application or website that the actor’s system identifies as potentially malicious software.
4. Infeasibility: This exception applies when legitimate practical challenges limit the ability to comply with requests for access, exchange or use of EHI. If a provider lacks the required technology, legal rights or other means necessary to enable EHI access, exchange or use, they are not required to fulfill the request. For this exception to apply, the provider must meet one of the following conditions: i) uncontrollable events prevent the actor from fulfilling a request, including but not limited to natural disaster, public health emergency or public safety incident; ii) the actor cannot divide the requested EHI; or iii) the actor demonstrates, with a written record or documentation that certain factors led to the determination, that complying with the request is infeasible under the circumstances.
A provider must provide a written response within 10 business days explaining why fulfilling a request is infeasible.
5. Health IT performance: Reasonable and necessary measures that are limited in scope that may be taken to make health IT temporarily unavailable or to degrade health IT’s performance for an overall benefit will not be considered information blocking. This exception recognizes that to properly secure EHI, health IT must occasionally be improved, which may require taking IT temporarily offline. An actor may take action against a third-party app that negatively impacts their health IT. If IT unavailability is in response to risk of harm or a security risk, the actor must comply only with the preventing harm or security exceptions, as applicable.
3 procedural exceptions
- Content and manner: An actor can limit the content of a response to a request to access, exchange or use EHI, or the manner in which it fulfills a request, subject to certain conditions. The purpose of this exception is to provide flexibility for actors concerning the scope of EHI to be included in the actor’s response and the manner in which the request is fulfilled. If a request is fulfilled in an alternative manner it must comply with a priority order and satisfy the fees and licensing exceptions, as applicable.
- Fees: An actor can charge fees, including fees that result in a reasonable profit, for accessing, exchanging or using EHI. Fees should relate to the development of technologies and the provision of services that enhance the technology and interoperability. Notably, this exception does not protect rent-seeking or opportunistic fees, or exclusionary practices that interfere with access, exchange or use of EHI.
- Licensing: Under this exception, an actor can license interoperability for EHI to be accessed, exchanged or used. This enables an actor to protect the value of their innovations and earn returns on investments they have made to develop, maintain and improve those innovations. This exception is more likely to be used by health IT entities rather than providers.
Enforcement
A provider’s act of interfering with or delaying the release of EHI that does not satisfy an exception will not automatically constitute information blocking, and any suspect practices will be evaluated on a case-by-case, facts-and-circumstances basis to determine whether information blocking has occurred. The Office of the Inspector General will investigate allegations of information blocking to determine whether a violation has occurred.
The HHS is currently engaged in rulemaking to establish enforcement disincentives for providers. Providers should consult with healthcare counsel and compliance officers regarding information blocking practices and exceptions. Improper information blocking conduct can be reported through the ONC’s Information Blocking Portal.
Ensuring Compliance
As a threshold, providers should review the information blocking definition, examples and applicable exceptions set forth in the Cures Act and associated guidance and commentary released by the HHS. They should review and, if necessary, revise current policies, procedures and forms regarding the release of patient EHI. It is recommended providers review their EHR contracts to determine any compliance barriers that may exist. Providers should contact laboratory and imaging providers to determine appropriate time frames for access to patient results. Finally, providers and their workforce should participate in any training programs necessary to comply with the information-blocking framework.
Practice managers may consider creating a reference sheet and talking points for staff to use when responding to patient or other provider requests for access, exchange or use of EHI.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at [email protected].
Key Definitions
Electronic health information (EHI)—electronic protected health information in a designated record set, regardless of whether records are used or maintained by or for a covered entity.
EHI does not include psychotherapy notes or information compiled in reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings.
Information blocking—business, technical and organizational practices that prevent or materially discourage the access, exchange or use of EHI when an actor knows, or should know, these practices are likely to interfere with access, exchange or use of EHI. If conducted by a healthcare provider, there must also be knowledge that such practice is unreasonable and likely to interfere with, prevent or materially discourage access, exchange or use of EHI.