On May 1, 2020, the Office of the National Coordinator of Health Information Technology (“ONC”) released its final rule, commonly referred to as the “information blocking rule”, implementing certain provisions of the 21st Century Cures Act which aim to support the access, exchange and use of electronic health information (“EHI”) and prohibit information blocking. The information blocking rule went into effect on April 5, 2021, after a delay due to the COVID-19 pandemic. It applies to any individual or entity that meets the definition of at least one category of “actor” – a healthcare provider, a health IT developer of certified health IT, or a health information network (“HIN”) or health information exchange (“HIE”) – and generally prohibits any practice, not required by law or authorized by an applicable exception (discussed below), which “is likely to interfere with the access, exchange or use of [EHI]” when the applicable knowledge standard is met (the terms “access”, “exchange” and “use” are defined terms in the information blocking rule). Although the information blocking rule applies to various types of actors, this summary provides a high-level overview of considerations relevant specifically to healthcare providers.
A healthcare provider meets the knowledge standard under the information blocking rule when the provider “knows that such a practice is unreasonable and is likely to interfere with the access, exchange or use of [EHI].” (Emphasis added). In addition to a healthcare provider’s refusal to provide patients with access to their EHI on demand, certain unnecessary delays in patient access to their EHI could potentially constitute information blocking if the required knowledge standard is met. Examples include:
- A healthcare provider establishing an organizational policy that imposes delays in the release of a patient’s lab results for any period of time in order to allow an ordering provider to review the results or in order to personally inform the patient of the results before the patient is able to electronically access the results;
- A delay in providing access, exchange, or use that occurs when a patient logs into a patient portal to access EHI that a healthcare provider has available (including, for example, laboratory results) and that EHI is not available, for a period of time, through the portal; and
- A delay in providing a patient’s EHI through an application programming interface to an application that the patient has authorized to receive their EHI.
According to the ONC, this could mean “that a patient would be able to access the EHI, such as test results, alongside the availability of test results to the ordering clinician.”
Fortunately, there are eight exceptions to the information blocking rule, which are divided into two categories: exceptions that involve not responding to requests for access, exchange or use of EHI, and exceptions that involve procedures for responding to requests for access, exchange or use of EHI. Practices that satisfy one or more of the exceptions below will not constitute information blocking. A practice that does not meet all the conditions of an applicable exception will not necessarily constitute information blocking. Such practices will be assessed on a case-by-case basis to determine whether the practice violates the information blocking rule. The available exceptions are summarized below for reference:
| Category | Exception | Terms & Conditions |
|---|---|---|
| Exceptions that involve not responding to requests for access, exchange or use of EHI | Preventing harm exception: It will not be information blocking for the provider to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, if certain conditions are met. | The provider must reasonably believe that the practice will significantly reduce a risk of harm. The practice should not be broader than necessary. The practice must satisfy at least one condition from each of the following categories: type of risk, type of harm and basis for implementation. The practice must satisfy the condition concerning the patient’s right to request a review of an individualized determination of risk of harm. |
| | Privacy exception: It will not be information blocking if the provider does not respond to a request to access, exchange or use EHI in order to protect an individual’s privacy, provided certain conditions are met. | The provider’s privacy practice must satisfy at least one of the following sub-exceptions. (1) If the provider is required by law to meet a prerequisite (for example, patient consent or authorization) before providing access, exchange or use of EHI, the provider may choose not to provide access, exchange or use of this EHI if the prerequisite has not been met under certain circumstances. (2) The provider may deny an individual’s request for access to their EHI under the circumstances provided for by the HIPAA privacy rule at 45 CFR 164.524 (a) (1) and (2) (e.g., psychotherapy notes). (3) The provider may choose not to provide access, exchange or use of an individual’s EHI if doing so fulfills the individual’s wishes, provided certain conditions are met. |
| | Security exception: It will not be information blocking for the provider to interfere with the access, exchange or use of EHI in order to protect the security of EHI, provided certain conditions are met. | The practice should be: directly related to protecting the confidentiality, integrity and availability of the EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner. In addition, the practice must either implement a permissible organizational security policy or implement a permissible security determination. |
| | Infeasibility exception: It will not be information blocking if the provider does not respond to a request to access, exchange or use EHI due to the infeasibility of the request, provided certain conditions are met. | The practice must be due to one of the following: uncontrollable events (e.g., natural disaster, public health emergency, civil insurgency); inability to segment the requested EHI; or infeasibility in the circumstances depending on certain factors. The provider must provide a written response to the requester within 10 working days of receipt of the request with the reasons why the request is infeasible. |
| | Health IT performance exception: It will not be information blocking for the provider to take reasonable and necessary measures to temporarily make health IT unavailable or to degrade the performance of health IT for the benefit of the overall performance of the health IT, provided certain conditions are met. | The practice should: be implemented for a period that does not exceed the period necessary to carry out the maintenance or improvements for which the health IT has been made unavailable or its performance degraded; be implemented in a consistent and non-discriminatory manner; and meet certain requirements if the downtime or degradation is initiated by a health IT developer of certified health IT, HIE, or HIN. Certain other conditions apply to the provider’s actions against a third-party application that negatively impacts the performance of the health IT. |
| Exceptions that involve procedures for responding to requests for access, exchange or use of EHI | Content and manner exception: It will not be information blocking for an actor to limit the content of its response to a request for access, exchange or use of EHI, or the manner in which it responds to such a request, provided certain conditions are met. | The provider must respond to a request to access, exchange or use EHI with EHI as defined in the applicable regulations. The provider may need to fulfill a request in an alternate manner when the provider is technically unable to fulfill the request in the requested manner, or cannot reach acceptable terms with the requester to fulfill the request. |
| | Fees exception: It will not be information blocking for the provider to charge a fee, including a fee that results in a reasonable profit margin, for accessing, exchanging or using EHI, provided that certain conditions are met. | The practice must meet the basis-for-fees condition (for example, fees must be based on objective and verifiable criteria that are uniformly applied for all similarly situated categories of persons or entities and requests). The practice should not be specifically excluded (for example, a charge based in part on electronic access by an individual, his or her personal representative or other person or entity designated by the individual to access the EHI of the individual). |
| | Licensing exception: It will not be information blocking for the provider to license interoperability elements for accessing, exchanging or using EHI, provided certain conditions are met. | The practice should meet the conditions for negotiating a license (for example, the provider should start license negotiations with the requester within 10 business days of receiving the request and negotiate a license within 30 business days of receiving the request) and the conditions regarding license terms (e.g., scope of rights, reasonable royalties, non-discriminatory terms, warranty terms, nondisclosure agreement). |
Healthcare providers looking to implement the information blocking rule into their existing compliance programs should consider:
- Reviewing and revising their existing HIPAA policies and procedures, particularly those relating to individual access and staff training in this regard.
- Evaluating the healthcare provider’s use of EMR and patient portal functionality (e.g., does the EMR include unnecessary delays that should be corrected?).
- Updating the terms of use of the patient portal.
- Reviewing and revising business associate agreements to ensure terms comply with the information blocking rule.
- Consulting with vendors to determine how vendors plan to comply with the information blocking rule.
Violation of the information blocking rule by healthcare providers may result in “appropriate deterrents” (i.e., penalties), which have not yet been established and will be set out in a future regulation by the Office of the Inspector General. We recommend that healthcare providers ensure that their practices for responding to EHI requests are appropriate given the information blocking rule, and that they implement standards that protect against information blocking in their ongoing compliance efforts.