On May 1, 2020, the Office of the National Coordinator of Health Information Technologies (“ONC”) published its final standard, commonly known as the “Information Blocking Rule,” which implements some provisions of the 21st Century Cures Act which are designed to support the access, exchange and use of electronic health information (“EHI”) and prohibit the blocking of information. The Information Blocking Rule became effective on April 5, 2021, following a delay due to the COVID-19 pandemic. It applies to any person or entity that meets the definition of at least one category of “actor”: a health care provider, health-certified IT developer, or health information network (HIN ”) Or exchange of health information (“ HIE ”)”) – and generally prohibits any practice that is not required by law or permitted by an applicable exception (described below) that “is likely to interfere with access, the exchange or use of [EHI]”When the applicable knowledge standard is met (the terms ‘access’, ‘exchange’ and ‘use’ are terms defined in the information blocking rule). Although the information blocking rule applies to various types of actors, this summary provides a high-level overview of considerations relevant specifically to health care providers.
A healthcare provider meets the standard of knowledge of the information blocking rule when the provider “knows that this practice is unreasonable and is likely to interfere with the access, exchange, or use of [EHI]”. (emphasis added). In addition to a health care provider’s refusal to provide patients with access to their EHI upon request, certain unnecessary delays in providing patients with access to their EHI could constitute a blockage of information if the required standard of knowledge is met.Some examples include:
- A healthcare provider that establishes an organizational policy that imposes delays in the release of a patient’s lab results for any period of time to allow a provider to review the results or to personally inform the patient of the results beforehand. that the patient is able to access the results electronically;
- A delay in providing access, exchange, or use occurs after a patient has logged in to a patient portal to access the EHI that a healthcare provider has (including, for example, lab results) and that this EHI is not available for any period of time —Through the portal; i
- A delay in providing a patient’s EHI through an application programming interface to an application that the patient has authorized to receive their EHI.
According to the ONC, this could potentially mean that “a patient could access the EHI, such as test results, in parallel with the availability of test results for the doctor in charge.”
Fortunately, there are eight exceptions to the information blocking rule that fall into two categories: exceptions that involve not attending to requests for access, exchange, or use of EHI, and exceptions that involve procedures for complying with requests. of access, exchange or use of EHI. Practices that comply with one or more of the following exceptions will not constitute a blockade of information. A practice that does not meet all the conditions of an applicable exception will not necessarily constitute a blockade of information. These practices will be evaluated on a case-by-case basis to determine if the practice violates the information blocking rule. The available exceptions are summarized below for reference:
|Exceptions that involve not attending to requests for access, exchange, or use of EHI||Avoid the exception of damages: The provider will not block the information to practice reasonable and necessary to avoid harm to a patient or another person, if certain conditions are met.||The provider must reasonably believe that the practice will substantially reduce the risk of harm;
The practice should not be broader than necessary;
The practice must meet at least one condition of each of the following categories: type of risk, type of damage, and basis of implementation; i
The practice must meet the condition relating to a patient’s right to request the review of an individualized determination of the risk of harm.
|Privacy exception: The information will not be blocked if the provider does not comply with a request for access, exchange or use of EHI to protect a person’s privacy, provided certain conditions are met.||The practice of protecting the privacy of the provider must comply at least a of the following sub-exceptions:
If the law requires the provider to meet a prerequisite (e.g., patient consent or authorization) before providing access, exchange, or use of the EHI, the provider may choose not to provide access, exchange, or use of that EHI. if the precondition has not been met in certain circumstances.
The provider may choose not to provide access, exchange or use of a person’s EHI if it does so meets the person’s wishes, provided certain conditions are met.
|Security exception: It will not be a blockage of information for the provider to interfere with the access, exchange or use of EHI to protect the security of EHI, provided that certain conditions are met.||The practice must be: directly related to safeguarding the confidentiality, integrity and availability of EHI; adapted to specific security risks; and implemented in a consistent and non-discriminatory manner.
In addition, the practice must implement a qualifying organizational security policy or implement a qualifying security determination.
|Feasibility exception: It will not be a block of information if the provider does not comply with a request for access, exchange or use of EHI due to the unfeasibility of the request, provided that certain conditions are met.||The practice must be due to uncontrollable events (e.g., natural disasters, public health emergencies, civil insurrection); inability to segment the requested EHI; or unfeasibility in circumstances based on certain factors.
The provider must provide a written response to the applicant within ten working days of receipt of the request on the grounds that the request is unfeasible.
|Health IT performance exception: It will not be a blockade of information for the provider to take reasonable and necessary measures to make healthcare IT temporarily unavailable or to degrade healthcare IT performance to the benefit of healthcare IT overall performance, as long as they are met some conditions.||The practice must:
It must be implemented for a period of time not longer than necessary to achieve the maintenance or improvements for which healthcare IT has become unavailable or healthcare IT performance has deteriorated;
Be implemented in a consistent and non-discriminatory manner; i
It meets some requirements if the unavailability or degradation is initiated by a certified IT IT developer, HIE or HIN.
Some other conditions apply to vendor actions against a third-party application that adversely affects health IT performance.
|Exceptions involving procedures for dealing with requests for access, exchange or use of the EHI||Exception of content and manners: Information will not be blocked for an actor to limit the content of their response to a request for access, exchange or use of EHI or the manner in which they comply with a request for access, exchange or use of EHI , provided that certain conditions are met. met.||The provider must respond to a request for access, exchange or use of EHI with EHI as defined in the applicable regulations.
The provider may have to fulfill a request in an alternative way when the provider is not technically able to fulfill the request in any requested way; or you cannot come to pleasant terms with the applicant to comply with the application.
|Tax exception: The provider will not block information to charge commissions, including commissions that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.||The practice must meet the basis of the fee condition (for example, fees must be based on objective and verifiable criteria that apply uniformly to all classes of persons or entities and applications located in a similar manner. ).
The practice should not be specifically excluded (for example, a fee based in part on the electronic access of an individual, their personal representative or another person or entity designated by the individual to access the EHI of the individual).
|Exception of licenses: It will not be a blockade of information for the provider to license interoperability items to access, exchange, or use EHI, provided certain conditions are met.||The internship must meet the conditions related to the negotiation of a license (for example, the provider must begin license negotiations with the applicant within 10 business days of receipt of the application and negotiate a license within 30 business days of receipt of the application) and on the conditions of the license (e.g., scope of rights, reasonable royalties, non-discriminatory terms, collateral terms, disclosure).|
Healthcare providers who want to apply the information blocking rule to their existing compliance programs should consider:
- Review and review its existing HIPAA policies and procedures, specifically those related to individual access and staff training on them.
- Evaluate the healthcare provider’s use of EMR portal and patient functionality (e.g., does it include an unnecessary delay that should be corrected?).
- Update of the conditions of use of the patient portal.
- Review and review business partner agreements to ensure that the terms comply with the information blocking rules.
- Check with suppliers to determine how they plan to comply with the information blocking rule.
Violation of the information blocking rule by health care providers may result in “appropriate disincentives” (i.e., sanctions), which have not yet been established and will be established in future legislation. by the Office of Inspector General. We recommend that health care providers ensure that their practices for responding to EHI requests are appropriate in light of the information blocking rule and implement rules that protect information blocking in their efforts to continuous compliance.