All

Patient Health Information Blocking – 21st Century Cures Act

21st century cures act featured image

Patient Health Information Blocking – 21st Century Cures Act

Patient Health Information Blocking – 21st Century Cures Act

On December 13, 2016, the 21st Century Cures Act was adopted into law.  It includes a wide range of improvements to the healthcare system.  In May 2020, the ONC issued regulations implementing provisions of the Cures Act, including a prohibition on “information blocking.”  The information-blocking regulations went into effect on April 5, 2021.

Question: What is “information Blocking”?

Answer: Information blocking is the practice of interfering with the access, exchange, or use of electronic health information (EHI).  Once a request is made, patients should be granted access to their EHI without unreasonable delay.

Question: Are there any exceptions to the information-blocking provisions?

Answer: Yes. There are eight exceptions to the information-blocking provision.  The Exceptions are divided into two classes

8 exceptions to the information blocking provisionResource: The office of the National Coordinator for Health Information Technology (ONC). (2021). [information blocking exceptions]. HealthIT.gov. https://www.healthit.gov/topic/information-blocking

Exceptions that involve NOT fulfilling requests to access, exchange, or use EHI:

1. Preventing Harm Exception
Example: An EHI request may be denied if the organization feels that denying the request will prevent harm from coming to a patient or their family member.  An actor may choose to segment sensitive records about behavioral health or substance abuse.  If an EHI request is denied or segmented, there must be appropriate documentation to justify the denial.

2. Privacy Exception:
Example: Organizations will not be required to disclose EHI in a way that is a privacy violation of an applicable State or Federal privacy law that is already in existence. An example of a privacy law that is already in existence is The HIPAA Privacy Rule: 45 CFR 164.524 (a)(1) and (2).  (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)

3. Security Exception:
Example: This exception is designed to cover all legitimate security practices by actors. To implement this exception, the actor must demonstrate that the denial of access to EHI is “directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.” Organizations should consider updating their organizational privacy and security policies to ensure compliance with the provisions for blocking information.

4. Infeasibility Exception:
Example: It will not be considered information blocking if a request for EHI cannot be fulfilled due to natural or human-made disasters, public health emergencies, public safety incidents, war, terrorist attacks, civil insurrection, or the inability to “unambiguously” segment the requested PHI.

5. Health IT Performance Exception:
Example: It will not be considered information blocking if a request for access to EHI is denied temporarily because the Health IT is offline for routine maintenance and improvements. The Health IT should not be offline longer than necessary to perform the enhancements.

Exceptions that involve procedures for FULFILLING requests to access, exchange, or use EHI:

6. Content and Manner Exception
Content Exception Example: In some instances, it is acceptable for an actor to limit the content of their response for a request to access EHI. This exception provides clarity and flexibility to organizations concerning the scope of a request for PHI. For up to 24 months after the publication of the Cures Act final rule, data requests that include EHI should, at a minimum, include the EHI data elements represented in the United States Core Data for Interoperability (USCDI standard). This exception promotes innovation and healthy competition, allowing actors to establish and maintain market-negotiated terms for access, use, and exchange of EHI.

Manner Exception Example: In some instances, an actor may need to alternatively fulfill a request for EHI. This exception applies if the actor is technically unable to meet the request in any manner requested or if agreeable terms cannot be reached with the requestor to satisfy the request.

7. Fees Exception
Example: It will not be information blocking for an actor to charge fees related to developing technologies and delivering services that will improve interoperability. This includes costs for a reasonable profit margin for accessing, exchanging, or using EHI.

8. Licensing Exception:
Example: It will not be considered information blocking for actors to license interoperability elements for EHI to be accessed, exchanged, or used. This exception allows actors to protect the value of their innovations and charge reasonable royalties.

Question: Do information blocking provisions require actors to have certified health IT or upgrade their current certified health IT?

Answer: No. Information blocking regulations do not require actors to have or use certified health IT.  As of April 5, 2021, actors are not required to upgrade their current certified health IT immediately.

Question: Are healthcare providers subject to the information-blocking regulations even if they do not use certified health IT?

Answer: Yes. The information blocking regulations apply to healthcare providers regardless of whether any health IT they use is certified under the ONC Health IT Certification Program. Regarding EHI, the law does not distinguish between certified and non-certified health IT systems.

Question: Are actors required to proactively make all electronic health information (EHI) available through patient portals?

Answer: No. The information blocking regulations do not require actors to proactively make EHI available to patients who have not requested it. However, once patients request access, their EHI must be available immediately.

Question: Are actors such as healthcare providers expected to release test results to the patient portal or application programming interface (API) as soon as the results become available to the ordering clinician?

Answer: Actors are not required to make electronic health information available proactively. However, once a request to access is made, actors must TIMELY respond. A delay or unnecessary impediment could implicate information-blocking provisions.

Question: Are clinical notes from nursing, pharmacy, or other professions included in the definition of “electronic health information”?

Answer: Yes. Electronic health information does not explicitly include or exclude notes or other clinical observations based on the type or specialty of the professional who authors them.

Question: What are the penalties for an actor blocking information?

Answer: As of April 5, 2021, health IT developers of health IT and HINs/HIEs will be subject to penalties of up to $1M per violation. Healthcare providers are treated differently under the law. They may face “appropriate disincentives” that are yet to be set forth by the HHS Secretary.