On May 1, 2020, the Office of the National Coordinator of Health Information Technology (“ONC”) published its final rule, commonly referred to as the “Information Blocking Rule,” which implements certain provisions of the 21st Century Therapeutic Products Act designed to aid access, des Exchange and use of electronic health information (“EHI”) and prohibition of blocking of information. The information blocking rule went into effect on April 5, 2021 after a delay due to the COVID-19 pandemic. It applies to any person or organization that meets the definition of at least one category of “actors” – a health care provider, a health IT developer of a certified health IT or health information network (“HIN”) or a health information exchange (“HIE”) ) ”) – and generally prohibits any practice that is not required by law or permitted by an applicable exception (see below) that“ is likely to interfere with the access, exchange or use of [EHI]”If the applicable knowledge standard is met (the terms” access “,” exchange “and” use “are defined terms according to the information retention rule). While the information retention rule applies to different types of actors, this summary provides a general overview of relevant considerations specific to Health care provider.
A health care provider fulfills the knowledge standard according to the information blocking rule if the service provider “White that is such a practice unreasonable and is probably disrupt the access, exchange or use of [EHI]. ”(Emphasis added). In addition to a healthcare provider’s refusal to allow patients to access their EHI on request, certain unnecessary delays in patient access to their EHI can potentially block information if the required standard of knowledge is met. Examples include:
- A healthcare provider who establishes an organizational policy that delays the publication of a patient’s laboratory results for any period of time so that an ordering provider can review the results or personally notify the patient of the results before the patient can electronically access the results;
- A delay in providing access, sharing, or use occurs after a patient logs into a patient portal to access EHI that a healthcare provider has (including, for example, laboratory results) and such EHI for a period of time is not available – through the portal; and
- A delay in providing a patient’s EHI through an application programming interface to an application that the patient has authorized to receive their EHI.
According to the ONC, this could possibly mean that “a patient can access EHI like test results in parallel with the availability of test results for the ordering clinician”.
Fortunately, there are eight exceptions to the information blocking rule, divided into two categories: exceptions where requirements to access, exchange, or use EHI are not met, and exceptions where procedures are used to meet requirements for the Access, exchange, or use of EHI is required. Practices that meet one or more of the following exceptions do not constitute an information block. A practice that does not meet all of the conditions of an applicable exception does not necessarily constitute an information block. Such practices are evaluated on a case-by-case basis to determine whether the practice Violates the information lock rule. The available exceptions are summarized below for reference:
|Exceptions where requirements to access, exchange, or use EHI are not met||Prevent damage exception: It is not an information blockade for the provider to carry out practices that are appropriate and necessary to prevent harm to a patient or another person when certain conditions are met.||The provider must reasonably assume that the practice significantly reduces the risk of damage.
The practice cannot be wider than necessary;
The practice must meet at least one condition from each of the following categories: type of risk, type of damage and basis for implementation; and
The practice must meet the condition that a patient has the right to request a review of an individualized determination of the risk of harm.
|Data protection exception: There will not be an information block if the provider does not meet a request to access, share or use EHI to protect an individual’s privacy, provided certain conditions are met.||The provider’s data protection practice must at least be complied with one of the following sub-exceptions:
If the provider is required by law to meet a precondition (e.g. patient consent or approval) before granting access, exchange or use of EHI, the provider may choose not to provide access, exchange or use of such EHI, if this is the case, it was not satisfied under certain circumstances.
The provider may choose not to provide access, exchange, or use of a person’s EHI if that is what the person desires, provided certain conditions are met.
|Security exception: There is no information barrier for the provider to interfere with the access, exchange or use of EHI in order to protect the security of EHI, provided certain conditions are met.||The practice must: be directly related to maintaining the confidentiality, integrity and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.
In addition, the practice must implement either a qualifying organizational security policy or a qualifying security provision.
|Impossibility exception: There will be no information block if the provider does not fulfill a request to access, exchange or use EHI due to the impossibility of the request, provided certain conditions are met.||The practice must either result from uncontrollable events (e.g. natural disasters, public health emergencies, civil uprisings); Inability to segment the requested EHI; or impossibility in the circumstances due to certain factors.
The provider must give the applicant a written response within 10 working days of receipt of the request with the reason (s) why the request is not feasible.
|Exception for the health IT service: It is not an information blockade for the provider to take appropriate and necessary measures to make the healthcare IT temporarily unavailable or to impair the performance of the healthcare IT for the benefit of the overall performance of the healthcare IT, provided certain conditions are met.||The practice must:
They must be implemented for a period of time no longer than is necessary to achieve the maintenance or improvements for which the healthcare IT has not been made available or the performance of the healthcare IT has been adversely affected.
Implemented consistently and without discrimination; and
Meet certain requirements if the unavailability or deterioration is initiated by a Health-IT Developer of Certified Health-IT, HIE or HIN.
Certain other terms apply to the vendor’s actions against a third-party app that negatively impact healthcare IT performance.
|Exceptions that include procedures to meet requirements to access, exchange, or use EHI||Content and type of exception: It is not an information blockade for an actor to limit the content of his response to a request to access, exchange or use EHI or the way in which he fulfills a request to access, exchange or use EHI, provided certain conditions are met.||The provider must respond to a request to access, exchange, or use EHI with EHI in accordance with applicable regulations.
The provider may need to fulfill a request in an alternative manner if the provider is technically unable to fulfill the request in some requested way. or cannot achieve acceptable conditions with the applicant to fulfill the application.
|Exception fees: It is not a barrier to information for the provider to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging or using EHI, provided certain conditions are met.||Practice must meet the basis for the fee condition (e.g. fees must be based on objective and verifiable criteria that apply consistently to all equated person or corporate classes and requests).
The practice shall not be specifically excluded (e.g. a fee based in any part on electronic access by an individual, their personal representative, or any other person or organization designated by the individual for access to the individual’s EHI ).
|License exemption: It is not an information block for the provider to license interoperability elements to access, exchange or use EHI, provided certain conditions are met.||The practice must meet the conditions for negotiating a license (e.g. the provider must start license negotiations with the applicant within 10 working days of receiving the request and negotiate a license within 30 working days of receiving the request) and the license terms (e.g. , Scope of rights, reasonable license fees, non-discriminatory terms, terms of collateral, non-disclosure agreement).|
Healthcare providers looking to implement the information blocking rule into their existing compliance programs should consider the following:
- Review and revise existing HIPAA policies and procedures, particularly those related to individual access, and train staff in relation to them.
- Assessment of the use of EMR and patient portal features by the healthcare provider (e.g. does the EMR contain unnecessary delays that should be corrected?).
- Review and revision of business partner agreements to ensure that the conditions comply with the rules for blocking information.
- Consultation with vendors to determine how vendors intend to comply with the information blocking rule.
Breaches of the information-blocking rule by health care providers can result in “reasonable disincentives” (ie penalties) that have yet to be determined and will be set out in future Inspector General legislation. We encourage healthcare providers to ensure that their practices for responding to requests for EHI are appropriate, taking into account the information blocking rule, and to implement standards that protect against information blocking into their ongoing compliance efforts.