An individual's right to access their protected health information is not new. It has been a patient's right under the HIPAA Privacy Rule since 2003. In fact, the Office for Civil Rights (OCR) has made it a high priority with their Right of Access Initiative, which began in the fall of 2019. Since that time, the OCR has settled eighteen cases, totaling over 1.1 million dollars, with healthcare organizations that were not providing patients or their personal representatives' timely access to health information.
What is new in this arena is the addition of the 21st Century Cures Act and its Information Blocking (IB) provisions. Beginning April 5, 2021, healthcare providers must "respond to a request to access, exchange, or use EHI with, at a minimum, all requested EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard." This is a very technical way to say that if a patient or the patient's personal representative requests access to their medical information, you must provide it to them in a timely fashion, in the form and format requested.
For most healthcare providers and their business associates, requests from patients are expected to be the same as they have been over the past several years. We do not anticipate that patients will immediately make highly technical requests for access or exchange of their EHI beginning with the compliance date of April 5. However, your organization does need to understand the Rule's requirements as well as the exceptions.
To help our clients, we have developed a learning module that further defines activities that can be considered information blocking, the data elements included in the USCDI, and the eight exceptions that would not be considered information blocking if certain conditions are met.
Here are some of the most common examples of activities that could be considered information blocking by healthcare organizations:
- Having a policy that requires a patient to provide written consent before sharing information with another healthcare provider for treatment purposes, when it is not required by state or federal law, could be considered IB. Remember, HIPAA does not require written consent or an authorization to share information for treatment purposes.
- Having the ability to provide same-day access to a patient or a patient's healthcare provider but taking several days to respond could be considered IB.
- Any action that restricts authorized access for treatment and other permitted uses and disclosures under HIPAA could be considered not only a HIPAA violation but also information blocking.
Other items in the Rule that can be helpful to healthcare providers:
- An electronic health record vendor cannot charge excessive fees to create the interfaces needed to connect with other health information technology, like a health information exchange.
- There cannot be restrictive or unfair contractual limitations on the use and exchange of medical information. For example, an EHR vendor charging an excessive fee to access or transfer medical records after a healthcare provider changes vendors.
It is important to note that healthcare providers are at the highest risk of information blocking when they know their actions would likely interfere, prevent, or materially discourage access, exchange, or use of EHI. Examples are denying access to patients of their own EHI, denying access for treatment purposes, disabling patient portal capabilities, and simply taking too long to provide access.
The Rule has a total of eight exceptions that will not be considered information blocking if specific criteria are met. The exceptions fall into two categories. The categories pertain to not fulfilling a request and the procedures for fulfilling the request.
1. Not fulfilling requests to access, exchange or use EHI
- Preventing harm
- Health IT performance
2. Procedures for fulfilling requests to access, exchange, or use EHI
- Content and manner
The Information Blocking regulations and the exceptions can be somewhat daunting to apply to your organization's day-to-day operations. Remember that as an HCP client, you have access to compliance experts who can help you navigate through these new requirements.
If you have questions about a particular activity in your organization and whether it would be considered information blocking or if it would meet an exception, please reach out to your HCP Support Team.
Have questions about HIPAA rules, or need to implement a HIPAA Compliance Program in your organization? Schedule a Free Consultation today.