Health Center Information Blocking Avenger

24789

HITEQ Center post on Tuesday, April 13, 2021

| Categories: Health Information Exchange, Implementation of HIE, HIPAA

A HITEQ Center Training Badge

Loading 50%

21st Century Cures Act

Understanding and Using Information Blocking Rule

Reference and Guidance for Health Centers

Information Blocking final rule is in effect as of April 5, 2021.

In March 2019, the Office of the National Coordinator for Health Information Technology (ONC) issued a Proposed Rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program. ONC released a final rule in March 2020, published in the Federal Register on May 1, 2020. The Final Rule prohibits actors from blocking the exchange of electronic health information and seeks to increase the ease and choices available for patients to access their data. Read on for more details.

Helpful Overviews of Information Blocking

If Information Blocking is all new to you, review these resources first to set yourself up for success.

Relationship between Information Blocking and Other Privacy and Access Laws

Information Blocking, HIPAA, 42 CFR Part 2, and State Laws

Information blocking is different from HIPAA and other existing rules in that it defines the only situations in which electronic health information (EHI) is not to be shared, with the implicit requirement that EHI be shared in all other situations. The information blocking rule only provides eight exceptions or situations in which an actor is permitted to 'block' sharing of information.

Beginning in April 2021 through October 2022, only electronic health information (EHI) that is part of the US Core Data for Interoperability V1 is required to be shared. Beginning in Oct. 2022, all EHI will be required to be shared in all situations outlined with only the eight exceptions spelled out.

ONC offers a the below graphic of the key dates:

Additionally, while HIPAA applies to protected health information (PHI), the ONC Information Blocking final rule applies to all EHI. Generally, EHI is defined as electronic health information to the extent that it would be included in a designated record set, regardless of whether the group of records are used or maintained for or on behalf of a covered entity.

One key note is that each regulation - Information Blocking, HIPAA, and 42 CFR Part 2 - applies only to specific types of entities who meet the definitions set forth in each.
Read on for more on these definitions.

HIPAA applies to covered entities, which are health plans, clearinghouses, health care providers and their business associates. This flowchart helps answer whether an organization is a covered entity.

Information Blocking rules apply to anyone or any entity that is an actor, defined as health care provider, health information network/ HIE, or Health IT developer.

Based on these criteria, health centers and health center health care providers are covered entities as defined by HIPAA and actors as defined in the Information Blocking rule.

42 CFR Part 2 applies to Substance Use Disorder (SUD) programs that meet the definition of 'Part 2 program' which is defined as an individual or entity (or a unit in a general medical care facility) that holds itself out as providing and does provide SUD treatment, diagnosis, or referral for treatment; or medical personnel or staff in a general medical facility whose primary function is the provision of SUD services and who are identified as SUD providers; and is federally "assisted" (with the exception of some Veterans' Administration Services). This flowchart helps health centers answer 'I Provide SUD Services in an FQHC: Does Part 2 Apply to Me?'

Other important notes:

Patients are not beholden to the Information Blocking rule, as they are not an ‘actor’. Therefore, a patient can choose not to share information.

Information Blocking rules don’t supersede existing rules such as prohibitions in place under 42 CFR Part 2 for SUD programs and state laws that require additional specific consent for sharing of HIV related information. The Final Rule spells this out in greater detail in this paragraph.

Under the Information Blocking final rule, actors are not required to violate Business Associate Agreements (BAAs) or service level agreements required under HIPAA, however, these contracts cannot be used in a discriminatory manner by an actor to forbid or limit disclosures that would otherwise be permitted under the rule. Meaning, that it can’t say that you and I will share information, but you are broadly prohibited from further sharing, for example.

The Information Blocking rules do allow for verifying the identity or authority of a person or entity requesting access to EHI as required by law or specified in an existing statute. The Information Blocking Final Rule spells this out here.

Areas of Concern for Health Centers

Anticipating potential pain points as health centers work to comply with the Information Blocking final rule.

What are Examples of Information Blocking?

Several helpful examples from the HITEQ Information Blocking Webinar are listed below for health centers to consider. To begin, it could be considered information blocking to interfere with...

...Patients who seek to access their own EHI

...Other providers who seek EHI for treatment or quality improvement

...Payers who seek EHI to confirm a clinical value

...Patient safety and public health

The following also may be considered information blocking if they restrict or delay the access, exchange, or use of EHI:

Overly Restrictive Policies:

Example: Requiring a physical (“wet”) signature for patient consent before sharing any EHI with unaffiliated providers who are requesting information for treatment purposes.

Limiting technology that would otherwise enable information sharing:

Example: Disabling the use of an EHR capability that would enable staff to share EHI with users in other systems, including patient portals.

Unreasonable delays:

Example: Taking several days to respond, despite having the capability to provide same-day EHI access in a format requested by patient or an unaffiliated provider.

ONC notes that it will evaluate information blocking complaints and exceptions on a case-by-case basis, so it is critically important to document EHI requests, responses, and the application of any exception needs to be fully document for each case.

Care and Information of Minors

How do we handle information blocking rules for patients who are minors and may not want information shared with parents or caregivers?

The American Academy of Pediatrics has shared an article entitled Implications of the 21st Century Cures Act in Pediatrics that is a very good overview of considerations for health care providers and other actors serving pediatric patients.

Read AAP Article about Implications of 21st Century Cures Act

Each state has rules or regulations as to which health decisions the minor can make on their own. Generally, if the minor is legally empowered to make their own decision for treatment, then they have the right to keep it private from their parents/caregivers. For example, this is a list of reproductive health services that adolescents can consent to and therefore can presumably request not to share the information (though check with your legal team!).

Read about State Consent Laws around Reproductive Health Services

ONC has answered several questions related to the sharing of minor’s information in their Information Blocking FAQs (healthit.gov), which are excerpted below.

Question from Jan. 2021: Where the patient is a minor and to avoid breaching the patient’s confidentiality and trust with the provider, will the Preventing Harm Exception cover an actor’s practices that interfere with a parent or legal representative’s access, exchange, or use of the minor’s EHI?

ONC Answer: No. Unless an actor reasonably believes a practice that interferes with a parent or other legal representative’s requested access, exchange, or use of the minor’s EHI will substantially reduce a risk of at least substantial harm to the patient or another person, the Preventing Harm Exception is not designed to cover that practice.

The Privacy Exception contains a sub-exception (45 CFR 171.202(e)) that covers practices respecting an individual’s request not to share information, subject to certain conditions.

Question from Jan 2021: Where the patient is a minor and to reduce a risk of harm other than physical abuse, will the Preventing Harm Exception cover an actor’s practices that interfere with a parent or legal guardian’s access, exchange, or use of the minor’s EHI?

ONC Answer: Yes, where the risk of harm has been determined on an individualized basis and all other conditions of the Preventing Harm Exception are met. For example, the practice must be no broader than necessary and the actor must reasonably believe the practice will substantially reduce the risk of harm. (For all the conditions of the Preventing Harm Exception, please see 45 CFR 171.201.)

For purposes of the Preventing Harm Exception, a parent or legal guardian would be considered a patient’s legal representative. The Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI. (See 45 CFR 171.201(d)(1)).

The type of harm conditions for Preventing Harm Exception coverage of practices interfering with patients’ and their representatives’ access to EHI on the basis of an individualized determination of risk are specifically aligned with the HIPAA Privacy Rule’s grounds for reviewable denial of an individual’s right of access under the Privacy Rule. (See also ONC Cures Act Final Rule preamble discussion and Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards).

Experts agree that there is a fine line to walk in facilitating access to minors' records while also protecting their privacy. This legal blog post discusses several considerations:

During the ages in which minors can consent to certain healthcare services (such as reproductive health services), parents have a right to access some of a child's medical information but generally not that for which the child consents on his or her own. Providing just the right amount of access—no more and no less—has long proven difficult, and is now all the more imperative.

Providers have historically often addressed this by entirely excluding medical records of such minors from patient portals. However, to knowingly interfere with a parent's access to EHI of a minor (other than the few services to which the minor may consent) may constitute information blocking under the final rule.

Overly broad policies blocking access likely will not comply with Information Blocking Final Rule. If a health center provider cannot segment out the confidential information, then the provider may need to rely on the infeasibility exception—which requires a response within 10 days explaining why it is infeasible to segment out the data. If explaining the basis of infeasibility would expose that the minor sought confidential services, then an individualized determination to withhold information to prevent harm to the minor may be an alternative. It’s important to understand that this exception must be individually applied, and thus cannot be applied broadly to all minors. As such, as ONC mentions in their response to frequently asked questions, the privacy exception, which contains a sub-exception that covers practices respecting an individual’s request not to share information, subject to certain conditions, is likely the best path forward. This requires that minors request that their information not be shared and document that request with the clinic.

How do we move into compliance with the information blocking final rule?

Assessing and addressing any changes needed in your health center as a result of the Information Blocking final rule.

The Journal of AHIMA has published an article that offers a checklist of strategies that can help with internal planning:

MGMA has published an Information Blocking Toolkit that has a step-by-step process to follow on Pages 18-19:

Get the Step-by-Step Guidance for Practices

The information presented here is for education purposes only and not intended to be legal advice. All primary sources should be reviewed to keep up with any and all changes and clarifications.

The HITEQ Center is a HRSA-funded National Training and Technical Assistance Partner operated by JSI and Westat.

This publication is supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) as part of an award totaling $768,000 with 0 percentage financed with nongovernmental sources. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement, by HRSA, HHS or the U.S. Government.

Tags: health information exchange HIE information blocking badge USCDI

HITEQ Resources