Understanding the Eight Exceptions to Information Blocking

By Sharon Slivochka, RHIA, and Diana Warner, MS, RHIA, CHPS, CPHI, FAHIMA

The Office of the National Coordinator (ONC) for Health IT’s information blocking final rule, part of the 21st Century Cures Act (Cures Act), goes into effect April 5, 2021.

At a high level, the final rule prohibits health providers, technology vendors, health information exchanges, and health information networks from preventing the exchange, use, or access of electronic health information (EHI).

Embedded within the rules are eight exceptions that empower providers to deny EHI requests without being tagged as information blockers.

As a result, provider organizations need well-defined processes to evaluate and review requests; maintain documentation for compliance purposes; and determine how denials are consistently tailored to one or more of the information blocking exceptions.

The Eight Exceptions

The first five exceptions involve not fulfilling requests to access, exchange, or use EHI. The final three exceptions involve procedures for fulfilling requests to access, exchange, or use EHI.

Following are the exceptions and the general definitions of each.

1. Preventing Harm

According to ONC, this exception “recognizes that the public interest in protecting patients and other persons against unreasonable risks of harm can justify practices that are likely to interfere with access, exchange, or use of EHI.” In short, organizations can deny EHI requests to protect patients and other consumers from harm. However, the potential risk and harm that would trigger the exception must be appropriately documented.

Is the responding organization able to segment sensitive records, such as those pertaining to behavioral health or substance abuse, for adults who have requested their information that providers believe may harm the patient or family member? Is the organization able to segment sensitive health records of minors, as protected by state and federal regulations, so parents do not have access to information they are not authorized to receive?

2. Privacy

The information blocking provisions compel healthcare organizations to broaden EHI access to consumers, but they do not render existing federal and state privacy laws obsolete. Under this exception, organizations would not be required to disclose EHI in a way that is prohibited under applicable laws.

3. Security

This exception covers risks to the integrity and security of the information and EHI systems. However, this exception is not to be used as a broad brush for request denials. To trigger this exception, healthcare organizations need to demonstrate that the denial is “directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.” Provider organizations should update relevant privacy and security policies or implement new policies to mitigate practices that prohibit or delay data sharing.

4. Infeasibility

This exception speaks to the reasonableness of fulfilling requests. ONC defines several instances where practical fulfillment of EHI requests is severely limited, such as natural or man-made disasters, public health emergencies, technological limitations, or the inability to “unambiguously” segment requested EHI.

5. Health IT performance

This exception acknowledges that health IT may be temporarily offline for maintenance, improvements, or a cause beyond the control of the healthcare organization. With the exception, ONC makes clear that EHI requests do not take precedence over health IT performance. Organizations should review historical information or scanned records that are not immediately being shared to include legacy systems. Is the organization able to meet the requirement for making the information available?

6. Content and manner

This exception provides clarity and flexibility to organizations concerning the scope of a request to access, exchange, or use EHI. For the next 24 months, the data requests that fall under the information blocking final rule include those identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

This exception also supports innovation and competition by allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI. Is your organization able to fulfill requests according to the USCDI definition and scale to meet expanded elements after the 24-month period? Are you technically able to provide the information and reach agreeable terms with the patient?

7. Fees

The Cures Act final rule carved out an exception to permit healthcare organizations to charge fees for record requests to assist in the development of technologies and provision of services that enhance interoperability. However, fees must be based on objective and verifiable criteria and be reasonably related to the costs of access to or exchange or use of EHI.

8. Licensing

This exception protects the investments organizations make in innovation by permitting them to charge “reasonable royalties” to develop, maintain, and update those innovations. According to ONC, “an actor must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license within 30 business days from receipt of the request.”

Getting Started

While compliance with the overall final rule can be complex and a bit ambiguous, determining when it’s appropriate to deny information requests requires careful consideration and defined processes.

Using an enterprise-wide information governance framework will help organizations plan and take a structured approach as they implement the rule.

Policies with procedural detail must be in place to document detailed case-by-case determinations, including specifying how the denial is tailored to criteria directly relevant to meeting the information blocking exception or other privacy law restriction. For example, what processes will need to be developed to handle records requests for patients at the facility? Are there times when delaying test results by the physician is appropriate? Have processes been identified to review requests that may qualify for an exception?

Consider the following approach for developing and implementing policies related to EHI requests:

  • Convene all organizational stakeholders, including health information management (HIM), privacy and security, legal, compliance, information technology (IT), and clinicians, and any department that receives requests from a patient or a patient’s personal representative.
  • Identify policies and procedures that address information sharing. This includes HIM policies, HIPAA policies, and IT policies, as well as any policies in place related to governing confidential and proprietary information.
  • Identify and list all the systems that contain EHI and the types of EHI within each system. Review how information is received from other providers, how it is captured, and if it is used for treatment.
  • Review workflows that may be impacted, identify gaps, and determine if there are workflows that may be perceived as information blocking and how these will be addressed. Ensure all processes are clearly documented.
  • Determine where to route requests for review and who will review the requests that may fall under the information blocking rule.
  • Develop a communication plan to educate the organization and re-educate about the importance of good documentation habits. Continuously communicate any changes and updates to processes and workflows so anyone receiving a request knows what to do.
  • Train and educate any staff who may receive a request to access, exchange, or use EHI so they are aware of the information blocking rule and know how to handle requests.
  • Clearly document any requests that are not fulfilled under one of the eight exceptions to mitigate compliance risk. Implementing a procedure that consistently reviews requests and documents the process for denial will ensure consistency. (See the sidebar titled “Sample Documentation of an EHI Request Denial.”)
  • Organizations should establish regularly scheduled audits. Complaints, technology changes or issues, and legislative updates will need to be evaluated as they emerge. Workflows, policies, and procedures will need to be reviewed accordingly to ensure compliance.

Carefully Consider the Exceptions

It is important for healthcare organizations and stakeholders to carefully consider the eight exceptions and develop policies concurrent with those developed and implemented for EHI fulfillment.

Provider organizations need well-defined processes to evaluate and review requests, maintain documentation for compliance purposes, and determine how denials are consistently tailored to one or more of the information blocking exceptions.

Doing so will ensure that the organization stays in compliance with the provisions without endangering the privacy and security of EHI or degrading a return on technology investments.

Information Blocking Definitions

Electronic Health Information (EHI): EHI is defined as individually identifiable health information that is transmitted or maintained by or in electronic media and to the extent that it would be included in the designated record set

Access: The ability or means necessary to make EHI available for exchange or use

Exchange: The ability of EHI to be transmitted between and among different technologies, systems, platforms, or networks

Use: The ability for EHI, once accessed or exchanged, to be understood and acted upon

Information blocking: Anything that interferes with, prevents, or materially discourages access, exchange, or use of EHI

United States Core Data for Interoperability: A standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange

Sample Documentation of an EHI Request Denial

Date of receipt: _______________

Requester: __________

Type of request: ___________

Patient name(s) (if applicable): ____________

MRN(s) (if applicable): ________________

Information blocking exception: _____________________

Justification for the exception: _______________________

Date of response (if applicable): _________________________

Owning team: ________________________________

Approved by: ______________________________



Sharon Slivochka is director of the electronic health record in health information management at a large multi-specialty health system.

Diana Warner (dwarner@mrocorp.com) is director of account management for MRO.