August 30, 2021

The Role of Information Blocking in Providing Patients Their Protected Health Information

Rachel V. Rose, JD, MBA, Attorney at Law PLLC, Houston, TX

Introduction


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has two primary considerations related to patients’ protected health information (PHI): privacy and security. Under HIPAA, patients are entitled to access their medical records, but covered entities have some leeway to refrain from providing such access.

The 21st Century Cures Act of 2016 (Cures Act), which addresses interoperability, information blocking, and ONC Health IT Certification, expands the right of patients to access their electronic health information (EHI) and requires that providers give patients access to their EHI in the form of their choosing. As the troubling trend of rising data breaches and cyberattacks has taught us, there is a delicate balance between simply providing patients information, on demand, in any format, and maintaining a secure IT environment that mitigates the risk of a cybersecurity attack or data breach. Covered entities as well as their business associates have a duty not only to provide patients with medical records, but also a broader obligation to all patients to protect the confidentiality, integrity, and availability of the data.

Here is where Section 4004 of the Cures Act, which addresses information blocking, comes into play. The concept of “information blocking” is relevant to achieving the balance of system security and providing patients access to their medical records. Admittedly, the Cures Act, as well as the two final rules (the ONC Final Rule and CMS Final Rule) implementing the Cures Act are dense, require more than one read, and have provisions that are not “bright line” rules.

The purpose of this article is to parse out activities that qualify as prohibited information blocking and note the exceptions to the prohibition. The article also includes several compliance tips so providers can create adequate policies and procedures to integrate these new exceptions into their procedures for providing patients with their PHI.

Information Blocking: Activities and Exceptions

Fundamentally, “information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).” As set forth in 45 C.F.R. § 171.102:

EHI means electronic protected health information [ePHI] as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 164.103, but EHI shall not include: (1) Psychotherapy notes as defined in 45 CFR 164.501; or (2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

So healthcare providers have an obligation under HIPAA and the Cures Act to provide certain EHI to patients without interference. Section 4004 of the Cures Act sets out the general prohibition against information blocking as well as eight exceptions under which such blocking is permissible. The following practices most likely constitute information blocking:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT).
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI.
  • Implementing health IT in ways that are likely to: (a) restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or (b) lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

The exceptions available in Section 4004 of the Cures Act create a balance between cybersecurity considerations, a covered entity’s or business associate’s obligations to other patients and its overall IT security, and an individual’s right to access his/her medical records in a format of his/her choosing.

The exceptions to information blocking are summarized below, grouped by category. There are two categories of exception: (1) exceptions for not fulfilling requests and (2) exceptions involving the procedures for fulfilling requests.

Category: Not fulfilling requests to access, exchange, or use EHI

  • Preventing Harm Exception: applies when an actor engages in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
  • Privacy Exception: applies if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
  • Security Exception: applies if an actor interferes with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met. NOTE: the actions must be directly related to safeguarding the confidentiality, integrity, and availability of EHI, must be tailored to specific security risks, and must be implemented in a uniform and non-discriminatory manner.
  • Infeasibility Exception: applies if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
  • Health IT Performance Exception: applies when an actor takes reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

Category: Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

  • Content and Manner Exception: available to an actor to limit the content of its response to a request to access, exchange, or use EHI, or the manner in which it fulfills such a request, provided certain conditions are met.
  • Fees Exception: enables an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. NOTE: If an actor is subject to the conditions of certification in § 170.402(a)(4) or § 170.404, it must also comply with such condition(s).
  • Licensing Exception: allows an actor to license interoperability elements so that EHI can be accessed, exchanged, or used, provided certain conditions are met.


These eight exceptions can be thought of as safe harbors for actors (i.e., healthcare providers, health IT developers, health information networks (HINs), and health information exchanges (HIEs)): if an exception is followed as prescribed, the practice will not be considered information blocking.

Compliance Suggestions

What can entities do to ensure compliance with the Cures Act as well as HIPAA? 45 C.F.R. § 164.308(a)(1)(ii)(A) requires that covered entities and business associates conduct an annual security risk analysis to identify and mitigate vulnerabilities regarding ePHI. HHS stated that “[c]onducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the [HIPAA] Security Rule.” Because EHI includes ePHI, Sections 4002 and 4004 of the Cures Act must be included in evaluating the technical, administrative, and physical safeguards of an organization. Here are some fundamental compliance suggestions, many of which are already required by HIPAA’s Security Rule:

  1. Conduct an annual security risk analysis and add the information blocking rules and exceptions to it;
  2. Add any relevant disclosures to the HIPAA authorization that patients sign;
  3. Integrate ONC Final Rule and CMS Final Rule requirements and exceptions into both policies and procedures and training. Policies and procedures provide the framework for organizations to comply with the information blocking exceptions by providing a structure that a workforce member can reference before sending PHI to a patient; and
  4. Ensure that the exceptions are applied in a consistent and non-discriminatory manner.

Covered entities and their business associates need to balance the confidentiality, integrity, and availability of information for all patients, and the security of the IT infrastructure, against providing individual patients with their EHI. This is where comprehensive policies and procedures come into play: they provide a framework for delivering EHI to patients in ways that are safe and that mitigate the risk of a cyberattack or a breach.

Conclusion

HIPAA and the Cures Act go hand-in-hand. HIPAA requires that patients be provided access to their medical records, while the Cures Act added ways in which patients may receive their PHI. Covered entities and business associates may not engage in information blocking; however, the exceptions to information blocking seek to balance a patient’s access with the HIPAA Security Rule’s requirements for protecting all ePHI that an entity creates, receives, maintains, and/or transmits. To maintain a culture of compliance, organizations should implement the suggested changes, notify patients when an information blocking exception applies, and provide the information in an alternative format. Overall, it is important to take a holistic approach that protects all EHI while providing patients with their records.


    -------------------

    Rachel V. Rose, JD, MBA, is a principal at Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas). She advises clients on compliance, transactions, and litigation in healthcare, cybersecurity, corporate and securities, False Claims Act and Dodd-Frank whistleblower areas of law. She also teaches bioethics at Baylor College of Medicine in Houston. She may be reached through her website, www.rvrose.com.