United States:

The Information Blocking Rule: Considerations For Health Care Providers



General Overview

On May 1, 2020, the Office of the National Coordinator for
Health Information Technology (“ONC”) published its final
rule, commonly referred to as the “Information Blocking Rule,” implementing
certain provisions of the 21st Century Cures Act that are designed
to support the access, exchange, and use of electronic health
information (“EHI”) and prohibit information blocking.
The Information Blocking Rule became effective on April 5, 2021,
after a delay due to the COVID-19 pandemic. It applies to any
individual or entity that meets the definition of at least one
category of “actor” – a health care provider, health IT
developer of certified health IT, or health information network
(“HIN”) or health information exchange (“HIE”)
– and generally prohibits any practice that is not required by law
or permitted by an applicable exception (discussed below) that
“is likely to interfere with access, exchange or use of
[EHI]” when the applicable knowledge standard is met (the
terms “access,” “exchange” and “use”
are defined terms under the Information Blocking Rule). While the
Information Blocking Rule applies to various types of actors, this
summary offers a high-level overview of relevant considerations
specifically for health care providers.

A health care provider meets the knowledge standard under the
Information Blocking Rule when the provider “knows
that such practice is unreasonable and is likely
to interfere with access, exchange or use of [EHI].” (emphasis
added). In addition to a health care provider’s refusal to
provide patients with access to their EHI upon request, certain
unnecessary delays in providing patients access to their EHI could
potentially constitute information blocking if the requisite
knowledge standard is met. Examples include:

  • A health care provider establishing an organizational policy
    that imposes delays on the release of a patient’s laboratory
    results for any period of time in order to allow an ordering
    provider to review the results or in order to personally inform the
    patient of the results before the patient is able to electronically
    access the results;

  • A delay in providing access, exchange, or use occurs after a
    patient logs in to a patient portal to access EHI that a health
    care provider has (including, for example, lab results) and such
    EHI is not available – for any period of time – through the portal;
    and

  • A delay in providing a patient’s EHI via an application
    programming interface to an application that the patient has
    authorized to receive their EHI.

According to the ONC, this could potentially mean “a
patient would be able to access EHI, such as test results, in
parallel to the availability of the test results to the ordering
clinician.”

Exceptions

Fortunately, there are eight exceptions to the Information
Blocking Rule that are divided into two categories: exceptions
involving not fulfilling requests to access, exchange, or use EHI
and exceptions that involve procedures for fulfilling requests to
access, exchange, or use EHI. Practices that satisfy one or more of
the below exceptions will not constitute information blocking. A
practice that fails to meet all conditions of an applicable
exception will not necessarily constitute information blocking.
Such practices will be assessed on a case-by-case basis to
determine whether the practice violates the Information Blocking
Rule. The available exceptions are summarized below for
reference:

Exceptions that involve not fulfilling requests to access,
exchange, or use EHI

Preventing Harm Exception: It will not be information blocking for
the provider to engage in practices that are reasonable and
necessary to prevent harm to a patient or another person, if
certain conditions are met.

Requirements:

  • The provider must reasonably believe that the practice will
    substantially reduce a risk of harm;

  • The practice must be no broader than necessary;

  • The practice must satisfy at least one condition from each of
    the following categories: type of risk, type of harm, and
    implementation basis; and

  • The practice must satisfy the condition concerning a patient
    right to request review of an individualized determination of risk
    of harm.

Privacy Exception: It will not be information blocking if the
provider does not fulfill a request to access, exchange, or use EHI
in order to protect an individual’s privacy, provided certain
conditions are met.

Requirements: The provider’s privacy-protective practice must meet
at least one of the following sub-exceptions:

  • If the provider is required by law to satisfy a precondition
    (e.g., patient consent or authorization) prior to providing access,
    exchange, or use of EHI, the provider may choose not to provide
    access, exchange, or use of such EHI if the precondition has not
    been satisfied under certain circumstances.

  • The provider may deny an individual’s request for access to
    his or her EHI in circumstances provided under the HIPAA Privacy
    Rule at 45 CFR 164.524(a)(1) and (2) (e.g., psychotherapy
    notes).

  • The provider may choose not to provide access, exchange, or use
    of an individual’s EHI if doing so fulfills the wishes of the
    individual, provided certain conditions are met.

Security Exception: It will not be information blocking for the
provider to interfere with the access, exchange, or use of EHI in
order to protect the security of EHI, provided certain conditions
are met.

Requirements:

  • The practice must be: directly related to safeguarding the
    confidentiality, integrity, and availability of EHI; tailored to
    specific security risks; and implemented in a consistent and
    non-discriminatory manner.

  • Additionally, the practice must either implement a qualifying
    organizational security policy or implement a qualifying security
    determination.

Infeasibility Exception: It will not be information blocking if the
provider does not fulfill a request to access, exchange, or use EHI
due to the infeasibility of the request, provided certain
conditions are met.

Requirements:

  • The practice must either be due to uncontrollable events (e.g.,
    natural disaster, public health emergency, civil insurrection);
    inability to segment the requested EHI; or infeasibility under the
    circumstances based on certain factors.

  • The provider must provide a written response to the requestor
    within 10 business days of receipt of the request with the
    reason(s) why the request is infeasible.

Health IT Performance Exception: It will not be information
blocking for the provider to take reasonable and necessary measures
to make health IT temporarily unavailable or to degrade the health
IT’s performance for the benefit of the overall performance of the
health IT, provided certain conditions are met.

Requirements: The practice must:

  • Be implemented for a period of time no longer than necessary to
    achieve the maintenance or improvements for which the health IT was
    made unavailable or the health IT’s performance degraded;

  • Be implemented in a consistent and non-discriminatory manner;
    and

  • Meet certain requirements if the unavailability or degradation
    is initiated by a health IT developer of certified health IT, HIE,
    or HIN.

Certain other conditions apply for the provider’s actions
against a third-party app that is negatively impacting the health
IT’s performance.

Exceptions that involve procedures for fulfilling requests to
access, exchange, or use EHI

Content and Manner Exception: It will not be information blocking
for an actor to limit the content of its response to a request to
access, exchange, or use EHI or the manner in which it fulfills a
request to access, exchange, or use EHI, provided certain
conditions are met.

Requirements:

  • The provider must respond to a request to access, exchange, or
    use EHI with EHI as defined in applicable regulations.

  • The provider may need to fulfill a request in an alternative
    manner when the provider is technically unable to fulfill the
    request in any manner requested; or cannot reach agreeable terms
    with the requestor to fulfill the request.

Fees Exception: It will not be information blocking for the
provider to charge fees, including fees that result in a reasonable
profit margin, for accessing, exchanging, or using EHI, provided
certain conditions are met.

Requirements:

  • The practice must meet the basis for fees condition (e.g., fees
    must be based on objective and verifiable criteria that are
    uniformly applied for all similarly situated classes of persons or
    entities and requests).

  • The practice must not be specifically excluded (e.g., a fee
    based in any part on the electronic access by an individual, their
    personal representative, or another person or entity designated by
    the individual to access the individual’s EHI).

Licensing Exception: It will not be information blocking for the
provider to license interoperability elements for EHI to be
accessed, exchanged, or used, provided certain conditions are met.

Requirements:

  • The practice must meet conditions regarding negotiating a
    license (e.g., the provider must begin license negotiations with
    the requestor within 10 business days from receipt of the request
    and negotiate a license within 30 business days from receipt of the
    request) and regarding licensing conditions (e.g., scope of rights,
    reasonable royalty, non-discriminatory terms, collateral terms,
    non-disclosure agreement).

Health care providers seeking to implement the Information
Blocking Rule into their existing compliance programs should
consider:

  • Reviewing and revising their existing HIPAA policies and
    procedures, specifically those pertaining to individual access and
    training personnel regarding the same.

  • Assessing the health care provider’s use of EMR and patient
    portal functionality (e.g., does the EMR include unnecessary delays
    that should be corrected?).

  • Updating the patient portal terms of use.

  • Reviewing and revising Business Associate Agreements to ensure
    terms comply with the information blocking rules.

  • Consulting with vendors to determine how the vendors plan to
    comply with the Information Blocking Rule.

Violation of the Information Blocking Rule by health care
providers may result in “appropriate disincentives”
(i.e., penalties), which have yet to be established and will be set
forth in a future rulemaking by the Office of Inspector General. We
recommend that health care providers ensure their practices
regarding responding to requests for EHI are appropriate
considering the Information Blocking Rule and implement standards
that guard against information blocking into their ongoing
compliance efforts.
