HIPAA’s New Information Blocking Rule

What is (and isn’t) information blocking?

In 2016, Congress passed the 21st Century Cures Act, which sought to encourage innovation in health care and to strengthen patients’ right to access their medical records. The Act established that health information technology developers, health information networks, and health information exchanges are subject to civil monetary penalties for engaging in practices that constitute information blocking, and that health care providers who engage in such practices are subject to “appropriate disincentives” set by the Secretary of Health and Human Services.

Information blocking is defined as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of Electronic Health Information (EHI), unless the practice is required by law or falls within one of the regulatory exceptions. The rule refers to the regulated parties as “actors”; this article uses the more familiar HIPAA term “covered entity” for them. The knowledge standard for a violation depends on the type of actor involved:

  • Health care providers are in violation if they know a practice is unreasonable and is likely to interfere with, prevent, or materially discourage access to EHI.
  • Health IT developers, health information networks, and health information exchanges are in violation if they know or should know that a practice is likely to interfere with, prevent, or materially discourage access to EHI.

The law specified that these provisions would not be enforced until the Office of the National Coordinator for Health IT (ONC) issued rules identifying exceptions to the law. ONC did so in its Cures Act Final Rule, whose information blocking provisions became applicable on April 5, 2021.

The ONC rules identify eight exceptions: circumstances in which it is considered “reasonable and necessary” for a covered entity to interfere with, prevent, or materially discourage access to EHI. They include the following:

  • The covered entity reasonably believes that restricting access will prevent harm to a patient or another person.
  • Restricting access is necessary in order to protect the security of EHI.
  • The covered entity has taken actions to maintain or improve health IT performance, which makes EHI temporarily unavailable.
  • The request to access information is infeasible, due to unforeseeable circumstances (such as a natural disaster or public health emergency) or because the requested information cannot be segmented from information the patient does not have the right to access.

Under the Health Insurance Portability and Accountability Act (HIPAA), health care providers are currently required to respond to a request for access within 30 days. However, the new rules clarify that any unnecessary delay in providing access to EHI may be considered a violation, even when the delay is less than 30 days. For example, according to the ONC’s Final Rule FAQs, it would likely be considered information blocking if a health care provider “established an organization policy that… imposed delays on the release of lab results for any period of time.”

This includes organizational delays imposed so that the ordering clinician can review the results before release, as well as delays imposed so that the patient can be personally informed of the results. However, according to the FAQs, it would likely not be considered a violation if the release of EHI is delayed only for as long as is necessary, such as the time it takes to determine whether a request for access is compliant with state law.

What information must be provided right now?

The information blocking provisions became applicable on April 5, 2021. From that date, covered entities have been required to provide patients with access to a defined subset of EHI in order to comply with the law.

Under the rules as they apply today, the EHI that must be made available is limited to the 16 data classes specified by version 1 of the United States Core Data for Interoperability (USCDI):

  • Patient Demographics
  • Vital Signs
  • Allergies and Intolerances
  • Medications
  • Smoking Status
  • Immunizations
  • Procedures
  • Care Team Members
  • Clinical Notes
  • Assessment and Plan of Treatment
  • Goals
  • Health Concerns
  • Laboratory
  • Problems
  • Unique Device Identifier(s) For a Patient’s Implantable Device
  • Provenance (metadata such as Author Organization)

What changes are coming next?

While these provisions are already in effect, the full impact of the information blocking provision of the 21st Century Cures Act still hasn’t been felt. On October 6, 2022, the scope of EHI accessible to patients will expand from the USCDI data classes to the full designated record set (DRS) as defined under HIPAA. This includes “medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.”

The HHS Office for Civil Rights (OCR) has also recently proposed modifications to the HIPAA Privacy Rule which would address information blocking. Under current regulations, covered entities must respond to a patient’s request for copies of PHI, in the form and format requested if it is “readily producible,” within 30 calendar days. The proposed rule would shorten that period to 15 calendar days, while clarifying that the right of access covers electronic records (ePHI) as well as paper ones.

The rule would also narrow the right in some respects. It would allow covered entities to satisfy a request with an electronic copy of the records rather than a copy in the patient’s preferred format. Additionally, it would limit an individual’s right to direct a copy of PHI to a third party to electronic copies of PHI held in an Electronic Health Record (EHR), rather than any PHI in any format.

Some organizations have already expressed concern about unforeseen ramifications if these changes go into effect. In a letter to OCR, James L. Madara, M.D. of the American Medical Association (AMA) expressed concern about placing additional regulatory burden on physician practices, particularly so soon after making “significant, paradigm-changing adjustments to their information management, patient engagement, and exchange processes to comply with information blocking regulations.”

Patient advocates and privacy experts have also highlighted potential data security concerns. For example, the proposed rule allows individuals to direct a copy of their ePHI to a third party, but does not restrict the recipient to entities that are covered by HIPAA. Once the data reaches a non-covered recipient (a consumer health app, for example), the HIPAA Privacy and Security Rules no longer apply to it, so patient data may be exposed in ways the individual requesting access is unaware of.

How do I make sure my business is prepared?

As health care providers are required to make a greater range of electronic health information available to patients and third parties, it’s more important than ever that entities which control EHI and PHI take appropriate security measures to protect patient data. It’s also essential that health care providers and other covered entities establish policies and procedures which are compliant with these new regulations, as well as existing federal and state laws concerning patient privacy and security.

If you need help developing your policies, training employees on new procedures, or implementing a comprehensive data security system, Gazelle Consulting is here to help! Check out our services page or contact us for a free consultation to see if our customized HIPAA compliance services are right for you.
