Physicians must walk a fine line between protecting patient privacy and allowing access to and sharing of patient files as needed to ensure the highest standards of care.
On one hand, the Health Insurance Portability and Accountability Act (HIPAA) requires that patient data be stored and transmitted securely, and never shared without patient consent or unless required to safeguard a patient's safety or the safety of others.
On the other hand, the 21st Century Cures Act (Cures) includes specific provisions to promote health information interoperability, and penalizes those seen to be guilty of intentional or unintentional "information blocking."
How can you ensure your practice stays compliant with both pieces of legislation?
What is Information Blocking?
Information blocking (also called info blocking) can happen at several different points in the patient care journey, and take several forms.
Physicians may experience information blocking when attempting to:
- Access patient records held by other providers
- Connect electronic health record (EHR) systems to health information exchanges (HIEs)
- Migrate from one EHR to another
- Link EHRs with a clinical data registry
Patients may experience information blocking when attempting to:
- Access their medical records
- Sending their records to another provider.
According to the American Medical Association (AMA), Cures specifically defines information blocking as "business, technical, and organizational practices that prevent or materially discourage the access, exchange or use of electronic health information (EHI)."
Cures further specifies that blocking applies when "an Actor knows, or (for some Actors like EHR vendors) should know, that these practices are likely to interfere with access, exchange, or use of EHI."
Finally, Cures states that if such blocking is conducted by a health care provider, it must be shown that they knew or could reasonably be expected to know that their actions were "unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI."
Cures also lays out key terms and mandates for what shall constitute access, exchange, and use, as well as definitions for EHI, Actors, and actions and deadlines for compliance.
Access
Access is the means through which EHI is made available, enabling it to be exchanged, used or both.
Exchange
Exchange is how EHI is able to be transmitted. This can be bidirectional transmission or network-based, and includes different technologies as well as myriad networks, platforms and systems.
Use
Use is the ability to understand or act on accessed or exchanged EHI.
Acted upon
To act on may be bidirectional, and can include reading or writing to EHI files.
Actors
Actors must comply with information blocking regulations. Actors include health care providers, developers of certified health IT solutions, health information networks (HINs) and HIEs.
EHI
EHI encompasses all of the electronic protected health information (ePHI) in a designated record set, typically including medical and billing records as well as any other records which may be accessed to help make decisions about a patient's care. EHI is also protected under HIPAA regulations whether records are used or maintained by or for an entity covered by Cures.
Deadlines
All Actors will be subject to Information Blocking rules and regulations on April 5, 2021. EHI is currently limited to the types of specific data elements represented in the US Core Data for Interoperability (USCDI) V1 standard. According to the American Health Information Management Association (AHIMA), after October 5, 2022, all physicians will be required to make the entirety of their patients' ePHI available.
What Actions Can be Considered Information Blocking?
Information blocking can occur as an act, or as an omission, by an Actor. Any act or omission that interferes with the access, exchange or use of EHI may be considered info blocking, but is not automatically considered info blocking. Physician Actors must have knowledge and intent to participate in blocking.
Examples of info blocking practices include (but aren't limited to):
- Restricting authorized access, exchange or use of information for treatment and other permitted purposes under applicable state or federal law
- Implementing health IT solutions in ways considered "nonstandard" and which are likely to add substantially to the burden or complexity of EHI access, exchange, or use
- Limiting or restricting the interoperability of a provider or practices or other related system's health IT without a legitimate security reason
- Implementing health IT or specific acts that could restrict, delay or make otherwise challenging the access, exchange or use of EHI (including charging for health records)
- Committing acts that lead to waste, abuse, fraud or impediment related to health information access, exchange, or use, including health IT-enabled care delivery
- Restricting access, exchange, and use, through legal documents or organizational policies related to EHI and health IT
- Rent-seeking or predatory pricing practices designed to manipulate the economic market
What Exceptions Apply to Information Blocking
HIPAA regulations lay out when information is permitted to be exchanged. Cures lays out how access, exchange and use of information is mandated, and who must comply. These two Acts form the sides of the road that providers, information exchanges and networks, and health IT solutions must operate within to stay compliant.
Exceptions to CURES regulations apply. If your practice fails to comply with a request, you may or may not meet the conditions of an exception. (If you don't meet the conditions, you're not automatically guilty of info blocking, but you won't qualify for protection from potential penalties or disincentives.)
Each act or omission will be evaluated on a case-by-case basis to measure the physician's knowledge, intent, and the level of impact the potential blocking has had on the patient or other parts of the health care and patient care chain. Examples of exemptions include failures to comply with an information request due to:
- Intent to prevent harm to a patient or another person
- Concerns about patient privacy and/or security of health data
- Legitimate downtime related to health IT systems
- Infeasibility of sharing data (as in unreasonable cost or burden to comply)
If a claim is brought that your practice is engaging in information blocking, your best defense is a strong EHI system, written organizational policies, and meticulous documentation that can show clearly if there was an applicable exception.
How Tangible Helps Maintain Data Sharing Compliance
Tangible's Integration-as-a-Platform Service (IaaPS) helps practices manage their EHRs confidently and correctly, making it easy to integrate with multiple systems and comply with both HIPAA and Cures. Our Patient Engagement portal facilitates easy patient access to records and other EHI, closing the loop on information sharing and preventing unintentional blocking.
For more insights on how to protect your practice from inadvertent information blocking and to discuss our solutions for EHI regulatory compliance, contact one of our health IT experts today.
