October 15, 2020
If you’re at all familiar with the 21st Century Cures Act, you may have heard the term ‘information blocking’ tossed around. Even if you’re not, you may be familiar with the ongoing healthcare battle to prevent information blocking and more effectively share patient information. If you’re not familiar with any of these things…well…keep reading anyway. If you’re an independent practice, we promise this is going to be increasingly important information to know.
A major goal of the Cures Act is to break down the barriers currently erected to interfere with, prevent, or discourage the access, exchange, or use of electronic Protected Health Information (ePHI) within the healthcare industry – otherwise known as information blocking. HIPAA outlines the specific ways information can be shared (and these rules still apply), but the statement “sorry we can’t share that information because of HIPAA” is often applied incorrectly, and that is part of what the Cures Act hopes to correct.
Deliberately blocking information that should be shared with patients and other appropriate covered entities, such as Health Information Exchanges (HIEs), can prevent or delay proper treatment and ultimately reduces the effectiveness of patient care. Before the Cures Act rules go into effect (November 2, 2020), organizations must reevaluate or remove any barriers currently in place that constitute information blocking. Not 100% sure what that really means? You aren’t alone, which is why the Office of the National Coordinator for Healthcare Technology (ONC) has created a helpful cheat sheet for what does and does not qualify as information blocking.
There are some exceptions to what falls under the “information blocking” umbrella, including:
- Preventing Harm Exception – if a provider engages in practices that are reasonably necessary to prevent the harm of a patient or other individual.
- Privacy Exception – when a provider does not complete a request for the purpose of protecting an individual’s privacy.
- Security Exception – means that it will not be information blocking if the provider interferes with the access, exchange, or use of ePHI in order to protect the security of the data itself.
- Infeasibility – if the provider does not fulfill a request due to the infeasibility of the request, for example, the provider cannot fulfill a request for access due to a natural disaster or internet service interruption.
- Health IT performance – when a provider takes reasonably necessary steps to make health IT temporarily unavailable or to degrade the health IT’s performance in order to achieve maintenance or improvements, provided the practice is implemented in a consistent manner and does not occur for a period of time longer than is necessary to resolve any negative impacts.
- Content and manner – if a provider limits the content of its response to a request to access, exchange, or use ePHI or the manner in which it fulfills a request to access, exchange, or use ePHI.
- Fees Exception – means that a provider can charge fees for accessing, exchanging, or using ePHI as long as they are reasonably related to the provider’s costs of providing the type of access.
- Licensing – if a provider licenses interoperability elements for ePHI to be accessed, exchanged, or used.
All of these exceptions are only permissible provided certain conditions are met.
In general, think of information blocking as refusing to share data even when there is no reason not to – i.e., none of these exceptions or regular privacy concerns apply. Where it gets tricky is when information sharing might – though the situation makes it unclear – violate HIPAA compliance regulations (really violate them, not just as an excuse). It’s always helpful to ask the experts in these circumstances – such as your HIPAA compliance program provider (*cough cough*).