Information blocking requirements apply to full scope of EHI

Information blocking requirements apply to full scope of EHI

The Advocacy Council previously informed members that, beginning on April 5, 2021, health care providers (including allergy practices) must comply with the Office of the National Coordinator for Health Information Technology’s (ONC’s) requirements governing the prohibition against information blocking.

Beginning October 6, 2022, the information blocking requirements are no longer limited to a subset of electronic health information (EHI). These requirements now apply to the full scope of EHI, as described in detail below.

Information Blocking Requirements

The ONC interprets the 21st Century Cures Act as prohibiting health care providers from engaging in information blocking, which is broadly defined as an act or omission by a health care provider (including physicians and practitioners) that is likely to interfere with access, exchange, or use of EHI.

Understanding Electronic Health Information

EHI refers to electronic protected health information included in a designated record set. A designated record includes:

  • The medical records and billing records about individuals.
  • The enrollment, payment, claims adjudication, and case or medical management of record systems maintained by or for a health plan.
  • Records that are used, in whole or in part, to make decisions about individuals.

EHI does not include information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. In addition, health information that is de-identified – consistent with HIPAA Rules – is not included in the definition of EHI for the purposes of information blocking. It is also important to note that if a provider uses paper records, those records are not subject to the Information Blocking requirements. Information blocking pertains only to the access, exchange, and use of EHI. However, protected health information that providers have, but do not maintain electronically, are still subject to all applicable HIPAA requirements, including the right of access.

A provider must respond to a request to access, exchange, or use EHI, regardless of when the information was generated, unless an exception applies. Practices should update their policies and procedures governing information blocking and contact their EHR vendor to facilitate compliance.

A practice is not considered to be “information blocking” if the health care provider satisfies one or more of the following exceptions, provided certain conditions are met:

Exceptions for Not Fulfilling Requests

  • Preventing Harm Exception: The health care provider holds a reasonable belief that the practice will substantially reduce a risk of harm to a patient or another person that would otherwise arise from the access, exchange, or use of EHI affected by the practice.
  • Privacy Exception: The health care provider does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy.
  • Security Exception: The provider’s practice is directly related to safeguarding the confidentiality, integrity, and availability of EHI.
  • Infeasibility Exception: The health care provider does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request.
  • Health IT Performance Exception: The provider’s practice involves reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT.

Exceptions for Procedures for Fulfilling Requests

  • Content and Manner Exception: Under certain circumstances, the health care provider may limit the content of its response to or the manner in which it responds to a request to access, exchange, or use EHI.
  • Fees Exception: Under certain circumstances, an actor may charge fees for accessing, exchanging, or using EHI.
  • Licensing Exception: Under certain circumstances, an actor may license interoperability elements for EHI to be accessed, exchanged, or used. (Health care providers are less likely to invoke this exception).

Additional information on these exceptions can be found on ONC’s website. If a health care provider satisfies at least one exception, the provider will not be subject to enforcement action, which has not yet been established by the Department of Health and Human Services. Failure to fall under an exception does not automatically mean that a practice is information blocking. Instead, the practice would be evaluated, based on the specific facts and circumstances, to determine whether information blocking has occurred.

For more information regarding information blocking, please refer to ONC’s website and the College’s Risk and Compliance Toolkit.

ONC is hosting “virtual office hours” on October 27 from 2:00 to 3:00 p.m. EST. Providers interested in joining this webinar can register here.