On May 1, 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) published its final rule, commonly referred to as the “Information Blocking Rule,” implementing certain provisions of the 21st Century Cures Act that are designed to support the access, exchange, and use of electronic health information (“EHI”) and prohibit information blocking. The Information Blocking Rule became effective on April 5, 2021, after a delay due to the COVID-19 pandemic. It applies to any individual or entity that meets the definition of at least one category of “actor”— a health care provider, health IT developer of certified health IT, or health information network (“HIN”) or health information exchange (“HIE”) — and generally prohibits any practice that is not required by law or permitted by an applicable exception (discussed below) that “is likely to interfere with access, exchange or use of [EHI]” when the applicable knowledge standard is met (the terms “access,” “exchange” and “use” are defined terms under the Information Blocking Rule). While the Information Blocking Rule applies to various types of actors, this summary offers a high-level overview of relevant considerations specifically for health care providers.
A health care provider meets the knowledge standard under the Information Blocking Rule when the provider “knows that such practice is unreasonable and is likely to interfere with access, exchange or use of [EHI].” (emphasis added). In addition to a health care provider’s refusal to provide patients with access to their EHI upon request, certain unnecessary delays in providing patients access to their EHI could potentially constitute information blocking if the requisite knowledge standard is met. Examples include:
- A health care provider establishing an organizational policy that imposes delays on the release of a patient’s laboratory results for any period of time in order to allow an ordering provider to review the results or in order to personally inform the patient of the results before the patient is able to electronically access the results;
- A delay in providing access, exchange, or use occurs after a patient logs in to a patient portal to access EHI that a health care provider has (including, for example, lab results) and such EHI is not available—for any period of time—through the portal; and
- A delay in providing a patient’s EHI via an application programming interface to an application that the patient has authorized to receive their EHI.
According to the ONC, this could potentially mean “a patient would be able to access EHI, such as test results, in parallel to the availability of the test results to the ordering clinician.”
Fortunately, there are eight exceptions to the Information Blocking Rule that are divided into two categories: exceptions involving not fulfilling requests to access, exchange, or use EHI and exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. Practices that satisfy one or more of the below exceptions will not constitute information blocking. A practice that fails to meet all conditions of an applicable exception will not necessarily constitute information blocking. Such practices will be assessed on a case-by-case basis to determine whether the practice violates the Information Blocking Rule. The available exceptions are summarized below for reference:
|Exceptions that involve not fulfilling requests to access, exchange, or use EHI||Preventing Harm Exception: It will not be information blocking for the provider to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, if certain conditions are met.||The provider must reasonably believe that the practice will substantially reduce a risk of harm;
The practice must be no broader than necessary;
The practice must satisfy at least one condition from each of the following categories: type of risk, type of harm, and implementation basis; and
The practice must satisfy the condition concerning a patient right to request review of an individualized determination of risk of harm.
|Privacy Exception: It will not be information blocking if the provider does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.||The provider’s privacy-protective practice must meet at least one of the following sub-exceptions:
If the provider is required by law to satisfy a precondition (e.g., patient consent or authorization) prior to providing access, exchange, or use of EHI, the provider may choose not to provide access, exchange, or use of such EHI if the precondition has not been satisfied under certain circumstances.
The provider may deny an individual’s request for access to his or her EHI in circumstances provided under the HIPAA Privacy Rule at 45 CFR 164.524(a)(1) and (2) (e.g., psychotherapy notes).
The provider may choose not to provide access, exchange, or use of an individual’s EHI if doing so fulfills the wishes of the individual, provided certain conditions are met.
|Security Exception: It will not be information blocking for the provider to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.||The practice must be: directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.
Additionally, the practice must either implement a qualifying organizational security policy or implement a qualifying security determination.
|Infeasibility Exception: It will not be information blocking if the provider does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.||The practice must either be due to uncontrollable events (e.g., natural disaster, public health emergency, civil insurrection); inability to segment the requested EHI; or infeasibility under the circumstances based on certain factors.
The provider must provide a written response to the requestor within 10 business days of receipt of the request with the reason(s) why the request is infeasible.
|Health IT Performance Exception: It will not be information blocking for the provider to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.||The practice must:
Be implemented for a period of time no longer than necessary to achieve the maintenance or improvements for which the health IT was made unavailable or the health IT’s performance degraded;
Be implemented in a consistent and non-discriminatory manner; and
Meet certain requirements if the unavailability or degradation is initiated by a health IT developer of certified health IT, HIE, or HIN.
Certain other conditions apply for the provider’s actions against a third-party app that is negatively impacting the health IT’s performance.
|Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI||Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.||The provider must respond to a request to access, exchange, or use EHI with EHI as defined in applicable regulations.
The provider may need to fulfill a request in an alternative manner when the provider is technically unable to fulfill the request in any manner requested; or cannot reach agreeable terms with the requestor to fulfill the request.
|Fees Exception: It will not be information blocking for the provider to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.||The practice must meet the basis for fees condition (e.g., fees must be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests).
The practice must not be specifically excluded (e.g., a fee based in any part on the electronic access by an individual, their personal representative, or another person or entity designated by the individual to access the individual’s EHI).
|Licensing Exception: It will not be information blocking for the provider to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.||The practice must meet conditions regarding negotiating a license (e.g., the provider must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license within 30 business days from receipt of the request) and regarding licensing conditions (e.g., scope of rights, reasonable royalty, non-discriminatory terms, collateral terms, non-disclosure agreement).|
Health care providers seeking to implement the Information Blocking Rule into their existing compliance programs should consider:
- Reviewing and revising their existing HIPAA policies and procedures, specifically those pertaining to individual access and training personnel regarding the same.
- Assessing the health care provider’s use of EMR and patient portal functionality (e.g., does the EMR include unnecessary delays that should be corrected?).
- Reviewing and revising Business Associate Agreements to ensure terms comply with the information blocking rules.
- Consulting with vendors to determine how the vendors plan to comply with the Information Blocking Rule.
Violation of the Information Blocking Rule by health care providers may result in “appropriate disincentives,” (i.e., penalties), which have yet to be established and will be set forth in a future rulemaking by the Office of Inspector General. We recommend that health care providers ensure their practices regarding responding to requests for EHI are appropriate considering the Information Blocking Rule and implement standards that guard against information blocking into their ongoing compliance efforts.
For additional information, please refer to the information blocking resources on HealthIT.gov.