All healthcare providers need to be aware that the federal government has recently issued new regulations that will affect the rights of patients as well as third parties to access healthcare providers’ medical records. In 2016, Congress passed the 21st Century Cures Act (Cures Act) which contained a multitude of healthcare reforms. One of the goals of the Cures Act was to enhance patient access to their medical records as well as to promote the ability of all parties in the healthcare industry to communicate seamlessly across various software platforms and electronic devices. Over a period of years, regulations were proposed under the title “Information Blocking,” and those regulations were recently finalized. Compliance with the Information Blocking Rule is required as of April 5, 2021.
WHAT IS INFORMATION BLOCKING?
Pursuant to the new regulations, information blocking is defined as “any practice that is likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of Electronic Health Information (EHI).” Examples of information blocking by healthcare providers may include practices that make it difficult or impossible for patients to access their electronic health records. Another example would be actions by healthcare providers to prevent or obstruct access to his or her medical records by other treating providers.
WHO DOES THE INFORMATION BLOCKING RULE APPLY TO?
The new regulations apply to:
- Healthcare providers of all kinds
- Health information technology companies
- Health information networks
- Health information exchanges
WHAT SPECIFIC HEALTH INFORMATION IS COVERED BY THE INFORMATION BLOCKING RULE?
Until Oct. 5, 2022, the types of medical records subject to the rule (and which must be fully accessible) are:
- Consultation notes
- Discharge summary notes
- Procedures notes
- Progress notes
- Imaging report narratives
- Lab report narratives
- Pathology report narratives
- History and Physical (H&P) examinations
After Oct. 5, 2022, the rule will apply to all Electronic Protected Health Information (ePHI) as defined by HIPAA. This will include most materials in healthcare providers’ charts regarding a patient, including billing records.
WHAT DOCUMENTS OR RECORDS ARE EXCLUDED FROM THE INFORMATION BLOCKING RULE?
The Information Blocking Rule specifically excludes “psychotherapy notes,” as defined by HIPAA as well as documents and information prepared in anticipation of litigation.
ARE THERE EXCEPTIONS TO THE INFORMATION BLOCKING RULE?
The new regulations have eight broad exceptions that permit healthcare providers to block access to health information in certain situations. If any of the following eight exceptions apply, the healthcare provider is not required to provide access and will not be penalized for doing so:
- Preventing Harm Exception
- Privacy Exception
- Security Exception
- Infeasibility Exception
- Health Information Technology Performance Exception
- Licensing Exception
- Fees Exception
- Content and Manner Exception
These exceptions come with various “conditions” that must be satisfied before the exception will apply. The exceptions are technical, complicated and must be worked through carefully in order to understand and apply them in any given situation. The greatest downside of the new regulations is the complexity and difficulty in applying the rules.
WHAT IS THE INTERPLAY BETWEEN HIPAA AND THE INFORMATION BLOCKING RULE?
This is a complicated issue. The following information contrasts and compares the overlapping requirements of HIPAA and the Information Blocking Rule.
As can be seen above, the Information Blocking Rule is intended to enhance patients’ rights to access their health information. It is also intended to promote communication and sharing of information between healthcare providers and with health information technology companies.
It is also important to note the following from the official comments to the Information Blocking Rule:
We do not require the disclosure of Electronic Health Information (EHI) in any way that would not already be permitted under the HIPAA Privacy Rule. However, if an actor is permitted to provide access under HIPAA, then the Information Blocking Rule would require that the actor provide that access so long as the actor is not prohibited by law from doing so.
In other words, in the many situations where HIPAA permits disclosure or access to health information, the Information Blocking Rule will require such to be done. For example, under HIPAA, if another treating healthcare provider requests access to your records, HIPAA only says that you may provide such access. Under the Information Blocking Rule, however, such access must be allowed or the provider will be guilty of information blocking.
WHAT SHOULD HEALTHCARE PROVIDERS DO NOW TO COMPLY WITH THE NEW REGULATIONS?
Healthcare providers should make both technical and operational changes to comply with the new regulations. From a technical standpoint, providers should contact their Electronic Health Records (EHR) vendors to ensure that their EHR software is certified to comply with the Information Blocking Rule. Providers should also have a careful discussion with their vendors as to the mechanics of how and under what circumstances access will be allowed to the providers’ electronic medical records.
From an operational standpoint, the following is recommended:
- Training of staff on the new regulations
- Modifications to the HIPAA Notice of Privacy Practices
- Potential modifications to HIPAA Business Associate Agreements
- Revisions to HIPAA policies regarding access to medical records
As can be seen, most of the technical and operational changes discussed above relate to the issue of access to healthcare providers’ records, not only by patients, but also by other healthcare providers and third parties.
WHAT ARE THE PENALTIES FOR INFORMATION BLOCKING?
To be held responsible under the Information Blocking Rule, healthcare providers must have intent to act in a way that would block or prevent access to health information. Mere negligence is not enough to constitute a violation. The penalties under the new regulations are different for health information technology companies and healthcare providers. Health information technology companies who are found to be in violation of the new rules will be subject to civil monetary penalties of up to one million dollars per violation. By contrast, for healthcare providers, there is no current monetary penalty, although the regulations state that violators will be referred to “an appropriate agency” for imposition of “appropriate disincentives.” Obviously, this is extremely vague and the reality is that until the government issues further regulations, healthcare providers are unlikely to be severely penalized at this time. This is likely to change over the next year as further rules are implemented.
WHAT MALPRACTICE AND RISK MANAGEMENT CONCERNS ARE RAISED BY THE NEW INFORMATION BLOCKING RULE?
Under the Information Blocking Rule, patients will have greater and, at times, immediate access to health information. This is good in the sense that patients can be more engaged and informed about their health and health care. It is of concern, however, for the unwary practitioner. Provider notes can be misread and misunderstood by patients. Provider notes may be stated in a way that is offensive to the patient, or the records can simply be incorrect. Providers will need to take care to ensure that records are accurate, informative and non-offensive. Practitioners will need to assume that all notes will be read by the patient and recognize the practical and legal implications.
Providers will need to take care with certain sensitive words, such as “obesity,” “addict,” “non-compliant,” “patient refuses,” etc. Practitioners should never fail to accurately and properly document difficult issues, but rather than using terms such as “non-compliant,” they should simply describe the behavior by the patient that constitutes the non-compliance.
As in the past, providers need to be very careful with the use of templates and other common features of Electronic Health Records. Copying and pasting and “carry forward features” continue to be very troublesome, and this will be amplified with greater patient access under the Information Blocking Rule.
The issue of “access” to health information, particularly patient access to such, has been slowly evolving for 20 years. In 2003, HIPAA created a right of access which was not particularly robust. In 2009, the HI-TECH Act strengthened that right of access and brought it into the digital age. Now, the Information Blocking Rule has further enhanced the right of access, not only for patients, but for all players in the healthcare industry.