Effective April 5, 2021, Health Care Providers are prohibited from blocking access, exchange, or the use of protected electronic health information (“EHI”), or engaging in an act or omission or practice that is unreasonable and likely to interfere with the access, exchange, or use of EHI.
The definition of “Health Care Providers” is comprehensive, and includes physicians, nurse practitioners, physician assistants, psychologists, hospitals, skilled nursing facilities, nursing facilities, home health care agencies, long-term health care facilities, ambulatory surgical centers, etc.
Health Care Providers should anticipate receiving EHI requests from patients, their representatives, or other health care providers. If a Health Care Provider does not have electronic health records (“EHR”), they should be prepared to work with the requestor to provide the information in a reasonable format, such as via paper, in a mutually agreed, timely manner.
Failure of a Health Care Provider to comply can result in requestors reporting the Health Care Provider to the U.S. Department of Health & Human Services - Office of the National Coordinator for Health Information Technology (“ONC”). Upon receiving a report, the ONC may further investigate the Health Care Provider for noncompliance with the Information Blocking Rule, and involve the Office of the Inspector General to impose civil monetary penalties.
A. Generally, What are Health Care Providers Required to Disclose?
When a Health Care Provider receives a request to access, exchange, or use EHI, they are to respond with the data elements represented in the United States Core Data for Interoperability (“USCDI”) standards found here.
The USCDI standards include:
1. Allergies and Intolerances.
a. Substance (Drug Class)
b. Substance (Medication)
2. Assessment and Plan of Treatment
3. Care Team Members
4. Clinical Notes (including structure and unstructured data),
a. Pathology Report Narratives.
b. Consultation Note
c. Discharge Summary Note
d. History & Physical
e. Imaging Narrative
f. Laboratory Report Narrative
g. Procedure Note.
h. Progress Note
5. Patient’s Goals
6. Health Concerns
10. Patient Demographics
a. Full Name (including previous names)
b. Birth Sex
c. Date of Birth
f. Preferred Language
g. Addresses (current and previous)
h. Phone Number and type of Phone Number
i. Email address
13. Provenance (metadata on who created the data)
14. Smoking Status
15. Unique Device Identifier(s) for a Patient’s Implantable Device(s)
16. Vital Signs
Health Care Providers are to provide as much of the above information as they can, so long as it is relevant for their practice. For example, if a patient does not have an implantable device, or a Health Care Provider does not collect laboratory results, the Health Care Provider is not to “create” information to complete these fields.
B. Example of a Relevant Exception to an EHI Disclosure
The Information Blocking Rule provides several exceptions allowing Health Care Providers to delay or withhold EHI for the safety of the patient and the privacy and security of the patient’s EHI.
Health Care Providers are most likely to elect the “Preventing Harm” exception where they engage in practices that are reasonable and necessary to prevent harm to a patient or person, provided that:
1. the Health Care Provider holds a reasonable belief that the practice will substantially reduce the risk of harm to the patient;
2. The practice is no broader than necessary;
3. The practice must satisfy at least one condition from the following categories:
a. type of risk, which refers to whether a licensed health care professional who has a clinical-patient relationship with the patient determines that there is risk in disclosing the EHI, or there is a belief that the data requested is reasonably suspected to be misidentified, mismatched, corrupted, or erroneous;
b. type of harm, which refers to how withholding the EHI likely, or does in fact, interfere with the patient or their legal representative’s right to access, exchange, or use their EHI;
c. and implementation basis, which refers to how the practice implemented is based on the Health Care Provider’s organizational policy or a determination specific to the facts and circumstances; and
4. The practice must satisfy the condition concerning a patient’s right to request review of an individualized determination of risk of harm.
For example, a Health Care Provider can apply the Preventing Harm exception and delay providing the requestor access to laboratory and pathology results that are pending confirmation or considered not reliable for purposes of clinical decision making, or delay providing notes that a clinician has begun to draft, but cannot finalize, until they receive confirmed laboratory or pathology results.
The Preventing Harm exception does not apply if the data requested (even if incomplete) is used to make health care decisions about an individual. The Preventing Harm exception also does not provide a “blanket” several day delay on the release of laboratory or other test results to patients so an ordering clinician can evaluate each result for the potential risk of harm associated with the release. This exception is designed to cover only those practices that are no broader than necessary to reduce a risk of harm to the patient or another person.
Additional exceptions also may apply. If the Health Care Provider struggles to sequester the non-finalized clinical notes and laboratory/pathology results in EHI from disclosure to the requestor, the “Content” and Manner” and “Infeasibility” exceptions may apply. The “Content and Manner” exception addresses the technical issues a Health Care Provider may have in complying with the EHI request. The “Infeasibility” exception addresses situations such as when a Health Care Provider cannot unambiguously sequester the non-finalized clinical notes and laboratory/pathology results in EHI from disclosure. A Health Care Provider should check if its EHR provider has the technical means to sequester EHI requested.
C. Recommended Action Items
To comply with the Information Blocking Rule, Health Care Providers should:
1. Confirm that their EHR provider complies with the 21st Century Act and obtain any updated Privacy Policies from them.
2. Draft a policy and procedure on how they will handle EHI requests, including
a. to what extent they will educate requestors on how to use the EHR; and
b. preparing extensive documentation when applying an Exception in support of not responding to a request.
3. Train staff on the policy and procedure to handle EHI requests.
4. Review their Notice of Privacy Practices to include how requestors can report any suspected information blocking.
The law and guidance on implementation of the 21st Century Cures Act continues to evolve. We will update this Alert to reflect such changes. Please do not hesitate to contact one of the listed Roetzel attorneys for further information or to assist with implementation of the above.View PDF