As a medical release of information vendor, we get a lot of questions about the 21st Century Cures Act (Cures Act) and the accompanying Office of the National Coordinator (ONC) Information Blocking Final Rule. So, we decided to answer some of your most frequently asked questions and share a few examples of what qualifies as information blocking to provide additional clarity to this admittedly confusing subject.
What Exactly is Information Blocking?
In the Cures Act, Congress worked to give patients easier access to their medical records through the prohibition of information blocking by a covered entity under HIPAA. Cue the celebrate emojis: access and interoperability are absolutely essential in the digital health era, and they greatly improve patient care, which is what everyone wants.
Now, let’s dive deeper into information blocking specifically.
The Cures Act defines information blocking as including any act that “is likely to interfere with access, exchange, or use of electronic health information…that may include practices that restrict authorized access, exchange, or use under applicable State or Federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies.”
The Information Blocking Final Rule, which is what the Cures Act authorized and what you commonly hear referenced, similarly describes information blocking for providers as an act that a provider “knows…is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.”
So, what does that all mean? Simply put, healthcare organizations and other covered entities under HIPAA can’t improperly withhold electronic health information. And if they do, penalties can be levied against their organization. One important note here: unfortunately, the definitions of “electronic health information”, “ePHI” and “PHI stored in a digital format” aren’t synonymous, although we see them used interchangeably all the time. For a deeper dive into the specific usage of terms, here is a helpful FAQ from ONC.
Now, Let’s Answer Some Information Blocking Frequently Asked Questions.
We get a lot of questions about what does and what does not constitute information blocking. Below are a few of the most commonly asked questions. Have a question that you don’t see below? Let us know and we’ll answer it in an upcoming blog!
Does information blocking only apply to patient right of access requests?
This is one of the most confusing, and therefore most commonly misunderstood, applications of the Information Blocking Rule. There is nothing in the definition of information blocking that supports applying it only to right of access requests. Information blocking applies to all electronic health information, and therefore, any request relating to electronic health information.
Can I exclude records from an external provider or other outside source when I receive a medical records request?
No. The definition of information blocking clearly states that all “electronic health information” should be provided – there’s no qualifier for whether that information originated from inside your organization or from another provider. Therefore, excluding records solely because they were generated by an external provider or other source such as a payer is likely to trip the information blocking wire.
I have multiple locations (clinics, hospitals, etc.) – Can I limit release to just one location without information blocking?
There is nothing in the definition of information blocking that would allow for the exclusion of some records in this case. A possible exception would be if your organization has different repositories of electronic health information at different locations, such as a different Electronic Health Record (EHR) system at each location. If the request should include records from multiple locations, and those records are accessible in the same EHR, records from both locations must be included.
As a provider, can I try to verify a requestor’s identity without information blocking?
You can and you should! Anyone releasing medical records (whether it’s someone at your organization or a vendor that you’re partners with, like HealthMark) should be verifying a requestor’s identity to avoid an erroneous release of a patient’s private health information. The Information Blocking Rule’s requirement around verification measures is that they cannot be “unreasonable.” The same security and privacy protections of HIPAA are still at play; the Information Blocking Rules are not a HIPAA workaround.
Information Blocking Examples
Now that we’ve dissected what information blocking is and answered some FAQs, let’s dive into a few examples.
Most information blocking violations are inadvertent, and that’s why it’s even more important to understand what could possibly get your organization in hot water. Here are a few reasons we’ve seen organizations be reported to the ONC Information Blocking Portal:
- Charging excessive fees. Providers can charge fees that are appropriate and governed by HIPAA, HITECH, and state law to make health information available. Any fees that fall outside of these guardrails are ill-advised.
- Disproportionately limiting the length of time that a requester has access to their requested information. An example here would be providing one-time access or a very short window of time, such as less than 48 hours, to access records before making them unavailable.
- Refusing to transfer EHI to a patient-selected third party without a valid reason under the exceptions or exclusions of the rule.
This list is just the tip of the iceberg when it comes to information blocking examples. For additional information, check out the ONC’s Information Blocking Resource Library
The Bottom Line on Information Blocking
In summary, the ONC takes information blocking seriously, as you can see by the number of claims in this report received through the Information Blocking Portal. As a provider, it’s important to take necessary steps to encourage interoperability and information sharing as appropriate. But as you know, exactly which steps to take can be fuzzy at best. We hope this blog helps clear up some of the confusion around this complex topic, and helps you outline the right path forward for your organization. If you have any other questions about information blocking, please let us know and we will cover them in an upcoming blog.