
Compliance Operations Overview: What are the Information Blocking Regulations?

The ONC 21st Century Cures Act is a federal law with a number of purposes, including prevention of information blocking practices. There are a series of regulations that were implemented to enforce the law. These regulations are known as the information blocking regulations.

The ONC 21st Century Cures Act is a federal law that prohibits information blocking. Information blocking occurs when healthcare providers, health IT developers, or health information exchanges interfere with access to electronic health information.

The law defines "actors" who can commit information blocking. These actors include:

  1. Healthcare providers
  2. Health IT developers of certified health IT
  3. Health information exchanges and health information networks

The regulations at 45 CFR Part 171 describe what counts as information blocking and when it is allowed.

What is Electronic Health Information?
Electronic health information is health data stored electronically. It includes the type of information that would be in a HIPAA designated record set as electronic protected health information (ePHI). Not all ePHI is EHI, however. ePHI, for example, includes psychotherapy notes and information compiled for legal proceedings, while EHI does not include this information.

What Counts as Information Blocking?
Information blocking is a practice that is likely to interfere with the access, exchange, or use of electronic health information.

Here are some examples of practices that could be information blocking:

Example 1: Charging Excessive Fees
A hospital charges a competing health system $10,000 to access a single patient's records electronically. The fee is far more than the hospital's actual costs. This unreasonable fee blocks access to the information.

Example 2: Refusing Reasonable Requests
A health IT vendor refuses to provide an interface that would let a hospital share data with other systems. While the vendor has the technical ability to do this, it refuses to because it wants to discourage the hospital from sharing this information. This refusal blocks the exchange of information.

Example 3: Creating Technical Barriers
An EHR system requires other systems to use a complicated, outdated format to request patient data. Modern, standard formats exist that would work better. The complicated format makes it very difficult to exchange information. This technical barrier blocks information exchange.

Example 4: Delaying Access Without Good Reason
A clinic takes 90 days to respond to a patient's request for their electronic health records. The clinic has the records available in its system. There is no technical problem. There is no valid legal reason for the delay. This unreasonable delay blocks access to information.

Practices that constitute information blocking are not permitted, unless they fall under one of the exceptions discussed below.

What are the Information Blocking Exceptions?
If an actor's practice meets one of these eight exceptions, it is not considered information blocking.

The eight exceptions are:

  1. Preventing Harm Exception - Refusing access to prevent harm to a patient or another person
  2. Privacy Exception - Refusing access to protect an individual's privacy
  3. Security Exception - Limiting access to protect the security of EHI
  4. Infeasibility Exception - Refusing infeasible requests
  5. Health IT Performance Exception - Temporarily making health IT unavailable for maintenance or improvements
  6. Manner Exception - Fulfilling requests in an alternative manner
  7. Fees Exception - Charging reasonable fees for EHI access
  8. Licensing Exception - Requiring licenses and charging royalties for proprietary interoperability elements

The first five exceptions involve situations where an actor does not fulfill a request for electronic health information. The last three exceptions involve how an actor fulfills such requests.

The Preventing Harm Exception
An actor can refuse to provide access to electronic health information to prevent harm to a patient or another person. This is allowed when certain conditions are met:

  1. The actor must reasonably believe that providing access will substantially increase a risk of harm.
  2. The actor's practice must be no broader than necessary to prevent the harm.
  3. The patient must be given the right to request review of the determination.

The Privacy Exception
An actor can refuse to provide access to electronic health information to protect an individual's privacy. This is allowed in certain situations.

Healthcare providers may refuse access in these situations:

Precondition not satisfied: Here, state or federal law requires a precondition be satisfied before providing access. A precondition might be patient consent or authorization. If the precondition has not been satisfied, the provider may refuse access.

The HIPAA Privacy Rule allows denial: If the HIPAA Privacy Rule allows a covered entity to deny access to ePHI in certain circumstances, a provider may deny access to EHI in those same circumstances.

Patient requests no sharing: A patient requests that their information not be shared. The provider may honor that request.

The Security Exception
An actor can limit access to electronic health information to protect its security. This is allowed when certain conditions are met.

The security practice that limits access must be:

  1. Directly related to protecting ePHI confidentiality, integrity, and availability
  2. Tailored to specific security risks
  3. Implemented consistently and without discrimination

The Infeasibility Exception
An actor may refuse a request for electronic health information if the request is infeasible. The actor must provide a written explanation to the requester within 10 business days.

This exception applies in these situations:

Uncontrollable events: Disasters, public health emergencies, internet outages, or acts of military or regulatory authorities prevent fulfillment.

Segmentation is impossible: The actor cannot separate the requested EHI from information that cannot legally be disclosed. This includes information that may be withheld under the Preventing Harm or Privacy exceptions.

Third party seeks modification rights: A requester wants to edit or change the EHI. The request may be refused.

Circumstances make compliance infeasible: Available financial and technical resources make compliance infeasible, or compliance costs make it infeasible. The actor must document why compliance is infeasible.

Manner exception exhausted: The actor has offered all alternative fulfillment methods required under the Manner Exception (discussed below). The actor still cannot fulfill the request.

The Health IT Performance Exception

An actor may temporarily make health IT unavailable for maintenance or improvements. An actor may temporarily degrade its performance for these purposes.

This is allowed when the practice:

  1. Lasts only as long as necessary
  2. Is applied consistently and without discrimination

Exceptions for How Requests Are Fulfilled

The Manner Exception

An actor may limit how it fulfills an EHI request. This is allowed when the actor cannot agree with the requester about how to fulfill the request. It is also allowed when the actor is technically unable to fulfill the request as specified.

The Manner Exception allows fulfillment in an alternative manner. When using an alternative manner, the actor must comply with the Fees Exception and the Licensing Exception discussed below.

Fees Exception

An actor may charge fees for EHI access, but only if those fees are:

  1. Based on objective, verifiable criteria applied uniformly
  2. Reasonably related to the actor's costs
  3. Not based on whether the requester is a competitor

When charging fees is prohibited: Individuals cannot be charged a fee for accessing their own EHI electronically. This applies when they access their records through certified health IT.

Note that HIPAA allows covered entities to charge reasonable fees when patients request copies of their records. 

But the information blocking regulations prohibit fees when individuals access their own EHI electronically through certified health IT. Actors must follow both sets of rules.

The Licensing Exception
Sometimes accessing, exchanging, or using EHI requires using an actor's proprietary technology, code, or methods. These are called "interoperability elements."

The licensing exception allows actors to protect their intellectual property. Actors can require licenses for use of their proprietary interoperability elements. Actors can charge reasonable royalties for those licenses. This is not considered information blocking when certain conditions are met.

An actor's licensing practice will not be considered information blocking when:

  1. The actor negotiates with the would-be licensee in good faith. Negotiations must start within 10 days. They must be completed within 30 days.
  2. The actor charges reasonable royalties, not excessive fees.
  3. The actor does not discriminate when imposing licensing terms.

Conclusion

The information blocking regulations protect patients' access to their electronic health information. They also promote the exchange of health information between healthcare providers, health IT systems, and other authorized parties.

Healthcare providers, health IT developers, and health information exchanges must not interfere with access to electronic health information. Interference - information blocking - is prohibited unless an exception applies.

The eight exceptions recognize legitimate reasons why an actor might not fulfill a request for information or might limit how it fulfills the request. These reasons include preventing harm, protecting privacy, maintaining security, dealing with infeasible requests, and maintaining IT systems.

Actors who rely on exceptions must meet all the conditions for that exception. They must apply their practices consistently and without discrimination. They must act in good faith.

Understanding these regulations helps ensure that patients can access their health information. It helps ensure that healthcare providers can exchange information to provide better care. It promotes interoperability across the healthcare system.