Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.
After the start of the COVID-19 public health emergency, the Department of Health and Human Services (HHS), prohibited “information blocking” practices by covered entities who had restricted the free flow of EHI. The essence of the rule is to mandate quick and easy access to EHI by covered entities as well as between those entities and clients or patients. The new federal rule will take effect on April 5, 2021, and is part of the 21st Century Cures Act, which is designed to promote secure access and exchange of electronic health information (EHI).
Before this rule, clients and patients needed to request a copy of their EHI, then could be asked to wait up to 30 days before gaining access. Once the rule is effective, professionals or organizations controlling this information will need to provide prompt and direct access to the EHR system or patient portal for patients to download their information.
What Is Information Blocking?
Information blocking is a practice that is likely to interfere with access, exchange, or use of EHI, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity. The new information blocking law applies to health IT developers of certified health IT, health information networks (HINs), health information exchanges (HIEs), or health care providers.
What is the Relevance of the HHS Information Blocking Rule to Providers?
In the midst of the COVID pandemic-related relaxation of enforcement for some of HIPAA’s other privacy and security rules, the Office for Civil Rights has stepped up its enforcement efforts in support of patient’s right to access to records as part of the OCR’s “HIPAA Right of Access Initiative,” announced in 2019. This initiative was taken in response to mounting complaints by patients who were being denied access to their records by their healthcare providers and organizations. These groups are known as “covered entities,” and further defined here. See Telebehavioral Health Institute’s (Telehealth.org) articles describing twelve enforcement actions related to the Right of Access: 5 HIPAA Violation Fines for Failing to Grant the Right of Access and More HIPAA Right of Access Violations Reported by OCR“ for more detailed enforcement information.
In the final Information Blocking Rule, HHS has identified eight categories of reasonable and necessary activities that do not constitute information blocking, provided certain conditions are met (referred to as “exceptions”). The exceptions support seamless and secure access, exchange, and use of EHI and offer actors the certainty that practices that meet the conditions of an exception will not be considered information blocking. These actors include the above-identified health IT developers, health information exchanges (HIEs), health information networks (HINs) or health care providers.
Does the New Information Blocking Rule Change HIPAA?
The new information blocking rule doesn’t change HIPAA’s rules about which types of health information can be accessed. The rule requires instant access, thereby removing the HIPAA 30-day time frame previously allowed for a response to a client or patient’s request for access to their electronic records. In short, the new rule applies to:
- Professionals who use EHRs
- Professionals who work in large health systems already be using EHRs
Information Blocking Rule Exceptions
- Professionals who keep EHI but do not have an EHR that allows for direct and instant patient access
- Professionals acting to prevent client or patient harm
- Professionals who keep paper records
For Further Information
For more information, including many additional examples of practices that could constitute information blocking, visit the Office of the National Coordinator for Health Information Technology (ONC) statement describing the Final Rule Policy and in particular, the Information Blocking webpage. Yet more general information can be obtained on the Cures Act Final Rule webpage.
HIPAA Compliant Cybersecurity for Professionals
Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.