Consider this – On April 6, you get a medical records request from a patient who asks for their records to be sent so they can access them on their smartphone. What is your first thought?
- “HIPAA allows me 30 days to fulfill this request, so I will get to it when I can.”
- “I guess I could send the records to the patient’s email if they want to access them from their phone.”
- “I think our EHR has a patient portal function, but I’m not sure we ever turned that on.”
If you agreed with any of these thoughts, you have some work to do to be able to comply with the new Information Blocking Rule. Without education for key staff and solid processes in place to ensure a timely response in the right manner, your organization could be accused of information blocking. If you have no idea what this rule is, keep reading for some insight.
What is Information Blocking and why is it getting so much attention, particularly in the midst of a pandemic? The 21st Century Cures Act was signed into law in December 2016. That is not a typo – it was enacted more than 4 years ago. So why did it take so long to get here? Before the law could be put into action, the Office of the National Coordinator (ONC) for Health IT had to write the Cures Act Final Rule. Well, they did, and the original November 2020 implementation date was delayed due to the pandemic, but now the official effective date is here – April 5, 2021! (Note: This rule does not override other state or federal laws, including HIPAA Privacy and Security Rules.)
The intent of the rule is to reduce practices that prevent the access to, exchange of, and use of electronic health information (EHI). This part of the law is termed “information blocking” which is defined as “practices by an actor that likely interfere with, prevent, or materially discourage the access, exchange, or use of EHI, except as required by law or covered by an exception.” The “actors” are healthcare providers, developers of certified health IT, and health information networks/exchanges (HINs/HIEs). Business Associates are not included unless their primary business makes them one.
Don’t panic! Unless your EHR has a patient portal, I expect that you can comply quite readily. The rule does not require you to purchase or implement any specific products or functionality. But if your EHR has a portal, then you do need to learn to use it and grant access. While your hospice EHR may not have a patient portal, some palliative care EHRs do have them. Thus, if you use two EHRs, you’ll have to design a process for all medical records.
If your EHR does not have a patient portal, then you can provide the requested information in an alternative manner such as via encrypted email or paper. If you already have good processes in place to promptly handle medical records requests, then there is less to be concerned about.
What information is covered by the rule? Before October 6, 2022, EHI is limited to what is identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard. This is a comprehensive list similar to what we often release to patients, families, and providers. Some of the categories included in the USCDI include the following: Assessment and Plan of Treatment, Medications, Clinical Notes, Problems, and Goals.
ONC has defined eight exceptions. As long as documentation supports the use of an exception, the practice will not be considered information blocking. A practice not meeting an exception will be evaluated on the merits of the case. The exceptions are divided into two categories – 1) Not fulfilling requests, and 2) Procedures for fulfilling requests. Examples of exceptions include Preventing Harm, Privacy, Security, Infeasibility, Content and Manner, and Fees. For more information on exceptions, refer to the Health IT Information Blocking Exceptions webpage.
Some examples of conduct that may be considered information blocking include the following:
- You charge fees that make exchanging EHI cost prohibitive.
- Your policies or contracts prevent or limit sharing of information.
- You inappropriately cite the HIPAA Privacy Rule as a reason not to share information. It is critical that staff who respond to medical record requests understand there is a difference between safeguarding information in accordance with HIPAA and doing something to create an unnecessary obstacle.
- Your policy requires a patient’s written authorization before sharing with unaffiliated providers for treatment purposes. (Hint: This works in your favor for referrals and continuity of care!)
There are several actions you can take to help ensure compliance.
- Read the information at the links provided and become more familiar with the Rule.
- Determine if your EHR has a patient portal. If so and it is not in use, contact your EHR vendor for training.
- Review, and revise if needed, policies on receiving, tracking, and fulfilling all medical records requests for all service lines.
- Be sure that you have processes to provide records without unreasonable delay.
- Determine what methods you have to provide medical records so that you can identify an alternative manner when you technically cannot fulfill the request.
- Educate staff on who to direct medical record requests to and stress the importance of doing so promptly.
- If your EHR does not have a patient portal, contact your vendor to determine if they are developing one so that you know to be attuned to information on that when available.
- All prior HIPAA rules remain in place, so this is a great time to look at your processes for the exchange, use, and access of electronic, paper, and oral data, also known as protected health information (PHI).
I hope you now have more insight into tackling compliance to ensure no information blocking takes place. But there is more to the rule and I have culled only some of the major points of the rule for you, so it is imperative that you read more for yourself. I suggest you start with ONC’s Information Blocking webpage. Remember that it is your responsibility to ensure that your organization complies with all rules and regulations. The Office of Inspector General (OIG) must wait for additional rulemaking before they can impose penalties for information blocking, so take this reprieve and ensure you have solid processes!
(This blog does not address all situations and is for informational purposes only.)
Annette Kiser, Chief Compliance Officer,
Teleios Collaborative Network