Starting April 5, 2021, information blocking will no longer be allowed thanks to changes that were kicked off by 2016’s 21st Century Cures Act. In short, information blocking involves interfering with the exchange, access, or use of electronic health information.
There are many ways information can be “blocked,” but the term broadly refers to improperly restricting access to private health information. Information blocking can sometimes occur by misapplying the HIPAA Privacy Rule, but it is not always intentional. Poorly designed IT systems can also prevent patients from accessing important health information.
A Brief Background on Information Blocking
Congress passed the 21st Century Cures Act to modernize the health care system. With many hospitals and organizations adopting electronic medical records and other technology, the bill focused on improving the interoperability of technology and increasing patient access to their health information. The 21st Century Cures Act builds on HIPAA, which was passed in 1996 before the widespread adoption of online health technology. Under HIPAA, patients have the right to access and receive copies of their health information.
The Office of the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule added exceptions and health IT certification requirements, but the Department of Health and Human Services postponed compliance requirements due to the pandemic. HHS set the new date for the information blocking provisions to begin on April 5, 2021.
What Is Information Blocking?
Information blocking is any practice that is likely to interfere with the use, access, or exchange of electronic health information. It applies to three specific groups:
- Healthcare providers
- Health IT developers of certified health IT.
- Health information networks and health information exchanges
Examples include:
- Improperly citing the HIPAA Privacy Rule as the reason for not sharing ePHI.
- Imposing fees that make the exchange of information cost prohibitive.
- Implementing technology in non-standard ways to limit the interoperability of the information.
- Locking patients in to a particular technology or standard so that their health information is not portable.
Information Blocking Exceptions
There are eight separate categories of exceptions. The first group include exceptions that involve not fulfilling requests for access, exchange, or use:
- Privacy
- Security
- Preventing harm
- Infeasibility
- Health IT performance
The second are exceptions that involve procedures for fulfilling requests for access, exchange, or use:
- Licensing
- Fees
- Content and manner
In situations that meet these exceptions, interfering with the sharing, use, or access to health data is not considered information blocking. The categories are nuanced, so you should really refer to the link for specifics.
One basic example would be an IT department denying an information request during a natural disaster event that impacted a data center. It would not be feasible for an IT department to grant access during the outage and an exception may be granted. However, the entity needs to reply to the requester within 10 business days to explain why the request could not be fulfilled. Requests cannot be ignored.
Proposed Penalties
The Office of the Inspector General has not yet announced the finalized penalty. However, the proposed rule states that the maximum penalty for each violation would not exceed $1 million.
How to Prepare for the Information Blocking Changes
Starting on April 5, 2021, organizations that are responsible for compliance will need to ensure that they are not engaging in information blocking practices (unless covered by an exception).
If an organization is improperly restricting information, it will need to make technical and operational changes to stop the practice. This may include updating policies and business associate agreements to ensure that data is available when requested.
Depending on the technology utilized, ending the practice of information blocking may be a significant undertaking. If large overhauls to current governance standards and infrastructure are required, organizations should:
- Develop an action plan that reviews requirements and establishes an appropriate governance structure.
- Review access policies to meet the new requirements.
- Set up a process for evaluating situations where the eight exceptions apply.
- Give employees comprehensive training where appropriate.
The information blocking changes may help to facilitate a better healthcare environment, but they are also a significant undertaking for certain stakeholders. Managing them appropriately will require diligence and attention to bring about the best outcomes for patients, and to reduce the chances of facing penalties from violations.