Information Blocking: Cures Act Final Rule

The information blocking requirements of the Cures Act Final Rule will take effect on November 2, 2020. This means healthcare providers have barely a month to ensure they are in compliance or risk financial penalties. When it comes to allowing proper access to information as required by HIPAA, commonly called “Right of Access,” regulatory entities have already begun cracking down on violators. In 2019, the Office for Civil rights (OCR) at HHS had announced its intention to more aggressively enforce the rights of patients to have prompt access to medical records without being overcharged for it.  

Recent actions by the OCR have proven this was more than just talk. Back in mid-September, OCR-HHS settled five investigations into violations of the HIPAA Right of Access Initiative. The collective sum of the fines and penalties levied against the five organizations involved totaled $136,500 and ranged from as little as $3,500 to as much as $70,000 per organization.  

While there has been a lot of discussion around information blocking lately, there seems to be some confusion as to what that does (and does not) include. This blog will define what actions are considered information blocking as well as what exceptions are made, and to let providers know how all of this applies to them, their staff and their practices. 

The Cures Act Final Rule on Information Blocking 

According to the Cures Act Final Rule, information blocking is defined as “a practice by a health IT developer of certified health IT, health information network, health information exchange, or healthcare provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).”  

Here are specifics as to what constitutes information blocking, as detailed in Section 4004 of the Cures Act, which considers the following practices as violations: 

• Practices that restrict authorized access, exchange or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT) 

• Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using EHI 
• Implementing health IT in ways that are likely to do the following: 
  
  
  • Restrict the access, exchange or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems
  • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange and use, including care delivery enabled by health IT 
    
    

Exceptions to Information Blocking  

It is important to note that there are eight possible exceptions to the above listed definitions of information blocking. These exceptions are as follows (please note that each exception has certain conditions that must be met, as explained via this link): 

1. Prevent Harm Exception – It is not considered an information blocking violation if an actor does so in a situation where it is reasonable and necessary in order to prevent harm to a patient or another person.  
   
   
2. Privacy Exception – It will not be considered a violation if an actor does not fulfill a request to access, exchange or use EHI in order to protect an individual’s privacy. 
   
   
3. Security Exception – It will not be considered a violation if an actor interferes with the access, exchange or use of EHI in order to protect the security of EHI. 
   
   
4. Infeasibility Exception – It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI due to the infeasibility of the request (meaning it cannot be reasonably achieved under current conditions). 
   
   
5. Health IT Performance Exception – It will not be considered a violation if an actor takes reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT. 
   
   
6. Content & Manner Exception – It is not information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange or use EHI. 
   
   
7. Fees Exception – It is not a violation for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging or using EHI. For example, if the standard and reasonable fee is not paid by the individual making the request. 
   
   
8. Licensing Exception – It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged or used. 

What All of This Means for Healthcare Providers 

According to Healthit.gov, there are four main areas of focus that clinicians should observe to maintain compliance with the Cure Act Final Rule: 

1. Make patient data requests easy and inexpensive  
2. Allow choice of apps via open APIs  
3. Implementation of practices that are considered reasonable and necessary activities that do not constitute information blocking 
4. Improve patient safety by balancing transparency of patient data while protecting the security of health IT 

While concerns about information blocking and HIPAA violations should always be top of mind for providers and staff, a little knowledge and training goes a long way. Be sure all members of your staff know what information blocking is as well as how to avoid it to ensure you don’t end up being slapped with fines and penalties for something that can be so easily avoided. 

To learn how Nextech’s integrated solutions can help your practice with interoperability and data transparency, or how our team of experts can assist with compliance, fill out this form and we will be in touch soon.