What is the Interoperability and Information Blocking Rule?

The Interoperability and Information Blocking Rule, taking effect on November 3, 2020, enables the exchange of electronic health information (EHI). The Rule was enacted with the intention of increasing patient access to information, lowering costs, and improving outcomes. The Rule prohibits covered entities from blocking information sharing, and imposes civil penalties for violations. More details are discussed below.

When is it Permitted to Block Information?

Although the Interoperability and Information Blocking Rule prohibits healthcare providers from blocking information, there are certain circumstances in which the Rule does not apply.

1. The information blocking is in accordance with the law. For instance, healthcare providers can not disclose EHI in a manner that would violate HIPAA or state privacy laws. If, however, HIPAA or state laws allow for EHI to be disclosed for the purpose it is being requested, the information blocking rule applies.
2. The healthcare provider was not aware that it was blocking access to EHI. The Office of Inspector General (OIG) has stated that it, “will not bring enforcement actions against actors who OIG determined made innocent mistakes (i.e., lack the requisite intent for information blocking).”
3. The provider is subject to a regulatory exception. The Department of Health and Human Services (HHS) has deemed the following eight practices acceptable, even though they may disrupt information sharing.

Preventing harm. Information blocking is permitted if a healthcare provider determines that the practice will substantially reduce the risk of harm to a patient or other person.

Protecting patient privacy. Blocking EHI sharing is permitted if (i) state or federal privacy laws impose preconditions to access that have not been satisfied; (ii) HIPAA allows the provider to deny access to the individual; or (iii) the patient has requested that her/his information not be shared. (45 C.F.R. § 171.202; see 85 FR 25844-25859).

Protecting EHI security. Healthcare providers are permitted to block EHI sharing to ensure the confidentiality, integrity, and availability of ePHI when (i) done consistently with the providers’ organizational security policies or (ii) when there has been a specific determination that there are no reasonable, less obstructive alternatives to secure the EHI. (45 C.F.R. § 171.203; see 85 FR 25859-65).

Access is infeasible. EHI access may be blocked if (i) extraordinary circumstances beyond its control prevent the provider from fulfilling the request; (ii) the provider cannot segregate the requested EHI from other information that is not subject to access; or (iii) the provider demonstrates that responding to the request is not feasible due to, i.e., the type of information, cost, available resources, control of the relevant platform, etc. Within ten (10) days of the request, the provider must notify the requestor in writing of the reason for failing to provide the access requested. (45 C.F.R. § 171.204; see 85 FR 25865-70).

Maintenance and improvement. EHI access may be temporarily blocked for improvement and maintenance of health IT. (45 C.F.R. § 171.205; see 85 FR 25870-75).

Content and manner. EHI access must be granted in the format requested unless the provider cannot technically fulfill the request; however, limits on fees for record requests still apply. (45 C.F.R. § 171.301; see 85 FR 25875-79).

Fees. Reasonable fees may be charged for exchanging or accessing EHI, as long as costs are based on provider’s costs for providing records. (45 C.F.R. § 171.302; see 85 FR 25879-88).

Licensing. Licensing interoperability elements is permitted as long as negotiating is complete within ten (10) days of the request, and is in compliance with regulatory standards. (45 C.F.R. § 171.303; see 85 FR 25888-97).