When is it Permitted to Block Information?
Although the Interoperability and Information Blocking Rule prohibits healthcare providers from blocking information, there are certain circumstances in which the Rule does not apply.
- The information blocking is in accordance with the law. For instance, healthcare providers can not disclose EHI in a manner that would violate HIPAA or state privacy laws. If, however, HIPAA or state laws allow for EHI to be disclosed for the purpose it is being requested, the information blocking rule applies.
- The healthcare provider was not aware that it was blocking access to EHI. The Office of Inspector General (OIG) has stated that it, “will not bring enforcement actions against actors who OIG determined made innocent mistakes (i.e., lack the requisite intent for information blocking).”
- The provider is subject to a regulatory exception. The Department of Health and Human Services (HHS) has deemed the following eight practices acceptable, even though they may disrupt information sharing.
Preventing harm. Information blocking is permitted if a healthcare provider determines that the practice will substantially reduce the risk of harm to a patient or other person.
Protecting patient privacy. Blocking EHI sharing is permitted if (i) state or federal privacy laws impose preconditions to access that have not been satisfied; (ii) HIPAA allows the provider to deny access to the individual; or (iii) the patient has requested that her/his information not be shared. (45 C.F.R. § 171.202; see 85 FR 25844-25859).
Protecting EHI security. Healthcare providers are permitted to block EHI sharing to ensure the confidentiality, integrity, and availability of ePHI when (i) done consistently with the providers’ organizational security policies or (ii) when there has been a specific determination that there are no reasonable, less obstructive alternatives to secure the EHI. (45 C.F.R. § 171.203; see 85 FR 25859-65).
Access is infeasible. EHI access may be blocked if (i) extraordinary circumstances beyond its control prevent the provider from fulfilling the request; (ii) the provider cannot segregate the requested EHI from other information that is not subject to access; or (iii) the provider demonstrates that responding to the request is not feasible due to, i.e., the type of information, cost, available resources, control of the relevant platform, etc. Within ten (10) days of the request, the provider must notify the requestor in writing of the reason for failing to provide the access requested. (45 C.F.R. § 171.204; see 85 FR 25865-70).
Maintenance and improvement. EHI access may be temporarily blocked for improvement and maintenance of health IT. (45 C.F.R. § 171.205; see 85 FR 25870-75).
Content and manner. EHI access must be granted in the format requested unless the provider cannot technically fulfill the request; however, limits on fees for record requests still apply. (45 C.F.R. § 171.301; see 85 FR 25875-79).
Fees. Reasonable fees may be charged for exchanging or accessing EHI, as long as costs are based on provider’s costs for providing records. (45 C.F.R. § 171.302; see 85 FR 25879-88).
Licensing. Licensing interoperability elements is permitted as long as negotiating is complete within ten (10) days of the request, and is in compliance with regulatory standards. (45 C.F.R. § 171.303; see 85 FR 25888-97).
When is it Prohibited to Block Information?
The Rule prohibits information blocking when a provider knows that it, “is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” It also prohibits information blocking unless (i) the practice is required by law, or (ii) the practice fits within one of the exceptions listed above. (45 C.F.R. § 171.103(a)).
How to Comply with the Interoperability and Information Blocking Rule
There are five steps that you can take to ensure that you are complying with the Interoperability and Information Blocking Rule.
- Identify and educate stakeholders on information sharing practices.
- Review EHI practices and make adjustments if necessary.
- Review EHI system functionality to ensure that they are configured properly to facilitate information sharing.
- Respond appropriately to requests for information sharing.
- Pay attention to newly released guidance.
Penalties for Violations
The Office of Inspector General (OIG) stated that it will issue fines of up to $1,000,000 for failing to comply with the Interoperability and Information Blocking Rule. When determining how much to fine an organization for violating the Rule, OIG will consider the following factors: (i) the nature and extent of the information blocking; (ii) the resulting harm, including (a) the number of patients affected, (b) the number of providers affected, and (c) the number of days the information blocking persisted. (85 FR 22991; proposed 42 C.F.R. § 1003.1420).