Beginning on November 2, 2020, health care providers around the nation must ensure compliance with the newly published Information Blocking Regulations (the “Regulations”). Reflecting a shift in how health care providers must provide access to electronic health information, these Regulations aim to improve the quality and availability of health care but also pose a risk for health care entities who find themselves unprepared. To learn more about information blocking and the Regulations, see Hall Render’s article on the topic here.

The Regulations prohibit Actors from engaging in any practice that is likely to interfere with access, exchange or use of EHI. The Regulations apply broadly to any system, activity or process of an Actor that relates to or governs the provision of access to EHI. Actors risk liability if they intentionally interfere with the access, exchange or use of EHI, unless such practice fits completely within 1 of the 7 exceptions. Responding to this new regulatory obligation requires a coordinated response by Privacy, Security, IT Operations, Health Information Management, Clinical leadership (to the extent the request implicates the Risk of Harm exception) and legal (“IB Committee”). The IB Committee must review past practices, prepare the health system and its staff for the new obligation and ensure that access to patient information is a component of future planning and strategy.

Past. Evaluate existing policies, procedures and IT strategies that may adversely impact or create barriers to patient access.

  1. IT Systems. That means an Actor must review the policies and IT systems that hold the designated record set to identify policies, procedures, system rules and non-standard configurations that could interfere with access, exchange or use of EHI.
  2. Access policies. In addition, an Actor should review existing policies related to how, when and under what circumstances EHI is disclosed and/or access via APIs is provided. The scope of policies includes, but will likely not be limited to, policies that address privacy, security, HIM, suppression or delays in the release of patient information and system policies related to responses to subpoenas for patient information (a/k/a ROI requests).

Present. The Regulations impose an obligation on Actors to receive and respond to a request for access within a limited time window. Compliance with the Regulations will require the development of a process for receiving and evaluating a request within the context of the Information Blocking exceptions within the narrow time frames permitted by the Regulations. The findings of the IB Committee might result in a response of reformulating the request through the content and manner exception or outright denying the request through the infeasibility exception.

In addition, the activities of the IB Committee will likely result in the definition or revision of various operational policies and procedures. Because a response of infeasible requires the Actor to respond in 10 business days from the receipt of the request, we are advising Actors to proactively gather together those policies and procedures that are reasonably anticipated to be needed to respond to a request for an API and have a process and workflow in place to coordinate the response by the IB Committee within the compressed timeframe.

Finally, Clinical staff will need to be trained regarding when and how to document risk of harm and patient preferences with respect to the use and disclosure of patient information, particularly in relation to the treatment of minors.

Future. Compliance with the Regulations must be included as a consideration in the design, support and maintenance of the IT systems containing the designated record set on a go-forward basis. Therefore, it is also advisable that the Enterprise Architecture Review Process include an analysis of whether new will present a barrier to subsequent access.

In addition, annual HIPAA training should be expanded and revised to ensure that clinical and operations staff are aware of the obligations of the Regulations, and the Actor’s procedures for reporting and mitigating barriers to access.

Development of a Compliance Program and the IB Committee

As noted by OIG in its draft enforcement rule, liability ensues for health care providers if the “practice” of information blocking is done knowingly (and for health IT developers if such “practice” is known, or should have been known, to interfere with access to EHI). To support a good faith intent to comply with the obligations of the Regulations, entities should form an IB Committee, charged with evaluating past actions that may implicate the Regulations, reviewing current requests for access to information, educating stakeholders on their obligations and ensuring operations of the covered entity do not implicate the Regulations.

As we envision it, the IB Committee will hold primary accountability for guiding the entity through the paradigm shift. As described above, for more than 2 decades health care providers have been operating within the regulatory obligations of HIPAA, implementing IT solutions, policies and procedures to prohibit the inappropriate disclosure of PHI. The IB Committee responsibilities would include:

Education: The obligations of compliance with the Regulations impact operations across both the clinical and IT environments. An effective Program will contemplate the development of an education program that aligns with the applicable individual’s responsibilities within the organization and provides an effective means for the individual to raise compliance concerns.

Process: The IB Committee must implement a process for the timely receipt and processing of requests for access within the confines of the applicable exceptions and consistent with any organizational policies.

Policy Review: The IB Committee should carefully review organizational policies related to access to IT systems and patient information to ensure that any impediment to access is narrowly tailored in order to achieve the operational objectives and does not unduly burden those seeking access to patient data.

Information Technology: The IB Committee should review and evaluate the current technology plan to identify non-standard implementations, document legitimate reasons for such non-standard configurations, identify barriers to patient access that can be removed as part of the organization’s technology plan and revise the Enterprise Architecture process to include giving due consideration to the impacts of IT implementations on patient data access.

Although the IB Committee would hold primary responsibility for such activities, Compliance would be charged with ensuring that the IB Committee diligently performed its responsibilities and was provided with appropriate resources necessary in order to achieve such objectives.