Published on May 1, 2020, the Information Blocking Regulations ("Regulations") currently have a compliance date of November 2, 2020. These Regulations reflect a paradigm shift in how health care providers must provide access to electronic health information. Further guidance is pending from CMS and OIG regarding enforcement of the rule; however, exclusion and civil monetary penalties of up to $1 million per violation both remain possible.

Background

The Regulations include many nuances, but in general they prohibit Actors (e.g., health care providers, HIEs, Health IT Developers) from taking any action that is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information. Specifically, except to the extent covered by an exception, the Regulations obligate an Actor to provide a requestor (a patient, a patient's representative or a person seeking an API connection to the Actor's technology) with access to the electronic health information ("EHI") within its possession or control. Similar in structure to the Anti-Kickback Statute, the Regulations implement an intent-based statute: a broad general prohibition followed by a series of exceptions which, if fully complied with, shield the Actor from liability. The exceptions permit an Actor to deny access, limit the amount of access, delay access, condition the type of access or charge a fee for access, in each case subject to the detailed limitations stated in the applicable exception.

The Regulations are not simply a technical responsibility that rests solely with the CIO. Compliance requires participation by clinical staff, IT, privacy, security and legal to identify practices and activities that appear to discourage the access, exchange or use of EHI and to develop a process to (a) receive requests for access; (b) evaluate those requests against some very specific exceptions; and (c) respond to requests within a defined period of time (depending on which exception applies, the period can be as short as 10 days). The Regulations place at risk many activities that have become common practice (e.g., a standing order to hold HIV test results until counseling services are coordinated, or producing only a limited subset of data in response to a records request). They require health systems to re-evaluate how they maintain patient information and make it available.

Paradigm Shift

The Regulations reflect a paradigm shift for Actors, obligating such entities to carefully review decades worth of compliance activities and recalibrate to new requirements before the November 2, 2020 compliance date.

In general, except for disclosures made for treatment, payment and health care operations, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") prohibited health care providers and other covered entities from disclosing protected health information ("PHI") without patient authorization. In addition, and subject to limitations, HIPAA obligated health care providers to give patients access to their designated record set. In the 24 years since HIPAA was first enacted, covered entities have been implementing policies and procedures, and designing and implementing IT services, with a view towards the HIPAA obligation to protect PHI from impermissible disclosure. When the permissibility of a disclosure of PHI was in question or unclear, the conservative approach was to avoid the disclosure. As a general rule, HIPAA policies and procedures were structured to bar disclosures.

The Regulations, in contrast, prohibit Actors from engaging in any practice that is likely to interfere with the access, exchange or use of EHI. They apply broadly to any system, activity or process of an Actor that relates to or governs the provision of access to EHI. As described in the final ONC Regulations, an Actor risks liability if it knowingly interferes with the access, exchange or use of EHI, unless the practice fits completely within one of the eight exceptions.

The Regulations are, in effect, the mirror image of the HIPAA Privacy Rule. Entities that have implemented policies and procedures and configured IT systems based on a conservative interpretation of HIPAA may now find that the very actions intended to support HIPAA compliance are evidence of prohibited activity under the Regulations. What was once the safe practice of not disclosing data may now, under this new regulatory regime, create liability.