In two weeks, on October 6, 2022, the scope of the 21st Century Cures Act Information Blocking Rule expands to prohibit health care providers from blocking or interfering with patient access to any electronic information in a "designated record set," as the term is defined under HIPAA. For health care providers, this has led to questioning exactly what information falls within the designated record set and what is their obligation to make this information available to patients in real-time. In preparation for this imminent expansion of the Information Blocking Rule's scope, it is high time for health care providers to create or revisit a policy on what information is within their designated record sets and to document the basis for any circumstances in which this information is not immediately available to patients through the providers' patient portals.
The Information Blocking Rule generally prohibits health care providers and certain other covered "actors" from engaging in practices that interfere with access, use, or exchange of "electronic health information." A more robust DWT discussion of the Information Blocking Rule is available here. The "applicability date" for the Rule was April 5, 2021.
The Information Blocking Rule's definition of "electronic health information" initially was limited to the data elements represented in the United States Core Data for Interoperability (USCDI) standard. As of October 6, 2022, however, the scope of "electronic health information" will be expanded to include all electronic information in a health care provider's designated record set. This represents a significant expansion of what information providers must make available to patients without unnecessary delay.
What Is the Designated Record Set?
The Information Blocking Rule incorporates the HIPAA definition of "designated record set," with a slight modification to address information blocking actors that are not HIPAA covered entities. Under this definition, as applied to health care providers, a designated record set includes:
A group of records maintained by or for the health care provider that is:
- (i) The medical records and billing records about individuals maintained by or for the health care provider; or
- (ii) Used, in whole or in part, by or for the health care provider to make decisions about individuals.
There is sometimes confusion regarding how the "designated record set" compares to the "legal medical record." Neither HIPAA nor the Information Blocking Rule use the term "legal medical record." Health care providers generally have some discretion to define what constitutes their "legal medical record." The designated record set is larger, though, as it includes not only medical records (which can be interpreted to mean the "legal medical record"), but also billing records and any other information used to make decisions about individuals.
A good litmus test is whether a flaw in the data would impact patient care or payment processes. If there is a problem with the data, such as the accidental inclusion of another patient's information, will this affect treatment or the amount a patient or insurer owes? If so, then the information likely qualifies as part of the designated record set for purposes of HIPAA and the Information Blocking Rule. In contrast, if a flaw in the data would not affect the patient but rather would only impact the provider's internal processes – such as a quality assessment study – then the information likely is not part of the designated record set.
The HHS Office for Civil Rights (OCR) has provided a case example from its enforcement files that a designated record set – the information subject to the HIPAA right of access – should include any information created by another health care provider if that information has been incorporated into the provider's records. Accordingly, health care providers should include access to records within their systems that originated from other providers if the information is used to make decisions about the individual.
Additionally, there sometimes is confusion regarding whether "raw data," such as EKG, EEG, fetal monitoring data, etc., is part of the designated record set, or if the health care provider needs to include only the reports that interpret this data. OCR brought an enforcement action with respect to a patient's access to fetal heart monitor records, indicating that OCR interprets this raw data to be part of the designated record set to the extent retained by the health care provider.
Create or Revisit a Designated Record Set Policy
Since April 2003, the HIPAA Privacy Rule has required (at 45 C.F.R. § 164.524(e)(1)) a HIPAA-covered health care provider to document the designated record sets that are subject to access by patients. Accordingly, a health care provider ideally already should have a policy or other documentation describing what information constitutes its "designated record set," which will be subject to the expanded Information Blocking Rule.
If you are a health care provider and do not have documentation describing your designated record set, now is a really good time to come into compliance with this longstanding HIPAA requirement.
If you already have a policy or other documentation regarding your designated record set, then this expansion of the Information Blocking Rule and OCR's separate focus on enforcing patients' right of access means that now is a good time to review your policy and confirm that it captures all appropriate information.
Providing Access to the Designated Record Set
One of the biggest questions surrounding the Information Blocking Rule is exactly what a health care provider's obligation is with respect to electronic health information. For example, must providers proactively make all electronic health information available to patients, or do they need to provide this information only upon request?
The HHS Office of the National Coordinator for Health Information Technology (ONC), the agency that drafted the Information Blocking Rule, has changed its guidance answering this question. In January 2021, ONC initially issued guidance stating that "[t]here is no requirement under the information blocking regulations to proactively make available any [electronic health information] to patients or others who have not requested the [electronic health information]." In November 2021, however, ONC revised this guidance and stated that:
"Proactively" or "proactive" is not a regulatory concept included within the information blocking regulations. Rather, the information blocking regulations focus on whether a practice (an act or omission) constitutes information blocking. Further, an important consideration is whether the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.
In other ONC guidance, the agency has stated that: "It also would likely be considered an interference: where a delay in providing access, exchange, or use occurs after a patient logs in to a patient portal to access [electronic health information]that a health care provider has (including, for example, lab results) and such [electronic health information] is not available—for any period of time—through the portal" (emphasis added).
Based on this guidance, which does not have the force of law, health care providers should consider making their entire designated record set available in real-time through the patient portal, unless there are valid circumstances that prevent the provider from doing so.
If information in a designated record set is not readily available through the patient portal, then the health care provider does not necessarily need to move heaven and earth to make it available. For example, if designated record set information resides outside of the electronic health record system and there would be significant burden to create an interface that connects it to the patient portal, then the Information Blocking Rule arguably does not require the provider to proactively create this type of an interface. Or if information is in archived records, then the health care provider does not necessarily need to proactively upload all archived material into the patient portal.
Rather, the higher risk of non-compliance may be if designated record set information is readily available through the patient portal but the provider either actively blocks the information from flowing through the portal or fails to turn on a configuration that would make the information available through the portal.
To address this issue, health care providers may choose to go through their designated record set documentation, identify any designated record set information that would not be available through the patient portal, and document a valid reason why it is not flowing into the patient portal, such as:
- The information is not available through the patient portal because of technical issues, such as the information residing outside the EHR and cannot readily be connected to the patient portal;
- The information includes information that cannot legally be made available through the patient portal and cannot readily be segmented from that which may be made available (such as a minor's information where the parent or guardian with portal access is entitled to some of the minor's information but not information on certain sensitive care for which the minor legally may consent); or
- A specific Information Blocking Rule exception applies, such as an individualized determination that providing the patient with access to the information will endanger the life or safety of the patient or others.
Much confusion surrounding the Information Blocking Rule remains, and the expectations on health care providers may change as additional guidance is issued or the regulations are amended.
Enforcement of the Information Blocking Rule
No discussion of health care providers and the Information Blocking Rule would be complete at this point without recognition of the lack of an enforcement rule. The 21st Century Cures Act states that, if the HHS Office of Inspector General (OIG) determines that a health care provider has violated the Information Blocking Rule, then the provider "shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking." At this point, we do not have a proposed enforcement rule with respect to health care providers, so we do not know which HHS agency will enforce the Information Blocking Rule on health care providers or what will be the "appropriate disincentives."
For other information blocking actors (health information technology developers and health information exchanges and networks), the OIG issued a proposed enforcement rule and indicated that it would not bring enforcement actions for conduct occurring prior to publication of a final enforcement rule. It is likely that HHS will follow suit for health care providers, only enforcing the rule against information blocking by health care providers after a specific enforcement rule applicable to providers' information blocking has been proposed and finalized. But this position is not guaranteed, so it is possible that HHS could seek to one day impose not-yet-identified "appropriate disincentives" on any health care provider that is found to block access to any portion of the electronic designated record set on or after October 6, 2022.