Summary

Information blocking has been a regulatory requirement for years, but as enforcement picks up, compliance is becoming a much bigger focus for healthcare organizations. This article focuses on the rules around information blocking, interoperability, and data access.

Join Fellow Healthcare IT Pros

Tips, Guides, News & More

Sign Me Up
21st-Century-Cures-Act

Three main tenets of the Cures Act – Patient Access, Protection and Choice:

  1. Ease of access to their records – The Cures Act supports a patient’s control of their health care and their medical record through smartphones and modern software apps.
  2. Protecting patient privacy and security – The rule supports secure patient access to their electronic medical record data. Patients will be able to use applications they authorize to receive data from their medical records. OAuth2 is used to authorize applications – the same highly secure protocol used on travel and banking apps.
  3. Promoting the ability to shop for care and manage costs – The final rule expands patient and payer choice by increasing data availability that supports insights about care quality and costs. This is similar in how apps have increased transparency in other industries such as online shopping, travel and banking to deliver information to patients and payers to assist in decision making.

Ease of Access and Information Blocking

One of the primary ways the 21st Century Cures Act supports patient access is through the Information Blocking Rule, which was designed to ensure electronic health information can be accessed, exchanged and used without unnecessary barriers. As the regulatory framework has matured, federal attention has increasingly shifted from implementation to enforcement.

Recent communications from HHS, ASTP/ONC and the HHS Office of Inspector General (OIG) signal that healthcare organizations should expect greater scrutiny regarding how electronic health information is accessed, exchanged and provided upon request. Compliance programs should now evaluate not only whether policies exist, but whether organizations can consistently and efficiently fulfill requests for electronic health information.

There are many key dates related to the Information Blocking Rules

Several key regulatory milestones have shaped today’s information blocking enforcement landscape:

June 24, 2024. The Department of Health and Human Services (HHS) released its final rule that establishes disincentives for health care providers that have committed information blocking. There are disincentives outlined for Hospitals and Critical Access Hospitals (CAH), Clinician and Group Practices and Accountable Care Organizations. The disincentives include financial penalties as well as loss of Meaningful Use status and a loss of eligibility to participate in the Shared Savings Program for ACOs.

June 27, 2023. The Office of the Inspector General (OIG) released a final rule that established penalties for information blocking for actors other than health care providers, such as health IT developers, health information exchanges and health information networks. If the OIG determines if any of these individuals/groups committed information blocking, they may be subject to a civil monetary penalty of up to $1 million per violation.

Together, these actions establish a complete enforcement framework for information blocking. With disincentives now in place for providers and penalties previously established for developers, exchanges and networks, healthcare organizations should anticipate increased oversight and investigation of information blocking complaints.

How to determine if information is ePHI: 

EPHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS), regardless of whether the group of records are used or maintained by or for a covered entity. The expanded definition of EHI (as defined in 45 CFR 171.102) includes a broad set of records. To determine whether the information is EHI, consider if the information:

  1. Is individually identifiable health information that is maintained in electronic media or transmitted by electronic media
  2. And would be included in one of the following groups of records:
    a. medical records and billing records of a provider about individuals;
    b. enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan;
    c. records used in whole or in part, to make decisions about individuals
  3.  And is not excluded from the EHI definition

If the answer to the three questions above is “yes,” then it is EHI.

What is not EHI?

  • Psychotherapy notes as defined in 45 CFR 164.501
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
  • Individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
  • Individually identifiable health information in records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
  • Individually identifiable health information in employment records held by a covered entity in its role as employer
  • Individually identifiable health information regarding a person who has been deceased for more than 50 years
  • De-identified protected health information as defined under 45 CFR 164.514

There also are eight exceptions to the information blocking ban that have been established to allow clinicians and hospitals common sense operational flexibility. These exceptions are grounded in protecting patient privacy, security, and handling situations where moving data isn’t a technically viable solution. These exceptions are divided into two categories:

  1. Exceptions that involve not fulfilling requests to access, exchange or use EHI, and
  2. Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

To review the most current updates related to interoperability, information blocking and the ONC Health IT Certification Program, visit the ONC’s Cures Act Final Rule website.

Switching EHRs shouldn’t mean a disruption in a provider’s access to their data.

EHR vendors are required to enable a usable export of all patient records when a healthcare provider is switching health IT systems, as opposed to only providing the summary of care records, which was the prior requirement. Not only will this allow providers to switch EHRs more easily and completely, but it will also ensure that a complete patient narrative is being transferred for better patient care. As the ONC states, “Providers should be able to choose the IT tools that allow them to provide the best care for patients, without excessive costs or technical barriers.”

With enforcement activity increasing, compliance is no longer simply a future planning exercise. Healthcare organizations should evaluate whether their people, processes and technologies can support timely access to electronic health information while minimizing operational burden and compliance risk.

Speaking of competitive advantages, let’s talk about the long game.

Information blocking isn’t always a deliberate refusal to share data. Often, organizations face compliance risk because historical patient information is fragmented across multiple legacy systems, making timely retrieval difficult.

One big step forward in the health data management race is to consolidate records from legacy EHR, ERP and HR systems into an active archive.  This approach avoids the user having to log in to multiple legacy systems to fulfill a single Release of Information request.   Advanced authentication services such as  Single Sign-On allow a seamless connection from the current EHR (i.e., Single Sign-On from Epic) in context to the patient’s historical medical record.

As healthcare providers continue to adapt and evolve with how they need health and business data to flow through technology systems and now more fluidly to patients on new apps, it will be even more important to have a solid lifecycle data management plan that consolidates disparate data sets. With some multi-hospital organizations managing 30 to 40 read-only legacy EHRs with varying states of usability, it is even more important to streamline and have a lean and forward-thinking data management strategy for the long haul.

As your team continues to adapt to evolving regulations, follow retention guidelines and safely guide the data within your care wherever it needs to go, it’s a good time to make sure your inventory of applications is consolidated, secured, accessible and usable.

An active archive such as HealthData Archiver® is a long-term medical data storage strategy that reduces or eliminates legacy system management costs, provides role-based security and is a vendor-neutral long-term home for legacy records. Secure, compliant, long-term PHI storage in an electronic health data archive solution helps manage the legacy application portfolio which saves on maintenance contracts, mitigates technical risk, and reduces labor burden. With an active archive, outdated legacy applications can be decommissioned and ROI is often seen in 18-24 months.

What to do if a vendor organization is keeping you from your health data:

Clinicians and hospitals continue to consider their options in choosing the EHR that best fits the organization, gaining access to protected health information (PHI) from the outgoing EHR vendor may remain a challenge.

Even before the newest information blocking law was handed down, EHR vendors were required by law to return PHI to the covered entity in a reasonable and usable format upon termination of a contract. If your healthcare organization experiences barriers accessing its electronic health information from a current or former technology vendor, those challenges may warrant review under information blocking requirements and related access provisions.

Preparing for Increased Information Blocking Enforcement

As information blocking enforcement gains momentum, healthcare organizations should evaluate whether their current processes, technologies and legacy-system strategies support timely access to electronic health information. Organizations that simplify access to historical records, reduce reliance on aging applications and streamline release workflows will be better positioned to meet evolving compliance expectations while improving service to patients and providers.

Note: This blog is updated from a previous version published on Nov. 30, 2022.

Ready to connect?

Contact us today to learn more about our healthcare data management solutions.

Healthcare IT tips, guides, news & more delivered to your inbox

Learn More