Erin MacLean (email@example.com, firstname.lastname@example.org) is Attorney/Managing Shareholder at Freeman & MacLean PC, located in Helena, MT, and Regional Compliance Director at Compliagent LLC, located in Los Angeles, CA.
Healthcare providers have an obligation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect the confidentiality of protected health information (PHI), but this obligation does not grant them ownership or exclusive control over the PHI. Further, when a provider requests PHI for treatment purposes and that request is improperly delayed or denied, the withholding provider may be liable for information blocking under the 21st Century Cures Act (Cures Act) unless the information is otherwise protected by law, such as in the case of substance use disorder patient records under . This article addresses the evolution of access and exchange of PHI for treatment purposes with the passage of the Cures Act in 2016 and the Office of the National Coordinator for Health Information Technology’s (ONC) issuance of its Cures Act final rule in March of 2020.
HIPAA modernized the flow of healthcare information. It changed how providers and patients access records, especially health information stored and shared electronically. An unintended consequence of HIPAA’s privacy restrictions is information blocking, a result of the reluctance of providers to exchange PHI with other providers for treatment purposes. In 2015, the ONC’s Report to Congress defined information blocking as “knowingly and unreasonably interfer[ing] with the exchange or use of electronic health information.” The ONC stated that the secure, efficient, and effective sharing and use of electronic health information (EHI) is a key component of healthcare delivery system reform. Nonetheless, in the era of the Affordable Care Act, where billions of dollars of incentives have been given to providers to implement systems of managing electronic health records (EHRs), “challenges continue to limit the widespread and effective sharing of [EHI] across the health care continuum.”
HIPAA and important exceptions
One objective of HIPAA was to permit secure electronic exchange of information for treatment purposes. Despite this objective, some providers have instituted practices that frustrate this goal, such as requiring outside treatment providers to obtain patients’ authorization to access PHI, which is unnecessary and can constitute information blocking. Covered entities may disclose PHI to other providers for treatment purposes without patient authorization. This is one of the clearest exceptions to HIPAA’s rules, which otherwise prohibit a covered entity from using or disclosing PHI, unless authorized by patients.
Any healthcare provider transmitting health information in connection with certain transactions is a covered entity under HIPAA and subject to the HIPAA Privacy Rule. The HIPAA Privacy Rule standards dictate how providers may use and disclose PHI. A major goal of the Privacy Rule is to assure PHI is protected, while still allowing for the necessary flow of information to promote high-quality healthcare and protect the public. The Privacy Rule states, “A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”
Ask yourself, “What steps can I take to ensure that my organization is disclosing PHI in a timely manner to all authorized providers that request PHI for treatment purposes?”
The U.S. Department of Health and Human Services (HHS) provides guidance to covered entities, stating that they may rely on professional ethics and best judgments in deciding which disclosures to make. HHS also maintains that a healthcare provider’s primary responsibility under HIPAA is to disclose PHI in a secure, permitted manner. A covered entity may use and disclose PHI for its own treatment, payment, and healthcare operations activities. Additionally, a covered entity is permitted to disclose PHI for the treatment or payment activities of any other covered entity.
Treatment is defined as “provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” Patients expect their health information to be disclosed, as necessary, for treatment, billing, and the operations of the covered entity’s healthcare business; such transactions are permitted under HIPAA. Providers seem to understand that they may disclose PHI for treatment purposes to outside providers; however, recurring information blocking demonstrates that providers may be unwilling to do so for various reasons, including an intent to keep the information from perceived or actual competitors in the healthcare field.
The 21st Century Cures Act
In December 2016, the Cures Act was signed into law. Although the Cures Act’s stated goal was to expand medical research and expedite approvals of drug therapies, it also contained several provisions related to HIPAA. The Cures Act altered existing law in a manner intended to promote patients’ access to health records, including information contained in EHRs.
First, the Cures Act added a subsection to the Health Information Technology for Economic and Clinical Health Act of 2009. The Cures Act clarified that business associates are permitted to provide PHI to a patient (or the patient’s designee) in response to an access request from the patient when the patient’s records are located within an EHR. As a result of these changes, it is imperative that providers review their existing business associate agreements to ensure they comply with this provision in the Cures Act and are worded in a manner that promotes timely responses to patient requests for information.
Ask yourself: “Are my business associate agreements in conflict with the Cures Act?”
Second, the Cures Act revised the statutory definition of information blocking to apply to actions of healthcare providers. As previously noted, HIPAA permits, but does not require, disclosures of PHI for treatment purposes. The Cures Act, on the other hand, prohibits information blocking. Under the Cures Act, information blocking is defined as any conduct that is known by the provider to be unreasonable and “likely to interfere with, prevent, or materially discourage access, exchange, or use of [EHI].” Although the act did not technically amend HIPAA or the Privacy and Security Rules implemented by HHS, providers must be aware that their obligation to allow access to PHI for treatment purposes extends far beyond what is mandated under HIPAA. Thus, if a provider is permitted to disclose PHI under HIPAA or another law and chooses not to do so, the provider denying access would be engaging in information blocking, unless that provider can show the denial was “reasonable and necessary.”
Ask yourself: “Does my organization respond to requests for information for treatment purposes in any manner that may interfere with, prevent, or materially discourage access, exchange, or use of PHI by other healthcare providers?”
Proposed rules under the Cures Act
After the passage of the Cures Act, HHS requested a study as to whether HIPAA regulations should be revised to remove any barriers to patient care, communication, and availability of patient information. In response to this request, in December of 2018, the Office for Civil Rights (OCR) issued a Request for Information on Modifying HIPAA Rules to Improve Coordinated Care to identify the provisions of HIPAA that may “impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities…, without meaningfully contributing to the protection of the privacy or security of individuals’ [PHI].” Notably, the OCR recognized that the permissive status of HIPAA’s exception to the authorization requirement for treatment purposes, along with the lack of a time frame provided or required for such disclosures, can lead to circumstances where records are not transferred between covered entities in a timely fashion to the detriment of coordinated care and/or case management.
On March 4, 2019, the ONC issued proposed rules under the Cures Act to address concerns over providers and covered entities limiting the availability and use of electronic health information (EHI) for authorized and permitted purposes.
According to the proposed rules, the Cures Act does not restrict the definition of information blocking to practices related to “certified health IT,” nor does the act impose a “temporal nexus” requiring that information blocking occur at a time when the denying provider had certified health IT. Within the proposed rules, the ONC explains that it interprets “the terms ‘access,’ ‘exchange,’ and ‘use’ broadly, consistent with their generally understood meaning in the health IT industry and their function and context in the information blocking provision.” The ONC states that, “because information blocking may take many forms, it is not possible...to anticipate or catalog the many potential types of practices that may raise information blocking concerns.” The ONC does, however, introduce the following “likelihood requirement” in determining whether an action constitutes information blocking:
The information blocking provision and its enforcement subsection do not define the terms ‘interfere with,’ ‘prevent,’ and ‘materially discourage,’ and use these terms collectively and without differentiation….[W]e do not believe they are mutually exclusive, but that prevention and material discouragement are best understood as types of interference, and that use of these terms in the statute to define information blocking illustrates the desire to reach all practices that an actor knows, or should know, are likely to prevent, materially discourage, or otherwise interfere with the access, exchange, or use of EHI… [I]nterference could include practices that increase the cost, complexity, or other burden associated with accessing, exchanging, or using EHI… [as well as] practices that limit the utility, efficacy, or value of EHI that is accessed, exchanged, or used, such as by diminishing the integrity, quality, completeness, or timeliness of the data.
The ONC describes the information blocking provision as “preventative in nature,” as it is designed to prevent interference with access, exchange, or use of EHI. As such, a practice satisfies the provision’s likelihood requirement if “there is a reasonably foreseeable risk that the practice will interfere with access, exchange, or use of EHI.”
You should analyze whether there is a reasonably foreseeable risk that your organization’s practices related to disclosing PHI for treatment purposes will interfere with access, exchange, or use of PHI by other healthcare providers.
ONC Cures Act final rule
On March 9, 2020, the ONC issued its final rule under the Cures Act on information blocking (Final Rule), implementing the vast majority of the previously proposed rules as they related to information blocking. The Final Rule clarifies the following about the intent of the rule:
In addition to fulfilling the Cures Act’s requirements, the final rule contributes to fulfilling Executive Order (EO) 13813. The President issued EO 13813 on October 12, 2017, to promote health care choice and competition across the United States. Section 1(c) of the EO, in relevant part, states that government rules affecting the United States health care system should re-inject competition into health care markets by lowering barriers to entry and preventing abuses of market power.
The ONC also stated that the Final Rule is necessary to “meet our statutory responsibilities under the 21st Century Cures Act (Cures Act) and to advance HHS policy goals to promote interoperability and mitigate burden for stakeholders.”
Information for providers
Information blocking concerns are “especially pronounced when the conduct at issue has the potential to interfere with the access, exchange, or use of EHI that is created or maintained during the practice of medicine or the delivery of health care services to patients.” Additionally, the ONC noted that “observational health information may be technically structured or unstructured (such as ‘free text’). Therefore, in general, clinicians’ notes would constitute observational health information, at least insofar as the notes contain observations or conclusions about a patient or the patient’s care.”
The ONC makes clear that “practices that adversely impact the access, exchange, or use of observational health information (as well as practices that increase the cost, difficulty, or other burden of accessing, exchanging, or using EHI for these purposes) will almost always implicate the information blocking provision.” In fact, “collecting, organizing, formatting, or processing observational health information maintained in EHRs and other source systems does not change the fundamental nature of that EHI or obligations under the information blocking provisions.” Likewise, EHI stored in a proprietary format or combined with confidential or proprietary information falls under the same provision to facilitate access, exchange, and use of the EHI.
The ONC recognizes that “[a]n actor may have substantial control over one or more interoperability elements that provide the only reasonable means of accessing, exchanging, or using EHI for a particular purpose.” In such circumstances, any practice by the actor that could impede the use of the interoperability elements would almost always implicate the information blocking provision.
The ONC gives the following examples to illustrate types of formal restrictions that may be considered information blocking:
“A health system’s internal policies or procedures require staff to obtain an individual’s written consent before sharing any of a patient’s EHI with unaffiliated providers for treatment purposes even though obtaining an individual’s consent is not required by state or federal law”;
“A health system incorrectly claims that the HIPAA Rules or other legal requirements preclude it from exchanging EHI with unaffiliated providers”;
“A health care provider has the capability to provide same-day access to EHI in a form and format requested by a patient or a patient’s health care provider, but takes several days to respond”; and
Engaging in rent-seeking or practices that artificially increase the cost and expense associated with accessing, exchanging, and using EHI.
As part of your risk analysis, determine whether your organization engages in these types of information blocking activities.
The Cures Act’s information blocking provision empowers healthcare professionals to have the EHI they need, when and where they need it, to make treatment decisions, to coordinate effectively, and to manage patient care while using EHI.
Penalties and disincentives
The Cures Act authorizes the Office of Inspector General (OIG) to penalize entities for information blocking. The Proposed Rules authorize public reporting of “providers or hospitals that participate in ‘information blocking,’ practices that unreasonably limit the availability, disclosure, and use of [EHI].”
In the Final Rule, the ONC clarified: “[e]nforcement of information blocking civil monetary penalties (CMP) in section 3022(b)(2)(A) of the [Public Health Service Act] will not begin until established by future notice and comment rulemaking by OIG.” At a minimum, providers will not be subject to penalties until CMP rules are final, and the time frame for enforcement would not begin sooner than the compliance date of the information blocking provision. The ONC also clarified that “[d]iscretion will be exercised such that conduct that occurs before that time will not be subject to the information blocking CMPs,” while also detailing that “[i]ndividuals and entities are subject to the information blocking regulations and must comply with this rule as of the compliance date of this provision.”
Moving forward, providers will need to carefully consider whether the risk of disclosing PHI outweighs the risk of declining to make a disclosure in a manner that constitutes information blocking. Providers must also consider the consequences of enforcement by the OCR if they disclose the PHI to the wrong recipient or without appropriately verifying the recipient’s authority to receive the PHI.
OIG has the authority to refer providers engaging in information blocking to an appropriate agency for “disincentives,” and to “consult” with OCR regarding HIPAA to resolve an information blocking claim. It is still unclear how OIG will enforce this provision, but developers, exchanges, and networks may face penalties of up to $1 million per violation. Moving forward, information blocking could become a costly practice. The ONC emphasized in the Proposed Rule that the ONC’s and OIG’s respective authorities under the Cures Act are independent, and that either or both offices may exercise and/or coordinate their authorities regarding information blocking at any time.
Ask yourself: “What can my organization do to ensure compliance with HIPAA while also avoiding activity that OCR/OIG would consider to be information blocking?”
As long as information is not otherwise protected from disclosure by law, providers must affirmatively provide access to patient information to other providers for treatment purposes. The ONC has made clear that obligations of healthcare providers with regard to this type of permissive disclosure under HIPAA have been significantly altered by the Cures Act. Any denial of such requests—for economic gain and/or in a manner that does not meet a Cures Act exception to the required access—constitutes information blocking. Providers handling health information and requests for PHI for treatment purposes need to have a clear understanding of these requirements. This is especially true since the Cures Act’s information blocking provision establishes penalties and requires the implementation of appropriate disincentives for practices that restrict access, exchange, or use of EHI for permissible purposes.
Every healthcare provider who electronically transmits health information in certain transactions is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and is subject to the HIPAA Privacy Rule.
As an exception to HIPAA, healthcare providers may disclose protected health information (PHI) to other providers for treatment purposes without a patient’s authorization.
The 21st Century Cures Act extends the obligation of healthcare providers to give other providers access to PHI for treatment purposes beyond what is mandated under HIPAA.
The 21st Century Cures Act’s information blocking provision promotes effective patient care and access to health records by healthcare providers, including information contained in electronic health records.
You should determine whether your organization is engaging in information blocking and implement strategies to avoid information blocking when receiving requests for PHI from other providers.