A hospital employee laughs at an email from a competitor asking for patient information for a quality assessment study. The email has a list of admissions, including patient names, dates of birth and discharge dates, and the employee is asked to match them to the hospital’s patient list and the patients of unaffiliated community providers that share the hospital’s electronic health records (EHRs), and then send over discharge summary notes and consultation notes for every encounter within 90 days of discharge. “There’s no way I’m going to hand over so much sensitive patient information to a competitor,” the employee thinks. He hits the delete button on the competitor’s request.
That probably won’t fly when HHS’s information-blocking regulation, which interprets a provision from the 21st Century Cures Act, takes effect April 5. The compliance deadline was Nov. 2, but HHS announced a delay on Oct. 29. The competing hospital in this scenario may file an information-blocking complaint with HHS. “Pressing delete on requests for patient health information could be information blocking in the years to come,” said attorney Adam Greene, with Davis Wright Tremaine in Washington, D.C. The hospital could be fined $1 million in relation to denying the request for access to patient information of the unaffiliated health care providers that the hospital hosts on its EHR system. “As of [April 5], you should not be engaging in any practices that are information blocking,” Greene said Oct. 15 at a webinar sponsored by the Health Care Compliance Association. The enforcement regulations are not in effect yet, however, so it’s unclear when penalties will be assessed.
According to the final regulation, which was published in the Federal Register May 1 by the HHS Office of the National Coordinator for Health Information Technology (ONC), any action or inaction that knowingly interferes with the access, exchange or use of electronic health information (EHI) may lead to “disincentives” or penalties. Information blocking won’t be tolerated unless a practice is required by law or falls into one of eight exceptions. The rules apply to three types of “actors”: health care providers (e.g., hospitals and physicians), health information networks/health information exchanges, and developers of certified health information technology.