管家婆心水论坛

Things to Know about Information Blocking

Overview of the regulation, key dates, what is expected of physicians, and additional resources.

What is Information Blocking, and to which actors does it apply?

The Assistant Secretary for Technology Policy and Office of the National Coordinator for Health IT (ASTP/ONC) information blocking regulations apply to three categories of actors: health IT developers of certified health IT; health information exchanges and health information networks; and health care 鈥減roviders,鈥 which includes hospitals, skilled nursing facilities, health care clinics, group practices, long term care facilities, federally qualified health centers, rural health clinics, and laboratories. See ONC鈥檚 resource on for more information about actors.

As it pertains to health care physicians, 鈥渋nformation blocking鈥 is defined as the intentional withholding of patient health information 鈥 either from 鈥減rovider鈥 to 鈥減rovider鈥 or 鈥減rovider鈥 to patient. 鈥淚nformation Blocking,鈥 as used throughout this FAQ, references the information blocking provisions of the 21st Century Cures Act. The aim of these regulations is to provide patients more control of their health data and enhance patient care improving the physician鈥檚 ability to collect and utilize information for the benefit of their patients and practice. This expanded access will also result in improvements in the patient-physician relationship, including enhanced trust, transparency, communication, and shared decision-making.

If a practice still uses paper records, are they subject to the Information Blocking regulations?

No, information blocking pertains only to the access, exchange, and use of EHI. This should be contrasted to HIPAA, which covers paper, electronic, and verbal data as protected health information (PHI). Individuals still have the right to access their paper records under existing HIPAA rules. Where an individual requests a paper copy of PHI maintained by the practice, it is still expected that the practice will be able to provide the individual the paper copy requested.

When responding to requests for EHI, what are the exceptions that a physician may claim?

The information blocking regulations serve to improve the access to and sharing of a patient鈥檚 health record, there are situations ASTP/ONC has established nine when reasonable and necessary activities would not constitute information blocking. The first category of exceptions involves unfulfilled requests to access, exchange, or use EHI: Preventing Harm Exception; Privacy Exception; Security Exception; Infeasibility Exception; and Health IT Performance Exception. The second category involves the procedures followed in fulfilling requests to access, exchange, or use EHI: Manner Exception; Fees Exception; and Licensing Exception. The third category involves practices related to actors鈥 participation in the Trusted Exchange Framework and Common Agreement (TEFCA): TEFCA Manner Exception.

Actors have the burden of proving that their practices restricting the free flow of health information fit within one of the nine exceptions. Exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ASTP/ONC and the Office of the Inspector General (OIG). More details on each exception can be found on the ASTP/ONC .

What data and note types are covered under information blocking and must be shared?

EHI is as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (with exceptions including psychotherapy notes or legal proceedings), regardless of whether records are used or maintained by or for a HIPAA covered entity. The type of information that must be shared may differ if, for example, the patient is an adolescent. Please reference ATSP/ONC鈥檚 鈥,鈥 for more details.

Are there penalties if a physician intentionally withholds? What about in the case of a mistake?

Yes. The Office of Inspector General (OIG) is charged with investigating allegations of information blocking and determining whether a violation has occurred. On July 1, 2024, HHS released a final rule establishing disincentives for practitioners using authorities for programs administered by CMS (effective as of July 31, 2024) and outlined the process by which OIG investigates a claim of information blocking. For more information, please see ASTP/ONC鈥檚 and . In the case of innocent mistake, OIG has confirmed that it will not bring enforcement actions against actors who lack the requisite intent for information blocking.

How does information blocking tie into CMS鈥 Interoperability and Patient Access rule? What effect does information blocking have on CMS鈥 Promoting Interoperability program?

The CMS Interoperability and Patient Access regulations promote patient access and exchange of their clinical data and claims data across CMS-contracted payers. Additionally, CMS requires access to physician directory information and requires physician organizations, including hospitals, to send admission, discharge, and transfer notifications to the patient鈥檚 care team.

A physician participating in CMS鈥 Promoting Interoperability (PI) program is required to attest they are in good faith implementing and using their EHRs to exchange data. If a health system is found to have falsely attested, it could potentially owe back the incentive funds and could be liable for penalties under the False Claims Act. ASTP/ONC will also publish on a public website information about actors who have been determined by OIG to have committed information blocking.

FAQs

Information Blocking Exceptions

Describes the exceptions to claim and document if deciding not to share information.

What exceptions may a physician claim when responding to requests to exchange EHI? How are these exceptions applied in practice?

The aim of the information blocking regulations is to improve the access to and sharing of a patient鈥檚 health record. Information blocking exceptions should be a reserve rather than a default. Physicians should view each data exchange request or encounter as a 鈥渟hare unless鈥 situation, rather than a 鈥減ermitted sharing鈥 situation. The 鈥渦nless鈥 should be captured by the exceptions detailed below, with an understanding that the applicability of each exception is dependent upon several other conditions being met. It is also important to note that exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ASTP/ONC and the Office of the Inspector General (OIG). Actors, including physicians, have the burden of proving that practices restricting the free flow of electronic health information fit within one of the nine exceptions to information blocking. Additional information can be found on the ASTP/ONC exceptions .

Category 1: exceptions that involve not fulfilling requests to access, exchange, or use (AEU) EHI.

  • Preventing Harm Exception 鈥 practices that are reasonable and necessary to prevent harm to a patient or another person.
  • Security Exception 鈥 interfering with AEU to protect the security of EHI.
  • Health IT Performance Exception 鈥 taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT鈥檚 performance for the benefit of the overall performance of the health IT.
  • Privacy Exception 鈥 not fulfilling a request to AEU to protect an individual鈥檚 privacy.
  • Infeasibility Exception 鈥 not fulfilling a request due to the infeasibility of the request.

Category 2: exceptions that involve procedures for fulfilling AEU requests.

  • Manner Exception 鈥 limiting the content of a response or the manner in which the request is fulfilled.
  • Fees Exception 鈥 charging fees, including fees that result in a reasonable profit margin, for AEU of EHI, provided those fees are based on the physician鈥檚 costs, applied in a non-discriminatory manner, and complies with Conditions of Certification in 搂 170.402(a)(4) (Assurances 鈥 certification to 鈥淓HI Export鈥 criterion) or 搂 170.404 (API).
  • Licensing Exception 鈥 licensing interoperability elements for EHI to be AEU, provided licensing conditions are met.

Category 3: exceptions that involve practices related to actors鈥 participation in the Trusted Exchange Framework and Common Agreement (TEFCA).

  • TEFCA Manner Exception 鈥 fulfilling AEU or EHI only via TEFCA.

Are there any examples of actions or activities that could constitute information blocking? What are some of the warning signs I should look for in my practice?

Yes. Like the exceptions, practices that constitute information blocking may take different forms. Actors should refrain from practices that restrict authorized AEU under applicable state or federal law, such as failing to transition between certified health IT versions, as well as implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of AEU. Practices that, for example, fail to export complete information sets or impede innovations and advancements in health information AEU, including care delivery enabled by health IT, may be found to be information blocking.

EHR and Health IT System Updates

Describes EHR functionality needed and questions to ask your vendor. 

What should physicians look for in EHR systems to support information exchange?

It is important that physicians ensure their technology aligns with the 21st Century Cures Act mandates. Physicians will also want to confirm their systems are compliant and should review specific functionalities related to information exchange. Below are a few features a physician may want to look for in an EHR system.

  • Compatibility with HL7 Fast Healthcare Interoperability Resources (FHIR庐) Release 5.
  • Optimized patient portal features that allow easy sharing and downloading of records.
  • Ability for patients to share or link their information to third parties, such as smartphone applications and other mobile health applications.
  • Ability to document when EHI is not provided when requested, along with the documentation necessary to support the appropriate exception.

Patient Access to Information

Describes how to address questions and concerns around patients鈥 increased access to health information.

If a patient would like to be provided their EHI via an API to an app that the patient has authorized to receive their PHI, must a physician provide this type of access?

Yes, it would likely be considered interference when any delay occurs in providing a patient鈥檚 EHI via an API. APIs can enable systems to send or retrieve data that can update a patient鈥檚 record, as well as send information from one system to another. You and your staff should be prepared to provide information on how patients can go about accessing their information through an app of their choosing. If your EHR currently lacks the capabilities to provide access to these types of connections, you should discuss with your vendor when it is anticipated that your EHR supports API integration. For a resource on APIs and patient access to information, please visit .

What if my patient receives their results before I can offer a clinical explanation? How does a physician best provide anticipatory guidance on exchanged health information?

It may occur that a patient receives laboratory results, for example, ahead of the opportunity for a physician to review and discuss with the patient. To mitigate concerns, a physician should provide anticipatory guidance to patients regarding their unique medical situation and what any exchange or report may mean for them. Physician practices may also find it helpful to designate specific people to channel patient inquires and concerns to the appropriate person(s). Perhaps the best approach, however, is to discuss everything in the note with the patient to minimize surprise, shock, and confusion.

What if a patient disagrees with what鈥檚 in their note; do they have the right to request changes to their medical record? What should be some of the relevant considerations?

Yes, patients do have a right to amend information in their medical record. Current federal privacy laws mandate all patient amendment requests to the medical record be completed no later than sixty (60) days after the request is received; however, there may also be applicable state and local guidelines affecting the timeframe. You should also note that your organization may require you to track these requests via processes specific to your practice. It is important to review and confirm organizational understanding of the process for fulfilling these amendment requests.

Definitions

Electronic Health Information (EHI)

EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (with exceptions including psychotherapy notes or legal proceedings), regardless of whether records are used or maintained by or for a HIPAA covered entity.

EHI incorporates the terms 鈥渆lectronic protected health information鈥 (ePHI) and 鈥渄esignated record set鈥 (DRS), as they are defined by HIPAA. The definition of EHI specifically excludes psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, regardless of whether the group of records are used or maintained by or for a covered entity. Like ePHI, the data that constitutes EHI is not tied to a specific system in which the EHI is maintained. Health information that is de-identified consistent with the requirements of the HIPAA Privacy Rule (at 45 CFR 164.514(b)) is not included in the definition of EHI for the purposes of information blocking. Thus, any individually identifiable health information that is transmitted by or maintained in electronic media is EHI to the extent that the information would be included in the designated record set.

Protected Health Information (PHI)

Health information that identifies or reasonably could be used to identify an individual (individually identifiable health information) with certain exclusions such as Family Educational Rights and Privacy Act (FERPA) education or treatment records and employment records of a covered entity. Such health information not only identifies the individual, such as demographic information, but also relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for care. The information may be maintained or transmitted in any form or media (e.g., electronic, paper, or oral).

Electronic Protected Health Information (ePHI)

Any PHI that is maintained or transmitted in electronic form.

Designated Record Set (DRS)

Medical records and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and/or other records that are used, in whole or in part, to make decisions about individuals.

Record

Any item, collection, or grouping of information that includes PHI.


DISCLAIMER - The information contained on this page should not be seen as official technical or legal advice. State laws around data release may affect applicability of the ONC and CMS rules. Consult with your organization鈥檚 Health Information Management, compliance, legal, finance, and public affairs teams to find out how it applies to you.