To Share EHI or not Share EHI – That is the Question

Background

Most healthcare entities and their compliance professionals know about HIPAA. They know that HIPAA generally allows them to share protected health information (PHI) under certain circumstances without obtaining a specific authorization from the patient. For example, they are allowed to share PHI for treatment, payment, or operations, but it is generally not required to do so under HIPAA.

In 2016, however, Congress passed the 21st Century Cures Act. A major portion of that legislation makes the blocking of health information illegal. This is commonly known as “information blocking.” The federal government has issued what is known as the “Information Blocking Rule.” In short, the rule makes it so health care providers must share protected health information with other covered entities and other entities as directed by the patient.

So, whereas HIPAA describes certain situations where covered entities are allowed to share PHI, the information blocking rule outlines circumstances when they must share certain information. Under the information blocking rule, the information needed to be shared is electronic health information (EHI) which has its own definition in the rules.

Information blocking is defined: ‘‘a practice that—(A) except as required by law or specified by the Secretary pursuant to rulemaking under paragraph (3), is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information; and (B)(i) if conducted by a health information technology developer, exchange, or network, such developer, exchange, or network knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information; or (ii) if conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”

There is a lot in this definition and a full discussion of all the implications of the information blocking rule is beyond the scope of this eBrief. However, it does make sense to share the eight exceptions to the rule. These exceptions are described in greater detail here.

Briefly stated, the exceptions fall into two major classes:

1. 1. Exceptions that involve not fulfilling requests to access, exchange, or use EHI
   2. Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

Class I exceptions include:

1. Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

2. Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

3. Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

4. Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

5. Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

Class II exceptions include:

6. Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

7. Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

8. Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

OIG Proposed Rule

Though there has been a lot of rulemaking and finalizing of rules, one entity has yet to finalize their rule. HHS OIG is the entity responsible for conducting investigations to determine whether an action constitutes “interference with” the ability to access, exchange, or use EHI (i.e., information blocking). The OIG has issued a proposed rule for imposing civil money penalties for information blocking but has not yet issued their final rule. (see proposed rule here)

It was originally reported that the OIG expected to issue their final rule in September 2021. Of course, that date has come and gone.

Christi Grimm, the Inspector General is quoted on the OIG’s website as saying, “Health IT professionals and entities who make innocent mistakes will not be subject to CMPs. As our proposed rule makes clear, each allegation of information blocking would be assessed based on its own merits given the unique facts and circumstances presented, including the intent of parties. That assessment will include close coordination with ONC and the HHS Office of Civil Rights."

Conclusion

Information blocking can be a complex matter. In an attempt to simplify it, this eBrief has described it as a set of rules that mandate when certain EHI (electronic health information) must be shared as opposed to HIPAA, where most compliance professionals are interpreting the rules to find circumstances when PHI is allowed to be shared. The compliance community is waiting for the OIG’s Final Rule regarding imposing civil monetary penalties.

Download this blog as a PDF, click the button below.