The April 5 deadline to comply with new information-blocking regulations is around the corner, and now is the time to get ready to comply or risk audits and penalties down the road.
The new regulations aim to grant patients access to their health information by preventing information-blocking practices by providers, health IT developers, health information exchanges, and health information networks. They were developed by the US Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology and Centers for Medicare & Medicaid Services to support the MyHealthEData Initiative and the 21st Century Cures Act.
Once the rule is implemented, patients can and will ask for access to their information, and you must provide it unless there is just cause why you cannot.
Are you ready?
Is your team ready?
Is your electronic health record (EHR) vendor up to the task?
Your electronic health vendor should have reached out and detailed the ways in which their software will make such sharing possible and HIPAA compliant. If yours hasn’t, get on the phone today and find out what they are doing to help you comply with these new regulations.
Your practice should have procedures in place to handle requests before April 5, 2021.
Consider assigning a staff person to handle these requests. While there will likely be a learning curve as more details evolve, this person must understand the Rule and your EHR system’s functionality. A good place to start gathering intel is at the Information-Blocking Resource Center (infoblockingcenter.org), which was established by a coalition of health IT and physician groups.
Exceptions to the Rule
It’s also important to familiarize yourself with the eight exceptions that can protect you from penalties under the final rule. These are divided into two broad-based categories: those that involve not fulfilling requests due to the nature of the request and those that involve not fulfilling requests due to procedural issues.
The former category includes the preventing harm exception, meaning that it is not necessarily information-blocking if you avoid sharing information to prevent harm to a patient or another person. The privacy exception notes that it’s OK not to fulfill a request to protect an individual’s privacy, provided certain conditions are met.
A security exception may allow you to deny a request to protect the security of the electronic health information. The feasibility exception states that it’s not information-blocking if the request can’t easily be granted due to issues with the type of information requested, its cost, available resources. and/or control of the relevant platform. Also, the Health IT performance exception states the access can be denied due to system maintenance.
The latter category of exceptions that involve procedures for fulfilling requests includes the content and manner exception, which states it is not information-blocking to limit the content of a response. The fees exception permits you to charge for information, provided certain conditions are met. The licensing exception says it is OK to license applications to access the information if this occurs in a timely, reasonable, and nondiscriminatory manner, and the license meets specified conditions.
It’s not enough to just claim an exception; your practice must also know how to apply for it or risk penalty if audited. The amount of the penalty will likely be related to the nature and extent of the information-blocking and the resulting harm. Stay tuned, as this is a quickly developing story.
Recommended
Andrew Mastro, MS, PA-C
Andrew Mastro, MS, PA-C
Daniel I. Schlessinger, MD
Clay J. Cockerell, MD, MBA, JD
