
Patients’ access to health information through their smartphones creates compliance risk for physicians
The Department of Health and Human Services has set forth new rules to provide patients with smartphones easier access to their health information and to establish exceptions to the information blocking provisions of the 21st Century Cures Act (“Cures Act”). As health care becomes more about the customers, the customer, also known as the patient, wants to know more about their health and how they can improve it. Physicians are expected to enhance their electronic health records (“EHR”) to improve interoperability with patients’ smartphones while preventing inappropriate disclosures of information.
On March 9, 2020, the Office of the National Coordinator for Health IT (“ONC”) issued the final rule implementing the Cures Act requirements to develop and enhance patients’ smartphone access to their health information through the use of application programming interfaces (“APIs”) at no cost. These regulations were developed with the objective of improving interoperability and patient access to electronic health information (“EHI”) while discouraging information blocking. Information blocking is defined by the Cures Act as a “practice that is likely to interfere with, prevent or materially discourage access, exchange, or use of electronic health information.”
Due to the COVID-19 pandemic, compliance with the ONC rule has been postponed to April 5, 2021. As this date quickly approaches, providers must update their current data handling practices to ensure compliance. This includes upgrading their EHR to the new 2015 Edition certification criteria and implementation of an API to support interoperability.
The HHS Office of the Inspector General has enforcement authority over information blocking but has yet to release its regulation to address physician penalties. Until then, however, providers must still agree to the “prevention of information blocking” to meet Promoting Interoperability reporting requirements. That said, the ONC understands that physicians have legitimate reasons for preventing access to patient information that are established in the regulation. The regulation establishes eight types of necessary and complex “exceptions” to information blocking to shield providers who have a legitimate purpose for not providing patient information: preventing harm; ensuring the privacy of EHI; maintaining the security of EHI; charging fees for accessing or exchanging EHI; infeasibility of the request; licensing of interoperability elements for EHI to be accessed or exchanged; maintaining health IT performance; and limiting the content of the response to a request.
Given the complexity of these exceptions, providers are encouraged to become familiar with the requisite elements embodied in each exception, develop a process to determine if there is a legitimate reason to block information, and document each applicable exception in denying a data request. It is especially crucial to develop or revise policies concerning data governance to ensure that the criteria set forth in each exception is addressed. It is important to note that these information blocking provisions must be considered concurrently with applicable HIPAA regulations. Bleakley Platt & Schmidt, LLP can assist providers to understand the full impact of these regulations and advise regarding compliance and implementation.