On October 29, 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued an Interim Final Rule extending the compliance dates for the agency’s 21st Century Cures Act Final Rule. The extension means that the information blocking applicability date was moved from November 2, 2020, to April 5, 2021.
What is information blocking?
Information blocking is defined as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI). This prohibition is relevant for healthcare providers, developers of certified health IT and health information networks or health information exchanges.
Healthcare providers make hundreds of decisions each day relating to access, exchange, or use of EHI, and every decision could fall in the scope of information blocking. That’s why it is so important for providers to understand the potential impact of the information blocking prohibition for their organizations. We suggest you start by asking a few questions.
But first, it’s important to understand two fundamental things:
- The information blocking prohibition applies to any request for EHI, and
- The standards for compliance apply to all healthcare providers.
1. How often are you not fulfilling requests for electronic health information today? And for what reasons?
To get a better sense of the scale of potential information blocking, evaluate your current performance. Industry data suggests that, on average, roughly 20 percent of requests are not fulfilled. The most frequent reason a request is not fulfilled is an invalid authorization. While it is possible that an invalid authorization could fall into one of the eight categories of exceptions to information blocking, the Privacy Exception requires that providers “use reasonable efforts within its control to provide the individual with a consent or authorization form that satisfies all required elements of the precondition or provide other reasonable assistance to the individual to satisfy all required elements of the precondition.”
TIP: Avoid the possibility of information blocking by reviewing your process for responding to invalid authorization forms and making sure requestors have access to a valid authorization form.
Although existing requests for EHI won’t represent all future possibilities for information blocking, particularly as requests for EHI become more digital, understanding the status quo allows organizations to identify immediate changes to consider for near-term information blocking enforcement.
2. Do you know all the sources of health data for your organization?
According to HIMSS Analytics, the average hospital has 16 different electronic health record (EHR) systems, not to mention other health data repositories like separate databases for images, paper records in offices, paper records in storage, and even microfiche records. As the health data sharing process is more highly scrutinized, make sure you know where your health data records are stored and have a process to access and release all data in a timely manner.
Given that health information is stored in multiple departments, across different facilities, and is often governed by different processes and policies (e.g., business office, radiology, HIM), there should be a centralized perspective as well as consistent guidelines and escalation procedures. This can help reduce the likelihood of an information blocking issue as well as ensure patients and other requestors have a standard and reliable experience across the facility and/or full health system.
If you answer No to this question, it’s critical that you take an inventory of all your data sources and policies and procedures so you can establish a centralized approach to help you avoid violating information blocking rules.
3. Have you met with your compliance, privacy and/or legal teams to confirm whether release of information policies and procedures need to be updated?
The ONC rule includes eight categories of exceptions where it could be permissible to interfere with, prevent, or materially discourage access, exchange or use of EHI. They are broadly bucketed into exceptions that involve not fulfilling requests and exceptions that involve procedures for fulfilling.
These exceptions are complex and nuanced, often with sub-exceptions that themselves have multiple requirements that must be met. While health information management (HIM) is at the front lines of responding to requests for health data, there should be organizational alignment with compliance, privacy and legal teams about appropriate policies and procedures for the appropriate access, exchange, or use of EHI.
4. Have you documented organizational policies covering privacy, security, and other practices related to releasing health information?
In several exception categories, ONC indicates the actor, as designated by the information blocking rule, should have organizational policies and procedures that document the need for information blocking.
For example, compliance with the HIPAA Privacy Rule’s minimum necessary requirement may be a valid reason for information blocking as long as the provider’s practice for making a minimum necessary determination or requiring an authorization for disclosure of unnecessary information:
- Is tailored to the applicable precondition (e.g., the Privacy Rule’s minimum necessary standard)
- Is implemented in a consistent and nondiscriminatory manner
- Conforms to the health care provider’s written policies and procedures that include criteria for determining whether the precondition is satisfied and that are implemented by the provider through employee training, for example
- Or is documented on a case-by-case basis with detail on the criteria used for determination and evaluation of the specific case against those criteria
It’s likely your organization already has many of the relevant policies in place, but it’s important to ensure that these policies are standardized and appropriately updated by adding language to satisfy the requirements in the information blocking exceptions.
5. In your facility, are you a part of a cross-functional team, including IT, that is planning for information blocking compliance with a roadmap for the next few years?
Some of the organizations we have worked with that are most prepared for information blocking enforcement have stood up a cross-functional team with responsibility for compliance with the ONC rule as well as the CMS rule relating to interoperability. Given that the rules include requirements spanning IT, Compliance, HIM, and perhaps other departments, it is helpful to designate responsibility within these groups as well as establish ongoing transparency and communication between the groups.
The rules advance a vision of healthcare providers as key enablers of patient and third-party access to clinical data. While various internal groups may take lead responsibility for individual requirements in the rules, healthcare organizations would benefit from having a central vision for digital access to clinical data as well as a roadmap for compliance with clear responsibilities.
While information blocking enforcement is the first milestone in the ONC rule, there are many more to come. Many of these milestones relate to health IT, and IT departments will likely lead compliance on them with their EHR vendor. However, it is critically important that HIM be engaged in these discussions and decisions because HIM is closest to understanding patient and other requestor needs. HIM should be actively involved in informing decisions about EHR functionality that will define daily HIM operations.
TIP: Bring together stakeholders from across the organization—information blocking is not solely the responsibility of HIM or IT. An enterprise-wide effort is required to ensure full compliance with the requirements of the Cures Act and the Final Rules.
6. Have you prepared staff and patient education materials?
The concept of freer access, exchange, or use of electronic health information (EHI) is here to stay. Congress passed the 21st Century Cures Act in 2016 and, since then, our society has come to enjoy and expect even greater access to data.
While health information management (HIM) staff may be the group most directly affected by the information blocking prohibition, other areas of the healthcare organization may also have interactions with requests for access, exchange, or use of electronic health information.
Organizations need to develop broad, comprehensive, internal communications that describe how the organization is supporting authorized and secure access, exchange, and use of electronic health information, and provide specific guidance on process changes employees may be implementing.
They should also be preparing to better educate patients. Examples of education include ways to access health data, how to use that health data to positively impact health outcomes, and how to make informed decisions about granting others access, especially given the lack of HIPAA protections outside of covered entities.
The beginning of information blocking enforcement is just another nudge towards greater interoperability and data sharing that will hopefully enable greater health care system transformation. It’s not too late to prepare your organization for information blocking enforcement.