April 2, 2021, 11:30 a.m. Cindy Borgmeyer ― With new regulations prohibiting physicians and other health care providers from blocking health information sharing set to take effect next week, it’s important for AAFP members to know what to expect.
Case in point is the Information Blocking Rule developed by CMS and the Office of the National Coordinator for Health IT to implement a specific provision of the 21st Century Cures Act. Unlike HIPAA, which allowed physicians and other health care providers to share protected health information from the patient’s medical record with one another for the purposes of treatment, payment or operations but did not require them to do so, the Information Blocking Rule makes that information sharing between physicians and other covered entities mandatory unless one or more of eight exceptions can be applied.
Those exceptions are segmented into two categories:
AAFP News spoke with Academy Vice President and Chief Medical Informatics Officer Steven Waldren, M.D., M.S., to find out more details.
Q: What are the fundamentals members should know about the Information Blocking Rule?
A: The first key message is that the compliance deadline for the rule is April 5. The next is that there are no penalties currently defined by the government, so there’s no way to enforce the rule without taking that step, although there are HIPAA and other regulations that physicians need to comply with.
The last piece has two parts. One is that the definition of what has to be shared ― electronic health information, or EHI ― that’s limited until October 2022 to just a core data set, so it’s not the entire medical record. And the second is that there is a set of exceptions for various causes; these are appropriate reasons not to share that information.
Q: Can you describe a scenario in which such an exception would apply?
A: We have asked the federal government to do that because we currently don’t have any clear guidance. The content and manner exception is one I’d point to; it was part of the conversation in the final rule. There was a lawsuit brought against Alex Azar, as secretary of HHS, and the court said you can’t force the provider to deliver this information in just any format. It needs to be in whatever format is in the EHR.
So, if a patient asks for it ― for whatever reason and however they want it ― if you have it in that format and it’s a reasonable request, you’re required to provide it to them. But if they ask for the information in a manner that you don’t have, you can give it to them in an alternative format.
Q: Are there particular practices related to these exceptions that physicians should be careful about implementing?
A: On the fees exception, unless the physician is really incurring a significant cost, it’s probably not advisable to charge a fee. If you have a significant amount of expenses, you may recoup those expenses but no more than that. Be wary of that, because I can see that as an area that may be problematic if federal regulators think you’re overcharging. The other piece of this is to consider whatever is reasonable. So, if you’re the only practice that’s charging for this in your city, that might be an issue.
Q: What should we expect to see in the way of further guidance on how the exceptions will be interpreted?
A: Well, it’s going to be one of two things. It’s either going to come out as guidance from ONC saying here’s an example and here’s how it would or wouldn’t apply. The other is more or less like case law; as they find people or define people who are information-blocking and say here’s the example, then we’ll know we can’t do that.
What we asked for in our commentary on the proposed rule was to create the first couple of years of this as an educational program. So, when you find someone who is information-blocking, allow them to rectify it, and then you have clear guidance that that was an example of it. Don’t start fining people until after that’s been done.
Q: Do you see further developments in this privacy compliance area in the pipeline?
A: We’re going to be sending a letter to HHS because they’re considering revamping HIPAA due to some of the changes around that. There are planned changes in the HIPAA provision that might expand exceptions to the “minimum necessary standard,” meaning that you wouldn’t be required to fulfill the minimum and necessary components of HIPAA to better align it with this information blocking rule.
Overall, there’s a lot of national advocacy on redoing the privacy infrastructure around health information to expand it beyond covered entities, beyond hospitals and practices. Think about it: Facebook, Apple, Google ― they don’t have any requirements on them. But we don’t know if that will be three months from now or a year from now.
Q: Is there any more advice you’d like to offer members as this new rule is poised to take effect?
A: I would just say that folks can start looking through these exceptions and thinking about them as they contemplate not sharing information for whatever reason. There are going to be some “do no harm” situations; an example might involve an adolescent with a mental health issue or a sexually transmitted disease.
And I’ll repeat that there’s no enforcement yet because there are no penalties defined. I think the government will continue to provide more and more guidance, but it’s wise to start planning to share information if it’s appropriate for the person requesting it to have it.