5 Practices to Avoid: Understanding the CURES Act Information Blocking Rule

As of April 5, 2021, all health care providers are required to comply with the 21st Century Cures Act Information Blocking Rule. This Rule is intended to enhance patients’ rights to access, to promote communication and sharing of information between medical providers and with health information technology companies, and to debunk myths and practices that had arisen under the HIPAA privacy regulations that were causing roadblocks in the efficient communication of medical information.  

Information blocking is defined as “any practice that is likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange or use of Electronic Health Information (EHI)” unless required by law or if an exception applies. EHI includes all electronic protected health information contained in the designated record set as defined in HIPAA: medical records, billing records, payment and claims records, health plan enrollment records, case management records, and any other records used, in whole or in part, to make decisions about patients. Psychotherapy notes and information compiled in reasonable anticipation of litigation are specifically excluded from EHI.  

Brief descriptions of other exceptions are as follows:

  • The Preventing Harm Exception allows a provider to withhold EHI if the provider holds a reasonable belief that the practice will substantially reduce a risk of harm.  
  • The Privacy Exception recognizes that a provider should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws. 
  • The Security Exception states that it will not be information blocking for a health care provider to interfere with the access, exchange, or use of EHI to protect the security of EHI, provided certain conditions are met. 
  • The Health IT Performance Exception recognizes that there may be times when a provider cannot respond because its health IT is offline temporarily for maintenance or upgrades to the system.
  • The Content and Manner Exception permits a health care provider to fulfill a request in an alternative manner when the provider is technically unable to fulfill the request in the manner requested or cannot reach agreeable terms with the requestor to fulfill the request.  
  • Under the Fees Exception, health care providers may recover certain costs reasonably incurred for the access, exchange, or use of EHI if certain conditions are met. This exception will most likely be applicable to EHR vendors rather than health care providers.
  • The Licensing Exception acknowledges that in certain cases, a license to access, exchange, or use EHI may be necessary for certain “interoperability elements” to be used. This exception will also most likely be applicable to EHR vendors rather than health care providers.

To assist in your compliance with this complex regulation, here are five practices to avoid. These examples are identified in U.S. Department of Health and Human Services (HHS) commentary and guidance as potential information blocking.

  1. Routinely delaying the posting of lab or test results until after speaking with the patient. HHS guidance repeatedly emphasizes that this practice is prohibited and that the Preventing Harm Exception will not justify a policy of withholding or delaying access to lab or test results until after the provider has had a chance to review the results and speak with the patient, except in rare and special circumstances pertaining to a particularly susceptible, individual patient.
  2. Failing to provide same-day access to available EHI in a form and format requested by a patient or by a provider, and instead taking several days to respond. The records do not have to be provided unless requested. But once requested, the records are to be provided “immediately.” “Immediately” is not defined; however, HHS commentary suggests that the provider should respond to an information request usually within a day or two, and more quickly if the situation is more urgent. The HIPAA 30-day response time does not apply to the Information Blocking Rule.
  3. Not enabling patient portal features that allow patients to directly transmit or request direct transmission of their EHI to a third party. The Information Blocking Rule involves more than just promptly posting a patient’s medical records to the patient portal or timely responding to a patient’s request for access, exchange, or use of EHI. Any policy, practice, or contract provision that interferes with a patient’s access may constitute information blocking.
  4. Requiring an individual’s written consent or authorization before sharing EHI with unaffiliated providers for treatment purposes when not required by state or federal law, or incorrectly claiming that the HIPAA Rules or other laws preclude a provider from exchanging EHI with unaffiliated providers. HIPAA is not as restrictive as most health care providers may think. Under HIPAA, it is permissible, but not required, to share medical records with another health care provider for treatment purposes without an authorization or release of records form signed by the patient. Requiring a patient to sign a consent or authorization when not required, or claiming that HIPAA requires an authorization when it does not, is information blocking. HIPAA sets forth many other circumstances where providers are permitted, but not required, to disclose medical information without an authorization from the patient.
  5. Failing to report required conditions, illnesses, or injuries as required by state law or failing to respond to public health or health oversight requests. As noted in guidance, if a health care provider is permitted to provide access under HIPAA, then the Information Blocking Rule would require that access as long as the provider is not otherwise prohibited by law from doing so. HIPAA sets forth many circumstances where providers are permitted, but not required, to disclose medical information without an authorization from the patient. The Information Blocking Rule would apply to requests for access from patients or their personal representatives, other health care providers (HIPAA Treatment Exception), health oversight entities such as medical boards or Medicare (HIPAA Health Oversight Exception), public health authorities (HIPAA Public Health Activities Exception), and others who may properly obtain access under HIPAA (See HIPAA Law Enforcement Exception, Judicial and Administrative Proceedings Exception, etc.). Accordingly, failing to report a gunshot wound, knife wound, child abuse, elder abuse, infectious diseases, or similar condition, illness, or injury required by state law to be reported would be information blocking because such disclosures would be permitted under HIPAA. Similarly, failure to respond to a request for records from health oversight entities such as medical boards or Medicare could also be considered information blocking.

These are the areas where HHS is likely to focus initially, expanding into more subtle areas over time. More information may be obtained on the Office of the National Coordinator’s website at https://www.healthit.gov/topic/information-blocking

This article is for informational purposes only. It is not intended as legal advice, or as a substitute for the advice of an attorney or other professional. It does not address all possible legal and other issues that may arise regarding information blocking and interoperability. Each health care provider should consult legal counsel for specific legal advice if an issue arises.

Published: 2nd Quarter 2023