Empowering Patients with Their Health Record in a Modern Health IT Economy

by Mario Fucinari DC, CPCO, CPPM

The following frequently asked questions were organized as a service by Mario Fucinari DC, CPCO, CPPM. The laws, rules, and regulations regarding the establishment and operation of a healthcare facility vary greatly from state to state and are constantly changing. Dr. Mario Fucinari does not engage in providing legal services. If legal services are required, the services of a healthcare attorney should be obtained. The information in this document has been verified for accuracy; however, the information is for educational purposes and should not be construed as written policy for any federal agency.

Introduction

The patient is at the center of the 21st Century Cures Act. Putting patients in charge of their health records is a crucial piece of patient control in health care, and patient control is at the center of HHS’s work toward a value-based health care system.

The ONC Cures Act Final Rule implements interoperability requirements outlined in the Cures Act. Patients need more power in their health care, and access to information is key to making that happen.
Putting the patient first in health technology enables the health care system to deliver:

  • Transparency into the cost and outcomes of their care
  • Competitive options in getting medical care
  • Modern smartphone apps to provide them convenient access to their records
  • An app economy that provides patients, physicians, hospitals, payers, and employers with innovation and choice

FAQ

Q: What or who is defined in the three categories of actors regulated by the information blocking section of the ONC Cures Act Final Rule?

A: The three categories of “actors” are defined as:

  • Health Care Provider – A health care provider is a: hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.*
  • Health Information Network or Health Information Exchange – Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:
    • Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
    • That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.
  • Health IT Developer of Certified Health IT – Health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT for its own use, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).

Q. Do the information blocking regulations require actors to have or use certified health IT, or upgrade the certified health IT software they already have, in order to fulfill a request to access, exchange, or use electronic health information?

A: No. The information blocking regulations do not require actors to have or use health IT certified under the ONC Health IT Certification Program. Actors subject to the information blocking regulations are not required to immediately upgrade their certified health IT (as of the applicability date (i.e., April 5, 2021)) if they also happen to participate in a separate regulatory program that requires the use of certified health IT, such as CMS’ Promoting Interoperability Programs. However, the law applies to the access, exchange, and use of EHI no matter what technology is used by actors.


Q: What are the timeframes for implementation of the information blocking regulations?

A: The Interim Final Rule revised the information blocking definition in 45 CFR 171.103 to adjust the timeframe for the “USCDI limitation.” Information Blocking regulations require an actor to give assurances that it will not take any action that constitutes information blocking or actions that inhibit access, exchange, and use of electronic health information (EHI). Before October 6, 2022, electronic health information (EHI) for the purposes of the information blocking definition is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

Enforcement of the information blocking regulations depends upon the individual or entity that is the subject of an enforcement action or “actor.” For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General is currently engaged in rulemaking to establish enforcement dates. For health care providers, HHS must engage in future rulemaking to establish appropriate disincentives as directed by the 21st Century Cures Act.


Q: If my state law differs from the Federal law, which one takes precedence?

A: If an actor is prohibited under state law from sharing certain electronic health information (EHI), they are not caught in a catch-22. The state law applies and, therefore, the actor does not need to also meet a regulatory exception to information blocking for the EHI that the state law prohibits sharing.


Q: Will my current health information software be required to be certified?

A: Any health IT developer with one or more Health IT Modules certified under the ONC Health IT Certification Program is covered by the information blocking law. In addition, someone who does not initially develop but does offer one or more certified Health IT Modules to others, such as by resale or other arrangement potentially including donation of software or services, is also a “health IT developer of certified health IT.”

In the information blocking law, Congress established that health IT developers of certified health IT and HINs/HIEs would be subject to penalties of up to $1M per violation for engaging in information blocking. It’s also worth noting that health IT developers of certified health IT are subject to an “information blocking” Condition of Certification under the ONC Health IT Certification Program.


Q: What are the consequences if I, as a health care provider, do not offer access to health information?

A: A health care provider who engages in information blocking may be subject to “appropriate disincentives,” as set forth by the HHS Secretary. Regulations (not yet issued) are required to implement HHS’ approach to these disincentives.


Q: When would a delay in fulfilling a request for access, exchange, or use of EHI be considered an interference under the information blocking regulation?

A: A determination as to whether a delay would be an interference that implicates the information blocking regulation would require a fact-based, case-by-case assessment of the circumstances. That assessment would also determine whether the interference is with the legally permissible access, exchange, or use of EHI; whether the actor engaged in the practice with the requisite intent; and whether the practice satisfied the conditions of an exception. Please see 45 CFR 171.103 regarding the elements of information blocking. A delay would most likely not be interpreted as an interference if the delay is necessary to enable the access, exchange, or use of EHI.


Q: If a person has not requested access to their electronic health information, must I be proactive to make the information available through patient portals?

A: No. There is no requirement under the information blocking regulations to proactively make available any EHI to patients or others who have not requested the EHI. We note, however, that a delay in the release or availability of EHI in response to a request for legally permissible access, exchange, or use of EHI may be an interference under the information blocking regulations.


Q: Are actors expected to release test results to patients through a patient portal or application programming interface (API) as soon as the results are available to the ordering clinician?

A: While the information blocking regulations do not require actors to proactively make electronic health information (EHI) available, once a request to access, exchange or use EHI is made, actors must timely respond to the request (for example, from a patient for their test results). Delays or other unnecessary impediments could implicate the information blocking provisions.


Q: If a state or federal law or regulation, such as the HIPAA Privacy Rule, requires EHI to be released no later than a certain time frame after the request is made, is it safe to assume that any practice that meets the release of the information within that required timeframe will never be considered information blocking?

A: No. The information blocking regulations (45 CFR Part 171) have their own standalone provisions (see 42 U.S.C. 300jj-52). The fact that an actor covered by the information blocking regulations meets its obligations under another law applicable to them or its circumstances (such as the maximum allowed time an actor has under that law to respond to a patient’s request) will not automatically demonstrate that the actor’s practice does not implicate the information blocking definition.

If an actor who could more promptly fulfill requests for legally permissible access, exchange, or use of EHI chooses instead to engage in a practice that delays fulfilling those requests, that practice could constitute an interference under the information blocking regulation, even if requests affected by the practice are fulfilled within a time period specified by a different applicable law.


Q: Will educating patients about the privacy and security risks posed by health information delivery methods such as third-party apps or email that the patient chooses be considered interference?

A: It will not be considered an “interference” with the access, exchange, or use of EHI if:

    • Foremost, the information provided by actors focuses on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
    • Second, this information is factually accurate, unbiased, objective, and not unfair or deceptive; and
    • Finally, the information is provided in a non-discriminatory manner.

Q: Does the electronic health information definition’s exclusion of psychotherapy notes apply to notes of sessions conducted by a type of mental health professional other than a psychiatrist?

A: It depends. To the extent the content of any particular note meets the definition of “psychotherapy notes” in the HIPAA Rules (see 45 CFR 164.501), that note would be considered a psychotherapy note for purposes of information blocking. The information blocking regulations do not specify types of health care providers to be mental health professionals for purposes of applying the “psychotherapy notes” definition under the information blocking regulations. Thus, all notes that are “psychotherapy notes” for purposes of the HIPAA Rules are also “psychotherapy notes” for purposes of the information blocking regulations in 45 CFR part 171, and are therefore excluded from the definition of EHI for purposes of the information blocking regulations.


Q: Is draft clinical information, such as clinical notes or incomplete test results that are pending confirmation or edit, included in the definition of electronic health information for purposes of the information blocking regulations?

A: Draft clinical notes and laboratory results pending confirmation are examples of data points that may not be appropriate to disclose or exchange until they are finalized. However, if such data are used to make health care decisions about an individual then that data would fall within the definition of “designated record set” (see 45 CFR § 164.501), and therefore within the definition of EHI. To the extent a data point falls within the definition of EHI, practices likely to interfere with legally permissible access, exchange or use of that EHI could implicate the information blocking definition.

From April 5, 2021 through October 5, 2022, EHI’s scope for purposes of the information blocking definition is limited to the EHI that is represented by data classes and elements within the United States Core Data for Interoperability (USCDI). Therefore, during this period, interference with a request for legally permissible access, exchange, or use of non-final data points would potentially implicate the information blocking regulations only to the extent noted in the above paragraph and only to the extent that the data are within both the definition of EHI and the data classes and elements represented within the USCDI.


Q: For the period of time when information blocking is “limited to the United States Core Data for Interoperability (USCDI),” how is an actor expected to fulfill a request for the USCDI if they do not yet have certified health IT in place that includes an API with the USCDI standard?

A: An actor is not automatically required to fulfill a request using the specific content and vocabulary standards identified in the United States Core Data for Interoperability (USCDI) standard for the representation of data classes and data elements, nor are they required to use certified technology or any specific functionality. The information blocking definition (45 CFR 171.103) provides that before October 6, 2022, electronic health information (EHI) is limited to the subset of EHI represented by the data elements identified by the USCDI standard. This limitation of EHI for purposes of the information blocking definition is not contingent on whether those data elements are recorded or represented using specific content and vocabulary standards in the USCDI standard in 45 CFR 171.213. On and after October 6, 2022, the information blocking regulations in 45 CFR part 171 pertain to all EHI as defined in 45 CFR 171.102.

Again, the information blocking regulations do not require the use of any specific standard or functionality. Instead, the “Content and Manner” exception (45 CFR 171.301) outlines a process by which an actor may prioritize the use of standards in fulfilling a request for EHI in a manner that supports and prioritizes the interoperability of the data. This means that, for the purposes of information blocking, before October 6, 2022, an actor may fulfill a request with the EHI identified by the data elements represented in the USCDI standard, first in the manner requested and, if not, in an alternate manner agreed upon with the requestor, following the order of priority specified in the exception.

Note: Due to this fact, one should consider using methods described in “HIPAA for the Chiropractic Profession” (www.Askmario.com) such as encryption and email with PDF software.


Q: What are the applicability dates and enforcement dates for the information blocking regulations?

A: The applicability date for the information blocking regulations in 45 CFR part 171 was established in the ONC Cures Act Final Rule and was subsequently adjusted in the ONC Interim Final Rule. The applicability date is April 5, 2021.

The Interim Final Rule also revised the information blocking definition in 45 CFR 171.103 to adjust the timeframe for the “USCDI limitation.” Before October 6, 2022, electronic health information (EHI) for the purposes of the information blocking definition is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

Enforcement of the information blocking regulations depends upon the individual or entity (“actor”) that is the subject of an enforcement action. For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General is currently engaged in rulemaking to establish enforcement dates. For health care providers, HHS must engage in future rulemaking to establish appropriate disincentives as directed by the 21st Century Cures Act.

Sources:

  1. https://www.healthit.gov/curesrule/resources/information-blocking-faqs
  2. https://www.healthit.gov/buzz-blog/category/21st-century-cures-act
  3. https://www.healthit.gov/cures/sites/default/files/cures/2020-03/InformationBlockingActors.pdf
  4. “HIPAA for the Chiropractic Profession,” copyright 2021 by Mario Fucinari DC, CPCO, CPPM, CIC, www.askmario.com

Dr. Mario Fucinari is a Certified Insurance Consultant, Certified Professional Compliance Officer, a Certified Profession Practice Manager, and a member of the Medicare Carrier Advisory Committee. Dr. Fucinari is also on the speaker’s bureau for ChiroHealthUSA, NCMIC, and Foot Levelers. Contact Dr. Fucinari for classes on HIPAA, Medicare, documentation, examination, or rehabilitation training. If you wish to have him speak for your group, you can contact him or one of the speaker’s bureaus for availability and class content. For further information, you may email him at Doc@Askmario.com or check his website for resources at www.Askmario.com.