Selected Podcast
Information Blocking and Small Practices
Brad Trudell discusses information blocking and small practices and breaks down what information blocking is.
Featuring:
Brad Trudell
Brad Trudell is MetaStar’s HIPAA Privacy and Security Lead. He is an attorney with over 20 years of experience focusing on HIPAA privacy and security compliance. Brad has conducted hundreds of HIPAA Security Risk Assessments in 45 states for a variety of hospitals and other healthcare providers, health plans and government entities. Today, he’s sharing information with us about Information Blocking. Transcription:
Caitlin Whyte: MetaStar Health IT Radio is a podcast series that features consulting content experts and covers topics regarding the Wisconsin Medicaid EHR Incentive Program, Promoting Interoperability, formerly Meaningful Use, as well as a behavior health technical assistance initiative. Episodes covered will guide your practice, clinic, hospital, or hospital system through the complex federal and state requirements of the PI program.
MetaStar has helped more than 2000 providers attest to promoting interoperability as Wisconsin's Regional Extension Center since 2010 and continues to provide attestation assistance and audit preparation as a consulting service.
We are joined today by Brad Trudell to discuss information blocking. This is MetaStar Health IT Radio. I'm your host, Caitlin Whyte. So Brad, to start us off here, just what is information blocking?
Brad Trudell: In a nutshell, information blocking is an activity that prevents the free flow of patient data. Some examples would be that's just when the clinic can't access patient records from another provider or when an EHR vendor prevents patient data from being migrated to a provider's new EHR.
The patients can also feel the effects. They have difficulty either accessing their own health information or in sending the records to another provider. The general rule is that information blocking is a practice that's likely to interfere with the access, exchange and use of EHI, which is electronic health information. And if it's done by a health care provider, the provider has to know that the practice is unreasonable and likely to interfere with or prevent the access, exchange or use of EHI
So the Information Blocking Rules pertaining to EHI, which is defined as the EPHI or electronic protected health information that's in a HIPAA designated record set. So for providers, what we're really talking about is medical records and billing records about individuals and any other records that they use to make decisions about individuals.
Caitlin Whyte: Can you tell us more about the background on the Information Blocking Rule?
Brad Trudell: Yeah. Back in 2015, a report to congress first came up with a definition of information blocking. That report focused on non-legitimate reasons why EHR systems aren't interoperable or, in other words, able to exchange and use of patient data. The report discussed the complaints about both health IT vendors and healthcare providers and the targeted actions to address the issue including proposing new rules to deter this practice.
The next year, in December of 2016, the 21st Century Cures Act became law. The Cures Act included provisions to promote health information and interoperability and to prohibit information blocking by three groups of what they called actors, which include the health information networks, EHR vendors and, of course, the focus of today's talk, healthcare providers.
And a few years later in March of 2019, a proposed rule was released to sort of flesh out and implement the information blocking provisions of the Cures Act. Over 2000 comments were submitted to the feds regarding that proposed rule. And after reviewing and responding to all those comments, the final Information Blocking Rule was released in March of 2020.
Caitlin Whyte: So has this rule gone into effect yet?
Brad Trudell: The Information Blocking Rule is currently in effect. Originally, the rule was set to take effect on November 2nd of last year, but on October 29th, it was announced that the effective date had been pushed back to April 5th of 2021. This was largely, of course, as a result of difficulties that providers were facing due to ongoing coronavirus pandemic.
Caitlin Whyte: So, Brad, are there any exceptions under this rule?
Brad Trudell: Yeah, there are eight specific exceptions listed in the Information Blocking Rule. In other words, these would actually be valid reasons to restrict access to information, even though they would likely otherwise fall under the definition of EHI information blocking.
The eight exceptions are divided into two categories and the first category is called not fulfilling requests to access, exchange or use EHI. So not fulfilling requests. This first category contains five of the eight exceptions. The five are preventing harm, privacy, security, infeasibility and health IT performance.
The second category is called procedures for fulfilling requests to access, exchange or use EHI. And this category of course contains the other three exceptions: content and manner exception, fees exception and licensing exceptions. A big part of complying with Information Blocking Rule and taking advantage of any of these eight exceptions is going to be documentation as each one of the exceptions contains conditions and there are quite a few documentation requirements included with each of those conditions.
It will be important for providers to include in their documentation the specific facts and circumstances involved in the decision to use an exception. However, it's also important to point out that simply failing to meet the conditions of an exception will not automatically mean that the practice is guilty of information blocking. It only means that there isn't a guaranteed protection from potential penalties or disincentive. So each act will be evaluated on a case by case basis to determine if in fact information blocking has occurred.
Caitlin Whyte: Which of these exceptions are most applicable to smaller practices?
Brad Trudell: While it's important for practices to prepare and lay the groundwork to be able to take advantage of all eight of these exceptions, the preventing harm, privacy and security exception would likely be among those more commonly utilized by provider.
The preventing harm exception recognizes that protecting patients and others from unreasonable risks of harm can sometimes justify practices that could possibly interfere with the access, exchange or use of EHI. Therefore, it will not be considered information blocking to engage in practices that are reasonable and necessary to prevent harm to a patient or another person provided that certain conditions are met. However, the provider still has to hold a reasonable belief that the practice will substantially reduce that risk of physical harm to a patient or another person and also that the practice can't be broader than necessary to substantially reduce that risk of harm. So it must be narrowly tailored.
The privacy exception recognizes that providers shouldn't be required to use or disclose EHI in a way that is otherwise prohibited by state or federal privacy laws. Therefore, under the privacy exception, it will not be considered information blocking to not fulfill a request to access, exchange or use EHI in order to protect an individual's privacy provided, of course, that again certain conditions are met.
And the privacy exception does contain four subexceptions. And really those are designed to make sure that individual privacy rights are not reduced as a result of the information blocking provision and also to ensure that the information blocking provision doesn't require the use or disclosure of EHI in a way that's not otherwise allowed under the HIPAA privacy rule.
The security exception is intended to cover all legitimate security practices of providers. So it won't be considered information blocking to interfere with the access, exchange or use of EHI in order to protect the security of EHI, again, provided that certain conditions are met.
The security exception does allow providers to put in place reasonable and necessary security practices. And it also prohibits security practices that are basically just disguised forms of information blocking. A practice by a provider will not be considered information blocking if it's directly related to safeguarding what we call the CIA of EHI. That's the confidentiality, integrity, and availability of EHI. Also, if it's tailored to the specific security risk being addressed and then finally, if it's implemented in a consistent and nondiscriminatory manner. Providers and security related practices can satisfy the security exception by having a written organizational security policy in place.
Caitlin Whyte: Now, what should sites be doing to comply with these requirements?
Brad Trudell: There are several steps that practices should currently be taking to comply with the new requirements. First, it will be necessary to update and revise HIPAA policies to comply with the Information Blocking Rules. HIPAA's permissible disclosures of PHI are now required disclosures under the Information Blocking Rules, unless one of the eight exceptions applies, and this is a major change.
Information blocking could be found to exist if policies, for example, imposed privacy requirements from obtaining EHI above what the law actually requires. So updated policies and detailed procedures will be needed for providers to qualify for the exception under the new rule. And for example, use and disclosure policies, access policies, fee policies and security policies will all be among those that need to be updated.
Next up, conducting a robust SRA or security risk assessment in order to claim the security exception to information blocking. The practice in question must directly relate to the safeguarding of the CIA of EHI, confidentiality, integrity, and availability of EHI. And this has to be shown by having security policies, written security policies in place by conducting security risk assessments that guide the provider's security practices and, of course, by maintaining solid supporting security documentation.
Next, providers should be proactive with data requests. Under the privacy exception, the provider is allowed to deny a request for EHI. For example, if a HIPAA-compliant authorization form has not been received, but the provider still has to make reasonable efforts to provide a compliant form to the individual or to assist the individual with satisfying the requirements. Providers are not required to chase the patients, but they may be second guessed on the reasonableness of their efforts to assist individuals.
Next, providers should review fees that they charge. Any fee that's charged for the exchange of EHI, electronic health information, may be information blocking, unless an exception applies. Exceptions do allow some commercially reasonable fees and licensing, but the pricing has to be fair. Fees charged for patients to access their own EHI will be inherently suspect, meaning they're not going to be allowed unless it can be shown that they are cost-based. So providers should really keep cost records and documentation to justify those fees that they want to charge.
And then finally, business associate agreements and other contracts that restrict the use or disclosure of EHI, they should really be reviewed for overly strict provisions, which could result in information blocking. Unreasonable provisions that refuse to provide EHI for example and go beyond HIPAA's requirements could be considered information blocking.
Caitlin Whyte: At this time, what does enforcement of this rule entail?
Brad Trudell: OIG, the Office of the Inspector General is the federal office that will be investigating potential information blocking complaints. And OIG does have the authority to levy penalties of up to a million dollars per violation of the new rules. These are very strict penalties, obviously, but the penalties will not apply to providers unless the provider also happens to be health information network or exchange.
However, OIG may refer providers to what's called an appropriate agency for disincentives under the CMS Incentive Programs. Final enforcement details, including potential penalties for providers are going to be contained in future OIG rules. So again for right now, other actors besides providers are subject to million-dollar penalties. And right now, healthcare providers are more or less subject to potential disincentives under the CMS Incentive Programs.
Caitlin Whyte: And wrapping up here, Brad, where can folks go for more information?
Brad Trudell: Yeah, I would suggest HealthIT.gov to find out more information on the Information Blocking Rule. HealthIT.gov is going to contain fact sheets, webinars, additional FAQ's on the subject. In addition, the American Medical Association's website contains numerous links to useful documents, such as summaries of the Information Blocking Rule as well as tip sheets for compliance for providers. And as always, you can visit MetaStar.com, that's M-E-T-A-S-T-A-R dot com, for additional information.
Caitlin Whyte: Thank you, Brad, so much for being with us and breaking all this information down for us. For more information on this topic and to access resources mentioned, please visit MetaStar.com/podcast. That’s M-E-T-A-S-T-A-R dot com slash podcast. If you enjoyed this episode, you can find more just like it in our podcast library, and be sure to share it with others on your social channels.
This is MetaStar Health IT Radio. I'm your host, Caitlin Whyte. We'll see you next time.
Caitlin Whyte: MetaStar Health IT Radio is a podcast series that features consulting content experts and covers topics regarding the Wisconsin Medicaid EHR Incentive Program, Promoting Interoperability, formerly Meaningful Use, as well as a behavior health technical assistance initiative. Episodes covered will guide your practice, clinic, hospital, or hospital system through the complex federal and state requirements of the PI program.
MetaStar has helped more than 2000 providers attest to promoting interoperability as Wisconsin's Regional Extension Center since 2010 and continues to provide attestation assistance and audit preparation as a consulting service.
We are joined today by Brad Trudell to discuss information blocking. This is MetaStar Health IT Radio. I'm your host, Caitlin Whyte. So Brad, to start us off here, just what is information blocking?
Brad Trudell: In a nutshell, information blocking is an activity that prevents the free flow of patient data. Some examples would be that's just when the clinic can't access patient records from another provider or when an EHR vendor prevents patient data from being migrated to a provider's new EHR.
The patients can also feel the effects. They have difficulty either accessing their own health information or in sending the records to another provider. The general rule is that information blocking is a practice that's likely to interfere with the access, exchange and use of EHI, which is electronic health information. And if it's done by a health care provider, the provider has to know that the practice is unreasonable and likely to interfere with or prevent the access, exchange or use of EHI
So the Information Blocking Rules pertaining to EHI, which is defined as the EPHI or electronic protected health information that's in a HIPAA designated record set. So for providers, what we're really talking about is medical records and billing records about individuals and any other records that they use to make decisions about individuals.
Caitlin Whyte: Can you tell us more about the background on the Information Blocking Rule?
Brad Trudell: Yeah. Back in 2015, a report to congress first came up with a definition of information blocking. That report focused on non-legitimate reasons why EHR systems aren't interoperable or, in other words, able to exchange and use of patient data. The report discussed the complaints about both health IT vendors and healthcare providers and the targeted actions to address the issue including proposing new rules to deter this practice.
The next year, in December of 2016, the 21st Century Cures Act became law. The Cures Act included provisions to promote health information and interoperability and to prohibit information blocking by three groups of what they called actors, which include the health information networks, EHR vendors and, of course, the focus of today's talk, healthcare providers.
And a few years later in March of 2019, a proposed rule was released to sort of flesh out and implement the information blocking provisions of the Cures Act. Over 2000 comments were submitted to the feds regarding that proposed rule. And after reviewing and responding to all those comments, the final Information Blocking Rule was released in March of 2020.
Caitlin Whyte: So has this rule gone into effect yet?
Brad Trudell: The Information Blocking Rule is currently in effect. Originally, the rule was set to take effect on November 2nd of last year, but on October 29th, it was announced that the effective date had been pushed back to April 5th of 2021. This was largely, of course, as a result of difficulties that providers were facing due to ongoing coronavirus pandemic.
Caitlin Whyte: So, Brad, are there any exceptions under this rule?
Brad Trudell: Yeah, there are eight specific exceptions listed in the Information Blocking Rule. In other words, these would actually be valid reasons to restrict access to information, even though they would likely otherwise fall under the definition of EHI information blocking.
The eight exceptions are divided into two categories and the first category is called not fulfilling requests to access, exchange or use EHI. So not fulfilling requests. This first category contains five of the eight exceptions. The five are preventing harm, privacy, security, infeasibility and health IT performance.
The second category is called procedures for fulfilling requests to access, exchange or use EHI. And this category of course contains the other three exceptions: content and manner exception, fees exception and licensing exceptions. A big part of complying with Information Blocking Rule and taking advantage of any of these eight exceptions is going to be documentation as each one of the exceptions contains conditions and there are quite a few documentation requirements included with each of those conditions.
It will be important for providers to include in their documentation the specific facts and circumstances involved in the decision to use an exception. However, it's also important to point out that simply failing to meet the conditions of an exception will not automatically mean that the practice is guilty of information blocking. It only means that there isn't a guaranteed protection from potential penalties or disincentive. So each act will be evaluated on a case by case basis to determine if in fact information blocking has occurred.
Caitlin Whyte: Which of these exceptions are most applicable to smaller practices?
Brad Trudell: While it's important for practices to prepare and lay the groundwork to be able to take advantage of all eight of these exceptions, the preventing harm, privacy and security exception would likely be among those more commonly utilized by provider.
The preventing harm exception recognizes that protecting patients and others from unreasonable risks of harm can sometimes justify practices that could possibly interfere with the access, exchange or use of EHI. Therefore, it will not be considered information blocking to engage in practices that are reasonable and necessary to prevent harm to a patient or another person provided that certain conditions are met. However, the provider still has to hold a reasonable belief that the practice will substantially reduce that risk of physical harm to a patient or another person and also that the practice can't be broader than necessary to substantially reduce that risk of harm. So it must be narrowly tailored.
The privacy exception recognizes that providers shouldn't be required to use or disclose EHI in a way that is otherwise prohibited by state or federal privacy laws. Therefore, under the privacy exception, it will not be considered information blocking to not fulfill a request to access, exchange or use EHI in order to protect an individual's privacy provided, of course, that again certain conditions are met.
And the privacy exception does contain four subexceptions. And really those are designed to make sure that individual privacy rights are not reduced as a result of the information blocking provision and also to ensure that the information blocking provision doesn't require the use or disclosure of EHI in a way that's not otherwise allowed under the HIPAA privacy rule.
The security exception is intended to cover all legitimate security practices of providers. So it won't be considered information blocking to interfere with the access, exchange or use of EHI in order to protect the security of EHI, again, provided that certain conditions are met.
The security exception does allow providers to put in place reasonable and necessary security practices. And it also prohibits security practices that are basically just disguised forms of information blocking. A practice by a provider will not be considered information blocking if it's directly related to safeguarding what we call the CIA of EHI. That's the confidentiality, integrity, and availability of EHI. Also, if it's tailored to the specific security risk being addressed and then finally, if it's implemented in a consistent and nondiscriminatory manner. Providers and security related practices can satisfy the security exception by having a written organizational security policy in place.
Caitlin Whyte: Now, what should sites be doing to comply with these requirements?
Brad Trudell: There are several steps that practices should currently be taking to comply with the new requirements. First, it will be necessary to update and revise HIPAA policies to comply with the Information Blocking Rules. HIPAA's permissible disclosures of PHI are now required disclosures under the Information Blocking Rules, unless one of the eight exceptions applies, and this is a major change.
Information blocking could be found to exist if policies, for example, imposed privacy requirements from obtaining EHI above what the law actually requires. So updated policies and detailed procedures will be needed for providers to qualify for the exception under the new rule. And for example, use and disclosure policies, access policies, fee policies and security policies will all be among those that need to be updated.
Next up, conducting a robust SRA or security risk assessment in order to claim the security exception to information blocking. The practice in question must directly relate to the safeguarding of the CIA of EHI, confidentiality, integrity, and availability of EHI. And this has to be shown by having security policies, written security policies in place by conducting security risk assessments that guide the provider's security practices and, of course, by maintaining solid supporting security documentation.
Next, providers should be proactive with data requests. Under the privacy exception, the provider is allowed to deny a request for EHI. For example, if a HIPAA-compliant authorization form has not been received, but the provider still has to make reasonable efforts to provide a compliant form to the individual or to assist the individual with satisfying the requirements. Providers are not required to chase the patients, but they may be second guessed on the reasonableness of their efforts to assist individuals.
Next, providers should review fees that they charge. Any fee that's charged for the exchange of EHI, electronic health information, may be information blocking, unless an exception applies. Exceptions do allow some commercially reasonable fees and licensing, but the pricing has to be fair. Fees charged for patients to access their own EHI will be inherently suspect, meaning they're not going to be allowed unless it can be shown that they are cost-based. So providers should really keep cost records and documentation to justify those fees that they want to charge.
And then finally, business associate agreements and other contracts that restrict the use or disclosure of EHI, they should really be reviewed for overly strict provisions, which could result in information blocking. Unreasonable provisions that refuse to provide EHI for example and go beyond HIPAA's requirements could be considered information blocking.
Caitlin Whyte: At this time, what does enforcement of this rule entail?
Brad Trudell: OIG, the Office of the Inspector General is the federal office that will be investigating potential information blocking complaints. And OIG does have the authority to levy penalties of up to a million dollars per violation of the new rules. These are very strict penalties, obviously, but the penalties will not apply to providers unless the provider also happens to be health information network or exchange.
However, OIG may refer providers to what's called an appropriate agency for disincentives under the CMS Incentive Programs. Final enforcement details, including potential penalties for providers are going to be contained in future OIG rules. So again for right now, other actors besides providers are subject to million-dollar penalties. And right now, healthcare providers are more or less subject to potential disincentives under the CMS Incentive Programs.
Caitlin Whyte: And wrapping up here, Brad, where can folks go for more information?
Brad Trudell: Yeah, I would suggest HealthIT.gov to find out more information on the Information Blocking Rule. HealthIT.gov is going to contain fact sheets, webinars, additional FAQ's on the subject. In addition, the American Medical Association's website contains numerous links to useful documents, such as summaries of the Information Blocking Rule as well as tip sheets for compliance for providers. And as always, you can visit MetaStar.com, that's M-E-T-A-S-T-A-R dot com, for additional information.
Caitlin Whyte: Thank you, Brad, so much for being with us and breaking all this information down for us. For more information on this topic and to access resources mentioned, please visit MetaStar.com/podcast. That’s M-E-T-A-S-T-A-R dot com slash podcast. If you enjoyed this episode, you can find more just like it in our podcast library, and be sure to share it with others on your social channels.
This is MetaStar Health IT Radio. I'm your host, Caitlin Whyte. We'll see you next time.