What Is Information Blocking?
The Information Blocking Rule is integral to the healthcare industry and allows healthcare providers to perform better care. Keep reading to learn more.
Healthcare can be a complicated industry, especially when it comes to the protection and sharing of medical information. Keep reading to learn more about information blocking, how to avoid being penalized for it, and the major exceptions to these relatively new provisions.
An Introduction to Information Blocking
In 2016, the federal government passed the 21st Century Cures Act, which contained many healthcare reforms. One of the goals of this piece of legislation was to improve access to medical records for both patients and their healthcare providers. On April 5, 2021, the Information Blocking Rule went into effect, which finalized many of the regulations put forth by the Cures Act.
According to the Office of the National Coordinator for Health Information Technology (ONC), Information Blocking refers to when entities—primarily healthcare providers and IT developers— inhibit access to electronic health information (EHI) and make it more difficult for patients and the healthcare organizations that provide care to them to use the information for healthcare purposes.
Information Blocking FAQs
Here are a few frequently asked questions regarding information blocking to elaborate further on the topic.
Why Is the Information Blocking Rule Important?
As discussed above, the Cures Act and Information Blocking Rule strive to increase patients’ access to their healthcare information. It also encourages secure communication between healthcare providers and health information technology companies. With increased access to medical information, patients can be more informed of their care, and healthcare providers can offer better, more informed health services.
What Are Some Examples of Information Blocking?
Here are a few common practices that can be considered information blocking:
- Restricting authorized access that is applicable under state or federal law.
- Implementing health IT in nonstandard ways that increase complexity and make it more difficult for patients and healthcare to access EHI.
- Limiting or restricting health IT’s ability to share EHI with other users.
- Refusing to register an application that enables patient access to EHI.
- Acts that lead to fraud, waste, or abuse.
- Opportunistic pricing practices.
What Information Is Covered?
As of October 5, 2022, all of the electronically protected health information (ePHI) defined by HIPAA is covered by the Information Blocking Rule, including:
- Dates, such as birthdate or treatment dates
- Contact numbers
- Email address
- Social Security Numbers
In short, ePHI is any information that can be used to identify a patient.
What Information Is Not Covered?
There are only two sets of information not covered by the Information Blocking rule: psychotherapy notes, as defined by HIPAA, and documents and information being prepared for litigation. Otherwise, the provision covers all of the ePHI defined by HIPAA.
Who Do the Information Blocking Regulations Apply to?
The information blocking regulations apply to three main groups of organizations:
- All healthcare providers
- Health information technology companies that design and use IT systems for the healthcare industry
- Health information exchanges/networks, which healthcare providers use to access and share patients’ EHI.
How Are HIPAA and the Information Blocking Rule Related?
If HIPAA permits disclosure to EHI, the Information Blocking Rule requires it. Here are a few more points of comparison between the two regulations:
|HIPAA||Information Blocking Rule|
|Specifies when PHI can be shared with a third party.||Requires that ePHI must be accessible to patients and authorized third parties.|
|Providers can deny a request for access if it would jeopardize the health or safety of the patient or another individual.||Providers can deny access according to the eight information blocking exceptions (discussed below).|
|Defines who has access to PHI.||Requires that access must be provided for those described under HIPAA.|
|Defines when a release of PHI is or is not required.||States that if sharing is permitted, with or without a release, access to ePHI is also allowed.|
What Are the Penalties for Information Blocking?
Health IT companies violating the Information Blocking Rule can be fined up to $1 million per violation. However, there is currently no monetary penalty for providers. Instead, they will be referred to an appropriate agency to discourage them from the practice. Because the ruling is still relatively new, the federal government will likely issue further regulations regarding penalties for healthcare providers in the next few years.
Proper medical billing and coding is an important part of providing expert care and establishing clear, accurate communication between your organization, patients, and other healthcare providers. Explore our services and see how BSI Medical Billing can support your healthcare organization in providing the care your patients need.
8 Information Blocking Exceptions
Although the recent regulatory changes have made it much easier for patients and collaborating healthcare providers to access EHI, there are a few key exceptions to the rule.
1. Preventing Harm Exception
It is not considered information blocking if an actor engages in reasonable and necessary practices to prevent physical harm to a patient or another person. The Preventing Harm Exception may also be used if disclosing certain data or EHI would endanger a patient’s or other person’s safety.
2. Privacy Exception
It’s not considered information blocking if it is reasonable and necessary to withhold information to protect a patient’s or individual’s privacy. For the Privacy Exception to be satisfied, at least one of the following four sub-exceptions must be met:
- A precondition, such as patient consent or authorization, is not satisfied
- Health IT developer isn’t covered by HIPAA Privacy Rule
- Denial is consistent with HIPAA Privacy Rule for a covered entity or business associate
- Respecting an individual’s request not to share information
3. Security Exception
It’s not considered information blocking if an actor interferes with the disclosure of EHI to protect the security of that information. For this exception to apply, the practice must be directly related to safeguarding the confidentiality of EHI and implemented in a consistent manner.
4. Infeasibility Exception
The Infeasibility Exception states that if an actor does not fulfill a request because certain uncontrollable factors make doing so impossible, such as natural disasters, it is not considered information blocking.
5. Health IT Performance Exception
It’s not considered information blocking to make health IT unavailable to benefit its overall performance. For this exception to apply, the practice must perform maintenance swiftly and in a non-discriminatory fashion.
6. Licensing Exception
It is not considered information blocking if an actor licenses interoperability elements for accessing EHI. Interoperability elements allow for two or more systems to exchange health information and use it upon reception. For this exception to apply, the actor must successfully negotiate a series of license conditions, including:
- Scope of rights
- Reasonable royalty
- Non-discriminatory terms
- Collateral terms
- Non-disclosure agreement
7. Fees Exception
The fees exception states that it is not information blocking for an actor to charge fees to access or exchange EHI. Fees must be based on objective, verifiable criteria and applied uniformly.
8. Content and Manner Exception
The Content and Manner Exception allows an actor to limit the content of their response or how they fulfill a request. The Content Condition sets what information an actor must provide in response to a request to access, exchange, or use EHI, according to the Cures Act final ruling’s definition. The Manner Condition states that an actor can change a request’s fulfillment if they are technically unable to fulfill it or if they cannot reach agreeable terms with the requestor.