A New Era for Access

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure #HCdeJure

The information blocking regulations that are designed to promote individual access to records finally went into effect on Monday, April 5, 2021. The regulations were long delayed, both in initial drafting and then in implementation after finalization. As a reminder, the premise of the regulations is to remove barriers to information for individuals, for organizations or applications acting on behalf of individuals, and for others. The goal goes to the ideal of establishing the free flow of data to support care coordination, care collaboration, and individual autonomy.

A Brief Primer
It may be difficult to remember what information blocking actually constitutes. As defined within the regulations, information blocking addresses an action by one of (i) a developer of health information technology, (ii) a health information network, (iii) a health information exchange, or (iv) a healthcare provider that is likely to interfere with access to, exchange of, or use of electronic health information. Electronic health information is a new term of art introduced for the information blocking regulations, but the definition goes back to essentially the definition of protected health information found in the HIPAA regulations and more specifically as set out in the patient right of access requirements under HIPAA. Specifically, electronic health information means protected health information contained in a designated record set (while this may not represent all information held, it is still pretty close to everything) whether or not the records are used or maintained by the entity holding them (this expands a bit as it would then sweep in all records and not just those considered by the holding entity to be included). However, consistent with HIPAA, the definition excludes psychotherapy records (mental health records are still given special protection) and information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative proceeding or action (essentially protecting information likely created through legal support).

The definition and base requirements implied in the definition, from a high-level perspective, align with the right of access under HIPAA. However, the rules do become much more expansive and drive more immediate access to electronic health information. One primary example would be posting lab or test results for patient access immediately, even if that means the treating physician or other clinician has not yet had a chance to review the results and/or contact the patient, if necessary, to discuss them. The access also gets into technology by driving application interface connections into electronic medical records, with the connecting application set by the individual’s choice. Privacy concerns likely justifiably exist on that front (how many actually read the terms of use or privacy policies of an app?) since an individual may unintentionally be exposing their information. However, the potential exposure, and its impact, is ultimately put into the hands of the individual.

But Wait, There are Exceptions
As with any good regulation, the basic premise of the regulation is creating liberal access to information, but exceptions to that right are included within the regulation too. Exceptions to broad regulations are commonplace because it is easier to define scope by identifying when the overarching principle does not apply (meaning definition by exclusion) as opposed to trying to affirmatively define a concept through an exclusive list of instances.

For information blocking, the following categories of exception exist:

  • Preventing Harm – Meant to address instances where denying access is reasonable and necessary to prevent harm to the requesting individual or another person;
  • Privacy – Requests can be denied to protect privacy (meaning privacy as established by another applicable law or regulation);
  • Security – Requests can be denied to protect security (meaning security as established by another applicable law or regulation);
  • Infeasibility – If it is infeasible, essentially not practically possible, to comply with a request because of limited technology capabilities, legal requirements or some other cause, then a request can be denied;
  • Health IT Performance – Recognizing that technology may need to be updated or taken offline, it would be reasonable to deny a request;
  • Content and Manner – The scope of information provided and how the request is fulfilled can allow for limitation, though not very extensively;
  • Fees – A fee can be charged for fulfilling the request to enable a reasonable profit margin that is based on reasonable costs of meeting the request and based on objective and verifiable criteria; and
  • Licensing – It is allowable to charge reasonable royalties for use of an innovation related to interoperability requirements.

A factor in all of the exceptions is the need to meet certain criteria as laid out in the particular exception. That means the devil will be in the details and what justifications are used to say why an exception applies.

The Challenges
Every regulation, whether new or existing, brings the challenge of understanding how to comply with the regulation. Compliance requires understanding, awareness, and education. As should be well known, those elements require a significant amount of time and attention. It is not a quick or easy process to understand the nuances of a new regulation or to change the course of how operations have gone for a significant period of time (even if those operations were not wholly consistent with even previously existing regulations).

The challenge of understanding the information blocking regulation should not be discounted. Regulations, even if arguably relatively clear, are subject to varying interpretations. Responses to frequently asked questions and other sub-regulatory guidance (meaning guidance that has not gone through a formal notice and comment period, which also means it is not binding) help to guide impacted or covered entities and individuals in how to comply with the law. Absent an official or unofficial position, varying positions can be taken that drive inconsistencies across organizations and create frustrations when it comes to accessing information.

Optimistically, a strong educational push will occur that helps create good understanding of the new regulations from the start. The very public attention to the rollout of the regulation and the growing expectation that information should be accessible are factors in favor of actual compliance occurring. If the spotlight remains on activities and non-compliance is highlighted, then the expected response would be to follow the regulations as called for. Again, that is an optimistic view of the outcome. The reality will likely be much messier because compliance is always an uphill battle and attempts to find loopholes will occur.

Another primary challenge will be aligning the new federal requirements with pre-existing state-by-state regulations that implement more restrictive measures when it comes to accessibility of information. The restrictions found in state law are often the cause of denial, even if HIPAA is cited. A similar outcome could occur with the information blocking regulations, especially since exceptions included with the regulations specifically contemplate denying a request if another law is at cross-purposes.

The scope of individuals who could submit a request is also expected to create complications. Taking pediatric records as an example, what happens when the patient is a teenager who, under state law, can consent without a parent to certain treatment or who wants to share personal information without a parent learning of it? Typically parents or guardians of unemancipated minors can see all records, though state law can give special protection in some of the scenarios identified in the example. If special protection is given, are those specially protected records maintained separately as a distinct record or would a blank space occur when a parent requests the record? The nuances can raise a number of questions as to how to comply and are already drawing comments from impacted entities and organizations.

Looking Forward
For now, attention should be focused on moving forward and taking the necessary steps to enable access. More individuals are interested in the access and working more collaboratively with healthcare teams. The drive for collaboration was underscored by some of the shifts to digital health seen throughout the course of the COVID-19 pandemic. Not only did individuals interact with clinicians through videoconferencing or other means of connection, but data were collected and remote engagement rose. Such connections should continue, but that will also fuel a desire to have information flow in both directions.

Related to moving forward and being cautiously optimistic about compliance, the opportunity for enforcement of violations will exist. While the specifics of how enforcement will occur are not yet known given the unknown status of the Office of Inspector General (OIG) finalizing a civil monetary penalty regulation, it will come at some point. Even with enforcement coming at some point, there could be uncertainty as to whether the OIG will focus on violations. Attention could be driven by outside forces if a number of complaints arise. Knowing whether that will occur will be a matter of time.

Connected to enforcement is whether reported violations will be tracked. Could a table similar to the HIPAA Wall of Shame be created? Public press and attention in that regard could be a form of peer pressure to drive change and compliance.

Ultimately, hiccups and bumps in the road will occur. However, the system and industry are changing and resisting just for the sake of resisting will not sit well. Consider the information blocking regulations as an opportunity for somewhat of a fresh start and an additional means of driving collaboration.

This article was originally published on The Pulse blog and is republished here with permission.