Information Blocking Regulations Work in Concert with HIPAA Rules

And Other Privacy Laws to Support Health Information Privacy

By Rachel Nelson and Kathryn Marchesini, ONC
Twitter: @ONC_HealthIT

We often get asked about how ONC’s information blocking regulations and HHS’ Office for Civil Rights’ (OCR) Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) interact with one another. To help clarify, ONC just released a few new information blocking frequently asked questions (FAQs) that illustrate how the federal regulations interact. This post also reviews how the information blocking regulations interact with the HIPAA Privacy Rule and other laws that impose specific restrictions on information sharing to protect the privacy of an individual’s health information.

ONC’s information blocking regulations generally promote the access, exchange, and use of electronic health information (EHI) as defined in the information blocking regulations. Recognizing that many information blocking actors (as defined in the information blocking regulations) are also subject to the HIPAA Rules — as HIPAA covered entities, business associates of HIPAA covered entities, or both — ONC designed the information blocking regulations with the understanding that many actors would need to continue complying with the HIPAA Rules. Although it may be easy to see how the HIPAA Privacy Rule and ONC’s information blocking regulations reinforce one another in an area like an individual’s right of access, we understand that it may be less obvious in other areas.

Today, ONC posted three information blocking FAQs highlighting how information blocking regulations work in tandem with the HIPAA Privacy Rule and other privacy protective laws in force today where:

  • An actor does not disclose an individual’s EHI based on the individual’s request that their EHI not be disclosed (IB.FAQ47.1.2023APR);
  • An actor does not fulfill a request to access, exchange, or use EHI in order to comply with federal privacy laws that require certain conditions to have been met prior to disclosure (IB.FAQ48.1.2023APR); or
  • An actor, such as a health care provider, that operates in more than one state implements practices to uniformly follow the state law that is the most privacy protective across all the other states in which the actor operates (IB.FAQ49.1.2023APR).

On April 12, 2023 our colleagues in OCR published a proposed rule that detailed potential changes to the HIPAA Privacy Rule. Learn more about OCR’s proposed rule, including its full details and how to share any comments that you may have on OCR’s proposals.

Below is a brief walkthrough of three aspects of the information blocking regulations to remember as you review the proposed updates to the HIPAA Privacy Rule and recently enacted or currently proposed changes to other federal, state, or tribal laws that protect the privacy of an individual’s health information.

1. If another law that applies to the actor prohibits sharing EHI in a particular circumstance, such as for a particular purpose, then not sharing EHI in the particular circumstance is not information blocking.

The information blocking definition (45 CFR 171.103(a)(1)) excludes practices likely to interfere with access, exchange, or use of EHI when the practices are required by law. Our reference to “required by law” here includes federal statutes, regulations, court orders, and binding administrative decisions or settlements. It also includes state and tribal laws where applicable. (85 FR 25794)

Interferences with EHI access, exchange, or use that are required by law are not limited to but would include a prohibition on using or disclosing EHI for a particular purpose. For example, the HIPAA Privacy Rule prohibits certain health plans from using or disclosing genetic information for underwriting purposes (45 CFR 164.502(a)(5)(i)). Because compliance with this prohibition is required by law for an actor subject to this prohibition, such an actor’s practice of denying any request for access, exchange, or use of EHI that violates the prohibition would be excluded from the information blocking definition (45 CFR 171.103) without needing to be covered by any exceptions set out in later sections of the information blocking regulations.

Similarly, any information blocking actor subject to another provision of federal law, or a provision of a state or tribal law, that expressly prohibits a certain access, exchange, or use of EHI must comply with that other law. The actor’s practice of denying the access, exchange, or use of EHI that is expressly prohibited by the other law with which the actor must comply would be excluded from the information blocking definition (45 CFR 171.103) without needing to be covered by any exceptions set out in later sections of the information blocking regulations.

2. If another law that applies to an actor permits the actor to share EHI only if specific requirements are met first, then information blocking regulations allow for the actor’s taking reasonable and necessary steps to ensure the actor shares EHI only when those requirements are met.

Some laws, as discussed above, include provisions that specifically prohibit certain accesses, exchanges, or uses of EHI. However, health information privacy laws in general are typically framed in a way that permit an access, exchange, or use of health information to be made only if specific preconditions are satisfied and do not expressly prohibit access, exchange, or use of EHI for most purposes. (For discussion of how ONC distinguished between practices likely to interfere with EHI access, exchange, or use that are required by law and practices that an actor engages in pursuant to a law protecting health information privacy, see 85 FR 25794 and 85 FR 25846).

The Precondition Not Satisfied (45 CFR 171.202(b)) subexception of the information blocking Privacy Exception outlines a framework actors can follow so that the actors’ practices of not fulfilling requests to access, exchange, or use EHI would not be considered information blocking when a precondition of applicable law has not been satisfied. A recently posted ONC Information Blocking FAQ (IB.FAQ48.1.2023[APR]) discusses examples of the interaction between the information blocking regulations and two different HIPAA Privacy Rule preconditions that, when satisfied, render the use or disclosure of PHI permitted under the HIPAA Privacy Rule. One of those examples cites the precondition of obtaining an individual’s authorization, and another references the “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” guidance issued by OCR in the summer of 2022.

3. If federal or state laws restricting or prohibiting the sharing of EHI change, the information blocking regulations are built to automatically accommodate actors’ need to comply with those other laws as soon as changes are effective.

The exclusion from the (45 CFR 171.103) information blocking definition of practices required by law and the (45 CFR 171.202(b)) precondition not satisfied subexception are not tied to specific laws or preconditions. The information blocking regulations accommodate actors’ compliance with the HIPAA Privacy Rule today or as it may be updated over time to add, remove, or modify restrictions, prohibitions, or requirements for using or disclosing PHI. The information blocking regulations likewise accommodate actors’ compliance with other laws as these laws’ restrictions, prohibitions, or preconditions on sharing individuals’ health information evolve over time alongside the policy and technology landscape.

We hope this walkthrough helps illustrate the relationship between the information blocking regulations and the HIPAA Rules, as well as other laws — federal, state, or tribal — that impose specific restrictions on information sharing to protect the privacy of an individual’s health information. To find out more about how the information blocking regulations and HIPAA Rules work together, including additional FAQs, please visit the information blocking page of ONC’s website, HealthIT.gov.

Public comments on the proposed changes to the HIPAA Privacy Rule will be open for 60 days following publication in the Federal Register, and should be submitted via one of the ways identified in OCR’s proposed rule.

This post was originally published on the Health IT Buzz and is syndicated here with permission.