- Your vendor is not “taking care of it.” Compliance with the Information Blocking rule is about more than just the technology.
- Assemble a “task team” to tackle operational decisions that need to be made to comply with Information Blocking.
- Use a checklist to begin “ticking off” boxes to ensure that your organization is moving towards compliance with Info Blocking by April 5th!
Subscribe to HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Information Blocking Rule.
Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. Although a significant part of the Information Blocking Rule does include new requirements for health IT developers to successfully obtain ONC certification or recertification in the future, including alignment with compliant information blocking practices, there are operational decisions and other process issues that must be addressed and can only be implemented by the Actor – i.e., the health care provider organization or HIE/HIN, as applicable. So, every health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April 5, 2021. Where should you start? I propose using a checklist as a simple starting point to begin “ticking off” your Information Blocking “to do” list — and, good news . . . I have put one together for you here to get you started!
Completing all of the items on this list does not guarantee your organization’s compliance with Information Blocking, which will be determined by other considerations including your organization’s health IT functionality and types of requests for EHI being received. Nevertheless, I think that it offers a good-enough skeleton to build off of as you dig deeper into your Information Blocking compliance efforts. Enjoy!
[dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″ admin_label=”Table Maker”][dvmd_table_maker_item col_content=”Assemble a “task team” to tackle Information Blocking
Vendor/EMR representative
IT/ Security
Privacy Officer
Legal/Compliance” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Determine what type(s) of “Actor”=” col_content=”Determine what type of “Actor” is your organization?
Health Care Provider?
HIE/HIN?
Developer/offeror of Certified Health IT?
More than one?” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px”][dvmd_table_maker_item col_label=”Identify/evaluate current practices” col_content=”Identify/evaluate current practices for potential info blocking
Patient Portals: What is being requested and released? Is EHI impermissibly delayed or blocked?
Provider Portals: What is being requested & released?
EMR requests for access, exchange and use of EHI by who? for what purpose(s)?
Review HIPAA Business Associate Agreements & update if needed. No %22unconscionable terms%22 or prohibited blocking of EHI.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Develop basic Information Blocking policies” col_content=”Develop basic Information Blocking policies
Preventing Harm Exception
Privacy Exception
Security Exception
Infeasibility Exception
Health IT Performance Exception
Content & Manner Exception
Fees Exception
Licensing Exception
(8 sample policies are available in our Compliance Library. See the Membership tab for details)” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker]
Implement compliant practices:
[dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Preventing Harm” col_content=”Preventing Harm
Use a harm “Decision Tree” for determinations. (see our Compliance Library for this Tool)
Practitioner training/education: educate your practitioners on how to make %22harm%22 determinations.
Make determinations based on written Organizational Policy or episodic determinations. Decide on process.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Privacy Exception” col_content=”Privacy Exception
Review consent process, and update as needed.
arrow_carrot-right Identify exceptions to consent under applicable federal & state law
arrow_carrot-right Add new process to ensure “reasonable efforts” are made to facilitate obtaining compliant consent when required
Review & update HIPAA Right of Access & Personal Representatives P&Ps.
arrow_carrot-right Minors & Parents
arrow_carrot-right HIPAA Personal Representatives & other %22Legal Representatives%22 recognized for Info Blocking
arrow_carrot-right Follow HIPAA for unreviewable denials of access
Review & update HIPAA Request for Confidential Communications P&Ps.
Training as needed for registration, HIM, medical records, staff etc.
Make determinations to deny requests for EHI based on Privacy Exception per written Organizational Policy or episodic.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Security Exception” col_content=”Security Exception
IT to review to ensure comprehensive Organizational Security Policy (OSP) in place to satisfy Security Exception.
arrow_carrot-right Must identify specific security risks (HIPAA risk assessment; other)
arrow_carrot-right Security practices must be tailored to the identified risks (per industry standards i.e., NIST)
arrow_carrot-right Ensure there is a comprehensive Security Response Plan in place to address incidents
Review & update HIPAA Security P&Ps as needed. Cross-walk them to the OSP.
Implement security practices in accordance with OSP. Evaluate new security risks as they come up or in response to new or original requests for EHI.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Infeasibility Exception” col_content=”Infeasibility Exception
Use a “Decision Tree” to deny requests for EHI based on infeasiblity. Document. (see our Compliance Library for this Tool)
Use a “Notice of Infeasibility” to inform requestor when a decision is made to deny access, exchange or use of EHI due to infeasibility. (see our Compliance Library for this Form)” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Health IT Performance” col_content=”Health IT Performance
Train/educate IT staff on permissible delays & downtime under Information Blocking.
Do not take incoming EHI “off line” as a default.
Delay for data %22mapping” is allowed.
Must “know” or “reasonably suspect” data has errors in order to take EHI offline. Cannot presume all data is inaccurate.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Content & Manner Exception” col_content=”Content & Manner Exception
Determine if only USCDI data will be provided (through October 5, 2022), or elect to provide all EHI requested.
Use a “Decision Tree” for providing EHI in alternate manner per Manner Exception. (see our Compliance Library for this Tool)” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Fees Exception” col_content=”Fees Exception
Identify arrangements where a “fee” is or may be charged for access, exchange or use of EHI.
Ensure that fee arrangements comply with the Fees Exception.
A requestor that demands a particular Manner of access/exchange/use of EHI which requires specific IT or costly customization can be required to cover such cost which is not required to fit within the Fees Exception.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Licensing Exception” col_content=”Licensing Exception
Determine who is responsible for licensing agreements for EHI.
Review and ensure licensing agreements for EHI comply with the Licensing Exception.
Develop and use a template Licensing Agreement for EHI that is compliant with the Licensing Exception.” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker][dvmd_table_maker tbl_icon_type=”%%67%%” tbl_icon_size=”16px” tbl_icon_color=”#0081C5″ _builder_version=”4.8.1″ _module_preset=”default” custom_padding=”10px||10px||true|false” hover_enabled=”0″ border_radii_tbl_chead_cell_border=”on|6px|6px|6px|6px” sticky_enabled=”0″][dvmd_table_maker_item col_label=”Develop process to evaluate requests for EHI going forward” col_content=”Develop a process to evaluate & escalate incoming requests for EHI going forward
” col_icon_type=”%%61%%” col_icon_color=”#F79521″ col_tcell_cell_align_vert=”center” col_tcell_cell_padding=”|15px||15px|false|true” _builder_version=”4.8.1″ _module_preset=”default” col_tcell_text_font_size=”14px” col_chead_text_font=”|700|||||||” col_chead_text_font_size=”15px” hover_enabled=”0″ border_color_all_col_tcell_cell_border=”#FFFFFF” border_style_all_col_tcell_cell_border=”solid” sticky_enabled=”0″][/dvmd_table_maker_item][/dvmd_table_maker]
Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Information Blocking Rule. Review our Table of Contents here.
