The IBR Privacy Exception permits actors to not fulfill a request for access, exchange, or use of EHI under certain circumstances.
If a federal or state law requires a legal precondition (e.g., consent) to be satisfied before EHI may be released, an actor may follow that law. If an actor operates in multiple states with differing privacy standards, the actor would be permitted (but not required) to adopt a single standard (e.g., consent required) consistent with the state law that is the most restrictive.
- If the individual who is the subject of the EHI requests his/her EHI to not be shared, an actor may deny a requestor access to such individual’s EHI consistent with the individual’s expressed wishes.
Subscribe HERE to Legal HIE’s backend compliance library to gain access to tools, checklists, whitepapers, sample policies and a lot more to help your organization stay on top of the newest compliance challenges in 2023!
On April 1, the Office of National Coordinator (ONC) posted several new responses to Frequently Asked Questions (FAQ) about the Information Blocking Rule (IBR). Three (3) of the new FAQs focus on the IBR’s Privacy Exception and how it works in tandem with the HIPAA Privacy Rule and other “privacy protective laws.” Here are the highlights:
- Would it be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to comply with federal privacy laws that require certain conditions to have been met prior to disclosure?
“No, it would not be information blocking if the actor’s practice of not fulfilling a request in such circumstances meets the Privacy Exception (45 CFR 171.202) . . . where federal law such as the HIPAA Privacy Rule does not permit EHI to be used or disclosed unless certain requirements (“preconditions”) are met, then an actor’s practice of not fulfilling a request to access, exchange, or use EHI when these preconditions are not met is not information blocking. The Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the Privacy Exception outlines a framework for actors to follow so that the actors’ practices of not fulfilling requests to access, exchange, or use EHI would not constitute information blocking when a precondition of applicable law has not been satisfied.” See FAQ48.1.2023APR
- If an individual requests that their EHI not be disclosed, is it information blocking if an actor does not disclose the EHI based on the individual’s request?
“No, if the actor’s conduct satisfies the requirements of the information blocking regulations, such as the Privacy Exception (45 CFR 171.202). For example, the sub-exception Respecting an Individual’s Request Not to Share Information permits an actor, unless the disclosure is required by law, to honor an individual’s request not to provide access, exchange, or use of the individual’s EHI, which aligns with the individual’s right to request a restriction on disclosures of their protected health information under the HIPAA Privacy Rule (45 CFR 164.522(a)(1)).” See FAQ47.1.2023APR
- If an actor, such as a health care provider, operates in more than one state, is it consistent with the information blocking regulations for the health care provider to implement practices to uniformly follow the state law that is the most privacy protective (more restrictive) across all the other states in which it operates?
“Yes, if the actor satisfies the requirements of the information blocking regulations, such as the Precondition Not Satisfied sub-exception of the Privacy Exception (45 CFR 171.202(b)). For purposes of the information blocking regulations, health care providers and other information blocking actors operating under multiple state laws, or state and tribal laws, with inconsistent legal requirements for EHI disclosures may choose to adopt uniform policies and procedures so that the actor only makes disclosures of EHI that meet the requirements of the state law providing the most protection to individuals’ privacy (45 CFR 171.202(b)).” See FAQ49.1.2023APR
You can visit ONC’s page here to view all of the FAQs posted in their entirely (Tip: after the “Filter” field, if you select “Yes” to “Recently added/changed” you will see just the newest FAQs).
In my opinion, the IBR’s Privacy Exception is the most challenging to understand and implement (a close second is the Preventing Harm Exception). If you’re someone who likes to use a checklist to serve as a roadmap when addressing challenging compliance topics like how to operationalize the IBR Privacy Exception, then download a complimentary copy of the IBR Checklist – Privacy Exception (.pdf) which is an excerpt from our comprehensive IBR Checklist for compliance with all of the IBR Exceptions. For our full IBR compliance checklist and more IBR tools, check out our Legal HIE compliance library which is available through subscription here.
