- Under the Privacy Exception, an Actor is permitted to not fulfill a request received to access, exchange, or use EHI to protect an individual’s privacy.
- The sub-exception for a “precondition-not-satisfied” will continue to put state laws governing privacy and consent at the center of decisions about whether EHI will be shared with third parties.
- Healthcare providers and HIEs/HINs especially will need to ensure that they have identified and analyzed each legal precondition to the release of EHI that is applicable to the particular type of entity and type of information that is implicated.
Subscribe HERE to Legal HIE’s Compliance Library to gain access to sample policies, documents & tools for compliance with the Info Blocking Rule.
The 21st Century Cures Act and its related rules are being touted as the “missing ingredient” needed to propel the exchange of electronic health information forward to the next stage. A primary goal of this new law is to ensure that individuals have greater opportunity to leverage available and emerging technology which allows them to access and control their medical information as they see fit. It is likely that at least for patient access and control purposes, the Cures Act rules will help. However, the rules do not provide solutions to other legal barriers – such as state laws requiring specific consent to disclose certain sensitive data – which have plagued and stymied the robust exchange of EHI between legitimate stakeholders since its inception.
In fact, the Privacy Exception under the Information Blocking Rule ensures that Actors continue to defer to the patchwork of consent standards which are peppered throughout each state’s various statutes and regulations. Under the Privacy Exception, an Actor (i.e., healthcare provider, HIE/HIN, or certified health IT developer) is permitted to NOT fulfill a request received to access, exchange, or use electronic health information (EHI) if the Actor’s practice protects an individual’s privacy. To qualify for this exception, the Actor would need to demonstrate that all of the specific requirements have been met for at least one of the four “sub-exceptions” under the Privacy Exception. In particular, the sub-exception for a “precondition-not-satisfied” will continue to put state laws governing privacy and consent at the center of decisions about whether EHI will be shared with third parties.
Under the precondition-not-satisfied sub-exception, a state or federal law would have to require one or more preconditions (i.e., a signed consent) to be met before an Actor may permit a third-party to access or receive EHI. The Actor is required to tailor its excepted info-blocking practice to the applicable precondition-not-satisfied and implement it in a consistent and non-discriminatory manner — meaning that an Actor can’t decide to apply the precondition in certain instances, but not in others. Accordingly, the rules require that the Actor conform its excepted info-blocking practice in organization-wide policies and procedures (P&Ps) that:
- are in writing;
- specify the criteria to be used by the Actor to determine when the precondition would be satisfied and, as applicable, the steps that the Actor will take to satisfy the precondition; and
- are implemented by the Actor, including by providing training on the P&Ps.
If an Actor does not adopt and implement such written organization-wide P&Ps, then every instance where a request is made for access, exchange or use of EHI will need to be documented by the Actor on a case-by-case basis, identifying the criteria used by the Actor to determine when the precondition would be satisfied, any criteria that were not met, and the reason why the criteria were not met.
The rule further requires that if the state or federal law relies on the provision of a consent or authorization from an individual and the Actor has received a version of such a consent or authorization that does not satisfy all elements of the precondition required under applicable law, the Actor must use reasonable efforts within its control to provide the individual with a consent or authorization form that satisfies all required elements of the precondition OR provide other reasonable assistance to the individual to satisfy all required elements of the precondition. Additionally, an Actor may not improperly encourage or induce the individual to withhold the consent or authorization.
As a result, federal and state privacy consent laws will remain a source for mind-numbing debate when access to EHI is requested by third parties. However, in order to even get to the point of discussing whether a patient’s signed consent meets applicable state and federal requirements, Actors – and especially healthcare providers and HIEs/HINs – will need to ensure that they have identified and analyzed each legal precondition to the release of EHI that is applicable to the particular type of entity (ex., hospital vs. physician office) and type of information (ex., ADT vs. HIV/AIDS Info) that is implicated. By way of example, my Consent Tiers document offers a snapshot of just the first page of such analysis examining the federal and state law preconditions to consent. With the November 2020 deadline looming, Actors are best advised to begin evaluating the impact of the Cures Act rules and the Privacy Exception now, where such analysis will take time and effort to complete.
________________________
If you are interested in being emailed directly about our upcoming 3-part Webinar series which will take a deep dive into each one of the 8 Exceptions to Information Blocking one-by-one, use our Contact Us portal to get on our notification list.
