Will ONC’s Final Rule put HIEs between a “Block and a Hard Place”?

by | May 18, 2020 | Information Blocking, Privacy & Consent

  • Health Care Providers, Health Information Exchanges (HIEs) and Health Information Networks (HINs) will be legally prohibited from interfering with the access, exchange, or use of EHI unless an exception applies.
  • HIEs/HINs are not allowed to use or further disclose PHI other than as permitted or required by their HIPAA BAAs with health care providers.
  • Only HIEs and HINs are exposed to potential monetary penalties (but not health care providers) if they wrongfully withhold information when an exception to information blocking is improperly applied.

Subscribe HERE to Legal HIE’s Compliance Library to gain access to sample policies,  documents & tools for compliance with the Info Blocking Rule.

This month, ONC officially published its Cures Act Final Rule which, among other things, prohibits “Actors” from engaging in “information blocking.” There are three categories of “Actors” regulated by the information blocking section of ONC’s final rule: (1) Health Care Providers, (2) Health Information Networks (HINs) or Health Information Exchanges (HIEs), and (3) Health IT Developers of Certified Health IT. These types of Actors will be legally prohibited from “interfering with” the access, exchange, or use of electronic health information (EHI), unless one or more of the eight (8) exceptions specifically laid out in the rule applies. However, what if a Health Care Provider and its HIPAA Business Associate HIE/HIN disagree on whether an exception allows EHI to be withheld from access, exchange, or use under a specific set of facts?

ONC refined key definitions in its Final Rule.  Specifically, the definitions of HIN/HIE Actors were revised and are now defined as follows:

 “Health information network” or “health information exchange” means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and

(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.

First, it is important to note that the information blocking provisions only apply to HIEs/HINs where EHI is exchanged between “more than two unaffiliated individuals or entities.” Therefore, exchange of EHI that takes place within a single healthcare system or between one or more affiliated persons or entities is not subject to the information blocking rules.

Second, the final rule makes the information blocking provisions applicable only to access, exchange or use of EHI for treatment, payment or health care operations, but additionally includes persons or entities who are not otherwise a “covered entity” or “business associate” as defined by HIPAA. So, the final rule expands the potential reach of Actors who could be found to be engaging in prohibited information blocking. However, this post focuses on situations where prohibited information blocking practices are in question between an HIE/HIN that is a HIPAA Business Associate and a HIPAA covered entity health care provider.

As most know, HIPAA sets a floor for privacy below which a covered entity health care provider cannot go with respect to how such provider uses and discloses protected health information (PHI). When a state law specifically requires additional privacy protections on how certain PHI is used and disclosed (e.g., HIV/AIDS), the more stringent state law must be followed. However, until now, many health care providers have also been allowed to voluntarily adopt more conservative organizational policies governing how patients’ medical information is shared with others. Currently, the HIPAA Privacy Rule also still allows this. For example, with regard to “optional elements” that may be included in a health care provider’s Notice of Privacy Practices (NPP), Sect. 164.520(b)(2)(i) states:

“In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by §164.512(j)(1)(i).”

Before the 21st Century Cures Act, there was no issue if a health care provider elected to be more restrictive with regard to how it shared patients’ information. For example, a provider might always require a signed consent from the patient before releasing the patient’s medical information to anyone, even when one was not technically required by HIPAA or state law.  In accordance with the HIPAA Privacy Rule, providers would have also reflected these privacy practices in their HIPAA NPP. However, some of these “conservative” practices will need to change.

As health care providers begin to examine and potentially overhaul long-standing internal practices of how they share patient information to address their new obligation to avoid engaging in prohibited information blocking, additional challenges will likely arise when such information is shared through a contracted HIE/HIN.  Both health care providers and HIEs/HINs are Actors which will be required to not engage in information blocking practices.  However, the Privacy Exception under the ONC final rule will allow such Actors to withhold sharing EHI if the conditions of that exception are met.  How that Privacy Exception is interpreted and determined to apply by a covered entity health care provider and its HIE/HIN could become a potential point of contention.  In anticipation of this, health care providers and HIE/HINs would be best served by beginning those discussions now before enforcement begins for all EHI on May 1, 2022 — starting with potentially tweaking their HIPAA BAAs, as needed.

HIPAA requires that the HIPAA BAA between a covered entity (i.e., health care provider) and a business associate (i.e., an HIE/HIN) must establish the permitted and required uses and disclosures of protected health information by the business associate (see 45 CFR 164.504(e)(2)(i)).  Therefore, if a use and disclosure would be required under the ONC final rule on information blocking, then those should be established in the HIPAA BAA. Additionally, in many instances, covered entity health care providers have purposefully drafted-in restrictions on how a HIE/HIN may share their PHI, even when such sharing would otherwise be permitted under HIPAA.  Such restrictions may now need to be revisited even if ONC has not specifically required HIPAA BAAs to be revised to align with its final rule on information blocking.  In the Preamble to the final rule, ONC states:

“While the information blocking provision does not require actors to violate these agreements, a BAA or its associated service level agreements must not be used in a discriminatory manner by an actor to forbid or limit disclosures that otherwise would be permitted by the Privacy Rule.”

Therefore, by getting a head start on reviewing the uses and disclosures of PHI established in their HIPAA BAAs and current information sharing practices, health care providers and their HIEs/HINs can potentially be better prepared for situations in the future where one party (i.e., the health care provider) believes that the Privacy Exception applies but the other party (i.e., the HIE/HIN) disagrees. As pointed out in my previous post covering the OIG’s release of a Proposed Rule for Civil Monetary Penalties which may be assessed for intentional information blocking, only HIEs and HINs will be subject to such penalties – which could put them between a rock and a hard place if their healthcare provider customers are not on the same page about certain information sharing requests.
