The information blocking rule expands to include the set of designated electronic records

In two weeks, on October 6, 2022, the 21st Century Act Information Prevention Act expands to prevent healthcare providers from blocking or interfering with patient access to any electronic information in a “designated recordset,” as the term defined under HIPAA. For health care providers, this has led to the question of exactly what information falls within the specific set of records and what their obligation is to make that information available to patients in real time. In preparation for this imminent expansion of the scope of the information blocking rule, it is time for health care providers to create or reconsider a policy on the information within their assigned records sets and to document the basis for any circumstances in which such information is not immediately available to patients through providers’ patient portals. Services.

The Information Ban Rule generally prohibits health care providers and some other covered “actors” from engaging in practices that interfere with access, use, or exchange of Electronic Health Information. A more robust DWT discussion of the Information Ban rule is available here. The “date of application” of the rule was April 5, 2021.

The block information rule definition of “electronic health information” was initially limited to data items represented in the United States Basic Data Standard for Interoperability (USCDI). Effective October 6, 2022, Electronic Health Information will be expanded to include all electronic information in a healthcare provider’s set of records. This represents a significant expansion of what information providers must make available to patients without undue delay.

What is the assigned set of records?

The Information Ban Rule includes HIPAA’s definition of a “designated set of records”, with a slight modification to address actors who block information that are not entities covered by HIPAA. Under this definition, as applied to healthcare providers, an assigned set of records includes:

A set of records kept by or for a health care provider:

  • (i) Medical and billing records of individuals maintained or held by a health care provider; or
  • (2) They are used, in whole or in part, by or for the benefit of a healthcare provider to make decisions about individuals.

There is sometimes confusion as to how a ‘specified set of records’ compares to a ‘legal medical record’. Neither HIPAA nor the Information Restriction Rule uses the term “legal medical record.” Health care providers generally have some discretion to determine what constitutes their “legal medical record.” The set of assigned records is larger, although it includes not only medical records (which can be interpreted to mean “legal medical record”), but also billing records and any other information used to make decisions about individuals.

A good test is whether a flaw in the data will affect patient care or payments. If there is a problem with the data, such as the accidental inclusion of another patient’s information, will that affect the treatment or the amount owed to the patient or the insurance company? If so, the information likely qualifies as part of the set of records identified for the purposes of the HIPAA and the Information Restriction Rule. In contrast, if there is a data defect that does not affect the patient but will only affect the internal operations of the provider – such as a quality assessment study – then the information is likely to be Not Part of a set of mapped records.

The HHS Office of Civil Rights (OCR) provided an example of a case from its enforcement files that the particular set of records—information subject to the HIPAA right of access—must include any information generated by another health care provider if that information is incorporated into the provider’s records. Accordingly, health care providers must include access to records within their systems that have originated from other providers if the information is used to make decisions about the individual.

In addition, there is sometimes confusion as to whether “primary data”, such as EKG, EEG, fetal monitoring data, etc., are part of the specific set of records, or if the healthcare provider needs to include only reports that interpret this data. OCR took executive action regarding patient access to fetal heart monitoring records, indicating that OCR interprets these raw data to be part of the set of records to the extent maintained by the health care provider.

Create or revisit the assigned recordset policy

Since April 2003, the HIPAA Privacy Rule (in 45 CFR § 164.524(e) (1)) has required a HIPAA covered health care provider to document particular recordsets subject to access by patients. Accordingly, the health care provider must already have a policy or other documentation describing the information that makes up their “designated set of records,” which will be subject to the extended information block rule.

If you are a healthcare provider and do not have documentation describing your set of records, this is a really good time to comply with HIPAA’s longstanding requirements.

If you already have a policy or other documentation related to your collection of records, this expansion of the information blocking rule and OCR’s separate focus on enforcing patient access means that now is a good time to review your policy and make sure it captures all the appropriate information.

Provide access to the designated set of records

One of the biggest questions surrounding the blocking of information rule is exactly what the health care provider’s obligation is with regard to electronic health information. For example, should providers proactively provide all electronic health information to patients, or do they need to provide this information only on request?

HHS’s Office of the National Health Information Technology Coordinator (ONC), the agency that drafted the Information Ban Act, has changed its guidance to answer this question. In January 2021, the National Bureau of Statistics initially issued guidance stating that “

“Proactive” or “proactive” is not a regulatory concept included in the Blocking of Information Regulations. Instead, information blocking regulations focus on whether the practice (action or omission) constitutes information blocking. Furthermore, an important consideration is whether the practice is likely to interfere with, prevent or physically discourage access, exchange, or use of the EHI.

In further directives to the UN national office, the agency stated: “It will do so too Probably Considered interference: a delay in providing access, exchange, or use after a patient has logged into the patient portal to access [electronic health information]That the healthcare provider has (including, for example, lab results) etc. [electronic health information] Unavailable-for any period of time– Through the Gate” (emphasis added).

Based on these guidelines, which do not have the force of law, health care providers should consider making the entire assigned set of records available in real time through the patient portal, unless there are valid circumstances that prevent the provider from doing so.

If the information in the custom set of records is not readily available through the patient portal, the health care provider does not necessarily need to move heaven and earth to make it available. For example, if the information for a particular set of records is located outside the EHR system and there will be a significant burden to create an interface that connects it to the patient portal, then the information blocking rule can be argued to not require the provider to proactively create this type of interface. Or, if the information is in archived records, the healthcare provider will not necessarily need to proactively upload all archived material into the patient portal.

Alternatively, the greater risk of non-compliance may be if the information of the particular record set is readily available through the patient portal but the provider either actively prevents the information from flowing through the portal or fails to operate the configuration that would make the information available through the portal.

To address this issue, health care providers may choose to look at their assigned recordset documentation, determine which particular recordset information will not be available through the patient portal, and document a good reason why it is not flowing into the patient portal, such as:

  • Information is not available through the patient portal due to technical issues, such as information that is outside the EHR and cannot be easily connected to the patient portal;
  • The information includes information that is not legally available through a patient portal and is not easily separated from that which may be available (such as information of a minor where a parent or guardian who has access to the portal is entitled to some of the minor’s information but no information about a particular sensitive care may consent legally obligated to them); or
  • A specific exception to the information-blocking rule applies, such as an individual determination that providing a patient with access to information would endanger the life or safety of the patient or others.

There is still a lot of confusion surrounding the information-blocking rule, and expectations for health care providers may change as additional guidelines are issued or regulations are amended.

Enforcement of the Information Ban Rule

No discussion of healthcare providers and the information blocking rule would be complete at this point without acknowledging the lack of an enforcement rule. The 21st Century Treatment Act states that if the HHS Office of the Inspector General (OIG) determines that a health care provider has violated the information blocking rule, the provider must be referred “to the appropriate agency for appropriate disincentives using the powers under applicable federal law, as determined by the Minister of during the establishment of notice and comment rules.” At this point, we don’t have a proposed enforcement rule regarding health care providers, so we don’t know which HHS agency will enforce the information blocking rule on health care providers or what “appropriate disincentives” are.

For other actors withholding information (health information technology developers, health information exchange networks and networks), OIG issued a proposed enforcement rule and indicated that it would not take enforcement action for conduct that occurs prior to publication of the final enforcement rule. HHS will likely follow suit for health care providers, only enforcing the rule against information blocking by health care providers after a specific enforcement rule applicable to health care provider information blocking has been proposed and completed. But that position is not guaranteed, so it is possible that one day HHS will seek to impose as yet unidentified “appropriate disincentives” on any health care provider found to prevent access to any part of the particular electronic record on or after October 6, 2022.

Leave a Reply

%d bloggers like this: