How Data Exchange Laws May Affect Information Blocking Exceptions

When complying with the information blocking provisions of the 21st Century Cures Act, healthcare organizations must consider the context of other laws surrounding electronic health data exchange, according to a HealthITBuzz blog post written by Steven Posnack, deputy national coordinator for health IT.

Posnack noted that As outlined in the Cures Act, the “starting line” for evaluating whether a practice might be information blocking is different depending on the fact pattern and actor(s) involved (for example, healthcare providers, certified health IT developers, and health information networks or health information exchanges), Posnack wrote.

As a result, understanding how the information blocking provision applies to individual practices must account for case-by-case information, such as what an actor’s intent was, whether a regulatory exception has been met, and whether there was an interference in the access, sharing, or use of electronic health information.

Posnack emphasized that stakeholders should consider the information blocking provision in the context of other laws surrounding electronic health data exchange.

He suggested that healthcare organizations keep in mind how three main concepts found in the information blocking regulations (“required by law,” “interference,” and “exceptions”) align with other laws.

Posnack also noted that the information blocking definition provided in the Cures Act did not include practices that were likely to interfere with access, exchange, or use of electronic health information when the practice was “required by law.”

“ONC’s regulatory definition of information blocking substantially mirrors the statute, and ONC currently interprets ‘required by law’ to include federal and state law, and tribal laws, as applicable,” he wrote.

Based on this definition, it likely would not be considered information blocking if an actor abided by a state law that prohibits disclosure of certain parts of an adolescent’s electronic health information to the adolescent’s parent, Posnack pointed out as an example.

An “interference” is “any practice (an act or omission) that is likely to interfere with, materially discourage, or prevent access, exchange, or use of electronic health information,” Posnack said.

He explained that if a state or federal law allows a particular interference to occur without violating that law, then the actor could not solely rely on that law as justification for unnecessarily delaying or interfering with access, exchange, or use of electronic health information.

“Interference in the form of delays that may be allowed but are not required by other laws is not automatically exempted from implicating the information blocking definition,” he said.

Posnack said that entities should examine their practices that may have been set up in relation to laws that allow certain periods of delay before they share data, as these once permitted practices may now interfere with electronic health information access in a way that could constitute “information blocking.”

Information blocking “exceptions,” of which there are eight, are necessary activities that do not constitute information blocking. Posnack suggested that actors review the Privacy and Preventing Harm Exceptions when it comes to other laws that may place requirements on electronic health information sharing.

For instance, one aspect of the Privacy Exception focuses on fulfilling pre-conditions of federal and/or state law before providing access, exchange, or use of electronic health information.

Another aspect of the Privacy Exception focuses on situations where it may be reasonable and necessary to restrict access to a patient’s electronic health information, such as honoring an individual’s request to limit sharing of their information.

The Preventing Harm Exception covers interference with a patient’s access, sharing, or use of their own electronic health information to reduce risk of physical harm to the patient or other(s).

Based on similar types of harm identified by the HIPAA Privacy Rule, the Preventing Harm Exception also covers interference with access, exchange, or use of an individual’s electronic health information by the patient’s representative — such as a pediatric patient’s parent — to reduce the risk of substantial harm to the patient or to another individual.  

“We encourage actors to review the exception if they are concerned about some form of harm coming from the release of EHI in fulfilment of the individual’s right of access under the HIPAA Privacy Rule,” Posnack concluded.