Checklist for Info Blocking Compliance

Feb 25, 2021 | Information Blocking

  • Your vendor is not “taking care of it.” Compliance with the Information Blocking rule is about more than just the technology.
  • Assemble a “task team” to tackle operational decisions that need to be made to comply with Information Blocking.
  • Use a checklist to begin “ticking off” boxes to ensure that your organization is moving towards compliance with Info Blocking by April 5th!

Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Information Blocking Rule.

Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. Although a significant part of the Information Blocking Rule does include new requirements for health IT developers to successfully obtain ONC certification or recertification in the future, including alignment with compliant information blocking practices, there are operational decisions and other process issues that must be addressed and can only be implemented by the Actor, i.e., the health care provider organization or HIE/HIN, as applicable.

So, every health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April 5, 2021. Where should you start? I propose using a checklist as a simple starting point to begin “ticking off” your Information Blocking “to do” list, and, good news: I have put one together for you here to get you started!

Completing all of the items on this list does not guarantee your organization’s compliance with Information Blocking, which will be determined by other considerations including your organization’s health IT functionality and types of requests for EHI being received. Nevertheless, I think that it offers a good-enough skeleton to build off of as you dig deeper into your Information Blocking compliance efforts. Enjoy!

  • Assemble a “task team” to tackle Information Blocking
      • Vendor/EMR representative
      • IT/Security
      • Privacy Officer
      • Legal/Compliance
  • Determine what type of “Actor” your organization is
      • Health Care Provider?
      • HIE/HIN?
      • Developer/offeror of Certified Health IT?
      • More than one?
  • Identify/evaluate current practices for potential info blocking
      • Patient Portals: What is being requested and released? Is EHI impermissibly delayed or blocked?
      • Provider Portals: What is being requested and released?
      • EMR requests for access, exchange and use of EHI: by whom? For what purpose(s)?
  • Review HIPAA Business Associate Agreements and update if needed. No “unconscionable terms” or prohibited blocking of EHI.
  • Develop basic Information Blocking policies
      • Preventing Harm Exception
      • Privacy Exception
      • Security Exception
      • Infeasibility Exception
      • Health IT Performance Exception
      • Content & Manner Exception
      • Fees Exception
      • Licensing Exception

    (8 sample policies are available in our Compliance Library. See the Membership tab for details.)

  • Implement compliant practices:
      • Preventing Harm
          • Use a harm “Decision Tree” for determinations. (See our Compliance Library for this Tool.)
          • Practitioner training/education: educate your practitioners on how to make “harm” determinations.
          • Make determinations based on written Organizational Policy or episodic determinations. Decide on process.
      • Privacy Exception
          • Review consent process, and update as needed.
          • Identify exceptions to consent under applicable federal & state law.
          • Add new process to ensure “reasonable efforts” are made to facilitate obtaining compliant consent when required.
          • Review & update HIPAA Right of Access & Personal Representatives P&Ps.
          • Minors & Parents
          • HIPAA Personal Representatives & other “Legal Representatives” recognized for Info Blocking
          • Follow HIPAA for unreviewable denials of access.
          • Review & update HIPAA Request for Confidential Communications P&Ps.
          • Training as needed for registration, HIM, medical records, staff, etc.
          • Make determinations to deny requests for EHI based on Privacy Exception per written Organizational Policy or episodic.
      • Security Exception
          • IT to review to ensure a comprehensive Organizational Security Policy (OSP) is in place to satisfy the Security Exception.
          • Must identify specific security risks (HIPAA risk assessment; other).
          • Security practices must be tailored to the identified risks (per industry standards, i.e., NIST).
          • Ensure there is a comprehensive Security Response Plan in place to address incidents.
          • Review & update HIPAA Security P&Ps as needed. Cross-walk them to the OSP.
          • Implement security practices in accordance with OSP. Evaluate new security risks as they come up or in response to new or original requests for EHI.
      • Infeasibility Exception
          • Use a “Decision Tree” to deny requests for EHI based on infeasibility. Document. (See our Compliance Library for this Tool.)
          • Use a “Notice of Infeasibility” to inform requestor when a decision is made to deny access, exchange or use of EHI due to infeasibility. (See our Compliance Library for this Form.)
      • Health IT Performance
          • Train/educate IT staff on permissible delays & downtime under Information Blocking.
          • Do not take incoming EHI “off line” as a default.
          • Delay for data “mapping” is allowed.
          • Must “know” or “reasonably suspect” data has errors in order to take EHI offline. Cannot presume all data is inaccurate.
      • Content & Manner Exception
          • Determine if only USCDI data will be provided (through October 5, 2022), or elect to provide all EHI requested.
          • Use a “Decision Tree” for providing EHI in alternate manner per Manner Exception. (See our Compliance Library for this Tool.)
      • Fees Exception
          • Identify arrangements where a “fee” is or may be charged for access, exchange or use of EHI.
          • Ensure that fee arrangements comply with the Fees Exception.
          • A requestor that demands a particular Manner of access/exchange/use of EHI which requires specific IT or costly customization can be required to cover such cost, which is not required to fit within the Fees Exception.
      • Licensing Exception
          • Determine who is responsible for licensing agreements for EHI.
          • Review and ensure licensing agreements for EHI comply with the Licensing Exception.
          • Develop and use a template Licensing Agreement for EHI that is compliant with the Licensing Exception.
  • Develop a process to evaluate & escalate incoming requests for EHI going forward
