Per ONC, Lab Results Generally Cannot be Delayed to “Prevent Harm” (unless threat to life & physical safety)

by | Oct 8, 2020 | HIPAA Privacy, Information Blocking

As the November 2nd deadline for compliance with ONC’s Information Blocking Rule nears, many health care providers – which are “Actors” subject to the Rule – are scrambling to reexamine their default settings for sharing various types of data, including lab results.

In ONC’s Final Rule preamble, several commenters indicated that providers’ current organizational policies call for practices that delay the release of laboratory results so that the patient’s clinician has an opportunity to review the results before potentially needing to respond to patient questions, or has an opportunity to communicate the results to the patient in a way that builds the clinician-patient relationship. Some commenters indicated their standard practice is to automatically time-delay release of results in general, with an automatic release at the end of a time period determined by the organizational policy in place to ensure that patients can consistently access their information within the timeframe targeted by relevant measures under the CMS Promoting Interoperability Programs. Commenters requested that ONC clarify whether such practices would be recognized under the Preventing Harm Exception under the Information Blocking Rule, or that ONC recognize such current organizational policies and practices as excepted from the definition of information blocking. Surprisingly, ONC was not convinced by commenters’ reasons for delaying lab results — and responded as follows (emphasis is mine):

“While we recognize the importance of effective clinician-patient relationships and patient communications, we are not persuaded that routinely time-delaying the availability of broad classes of EHI should be recognized as excepted from the information blocking definition under [the Preventing Harm Exception]. Consistent with § 171.201(d)(3) as finalized, the harm of which a practice must reduce a risk must, where the practice interferes with the patient’s access to their own EHI, be one that could justify denying the patient’s right of access to PHI under § 164.524(a)(3). Currently, § 164.524(a)(3)(i) requires that for a covered entity to deny an individual access to their PHI within the designated record set, the disclosure of that PHI must be reasonably likely to endanger the life or physical safety of the patient or another person. No commenter cited evidence that routinely delaying EHI availability to patients in the interest of fostering clinician-patient relationships substantially reduces danger to life or physical safety of patients or other persons that would otherwise routinely arise from patients’ choosing to access the information as soon as it is finalized.

Moreover, we are independently aware, and some comment submissions confirmed, that it is not uncommon to automatically release lab and other findings to patients electronically regardless of whether a clinician has seen the information or discussed it with the patient before the patient can choose to access it electronically. We presume these types of automatic releases would not be the case if patients accessing their information on a timeframe that is more of their own choosing routinely posed a risk to the life or physical safety of these patients or other natural persons. Thus, we believe that where applicable law does not prohibit making particular information available to a patient electronically before it has been conveyed in another way, deference should generally be afforded to patients’ right to choose whether to access their data as soon as it is available or wait for the provider to contact them to discuss their results.

Only in specific circumstances do we believe delaying patients’ access to their health information so that providers retain full control over when and how it is communicated could be both necessary and reasonable for purposes of substantially reducing a risk of harm cognizable under [the Preventing Harm Exception].  Circumstances where [the Preventing Harm Exception] would apply to such delay are those where a licensed health care professional has made an individualized determination of risk in the exercise of professional judgment consistent with § 171.201(c)(1), whether the actor implementing the practice is the licensed health care professional acting directly on their own determination or another actor implementing the delay in reliance on that determination. An actor could choose to demonstrate the reasonable belief required by § 171.201(a) through an organizational policy (§ 171.201(f)(1)) with which the practice is consistent, or based on a determination based on facts and circumstances known or reasonably believed by the actor at the time the determination was made and while the practice remains in use (§ 171.201(f)(2)), to rely on a determination consistent with § 171.201(c)(1).”

In addition, health care professionals specifically commented to ONC that clinical experience indicates a “systematic and substantial risk” that releasing some patient data through a patient portal or API without first communicating the particular results or diagnosis with the patient in a more interactive venue would pose risks of substantial harm to patients. One example such health care professionals specifically cited was genetic testing results indicating a high risk of developing a neurodegenerative disease for which there is no effective treatment or cure. Commenters recommended that ONC define the Preventing Harm Exception to allow delay of the electronic release of such genetic testing results, as a matter of organizational policy, to ensure patients and their families are not exposed to this information without appropriate counseling and context. Unfortunately, in response to these valid points ONC simply reiterated that in order to withhold such data under the Preventing Harm Exception, one would have to apply the relevant tests, complete an analysis and satisfy the conditions of the exception:

“To satisfy the conditions of [the Preventing Harm Exception], an actor would have to demonstrate that they held a reasonable belief that delaying availability of information until the information can be delivered in combination with appropriate counseling and context in an interactive venue will substantially reduce a risk of harm cognizable under this exception. An actor could accomplish such demonstration through showing the practice is consistent with either an organizational policy meeting § 171.201(f)(1) or a determination based on facts and circumstances known or reasonably believed by the actor at the time the determination was made and while the practice remains in use meeting § 171.201(f)(2). However, for a practice likely to, or that does in fact, interfere with the patient’s access to their own EHI (§ 171.201(d)(3)), the actor implementing these practices must demonstrate a reasonable belief that the practice will substantially reduce a risk of harm to the life or physical safety of the patient. The clinician who orders testing of the sort referenced in the comment would, we presume, do so in the context of a clinician-patient relationship. In the context of that relationship, a licensed health care professional should be well positioned to make determinations consistent with § 171.201(c)(1) as to specifically when their patients, or other particular natural persons, would face a risk of harm cognizable under § 171.201(d)(3)—or § 171.201(d)(1) or (2) if or as may be applicable—if the access, exchange, or use of a particular testing result or diagnosis were to be released electronically before it could be explained and contextualized by an appropriately skilled professional, such as a clinician or a health educator, in real time.”

Therefore, ONC has made it clear that the Preventing Harm Exception cannot be “loosely” applied in order to hold back lab results or other electronic health information from patients. In sum, unless the law of a provider’s particular state prohibits the release of lab results for a specified period of time or regulates the manner in which such results are shared with patients, providers are expected to not delay the immediate sharing of available test results with a patient. A health care provider has only two choices under the Preventing Harm Exception to delay furnishing test results to the patient — either (1) the patient’s doctor must make a patient-specific determination that releasing such results to the patient will cause “harm to the life or physical safety” of the patient or another person or (2) the patient has expressed a personal preference that his/her results may be delayed until the patient’s doctor has reviewed the results and/or discusses such results with the patient in person. Of these two options, health care providers might want to consider introducing a new process to their workflow that includes capturing the patient’s preference with regard to receiving their test result — i.e., Choice One: Delay Result Until Provider Reviews or Choice Two: Release Immediately. A provider should then choose the appropriate setting in their EMR that reflects the selection made by the patient, which in turn can be used to automate a “release” vs “hold back” data flow as lab or other test results are received in the EMR.

Applying the Preventing Harm Exception is, in my opinion, the most complex of all the Information Blocking Exceptions. We have dissected this exception and reduced it to an easy-to-understand policy that offers health care providers a framework within which to complete an analysis when considering whether to delay or hold back particular electronic health information.

To get access to our sample Preventing Harm Policy and all of our other Information Blocking policies and tools, subscribe HERE to Legal HIE’s Compliance Library, which provides sample policies, documents & tools for compliance with the Info Blocking Rule.
