- Actors who meet the Privacy Exception will not be considered to have engaged in prohibited Information Blocking.
- The Precondition Not Satisfied sub-exception permits blocking of information if State or Federal Law preconditions (e.g., consent) have not been met.
- Actors will need to incorporate state-specific preconditions directly into their written policies and procedures if they want to routinely rely on the Precondition Not Satisfied sub-exception of the Privacy Exception.
Subscribe HERE to Legal HIE’s Compliance Library to gain access to sample policies, documents & tools for compliance with the Info Blocking Rule.
Section 4004 of the 21st Century Cures Act defines practices that constitute prohibited “Information Blocking” and authorizes HHS to identify reasonable and necessary activities which would nevertheless be allowed as exceptions to the general rule. In its Cures Act Final Rule, ONC defined eight (8) exceptions. If an Actor (i.e., health care provider, health IT developer, health information exchange or network (HIE/HIN)) meets the conditions of one or more of these exceptions, it can be assured that its practice with respect to the access, exchange, or use of electronic health information (EHI) will not be found to be prohibited information blocking. However, deciding whether “to block, or not to block” health information based on an exception laid out in ONC’s Final Rule can quickly turn into a Shakespearean tragedy unless Actors understand in advance the specific criteria that must be met for the applicable exception.
ONC has divided its 8 Exceptions into two categories:
Exceptions that involve not fulfilling requests to access, exchange, or use EHI, which are:
- Preventing Harm Exception
- Privacy Exception
- Security Exception
- Infeasibility Exception
- Health IT Performance Exception
Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI, which are:
- Content and Manner Exception
- Fees Exception
- Licensing Exception
For each Exception, there are key conditions that must be met for an Actor to be certain that its practice would not be found to violate the Information Blocking prohibition. Take the Privacy Exception as an example — an Actor’s “privacy-protective” practice must meet at least one of the four sub-exceptions set forth in 45 CFR 171.202(b)-(e):
- Precondition (required under State or Federal Law) Not Satisfied;
- Health IT developer of certified health IT not covered by HIPAA;
- Denial of an Individual’s Request for Their EHI Consistent With the HIPAA Privacy Rule (i.e., 45 CFR 164.524(a)(1) and (2));
- Respecting an Individual’s Request Not to Share Information.
An Actor then must meet all of the criteria of at least one of the sub-exceptions in order for the Privacy Exception to apply. For example, under the Precondition Not Satisfied sub-exception (§171.202(b)), ALL of the following requirements must be met:
1. The Actor’s practice is tailored to the applicable precondition not satisfied, is implemented in a consistent and non-discriminatory manner, and either:
(i) Conforms to the actor’s organizational policies and procedures that:
(A) Are in writing;
(B) Specify the criteria to be used by the actor to determine when the precondition would be satisfied and, as applicable, the steps that the actor will take to satisfy the precondition; and
(C) Are implemented by the actor, including by providing training on the policies and procedures;
OR
(ii) Are documented by the Actor, on a case-by-case basis, identifying the criteria used by the actor to determine when the precondition would be satisfied, any criteria that were not met, and the reason why the criteria were not met.
2. If the precondition relies on the provision of a consent or authorization from an individual and the Actor has received a version of such a consent or authorization that does not satisfy all elements of the precondition required under applicable law, the Actor must:
(i) Use reasonable efforts within its control to provide the individual with a consent or authorization form that satisfies all required elements of the precondition or provide other reasonable assistance to the individual to satisfy all required elements of the precondition; and
(ii) Not improperly encourage or induce the individual to withhold the consent or authorization.
3. For purposes of determining whether the Actor’s privacy policies and procedures and actions satisfy the requirements of paragraphs (b)(1)(i) and (b)(2) above when the Actor’s operations are subject to multiple laws which have inconsistent preconditions, they shall be deemed to satisfy the requirements of the paragraphs if the Actor has adopted uniform privacy policies and procedures to address the more restrictive preconditions.
The last requirement highlights one of the challenges Actors that conduct business in multiple states will face where state-specific preconditions (i.e., obtaining consent) vary from state-to-state. ONC invited comments on this particular issue, and in the Preamble to its Final Rule it responded as follows:
“We appreciate the various comments and recognize that it is difficult for organizations operating across State lines to have different workflows for each State while assuring privacy, particularly the individual’s right under the HIPAA Rules to obtain their PHI. Additionally, it is important that any uniform policies and procedures must in fact be implemented across an Actor’s entire organization and not be applied selectively in ways which might be contrary to the information blocking provision. Balancing these goals, this final rule provides that, except for an individual’s access to their EHI as discussed below, Actors may meet this sub-exception if they operate across multiple states and elect to adopt and implement uniform policies and procedures required by one State that are more restrictive (i.e., provide greater privacy protections) than would otherwise be required by another specific State or Federal law. To be considered more restrictive in this context, a law might require more or different preconditions to the access, exchange, or use of EHI than Federal law or the law of another State in which the actor operates. Alternatively, an actor could comply with the preconditions of each State in which it operates on a State-by-State basis with respect to the EHI requested. These alternatives provide multi-state actors with significant flexibility without adversely impacting an individual’s right to obtain EHI as described below. An actor that operates in multiple states could either comply with the laws of each State in which it operates or comply with the most restrictive State laws in which it operates and where applicable, comply with Federal law requirements. 
The Actor will need to document either approach in its policies and procedures in which the Actor has adopted and implemented in order to meet the conditions of §171.202(b)(1)(i) because the uniform approach will not be available to Actors that operate on a case by case basis without policies and procedures as contemplated by subsection §171.202(b)(1)(ii). Those Actors without uniform policies and procedures will need to comply with each of the applicable State and Federal laws . . . We note that an Actor may not inappropriately seek to use State or Federal laws as a shield against disclosing EHI. For example, we would expect that Actors implement State-mandated preconditions consistently and in a non-discriminatory manner when fulfilling requests to access, exchange, or use EHI. Additionally, we caution Actors who repeatedly change their privacy policies depending on the EHI requestor or the request that such actions may be considered intended to materially interfere with, prevent, or discourage the access, exchange, or use of EHI.” 85 Fed Reg 25642, 25848 (May 1, 2020).
While Actors who conduct business in more than one state might have the heaviest “lift” with getting their ducks in a row, all Actors will need to get their organizational policies and procedures (P&Ps) governing information-sharing aligned with the Precondition Not Satisfied sub-exception. Generic or “high level” HIPAA P&Ps governing an organization’s uses and disclosures of PHI/EHI will not cut it if an Actor wants to rely on its written P&Ps as a basis for denying a requested access, exchange, or use of PHI/EHI because the sub-exception requires specific applicable State law (or other federal law) criteria to be set out in writing in such P&Ps and included in training of employees. Therefore, an organization will need to satisfy such steps in order to routinely be able to rely on such exception as an allowed reason for blocking requested information. Otherwise, the Actor will have to resort to making determinations on a case-by-case basis with each request, and document its rationale for the determination.
The foregoing offers just a glimpse of the challenges that lie ahead for Actor-organizations as they gear up for compliance with the new Information Blocking Rule. Although the compliance deadline for these provisions is November 2, 2020 with regard to EHI that is USCDI (United States Core Data for Interoperability), Actor-organizations will need to invest significant time and resources to get their policies and processes updated to reflect these new standards.