Information Blocking Penalties Are Being Enforced. Here’s What Healthcare Providers Need to Know.
Learn about information blocking regulations, how they're defined, who the rule applies to, and steps to remain in compliance and avoid possibly millions of dollars in penalties.
What is Information Blocking?
Information blocking is a healthcare related business, organizational, or technical practice a provider knows is “unreasonable” and is likely to “interfere with access, exchange, or use of electronic health information.” Per HHS Secretary Xavier Becerra, “when health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the healthcare system to better serve patients.” Consider a provider policy that requires patient consent before sharing medical information with another provider. Delaying the release for consent could interfere with the exchange of information, negatively impact care, and be considered information blocking.
What are the Penalties for Information Blocking?
The penalties for providers who commit information blocking come in the form of “disincentives.” A disincentive results in reduced Medicare reimbursements when participating in the following CMS programs:
Providers should understand their financial exposure as disincentives could reach up to millions of dollars depending on Medicare reimbursement volumes. In addition, providers disincentivized for information blocking will be listed publicly on the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC) website.
Not all providers subject to the information blocking regulations participate in these CMS programs, and as a result, not all providers are currently subject to disincentives. However, HHS considers these disincentives only a first step and expects all impacted providers to comply even if penalties are not currently applicable.
How Does Information Blocking Relate to HIPAA?
Providers still need to comply with HIPAA’s right of access provisions which require covered entities to disclose health information upon request. Information blocking builds and expands on HIPAA to promote more information sharing. And while the two regulations are complementary, there are differences that require a paradigm shift in provider thinking.
Provider organizations should understand these differences – explained further in this article – and consider policy and procedure (P&P) updates to align workflows with information blocking expectations.
When Does Information Need to be Shared?
The information blocking rule mandates providers share data unless specific conditions called exceptions – explained more below – are met. This is a fundamental change compared to HIPAA, which states situations when it’s permissible to share data but doesn’t mandate information sharing. For example, under HIPAA, a treating doctor is permitted but not necessarily required to share information with a patient’s Primary Care Physician (PCP). But, under the information blocking rule, the treating doctor’s records must be accessible to the PCP. Stakeholders involved in the release of information at provider organizations need to be aware of this new sharing mandate and that it applies to any HIPAA permitted disclosure of health information. This includes providers, patients, personal representatives, HIPAA authorized 3rd parties, and situations where authorization to disclose is not required.
How Fast Must Information be Shared?
Under HIPAA, providers are allowed up to 30 days to respond to information requests. The information blocking rule often requires sharing information faster as providers must respond to requests “timely” and prevent delays in releasing information unless “necessary.” Although the “necessary” standard remains open to interpretation, the ASTP/ONC provides examples of practices not considered “necessary.” Delaying information availability on provider portals or policies that block the release of test results unless physician-reviewed would likely not be “necessary” and could be information blocking. Providers should share information as quickly as possible to best satisfy information blocking expectations.
Which Providers are Subject to Information Blocking?
Healthcare providers impacted by the information blocking regulations are defined by the Public Health Service Act (PHSA) and include hospitals, physicians, group practices, clinics, and a dozen plus additional provider types. More providers are subject to information blocking regulations than HIPAA’s right of access requirements which only regulate providers that are considered HIPAA covered entities. To understand if information blocking impacts your provider organization:
What Data Needs to be Shared?
HIPAA’s right of access and the information blocking rule cover almost the same information. HIPAA requires sharing the designated record set (DRS). For providers, the DRS is a patient’s electronic/paper medical records, billing records, and records “used to make decisions about individuals.” Information blocking requires sharing only the electronic – not paper – portion of the DRS, which is defined as electronic health information or EHI.
While providers are required and should prepare to share all of a patient’s EHI, fulfillment is required only with the specific information requested. Challenges for providers are 1) the EHI can be spread out across a variety of different applications and 2) the volume of each patient’s EHI may be significant even with a limited medical history. With a renewed emphasis on information sharing, an inventory of technologies where EHI is located, their data extraction capabilities, and an up-to-date written and well understood DRS policy are needed to support compliance. When documenting a DRS policy, providers should:
What Data Formats Are Acceptable?
HIPAA requires fulfilling data requests in a readable hard copy format or another format as agreed. However, the information blocking rule establishes the need to provide content in the format requested. This could be physical media, electronic access, or in new machine-readable formats introduced by the information blocking regulations. Offering images on outdated media types like CD-ROM or denying requests in a specific format could be considered information blocking. Providers should implement the most current data access and sharing capabilities offered by Health IT vendors in support of information sharing.
What are the Information Blocking Exceptions?
Providers don’t necessarily have to release information when requested, the regulations define nine information sharing exceptions in three categories.
Most exceptions only need to be met, but several require explanation as to why an information request is not being fulfilled. Providers should understand how and when to leverage exceptions in the context of their organization. Due to their likely applicability, the exceptions for privacy, preventing harm, and infeasibility will be of particular interest to providers.
Although not an exception, information does not have to be released when it violates any tribal, state, or federal law as legal requirements were intentionally excluded from the information blocking definition.
How is Information Blocking Impacting Patient Care?
Providers should be mindful that patients can get more complete and immediate access to health information than ever before. Provider notes are available and can be viewed shortly after a doctor’s visit. Patients can see test results before a provider review. This improved access to medical information may increase patient engagement with their medical records and have clinical workflow considerations. For example, providers may want to offer guidance when ordering tests letting patients know they may be able to see results on patient portals before learning about them from their provider. Then, emphasize it’s the patient’s choice to review portal results or wait for direct provider communication.
How Can Provider Organizations Prepare?
