How and when you grant access to your patient medical records is about to change. Effective April 5th, 2021, new federal guidelines require you to more readily grant access to your patients’ health information, or else. Information blocking exceptions.

The regulation driving this change is the new 21st Century CURES Act (also referred to as information blocking). The Office of the National Coordinator for Health Information Technology (ONC) is responsible for implementing the Rule (the same Agency responsible for HIPAA). Information blocking exceptions.

In summary, the Congress defines information blocking as anything that prevents or discourages the access, exchange or use of electronic health information (EHI).

Despite this new Rule’s requirements, there are still legitimate reasons NOT to disclose patient EHI. As a recognition of this, the ONC created 8 exceptions to when you are required to disclose patient information. Information blocking exceptions.

The Eight Information Blocking Exceptions

These exceptions were created to help protect your practice from violating the Rule when you have a legitimate reason for not sharing patient data. However, justifying an exception requires substantial documentation to protect your office against violations and penalties.

Note: If an action you’ve taken doesn’t meet the conditions of an exception, it won’t automatically be considered information blocking. These cases will be considered individually by the ONC.

Here is a look at the 8 exceptions (and their related categories) and how you should use them.

CATEGORY: Failure to Provide Access, Exchange Information or Use EHI:

1. Preventing Harm: Certain situations may arise in which withholding information could prevent physical harm to a patient or another person. This applies when you believe that disclosure of EHI would endanger the physical safety or life of an individual.
2. Privacy: You are not required to grant access to EHI the “necessary conditions” outlined in your State and Federal laws are present. Also, you must be sure that your reasoning complies with “unreviewable grounds” HIPAA Privacy Rules. Additional situations include inmate requests, research results/data, and information from non-healthcare providers based on a promise of confidentiality.
3. Security: You must demonstrate that in withholding patient data, you are concerned only with “safeguarding the confidentiality, integrity and availability of EHI.” This exception specifies that you must have effective organization security policies and process in place that cover a variety of specific situations.
4. Infeasibility: This exception outlines specific instances where the fulfillment of a request can be limited. These include public health emergencies, internet outages and natural or man-made disasters. Technology limitations are also included here. When making your decision of infeasibility, there are several points to consider: Type and purpose for the information, your cost, your available resources, non-discriminatory (everyone gets treated the same), your access to the information.

NOTE: Under this exception, after you deny access, you have a 10-day deadline to communication your reasons for making this decision back to the requestor.

5. Health IT Performance: Recognizes that data must be maintained and allows for EHI to be temporarily unavailable due to this maintenance. Likewise, if your data technology needs to be upgraded, its performance can be temporarily suspended while this work is completed.

CATEGORY: Procedures to Comply with the Rule to Ensure Access, Exchange or the Use of EHI:

6. Content and Manner: The “Content” portion of this exception defines the information included in this rule through the United States Core Data for Interoperability (USCDI). However, you are not required to comply with this portion of the rule until May 2, 2022. The “Manner” component allows you to fulfill a request in an alternative manner if you cannot (due to technological restraints) fulfill the request in the manner requested; or if you are unable to reach agreeable terms with the requestor.
7. Fees: Allows you to charge fees related to providing access to EHI. These fees must be in alignment with what it costs to provide the information. This exception DOES NOT permit any practices that exclude requestors from obtaining data and must comply with the HIPAA Privacy Rule and your State requirements.

Note:  To help you determine what you can and can’t charge for patient information access while complying with necessary regulations, check out the immediately available online training, Stop $85,000 Penalty: Comply with New Medical Records Fees Rule, by Jennifer Searfoss, Esq.

8. Licensing: Seeks to protect “the value of your innovations.” Here, you’re allowed to charge royalties to gain some return on the investments you made to develop, maintain and update your technology. This exception is likely to be used more by healthcare technology developers than individual practices.

What Actions Should You Take for an Exception?

Remember, state and federal laws supersede the Final Rule. Your scenario may not qualify as an exception to Information Blocking under the ONC Final Rule if your state has strict laws against releasing information (particularly sensitive data) it doesn’t have to. Simply follow the state rule.

If you feel you have a scenario that does falls under one of these eight exceptions, you’ll need to:

• Develop workflow processes as a check to see if an exception applies
• Identify which of the eight exceptions your situation applies to
• Document the appropriate exception category

To avoid violations and fines, you must satisfy at least one exception and meet all applicable conditions. The Final Rule states the penalty for providers is “appropriate disincentives.”

Knowing how to handle exceptions is only one small aspect of ensuring your compliance with the CURES Act rules. You’ll need to make substantial changes to your practice’s information systems, procedures and clinical workflows. Fortunately, help is available to guide you through.

On Tuesday, March 30^th at 1 PM ET, nationally recognized healthcare attorney, Ryan Johnson, JD, is leading a live, 60-minute online training session that give you a roadmap of how to comply with the new Cures Act. When you attend, you’ll receive easy-to-implement, step-by-step strategies that will make it easier for you to comply by the April 5th deadline. Don’t wait. Register now!

You can read more about Information Blocking Exceptions in the ONC’s official CURES ACT FINAL RULE document on their website.

	Subscribe to Healthcare Practice Advisor
	Get actionable advice to help improve your practice’s reimbursement, compliance, and success in this weekly eNewsletter.
	Email* Hidden List Source Hidden List Name Hidden landing_site Hidden Yes! I would like to receive free weekly issues of Healthcare Practice Advisor. Hidden LeadGenSKU