What DC Physicians Need to Know About Cures Act Info Blocking Rules
At its April 19 meeting, the MSDC Board held a lengthy discussion about the CURES Act's "info blocking" requirements that are coming online soon. The Board wants all DC physicians to be aware of the requirements, what is and is not included, and how to speak out if you are concerned about the new regulations.
Where is this requirement coming from?
Congress passed and President Obama signed into law the 21st Century Cures Act in 2016. The bill's aim is to increase interoperability between EHRs and improve access by patients to their medical records. In March 2019, the Office of the National Coordinator for Health Information Technology (ONC) issued a proposed rule that was finalized May 2020. The rule established the requirements on "information blocking".
What is information blocking?
Information or "info blocking" is the inability of an interested party to access a medical record. This includes a physician trying to access a patient record from another EHR or provider, or a patient trying to download their medical record or provide it to a new physician. The Cures Act rule further defines it as a business, technical, or organization practice that discourages or prevents access to electronic health information (EHI) when the actor preventing access knows or should know they should not interfere with access.
How does the rule define EHI?
The rules defines EHI as electronic protected health information in a designated record set (defined by HIPAA) regardless of whether the records are used or maintained by the "covered entity". This means your medical, billing, and other patient records are now available to patient access once they are signed by the physician.
Under the new rules, what are common ways I may be info blocking my patients?
The rules are broad and situationally based, although generally speaking an act or omission to interfere with EHI access may be considered info blocking. Some examples, per the AMA, include:
- Requiring a patient's written consent before sharing EHI
- Disabling a feature that allows sharing of EHI to other users
- Delaying sharing information in a requested format even if the EHR has the ability to do so
It is important to know that no harm needs to be done to be considered info blocking; the intent to restrict access is sufficient.
What are the exceptions to the info sharing rules?
The legislation and rule defined two categories of exceptions: not fulfilling requests to access, exchange, or use EHI; and procedures for fulfilling requests to access, exchange, or use EHI. To qualify for an exception, the action or policy must (1) be reasonable and necessary; (2) address significant risk; AND (3) be subject to strict conditions. The exceptions are below:
- Preventing harm exception - information is withheld to prevent physical harm
- Privacy exception - information is withheld under state and federal privacy laws
- Security exception - access to information is restricted due to uniform security processes targeting a specific security concern
- Infeasibility exception - it is not physically possible for a provider to give the information in the way requested.
- Health IT performance exception - information is not provided because routine maintenance of systems are being conducted
- Content and manner exception - info blocking is not applicable if the provider meets the content request and manner condition of the request. This exception lasts for 24 months after May 1, 2020.
- Fee exception - a practice may charge a reasonable fee for accommodating the EHI request
- Licensing exception - this exception applies to building interoperability elements into an EHI request.
What can I do if I have concerns or stories about these requirements?