Avoiding Information Blocking: Issues Related to Adolescent EHI Access

Overview of the 21st Century Cures Act

In May 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) released the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “Information Blocking Rule”). The Information Blocking Rule went into effect in April 2021 with the goals of achieving widespread interoperability among health IT systems and improving patients’ ability to access their electronic health information (“EHI”). The Information Blocking Rule applies to the following entities:

• • Health care providers (which encompasses a broad list of providers, including but not limited to physicians, pharmacies, labs, hospitals, surgery centers, and nursing facilities);
    
    
  • Health Information Networks or Health Information Exchanges; and
    
    
  • Health IT Developers or Certified Health IT.

Collectively, these entities are referred to as “Actors” in the Information Blocking Rule.

Information Blocking Examples

The Information Blocking Rule prohibits Actors from undertaking any practice likely to interfere with, prevent, or materially discourage access to, exchange of, or use of EHI. As of October 6, 2022, the definition of EHI has been expanded to mean all electronic protected health information (“ePHI”) included in a patient’s designated record set (except for psychotherapy notes and information compiled in anticipation of litigation or administrative action).

Examples of activities which constitute information blocking include:

• • A health system requires staff to obtain patient written consent before sharing patient’s EHI with unaffiliated providers.
    
    
  • A hospital customizes its electronic health record (“EHR") to include barriers to sending referrals and EHI to unaffiliated providers.
    
    
  • A practice has a policy that the physician must review a test result before making it available for patient access on the portal.
    
    
  • An EHR Vendor prevents (e.g., through high fees) a third-party clinical decision support application from writing EHI into the EHR.
    
    
  • A Health IT Vendor discourages customers from getting data integration capabilities from a third party, claiming that it will have that same functionality soon even though such functionalities are in early stages of development.

The Information Blocking Rule also creates eight information blocking exceptions in which an Actor may justify an information blocking activity if certain conditions are met.¹

HIPAA Protections for Minors that Consent to their Own Care

The Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164) allows parents to access to their child’s medical records as that child’s personal representative when such access is not inconsistent with state or other law. In each state, adolescent minors have the right to consent to some health care services, and to most sexual and reproductive care. When minors are allowed to consent to their own care, their EHI is also protected by HIPAA. In this circumstance, a parent will not be considered a child’s personal representative when the minor is the one who consents to the care and the consent of the parent is not required under state or other applicable law.

Prior to the Information Blocking Rule, providers often addressed this issue by entirely excluding medical records of minor patients from patient portals where a parent could access the information. However, this practice would likely constitute information blocking under the current rule both as to the consenting minor and the parents.

Avoiding Information Blocking While Protecting Minors’ EHI

In this situation, a provider should, if possible, segment the EHI and have the different levels of access linked for variations of EHI release. If a provider is unable to segment out the EHI for differential release, the provider may need to rely on the Infeasibility Exception. The Infeasibility Exception explains that a provider is permitted to deny a request for EHI if fulfilling the request is objectively and verifiably infeasible. The provider must give an explanation within 10 days from when the request was received stating why it is infeasible to segment out the requested data. The provider must be careful to not disclose to the parent that the child legally received medical care without parental consent.

Providers may also want to consider whether the Preventing Harm Exception might apply in this scenario. For instance, if release of the minor’s health information or explaining the basis for the infeasibility may reveal that the minor sought confidential health services, the information blocking activity may be justified on the basis that that practice is reasonable and necessary to prevent harm to the minor or another person.

When Does a Provider Have to Make EHI Available?

One of the biggest questions surrounding the Information Blocking Rule is whether a provider must proactively make all EHI available to patients or whether the provider only needs to supply this information upon request. ONC has changed its answer to this question a few times.² Initially, in January 2021, ONC issued guidance explaining that there is no requirement to proactively make all EHI available to patients or others who have not requested the EHI. In November 2021, ONC revised that guidance to explain that “proactive” is not a regulatory concept articulated within the scope of the information blocking regulations. Rather, the agency will look at whether the act or omission would constitute interference, prevention, or materially discourage the access or exchange of EHI. Then, the ONC issued guidance which stated that it would likely be considered interference where a provider delayed in providing access, exchange, or use of EHI after a patient logs into a patient portal to access their health information where that provider has such EHI, but it is not available for any period.

Enforcement of the Information Blocking Final Rule & “Disincentives” for Actors

Previously, the 21st Century Cures Act provided that, if the HHS Office of Inspector General (“OIG”) determined that a health care provider violated the Information Blocking Rule, then the provider should “be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking." Subsequently, in June 2023, HHS OIG established penalties for health IT developers of certified health IT or other entities offering certified health IT, health information exchanges, and health information networks. Under the June 2023 rule, individuals or entities who commit information blocking may be subject to civil monetary penalties of up to $1 million per violation. This rule went into effect August 2, 2023.

Approximately one year later, in June 2024, HHS OIG released another rule aimed at disincentivizing information blocking activity by healthcare providers. Specifically, this rule establishes “disincentives” for health care providers who engage in practices that a health care provider knew were unreasonable and unlikely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI), except as required by law or covered by a regulatory exception. The disincentives created by this rule apply to a broad range of healthcare providers, including hospitals, physicians, dentists, some types of therapists, and other eligible professionals who participate in Medicare and/or Medicaid programs. Importantly, the rule’s scope is not limited to HIPAA-regulated entities or providers using certified health IT. This rule went into effect July 31, 2024.

With these additional final rules, there are now true enforcement provisions associated with information blocking activity. However, neither the Information Blocking Rule nor the final rules mentioned above establish an administrative appeals process for providers. Instead, the rules defer to appeals processes available under HHS’ authority to establish disincentives—including authority for payments, recoupment, or contracting for the Medicare Shared Savings Program, the Medicare Promoting Interoperability Program, or the Merit-based Incentive Payment System (“MIPS”).

Compliance Strategies

Based on this new guidance, providers may want to consider making a patient’s entire designated record set available in the patient portal. Of course, as discussed above, to the extent there is information that cannot be segmented and there are valid reasons for not releasing that information to a minor or the minor’s parent, the provider should document the reasons why the EHI is not available. It is likely that the most significant risk of non-compliance could be where the designated record set is readily available through the patient portal, but the provider actively blocks the minor or parent from receiving that information or fails to turn on a configuration that would make the information available through the portal.

To address this potential pitfall, providers may want to consider going through the designated record set, identifying any information that is not to be made available through the portal, and documenting the reason why the information is not or cannot flow into the patient portal. Some examples of valid explanations might be:

• • The information is not available through the patient portal because of technical issues, such as the information resides outside the EHR and cannot readily be connected to the patient portal;
    
    
  • The information includes information that cannot legally be made available through the patient portal and cannot readily be segmented from that which may be made available (such as a minor's information where the parent or guardian with portal access is entitled to some of the minor's information but not information on certain care for which the minor legally may consent); or
    
    
  • A specific exception applies, such as an individualized determination that providing the patient with access to the information will endanger the life or safety of the patient or others (i.e., the Preventing Harm Exception).

MICA members with general questions regarding the Information Blocking Rule, whether an act or omission constitutes information blocking, or whether an exception applies can contact the MICA Risk Management Hotline at 800-705-0538 or rm_info@mica-insurance.com. Those seeking a legal interpretation of the Rule and advice on its application to fact-specific scenarios involving patients’ access to EHI should consider contacting a healthcare attorney to discuss compliance with the rule’s requirements and intricacies.

^{[1] When not fulfilling requests for EHI (42 C.F.R. §§ 171.200 -171.205)}

• ^{Preventing Harm Exception:}
  • ^{Practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.}
• ^{Privacy Exception}
  • ^{Practices implemented to protect the privacy of EHI, based in privacy laws tailored to specific privacy risks (e.g., HIPAA).}
• ^{Security Exception}
  • ^{Practices implemented to protect the security of EHI, as long as the measures are specifically tailored to the security risk and implemented in a consistent and non-discriminatory manner.}
• ^{Infeasibility Exception}
  • ^{Denying requests for EHI if fulfilling the request is objectively and verifiably infeasible.}
• ^{Health IT Performance}
  • ^{Making technology temporarily unavailable for maintenance or updates.}

^{When fulfilling requests for EHI (42 C.F.R. §§ 171.300-171.303)}

• ^{Content and Manner Exception}
  • ^{Limiting the content of its responses to requests for access, exchange, or use of EHI or the manner in which it fulfills such a request.}
• ^{Fees Exception}
  • ^{Charging for costs it reasonably incurs when fulfilling requests for access, exchange, or use of EHI.}
• ^{Licensing Exception}
  • ^{When fulfilling requests, an organization may claim intellectual property rights, but it must respond to requests to license interoperability elements.}

^{[2] See generally, https://www.healthit.gov/faq/do-information-blocking-regulations-45-cfr-part-171-require-actors-proactively-make-electronic.}