April 5th 2021 was a major day in the history of patient data access. On that day, providers, vendors, and health information networks were required, under federal regulation, to make patient data available electronically to patients. The federal rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, means that providers must find a way agreeable to both the practice and the patient to provide data.
The information blocking rules say that if a patient requests their data in digital form, one way it can be provided is through a link between the EHR vendor's software and the patient's Apple Health app on their iPhone or iPad. If the vendor software does not have that capability, providers are required to find some other way to digitally share requested patient medical records, to be in compliance with the April 5th rule. The information blocking rule applies to all U.S. providers, even if they don't participate in Medicare or Medicaid.
As of now, there is no specific standard for data exchange required. However, in 2023 EHR providers will be required to support the standard interface known as Fast Healthcare Interoperability Resources (FHIR). This interface provides the way for all vendors and apps to exchange the required data. Providers will need to have their systems upgraded to support this interface by January 1, 2023.
While the rule requires giving patients access to their data, there are a number of exceptions to the requirement. There are 8 categories of exceptions to the requirement for releasing data. The first 5 exceptions involve not fulfilling requests to access, exchange, or use EHI. The final three exceptions involve procedures for fulfilling requests to access, exchange, or use EHI.
Preventing Harm
ONC "recognizes that the public interest in protecting patients and other persons against unreasonable risks of harm can justify practices that are likely to interfere with access, exchange, or use of EHI." If it can be determined, organizations can deny EHI requests to protect patients and other consumers from harm. It is required that the potential risk and harm that would trigger the exception must be appropriately documented. Practices will need to segment sensitive records (behavioral health, substance abuse).
Privacy
Organizations are not required to disclose EHI in a way that is prohibited under applicable laws.
Security
Organizations can claim this exception if the denial is "directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to specific security risks, and implemented in a consistent and non-discriminatory manner." Organizational privacy and security rules should be updated to reflect if and when this exception can be used.
Infeasibility
This exception refers to situations where fulfillment of EHI requests is severely limited, such as natural or man-made disasters, public health emergencies, technological limitations, or the inability to "unambiguously" segment requested EHI. Such situations must be well documented when refusing the request.
Health IT Performance
This is the situation where an organization's IT infrastructure may be undergoing maintenance or upgrades and is temporarily unavailable. EHI requests do not take precedence over health IT performance and organizations can take reasonable steps to assure the health of their IT systems. Documentation of these steps must be maintained.
Content and Manner
This exception provides clarity and flexibility to organizations concerning the scope of a request to access, exchange, or use EHI. For the next 24 months, the data requests that fall under the information blocking final rule include those identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard. This exception also supports innovation and competition by allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI. After the 24 month period, the data to be exchanged is expanded and must be exchanged using the adopted FHIR standards.
Fees
The final rule carved out an exception to permit healthcare organizations to charge fees for record requests to assist in the development of technologies and provision of services that enhance interoperability. However, fees must be based on objective and verifiable criteria and be reasonably related to the costs of access to, or exchange, or use of EHI.
Licensing
This is an exception that applies to organizations that develops the software for interoperability. It permits developers to charge "reasonable royalties" to develop, maintain, and update those innovations. According to the rule, "an actor must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license within 30 business days from receipt of the request."
ONC is the organization tasked with enforcing this rule and will respond to reported violations. They have created a portal for the reporting of violations at https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6.
Remember that these requirements are already in effect. Practices should work closely with their EHR vendors to assure that proper data access to patient data is turned on and meets the rule requirements, both now and in 2023 when FHIR standards are required.
By Stanley Nachimson, Nachimson Advisors
