Podcast: Discussing Information Blocking with Eddie Williams

Mia McKown: Hi, this is Mia McKown with Holland & Knight. We're here today for another episode of Florida Capital Conversations. And with me today is Eddie Williams and Shannon Hartsfield, two of my partners. And we're going to talk today about what we need to know about patient access and information blocking. I have to say, this was something that until a couple of years ago I had never really even thought about. And it's very, very interesting and what it means and the implications and the healthcare arena. And it's constantly developing. And Eddie, I think there are some things that we still don't know yet as it develops. So can you tell us a little bit, what is information blocking and what are some of the rules and regulations that apply, that some of our listeners need to know about?

Information Blocking Overview

Eddie Williams: Thanks, Mia. Yes, the information blocking provisions came about as a result of the 2020 Cures Act, and during the time when the world was shut down, you know, these new statutes and rules came into play primarily in order to facilitate the free flowing of health information and allow patients to have the right to have immediate access to their information. And the rules came into effect in 2021. And primarily they are administered by the Office of the National Coordinator for Health Information Technology, which for short we call it all ONC. And basically information blocking is defined as any practice that is likely to interfere or prevent or materially discourage the exchange, access or use of electronic health information. Again, we're only talking about electronic health information on an information blocking rule. So paper records would not be subject to this prohibition. And the actors under the information blocking rule who are subject to that, generally, you have your healthcare providers, which could be physicians, healthcare facilities, from hospitals, healthcare clinics, nursing homes, assisted living facilities and other type of healthcare providers and facilities. They're subject to the rule as well as health information exchanges or health information networks. And then the other party are health IT developers of certified health IT technology.

These new statutes and rules came into play primarily in order to facilitate the free flowing of health information and allow patients to have the right to have immediate access to their information.

Who Is Being Blocked from Accessing Information?

Mia McKown: Is this about keeping information from the patient themselves or keeping it from people that the patient wants the information to go to? Who's being blocked?

Eddie Williams: Well, it could be patients, or as you indicated, it could be someone or even a technology like an app who the patient is authorizing to receive access to that information. Or it could be another provider requesting access to a patient's information who has the legal right or who has been authorized to receive that information. So it's not just patients making a request. It could be other parties on behalf of the patient, making a request for access or use or exchange of their information. So that is the type of situation that you deal with under the information blocking rule. Again, primarily if you look at it from a broad scheme, designed to allow for the free flowing of information and not prevent the blocking, or allowing actors to institute policies or practices that will inhibit the free flowing or exchange or use of that information. And again, it deals with electronic health information. And here we're talking about electronic protected health information as defined in HIPAA that would be included within a designated records set, again, as defined under HIPAA, even if that information is not being maintained or used by a covered entity. So again, electronic protected health information is primarily what we're dealing with. And prior to October 6 of 2022, it was a limited set of information that we were only concerned with under the information blocking rule. However, now it applies again to the full designated records set. So, a patient can come at you: I want all of my records. So a provider, under the information blocking rule, would have to comply and provide them with a full set of the records. For a healthcare provider, there must be a specific intent to block or engage in a practice to prohibit access to the information. And again, you know, mere negligence cannot constitute information blocking.

And here we're talking about electronic protected health information as defined in HIPAA that would be included within a designated records set, again, as defined under HIPAA, even if that information is not being maintained or used by a covered entity.

Disclosure Timeline Regulations

Mia McKown: Is there a hard and fast rule with how quickly you are to provide the information, to give some guidance because you're talking about negligence. And as a litigator, I hear that word and it immediately pricks up my ears. So is there a hard, fast rule on what the timing is for disclosure?

Eddie Williams: Yeah, under the information blocking rule, there is no specific, hard, fast rule that says you have to disclose the records by X days. We have that under HIPAA, which it's 30 days now, but those rules, we're waiting on new rules to be administered or issued. And we're expecting that timeframe to come down. And so we're also expecting HIPAA and the information blocking rule to sort of be married together or harmonize in order for us to have some additional guidance on when a provider has to disclose information and not be in violation of either HIPAA or the information blocking rule. But under the information blocking rule, there is no hard, fast rule that says you have to provide that access. Basically, ONC has come out and says any unreasonable delay after a request could be considered information blocking. But again, for a healthcare provider, there has to be intent to engage in a particular practice or institute a policy that is unreasonable. And a healthcare provider likely understands and knows that practice or policy is going to interfere with exchange use or access to the electronic health information.

And so we're also expecting HIPAA and the information blocking rule to sort of be married together or harmonize in order for us to have some additional guidance on when a provider has to disclose information and not be in violation of either HIPAA or the information blocking rule.

Role of Patient Portals and Access to Records

Shannon Hartsfield: So, Eddie, this is Shannon Hartsfield. If you have a doctor that has a policy of not disclosing lab results, say, to a patient, even though the doctor has them electronically, could make them available on a portal that the doctor already has, they say, no, I want the patient to come in and discuss these records with me first. That sounds like a problem.

Eddie Williams: Yes. The ONC has basically said that is a practice that is likely to be considered information blocking. If they have the records, the lab results, they're in an electronic format, the lab results have become final, then the expectation under the information blocking rule is for the physician to provide access to the patient for those records. If the provider has a portal, patient portal, and the patient goes to that portal and accesses it to review those lab results and they are not there, the ONC has come out and said that accessing or logging on to that portal is considered a request and therefore any unreasonable delay after that request of delaying and disclosing that information or providing those results is likely to be considered information blocking unless that particular practice comes within one of the permissible exceptions, or you're complying with federal or state law in not disclosing those laboratory results electronically. There are some states which have some laws which prohibits healthcare providers and laboratories from disclosing certain laboratory diagnostic test results electronically until the practitioner reviews that information and discusses it with the patient. Florida's not one of those states that have such laws like that. So if you're in Florida, healthcare providers would need to basically, in parallel to receiving those records, make sure that they are loading them up into the portal and providing access to the patients.

If the provider has a portal, patient portal, and the patient goes to that portal and accesses it to review those lab results and they are not there, the ONC has come out and said that accessing or logging on to that portal is considered a request and therefore any unreasonable delay after that request of delaying and disclosing that information or providing those results is likely to be considered information blocking unless that particular practice comes within one of the permissible exceptions.

Mia McKown: What if I don't want the records through the portal? I mean, does that, is that implicated at all by blocking? I hate the portal.

Eddie Williams: Well, that would not be considered information blocking if a healthcare provider is complying with a request from the patient. But it would be, it would be good advice for the practitioner to document those requests. And you may also, when you're dealing with certain sensitive information or sensitive to lab results — say, for instance, oncology test results and things of that nature — you may want to consider having a discussion with the patient beforehand, before you send them out for the test results, whether they would like for you to review that information with them prior to them receiving the test results and get their consent and agreement for that. It has to be voluntary. It can't be a policy that you put in place, so it has to be voluntary and a patient agrees to, yes, I would rather for you to get the information and to bring me back in for a follow-up appointment and disclose that information to me face to face versus me logging on to the portal and seeing these results, and that way, it may cause some traumatic harm to the patient. Another one of the areas which ONC has acknowledged that it may, it is likely considered information blocking, is where an actor basically delays instituting some type of technology that allows a patient to access their information, again, through a portal, for instance. If you have an electronic medical record system and you have the ability to turn it on to allow patients to have access to their records, but you elect to not do that, then that could be considered information blocking on behalf of that healthcare provider, again, unless they fall into one of the permissible exceptions under the rule. Some of the elements, again, what we're talking about for information blocking, basically, again, you have a practice that's likely to interfere or prevent or materially discourage access, exchange or use of electronic health information. The actor who's implementing this particular policy, if they are covered by the rule, the practice involves, again, electronic health information. We're not talking about paper records. The actor again possesses the requisite knowledge for again, for a healthcare provider. There must be specific intent that they know that this practice will likely interfere with the access exchange or use of information. The practice, again, is not required by law, and the withholding of that electronic health information doesn't fall within one of the permissible exceptions.

If you have an electronic medical record system and you have the ability to turn it on to allow patients to have access to their records, but you elect to not do that, then that could be considered information blocking on behalf of that healthcare provider, again, unless they fall into one of the permissible exceptions under the rule.

Permissible Exceptions

Mia McKown: You've talked a lot about the permissible exceptions. What are those?

Eddie Williams: Well, you have eight exceptions under the information blocking rule. They are the preventing harm exception, the privacy exception, the security exception, infeasibility exception, the health information technology performance exception, a licensing exception and fees exception. And also content and manner in which under the new modification, which are still pending, it's primarily just going to be the manner exception, because now with the EHI constituting the entire designated record set, the content part of that exception has really been done away with, but those are the permissible exceptions under the information blocking rule, primarily for healthcare providers. The main ones that they will be likely concerned with are the preventing harm exemption, as well as the privacy exception and the infeasibility exception, and also the manner exception, which basically, again, deals with, you know, you're not able to provide the requested data in the manner in which the patient is requesting it be provided to them. Let's talk a little bit about the preventing harm exception. It would not be considered information blocking for an actor to engage in a practice that's reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. The first, you have to hold a reasonable belief that the practice is going to substantially reduce the risk of harm to the patient or another natural person that would otherwise arise from the access exchange or use of that information. The practice must also be no broader than necessary to reduce that specific risk that you're concerned about. And also the risk of harm must be determined on an individualized basis based on expertise and professional judgment of the licensed healthcare provider who has a current clinician patient relationship with the individual.

You have eight exceptions under the information blocking rule. They are the preventing harm exception, the privacy exception, the security exception, infeasibility exception, the health information technology performance exception, a licensing exception and fees exception.

Importance of Documentation

Mia McKown: Shannon, when we're talking about these exceptions, I mean, they're pretty broad-based, pretty reasonable. When you counsel clients on these things, is the best way to try to make sure you might fit into preventing the harm exception, Shannon and Eddie, is having a good policy and procedure in place. I mean, what I mean, these are all very general preventing harm and things of that nature. What's the best way for, say, a physicians practice group to make sure that their policies can meet this exception?

Shannon Hartsfield: Documentation is going to be critical, and something to remember with preventing harm is that they look to the HIPAA provisions about harm, and it actually requires an individualized determination of bodily harm. And so that's probably a very high standard. But I do think that if you've got policies and procedures in place and they track the regulations and you train people on them and you're following them, then you're definitely going to be reducing your risks.

Documentation is going to be critical, and something to remember with preventing harm is that they look to the HIPAA provisions about harm, and it actually requires an individualized determination of bodily harm.

Mia McKown: Yeah, sorry, Eddie. I just immediately with the, you know I come at this, we all are coming at it from different perspectives, and I immediately start thinking, litigation. And so what can we do to mitigate for our clients to make sure that if they need this exception, that they're doing what they can to prove that they meet the requirements.

Eddie Williams: Right. And as you indicated, they do have to have these documented in a policy. These particular actions that they're going to take, it should be documented in a policy when they're trying to comply with these exceptions. And they should also document any type of refusal to disclose information when they're relying on that particular exception. You must, you have to document that. And under the preventing harm exemption, you have to give the patient or the representative who's requested an information, an opportunity to have that individualized determination reviewed by a party that was not involved in their original determination to block providing access or exchange or use of that information. The other exception that we're going to talk about is the infeasibility exception. And under the information blocking rule, it would not be considered information blocking not to fulfill a request due to the infeasibility of the request. Provided, again, certain conditions are met. Here under the infeasibility exception, we're talking about certain things like uncontrollable events. For instance, act of God, you have natural or human-made disasters. You may have a public health emergency, or you could even have telecommunication issues whereby you have slow internet service or there was disruption in service preventing you from providing that access or exchange of that information.

These particular actions that they're going to take, it should be documented in a policy when they're trying to comply with these exceptions. And they should also document any type of refusal to disclose information when they're relying on that particular exception. You must, you have to document that.

Mia McKown: Eddie, I've seen on the news where, and I think we all have, where hackers come in and they've taken control of people's internet and their records, would that be something that would be considered a manmade act of God type thing that would warrant infeasibility?

Eddie Williams: It could be. It could be. Those situations where you cannot provide the access that particular time based upon those certain events. Say, for instance, like you say, a hacking incident where they've taken your EMR system hostage and you cannot provide access or disclosure that could qualify.

Mia McKown: I mean it sounds insane, but it's happened.

Eddie Williams: Yes, that has happened. And for instance, hospital systems have been shut down for weeks, months, basically, because they can't provide access to the records or even operate their own systems internally to say if you want to provide surgeries and things of that nature and physicians can't get access to the records and data to provide those services.

Closing Thoughts

Shannon Hartsfield: So, Eddie, this has been very interesting, and this is obviously a very important topic for healthcare clients. Do you have any final words of wisdom as we wrap up this segment?

Eddie Williams: I would just advise clients that they, under the information blocking rule, they should be aware that these rules are designed primarily to allow the free flow of patient information. And when patients access portals and things of that nature or make requests for the information, that they should do their best to provide patients their information in a timely manner. You know, there's still pending rules, and we're waiting on new HIPAA amended rules to come forth that may harmonize a lot of these issues and provide greater guidance for practitioners during this particular time, even though it may be difficult and a lot of the requirements may not align with their current practices. They just must be aware that these rules are real and they're here. And the way we're going in the industry today is to provide that open access to the records at the patient request. Again, you still have to comply with all the privacy and confidentiality requirements — HIPAA, as well as state law. But again, when it comes to access, you're going to have to grant those patients their ability to exercise their right to access their records.

I would just advise clients that they, under the information blocking rule, they should be aware that these rules are designed primarily to allow the free flow of patient information. And when patients access portals and things of that nature or make requests for the information, that they should do their best to provide patients their information in a timely manner.

Mia McKown: It's an interesting topic, things that frankly in my career I didn't even think about five, six years ago. Technology is faster and faster, which is good in a lot of ways, but I think a lot of the rules and regulations are catching up with it. So it'll be interesting to see once the rules come out, we'll see. You know, a lot of what we're talking about, it seems like, Eddie, now we're kind of predicting that certain things that we think they're going to do in the direction, and hopefully once the rules come back out and you guys take a look at it, we can jump back on and give an update as to what was finalized and where we go from there. But thank you again for this information on, as Shannon mentioned, a very interesting topic that continues to develop. We appreciate you joining Holland & Knight for our Capital Conversations, and we hope you'll join us in future episodes. Thank you again from Mia McKown, Eddie Williams and Shannon Hartsfield.