FAQ on Information Blocking: Patient Access

Describes how to address questions and concerns around patients’ increased access to health information.

If a patient would like to be provided their EHI via an API to an app that the patient has authorized to receive their PHI, must a physician provide this type of access?

Yes, it would likely be considered interference when any delay occurs in providing a patient’s EHI via an API. APIs can enable systems to send or retrieve data that can update a patient’s record, as well as send information from one system to another. You and your staff should be prepared to provide information on how patients can go about accessing their information through an app of their choosing. If your EHR currently lacks the capabilities to provide access to these types of connections, you should discuss with your vendor when it is anticipated that your EHR supports API integration.

What if my patient receives their results before I am able to offer a clinical explanation? How does a physician best provide anticipatory guidance on exchanged health information?

Although an unintended consequence of the rule, it may occur that a patient receives laboratory results, for example, ahead of the opportunity for a physician to review and discuss with the patient. To mitigate this, a physician should provide anticipatory guidance to patients regarding their unique medical situation and what any exchange or report may mean for them. Physician practices may also find it helpful to designate specific persons to channel patient inquires and concerns to the appropriate person(s). Perhaps the best approach, however, is to discuss everything in the note with the patient as to minimize surprise, shock, and confusion.

What if a patient disagrees with what’s in their note; do they have the right to request changes to their medical record? What should be some of the relevant considerations?

Yes, patients do have a right to amend information in their medical record. Current federal privacy laws mandate all patient amendment requests to the medical record be completed no later than sixty (60) days after the request is received; however, there may also be applicable state and local guidelines affecting such timeframe. You should also note that your organization may require you to track these requests via processes specific to your practice. It is important to review and confirm organizational understanding of the process for fulfilling these amendment requests.

What if there is concern that a parent, friend, or another individual inappropriately has access to a patient’s portal and EHI? What if there is a known risk that a patient is being coerced into sharing their information?

Sometimes it may be appropriate for a physician to interfere with the exchange of information. Under certain circumstances, a physician may be able to claim a “Privacy Exception”2 which permits their information blocking3 in order to protect the patient’s privacy. As used throughout this FAQ, “information blocking” references the act of intentionally withholding patient information, while “Information Blocking” references the body of works that are the information blocking provisions of the 21st Century Cures Act. To minimize risk of penalty, a physician must also ensure to appropriately document the reasoned exception for not sharing the note. Exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ONC and the Office of the Inspector General (OIG).

What are best practices for documenting in cases where there is a proxy directing care?

In cases of proxy access to records, physicians may want to obtain proxy renewal on a yearly basis, rather than a continuum of the patient’s care. This is just one action a practice may take to help ensure they are ready for Information Blocking.

DISCLAIMER - The information contained on this page should not be seen as official technical or legal advice. State laws around data release may affect applicability of the ONC and CMS rules. Consult with your organization’s Health Information Management, compliance, legal, finance, and public affairs teams to find out how it applies to you.