Describes the various exceptions to claim and document if deciding not to share information.
What exceptions may a physician claim when responding to requests to exchange EHI? How does the applicability of each exception look in practice?
As used throughout this FAQ, “Information Blocking” references the body of works that are the information blocking provisions of the 21st Century Cures Act, while “information blocking” is the act of intentionally withholding patient information. The end goal of the Information Blocking Regulations are to improve access to and sharing of the entire record. For this reason, information blocking exceptions should be a reserve rather than a default. Physicians should view each data exchange request or encounter as a “share unless” situation, rather than a “permitted sharing” situation. The “unless” should be captured by the exceptions detailed below, with an understanding that the applicability of each exception is additionally dependent upon several other certain conditions being met .Given the unique nature of every encounter, exceptions may take different forms at different times, and you should consult the Final Rule for more information. It is also important to note that exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ONC and the Office of the Inspector General (OIG). The below should not be seen to represent an exhaustive list, and additional examples of real-world scenarios are under development.
Category 1: exceptions that involve not fulfilling requests to access, exchange, or use (AEU).
- Preventing Harm Exception – practices that are reasonable and necessary to prevent harm to a patient or another person. This exception may be applicable:
- To avoid the risk that corrupt or inaccurate data will be incorporated in the patient’s EHR; and
- Upon the determination by a licensed health professional that disclosure is likely to endanger life or physical safety of the patient or others.
- Security Exception – interfering with AEU in order to protect the security of EHI. This exception may be applicable:
- If necessary to (1) safeguard the confidentiality, integrity, and availability of EHI consistent with the physicians organizational security policies, or (2) a specific determination that there are no reasonable, less obstructive alternatives to secure the EHI than to prevent its exchange.
- Health IT Performance Exception – taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT.
- Privacy Exception – failing to fulfill a request to AEU in order to protect an individual’s privacy. This exception may be applicable:
- Where state or federal privacy laws impose preconditions to access that have not been satisfied;
- HIPAA allows the physician or other clinician to deny access to the individual; or
- The patient has requested that its information not be shared.
- Infeasibility Exception – not fulfilling a request due to the infeasibility of the request. This exception may be applicable:
- If extraordinary circumstances beyond its control prevent the physician from fulfilling the request;
- The physician cannot segregate the requested EHI from other information that is not subject to access;
- If EHI must be manually retrieved and moved from one system to another system, resulting in delay (so long as the delay is no longer than necessary); or
- The physician demonstrates that responding to the request is not feasible due to the type of information, cost, available resources, control of the relevant platform, etc.
Category 2: exceptions that involve procedures for fulfilling requests to access, exchange, or use.
- Content and Manner Exception – limiting the content of a response or the manner in which the request is fulfilled. This exception may be applicable:
- Where the physician is technically unable to fulfill the request; or
- The physician cannot reach agreeable terms with the requestor to fulfill the terms.
- Fees Exception – charging fees, including fees that result in a reasonable profit margin, for AEU of EHI, provided those fees are based on the physician’s costs and applied in a non-discriminatory manner.
- Licensing Exception – licensing interoperability elements for EHI to be AEU.
In claiming exceptions to the exchange of EHI, who has the burden of proving the exception was appropriately claimed?
Actors, inclusive of physicians, have the burden of proving that practices restricting the free flow of electronic health information fit within one of the eight aforementioned exceptions to information blocking.
Are there any examples of actions or activities that could constitute information blocking? What are some of the warning signs I should look for in my practice?
Yes. Like the exceptions, practices that are indeed information blocking may take different forms. However, there are many ways to guard against this and a few things to take notice of when reviewing your processes and procedures. These include refraining from practices that restrict authorized AEU under applicable state or federal law, such as failing to transition between certified health IT versions, as well as implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of AEU. Practices that, for example, fail to export complete information sets or impede innovations and advancements in health information AEU, including care delivery enabled by health IT, may be found to be information blocking.
DISCLAIMER - The information contained on this page should not be seen as official technical or legal advice. State laws around data release may affect applicability of the ONC and CMS rules. Consult with your organization’s Health Information Management, compliance, legal, finance, and public affairs teams to find out how it applies to you.