
Information Blocking vs. Right of Access Violation. Do You Know the Difference? Part 1

michimcclurejd

Updated: Mar 29, 2023

Right of Access Initiative


Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524


This initiative helps to empower individuals to take control of their own health information, allowing them to better manage their healthcare and make informed decisions about their health. By ensuring that individuals have access to their own health information, this initiative also helps to improve the quality and continuity of care, while also protecting the privacy and security of that information.


The right of access is a requirement under HIPAA that individuals have the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. This includes electronic protected health information (ePHI).


ePHI is defined in HIPAA regulation as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. The right of access also includes the right to request that their PHI be transmitted to another entity, such as another healthcare provider or a personal health record (PHR). Covered entities must provide individuals with timely access to their PHI and may only deny access under certain limited circumstances.


Information Blocking


The exact regulatory definition of Information Blocking can be found in the Code of Federal Regulations at 45 CFR 171.103.


Information blocking is a practice in which a healthcare provider, health plan, or other covered entity intentionally interferes with the access, exchange, or use of electronic health information. The information blocking rule, which was established under the 21st Century Cures Act, requires covered entities to make EHI available for access and exchange in a way that is secure, timely, and appropriate to the circumstances.


The ultimate goal of the Information Blocking Act is to promote greater collaboration and coordination among healthcare providers and other stakeholders, which can lead to improved quality of care, better patient outcomes, and more efficient use of healthcare resources. By breaking down barriers to the exchange of health information, this legislation aims to facilitate the development and implementation of innovative healthcare solutions that can improve the overall health of the population.


On October 6, 2022, the definition of electronic health information (EHI) expanded to include all of the digital components of an organization’s designated record set (DRS). Prior to this date the definition of EHI was limited to the data elements represented in the United States Core Data for Interoperability (USCDI) v1.


Covered entities may not use information blocking practices to prevent or interfere with access, exchange, or use of EHI, except in certain limited circumstances.

Confused?


While both the right of access and information blocking are designed to promote the access and exchange of health information, the right of access focuses on individuals' access to their own PHI, while information blocking focuses on the sharing of EHI between covered entities.


Additionally, the right of access is a long-standing requirement under HIPAA, while information blocking is a more recent requirement under the 21st Century Cures Act.

It is important to differentiate between Right of Access and Information Blocking to ensure your organization is compliant with both rules as well as any applicable State privacy regulations. The charts below are provided as a comparison of similarities and differences between the two.

Comparison by aspect: Right of Access and Information Blocking

What it is:

Right of Access: The HIPAA requirement to provide individuals with access to their own PHI contained in one or more designated record sets maintained by a covered entity.

Information Blocking: A provision in the 21st Century Cures Act intended to minimize the interference of the ability of authorized persons to access, exchange, or use Electronic Health Information.

Enforcement date:

Right of Access: The HIPAA Privacy Rule was first enforced in the United States on April 14, 2003. The Office for Civil Rights (OCR) began an enforcement initiative in 2019.

Information Blocking: First enforced in the United States on April 5, 2021.

Goal:

Right of Access: To give individuals greater control over their own health information. This initiative:

  • Ensures individuals the right to access their own medical records and to receive copies of those records in a timely manner, without undue delay or cost.

  • Provides individuals the right to request access to their health information held by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses.

    • These entities must provide individuals with their requested information in the format and manner requested by the individual if it is readily producible in that format. This information can include medical and billing records, as well as other health information such as test results and imaging reports.

Information Blocking: The goals of the Information Blocking Act, also known as the 21st Century Cures Act, are:

  • To improve the interoperability of electronic health records (EHRs) and other health information technology (HIT) systems in the United States.

  • To promote the secure and efficient sharing of health information among healthcare providers, patients, and other stakeholders in the healthcare system.

  • To prohibit healthcare providers, health IT developers, and health information exchanges from engaging in practices that prevent or discourage the access, exchange, or use of electronic health information. This includes actions such as charging excessive fees for access to health information, creating technical barriers to the sharing of health information, and imposing unreasonable delays on the release of health information.


When must records be provided:

Right of Access: Covered entities, such as healthcare providers and health plans, are generally required to provide patients with access to their protected health information (PHI) upon request, unless an exception applies.

Specifically, a covered entity must provide access to PHI within 30 days of receiving a request from the individual, unless the covered entity provides a written explanation of the delay and the reason for the delay and extends the time period by an additional 30 days.


Information Blocking: Under the information blocking rule, EHI must be made accessible to individuals, their personal representatives, and other authorized parties, without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. These circumstances are listed below in the following chart. It's important to note that a healthcare provider must provide a clear explanation for any limitations on access to EHI and must make a good faith effort to provide access to as much EHI as possible. Healthcare providers are also required to make available any information blocking policies or procedures that they have in place, and to provide patients with information on how to file a complaint if they believe that their access to EHI has been improperly limited or blocked.

What information is subject to the rule?

Right of Access: Under HIPAA, individuals have the right to access and obtain a copy of their protected health information (PHI) that is maintained by covered entities, such as healthcare providers and health plans. PHI is broadly defined as any information, including demographic information, that:

  1. Relates to the individual's past, present, or future physical or mental health or condition;

  2. Relates to the provision of healthcare to the individual; or

  3. Identifies the individual or could reasonably be used to identify the individual.

Some examples of PHI that are subject to the right of access include:

  • Medical and clinical records, including diagnoses, test results, and treatment plans;

  • Billing and insurance information;

  • Prescription and medication records;

  • Immunization records;

  • Lab reports;

  • Radiology images;

  • Health insurance enrollment and coverage information; and

  • Personal demographic information, such as name, address, and social security number, if it is included in the individual's health record.

Information Blocking: Under the information blocking rule, electronic health information (EHI) is subject to the right of access and exchange. EHI is defined as:

  • Electronic protected health information (ePHI) that is created, stored, transmitted, or received by a covered entity or business associate that is subject to HIPAA.

Some examples of EHI that are subject to the information blocking rule include:

  1. Clinical notes, including progress notes and operative notes;

  2. Diagnostic imaging, including X-rays, MRIs, and CT scans;

  3. Laboratory test results;

  4. Pathology reports;

  5. Medication lists and prescription histories;

  6. Immunization records;

  7. Vital signs and other clinical measurements;

  8. Patient demographic information, such as name, address, and social security number, if it is included in the EHI.


Penalties?

Right of Access: Yes. The right of access initiative is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR can investigate complaints of noncompliance and may take enforcement actions against covered entities that violate the right of access requirements.

  • If OCR determines that a covered entity has violated the right of access requirements, the covered entity may be subject to civil monetary penalties, which can range from $100 to $50,000 per violation, depending on the severity of the violation.

  • The maximum annual penalty for all violations of an identical requirement or prohibition is $1.5 million.

In addition to civil monetary penalties, OCR may require the covered entity to develop a corrective action plan and to monitor the covered entity's compliance. It's important to note that individuals also have the right to file a complaint with OCR if they believe that a covered entity has violated their right of access. OCR may investigate complaints and take enforcement actions as appropriate.

Information Blocking: Yes. There are penalties for violating the information blocking rule, which is enforced by the Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services (HHS). Covered entities that engage in information blocking practices may be subject to enforcement actions, which can include:

  1. Civil monetary penalties: The HHS may impose civil monetary penalties of up to $1 million per violation for each instance of information blocking.

  2. The maximum annual penalty for all violations of an identical requirement or prohibition is $5 million.

  3. Disincentives for health information exchange: The HHS may also take steps to limit or restrict a covered entity's participation in certain health information exchange programs or to exclude the entity from certain government healthcare programs.

  4. Publication of violators: The ONC may publish the names of covered entities that have engaged in information blocking practices, which can harm the entity's reputation and public image.


To whom can the information be released?

Right of Access: In addition to the individual, the following individuals or entities may be allowed access to PHI under certain circumstances:

  1. Personal representatives: Individuals may designate a personal representative, such as a legal guardian, healthcare proxy, or other authorized person, to act on their behalf in obtaining access to their PHI.

  2. Parents and guardians: Parents or legal guardians may access the PHI of their minor children or children for whom they are legal guardians.

  3. Healthcare providers: Other healthcare providers may be granted access to an individual's PHI for the purpose of providing treatment or coordinating care.

  4. Business associates: Business associates that provide services to covered entities, such as billing or transcription services, may be allowed access to PHI to perform their services.

Information Blocking: EHI must be made accessible to individuals, their personal representatives, and other authorized parties, without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. Authorized parties may include:

  1. Other healthcare providers: Healthcare providers may be authorized to access an individual's EHI for the purpose of providing treatment or coordinating care.

  2. Health plans: Health plans may be authorized to access an individual's EHI for the purpose of administering benefits and coordinating care.

  3. Caregivers and family members: Caregivers and family members may be authorized to access an individual's EHI with the individual's consent or as authorized by law.

  4. Researchers: Researchers may be authorized to access de-identified EHI for research purposes, subject to certain privacy and security requirements.

  5. Public health authorities: Public health authorities may be authorized to access EHI for the purpose of monitoring and responding to public health threats.

May the request be denied?

Right of Access: A covered entity may deny a request for access to protected health information (PHI) under certain limited circumstances. The covered entity must provide a written denial and explanation of the denial to the individual, along with information on how to request a review of the denial. The limited circumstances under which a request for access may be denied include:

  1. Psychotherapy notes: Covered entities are not required to provide access to psychotherapy notes, which are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session.

  2. Information compiled for legal proceedings: Covered entities may deny access to information that is created for the purpose of legal proceedings, such as attorney-client privileged communications.

  3. Information prohibited by law: Covered entities may deny access to PHI if providing access would be prohibited by another law.

  4. Information that may cause harm: Covered entities may deny access to PHI if they reasonably believe that providing access would endanger the life or physical safety of the individual or another person.


Information Blocking: Under the information blocking rule, healthcare providers and other covered entities may only deny a request for access to EHI under certain limited circumstances. The exceptions under which a request for access may be denied include:

  1. Preventing harm: A healthcare provider may limit the access to EHI if they believe that providing access could reasonably result in harm to the individual or another person.

  2. Privacy: A healthcare provider may limit access to EHI if they reasonably believe that providing access would violate the privacy of another person.

  3. Security: A healthcare provider may limit access to EHI if they reasonably believe that providing access would pose a security risk to the EHI or to other systems that are part of the electronic health record ecosystem.

  4. Infeasibility: A healthcare provider may limit access to EHI if the request is not technically feasible or if providing access would require unreasonable effort or resources.

If access is denied, the healthcare provider must also provide information on how to file a complaint.


Fees allowed to be charged to the patient?

Right of Access: Yes, covered entities under the HIPAA Privacy Rule may charge a reasonable, cost-based fee for providing individuals with access to their protected health information (PHI).

  • The fee may only include the cost of labor for copying the PHI, supplies for creating the paper or electronic copy, and postage if the individual has requested that the PHI be mailed to them.

  • The fee may not include the cost of searching for and retrieving the PHI or any other associated administrative costs.

Covered entities are required to inform individuals of the fee in advance.

  • The fee may not be a barrier to individuals accessing their PHI. Covered entities must also provide access to the PHI in the format requested by the individual if it is readily producible in that format.

It's important to note that there are some situations where fees cannot be charged, such as when an individual requests access to their PHI for the purposes of filing a complaint with the HHS or if the covered entity fails to provide the individual with access to their PHI in a timely manner. Some state laws may limit or prohibit the fees that can be charged for providing access to PHI.

Information Blocking: No, under the information blocking rule, healthcare providers and other covered entities may not charge fees that are not reasonably necessary for accessing, exchanging, or using EHI.

  • This means that if an individual requests access to their EHI or for their EHI to be transmitted to another entity, covered entities are generally not allowed to charge fees that are higher than the cost of labor and resources required to fulfill the request.

Additionally, if a covered entity charges fees for any other services or products related to EHI, such as an EHR system, the fee must be reasonably related to the actual cost of providing the service or product. The covered entity must also provide a detailed explanation of the fees and how they were calculated and must make the fees publicly available. It's important to note that there are some circumstances where a covered entity may be able to charge fees that are higher than the cost of labor and resources, such as when the request is complex or involves large amounts of EHI. However, these fees must be reasonable, and the covered entity must provide an itemized bill explaining the fees.


It is important to respect patient access to information while protecting confidential information. This can be a daunting task for any size organization. If you still have questions after reviewing the information above, consider additional training in HIPAA and release of information.



