Coming in April, a new patient health care records rule could be the first steps towards a universal health record
The balance between patient health care records access and privacy is a constant strain on chiropractic and health care practitioners and patients alike, daily. From a regulatory perspective, the Health and Human Services Office for Civil Rights (OCR), the enforcement and oversight arm of the federal government overseeing federal HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C and E) has historically stressed the privacy component and addressed patient access to records on seemingly a one-off basis — by patient complaint.
Tides are shifting and a new rule, the Information Blocking Rule (45 CFR 171) 1, is taking effect as of April 5, 2021, aiming to effect immediate patient access to their health records, bringing us closer toward the coveted unicorn, the Universal Health Record. 2
The Blocking Rule
The Blocking Rule approaches the goal of a Universal Health Record from several different directions.
The Blocking Rule requires software developers and health information exchanges to develop a competitive marketplace to obtain an electronic solution to provide patients immediate access to their health record, and also requires action by providers to utilize the marketplace and provide their patients access to their health record without causing interference or disruption — or face the consequences. 3 Competitive marketplaces, immediate access, conforming with legal requirements to protect privacy, consequences; these are all powerful words creating meaningful consequences to those impacted, and those intended to be impacted appear to be a significant sector of society — IT providers, utilities, providers and patients. 4
Most relevant to our concern, where do practitioners fit in? Will there be more requirements to follow? How should our approach toward patient information, protected health information and patient access change? The purpose of this article is to explore issues for practitioners and further explain the intention of the Blocking Rule, as well as other influences in the regulatory scheme of HIPAA currently at work impacting practitioners.
As of April 2021, each practitioner is required to share basic elements of a patient chart (such as patient name, address, allergies, care team members and laboratory test results) upon patient request, electronically, and provided immediately. 5 Providers will be expected to share this information through consultation notes, discharge summary notes, history and physical, imaging narratives, laboratory report narratives, pathology report narratives, procedure notes and progress notes. 6
In addition, practitioners are required to comply with the HIPAA Privacy and Security Rule in the transmission of the electronic health record to the patient. 7 On or before around October of 2023, providers will be expected to completely comply with the Blocking Rule, and without violating patient privacy. 8
Exceptions to the Blocking Rule
The Blocking Rule acknowledges scenarios where providing a patient record would be a breach of the HIPAA Privacy and Security Rules or against public policy, and has provided for several noteworthy exceptions, as follows:
- Preventing Harm A practitioner may deny access of a patient record where the practitioner reasonably believes not providing the record is reasonable and necessary to prevent harm to a patient, provided certain conditions are met. 9
- Privacy A practitioner may deny access of a patient record where the practitioner reasonably believes the disclosure would violate any relevant state or federal privacy laws. 10
- Security A practitioner may deny access of a patient record where the practitioner reasonably believes not providing the record is reasonable in order to protect the security of the electronic health record. 11
- Infeasibility Exception. A practitioner may deny access/ not fulfill a request of a patient due to the infeasibility of the This is if there are legitimate practical challenges which render the fulfillment of a request for the electronic health record impossible or impracticable because of lack of technological capabilities, legal rights, or other means necessary to enable access. To qualify for this exception the practitioner must not be able to grant access because of an uncontrollable event, like a public emergency, natural disaster or internet service disruption, the inability to segment the information in an unambiguous manner. 12
- Health IT Performance Exception. A practitioner is permitted to temporarily make electronic health information unavailable to benefit the overall performance of the health IT. This exception recognizes that for health IT to properly function, it must be maintained and updated requiring electronic health information to be taken offline temporarily. Practitioners are given leeway in order to ensure that the system remains stable and current in order to continue to work at maximum efficiency. 13
- Content and Manner Exception. A Practitioner may limit the content of its response to a request for an electronic health record or the manner in which the provider fulfills the request. 14
Notably, with the use of each aforementioned exception, the practitioner denying access should, with specificity, document the rationale for denying access, and further document with specificity the rationale for any delay in production as well.
Fees may be assessed to the patient, as under the HIPAA Privacy and Security Rules. Specifically, the Blocking Rule provides that providers may charge reasonable fees for accessing, exchanging or using electronic health records if the fee is applied in a non-discriminatory manner and related to the provider’s cost. 15
Electronic Marketplace Creation
One of the greater impacts of the Blocking Rule is the guided consolidation of innovation and marketplace for electronic health records. 16 Third-party application developers are being called on to generate apps, capable of being accessed on smart phones and other devices, which will allow patients to easily and efficiently access and share their medical records. 17 Developers may enter into a certification program which sets standards and guidelines for storing and sharing medical information. 18 While entering into the certification program is currently voluntary, it is difficult to forecast how developers who do not become certified will compete in the field. There is a possibility that users will not trust their apps or that additional rules are passed which make certification a requisite for competing in the field.
At this point, it is not clear exactly how this marketplace will function and how providers will interact with it, but it is expected to provide both providers and patients with an extremely user-friendly interface which easily stores and transmits electronic health information. Providers will be expected to have all of their patient’s medical records converted into an electronic format which will then become transmissible to the third-party applications. 19
Many providers already have experience with this type of technology and often utilize healthcare portals to share electronic medical records with patients. Other providers utilize Gmail or other similar e-mail services to send patients their health records directly. These providers will likely not have to make drastic changes to their current systems of operations to ensure that they are compliant with the Information Blocking Rule. Instead, they are expected to continue maintaining records in an electronic format which will be securely transmitted to patients. Other providers, who do not primarily keep their records in electronic format, will have to spend time from now until April 5, 2021 ensuring that their practices develop internal systems to convert records into an electronic format. Those providers will have to spend money to train staff and develop internal procedures to guarantee that their practices will be compliant and able to quickly provide patients with their records in a secure manner. 20
Penalties for Non-Compliance Under the Blocking Rule
The provisions of the Blocking Rule will become enforceable April 5, 2021. 21 Based on similar initiatives in the realm of HIPAA Privacy and Security, we anticipate the promulgation of a penalty construct that will involve monetary penalties for non compliance. 22 Currently, it is known that the Office of Inspector General has authorized penalties up to a $1 million fine on providers who violate the Blocking Rule. 23 When assessing the amount of a potential fine, it is likely the Office of Inspector General will consider the severity of the consequences caused by the information blocking, the number of patients impacted, and the amount of time during which the violation persisted. 24
Even though there are broad guidelines for how providers can be penalized, there still remains a fair amount of obscurity for how strictly these provisions will be enforced going forward. The Office of the National Coordinator has stated that the “HHS must engage in future rulemaking to establish appropriate disincentives.” 25 At this point we can only speculate as to how strict the regulators will be and how high potential monetary penalties will range up to. In the past, we have seen other regulatory bodies strictly enforce patients right to quickly and affordably access their health records. 26
HIPAA Enforcement, In General
The Office for Civil Rights has set an extremely severe precedent when enforcing the HIPAA right of access initiative discussed below. Since September 9, 2019 the OCR has settled ten (10) investigations against providers concerning the HIPAA right of access initiative which guarantees patients the ability to affordably and quickly access copies of their medical records. These investigations determined that the practices of numerous providers were likely in violation of the right of access provisions and resolved in settlements to pay the OCR monetary penalties ranging up to $160,000. 27 In total, the combined reported amount of monetary penalties thus far collected in settlements is approximately $591,500.
In the written report on its first reported settlement, the OCR announced “this initiative as an enforcement priority” and promised to “vigorously enforce” patient rights to receive copies of health information. 28 The report details how Bayfront Health St. Petersburg (“Bayfront”) failed to respond to a mother’s request for records regarding her unborn child. 29 HIPAA rules generally require covered health care providers to provide medical records within 30 days of a request, 30 Bayfront responded after 9 months. For this infraction Bayfront paid $85,000 to OCR and implemented a corrective action plan to address issues like that one going forward. 31
The second report, dated December 12, 2019, announced a settlement for $85,000 against Korunda Medical, LLC for failing to timely provide medical records in electronic format to a 3rd party on behalf of a patient. 32 The Director of OCR, Roger Severino, said “for too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. 33 We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.” 34
On September 15, 2020, a little more than a year after the first settlement was announced, the OCR made a report about five more settlements in regards to potential infractions of the HIPAA right of access initiative. 35 Roger Severino made clear that these settlements are meant to “send a message” to the health care industry about the importance and necessity of complying with the HIPAA rules. He added that the intention of the regulations and the desire to ardently enforce them is to continue to empower patients to take charge of their health care decisions. 36 Since then, three more investigations have been settled making the final number until this point ten in total.
These investigations and the strong unambiguous rhetoric from Director Severino clearly demonstrate how determined the OCR is to making sure all medical providers are in strict compliance with information blocking laws. While the particular disincentives have not yet been announced, it is safe to project that the OCR will be just as keen to enforce the information blocking provisions of the Cures Act in order to continue safeguarding and supporting patient values.
Prepare for the rule’s effective date
The Blocking Rule effective date is approaching, and while most practitioners have systems in place for storing and transmitting their patients’ electronic medical records, those who do not have such systems are expected to fall in line.
Ensuring that your practice is capable of complying with the rule is important because there will be a risk of audit and fines for non-compliance (likely to initiate from a patient complaint if at some point you cannot electronically share a patient record).
On a positive note, the implementation of the Blocking Rule will also give rise to (hopefully) a transparent competitive marketplace for electronic health records and electronic health record migration and sharing technology that will be compliant and cost-effective.
JENNIFER KIRSCHENBAUM, ESQ., manages Kirschenbaum & Kirschenbaum, P.C.’s health care department and devotes her practice to representing chiropractors and other providers in the establishment and operation of multi-disciplinary practice structures, licensure matters, audit defense, contract issues, buy/sell, partnership development and disputes, and general practice matters. She can be reached at Jennifer@Kirschenbaumesq.com or 516-747-6700 x302.
ZACHARY SHER, JD, is an associate in K&K’s health care department.
7 https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html https://www.federalregister.gov/documents/2020/11/04/2020-24376/information-blocking-and-the-onc-health-
8 45 CFR part 171.201
9 Id. part 171.202
10 Id. part 171.203
11 Id. part 171.204
12 Id. Part 171.205
13 Id. part 171.206
14 Id. part 171.207