Asset Management, Governance, Risk and Compliance, Compliance Management, Privacy

Myth-busting the common info blocking, interoperability misconceptions of electronic health info

Charge nurse Liliana Palacios makes a phone call while nurse Rocky Dixon plans patient care at the nurses station in the acute care COVID unit at Harborview Medical Center on May 7, 2020, in Seattle. (Photo by Karen Ducey/Getty Images)

While the healthcare sector continued its response to the COVID-19 pandemic, the information blocking rule went live in April 2021. And in less than a year, all electronic health information will be in scope for the Department of Health and Human Services interoperability regulation.

Patient access and data sharing have been key priorities for HHS since 2019. And despite numerous meetings, educational sessions, and comment periods, many provider organizations are still struggling with the rules’ nuances and implementing the needed tools to support the mandated data sharing requirements.

During the final keynote of the inaugural SCHealth eConference, Impact Advisors’ Principal Dr. Dan Golder and First Health Advisory CEO Carter Groome shed light on the biggest misconceptions and overall myths surrounding the interoperability and info blocking rules to support providers with the regulatory shift.

“The enforcement landscape, it's hazy, and that's what causes these challenges and sort of maybe misconceptions, especially on the provider disincentive side,” said Groome. “I would advise to err on the side of caution and get after [these rule changes].”

Policies: Invoking ‘exceptions’

One of the biggest misconceptions surrounds the info blocking rule’s "exceptions" carveout. The 21st Century Cures Act defines the elements that constitute info blocking and gives HHS the authority to identify reasonable and necessary activities that don’t fall under the rule “referred to as exceptions”

HHS has defined those exceptions for all healthcare actors that fall under the enforcement of the rule but meet certain conditions to claim exemptions. As such, any practice that doesn’t meet the conditions, per HHS, will not automatically be considered info blocking.

In total there are eight exceptions that fall under two categories: those that involve unfilled requests for access, exchange or use of electronic health information, and those that involve the procedures. HHS explained that certain cases will “be evaluated on a case-by-case basis to determine whether information blocking has occurred.”

Golder has heard that many providers intend to just invoke the exceptions element, particularly around the privacy and security elements. But providers shouldn’t be quick to invoke the exceptions rules.

“You really need to have those supported by a written policy before you claim the exception, which means you've got to review your policies, understand them, tweak them, and have that all in place,” said Golder. It’s “a little bit of a governance issue, and most organizations don't have a great handle on it.”

Another part of the exceptions’ challenges stems from departmental policies that differ from the organizational policies. Meaning that, often departments will create their own group or practice, with customized policies. Golder noted that it’s hard to align those with the information blocking.

In short, policies are one of the key things most healthcare organizations miss — but it’s also a key part of the new rules that providers must understand.

Infeasibility exception

The second biggest misconception involves invoking the “infeasibility exception.” According to HHS, “It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.”

“This exception recognizes that legitimate practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI,” HHS continued. “An actor may not have — and may be unable to obtain — the requisite technological capabilities, legal rights, or other means necessary to enable access, exchange, or use.”

A lot of healthcare providers are simply throwing in the towel, as they feel they can’t get the information out as required by the rule and that by claiming the infeasibility exception, HHS will not enforce the issue. Golder warned this position could be a grave error, as there are specific criteria that must be met, particularly with the legal definitions of the rule.

Providers need to understand that HHS has tightly defined the infeasibility exception, and they can’t just claim that the request is infeasible.

EHI start date

Many providers also fail to understand just when the rule applies and to what data.

“If the information exists electronically, no matter when it was generated, even if it was generated before April 5 or before the 21st Century Cures Act was even a glimmer … it is information that must be shared,” said Golder.

For example, Golder wrote software for the electronic management of records in the late 1980s. If that provider was still using that information and it remains electronic, it must be shared because, “There is no look back date.”

Myth: This is just about my EHR

The rules don’t only apply to the data stored in the healthcare’s electronic health record, or even a provider’s own CE certified software. Golder stressed that the regulations pertain to every piece of software and even third-party systems. It may be an extremely heavy lift to evaluate these requirements on all tech elements with health information across the organization by the Oct. 6, 2022, enactment, but it’s required.

In one example, Golder explained that a health system is currently working to meet these requirements with a team of 40 people dedicated to electronic protected health information and vetting all third-party systems, along with contacting the vendors to track their progress with the enforcement.

“This is not a simple task, so please don't wait,” said Golder.

Myth: This is only about patient portals

A common misconception heard by Golder throughout these changes has been that the rule is solely about patient portals. Although portals are a convenient manner to share and provide information with patients, as “they're used to it, it's comfortable to them, they can get it on their phone.”

But providers need to be sensitive to when a patient asks for specific information, it needs to be provided in the manner they’ve requested and “not the manner we choose to give to them.” 

Groome reminded providers that not all patients have a smart device or even a computer. Under these rules providers need to ask themselves whether they have the mechanisms in place to demonstrate they’ve taken a good faith effort in electronically providing them their requested information.

“There's a little bit of a negotiation there,” Golder added. “If somebody is looking for a vaccine card, let's find a way to give them that simply, easily electronically, and we don't have to jump through a lot of different hoops. Again, it’s being sensitive to what’s actually being asked and what manner it's being asked to be received.”

Myth: PDFs and faxes aren’t EHI

Another major myth is that PDFs or faxes aren’t considered electronic information under the info blocking rule, but Golder stressed that’s incorrect. These “electronic paper” elements do fall under the rule. 

The EHI rule says “essentially that you must exchange this information in a machine readable format, PDFs are not a machine readable format.” So a lot of providers simply say they’ll “print a PDF, burn it to a CD, and CDs are electronic so that counts. It really does.” 

Developers

The final myth is a bit more nuanced: “If you extend your EHR to unaffiliated providers, and there's a number of EHR systems that allow you to share your instance of your EHR and let other people use it. According to the rule, you fall under the developer category,” said Golder. 

With that distinction, comes additional legal risk with knowing what is considered info blocking. And if it’s considered such, there will be higher penalties for those parties. In the end, those that fall into the developer category need to “recognize if you're extending your EHR, you've got a higher legal standard to [the provider].”

To Golder, this awareness strengthens the need for providers to understand the implications of sharing their EHR.

At the end of the day, it’s about awareness of the rules despite the pandemic’s impact on the rollout and enforcement dates, Groome explained. “Many organizations are really working hard to better understand the requests that are coming. They want to be compliant.”

Providers must ask what information is required to be sent and what tracking mechanisms are in place to follow data requests to ensure they’re fulfilled, including staff assigned to following up with these requests to ensure compliance. Those tracking mechanisms will be crucial for demonstrating compliance to HHS, if requested.

“You can course-correct down the road, but I wouldn't want to be caught flat footed on this and then find out there are a lot of teeth behind some of these enforcement actions,” Groome concluded. “Let's get after this, there's a lot to be done.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds